#NSBCS.044 - Open Source Intelligence (OSINT) - Friend or Foe?

Source: NSB Cyber


Open Source Intelligence (OSINT) - Friend or Foe?

The Australian Taxation Office recently invited tender submissions for an Open Source Intelligence (OSINT) tool to help protect Australia’s tax and superannuation systems. As OSINT becomes a critical tool for identifying exposures and vulnerabilities in cyber security, the same techniques are increasingly being used by cyber criminals. So, is OSINT a friend or foe?

What is OSINT?

Open Source Intelligence (OSINT) involves the collection, analysis, and interpretation of publicly available information for intelligence purposes. Once primarily used by government and law enforcement, OSINT has increasingly become a critical tool in cyber security, aiding in identifying threats and vulnerabilities.

OSINT researchers collect data points from the following public sources:

  • Internet search engines (Google, Bing, Yahoo etc.)

  • Print and online news media (newspapers, magazines, news sites etc.)

  • Social media accounts (Facebook, Instagram, X, LinkedIn etc.)

  • Online platforms (forums, blogs and IRC chat)

  • Dark web (sites reachable only through overlay networks such as Tor, which are not indexed by ordinary search engines)

  • Online directories (phone numbers, email addresses or physical addresses)

  • Public records (births, deaths, court documents and business filings and registers such as those held by ASIC and the ATO)

  • Government records (meeting transcripts, budgets, speeches and press releases from local, state or federal/national governments)

  • Academic research (papers, theses, journals etc.)

  • Technical data (IP addresses, APIs, open ports, web page metadata and web archives)
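As an added example that is not part of the original post, the following Python script shows what the "technical data" and "web page metadata" bullet means in practice. It parses a small constructed HTML page (not a real site) and pulls out the items an OSINT researcher, penetration tester or doxer would harvest from it: the author and CMS "generator" meta tags, email addresses and phone numbers in the visible text, hostnames leaked in HTML comments, and links to social profiles. It uses only the Python standard library; the sample page, the regular expressions and the field names are the example's own assumptions, not a description of any particular tool.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for this example (not a real site).
SAMPLE_HTML = """<html><head>
<meta name="author" content="Jane Citizen">
<meta name="generator" content="WordPress 5.8.1">
<title>Staff directory</title>
</head><body>
<p>Contact: jane.citizen@example.com.au or +61 2 9999 0000</p>
<!-- TODO: remove dev server dev-api.internal.example.com before launch -->
<a href="https://www.linkedin.com/in/janecitizen">LinkedIn</a>
</body></html>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Australian numbers in international format, e.g. +61 2 9999 0000 (assumption for the demo).
AU_PHONE_RE = re.compile(r"\+61\s?\d(?:[\s-]?\d){8}")
# Dotted hostnames with at least two labels before the TLD, e.g. dev-api.internal.example.com.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.){2,}[a-z]{2,}\b", re.IGNORECASE)
SOCIAL_HOSTS = ("linkedin.com", "facebook.com", "instagram.com", "x.com", "twitter.com")


class ExposureParser(HTMLParser):
    """Collects meta tags, HTML comments, links and visible text from one page."""

    def __init__(self):
        super().__init__()
        self.meta = {}
        self.comments = []
        self.links = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and attrs.get("name") and attrs.get("content"):
            self.meta[attrs["name"].lower()] = attrs["content"]
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

    def handle_comment(self, data):
        # Developer comments are served to every visitor but are rarely reviewed.
        self.comments.append(data.strip())

    def handle_data(self, data):
        self.text.append(data)


def _is_social(url):
    """True when the link points at one of the social platforms listed above."""
    host = urlparse(url).netloc.lower()
    return any(host == h or host.endswith("." + h) for h in SOCIAL_HOSTS)


def find_exposures(html):
    """Return the OSINT-relevant data points a single page gives away."""
    parser = ExposureParser()
    parser.feed(html)
    visible = " ".join(parser.text)
    return {
        "author": parser.meta.get("author"),
        "generator": parser.meta.get("generator"),  # CMS name and version: a fingerprint
        "emails": sorted(set(EMAIL_RE.findall(visible))),
        "phones": sorted(set(AU_PHONE_RE.findall(visible))),
        "social_links": [u for u in parser.links if _is_social(u)],
        "internal_hosts": sorted({h for c in parser.comments for h in HOST_RE.findall(c)}),
    }


def summarise(findings):
    """One line per exposure, in the order a recon report would list them."""
    lines = []
    if findings["generator"]:
        lines.append(f"software fingerprint: {findings['generator']}")
    if findings["author"]:
        lines.append(f"named individual: {findings['author']}")
    for e in findings["emails"]:
        lines.append(f"email address (phishing target, reveals username format): {e}")
    for p in findings["phones"]:
        lines.append(f"phone number: {p}")
    for h in findings["internal_hosts"]:
        lines.append(f"hostname leaked in HTML comment: {h}")
    for u in findings["social_links"]:
        lines.append(f"social profile link: {u}")
    return lines


if __name__ == "__main__":
    for line in summarise(find_exposures(SAMPLE_HTML)):
        print(line)
```

Run against a real site, each of these lines is a starting point for the next step of the collection: the generator string is checked against known vulnerable versions, the email format is used to guess addresses for other staff, the leaked hostname is resolved and port-scanned, and the social profile feeds the people-focused side of the research. The same output, read by the site owner, is a list of things to remove or lock down.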

Why is OSINT important in cyber?

OSINT is widely used in cyber security to assess security risks, identify vulnerabilities and exposures in an organisation's IT systems, and gain insights into threat actors, their tactics, and their targets. Penetration testers start from the same publicly available OSINT a real attacker would use during reconnaissance, so that the organisation sees what an outsider can learn about it and can remediate exposures before they are exploited by malicious actors.

What is Doxing?

Hackers and cyber criminals use the same OSINT techniques for malicious purposes such as phishing, social engineering, and exposing targets for further attack. Publishing what has been gathered is known as doxing (or doxxing): searching for, collecting, and publishing personally identifiable information about an individual or organisation without their consent, typically online or through social media. Unlike defamation, doxing does not require the information to be false or damaging; it usually involves accurate data, regardless of whether that data was lawfully obtained.

Doxing can refer to a number of different practices:

  • Deanonymising doxing: Revealing the identity of someone who was previously anonymous (e.g., someone who uses a pseudonym).

  • Targeting doxing: Revealing specific information about someone that allows them to be contacted or located, or their online security to be breached (e.g., their phone number or home address, or their account username and password).

  • Delegitimising doxing: Revealing sensitive or intimate information about someone that can damage their credibility or reputation (e.g., their private medical, legal, or financial records, or personal messages and photos usually kept out of public view).

How to Protect Yourself from Doxing

  • Use a different username on each online account: a reused handle is the easiest way to link your accounts across platforms and to deanonymise a pseudonymous one.

  • Use strong, unique passwords (a password manager makes this practical) and treat security questions as secondary passwords: answer them with random values, because the true answers (first school, mother's maiden name, first pet) are often discoverable through OSINT.

  • Enable multi-factor authentication wherever it is offered, preferring an authenticator app or hardware key over SMS codes.

  • Review and adjust privacy settings on social media to control who can view your content and personal information. Consider locking your profiles.

  • Limit the personal information you share online, such as your address, workplace, school, or frequently visited locations, and check photos for identifying background details and location metadata before posting them.

  • Regularly search your name online in a private (incognito) browser window, so that results are not personalised by your logged-in accounts, to check what personal data is publicly accessible.

Conclusion

OSINT can be both a friend and a foe. When used to protect organisations from cyber threats, it plays a crucial role in identifying risks and vulnerabilities. However, in the hands of criminals or threat actors, OSINT can be exploited for malicious purposes such as social engineering or doxing. While the information gathered is publicly available, legal, ethical, and privacy considerations must be observed. OSINT should be used responsibly, preserving privacy and avoiding harm or exploitation.

Education is key in helping individuals understand how much of their shared information can be accessed not only by companies but also by malicious actors. Equally important is ensuring that companies are transparent about what data they collect and how they use it, a growing concern in the digital age.

Ultimately, OSINT is a powerful tool that can be our friend or our foe; how it is used is the deciding factor.

References:
ATO looks to "unattributable exploration" of social media and the internet
What is open-source intelligence (OSINT)?
Open Source Intelligence (OSINT)
Doxing

For info on NSB Cyber’s Cyber Threat Intelligence or Open Source Intelligence capabilities, or to book a meeting with our team, click here.

What we read this week

  • CISA: Hackers Target Industrial Systems Using “Unsophisticated Methods” - CISA warns that hackers are targeting industrial systems, including critical infrastructure like water and wastewater facilities, using unsophisticated methods such as brute force attacks and default credentials. These ongoing attacks are exploiting operational technology and industrial control systems devices. The agency highlighted that simple measures like changing default passwords and enabling multifactor authentication can reduce these risks. Recent advisories also link these attacks to pro-Russian hacktivists targeting North American and European systems, with CISA urging operators to defend against these threats by enhancing cybersecurity practices.

  • AI-Generated Malware Found in the Wild - HP identified malware in the wild that appears to have been generated with artificial intelligence (AI): a dropper used in a phishing campaign. The dropper was unusually well-structured, with clear comments explaining the code, which suggests it was produced by a generative AI model rather than written by a human. The payload it delivered was the commodity remote access trojan AsyncRAT, but the finding highlights a shift towards more accessible, low-skill cybercrime enabled by AI. The incident marks an evolution in the use of AI in malware, lowering the barrier for less experienced attackers. Experts warn this could be the beginning of more sophisticated AI-generated threats in the near future.

  • Transportation Companies Hit by Cyberattacks Using Lumma Stealer and NetSupport Malware - Transportation and logistics companies in North America are being targeted by a phishing campaign distributing malware like Lumma Stealer, StealC, and NetSupport. Attackers are using compromised email accounts of legitimate companies to inject malicious content into email threads. The campaign has evolved with new tactics, such as employing URL attachments and PowerShell scripts, to deliver malware payloads like DanaBot. The phishing attempts impersonate software specific to transport and fleet management, indicating targeted research on victims.

  • Telegram Says it Will Share Phone Numbers and IP Addresses of ‘Bad Actors’ to Authorities - Telegram has updated its terms of service to share phone numbers and IP addresses of users violating platform rules with authorities in response to legal requests. This change aims to address issues like illegal activities conducted through the app, which were previously challenging to manage. Telegram's founder, Pavel Durov, emphasised that these measures are necessary to safeguard the platform's integrity. The updated policy applies to a broader range of violations, beyond just terrorism-related cases. This comes amid increased scrutiny and legal challenges faced by Telegram in several countries.

  • New Octo Android Malware Version Impersonates NordVPN, Google Chrome - The new version of the Octo Android malware, named Octo2, is spreading across Europe by impersonating apps like NordVPN, Google Chrome, and Europe Enterprise. Octo2 has enhanced anti-analysis and evasion capabilities, including a domain generation algorithm (DGA) for resilient command and control. It evolves from previous versions and maintains functionalities like on-device fraud, SMS interception, and device control. The malware is being distributed through third-party app stores and targeted campaigns, primarily in Italy, Poland, Moldova, and Hungary. The appearance of Octo2 suggests ongoing development and adaptation in the malware market.

