Where is the year going? It only seems like yesterday that we celebrated the turn of the year, with the end of May also coming up fast. With that turn of the month, it is of course time for our team of talented analysts to give an update on what’s caught their attention this month. 

Nick: Springing into Crypto 2022:

So 2022 has not been an ideal year for investors in cryptocurrency, with the market tanking in the last month to levels not seen since 2020.  But what is the reason for this?  Bank of America’s global crypto and digital asset strategist Alkesh Shah blames this downward trend on rising inflation, interest rate hikes, and geopolitical instability caused by Russia’s invasion of Ukraine.  

Much of what I’ve read this month has related to the cryptocurrency—including the recent crash—and its impact on cyber risk. Several times this year we have seen cryptocurrencies targeted by threat actors.  In January 2022, Crypto.com lost $30 million from 483 digital wallets by bypassing their Two Factor Authentication.  In March 2022, the Ronin Network was breached, losing over $625 million dollars due to an attacker using hacked private keys to make withdrawls.  This incidents carried over form several impactful incidents last year. In August 2021, Poly Network had a vulnerability that was exploited and allowed unauthorized executions for multiple transactions that totaled $600 million.  Within a month, the Poly Network hacker returned the funds and was in contact with Poly, stating that they were trying to “contribute to the security of the Poly project in my personal style”.  While this instance may have ended with no one getting hurt, this is not always the case when threat actors target cryptocurrencies.

So where do we go from here? The market is pretty unstable, and that instability in many ways contributes towards an escalating cyber risk for investors.  One step being taken to combat the attacks on cryptocurrency can be found in the 2023 budget proposal from the US Government, which would allocate $52 million to fight ransomware and the misuse of cryptocurrency.  This push strengthens the fact that cyber security should be at the forefront of the world of cryptocurrency and decentralised finance (DeFi).  Digital Risk monitoring companies will likely play a big role in the mitigation of threats and risk dealing with cryptocurrency. 

Nicole – Not the Autobots

It has been three months since a Ukrainian cyber security researcher began leaking information about the inner workings of the Conti ransomware group. The “Conti Leaks” exposed chat logs with over 60,000 messages sent between members of ransomware gang as well as source code. Due to this exposure, it was only a matter of time before new techniques or tools emerged from the group. Proofpoint’s recent blog, “This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming” provides a technical overview of a new malware loader associated with Conti, the “Bumblebee”.

In their article, authors Kelsey Merriman and Pim Trouerbach dive into recently tracked campaigns attributed to two initial access broker (IAB) groups; “TA578” and “TA579”. Proofpoint has been tracking both groups for a while and they are known for distributing different malware loaders via email-based campaigns. Malware loaders are malicious programs used to download additional malware onto an infected device. Prior to March, both of these threat groups were primarily distributing “BazarLoader” (aka BazaLaoder) and “IcedID”, but have since switched and began using the Bumblebee loader. TA578 and TA579 have been associated with malware payloads attributed to ransomware campaigns, primarily Conti and Diavol ransomware. 

Bumblebee is written in C++ has sophisticated defense evasion techniques such as anti-virtualization. Security tools and sandboxes often use virtual machines (VM) to execute potentially malicious code. Anti-virtualization techniques refer to mechanisms in malware to detect virtual environments so the malware can avoid detonating malicious code. This not only avoids setting off alarms during the attack, but it also makes it harder to analyze the malware. 

Proofpoint researcher believe Bumblebee may have replaced BazarLoader due to the timing with Conti Leaks, the disappearance of BazarLoader, and multiple threat groups adopting the tool. Given its association with Conti—who we reported as the second most active ransomware group in Q1 2022 and Q4 2021—its definitely a malware that you should keep on your radar. 

Read about it here.

Pippa: Social Media on the Dark Web: What Does it Look Like?

The Dark Web is notorious for being an sinister portion of the internet, reportedly rife with drug vendors, hitmen, and other illicit content. Overarching narratives maintain that the Dark Web serves solely as an online realm for cybercriminals. While these sorts of transactions do occur, there are also less egregious platforms with more benign intentions. Social media networks have been popping up on Tor browsers, many of which having parallels to social media on the clear web. This includes sites with profiles, friend lists, messaging services, and user interaction. It is possible that this transition of social media to the Dark Web is centered around privacy concerns and government attempts to regulate online content. Given the nature of the Dark Web, multiple social media networks are still littered with group chats and pages dedicated to the distribution of illegal services and content.

Mirrored Platforms

One of the main parallels of social media on the dark web is mirrored platforms. These social media networks recreate popular platforms such as Facebook and Twitter and provide identical functionality. These platforms go one step further and extend what already exists by centering their attention on security. After the last few years of stories being released about data breaches, selling private information, and more, security and users’ privacy are becoming increasingly important. For example, Facebook onion, which lives on the Dark Web, functions precisely the same as the clear web version, without keeping logs.

A Facebook mirror site through ToR

The Inherent Dark Side

As expected by the Dark Web, it is not all for the greater good. With these platforms being mostly unmoderated, the distribution of illegal content becomes widespread. Distribution of illicit pornography, credit card details, and videos showing extreme violence can easily be viewed with just a couple of clicks.

Dark socials can be hard to generalize as users often initiate sites’ trends. Socials such as the now inactive ‘Connect’ promoted free speech surrounding antifascism and antisexism to counter societal hierarchies. Other sites keep up with trends by selling fake COVID-19 passports or vaccines online. The anonymity of the dark web inherently supports the functioning of dark socials as cybercriminals and activists can escape to a community much like the ones we use with Instagram and Twitter – simply without the risk of identification.

How Does This Impact Us?

Ultimately Dark Web socials act as a medium between social networking and typical Dark Web content fueled by anonymity and identity protection. The fast-paced nature of the Dark Web has shown us that sites can be taken down in the blink of an eye. Although replacement links are often posted, the information is gone along with user interactions – thus making them hard to monitor. Due to a perceived loss of privacy at the hands of big tech companies and government regulation, Dark Web socials facilitate engaging political discussions – appealing to cybercriminals and activists alike. With the current stigma associated with clear web privacy, emerging platforms may change the way we view the dark web by providing a private, secure environment in which users operate.

The Digital Shadows (now ReliaQuest) Difference

This is the stuff analysts love to do: Researching and learning more about the myriad threats out there, and contextualizing them with the world around us. We love all things cyber threat intelligence.

Find out more about the intelligence we provide in SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with a 7-day test drive, or contact us to schedule a demo to learn more about your use cases and how intelligence might make a difference for you.