Automated systems crawl the DarkWeb to find Zero-Days

Pierluigi Paganini August 09, 2016

A team of researchers at Arizona State University (ASU) is crawling the Darkweb in search of zero-day exploits, work they describe as proactive cybersecurity threat intelligence.

Can finding zero-day vulnerabilities be as easy as crawling the Darkweb?

Security researchers at Arizona State University (ASU) think so, and they are already seeing some success. In a paper titled “Darknet and Deepnet Mining for Proactive Cybersecurity Threat Intelligence”, the group of 10 co-authors outlines the possibility of programmatically identifying zero-days before they are used in an attack by scraping and parsing known Darkweb and Deepweb forums. According to the research, various data mining and machine learning techniques can be used to analyze discussions in forums where malicious code is sold in exchange for bitcoins, and the initial results are encouraging.

As an example, the paper highlights the Dyre Trojan, which FireEye reported on in July 2015.

In February 2015, Microsoft disclosed a Windows remote code execution vulnerability, MS15-010. According to the team’s research, no known exploit existed for that vulnerability until April 2015, when an exploit for it appeared on a Darknet market site for 48 BTC, roughly US$10,000 to US$15,000 at the time; the Dyre Trojan later leveraged the same vulnerability. Using this information, the researchers worked to devise an automated process for gathering information from these marketplaces and searching for keywords that could be filtered and classified as possible malicious code for sale. The results so far are impressive.


The team is currently tracking twenty-seven marketplaces and twenty-one forums selling anything from cocaine to the latest Adobe exploits, and this is where it gets challenging.

Much of the information collected on these sites is unstructured data that is not relevant to cyber security, and the relevant part is noisy. For example, the word “SALE” could be misspelled, causing an exact-match system to skip over the post as noise.

Another challenge, of course, is word variation, particularly the substitutions common in hacker vernacular such as “S4L3.” Despite these challenges, the team has shown that automation has serious value in identifying zero-day exploits in the wild, detecting 16 zero-day exploits over a four-week period. Despite the initial success, automation of zero-day hunting may remain a novel idea.
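As an added example (not code from the ASU paper or from this article), the following Python sketches the filtering step the two paragraphs above describe: it undoes leetspeak substitutions so that “S4L3” and “expl0!t” normalize to “sale” and “exploit”, tolerates a one-character misspelling such as “sael”, pulls out vendor advisory identifiers and BTC prices, and flags a post only when exploit vocabulary co-occurs with a sale signal. The substitution table, the term lists and the five sample posts are constructed for illustration; the paper’s actual features and classifier are not given on the page.

```python
import re
from dataclasses import dataclass

# Assumed leetspeak table: characters a forum post might substitute for
# letters. The ASU paper describes the obfuscation problem ("S4L3"), not
# this particular mapping.
LEET = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})

# Illustrative term lists; a real deployment would learn these from labelled posts.
SALE_TERMS = {"sale", "selling", "sell", "wts", "price", "escrow"}
EXPLOIT_TERMS = {"exploit", "0day", "zero-day", "rce", "lpe", "priv8", "weaponized", "poc"}

TOKEN_RE = re.compile(r"[A-Za-z0-9@$!+\-]+")
ADVISORY_RE = re.compile(r"\b(CVE-\d{4}-\d{4,7}|MS\d{2}-\d{3})\b", re.I)
PRICE_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|xbt)\b", re.I)


def normalize(token: str) -> str:
    """Lower-case, undo leetspeak and drop anything that is still not a letter,
    so 'S4L3' -> 'sale' and 'expl0!t' -> 'exploit'."""
    return re.sub(r"[^a-z]", "", token.lower().translate(LEET))


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transposition, so the typo 'sael' is 1 away from 'sale'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def match_terms(tokens: list[str], terms: set[str]) -> list[str]:
    """Return the raw tokens whose normalized form equals a term or is one edit
    away from it. Fuzzy matching only applies to words of 4+ letters so short
    tokens do not match everything."""
    norm_terms = {normalize(t) for t in terms}
    found = set()
    for tok in tokens:
        n = normalize(tok)
        if not n:
            continue
        for t in norm_terms:
            if n == t or (len(n) >= 4 and len(t) >= 4 and osa_distance(n, t) <= 1):
                found.add(tok)   # keep the obfuscated spelling for the analyst
                break
    return sorted(found)


@dataclass
class Hit:
    post: str
    sale_terms: list[str]
    exploit_terms: list[str]
    advisories: list[str]
    prices_btc: list[float]

    @property
    def is_exploit_listing(self) -> bool:
        # Exploit vocabulary alone is not enough (people also ask for exploits);
        # require a sale signal: a sale term or an explicit BTC price.
        return bool(self.exploit_terms) and (bool(self.sale_terms) or bool(self.prices_btc))


def analyze(post: str) -> Hit:
    tokens = TOKEN_RE.findall(post)
    return Hit(
        post=post,
        sale_terms=match_terms(tokens, SALE_TERMS),
        exploit_terms=match_terms(tokens, EXPLOIT_TERMS),
        advisories=[m.upper() for m in ADVISORY_RE.findall(post)],
        prices_btc=[float(p) for p in PRICE_RE.findall(post)],
    )


def triage(posts: list[str]) -> list[Hit]:
    """Keep only the posts that look like exploit listings."""
    return [h for h in (analyze(p) for p in posts) if h.is_exploit_listing]


# Constructed sample posts (not real listings) covering the cases the article
# raises: leetspeak, a typo in "sale", non-security noise, and a buy request
# that should not count as an offer.
SAMPLE_POSTS = [
    "[S4L3] Priv8 expl0it for MS15-010 RCE, fully weaponized, 48 BTC, escrow ok",
    "WTS 1g premium colombian, 0.05 btc/g, ships EU",
    "anyone have working pdf for the new adobe 0day? pm me",
    "SELLING fresh CVV dumps, 100 pcs, 0.3 BTC",
    "Adobe Flash expl0!t, sael 2.5 btc, pm me",
]

if __name__ == "__main__":
    for h in triage(SAMPLE_POSTS):
        print(h.advisories, h.prices_btc, h.sale_terms, h.exploit_terms, "<-", h.post)
```

Only the first and last sample posts survive triage: the drugs and card-dump listings carry a price but no exploit vocabulary, and the request for an Adobe 0day carries exploit vocabulary but no sale signal. The one-edit tolerance is a recall/noise trade-off: it recovers “sael” but also lets ordinary words such as “well” or “safe” collide with “sell” and “sale”, which is exactly the irrelevant-data problem the article describes, so in practice the fuzzy matches need a stoplist or a second corroborating signal before an analyst sees them. The “1” to “l” mapping is likewise a guess (it could be “i”); the normalized forms are only used for matching, never shown to the analyst.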

Getting to the left of the cyber kill chain has been a topic of discussion for over a year now, with a lot of groups focusing efforts on intelligence gathering at the pre-reconnaissance phase; so far, these approaches have had mixed results.

One of the most significant challenges facing the cyber intelligence community looking to use automated gathering techniques is the constant change of the forums themselves.

Cyber criminals are increasingly aware that what they can do to their targets, their targets can do to them. This cat-and-mouse game of shifting techniques only sharpens the adversary’s situational awareness, forcing them to change their behavior. Forums are becoming increasingly hard to gain access to, and sophisticated vetting processes are being established to weed out researchers and law enforcement intent on stopping zero-days before they ever hit their first victims.

In 2013, the FBI brought down the so-called Silk Road, an illegal marketplace selling everything from heroin to hitmen for hire. Court documents revealed that the FBI used many traditional investigative techniques in the takedown, but also used cyber means to dismantle the very network the Silk Road was built upon.

In all, the operation seized US$4 million in BTC and led to the arrest of the alleged operator, Ross Ulbricht. Despite FBI efforts, the Silk Road has been relaunched as the “Silk Road 3.0” with those backing the project proclaiming this new version has “undergone a massive security upgrade and modified design”, likely to keep federal snoops from poking around.

It’s not just cyber criminals who are making automated techniques difficult; changes in the threat landscape are also forcing changes in the way cyber intelligence is delivered. The scope of attacks is evolving as well.

Kevin Mandia, FireEye’s new CEO, points out that “As the current threat environment shifts to smaller scoped breaches, some organizations may be opting for good enough over best-of-breed detection.” This shift in attitude could curb spending on research and development projects that search for unknown zero-days in favor of resiliency and incident response, the right of the kill chain, the exact opposite of where the ASU team believes it can make a difference.

According to their paper, the ASU researchers are currently shopping their system around, looking for additional funding for their research, and why not? Their collection and parsing system isn’t just finding zero-days; it is also producing over 300 high-quality cyber threat warnings weekly, making it an invaluable source of actionable information.

Hopefully, the ASU project will find a home that will mature their system.  Future iterations will likely include the collection and analysis of other types of information being sold in the Dark and Deep webs such as stolen credit card information, health records, and other criminal activity.

Written by: Rick Gamache

Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past work includes Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine, and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate to global supply chains.

LinkedIn – https://www.linkedin.com/in/rick-gamache-cissp-021ab43

Twitter – https://twitter.com/thecissp


Pierluigi Paganini

(Security Affairs – Zero-days, DarkWeb)



Darkweb Deep Web exploit Hacking threat intelligence Zero-Days
