This week, there’s a chilling offer on the dark web involving sensitive data from the U.S. healthcare industry. But that’s not all. There are the other topics:
- A new Remote Access Trojan (RAT) tool has entered the market, promising unprecedented control to cybercriminals.
- Alarmingly, a zero day exploit for the Windows OS has also hit the dark web, raising grave security concerns for millions of users worldwide.
- ATM & POS systems are once again under threat with a fresh pack of malware on sale, underscoring the persistent vulnerabilities in our financial infrastructure.
The U.S. Healthcare Data on Sale
A SOCRadar dark web analyst has detected a post that a threat actor claims to have dumped 17 million healthcare records, including 12 million patient records and 5 million specialist records. The compromised data allegedly includes fields such as ID, address, birthdate, city, company ID, name, phone number, and zip code. This disclosure raises significant concerns as it exposes a substantial identity theft risk and fraud.
A New RAT Tool is on Sale
A SOCRadar dark web analyst has detected a recent post in which a threat actor advertises the sale of a new RAT tool called WrathRat. The post highlights the tool’s multiple panels for administration, reselling, and user control. It emphasizes features such as device monitoring, lock screens, call log management, keylogging, remote control capabilities, and more. The threat actor offers payment options, including the purchase of source codes or the option to rent the tool weekly.
Zero Day Exploit of Windows OS is on Sale
The SOCRadar Dark Web Team has detected a post where a threat actor claims to have a zero-day exploit of Windows for sale. According to the post, the exploit is a local privilege escalation (LPE) zero-day that provides 100% kernel read and write access. It allegedly affects versions of Windows from 8 to the newest release. The exploit is said to elevate privileges from medium to system level and has the capability to bypass Firefox sandboxing. The post mentions a runtime of 1 second for the exploit. The advertised price is 150k, and the threat actor specifies that only a guarantor service from a forum is accepted. The post instructs users to send a private message for further inquiries or to initiate contact.
Unauthorized VPN Access Sale is Detected for a Chilean Government Organization
A SOCRadar researcher has detected a post that a cybercriminal is allegedly selling unauthorized VPN access that supposedly belongs to a government organization operating in Chile. The post states that the access is for a VPN Cisco system. It further mentions that the organization’s estimated income, based on ZoomInfo data, is 57.3 million. ZoomInfo is a B2B contact and company information platform.
The cybercriminal emphasizes that they are selling the access exclusively to a single buyer. For any further inquiries, interested parties are instructed to contact via private message. The post also specifies that the seller only works with newcomers or individuals with a limited reputation through a guarantor, and their dealings are limited to the Russian community.
The threat actor’s preference for working with newcomers or individuals with a limited reputation through a guarantor and exclusively within the Russian community may stem from several factors. It could be a strategy to minimize the risk of law enforcement detection by targeting less experienced individuals who are less likely to be monitored.
Additionally, by working exclusively within the Russian community, the threat actor can leverage shared language, cultural understanding, and established networks for smoother transactions and enhanced trust. Furthermore, newcomers or individuals with limited reputations may be seen as less connected to organized cyber weapon technologies or larger criminal groups, reducing the risk of attracting attention from sophisticated adversaries.
Pack of Malware for ATM & POS is on Sale
SOCRadar detected a post in a hacker forum where someone was selling a pack of ATM and POS malware. The pack includes Alina POS Malware, Katrina POS Malware, Ploutos ATM Malware, QROG ATM Malware, and Alice ATM Malware. The seller has set the price at $8,000 and specifies that the sale is restricted to one buyer. Additionally, the pack includes an operation manual for implementing and enhancing privileges. The seller accepts the use of escrow for the transaction.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible, which can be time-consuming and challenging. One click-by-mistake can result in malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow up with the latest posts of threat actors and groups filtered by the targeted country or industry.
