Thursday 29 September 2022, 12:00 - 12:30
Dasom Kim (S2W)
Yeonghyeon Jeong (S2W)
Yujin Lee (S2W)
Jeongyeon Lim (S2W)
On the deep & dark web, threats leading to data breaches and to the exploitation of open source vulnerabilities are increasing. With the advent of LAPSUS$ this year, major companies around the world suffered damage, and confidential information held within those companies was easily disclosed to the public.
In 2020, as remote working became a daily routine due to Covid-19, threat actors began to pose a greater threat to our daily lives, from corporate infrastructure to individuals. Now it is not only corporations that are targeted: websites with vulnerabilities on the open web, small businesses and general community sites with low-level security are also being targeted by threat actors. We focused on analysing two threat actors who sold relatively little-known but critical leaks.
First, we analysed zerocool888, who sold personal information of Korean users and leaked database information related to Korean websites. zerocool888, who was active on Raidforums in 2021, sold a total of 35 sets of Korean company information and Korean personal information. The actor sold not only account information, but also website users' home addresses, phone numbers, and information on the carriers they had signed up with. And he was not just a threat actor active on the deep & dark web: he was a Korean who spoke Chinese, someone we might have encountered at least once in our daily lives, and he knew Korea well. We obtained the address of his BTC wallet in order to analyse it in depth, and collected and tracked information about how he mainly obtained leaked data on the deep & dark web.
Second, we analysed pumpedkicks (a.k.a. mont4na), who sold leaked employee information and databases related to the websites of large Korean companies and international companies. mont4na joined Raidforums on 10 November 2020, and on 22 January 2021 wrote a post on Raidforums with the title “TXT nmmoney.xyz”, selling leaked email and password information.
From 28 October 2021, he started selling website-related databases and leaked employee information in earnest. In 2021, he sold a total of 42 corporate-related databases and sets of leaked employee information. We have confirmed that he always uses sqlmap when attacking websites, and that each time he sells only information obtained through SQL injection vulnerabilities.
Since Raidforums was shut down, the actor has mainly been active on the Breached and XSS forums, selling a total of 31 sets of victimized company information by March 2022. The buyers of the data from pumpedkicks (a.k.a. mont4na) are diverse, and his BTC wallet is constantly generating new transactions.
In this presentation, we cover the data leakage incidents related to zerocool888 and pumpedkicks (a.k.a. mont4na) and share the results of our analysis and tracking of these data brokers.
This work was supported by an Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (MSIT) (No.2022-0-00740, The Development of Darkweb Hidden Service Identification and Real IP Trace Technology).
Dasom's main research areas are user profiling, brand abuse case analysis, and takedown process research in Deep & Dark Web forums. Currently, she is working as a senior researcher at S2W TALON's HOTSAUCE, performing correlation analysis between users of Deep & Dark Web forums, and analysis and response to Deep & Dark Web data leakage incidents and brand abuse. She is primarily interested in analysing threat actors related to stealer, ransomware, and data breach incidents found on the Deep & Dark Web. She also regularly presents research at international conferences such as HITCON, Rootcon and AVTokyo.
Currently, Yeonghyeon is working as a researcher at S2W TALON's HOTSAUCE, performing correlation analysis between users of Deep & Dark Web forums, and analysis and response to Deep & Dark Web data leakage incidents and brand abuse. Recently, Yeonghyeon presented research results on ransomware operators active on the dark web at K-CTI, a Korean conference.
Yujin's interests are cyber threat intelligence, OSINT, the Deep & Dark Web, and incident response. Currently, she is working as a researcher at S2W TALON's HOTSAUCE, performing correlation analysis between users of Deep & Dark Web forums, and analysis and response to Deep & Dark Web data leakage incidents and brand abuse.
After working at the Digital Forensics Center of the National Police Agency, Jeongyeon Lim became interested in the cybersecurity industry. He has extensive forensic experience in major cases, such as the development of IoT forensic techniques for the National Police Agency and the forensics related to the N room case. Currently, he is working as a senior researcher at S2W TALON's HOTSAUCE, analysing the money flows of ransomware attack organizations on the blockchain, performing correlation analysis between users of Deep & Dark Web forums, and carrying out analysis and response to Deep & Dark Web data leakage incidents.
Recently, he has become interested in blockchain and DeFi coins, including analysing the money management addresses of the Conti ransomware organization and writing a transaction analysis report on the KlaySwap hacking incident, and he is continuing to conduct related research.