
Tracking Hacker Forums with Traffic Analysis


A study conducted by the intelligence firm Recorded Future demonstrates the effectiveness of analyzing hacker forums with traffic-analysis-like techniques.

Hacker forums still exist, and hacking communities are in good shape and growing. Hacker forums are normally hard to find, and once you find them you will see them change again.

The most prolific hacker forums are mainly located in Russia, China, Brazil and Arabic countries, so it is normal to face the further problem of the language.

Hacker forums are excellent aggregators: they are a good place to sell or buy exploit kits, to talk about new vulnerabilities, and to get opinions (but again, you will not be able to understand them without the language).

The Recorded Future study analyzed a hacker forum through traffic-analysis-like techniques, an approach that proved effective even though the authors of the research had no knowledge of the foreign language used in the forum.

“Analysts can detect patterns in timing, forum participant product and vulnerability, etc. and use this knowledge to determine whether forum participants are a threat. Further, such insights can be used to set up appropriate alerting based on forum activity and help network defenders keep pace with developments around vulnerabilities and exploits.” states the analysis published by Recorded Future.

The data presented in the study was collected over 900 days, during which the experts analyzed a Russian hacking forum. The first thing the researchers did was to identify the principal language used in the forum, which was Russian.

In a second step they focused the analysis on vulnerability identifiers, the Common Vulnerabilities and Exposures (CVE) IDs. In this way the researchers discovered that the hacker forum focused mainly on CVEs related to Microsoft and Adobe Flash, but surprisingly Linux was also present, most likely because of the Shellshock flaw.

(Image: Hacker forums)

In terms of vulnerabilities, Heartbleed and Shellshock were at the top, but other important vulnerabilities were on the list too, with heavy discussion about them:

(Image: Hacker forum analysis 2)

“Patch Tuesday … Exploit Wednesday”

The expression “Patch Tuesday … Exploit Wednesday” was used in a Trend Micro post back in 2006, and described how, after the disclosure of newly discovered vulnerabilities in the Tuesday Microsoft Security Bulletin, an exploit week would start in which attackers tried to take advantage of those vulnerabilities. Nowadays this expression is still valid. The next image shows a period starting in March 2013 and ending in September 2015: the blue section is the general forum traffic, the green section is the traffic concerning CVEs, and the red one is the traffic concerning Microsoft products specifically:

(Image: Hacker forum analysis 3)

The research also provided interesting information on hackers’ habits; for example, participants in the hacker forums are active late in the day, especially when it comes to traffic concerning vulnerabilities. This suggests that the participants probably have a different job during the day.
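One way to apply the post-traffic method described above, as example code added here (not part of Recorded Future's research or of this article): it extracts CVE identifiers and vendor keywords from untranslated posts, and buckets them by hour of day and by days elapsed since the month's Patch Tuesday, so no reading of the language is needed. The sample posts and the CVE numbers in them are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample posts: (UTC timestamp, text). The text is left in mixed
# languages on purpose: the method only looks at identifiers and timing.
# CVE numbers below are constructed placeholders, not real advisories.
POSTS = [
    ("2015-09-09T21:15:00", "кто тестировал CVE-2099-0001? есть сплоит под office"),
    ("2015-09-10T23:40:00", "CVE-2099-0001 работает, ms99-001 патч не везде"),
    ("2015-09-11T02:05:00", "flash CVE-2099-0002 still good on old versions"),
    ("2014-09-25T20:30:00", "shellshock CVE-2099-0003 bash linux, проверяйте серверы"),
    ("2015-09-15T10:00:00", "продам аккаунты"),  # no CVE: not vulnerability traffic
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# Vendor keywords as case-insensitive substrings; product names rarely get
# translated, so this works across languages.
VENDORS = {
    "microsoft": ("microsoft", "ms9", "office", "windows"),
    "adobe_flash": ("flash", "adobe"),
    "linux": ("linux", "bash", "shellshock"),
}

def patch_tuesday(year, month):
    """Second Tuesday of the month (Microsoft's bulletin day)."""
    first = datetime(year, month, 1)
    offset = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=offset + 7)

def analyze(posts):
    """Count CVE mentions, vendor hits, posting hour and offset from Patch Tuesday."""
    cves, vendors, hours, pt_offsets = Counter(), Counter(), Counter(), Counter()
    for ts, text in posts:
        when = datetime.fromisoformat(ts)
        found = {c.upper() for c in CVE_RE.findall(text)}
        if not found:
            continue  # only vulnerability-related traffic is of interest here
        cves.update(found)
        lowered = text.lower()
        for vendor, keys in VENDORS.items():
            if any(k in lowered for k in keys):
                vendors[vendor] += 1  # one hit per post per vendor
        hours[when.hour] += 1
        days = (when.date() - patch_tuesday(when.year, when.month).date()).days
        pt_offsets[days] += 1  # 1 == "Exploit Wednesday"
    return {"cves": cves, "vendors": vendors, "hours": hours,
            "days_after_patch_tuesday": pt_offsets}
```

A real run would feed scraped post metadata into `analyze` and alert on spikes in `days_after_patch_tuesday` around 1 or on a vendor counter jumping above its baseline.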

I strongly suggest you read the report: the research demonstrated how hacker forums can be analyzed at the message/post-traffic level. This technique is very efficient because it frees researchers from needing to know the language or to track individual posts.

“Analysts can detect patterns in timing, spikes in forum participation, mentions of products or vulnerabilities, etc. and use this knowledge to determine whether forum participants are a threat.” states Recorded Future.

About the Author: Elsio Pinto

Elsio Pinto is currently the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience at major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – Hacker Forums, Intelligence)