Full Report
Swiss cybersecurity firm Prodaft has launched a new initiative called 'Sell your Source' where the company purchases verified and aged accounts on cybercrime forums to conduct threat intelligence operations. [...]
Analysis Summary
# Threat Actor: Prodaft (Intelligence Gathering Entity)
## Attribution & Identity
This report focuses on the *cybersecurity firm* **Prodaft**, which is not a traditional threat actor or cybercriminal group; rather, it employs intelligence-gathering and infiltration tactics against the cybercriminal ecosystem, using aggressive investigation methods to get inside criminal operations.
## Activity Summary
Prodaft is actively involved in intelligence gathering by:
1. Purchasing verified, aged accounts on hacker forums to gain access to private criminal discussions (the initiative itself was advertised from an old account on the Russian-speaking XSS cybercrime forum).
2. Conducting due diligence on account sellers, explicitly avoiding accounts associated with individuals on FBI/law enforcement most-wanted lists.
3. Infiltrating sophisticated attack automation platforms, notably one belonging to the **FIN7** hacking group that utilized Microsoft Exchange and SQL injection flaws.
4. Using that access to proactively alert over eight thousand potentially targeted organizations about vulnerabilities that could lead to ransomware or other payload deployment.
## Tactics, Techniques & Procedures
Prodaft's self-described *investigation* TTPs include:
- Infiltration/Undercover operations on cybercrime forums.
- Purchasing illicit forum accounts to gain access to criminal intelligence.
- Identification and alerting of compromised organizations based on intelligence gathered from infiltrated platforms.
- Reporting account purchases to law enforcement authorities (while promising sellers anonymity regarding sensitive data).
## Targeting
- Sectors: Not explicitly stated; however, their infiltration efforts targeted platforms associated with groups attacking **corporate networks** (related to the FIN7 investigation).
- Geography: Activities involve forums like the Russian-speaking XSS.
- Victims: Proactively alerted **over eight thousand compromised organizations** that were potentially targeted by ransomware or other payloads via the FIN7 infrastructure.
## Tools & Infrastructure
- **Payment Methods:** Bitcoin, Monero, and other preferred cryptocurrencies for account purchases.
- **Communication:** TOX or email for sellers to reach Prodaft anonymously.
- **Malware Families Used:** None attributed to Prodaft; however, their investigation targeted infrastructure that leveraged **Microsoft Exchange and SQL injection flaws** utilized by FIN7.
- **Infrastructure (C2, domains, IPs):** No specific infrastructure linked to Prodaft's operations is mentioned, though they target criminal infrastructure.
## Implications
Prodaft represents an intelligence-gathering entity blurring the lines between defensive and intrusive operations. Their success in infiltrating groups like FIN7 demonstrates the ability of private sector entities to proactively disrupt major criminal operations before significant damage occurs, leading to the identification and potential **arrest of cybercriminals**. The use of illicit forum markets to gather intelligence is a key operational aspect.
## Mitigations
The article focuses on what Prodaft *does* to gather intelligence, rather than providing specific mitigations against Prodaft itself. However, the intelligence gathered points toward organizations needing to defend against:
- **Exploitation of Microsoft Exchange vulnerabilities.**
- **SQL Injection (SQLi) attacks.**
- The general threat of **ransomware and access broker payloads.**