DeltaBoys : Black Hats On The Rise

Published On : 2023-05-28

EXECUTIVE SUMMARY

The CYFIRMA research team has identified a new threat actor group on the rise operating under the moniker DeltaBoys. We have assessed this previously unknown threat actor to be both financially and geopolitically motivated: they have targeted Israeli infrastructure for ideological purposes but will also indiscriminately attack other infrastructure for financial gain. Furthermore, they provide private hacker training sessions, which include access to zero-days and a web-application vulnerability scanner license for the buyer. The rate at which they are defacing websites is accelerating rapidly, which shows that DeltaBoys are increasing their capacity, sophistication, and capability. As such, we highly recommend that organizations in Israel – particularly those in critical infrastructure sectors – implement enhanced security measures, including regular assessments, patch management, employee awareness training, and multi-factor authentication.

INTRODUCTION

DeltaBoys have been operating since December 2021, initially starting out as database brokers and carders. However, in August 2022, their operation evolved into mass defacement and the ‘initial access’ brokering market, providing webshells on sensitive websites. To fund their geopolitically motivated operations, they built a diverse catalogue of recently compromised databases, ‘zero-days’, ‘exploits for known vulnerabilities’, webshells, and leaked credit cards for sale.

KEY FINDINGS

DeltaBoys created their Telegram channel on 1st December 2021 to monetize their hacking efforts.

It soon became evident that the market for specific databases was smaller than the market for initial domain access. The threat actors posted their first set of webshells for sale in August 2022.

Webshell access usually gets sold very quickly on the dark web: this is dependent on who finds the vulnerability/misconfiguration first, as naturally, threat actors do not want to share their victims.

In this case, the 170 webshells were sold within a minute, which highlights the demand for such access.

DeltaBoys launched with just 2 defacements in 2021, whereas in April 2023 alone DeltaBoys defaced 59 websites, with the majority of the victims from Israel, Taiwan, China and Spain.

Please note that the majority of the domain hosting providers shown in Fig 4 are located in the US.

DEFACED WEBSITES

The DeltaBoys group is known to use the ‘bashupload’ utility, which allows a user to upload files for later retrieval and therefore also facilitates data exfiltration. Further to that, only 3 of 88 antivirus vendors flagged this domain as malicious.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) INSIGHTS

Attribution

Please note that whenever DeltaBoys deface non-Israeli infrastructure, they display the message “Contact for more security” – which implies that they want money to fix the vulnerabilities on the defaced infrastructure.

However, when the DeltaBoys group defaces any infrastructure belonging to Israeli firms, they make sure to leave a strong message for the readers – which explains their motivation behind the attack.

Threat Actor Profile: The members of DeltaBoys are seasoned black hat hackers, who have a wide variety of skills. DeltaBoys funds its activities by selling zero days, webshells and hacking tutorials to the black hat community.

Threat Landscape: Subscription models can be beneficial for threat actors, as they provide a steady source of income, which helps them plan their operations more effectively. DeltaBoys operators are moving to a subscription model, which equips subscribers every day with the latest exploits, zero-days, tricks and bypasses, webshells, and private databases, along with the methodologies and training to assist with the exploitation of the latest vulnerabilities.

Victimology: Due to their geopolitical motivations, DeltaBoys have primarily targeted Israel’s infrastructure. However, other victims include the US, India, China, Vietnam, Kurdistan and Spain. The industries targeted by DeltaBoys are Government, Manufacturing and Financial Services. The threat actor group’s favorite targets are web applications running on Linux and FreeBSD environments.

Impact Assessment: DeltaBoys pose a significant threat to organizations, particularly those in critical infrastructure sectors, due to their advanced hacking skills and focus on financial and geopolitical motivations. Having access to a diverse range of exploits and methodologies makes them a formidable adversary, potentially leading to financial losses, due to stolen intellectual property, defacement, or compromised customer data.

CONCLUSION

In conclusion, DeltaBoys is a highly skilled threat actor group that poses a significant threat to organizations, particularly those in critical infrastructure sectors, due to their financial and geopolitical motivations. They have been observed accelerating their operations over the past year, expanding from database-brokering and carding to mass defacement and initial-access brokering. Their subscription model provides a steady source of income as well as access to a diverse range of exploits and methodologies. Organizations – particularly those in Israel – should implement enhanced security measures (such as regular security assessments, patch management, employee awareness training, and multi-factor authentication) to protect against potential attacks and mitigate risks from this growing, capable, and pernicious group.

Appendix

IOC(S)

No. Indicator Type Role
1 bashupload[.]com URL Data Exfiltration
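The following Python script is an added example and is not part of the CYFIRMA report or its tooling. It shows one way a defender can operationalize the indicator above: it refangs the defanged domain exactly as listed in the IOC table, then scans proxy and DNS log lines for contact with that domain (including subdomains, and avoiding false matches on look-alike names such as "notbashupload.com"), and separately calls out upload-style requests with a request body, since the report associates the domain with data exfiltration. The log formats, client IPs, timestamps and file names are simplified and constructed for illustration; they are assumptions, not data from the report.

```python
"""Scan constructed proxy and DNS log lines for the bashupload[.]com indicator.

Added example, not CYFIRMA tooling.  The two log formats below are simplified
and constructed for illustration; adapt the regexes to your own log sources.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator and role exactly as the report's IOC table lists them (defanged).
IOCS_DEFANGED = {"bashupload[.]com": "Data Exfiltration"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('bashupload[.]com', 'hxxp://') into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {refang(k): role for k, role in IOCS_DEFANGED.items()}


@dataclass
class Hit:
    line_no: int
    source: str   # "proxy" or "dns"
    client: str
    domain: str
    role: str
    note: str


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC role if host is an IOC domain or one of its subdomains, else None.

    Matching on label boundaries avoids flagging look-alikes such as notbashupload.com.
    """
    host = host.lower().rstrip(".")
    for ioc, role in IOCS.items():
        if host == ioc or host.endswith("." + ioc):
            return role
    return None


# Constructed proxy log format: <ts> <client> <method> <url> <status> <bytes_sent>
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>https?://(?P<host>[^/\s:]+)\S*)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)
# Constructed DNS log format: <ts> <client> query <qname> <qtype>
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$")


def scan_proxy(lines: List[str]) -> List[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        role = domain_matches(m["host"])
        if role is None:
            continue
        # Any contact is a hit; a request that carries a body is the upload pattern
        # the report associates with this utility, so it gets its own note.
        note = "contact"
        if m["method"] in ("PUT", "POST") and int(m["bytes"]) > 0:
            note = f"upload-like {m['method']} of {m['bytes']} bytes"
        hits.append(Hit(n, "proxy", m["client"], m["host"], role, note))
    return hits


def scan_dns(lines: List[str]) -> List[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        role = domain_matches(m["qname"])
        if role is not None:
            hits.append(Hit(n, "dns", m["client"], m["qname"].rstrip("."), role, "lookup"))
    return hits


# Constructed sample logs: benign traffic, an upload to the IOC, a look-alike domain.
SAMPLE_PROXY = [
    "2023-05-20T10:01:02Z 10.0.0.7 GET https://www.example.org/index.html 200 0",
    "2023-05-20T10:03:15Z 10.0.0.7 PUT https://bashupload.com/db_dump.sql 200 5242880",
    "2023-05-20T10:03:40Z 10.0.0.9 GET https://bashupload.com/ 200 0",
    "2023-05-20T10:04:00Z 10.0.0.9 GET https://notbashupload.com/ 200 0",
]
SAMPLE_DNS = [
    "2023-05-20T10:03:10Z 10.0.0.7 query bashupload.com. A",
    "2023-05-20T10:05:00Z 10.0.0.8 query cdn.bashupload.com. A",
    "2023-05-20T10:05:01Z 10.0.0.8 query example.org. AAAA",
]


def run() -> List[Hit]:
    """Scan both constructed sample logs and return all hits (proxy first, then DNS)."""
    return scan_proxy(SAMPLE_PROXY) + scan_dns(SAMPLE_DNS)


if __name__ == "__main__":
    for h in run():
        print(f"line {h.line_no} [{h.source}] {h.client} -> {h.domain}: {h.role} ({h.note})")
```

On the constructed sample data this yields four hits: the 5 MB PUT to bashupload.com from 10.0.0.7 (flagged as upload-like), a plain GET from 10.0.0.9, and two DNS lookups (the apex domain and a subdomain); the look-alike "notbashupload.com" and the benign lines are not flagged. Correlating the DNS lookup and the upload from the same client within a short window is the natural next step in a SIEM rule.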

MITRE ATT&CK Mapping

No. Tactic Technique
1 Initial Access TA0001 Exploit Public Facing Application T1190

Recommendations

To protect against the threat posed by DeltaBoys, organizations, particularly those in critical infrastructure sectors, should implement the following enhanced security measures:

Management Recommendations:

  1. Regular Security Assessments: Establish a process for conducting regular security assessments and penetration testing to identify vulnerabilities. Allocate resources and budget for these assessments and ensure they are performed by qualified professionals.
  2. Employee Awareness Training: Develop and implement a comprehensive cybersecurity awareness training program for all employees. Include topics such as phishing awareness, safe browsing practices, and password security. Regularly reinforce and update training materials to stay current with emerging threats.
  3. Vendor Security Assessment: Establish a vendor security assessment process to evaluate the security practices of third-party vendors and service providers. Prioritize vendors with access to sensitive data or critical systems. Ensure they adhere to robust security standards and conduct regular assessments to verify compliance.

Strategic Recommendations:

  1. Patch Management: Establish a robust patch management program to ensure timely application of security patches across all systems, applications, and devices. Implement a centralized patch management system to track and prioritize patches, based on criticality.
  2. Threat Intelligence Monitoring: Establish a process for monitoring and analyzing threat intelligence reports and information sharing platforms. Subscribe to reputable threat intelligence services and establish relationships with industry peers for sharing actionable threat information.
  3. Incident Response Plan: Develop a comprehensive incident response plan that outlines roles, responsibilities, and procedures for detecting, responding to, and recovering from security incidents. Regularly review and update the plan to align with changing threat landscapes.

Tactical Recommendations:

  1. Multi-Factor Authentication (MFA): Implement MFA for all systems and applications, especially for privileged accounts and critical assets. Leverage MFA solutions that support various authentication factors such as one-time passwords, biometrics, or hardware tokens.
  2. Web Application Security: Implement secure coding practices and conduct regular vulnerability scans and penetration tests for web applications. Deploy web application firewalls (WAFs) to protect against common attack vectors and implement secure configuration guidelines for web servers.
  3. Encryption and Data Protection: Ensure sensitive data is encrypted both at rest and in transit, using strong encryption algorithms. Implement secure protocols (e.g., HTTPS) for data transmission and enforce data protection policies to minimize the risk of data exfiltration.
  4. Incident Monitoring and Response: Deploy security monitoring tools, such as intrusion detection and prevention systems, log management solutions, and security information and event management (SIEM) systems. Establish a dedicated incident response team to monitor alerts, investigate incidents, and respond promptly.