Underground Forums
5 automated security scanners
Threat Actor Tracking
Purpose: The Threat Actor Tracking Scanner is designed to identify potential threats by analyzing data from various threat intelligence feeds. It aims to detect actor capabilities, targeting preferences, and tactics, techniques, and procedures (TTPs) associated with a specified domain and company. This tool helps in understanding the risk landscape and assessing the security posture of targeted entities.
What It Detects:
- CVE Indicators: Identifies Common Vulnerabilities and Exposures (CVEs) related to the target domain or IP address, which are crucial for understanding potential vulnerabilities that could be exploited by adversaries.
- Malware and Ransomware Indicators: Detects mentions of malware, ransomware, and trojans in threat intelligence feeds, highlighting potential cyber threats associated with these malicious activities.
- Command and Control (C2) Indicators: Identifies references to command and control servers or infrastructure, which are critical for monitoring and analyzing the communication channels used by adversaries during an intrusion.
- Phishing and Credential Harvesting Indicators: Detects mentions of phishing attempts and credential harvesting activities, indicating potential social engineering tactics employed by threat actors to gain unauthorized access to sensitive information.
- Exposure Indicators: Identifies indicators of data exposure, leaks, or breaches, which are essential for understanding the risk associated with compromised systems and networks.
Inputs Required:
- domain (string): The primary domain to analyze, such as acme.com, which is crucial for directing the scanner’s analysis towards specific targets.
- company_name (string): The company name for statement searching, like “Acme Corporation,” which helps in refining the search parameters to align with organizational information and naming conventions.
- keyword (string): A specific keyword related to threat actors or TTPs that serves as a filter for targeted detection within the broader intelligence feeds.
Business Impact: This scanner is critical for organizations looking to proactively identify potential cyber threats and vulnerabilities associated with their operations, allowing them to take preemptive measures to mitigate risks and protect sensitive information. Understanding the capabilities and tactics of threat actors can significantly enhance an organization’s security posture by enabling more informed decision-making regarding cybersecurity strategies and investments.
Risk Levels:
- Critical: Conditions that directly lead to significant vulnerabilities or immediate threats, such as known exploited CVEs with high severity scores affecting critical systems.
- High: Conditions that pose a substantial risk but are not immediately exploitable, such as widespread malware or ransomware activity indicative of advanced persistent threats.
- Medium: Conditions that indicate potential risks requiring attention, such as the presence of phishing activities suggestive of ongoing social engineering attempts.
- Low: Informational findings that provide context but do not directly impact security posture, such as exposure indicators in non-critical systems or data categories.
- Info: Findings that are purely informational and may require further investigation to understand their significance within the broader threat landscape.
Example Findings:
- A critical finding might be a CVE associated with a known exploit affecting a core component of the organization’s infrastructure, which could lead to significant downtime or data loss if exploited.
- A high risk might involve the detection of specific malware strains that are prevalent in the threat intelligence community but not directly impacting all systems equally, requiring targeted mitigation strategies.
- A medium risk example would be the identification of ongoing phishing campaigns aimed at employees, highlighting potential vulnerabilities in the organization’s security awareness training and defenses against social engineering attacks.
Fraud Community Monitoring
Purpose: The Fraud Community Monitoring Scanner is designed to identify and detect various fraud techniques, cashout methods, and discussions about target companies within specified underground forums. This tool aims to help organizations assess potential threats to their security posture by analyzing patterns related to common fraud activities such as phishing, credential harvesting, and social engineering.
What It Detects:
- Fraud Techniques: Identifies patterns associated with common fraud techniques including malware (e.g., ransomware, trojan), phishing, and credential harvesting.
- Cashout Methods: Detects discussions on how stolen data or compromised systems are monetized, such as money mule activities, bitcoin laundering, and cryptocurrency transfer.
- Target Discussions: Identifies mentions of the target company and its specific vulnerabilities or weaknesses in forum discussions.
- Vulnerability Exploits: Looks for references to known vulnerabilities that could be exploited, including those identified by CVE numbers.
- Exposure Indicators: Detects signs of data exposure, unauthorized access, or data dumps which are critical indicators of potential security breaches.
Inputs Required:
- domain (string): The primary domain to analyze, providing the context for forum searches.
- company_name (string): The company name used for searching specific discussions and mentions within forums.
- keyword (string): A specific keyword related to the company or threats that triggers the search for potential issues in underground forums.
Business Impact: This scanner is crucial as it helps organizations proactively monitor their digital footprint on underground forums, enabling them to identify and respond to potential security threats promptly. By detecting fraud techniques and exposure indicators early, organizations can mitigate risks associated with data breaches and unauthorized access more effectively.
Risk Levels:
- Critical: Identifies vulnerabilities that have been publicly disclosed as critical (e.g., high-severity CVEs) which could be exploited by adversaries to gain significant advantage over the target organization.
- High: Detects patterns associated with high-risk fraud techniques or indicators of unauthorized access, posing a serious threat to data security and integrity.
- Medium: Identifies moderate risk indicators such as discussions around potential vulnerabilities that might require immediate attention but do not necessarily lead to severe consequences.
- Low: Informational findings about general threats or minor issues which may still need monitoring but are less critical in terms of immediate impact on security posture.
- Info: Non-critical findings providing background information useful for ongoing threat intelligence gathering and strategic planning.
Example Findings:
- A discussion post mentioning “malware” and “ransomware” patterns could indicate an active campaign to exploit the company’s systems using these techniques.
- References to specific vulnerabilities (e.g., CVE-XXXX-X) suggest that the system might be vulnerable to known attacks, requiring immediate attention for patching or mitigation strategies.
Malware Market Monitoring
Purpose: The Malware Market Monitoring Scanner is designed to identify and analyze potential threats in the underground market by detecting the presence of malware sales, ransomware developments, and service offerings on specified domains. This tool helps in identifying potential risks associated with malicious activities and provides insights into the activities of dark markets.
What It Detects:
- Malware Sales Indicators: Detection of phrases indicating malware sales such as “malware for sale”, “buy malware”, or “malware kits”. The scanner also identifies specific malware types like “ransomware”, “trojan”, and “virus”.
- Ransomware Developments: Recognition of terms related to ransomware development, including “ransomware development kit”, “ransomware builder”, and “ransomware as a service (RaaS)”. The scanner can also detect phrases indicating new ransomware variants or updates.
- Service Offerings: Identification of services offered in the underground market such as “DDoS for hire”, “credential stuffing services”, and “botnet rentals”. Additionally, the scanner detects terms like “command and control”, “C2 server”, and “remote access tools (RAT)”.
- Threat Indicators: Recognition of Common Vulnerabilities and Exposures (CVE) numbers, indicating known vulnerabilities being exploited. The scanner also detects patterns related to unauthorized access, data breaches, and exposed systems.
- Exposure Indicators: Identification of phrases indicating system exposure such as “exposed”, “leaked”, or “breached”. The scanner detects terms like “unauthorized access” and “data dump”.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., darkmarket.com)
- company_name (string): Company name for statement searching (e.g., “Dark Market Inc.”)
- keyword (string): Specific keyword related to the threat or service being monitored (e.g., “ransomware”)
Business Impact: This scanner is crucial for organizations and security teams as it helps in monitoring and understanding the activities of dark markets, which can pose significant risks to cybersecurity. By identifying potential threats early on, organizations can take proactive measures to mitigate these risks and protect their assets.
Risk Levels:
- Critical: The scanner identifies clear indicators of malware sales, ransomware developments, or service offerings that are actively being promoted or discussed in the monitored domain. This level is critical as it directly points to active threats and potential breaches.
- High: The scanner detects indications of ongoing malicious activities such as unauthorized access attempts or exposure of sensitive data, which could lead to significant security incidents if not addressed promptly.
- Medium: The scanner flags patterns that suggest possible vulnerabilities being exploited or discussions about upcoming threats, requiring attention for further investigation and potential mitigation strategies.
- Low: Informational findings may include mentions of historical vulnerabilities or past breaches that are less likely to pose an immediate threat but should still be monitored for trends and changes in the underground market.
- Info: These are generally non-critical findings such as discussions about specific malware types without clear indicators of active exploitation or sale. They provide background information useful for understanding broader trends but do not indicate imminent risks.
Example Findings:
- The scanner detected “malware for sale” on a domain discussing illegal transactions in the underground market, indicating potential threats to multiple organizations that may have systems connected to this domain.
- A ransomware development kit was identified on a forum discussing advanced cybercrime techniques, which could signal an increased risk of ransomware attacks targeting various industries.
Tool Development
Purpose: The VIGILGUARD SCANNER is designed to analyze underground forums and other dark web sources to detect custom exploitation attempts, targeted tooling, and other malicious activities specifically targeting a given domain or company. It leverages threat intelligence feeds from Shodan, VirusTotal, CISA KEV, and the dark web to identify potential threats.
What It Detects:
- Custom Exploitation Attempts: Detection of known vulnerabilities being exploited (CVE patterns), identification of malware, ransomware, or trojan signatures in forum posts.
- Targeted Tooling Usage: Recognition of command and control (C2) server mentions and detection of phishing or credential harvesting attempts.
- Domain-Specific Threat Indicators: Monitoring for exposure indicators such as “exposed,” “leaked,” or “breached” related to the specified domain, and identification of unauthorized access claims.
- Data Dump References: Detection of data dump mentions associated with the target domain and analysis of forum posts for any references to compromised data.
- Known Exploited Vulnerabilities (KEV): Cross-referencing findings with CISA KEV to identify known exploited vulnerabilities relevant to the target.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
- keyword (string): Specific keyword related to the company or product being monitored
Business Impact: This scanner is crucial for organizations looking to proactively identify and respond to potential cyber threats targeting their specific domain or industry. By detecting custom exploitation attempts, targeted tooling usage, and other malicious activities, it helps in safeguarding sensitive information and maintaining a secure digital environment.
Risk Levels:
- Critical: Detection of unpatched vulnerabilities being exploited for the first time against the target domain.
- High: Recognition of malware or ransomware signatures that are known to be actively targeting the company’s systems.
- Medium: Identification of unauthorized access claims or exposure indicators that suggest potential data breaches or sensitive information leakage.
- Low: Detection of generic threat indicators without specific evidence of active exploitation or breach.
- Info: Informational findings related to domain-specific threats but not indicating immediate risk unless exploited further.
Example Findings:
- “CVE-2021-44228 exploit was used against example.com.” - Indicates a critical vulnerability being exploited for the first time.
- “The data breach at Example Corporation exposed sensitive customer information.” - Indicates unauthorized access and potential data leakage, posing a high risk to the company’s security posture.
Hacker Forum Monitoring
Purpose: The Hacker Forum Monitoring Scanner is designed to detect and alert about discussions of exploits, zero-day sales, and targeting specific to a company on underground forums. This tool helps in identifying potential threats and vulnerabilities that may be exploited by threat actors, providing valuable insights for security teams to take proactive measures against potential cyber threats.
What It Detects:
- Exploit Discussions: Patterns matching Common Vulnerabilities and Exposures (CVE) identifiers, such as `CVE-\d{4}-\d+`, are detected along with keywords like malware, ransomware, and trojan.
- Zero-Day Sales: Phrases indicating the sale of zero-day exploits, including mentions of “zero-day” or related terms like command and control (C2) servers.
- Targeting Indicators: Discussions targeting specific companies or industries are flagged using keywords such as phishing, credential harvesting, and reconnaissance activities.
- Vulnerability Exposure: Indications of exposed services or data breaches include phrases like “exposed,” “leaked,” “breached,” unauthorized access, and data dumps.
- Threat Actor Activity: Detection includes known threat actor groups or nation-state actors identified by patterns such as “nation-state actor,” “APT group,” “Fancy Bear,” and “Lazarus.”
Inputs Required:
- domain (string): The primary domain to analyze, e.g., acme.com. This helps in identifying relevant discussions on underground forums related to the specified domain.
- company_name (string): A company name for statement searching, e.g., “Acme Corporation.” This is used to search for specific mentions and discussions within the forum posts.
- keyword (string): A specific keyword related to the company or product, e.g., “AcmeWidget.” This aids in refining the search to focus on relevant content linked to the company’s products or services.
Business Impact: Identifying potential threats and vulnerabilities discussed on underground forums is crucial for organizations to mitigate risks associated with cyber-attacks. By proactively monitoring such discussions, security teams can stay informed about emerging threats and take preventive measures to protect their systems and data from exploitation.
Risk Levels:
- Critical: Findings that directly indicate active exploitation attempts or highly critical vulnerabilities should be considered critical. This includes patterns like specific CVE numbers and direct mentions of malware types.
- High: High-risk findings include discussions about zero-day exploits, unauthorized access to sensitive data, and reconnaissance activities targeting the company’s assets.
- Medium: Medium severity findings involve general threats related to exposed services or potential vulnerabilities that could be exploited if not addressed promptly.
- Low: Lower risk findings are generally informational unless they indicate ongoing threat activity or significant exposure.
- Info: These are typically for information gathering and awareness purposes, such as initial reconnaissance activities without immediate actionable impact.
Example Findings:
- A post discussing a new CVE number (`CVE-2023-1234`) related to a critical vulnerability in Acme Corporation’s software could be flagged as Critical.
- A discussion about an unauthorized access attempt on the company’s internal network might be considered High due to potential data breach risks.
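As an added example (not part of this page or of the scanner product it describes), the Python module below implements the indicator matching described for the Hacker Forum Monitoring scanner and the CISA KEV cross-reference described under Tool Development: it scopes each post to the scanner inputs (domain, company_name, keyword), extracts CVE ids with the `CVE-\d{4}-\d+` pattern, checks them against a KEV-shaped feed and assigns one of the five risk levels. The KEV feed shape (a "vulnerabilities" list whose entries carry a "cveID" key), the sample posts and the exact severity ladder are assumptions made for this example.

```python
import json
import re

# Indicator vocabulary taken from the scanner descriptions on this page.
CVE_RE = re.compile(r"CVE-\d{4}-\d+", re.IGNORECASE)
MALWARE_TERMS = ("malware", "ransomware", "trojan")
HIGH_TERMS = ("zero-day", "unauthorized access", "data dump", "command and control", "c2 server")
EXPOSURE_TERMS = ("exposed", "leaked", "breached")
ACTOR_TERMS = ("nation-state actor", "apt group", "fancy bear", "lazarus")

# Constructed sample shaped like CISA's KEV JSON feed (assumed "vulnerabilities"/"cveID" keys).
KEV_SAMPLE = json.dumps({"vulnerabilities": [{"cveID": "CVE-2021-44228"}]})

# Constructed forum posts standing in for scraped underground-forum content.
SAMPLE_POSTS = [
    "CVE-2021-44228 exploit used against acme.com last week",  # CVE on the KEV list
    "anyone got a PoC for CVE-2023-1234 on AcmeWidget?",        # CVE not on the KEV list
    "Acme Corporation customer data dump, 2M rows",             # unauthorized-access claim
    "acme.com staging host is exposed, no auth",                # exposure indicator
    "heard Lazarus is looking at acme.com this quarter",        # threat actor mention
    "Acme Corporation hiring security folks",                   # target mention only
    "new ransomware builder, dm me",                            # no target mention: skipped
]

def load_kev_ids(feed_json):
    """Return the set of CVE ids listed in a KEV-shaped feed document."""
    return {v["cveID"].upper() for v in json.loads(feed_json)["vulnerabilities"]}

def classify_post(text, domain, company_name, keyword, kev_ids):
    """Return (risk, indicators) for one post, or None if it never mentions the target."""
    lower = text.lower()
    if not any(t.lower() in lower for t in (domain, company_name, keyword) if t):
        return None
    cves = {c.upper() for c in CVE_RE.findall(text)}
    kev_hits = sorted(cves & kev_ids)
    found = {label: [t for t in terms if t in lower] for label, terms in (
        ("malware", MALWARE_TERMS), ("high", HIGH_TERMS),
        ("exposure", EXPOSURE_TERMS), ("actor", ACTOR_TERMS))}
    indicators = [f"kev:{c}" for c in kev_hits] + [f"cve:{c}" for c in sorted(cves - kev_ids)]
    indicators += [f"{label}:{t}" for label, terms in found.items() for t in terms]
    # Severity ladder used here: a KEV-listed CVE (or any CVE next to a malware type) is
    # Critical; other CVEs, malware types and zero-day/C2/access claims High; exposure
    # phrases Medium; actor names Low; a bare target mention Info.
    if kev_hits or (cves and found["malware"]):
        risk = "Critical"
    elif cves or found["malware"] or found["high"]:
        risk = "High"
    elif found["exposure"]:
        risk = "Medium"
    elif found["actor"]:
        risk = "Low"
    else:
        risk = "Info"
    return risk, indicators
```

Running `classify_post` over SAMPLE_POSTS with `("acme.com", "Acme Corporation", "AcmeWidget", load_kev_ids(KEV_SAMPLE))` yields Critical, High, High, Medium, Low, Info for the first six posts and None for the last, which never names the target.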