
Going Undercover in the Underground - A Guide on How to Infiltrate and Engage - Michael-Angelo Zummo

BSides KC · 2023 · 53:20 · 146 views · Published 2023-10
Category: Technical
Team: Red
About this talk
The dark web is filled with threat actors planning nefarious crimes. Cybersecurity professionals know that threat hunting in these underground environments is necessary, but they don't know the most crucial step to beginning the process. 'How do you access the deep and dark web?' and 'How do you gain a threat actor's trust?' are the questions most commonly asked by cybersecurity professionals preparing a proactive threat hunt. Navigating the underground requires dedication to persona management and setting up a safe and secure environment so that one does not expose oneself to malicious actors. Senior Threat Intel Specialist at Cybersixgill, Michael-Angelo Zummo, will demonstrate how to set up a secure environment (a dirty machine) using Tails, how to find sources on the dark web, best practices when creating your first persona, how to communicate with threat actors, and of course how to seek out threats once you gain access to the sources where threat actors plan, play, and profit, all while using real examples that attendees can try for themselves. From this session attendees will:
1) Gain practical knowledge of the tools threat actors use to remain anonymous and communicate
2) Identify popular sources where threat actors communicate and share malicious tools and sensitive data
3) Learn how to threat hunt once one has successfully infiltrated these underground sources
Attendees will develop an understanding of the cyber underground discourse and discover where threat actors plan, play, and profit. However, when pursuing these threat actors, one must acknowledge the associated risks and learn how to navigate the underground safely. This presentation will inform attendees on how to build their own personal investigation lab through the use of Tails OS and persona management. Zummo will present the techniques he has developed after years of trial and error and provide recommendations on how best to create a persona that leaves no trace back to oneself.
After that, Zummo will inform attendees on how to navigate the underground and find relevant sources where threat actors are active and communicate sensitive information. They will learn how to monitor that activity and extract any intelligence that might help them defend their organization. While not recommended, Zummo will also show how one can communicate with threat actors using their preferred communication channels, such as Telegram, PGP, Wickr, Jabber, and more.
Transcript [en]

Hey everybody, thanks for having me back. Anyone who attended my talk last year here? Obviously Brad. I've got to thank Brad for introducing me to this great community here, other people there as well. Awesome, thank you again for coming back. I am Zummo, I just go by Zummo. I am the North America threat intel manager at Cybersixgill, and last year I talked about threat hunting at this conference and how to implement a threat hunting program, a CTI program, within your organization. One of the most common questions I got when we got into the dark web and stuff like that was, well, how do you get started in the dark web? How do you safely access it, and how do you engage with threat actors and start extracting intel from there? So that's what this talk is about. We're going to talk about everything from setting up your own dirty machine, your own secured environment, to start exploring the dark web, and then of course we're going to talk about how to find sources on the dark web, and as you'll see, I actually just call it the underground. And then once we've developed some sources that we have interest in, we're going to actually create our own persona together, and my goal is to give you all the steps today so that you could actually do this yourselves afterwards. But we're going to do so in a safe manner, and I have two rules: one, don't become a perpetrator, and two, do not become a victim. I have to say that or else the FBI might come knock on my door later. And then once we create our personas, we're going to actually show some examples of communicating with threat actors and some of the methods that we use, and then of course, just like last year, we'll do a little bit of a threat hunt at the end together.

So this is probably the only time I'm going to say dark web, or the last time I'll say dark web, throughout this presentation. I think everyone here probably has a good understanding of what the dark web is, but basically it's anything that's not indexed by Google. You need a special browser to get access to it, things like Tor, which is the onion on the bottom left for you, I2P, and then ZeroNet, which is a little less popular these days, but there are still some sources that are hosted there. But really, I like to refer to it as the underground, because many of you, if you're in threat intel or you do your own OSINT, know that many of these sources aren't just exclusive to the dark web. You can get to plenty of sources just using Google; you can find intel on Reddit, on Twitter, Pastebin, things like that. And then there's also messaging platforms like Telegram, which is, you know, a huge platform now for threat actors for any type of use case: for fraud, terrorism, narcotics even. You could pretty much find a channel for anything on Telegram because it's easy to use, it's very accessible for threat actors of all levels of sophistication, no matter what kind of experience they have. So for the rest of this we're going to just talk about it as the underground: places where threat actors engage with each other, where they plan, play and profit from their attacks. And again, my two rules are do not become a perpetrator and definitely do not become a victim. That's part of the goal of this, is to help you set up a secure environment so that you can actually do some of the activities that I engage in safely yourselves.

As you'll see here as an example, this forum might actually look familiar to some of you. If you know what it is, just call it out. But many of the programs that you can click on, or, you know, files that you can download from these sources, are malicious. So you might think you're downloading one thing for your research, or for, you know, engineering or whatever, and in fact you're downloading a RAT onto your own machine, because threat actors are looking to take advantage of anybody. They're not, like, friends with others on the forum; they will take advantage of anyone that's silly enough to, you know, click on links like this with their own machine. So always set up a dirty machine before you're going to explore some of these sources, and definitely before you start clicking around on these sources.

Now one of my preferred methods of exploring the dark web, or the underground, is by using a Tails machine. Tails OS is very lightweight; you could just flash it onto a drive. All you need is like 8 gigabytes of storage, and you can plug that drive into pretty much any machine and then boot up the Tails OS, which is amnesic, so every time you terminate that machine it's going to erase everything off of that drive. It's not magic. You still can't be logging into your Facebook or your bank accounts on it, because if you're connecting whatever your activity on that drive is to your personal life, then, you know, whatever activity you're engaging in, it can be traced back to you. So this is meant to disassociate everything from your personal machines, from your personal profiles. This is purely meant for your threat intel investigations, your dark web investigations, stuff like that. I have a quick little video here for you to show you booting it up. It's very lightweight, and as you can see here, you can actually set persistent storage, but if you set persistent storage you're leaving more room for you to get compromised by threat actors in the underground. By the way, you can get this from me afterwards, so if you want to see these again I can send the slides; you can send me a message afterwards. But that's it, that's all it is. There's a few programs on Tails; it comes with Tor installed, so you can start navigating to those sources right from the beginning. But again, it's not magic. You still need to put additional precautions in place and make sure that you're not connecting any of that activity you're doing on Tails with your personal self, and we're going to go through those steps here.

Now every time I do a video the presentation messes up. Here we go. All right, so we have Tails set up, or you have a VM set up, something like that, some sort of secure environment where now you can go on Tor and just start looking around, start trying to find sources, start trying to follow threat actors and gain access to some of these sources. But there are a large variety of sources out there. I come from a military and law enforcement background; I spent a lot of my time developing my personas on narcotics forums, marketplaces and things like that, taking down narcotics dealers, you know, serious ones like fentanyl dealers and things like that. But there are sources for whatever use case you're interested in: for data leaks, ransomware, malware, again narcotics, fraud, anything like that. You can find a source hosted on the dark web, or again just a clear web source, or a chat group somewhere on Discord, for example.

I have some examples here of these sources. Cracks, which we'll talk a little bit more about in the next few slides, is just a clear web source; it's cracks.pro or something like that. You can find it on Google and anybody could register for it. It's not very difficult, but there is very sensitive data on this type of source. You can find leaked data for major enterprises, you can find vulnerability information, malicious programs, people trying to hack their ex-girlfriend's Facebook accounts, whatever it is. You can find it on forums that all look relatively the same. These probably look very similar to sources that you might go to for your own hobbies, like a biking forum or something like that. That's all this is. Then you have credit card markets. Fraud is one of the number one use cases that we're extracting intel from in all of our organizations, especially in law enforcement, but there are plenty of sources that are just dedicated fraud markets where you can purchase anybody's compromised payment card. These, you know, they're listing thousands of payment cards a day, and you can buy somebody's account for as little as a dollar and start using their credit card information to commit fraud. Then we have your miscellaneous markets, your drug markets, which is again where I spent a lot of my time back in the Silk Road days. But this one you can see here, which is known as DarkFox, is a source where you could buy anything from narcotics to pornography to even just legitimate stuff. It's a site like an Amazon where it just hosts vendors that could sell whatever they want anonymously, but there are plenty of markets like this; this is just one of those examples. Russian Market. How many people are familiar with Russian Market? Couple of hands there. This is what we call an initial access broker. Probably for anybody in intel that is here today, this is probably one of your biggest pains in the ass that you're hearing about every single day: compromised access for sale on the dark web. This is probably the notorious market. There were many others like it, but this is definitely the most popular one, where you can just simply go in and buy an account to pretty much any domain you can think of. They're available every single day for, again, as little as a dollar, and we'll talk more about this when we get into the threat hunting later on. And then lastly, Telegram. As I mentioned earlier, you can find a Telegram channel for anything, whether it's fraud, narcotics, leaks, malicious programs, gaming, again whatever hobby, fishing, whatever you want. You can connect with people around the world, and it's so popular with threat actors because of how easy it is to use and how accessible it is. So this is one of those places where we're constantly finding access to and engaging with threat actors and communicating with them after we've connected with them on a forum somewhere.

Now when it comes to dark web sources, there's a bit of a challenge here. One, most sources, you know, the popular ones, you could probably find pretty easily these days, but most sources are pretty difficult to find, and there's a reason for that: people are trying to remain anonymous, right? And you actually need the whole onion link, which is that link highlighted here, a little difficult to see for you guys, but again you can get these slides from me afterwards, and I think it's being recorded as well. But you need the actual onion link, or one of the mirrors, to get to these sources. You can't just Google, you know, CP BB and get a result where you could just log in. You need that link. There's different ways to find those links; I'll show you one in a few slides. But there are some sources that will host links to these dark websites, or these onion links. Typically, though, these sources are normally listing drug sites. It's one of the most popular reasons why threat actors, or people in general, are going to the dark web: to buy drugs. It's very easy to buy drugs on the dark web; that's why I had a job in law enforcement for so long. But there are sources like the Hidden Wiki, Shadow Wiki, Dark Eye, Darkness Live, many others as well, constantly coming up and, you know, oftentimes going down as well, that will host these links, where you can simply just click on it or see the mirrors for those sources and then start exploring these sources. But again, they're mostly for narcotics sites or fraud sites. You'll often see that those sites that we typically use for threat intel, leak sites, ransomware sites, things like that, usually it's a little bit more difficult to find those links. But if you're going deep enough into Reddit, or you go on Twitter, or you're active on another source, maybe not a dark web source but some other forum, you'll have an easier time of finding these links to these sources. As you can see here, this is an example where oftentimes threat actors on just a normal clear web source will advertise another source that they're active on, or in this case this threat actor was advertising their own Telegram channel, where they were posting data leaks and combos for credential stuffers and things like that. So oftentimes you just need to participate on some of these forums and stay up to date on the posts to find links like this, to find, oh, here's another source that threat actors are frequenting pretty often.

Now oftentimes finding the source is not enough. You have to register for them, right? And this is why persona management is so important, because we're not going to register for a malicious source with our Gmail, right? We can't be letting these threat actors know who we are. One, most of the time they don't

care who you are, but they will ban you if they don't think you're contributing to the source. But, you know, worse, they could actually target you. So registering to these sources can be pretty difficult, especially because many of them require invites or access codes, things like that. Genesis was one of those competing initial access brokers, probably one of the first ones, before Russian Market came online. I was particularly proud of this one because I was one of the first people, one of the first threat intel people, in this source, and this was a source where again you needed to know the admin to get an invite, or you needed to pay a significant fee to get access too. I, having all my personas from law enforcement, got into this one pretty quickly and then was able to make a bunch of burner accounts just in case that one got banned. Forum RAMP, which is a Chinese and Russian speaking forum primarily, although they mostly speak English on the source, is another example of a dark web forum where you need to again know the admin or, in most cases, actually just pay the fee. Quick note for any threat intel analysts or threat hunters that do this manually: never use your own funds to pay to get access to these sources. You will get burned. We've been burned before, I've been burned before, where you pay a fee and then you never get your access, or, you know, you get scammed or something like that. So never use your own sources; make your companies pay for that. And then back to Cracks Pro, which is a pretty easy source to get registered for, but the issue with this source is you need to actually participate or contribute to the forum. Now again, my first rule is do not become a perpetrator, so we're not going to engage in criminal activity, right? The FBI has some pretty good guidelines of what you're allowed to do, what are gray areas, and what you should not do at all. But on this source you need to actually participate to be able to get access to everybody else's posts. A quick little tip: threat actors like to know what's going on in the world, so an easy way to get around this is just share articles. You can go on a source and, you know, the CISO comes in screaming about some new vulnerability that's being reported on; you could simply just share the CNN link about that vulnerability, and that's usually good enough for these admins on these sources. You have to post it in the right section; they are pretty picky about where you post information. They don't want you to be on, like, the leak-your-girlfriend's-Facebook tab and you're posting vulnerability stuff. But it's usually good enough for you to get around these requirements so that you can actually see what other people are posting and try to extract whatever intel you're looking for.

The next obstacle, which is becoming a bit of an easier obstacle to hurdle over, is language barriers. Many of these sources... some of the most sophisticated threat actors in the world are Russian, Chinese, but that's not it. You know, there's German, Italian, Arabic, plenty of other languages out there that are using the underground to engage in malicious activity. Again, I was a Korean linguist in the military; unfortunately Koreans don't like to use the dark web at all, so I don't really get to have any fun with that or practice Korean anymore. I have to do it legitimately. But you can find pretty much any language or dedicated source for that region of threat actor in the underground, and that's one of the barriers, or obstacles, that you're going to have to deal with, because not everybody targeting your company speaks English, right? They are speaking many other languages, and you need to be able to see that to be able to identify the threats that your organization might have. And then there's also VIP sections. Anyone familiar with RaidForums? One, two, a couple. Rest in peace. RaidForums went down, was taken down by law enforcement, I guess probably a year and a half ago now or something like that; a couple have taken its place. It was a forum that was around for a really long time, and I was sad because I had personas on that forum that were just specific to that forum that I can't really use anymore. But that was an example of a forum where just gaining access wasn't enough. You need to also, again, participate in the forum, or know sophisticated threat actors on that site, or significant threat actors, to actually get access to the VIP section, or you could just pay your way too. But there are many sources like this where they'll have VIP sections, where the most precious intel for us is actually located. So as you're exploring these sources, it's something to keep note of if there are locked areas of that forum, because that's typically where you're trying to get your intel from.

So we've set up our dirty machine; in this case I'm using Tails. Now again, Tails is very good for your one-off investigations. If it's something you're looking to automate, then you're going to have to look into other methods, like a VM, a dedicated VM that you can set up. Tails is not really meant for that; it was really meant for journalists and people behind enemy lines being able to communicate what's going on without risking themselves. But whatever method you have, as long as you have some sort of secure environment that you've set up, and now you've identified some sources that you want to get access to, we need to actually create our own persona. And for our persona I actually modeled it off of a threat actor. I have many personas, but for this example I created a brand new one just so that you guys can learn from this, and you can learn from the requirements that I built here for this persona. But all you need to really do is model it after any other threat actor that you see on these sources. You know, the best ones aren't the most popular threat actors, but the ones that are using the most forms of communication or are active on multiple sources, so that you can kind of blend in and model after them. So some of the requirements that you're going to use are a burner email; in this case I just use Proton Mail, it's usually my go-to. You're definitely not going to use Gmail or anything like that that requires you to verify who you are. A password manager. I almost hesitate telling you this because I believe the best way to learn things is through pain; I still try and do that. But if you don't use a password manager, you risk logging into a site that is no longer legitimate, and then you lose access to all your other personas. So don't do that; use a password manager and do not reuse passwords. Make sure your persona is completely isolated from the real you, because again, we're not going to become a victim, right? And then we're going to use other communication methods like PGP, which I'll show you an example of, Jabber, Telegram, and then one other which we'll go through. So this is Pitiful. This is me.

You can actually find Pitiful, and a challenge that you could do if you follow these steps afterwards is actually try and contact me. You could contact me at Proton, at pitiful at proton; the L's in "full" are ones, just FYI. You can find me on Jabber, pitiful at xmpp.jp. I will warn you, though, I don't always have Jabber pulled up on my machine, so if you reach out to me there I might not get back to you right away. On forums, I'm not going to tell you which forums, though; you'll get a hint later. You'll just find me as Pityful. On Telegram, which is probably the easiest way to get in touch with me, it's @pitiful. And then here's my PGP fingerprint. So this is our persona that we're going to run with for the next few slides, and again these are some of the requirements that you can follow yourselves when trying to set up your own persona. By the way, I love pit bulls, if you didn't know.

So for this example I created this persona following Jack Low, who is not a very significant threat actor. It's not like a notorious hacker or anything like that; it's just some random person that I found on a carding forum known as Cardvilla that has profiles across various sources and is using multiple contact methods. As you can see, it's a little hard for you to see, but in the bottom right there you could see Jack Low is also known as Baker B and Ya Fu Buo and Fountain as well. And I have a gathering tool, so it's a little bit easier for me to do now than it was back in the day, but typically if you're just on a forum, any forum of your choice, and you click on a threat actor's post, you'll be able to see the contact details that they're sharing about themselves so that anybody can get in contact with them. Especially if they're selling services, they're always listing their contact information. So in this case I chose Jack Low because he was just, you know, the easiest one to find on this particular source that I chose, and he or she uses a variety of contact methods, aliases, so I thought, hey, this is a perfect example of somebody I should model after. You could do this too, using a threat actor of your choice, or you could just follow the guide that I created with Pitiful. Now Jack Low, as we saw, shared their Jabber ID and their Telegram, which is BakerB221 at xmpp.jp and BakerB221 at Telegram, and using those investigative leads, a term we like to use in law enforcement and threat intel, I was able to find more sources where this threat actor was active. As you can see here, there was a list of, was that six forums, a couple of them dark web exclusive, most of them are just, you know, ones you can use Google to get to, but also ten or so profiles that this threat actor used itself. So it's not really a big deal if you don't utilize the same moniker or profile name across your sources, but if you're looking to develop your persona, a single persona, and trying to gain trust with threat actors, I do recommend utilizing the same moniker. Otherwise, just make sure you're using the same contact details across that profile, or across those profiles, similar to what Jack did here. We found them as Jack L on Cardvilla, but you can see he goes by Baker B, Fountain, I... some of those I can't pronounce, Rangers Z, all these different creative names. And here's another example where these threat actors are often sharing these contact details in their posts, so all you need to do is a little bit of digging, just clicking on posts, following a threat actor, looking at their activity, to find more sources, more contact methods, things like that. At the bottom of their post here, on a forum known as Altenen, not a very popular source, but you could find some intel on there, you can see that they shared their Telegram, their Jabber, and again, I don't know why, but this guy's using Outlook and Gmail as well. If I was still in law enforcement I'd be like, this is easy, we're going to find this guy in no time. Don't use your Gmails to create your personas.

Now we're going to set up these modes of communication we discovered. We found Jabber, right, PGP, Telegram, and we're also going to utilize just plain old private messaging on the forum. Take a sip of water one sec. So we're going to set up these modes of communication. I'm going to show you some examples of these just to show you how easy they are to use, and for PGP it's a little bit more difficult, or it just takes a little bit more time getting comfortable with, so I'll show you a live example of that as well. The first one we have up is Telegram. Many of you probably already use Telegram, but we're not going to use your actual Telegram address to conduct investigations, right? Now there's some challenges with that: you need a burner phone. We have the privilege of working with people overseas, so it's much easier for us to set up a burner phone than it is for somebody in the US now, 'cause pretty much burner phones, or pay-as-you-go phones, are kind of going away. But you might get lucky and find something else; otherwise you can use other services that might be available out there. But for us, we're using burner phones to create Telegram accounts with separate numbers from our own. And as you can see, Telegram is just a simple chat group, and again, no matter the use case, no matter the type of threat you're looking for, there is a channel out there on Telegram for you. Very easy to use, also very easy to go unnoticed, because oftentimes you could just join a group that's got hundreds of thousands of people in the group, but you don't have to say a word; you kind of just observe what's going on in there. Unless, you know, again back in... although I don't think Telegram was around back when I left law enforcement, but you don't really have to participate at all unless you're trying to do a buy or something like that. The cons of Telegram are there's a lot of users with similar monikers, so if you know of a threat actor, maybe you haven't seen the exact name but you heard what his or her moniker was and you're trying to find him, there could be a list of a hundred monikers that are very similar, so it's difficult to figure out who is who, and you're not going to just go and message each person trying to figure out who they are, right? There's also lots of groups with very similar names, so that can be another challenge. Another challenge is that sometimes the names are like emojis and stuff, which I don't know how to search an emoji, so that could be a challenge when trying to find groups for your threat intel. And then lastly, you need a burner phone, because we're not going to use our own personal numbers to sign up for Telegram to do our threat hunting.

next we have private messaging pretty much any Source you go on uh whether it's clear deep or dark there's going to be some form of private messaging on that form it's the easiest method to use when communicating with thread actors um it's frequently used on all the you know everything back from the raid form days to now it's uh it was breached and then breach and now it's like pone forms and there's like all these you know they all look exactly the same they just have a new admin that hasn't been arrested yet basically um but they all usually have a private messaging chat uh feature on there that you can use the issue being

thread actors can save your Chats on those sources which if you're engaging with them and all of a sudden they think you're a narc or you said something that they don't like they could flag your profile and then that could lead to getting blocked or people targeting you so it's not a method that I particularly uh recommend but it is something that is available to you if there's no other options you can also get banned using this uh because you know who knows what the admins are looking at what's happening on their sources so if they see some chatter going on between you and somebody else they could just ban you or again you can get flagged by one

of the other threat actors on that Source uh but it's pretty simple again I'm sure there's plenty of forum like sites that you that you all frequent um whether it's Reddit or a hobby site or something like that it's pretty easy thing to use you know it's typically just a message box and every time you send a message or receive a message you get a little notification that's all there really is to it problem with that another problem with that is you can only communicate with the thread actors on that source which is something that jabber uh gets us around jabber is just a messaging client that you can use and communicate with anybody that has a jabber address

and oftentimes I communicate with thread actors on sources that I'm not even active on or don't have a profile on I just know they have a jabber so I can communicate with them anyway it's pretty easy to create um I in this Slide the next slide there's a list of jabber servers that you can use my recommendation is use xm. JP most consistent one uh and you don't have to link any uh accounts for verification to your jabber address with that specific server uh and then lastly again the pro here is that you can communicate with thread actors regardless of what source you're active on the cons are sometimes it's difficult to reach thread actors because like me

it's not something that I just have pulled up all the time or running uh it's typically when I'm engaging in some sort of activity I'll have it pulled up otherwise it's not on so that's why if you're going to try TR and reach out to me recommend using one of the other methods I showed earlier uh cuz you can quite often miss uh your messages and depending on what server you're on that server might delete messages automatically so and often times before you even see it uh so it could be kind of challenging if you're dealing with a thread actor that only uses jabber and then lastly some jabber servers are just inconsistent exploits for example is like it's one it's almost

impossible to connect to. If it's up when you're doing some sort of investigation, you're like the luckiest person in the world; you should go play the Powerball. And here's just one example of a Jabber communication I had with a threat actor. This is actually probably about three years ago now. It was with a threat actor that was selling French bank data, and I was trying to communicate with them to figure out which bank it was; it turned out it was multiple banks. But it's a simple plain-text chatting program, and again, there's a couple of different clients that you can use with

Jabber. Again, you can get the list here of different servers, list.jabber.at; again, you can get these slides from me afterwards. And the client that I like to use, for Windows at least, is Pidgin. I don't know if Pidgin works on Mac or iOS, so you might have to look for a different client, but there are plenty of clients that you can load a Jabber account onto and start using for your messaging. These slides have tips on setting up your Pidgin; again, just get the slides from me afterwards and you can follow this yourselves. Next we have PGP. Now PGP, for those that don't know, is a great encrypted messaging method. It's very secure,

and only one recipient can decrypt your messages, unless that recipient shares a message, of course, or their key's been compromised. But what I have found with PGP over the years, especially in law enforcement, is if you were going through the trouble of communicating through PGP, threat actors often revealed more information or trusted you faster than if you were just PMing them on a forum. Usually they're not going to give you the sensitive data just through a private messaging feature on a forum; with PGP they tend to give you more details. The cons are that PGP is a little bit difficult to get comfortable with, depending on which method you're using.

There are multiple different ways you can use PGP. It takes a bit longer to communicate with threat actors, and if you lose your key you lose all your messages, so that's a big issue, of course. But really it just takes some practice to get comfortable with, and I have an example here of using PGP. I used a tool known as Kleopatra, Kleo with a K. Let me restart that from the beginning. All we're doing here is this key block; this is a threat actor's public key block. I'm just simply taking their key block and copying it to my clipboard, and then within Kleopatra I'm actually uploading that key block and

saving it to the threat actor. So now I can send them messages. I'm just writing here, "Hey, I love you, thank you for the dumps," and I'm simply going to copy that message and encrypt it with their public key. You can see I'm clicking through, just encrypting with that key that I've uploaded. Once I hit Next here, it's going to automatically encrypt that message, and it's automatically saved to your clipboard, so now I can just paste over this plain-text message. And now you can see the encrypted message here, which just says "BEGIN PGP MESSAGE", then the encryption, and then "END PGP MESSAGE". So the next thing you would do here is send that block to the recipient,

and they would decrypt your message using their private key. And then if they need to send a message back to you, they would take your public key, encrypt a message, send it to you, and then you would decrypt it with your private key. So don't lose your private keys, because you won't be able to see what they wrote. But it's really not that difficult; it just takes practice. And again, the advantage you get here is that threat actors tend to be more trusting when you're communicating with them over this; they're not worried about you leaking data or leaking whatever they're saying to you. So I do encourage you to utilize this method

when engaging in your threat hunts and threat actor activity. So we've set up our methods, we have our new persona, although it's very young and early on in its dark web activities, but now what do we do? We're actually going to utilize this for threat hunting and finding threats before they find us. That is all threat hunting is: it's a constant game of cat and mouse. We went through all this trouble of researching threat actors, researching methods, finding sources, getting registered to those sources; now we actually need to utilize these personas. And some of the threats, the most common threats that you're going to find in the underground, are initial access, phishing threats, supply chain

compromise, valid accounts for sale, insider threats, fraud, data leaks, vulnerabilities, narcotics, so on and so forth. Pretty much anything that you're looking for, you could find, but you want to be more targeted in what you're actually looking for rather than just kind of moseying around hoping that you'll stumble on something. Manual threat hunting is time-consuming, so keep this in mind: this is a journey you're going on; this is not a quick-wins type of investigation. It's going to take you some time to set up your personas, it's going to take you some time to find sources where you believe there's intel for you, so keep that in mind. And you're also going

to bang your head against the wall when you have to deal with these damn captchas and queues, like on Dread. Dread is like a Reddit-style forum on the dark web, a pretty interesting one, honestly, but again it's kind of a pain, because they will often put you in queues, as you can see here, and then oftentimes your queue gets interrupted and then you've got to start over again and all of a sudden you're at the end of the line. Or they give you impossible captchas like this, which I still cannot solve because I have to read digital time these days. But you'll have impossible ones like this that you'll keep retrying, retrying,

retrying, and even if you know you're right it says you're wrong, and then you'll just never get access. I think they do that on purpose. And then other times these sources are often unstable: you have competitor forums or marketplaces that are attacking these sources, trying to bring them down to get all their user base; you have law enforcement that's coming down; you have shady host providers. So these sites are very inconsistent. So an important step when you're engaging in your threat hunts is that if you do find evidence, save it, because there's no promise that that source is going to be active tomorrow when your CSO is like, "Hey, where was that

evidence again?" Because if you didn't take a screenshot, you know it's there, but the site's down now, you can't get it, and ha ha to you. So make sure that you are taking screenshots or actually documenting, because oftentimes you'll find that a source that was always active is now suddenly inactive, and you can thank the law enforcement operators for taking it down from

you. So, to tell a little bit of a story to kind of help with putting this all together: I'm not picking on RaceTrac here; they just happen to be somebody, an organization, that I see all the time when I'm getting onto the highway from my house. But RaceTrac was compromised by the Clop group, and tens of gigabytes of their data was made public back in July 2022. That information included employee tax information, financial records, customer data, a whole bunch of different stuff that was just dumped publicly on their source. And in this example Clop was actually reaching out to the victims that they compromised individually to inform them of the breach, and not just, like, posting

it somewhere on a source, so that just further hurt that brand's reputation and also pissed off a lot of people. But if we use this as an example, how might we have used our personas to help find the threat before it turned into something like this, where it was a ransom or compromise? So that's why we're going to combine our personas with our threat hunting skills and try and find these threats before they take advantage of us. One of the easiest things to find in the underground is leaked credentials. Whether it's on Telegram, on a forum, or on a pastebin somewhere, you will find plenty of different lists of credentials. Sometimes

it's hidden behind a link; most of the time it's just posted in plain text. But there are plenty of examples of credentials leaked every single day, probably millions per day, that are leaked to the underground. Oftentimes they're recycled, but that's okay; what we're looking for is evidence and risk that might be out there in the underground. In this case I was able to find a bunch of RaceTrac credentials. Here's just a snippet, just by having access to a couple of sources, where we could see RaceTrac employee emails and passwords, which I did of course blur out, that were dumped from stealer logs, and one example from a data leak.

These are things that you could again just grab from a pastebin or just by logging into a forum; it's probably the first post you'll see, the most recently leaked credentials that somebody's sharing on the underground. It's one of the most common threats that you're coming across, but it's still an important threat, because you need to know what threats are out there and what risks to your organization exist. In this case, with these emails, obviously a threat actor could test the credentials to see if they can get access to the account, or they could just use the email now in a phishing attack and target them with something more significant, like a ransomware link,

right? In fact, I did a search across a variety of different sources, and these were all the sources, in just a month's time frame, which you can get from this presentation and start trying to get access to yourselves, where RaceTrac employee emails were found. Again, just in a month, you can see at the top Breached, which is no longer up, but there were 62 results from that source alone, Cracked having 61, and then so on and so forth down the list here. So this just shows why it's important to, one, have access to these sources, but also to be looking for intel on the sources. Here's another example, just when it came to leaked stealer logs

that contained RaceTrac employee information: 150 results in a month. That's a lot, and especially if you're doing this manually and you're only one person conducting these types of investigations, it can be a bit overwhelming. But at least you know it exists, and if there are this many results out there, then maybe that starts impacting policy and additional security measures that you can put in place, because you can't deal with these one by one, so you'd better implement some policy to help protect your organization. An example of, oftentimes, logs or credentials hidden behind a link: it's a file you've got to download, and this is just emphasizing again to make sure you

are conducting this in some secure environment. Don't do this on your work laptop; don't do this on your personal machine. You need a secure environment, because you will find examples where you need to download a link or a file to be able to extract the intel or the threats that are targeting your organization. This is an example here: there's a stealer log file, two gigs' worth, and there was a bunch of intel not only for RaceTrac but other organizations within this file. And this is very often the case, that there's a barrier or obstacle that you have to go around in order to get that intel. Here's an example from Russian

Market, where you could see somebody that has access to racetrack. oo.com was compromised and listed for sale. And I believe I have a live example here. This is the actual marketplace itself; it's not in some, you know, crazy format because it's all dark web. It's not spooky or anything; it's just like a blue version of Amazon, basically, where again you simply just go to these marketplaces. Oftentimes you'll see experienced threat actors, less experienced threat actors, using these markets themselves to gain that initial access rather than trying to go create it themselves, or, you know, pen testing or trying to get access to that target in another way. They'll

simply just come to these markets and pay. They'll search for a particular URL or domain and then just see if there's anybody's account that's for sale, and just simply pay 10 bucks or a dollar and gain their usernames and passwords, and sometimes they'll even get their session cookies to try and hijack the session. Of course, I didn't provide the RaceTrac employee's details here, but once you purchase the account for sale, you'll just get a plain-text file like this back. It usually has a little stamp of the info stealer that was used, in this case RedLine, and then you'll just have a few lines, the first

line being the URL or subdomain that was compromised, or where the account has access to, and then you'll simply have the username and password, which you can see, my very strong password here at the bottom. And that's what threat actors get when they purchase this, and then from there they can try and log in. In the case of, like, Uber, for example, oftentimes that's not enough; they'll need to employ some other type of threat or attack, like social engineering, for example, to get access to that account. But this is at least a starting point for them to try and get access to that network and perform some sort

of attack. So the benefits of persona management: one, you get access to exclusive information, and you can get access to that information prior to an attack actually happening. Oftentimes, as we saw here, threat actors are just selling the data they got, but they're not actually looking to utilize it to take advantage of you; they're just selling it to somebody else to take advantage of you. So if you're not popular, or your organization is not popular, oftentimes you can get that information off the underground before a threat actor gets their hands on it and mitigate that issue before it becomes a greater attack. Also, just being active on these sources allows you to gain an

understanding of the tactics and techniques that threat actors are using every single day. You can also get an understanding of different tools that they might be utilizing, tools that they're developing, identify trends, and things like that. Of course, you could track data leaks, which is important with all the supply chain compromise going on; maybe it's a vendor or a partner that you're using and you see their data leaked on there. You can identify if there's any risk to your organization by tracking those data leaks and seeing if any sensitive information for your organization was also exposed. And also you could quickly attribute attacks to threat actors that you might be familiar with now, because you're

engaging with them. You're not just reading some blog about threat actors or threat groups; instead, you're on the sources where these threat researchers are gathering their intel from in the first place, so you're able to have your own perspective on these threats and be able to communicate with your organization some of the issues that you're seeing with these sources. So I didn't want to just end it on that. I created a little sneak peek of what I plan to do next year for BSides, which is similar to initial access: we're downloading a bunch of tools, basically, that threat actors are using, that we've identified with our own

personas, and we're going to demonstrate how easy these tools are and why they're so popular in the underground. The first one being a very popular credential stuffing tool known as OpenBullet. I'm not a hacker, a script kiddie at best; I can copy and paste tools and follow a guide and figure out how to use them, right? And that's, in a lot of cases, what threat actors are doing themselves. So we did that same thing, my buddy and I, and we did that with OpenBullet. The thing about OpenBullet is not only are threat actors in the underground using this tool every single day, they're also getting

every other piece of information they need to run the tool from the underground. In this case, all you need is a target, so who you're going to attack; a combo list, usernames and passwords, and you can find a ton of those combo lists; and a configuration file, basically a file that just automates an attack to the target that you're targeting. And to show you how popular this tool is, in just a month's time frame there were 101,000 mentions of this tool across the underground. This is, you know, probably hundreds, maybe thousands, of sources, but you could see how often it's coming up in conversations across these sources. So we went out and we downloaded

the tool. It's available on GitHub, very accessible, and another reason why threat actors are using it. But we went out and tested it ourselves and were able to capture how easy it is to do in just a minute and 40 seconds. So I have my Kali machine here; I'm going to boot up OpenBullet, and again, I can provide this afterwards, I know it's probably tough for you to see here. So it's booting up, and I'm a UI guy, I'm not a terminal guy, so I like to open it up in a nice little UI, which OpenBullet comes with. The first thing we're going to do, instead of actually downloading a config

from a threat actor, we're just going to create our own to show how easy it is to do, and we're going to build a simple HTTP request to a site known as demoblaze. It's basically like a marketplace that you can just test your automation on, pretty much, and that's pretty much exactly what we did here: we created a config to send a login request, basically, to demoblaze. I did create my own combo list, which contains three username and password combinations separated by a colon, but again, you can find these in any old dump across the underground; it's just usernames and passwords separated by a colon that we're going to

upload into OpenBullet, and then we're going to create a job. And what we're doing here is we're simply hitting start, or play, and what it's doing is sending these requests to demoblaze using that list of combinations that we've loaded in. This was a very small list, so it took like a second, but within a second it tested all three accounts, and that little green line here at the bottom showed the account that it successfully hit on, which was my test account, and showed that it successfully logged in using those details. So that's kind of just a little snippet of what to expect next year, if you all would have

me back. So more to come with that, but yeah, just a little glimpse of what's to come. Appreciate you all coming out. If you have any questions that you don't want to ask right away, please reach out to me on LinkedIn. If you're not comfortable with QR codes, I think I'm the only Michael-Angelo Zummo on LinkedIn, so I'm not hard to find, but please feel free to send me a message or communicate with me. I'd be happy to send you slides afterwards as well. So thank you.
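The talk describes the plain-text file that comes out of a stealer-log purchase (a stamp naming the stealer, then the compromised URL, the username and the password) and the point that a defender's job is to pull their own organization's exposure out of such dumps, despite heavy recycling of old credentials. As an added example following the talk, and not the speaker's own code, here is a small Python triage routine that does exactly that on a constructed sample: it parses records in an assumed `URL:` / `USER:` / `PASS:` layout modelled on the file the talk shows, keeps only records whose host or e-mail domain belongs to the organization, collapses recycled duplicates, and stores a SHA-256 prefix of each password instead of the secret so the findings can be handed to a reset or MFA process without re-leaking anything. The stealer stamp line, field labels and domains are all assumptions.

```python
"""Triage an infostealer-style credential dump for an organisation's own domains.

Added example, not the speaker's code. The record layout (a stealer stamp line,
then URL: / USER: / PASS: lines per account) is an assumption modelled on the
plain-text file described in the talk; the sample dump below is constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample dump (not a real leak). The fourth record repeats the first
# to show how recycled credentials are collapsed into one finding.
SAMPLE_LOG = """\
=== ExampleStealer v1 ===
URL: https://portal.example-corp.test/login
USER: jdoe@example-corp.test
PASS: Summer2023!

URL: https://mail.other-company.test/owa
USER: someone@other-company.test
PASS: hunter2

URL: https://vpn.corp.example-corp.test/
USER: asmith
PASS: P@ssw0rd

URL: https://portal.example-corp.test/login
USER: jdoe@example-corp.test
PASS: Summer2023!
"""

_FIELD = re.compile(r"^(URL|USER|PASS):\s*(.*?)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    host: str         # hostname taken from the URL line
    username: str     # account name or e-mail, lower-cased
    fingerprint: str  # short SHA-256 of the password; the secret itself is never stored


def fingerprint(password: str) -> str:
    """Keep a 12-hex-char hash prefix so findings can be shared without re-leaking the secret."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def _to_entry(rec: Dict[str, str]) -> Optional[Entry]:
    # Incomplete records (missing URL/USER/PASS) are dropped rather than guessed at.
    if not {"URL", "USER", "PASS"} <= set(rec):
        return None
    host = (urlparse(rec["URL"]).hostname or "").lower()
    return Entry(host, rec["USER"].lower(), fingerprint(rec["PASS"]))


def parse_entries(text: str) -> List[Entry]:
    """Split the dump into records. A blank line or a repeated field starts a new
    record; stamp lines and anything else unrecognised are ignored."""
    entries: List[Entry] = []
    current: Dict[str, str] = {}

    def flush() -> None:
        nonlocal current
        e = _to_entry(current) if current else None
        if e:
            entries.append(e)
        current = {}

    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            key = m.group(1).upper()
            if key in current:
                flush()
            current[key] = m.group(2)
        elif not line.strip():
            flush()
    flush()
    return entries


def _in_scope(name: str, org_domains: Tuple[str, ...]) -> bool:
    """True when a hostname or e-mail address belongs to one of the org's domains."""
    name = name.rsplit("@", 1)[-1].lower()
    return any(name == d or name.endswith("." + d) for d in org_domains)


def triage(text: str, org_domains: Tuple[str, ...]) -> List[Entry]:
    """Return unique records that touch the organisation, in dump order.

    A record is in scope if the compromised host or the e-mail account's domain
    is one of org_domains (or a subdomain). Recycled duplicates, the same user
    with the same password, collapse to a single finding.
    """
    seen, hits = set(), []
    for e in parse_entries(text):
        by_host = _in_scope(e.host, org_domains)
        by_mail = "@" in e.username and _in_scope(e.username, org_domains)
        if not (by_host or by_mail):
            continue
        key = (e.username, e.fingerprint)
        if key not in seen:
            seen.add(key)
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, ("example-corp.test",)):
        print(f"{hit.username:<28} {hit.host:<30} pw#{hit.fingerprint}")
```

Run as a script it lists the two in-scope findings from the sample (the e-mail account on the portal and the bare username on the VPN host) and drops the other company's record and the recycled duplicate. Matching on both the host and the e-mail domain matters because, as the talk notes, the username is sometimes just a local account name, so the URL line is the only thing that ties the record to your organization.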