Dark Web Hacking Forums

How do dark web hacking forums differ from regular internet forums?

In this episode of the dark dive we delve into dark web hacking forums

Threat intelligence experts Joe Honey and Vlad explain the “barrier to entry” to getting onto hacking forums, the blurry line between Russian, English language, and Chinese forums, and how these sites act as a market for a specific type of cybercriminal known as “Initial Access Brokers”.

Speakers

Aidan Murphy

Host

Vlad

Threat Intelligence Analyst at Searchlight Cyber

Joe Honey

Threat Intelligence Engineer at Searchlight Cyber

This episode of The Dark Dive covers:

How dark web forums differ from regular internet forums

While both are built on a sense of community, forums on the dark web differ in their content.

The topics that users are discussing

From hacking techniques, to malware strains, and even recruitment into cybercriminal operations.

How these sites act as a market for a specific type of cybercriminal

In particular, "Initial Access Brokers" who run auctions for backdoors they have created in organizations' infrastructure.

Transcript

Aidan Murphy: Hello, and welcome to another episode of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy and I’m your host as each episode we look at different aspects of the dark web. In the podcast feed, you can already find the entire limited series. In other episodes, we look at how the dark web works and we look at other areas of the dark web, like marketplaces and ransomware leak sites. In this episode, we’re going to look at dark web forums, the place where criminals go to talk to each other, sharing tips, news and collaborating with one another. To discuss this topic, I’m joined by two individuals who spend their time trawling through the contents of dark web forums. Vlad, a threat intelligence analyst at Searchlight Cyber. Hello, Vlad.

Vlad: Hello, Aidan. Hello, everyone.

Aidan Murphy: And Joe Honey, one of Searchlight Cyber’s threat intelligence engineers. Hello Joe.

Joe Honey: Hello, Aidan. Hello guys.

Aidan Murphy: Great. Before we jump in, can I just ask each of you to maybe give a quick overview of your role to listeners? We’ll start with you, Vlad. What does it mean to be a threat intelligence analyst? What does your day-to-day look like?

Vlad: Well, I’m responsible for monitoring cyber criminal activity on underground forums, marketplaces, instant communication platforms. Basically anywhere that threat actors may interact with each other. As well as maintaining and ensuring elevated access on closed sources, analyzing and researching threat actor behavior and so on and so forth. Basically, anything that involves movement by threat actors of any kind.

Aidan Murphy: Brilliant. Well, you sound like the right person to speak to for this particular episode and we’re going to talk about what that means in a minute. Joe, what does it mean to be a threat intelligence engineer? How does that, I guess, differ from Vlad’s day-to-day?

Joe Honey: Thanks, Aidan. My role differs from Vlad in that it’s very much more sales focused. I specialize working with our customers, helping them get the best from our tools and our data. A large part of that is technical. You know, what do our tools do, how do they work, how do customers use them but a massive part is understanding what criminals are doing on the dark web, how they’re doing it, where they’re doing it, why they’re doing that and then translating that into a format that our customers can use and, kind of, guide their searches, ultimately making sure they get what they want out of our tools and our data.

Aidan Murphy: This episode, we’re going to look at dark web forums. Our listeners may have listened to our last episode on dark web marketplaces. I think many will be familiar with the idea of Internet forums, the likes of Reddit. A good place to start maybe is how dark web forums differ from the forums that you might find on the clear web. Vlad, what’s different between dark web forums and clear web forums?

Vlad: Of course, in terms of structure, there isn’t that much of a difference, to be honest. It’s basically the same thing. I wouldn’t compare it to Reddit, apart from Dread which is a bit of a different kind of cyber crime board but most of the forums, they actually resemble regular forums that you see with car enthusiasts and art people and so on. I think this is because every forum is structured into a few categories, usually a marketplace, learning and knowledge part and everyone gets to click on their specific topic and they can go on from that point and basically interact with other forum members who have similar interests. Those interests vary quite a lot. It’s a very similar place, it’s a very similar structure. Only the topics are a bit more illegal sometimes. Most of the time but, yes, in large, it’s basically the same thing. It works in the same way, it’s just a different topic.

Aidan Murphy: Interesting. I guess that’s quite helpful for the listener. If you know what an Internet forum looks like, you can imagine a dark web forum but the content is different. Joe, what type of things do people talk about on dark web forums that maybe they don’t talk about on regular forums or do? Is there a crossover?

Joe Honey: Absolutely everything gets discussed on the dark web, really. I mean, as Vlad’s, kind of, hinted to, probably the majority of content on dark web forums is illegal or shady in some shape or form. Everything from, you know, this particular piece of malware, how do I buy it, access it, use it, ‘I’ve got this particular item or piece of data to trade’. You know, everything, kind of, illegal is discussed on the dark web. Equally as well, there is a lot of what could be called normal content on dark web forums. There are people sharing news stories and, you know, discussions about current politics and things like that. I was looking this morning and stumbled across a thread dedicated to a dog which had passed away but the dog was 30 years old and there was this massive outpouring of support. Yes, on the whole, these forums are quite dark places to hang around but you did get odd little, sort of, funny moments and moments of light and good humor and so on.

Aidan Murphy: Why do you think people use dark web forums instead of clear web forums then? Is it a privacy thing or is it because they want to talk about things that typically would be frowned upon or maybe even illegal on the clear web?

Vlad: I would say it’s just because they know that on those specific forums, they’re going to get an answer for their question because those people that also joined the forums have common interests. It makes sense to just go onto the dark web forums just because you know that there’s someone there who has similar interests as you and you might get an actual useful answer while asking the same question on a regular forum might not lead you anywhere because there aren’t similar people over there. There is no simple answer to this question, it’s just a matter of choice for everyone. There are a lot of factors that might change this. For example, in some countries, there are some laws that prohibit people from using normal forums, countries like Iran and so on, so they are forced to go onto the dark web to ask questions that may not be seen as illegal. There are plenty of factors out there.

Joe Honey: I think one of the other things for me, you know, if you’re after illegal content, the dark web is the place to go but I think one of the other attractive parts to a dark web forum is the fact that they are anonymous. You know, the Internet is generally anonymous. You can de-anonymize people and work out who they are and so on but the dark web is even more anonymous than that and because of that perceived anonymity, you know, people feel a lot freer to be who they want to be, look for what they want to look for, talk about what they want to do, share opinions that would be problematic elsewhere. I think that, kind of, enables people to be, you know, the version of themselves they want to be almost.

Aidan Murphy: That’s really interesting. The sense I’m getting from both of you is almost it’s about this, kind of, community feel, finding like-minded people, having the ability to speak freely which actually isn’t something I’ve considered before. That’s a really fascinating topic in itself. If people want to find out a little bit more about how the dark web is more anonymous than the clear web, we have a separate episode on that, the first episode in the series so, we won’t go into too much depth on that now but it’s a really good point, Joe. You’ve mentioned one of the forums, Dread, Vlad. Are there any other, I guess, noteworthy forums, you know, the most, kind of, infamous or famous forums on the dark web that people should know about if they’re listening?

Vlad: It really depends on the type of activity you’re looking to get yourself into but usually with cyber crime, the most used at the moment in terms of English language forums is Breach, Breach forums. It’s a reincarnation of RaidForums, which was taken down a couple of years ago, which then morphed into Breach forums, which then morphed again into another Breach forums because the first version was taken offline for a bit as the admin was arrested but now it still lingers on, it’s still here. It accepts new accounts and so on. In terms of topics that are discussed over there, it’s very widespread so, there’s no specific thing that you have to talk about. You’ll see their initial access brokers, you see the database vendors. You see fraud and financial-related scams and so on, as well as a really large knowledge and learning. It’s also considered a large knowledge and learning platform because there’s a specific sub-section of the forum where people just discuss how to do things and what’s the newest method of designing and coding this specific malware and so on. While going away from the English language area, we, of course, have to think about the Russian because the Russian language is widely used in cyber crime. The most well-known forums at the moment are Exploit and XSS which are-, they consider themselves to be brothers in terms of-, I mean, the admins probably know each other and they’ve been partners in a way or another for the past almost twenty years because the first signs of these forums appeared in about I think 2005, 2006. They’ve been out there for quite a while. There are plenty of other forums but these three, they are the trifecta of forums. There’s others that popped up a bit more recently like RAMP, which appeared a couple years ago. What’s different about RAMP is that it widely accepts ransomware discussions, while Exploit and XSS actually banned this to make sure that they’re not targeted by law enforcement that much. Of course, there’s plenty of others. It really depends on who is joining and what they want to find on those forums.

Aidan Murphy: You’ve opened up a whole can of worms of things that I want to talk about but one thing that I did just want to pull out very quickly, or just highlight maybe, for the listener. You mentioned that Exploit and XSS have been around almost twenty years now. In our marketplace, we were talking about how these marketplaces struggle really to stay around for a couple of years. Louise was talking about how we, kind of, think of marketplaces in terms of months at a time and longevity for a marketplace is maybe two or three years. You know, that’s a pretty good run. Do either of you, I guess, have a sense of why these hacking forums are able to stay operational for much longer? How do they avoid being, I guess, taken down by law enforcement? Is it because what they’re doing is less criminal or are they just better at getting away with it?

Vlad: I think as Joe mentioned earlier, the forums are seen as a community rather than a money-making platform and they seem to be a bit more accepted by law enforcement in some areas, where the marketplaces are just full of illegal stuff, illegal selling of drugs and weapons and counterfeit devices and jewelry and so on. I think it’s just a matter of how they’re viewed. In a sense, they’re basically-, both categories are illegal but I don’t know, I think the fact that the forums are a bit more gray, I would say. I wouldn’t say they’re white because they definitely are not white but there’s other things happening apart from the illegal stuff. Also, the admins are not there necessarily for profit, as it happens with the marketplace admins, which you’ve probably discussed about this, the admins of cyber crime forums, they’re there for the community, they’re there for the reputation. They just want to make sure they keep the community living and alive and so on. That’s how I see things. Maybe Joe has another view.

Joe Honey: No, I think, kind of, very similar. I think for me there’s, kind of, a couple of main points. Yes, firstly, on forums, there is a lot of non-illegal content. I wouldn’t necessarily call it legitimate. You know, if I was to sit and have a conversation with Vlad about how to hack into a particular system and the methods I would use, that in itself isn’t illegal. Me going to do it is, absolutely, but me just talking about writing code is perfectly fine. So, because of that, the proportion of illegal content there is much lower. Possibly I think it’s part of it that where a lot of these forums are cyber crime focused, a lot of the admins and so on take a lot more pains around, you know, their own operational security, keeping things safe and secure and looking after themselves. Whereas if you’re on a market, you know, if you’re a drug dealer, you’re, kind of, a drug dealer first and on the dark web second, if that makes sense. You’re likely to be less knowledgeable perhaps in the area. You know, I can’t have any sources for this, I can’t, kind of, quote it but I wonder almost if there’s an element of a resourcing challenge as well. You know, if you’re law enforcement and you’ve got the resources to target and take down one dark web community, are you going to go for the forums where there’s some bad stuff but also lots of not illegal stuff or are you going to go for the market where the vast majority of it is, you know, illegal goods, drugs, guns, whatever it may be, you’re going to get more return on investment, more bang for your buck by taking down that marketplace than you would do the forum. Unfortunately with the resourcing challenges most law enforcement departments face, they’ve got to go for where the value is.

Aidan Murphy: That makes a lot of sense, Joe. One thing I just wanted to come in on was that operational security point. It’s an interesting term and it’s not one I’d heard of before I’d started working here at Searchlight Cyber. Maybe you could just explain for the listener what operational security is?

Joe Honey: Yes, OpSec, operational security. It’s a term that initially was started to be used by, kind of, the military and the intelligence community, those types of people. Essentially, operational security is about the measures that you take to ensure the security of you, yourself, your operation. Let’s say you’re a spy, you know, trying to go into Russia or something like that, you’re not going to use your own passport, you’re going to have a cover identity, you’re going to use burner phones. Basically, all things to enable you to try and stay anonymous and essentially to stay safe and to achieve your goals, whatever they are. The exact same thing applies in the dark web.

Vlad: I wanted to add something regarding OpSec, is that OpSec is extremely important when maintaining and operating marketplaces or forums and so on. This leads me to in a recent example, someone named Conor Fitzpatrick who was the admin of Breachforums in his first version. His alias on the forum was Pompompurin and he was actually found and arrested because he used one of his real email addresses. That was a huge OpSec flaw that he-, I don’t know why, I’m really not sure how this happened with such an experienced threat actor but it happens to the best of us and it also takes me back to our previous question on why forums linger on much longer than marketplaces. The audience needs to understand that it’s not because law enforcement doesn’t target and doesn’t focus on both of them-,

Joe Honey: There’s less stuff changing hands. There isn’t physical goods changing hands. There isn’t money changing hands and because of that, there’s essentially less stuff to track on a forum versus a marketplace. Obviously, the less stuff there is to track, the less opportunities law enforcement has to, you know, work out who you are in real life and come and knock on your door and say hello.

Aidan Murphy: I think Breach forums is an interesting example as well because as you mentioned, Vlad, it’s, kind of, already gone through a couple of different iterations and at times felt like it was gone for good and then returned. After Conor Fitzpatrick was arrested, the BreachForums has continued with not new administrators but other administrators effectively just taking the reins and continuing the forum. One thing I just wanted to, I guess, bring up at this point for the benefit of our listeners, it is worth saying that some of the forums we’re talking about don’t only exist in the dark web and some of them exist just on the clear web and deep web. I wonder if Vlad you could maybe break that down for the listeners. If some of these forums are existing on the clear web or deep web, are there any kind of barriers to stop regular people like me just accidentally wandering onto them or again, security professionals or law enforcement?

Vlad: There is absolutely no barrier, especially with free forums like Breachforums. Anyone can join. There’s plenty of discussions about it on popular places like Reddit. There are some forums who have a few other verification methods. Some of them require, for example, on RAMP forums, you have two ways of creating an account. One of them is by paying $500 to the admins via Bitcoin while the second one is to provide proof that you are reputable on a secondary forum like Exploit or XSS. If you are reputable on those forums, then you can get the account for free. Of course, this isn’t for everyone, this is a way for the admin to ensure that whoever is joining the forum is knowledgeable of hacking and not just everyone who has heard of hacking for the first time today can get in there. It’s also a method of securing the forum against scammers but yes, in large, with quite a large number of forums, it’s free for everyone to join, it’s easy to get in there, it’s just the similar way of creating an account as you’d create an account on Amazon or any other well-known reputable platform out there.

Joe Honey: I think on the topic of, like, technical barriers and challenges, the dark web has this aura of being this really mysterious, hard to access thing. It’s not. The main, kind of, technical barrier is just working out where to go. There isn’t a Google for the dark web, there isn’t a site index, so you have to know the address for Breach forums, for example, to access it. Addresses on the dark web, they’re not what you’d expect, they’re not what you’re used to on the clear web, they’re just 56 random characters thrown together. That’s the only technical barrier, is just working out where to go. Accessing the dark web itself and the sites is very easy.

Vlad: We also have to mention that most of these forums, quite a lot of them-, not all of them but quite a lot of them also have a surface web address, a regular one, as I was saying earlier. You can just go onto Breachforums. You don’t need the onion link, you can use the surface link. Same with XSS, same with Exploit, same with RAMP. The most well-known forums out there also have a surface web option for those who don’t want to bother with TOR.

Aidan Murphy: Would it be right in thinking that the ones that do require this kind of extra authentication, so you mentioned RAMP requiring a fee or proving that you have credibility on another forum, is there, I guess, a hierarchy of forums in terms of more serious cyber criminal activity on those forums? You would expect more, I guess, serious crime or more sophisticated hackers? Is that the right way of looking at it?

Vlad: We could say that. From my experience on the forums, I think those forums are somewhat open to everyone to join, even if they have a fee that you have to pay. RAMP and Exploit are probably considered to be the most serious ones at the moment. There’s a good balance between quantity and quality of threat actors. XSS is also quite similar. There were forums in the past who aren’t used anymore, they, kind of, died down. They’re still active but there isn’t much activity. Even if you wanted to join, you’d have to pass an interview with the admin who would personally ask you questions. This is a great example of the Kick Ass forum. I mean, it’s way past its prime at the moment but the admin over there, he asks you questions in person. You had to pass the interview. Also, you had to remain active on the forum. That was probably considered serious-, or it wanted to be considered a serious forum at the time but it didn’t go that well because it was too strict for a lot of actors. Free forums like Breach, you see a larger number of scammers. They’re easily bannable by the admins but it’s a game of cat and mouse. You have to pay attention if you want to purchase anything from there.

Aidan Murphy: I imagine if you’re an actor concerned about your OpSec, doing an interview to get onto a forum may go counter to your sensibilities. I can imagine that may have been off-putting to some people. Just before I come to you, Joe, to maybe talk a little bit more about what’s on these forums, Vlad, just one more question on the differences between the levels of the forums. Is there a divide between these Russian forums you mentioned like XSS and Exploit and the English-language speaking forums or, again, is there a lot of crossover between them?

Vlad: There is a huge crossover. When I’m saying Russian-speaking forum, it doesn’t mean that it’s necessarily speaking Russian only. It’s tailored to Russians, the admins are Russian but there are a lot of English speakers out there who want to join and want to have a more mature and a more serious audience who even if they are English speakers, they prefer to use those forums. They usually don’t have an issue with that, you can post freely in English. I think there’s a huge crossover between them. Also, I’ve seen actors moving on from Russian speaking forums onto English-speaking forums. The language barrier isn’t that much of a problem, apart from communication sometimes but in terms of sales and business, you’re free to join everyone. Probably the Chinese forums are a bit more strict in that regard. There is a more definite wall between Chinese forums and the Russian and English ones but apart from that, no, I wouldn’t say there’s any divide between them.

Aidan Murphy: That’s interesting. Are there any examples of Chinese forums? It’s not something I’ve come across before.

Vlad: There is Deepmix. It’s a bit more difficult to get into if you’re not speaking Chinese but it’s still active. There’s quite a few others which I cannot pronounce their names because I don’t really speak Chinese. Also, I’ve noticed something interesting on the RAMP forum recently. I mean, over the past year. They’ve translated some of their sections to Chinese as well, to Mandarin. They basically wanted to attract actors from that region. It worked, roughly. There are some actors active over there who speak Chinese but there’s not that much of an audience but it happens. It’s the first time I’m seeing this.

Aidan Murphy: It speaks, I guess, to the international nature of the hacking scene. Was there something you wanted to add on that, Joe?

Joe Honey: Yes, I mean, I almost wonder Vlad if we can almost, like, draw a parallel between mainstream social media and, you know, forums and stuff on the dark web. If you look at the clear web zone, you’ve got Facebook, you’ve got Twitter, you’ve got Instagram, they are, you know, your big boys, your main players. You know, pretty much every piece of content either starts on Facebook or, you know, starts somewhere else and ends up on Facebook at one particular point. I think it’s kind of quite similar for the dark web. You know, you have your XSS, your Exploit, Breachforums and so on which are popular and most people have accounts on but for every Facebook, there’s, what, five, ten smaller, niche communities or more where, you know, things are discussed and, sort of, nuggets of gold from an intelligence point of view end up. They, sort of, change places all the time. You know, if you look at how Facebook dethroned MySpace, kind of, many years ago, similar things happen on the dark web. Sometimes it’s, kind of, a very quick, quite rapid change and others, it’s much slower.

Vlad: We also have to take into account the fact that in this area we’re speaking about business. If someone wants to sell something and if they cannot find the right buyer in their area, they’ll have to look for other markets to go into. I’m thinking that even actors from China or Chinese-speaking regions who cannot find the right person to sell to on Deepmix or on Chang’an, which is another Chinese forum, they will look for other places to do so or maybe they will obtain access to some Chinese government institution which they wouldn’t want to sell that on a Chinese forum because they would be afraid of repercussions from law enforcement. There are plenty of reasons for actors to spread their wings far and wide. Of course, they want to sell their product and if the only way to do so is abroad, then they’ll do so.

Aidan Murphy: This leads me on beautifully to something I was about to ask about which I guess is the activity that goes on on these forums. You mentioned before, Vlad, that there’s a lot of, kind of, information sharing, education, learning new skills but you have just mentioned there is a business element to this and something that we see a lot is initial access brokers. I wonder, Joe, maybe if you could explain what an initial access broker is and how they operate?

Joe Honey: Yes, of course. An initial access broker, it’s probably just a posh title for a specialized hacker. What they specialize in is that very first part of an attack on the business. If you consider, you know, a cyber attack on a business, it all starts with someone getting a foothold into that organization. Essentially, kind of, walking through the front door. You would then wander in, have a round, understand, you know, what is this computer network, what’s inside the organization and then you would take some sort of action. You know, you would take that data for yourselves. If you’re a ransomware group, you would probably do that and encrypt all of their data and all their systems as well. What initial access brokers do is they specialize just in that very first part of that chain. Finding a business that has a vulnerability, a technical weakness in their infrastructure. They will exploit that and gain a foothold inside their systems. They’ll typically do a little bit of work past this. Yes, they’ll do a bit of enumeration to try and understand what potential assets are there. Quite commonly we see things like how many computers are on the network, what systems are they running, what security tools are they running. Essentially, they will take that, they will package up that access and the initial information they’ve got about this victim and then they will try and sell that on the dark web. Typically, depending on the size of the company and, you know, the value of the data there, those accesses could go for $20-50, something like that. It could go for tens of thousands of dollars, depending on, you know, the potential benefit from an actual hacker, sort of, doing that. They’ll take just that very first part of that attack chain, that sort of access, they’ll sell that to the highest broker and typically, they do that on forums because, sort of, forums are much better suited to that product compared to a marketplace. If you consider a marketplace to be like Amazon, you go on, ‘I want ten whatever’. Amazon is perfect for that. You go on, you place your order, you make your payment, who gives a shit? If you’re trying to buy an access, it’s not as black and white. You know, who are you going to hack into? What is there? What do I potentially need to know to do that? Do I need to spend my $10,000 up front to potentially get a million dollars when I successfully ransom the business, for example? So, because of that back and forward nature and, kind of, the questions that often happen, they tend to sit more on forums rather than marketplaces.

Aidan Murphy: Where we see this then on the forums is effectively as an advert, or at least that’s how I think of them. They advertise this access and then you typically see other forum members interacting with it, like you say, Joe, maybe asking questions or bidding because effectively, they’re often done as auctions. I guess the tricky thing about this is they probably can’t give away too much information because they would let the organization know that they’re being targeted. What type of information does the typical initial access broker provide to let the buyer know or give an indication of what they’re getting?

Joe Honey: Yes, you’re exactly right. It’s a fine line to walk. You know, they want to share as much as possible to, kind of, showcase that they’ve got a valuable product. They want to drive that bidding, they want to get it sold, at the end of the day. If they share too much, you know, another hacker will go and just abuse that access, they’ll target that same business or exactly right, the end customer, the victim will, sort of, patch that particular vulnerability. I mean, what we typically see on, sort of, initial access broker posts, we typically see the industry that the organization is a part of. We typically see details around turnover and the numbers of computers and so on that’s on the network. We quite often see what kind of systems are in use, you know, what operating systems, what level of access has that access sort of got. You know, if there’s an antivirus or something they’ll, kind of, try and put that there as well. I mean, a lot of the information that these kind of access brokers share is just taken straight from sites like ZoomInfo. You know, they’ll put in Searchlight Cyber in there, they’ll see that we’re a software company, we’re based in the UK, we’ve got X number of employees, X amount of turnover. I’ve seen they’ll even just copy and paste the output from ZoomInfo and pop it into that sort of access broker post. There are a few people out there who go to a lot more depth. There’s a couple of very brazen access brokers. The name of one escapes me now, he attacked a university a couple of years ago but he’s, kind of, been that big, he’s that well established that he’s very happy to just share the names and, sort of, domains of the organizations that he’s targeted. There’s a real mix but, I mean, on the whole, it’s as little information as they can get away with but still conveying the, kind of, size of the organization.

Aidan Murphy: Vlad, I know you spend quite a lot of time tracking down these initial access broker posts. From a security perspective, so, looking at this from maybe our audience of security professionals, what can they learn from these posts and how useful is it that we can see them on the other side, I guess?

Vlad: Well, I think monitoring those initial access sales is quite relevant. As Joe said, they provide a lot of very useful information. Sometimes actors, they actually provide too much information which would allow any security team out there, any member of the IT department who knows their way around their network to actually identify how the actor got there. They can actually identify if they are the victim or not. It’s extremely relevant and I’m saying this because we’ve seen actors providing so much detail about the companies that the actual company was able to identify themselves, they identified the door that was accessed to get into their systems and they secured their network before anything much is happening. This, of course, comes down to was the initial access broker careful enough to not provide enough information or did he provide? Sometimes I’ve noticed that actors, they do not provide that much information on the initial access sale thread but if a security researcher would try to get into direct contact with the actor, which, of course, by using human intelligence methods, you can get some more info from the actor by speaking to him directly, asking for proof of concept which often comes in the form of screenshots or videos from the network. There’s plenty of information to source from the actors which may help you protect your network before any kind of attack happening. This is basically the pre-attack surface, it’s just you have to make sure that you monitor all these forums, monitor the relevant initial access brokers because you never know when you’re the next victim.

Joe Honey: I think it’s possibly worth adding as well, Vlad, you know, if you consider the lifestyle-, sorry, the life cycle of a cyber attack, you know, you look at the Lockheed Martin model from reconnaissance and weaponization through to command and control and actions on objectives, a lot of security setups, I mean, if the hacker is careful, they may not get noticed until that bad action is actually taken. You know, that malware is deployed, that ransomware starts encrypting the systems. The initial access broker post, it sits around that, you know, exploitation, that installation, sort of, type level there. It’s much earlier in that kill chain. If you can identify, you know, you’re being attacked much earlier in that kill chain, it’s going to be quicker, it’s going to be cheaper, it’s going to be easier for you to fix that particular problem, that particular vulnerability rather than waiting for all of that bad news where, you know, the ransomware is detonated and the many millions in ransoms and downtime and negative media exposure and so on.

Aidan Murphy: Yes, so, I guess this is an opportunity, really, for security professionals, because of the initial access broker model, there’s a point where effectively, they have to communicate externally and even if they’re doing it on these forums that have a degree of anonymity, have a degree maybe of barriers to entry, like you said at the beginning, Vlad, they’re pretty accessible, really. There is an opportunity for security professionals to gather this information, like you say, Joe, act a little bit earlier. Vlad, you look at the profile of these initial access brokers as well. It’s a game of reputation, right? Often they sell access to multiple organizations and they, kind of, build up this credibility over time, it’s very rarely just a, kind of, one and done situation, is that right?

Vlad: It really depends on the actor. I’ve seen actors who take OpSec really seriously, they create a new account for each of their sales but there are actors out there who have been active for the past seven or ten years. There isn’t a definite answer for that. Some actors prefer to just use one account, they gain a reputation over time and they can charge more and more money because if they get reputable and they have confirmed sales on the forum, they will be seen as trustworthy and buyers can-, will feel free to contact them and buy from them without being scared of being scammed. Even with new actors, in the last few years, forums became a bit more secure. Most of the reputable forums have an escrow or middle man service which basically guarantees that what you’re paying for, you actually get. This middle man basically acts as he’s going to-, the middle man usually is the forum admin or another reputable person from the forum and this middle man will hold your money and will get the product from the actor basically being a third wheel over there, to make sure the product is right and when he confirms the product is right, he will exchange the product with the money, basically, giving the money to the seller and giving the product to you. Of course, in exchange for a percentage. This way, you wouldn’t have to pay the money upfront and eventually get scammed.

Aidan Murphy: Okay, that makes sense. That’s one type of activity that goes on, initial access brokers. Obviously, we talked about the education and sharing of, kind of, techniques. We did mention ransomware. I guess it might be quite surprising to listeners, it was surprising to me that there are these hacking forums where ransomware is a banned topic as you mentioned, Vlad, but there are some ransomware groups that do use forums. How exactly does that work?

Vlad: They generally use the forums for communication and discussing things, discussing about their plans, discussing about all sorts of stuff but they’re not actively recruiting from the forum. They’re not looking for the affiliates, they’re not advertising their actual product. For example, LockBit, LockBit support is quite active on XSS. They have thousands of reputation points but they’re not actively recruiting over there, at least not since the ransomware topic has been banned. In a similar way, they discuss with other ransomware operators, for example, with Blackhat. Recently, Blackhat was taken down and there was an interesting discussion on XSS from LockBit to Blackhat where they mentioned that anyone who was impacted from Blackhat, they’re free to send them a message and discuss about their future endeavors. Other than that, on the RAMP forums, they allow discussions and they allow a bit more freedom in terms of ransomware just because they are a smaller forum and they are looking to attract more hackers because it’s a very well rewarding business. There’s money to be made and with smaller forums, there is some flexibility. While on Exploit and XSS, they’re a bit afraid of law enforcement, so, they wouldn’t want to risk such a large community to be taken down by law enforcement just because they’re discussing and actively advertising ransomware. With RAMP, this risk is much smaller because the community is much smaller and even if they get taken down, they’ll quickly spread to other forums. Yes, it’s just a matter of risk versus what you lose in case of law enforcement taking you down.

Aidan Murphy: That’s why ransomware is banned on some forums, because it’s too hot a topic, effectively, that there’s too much law enforcement focus on it? Interesting.

Vlad: Exactly.

Aidan Murphy: Joe, is there something you wanted to come in on?

Joe Honey: For the work that I’ve done, you know, we’ve seen examples of ransomware groups actively bidding for access on initial access broker posts on forums and things like that. You know, an initial access broker post is-, can be widely valuable on that kind of community and will be damaging to people like us but I’ve also seen, I guess it could almost be called, like, PR work, kind of, being done by the ransomware groups. You know, a lot of the ransomware groups, similar to the access brokers, depend on their reputation. You know, if they’ve got a reputation for taking money and not decrypting their victims or overstating, kind of, the access they’ve got and the ransoms they’ve done, that’s essentially going to destroy their reputation and make it a lot more difficult for that group to make money. You’ll quite often see posts around, you know, this ransomware group bragging about a new version of their encrypter, that sort of thing. You know, a particular win or success. It’s all about building their, kind of, profile online.

Aidan Murphy: Yes, we’ve discussed this a little bit more, actually, on the ransomware episode. We have too this slightly paradoxical situation that ransomware groups have where they seem to be very focused on their publicity while at the same time obviously using the dark web to mask their activities but it is a fascinating topic. We’ve mentioned, I guess, one way that security professionals can use forums. Monitoring initial access broker posts, for example. They could identify that they are being targeted, it’s probably something worth doing. I guess maybe just to wrap up, I might ask each of you what other intelligence can security professionals gather by monitoring forums? What can they learn about the cyber criminal community from keeping an eye and is that something you would recommend that organizations do to keep an eye on what’s happening on hacking forums? I’ll start with you, Vlad.

Vlad: I think it’s very important to not only monitor for specific incidents but also monitoring for trends and monitoring for methods and keeping up to date with everything that comes to the actors’ TTPs. Okay, probably your company is not going to get targeted because you have a lot of security measures in place and so on but you have to make sure that it doesn’t-, your security measures aren’t obsolete in, let’s say, six months. You have to keep on updating and updating everything to make sure you keep up to speed with the actors’ TTPs. By TTPs, I meant techniques, tactics and procedures. As I said earlier, it’s a matter of game of cat and mouse. You have to be faster than them, you have to keep up with them because you never know when they find that new very interesting method of getting a foothold into your network. Also, actors, quite often they speak, they discuss and sell information about vulnerabilities and methods of how to exploit CVEs and so on and it’s a very good method for you as a security practitioner and information technology department member to make sure that those CVEs that are discussed, they do not impact-, they are not about software that you use on your platform and resources and services. Yes, as I said, it’s not necessarily your fault if software is vulnerable to something but you have to make sure that you-, security discussions about it arise on forums.

Aidan Murphy: Yes, and I think something we talk about sometimes is there are obviously a huge amount of vulnerabilities and a problem for organizations is how you prioritize patching but, for example, if you look on hacking forums and see a particular vulnerability is being much discussed and like you say, maybe information is being shared on techniques for exploiting it, you could maybe make a good decision to prioritize that patch. Effectively, you’re using the resources that criminals learn to train themselves to understand how, you know, you could protect yourself as well. I don’t know if there’s anything you’d add on that, Joe, what else can people learn from these-, monitoring these forums?

Joe Honey: No, I mean, you made the exact point that I was going to do around that prioritization. You know, yes, you can use forums to look for dark web threats towards yourself. Yes, you should absolutely be using forums to understand, you know, what actors are doing and where and so on but every organization only has so much budget, so much manpower. If you rewind to last year when that Citrix Bleed, sort of, vulnerability came out, within just a couple of days of that vulnerability being announced, there was exploit code freely being discussed and shared and promoted on a number of forums. You know, if you had two or three IT projects on the go for that particular time, if you see something like that that is widely exploited, has a massive risk to your infrastructure and is so easy to do based on what you can see, you know, it’s quite clear that you need to prioritize that.

Aidan Murphy: Brilliant. Well, that seems like a good note to draw a line under this episode of The Dark Dive. A big thank you to Vlad and Joe for joining me and if you can’t wait to find out more, remember, you can follow us for free on Apple Podcasts, Spotify and whatever podcast app you have on your device and get all of the episodes of this limited series in your podcast feed now. If you’d like to get in touch with us here at Searchlight Cyber, you can find our social media accounts and our email address in the show notes. Or you can find plenty of information on our website, ‘www.SLCyber.io’. Until next time, stay safe.
