Automated systems crawl the DarkWeb to find Zero-Days

Pierluigi Paganini August 09, 2016

A team of researchers at Arizona State University (ASU) is crawling the Darkweb searching for zero-days, with the goal of proactive cybersecurity threat intelligence.

Can finding zero-day vulnerabilities be as easy as crawling the Darkweb?

Security researchers at Arizona State University (ASU) think so, and they are already seeing some success. In a paper titled “Darknet and Deepnet Mining for Proactive Cybersecurity Threat Intelligence”, the group of 10 co-authors outlines the possibility of programmatically identifying zero-days before they are used in an attack by scraping and parsing known Darkweb and Deepweb forums and marketplaces. According to the research, data mining and machine learning techniques can be used to analyze discussions in forums where malicious code is sold in exchange for bitcoin, and the initial results are encouraging.

As an example, the paper highlights the Dyre Trojan reported by FireEye in July of last year.

In February 2015, Microsoft released bulletin MS15-010 for a Windows remote code execution vulnerability. According to the team’s research, no known exploit existed for that vulnerability until April 2015, when an exploit for it appeared on a Darknet market site for 48 BTC, roughly US$10,000 to US$15,000 at the time; the Dyre sample FireEye reported that July leveraged the same vulnerability. Using this information, the researchers worked to devise an automated process for gathering listings from these marketplaces and searching them for keywords that can be filtered and classified as possible malicious code for sale. The results so far are impressive.


The team is currently tracking twenty-seven marketplaces and twenty-one forums selling anything from cocaine to the latest Adobe exploits, and this is where it gets challenging.

Much of the information collected on these sites is unstructured data that is not relevant to cyber security, and even the relevant part is noisy. For example, the word “SALE” may be misspelled, causing a naive automated system to skip over it as noise.

Another challenge, of course, is word variation, particularly the leetspeak found in common hacker vernacular, such as “S4L3.” Despite these challenges, the team has shown that automation has real value in identifying zero-day exploits in the wild: its system detected 16 zero-day exploits over a four-week period. Despite this initial success, automated zero-day hunting may remain a novelty for some time.
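The keyword search over marketplace listings described with the MS15-010 example, and the misspelling and leetspeak problems described just above, as an added example. This is not the ASU team’s code and does not come from the paper or from this article; the vocabularies, scoring weights, candidate threshold and sample posts are all assumptions made up for the illustration.

```python
"""
Added example (not the ASU system): keyword triage of darknet forum and
marketplace posts that tolerates misspelled sale vocabulary, leetspeak such
as "S4L3", and drug listings mixed in with exploit listings. Vocabularies,
weights, threshold and sample posts are assumptions for this example only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Leetspeak substitutions (assumption: the usual forum conventions).
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
})
TOKEN_RE = re.compile(r"[A-Za-z0-9@$!+]+")
# Bulletin/CVE identifiers and BTC prices are pulled from the raw text,
# before leetspeak normalisation mangles their digits.
BULLETIN_RE = re.compile(r"\b(ms\d{2}-\d{3}|cve-\d{4}-\d{4,7})\b", re.I)
PRICE_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|xbt|bitcoin)\b", re.I)


def normalize_token(tok: str) -> str:
    """Lower-case and undo leetspeak: 'S4L3' -> 'sale', 'expl0it' -> 'exploit'."""
    return tok.lower().translate(LEET_MAP)


def tokenize(text: str) -> list:
    return [normalize_token(t) for t in TOKEN_RE.findall(text)]


# Vocabularies go through the same normaliser, so '0day' and 'oday' agree.
SALE_VOCAB = {normalize_token(w) for w in ("sale", "sell", "selling", "price", "btc", "bitcoin")}
EXPLOIT_VOCAB = {normalize_token(w) for w in ("exploit", "0day", "zeroday", "rce", "lpe", "privesc", "poc")}
PRODUCT_VOCAB = {normalize_token(w) for w in ("windows", "adobe", "flash", "office", "java", "android")}
CANDIDATE_THRESHOLD = 4  # assumption: score at which a post deserves an analyst's look


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_term(tok: str, vocab: set) -> Optional[str]:
    """Exact match first; otherwise tolerate one typo, but only for tokens of
    5+ characters so short noise words are not fuzzed into vocabulary terms."""
    if tok in vocab:
        return tok
    if len(tok) >= 5:
        for v in sorted(vocab):  # sorted so matching is deterministic
            if abs(len(v) - len(tok)) <= 1 and edit_distance(tok, v) <= 1:
                return v
    return None


def find_hits(tokens: list, vocab: set) -> list:
    return sorted({m for m in (match_term(t, vocab) for t in tokens) if m})


@dataclass
class Triage:
    post_id: str
    score: int
    sale_hits: list
    exploit_hits: list
    product_hits: list
    bulletins: list
    price_btc: Optional[float]

    @property
    def is_candidate(self) -> bool:
        return self.score >= CANDIDATE_THRESHOLD


def triage_post(post_id: str, text: str) -> Triage:
    """Score one post. Weights are assumptions: an identifier or exploit term
    counts more than generic sale vocabulary, which drug listings also carry."""
    tokens = tokenize(text)
    sale, exploit, product = (find_hits(tokens, v) for v in (SALE_VOCAB, EXPLOIT_VOCAB, PRODUCT_VOCAB))
    bulletins = list(dict.fromkeys(m.group(1).upper() for m in BULLETIN_RE.finditer(text)))
    price = PRICE_RE.search(text)
    score = 3 * len(bulletins) + 2 * len(exploit) + len(sale) + len(product)
    return Triage(post_id, score, sale, exploit, product, bulletins,
                  float(price.group(1)) if price else None)


def rank_posts(posts: dict) -> list:
    """Highest score first; ties broken by post id so output is deterministic."""
    return sorted((triage_post(pid, txt) for pid, txt in posts.items()),
                  key=lambda t: (-t.score, t.post_id))


# Constructed sample posts (not real listings).
SAMPLE_POSTS = {
    "p1": "S4L3: privat3 expl0it for MS15-010, RCE on Windows 7/8. 48 BTC, escrow ok.",
    "p2": "Selling fresh cocaine, 0.05 btc per gram, worldwide shipping",
    "p3": "Anyone have a working PoC for the new Adobe Flash bug? sellng for a fair price, pm me",
}

if __name__ == "__main__":
    for t in rank_posts(SAMPLE_POSTS):
        flag = "CANDIDATE" if t.is_candidate else "noise"
        print(f"{t.post_id} score={t.score:2d} {flag:9s} bulletins={t.bulletins} "
              f"price={t.price_btc} exploit={t.exploit_hits} sale={t.sale_hits}")
```

Run as a script to see the three posts ranked: the leetspeak Windows listing scores highest, the typo-laden Adobe post still clears the threshold because “sellng” is one edit from “selling” and “PoC” and the product names carry weight, and the cocaine listing, which shares the sale and bitcoin vocabulary, stays below it. Identifiers and prices are extracted from the raw text because the leet map rewrites digits; a real system would replace the hand-built vocabularies with the trained classifier the paper describes, but the normalisation and fuzzy-matching steps are what make such a classifier’s features usable in the first place.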

Getting to the left of the cyber kill chain has been a topic of discussion for over a year now, with a lot of groups focusing efforts on intelligence gathering at the pre-reconnaissance phase; so far, these approaches have had mixed results.

One of the most significant challenges facing the cyber intelligence community looking to use automated gathering techniques is the constant change of the forums themselves.

Cyber criminals are becoming more and more aware that what they can do to their targets, the targets can do to them. This cat-and-mouse game of shifting techniques only increases the situational awareness of the adversary, forcing them to change their behavior. Forums are becoming increasingly hard to gain access to, and sophisticated vetting processes are being established to weed out researchers and law enforcement intent on stopping zero-days before they ever hit their first victims.

In 2013, the FBI brought down the so-called Silk Road, an illegal marketplace selling everything from heroin to hitmen for hire. Court documents revealed that the FBI used many traditional investigative techniques in the takedown, but also used cyber capabilities as a tool to dismantle the very network the Silk Road was built upon.

In all, the operation seized US$4 million in BTC and led to the arrest of the alleged operator, Ross Ulbricht. Despite FBI efforts, the Silk Road has been relaunched as the “Silk Road 3.0” with those backing the project proclaiming this new version has “undergone a massive security upgrade and modified design”, likely to keep federal snoops from poking around.

It is not just cyber criminals that are making automated techniques difficult; changes in the threat landscape are also forcing changes in the way cyber intelligence is delivered, and the scope of attacks is evolving as well.

Kevin Mandia, FireEye’s new CEO, points out that “As the current threat environment shifts to smaller scoped breaches, some organizations may be opting for good enough over best-of-breed detection.” This shift in attitude could curb spending on research and development projects that search for unknown zero-days in favor of resiliency and incident response, the right side of the kill chain, the exact opposite of where the ASU team believes it can make a difference.

According to their paper, the ASU researchers are currently shopping their system around, looking for additional funding for their research, and why not? Their collection and parsing system isn’t just finding zero-days; it is also producing over 300 high-quality cyber threat warnings weekly, making it an invaluable source of actionable information.

Hopefully, the ASU project will find a home that will mature their system.  Future iterations will likely include the collection and analysis of other types of information being sold in the Dark and Deep webs such as stolen credit card information, health records, and other criminal activity.

Written by: Rick Gamache

Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past roles include Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine, and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate to global supply chains.

LinkedIn – https://www.linkedin.com/in/rick-gamache-cissp-021ab43

Twitter – https://twitter.com/thecissp


Pierluigi Paganini

(Security Affairs – Zero-days, DarkWeb)



Darkweb Deep Web exploit Hacking threat intelligence Zero-Days
