Posted by News at 2016.10.26

Category: Ideas

The American military's radical, unlikely, democratic experiment in northern Syria now teeters on a knife’s edge.

Posted by News at 2016.10.26

Category: Ideas

The Philippines president flew to China and signed billions in deals, said he would separate ties with the U.S., then took it all back.

Posted by News at 2016.10.26

Category: Product

Illuminating the darkness with the open source breadth of Recorded Future and the closed source depth of Intel 471.

Editor’s Note

This is the first of a series of blog posts on useful “all-source analysis” research and collaborative approaches using Recorded Future and our OMNI Intelligence Partners.


Through our OMNI Intelligence Partners Program, threat researchers can easily pivot between Recorded Future Intel Cards and Intel 471’s closed source intelligence collection. This integration enables all-source analysis to uncover hidden connections on new and emerging threats. In this article you’ll find a:

  • Broad overview of the challenge Intel 471 helps to solve.
  • Detailed example of how Recorded Future and Intel 471 together can expose timely information on criminal threat actors.


Information security analysts get frustrated attempting to manually correlate threat data from multiple sources, especially from the dark web. The process is time consuming, often confusing, and can produce a final report with stale information.

On top of that, analysts are never confident they have access to timely and relevant data from both a tactical and proactive point of view. Without the ability to access dark web intelligence, many analysts are left with the feeling they can only react to the threat, not get ahead of the threat.


To stay ahead of security risks, information security analysts need to detect, evaluate, and prioritize emerging threats in real time. Reducing clicks is critical for creating actionable threat intelligence with speed and confidence.

Security teams want access to closed sources where threat actors actually collaborate, communicate, and plan cyber attacks.

Recorded Future’s open source intelligence, combined with Intel 471’s actor-centric dark web intelligence, contains a wealth of information about global threat actors, their methods, and associated technical indicators — organized in a single view on the following Intel Cards.

Intel Card      Extension
IP Address      Available
Domain          Available
Hash            Available
Malware         Available
Threat Actor    Coming Soon


The following analysis provides a taste of what’s possible with our Intel 471 integration.

In September 2016, FireEye published a report titled “Vendetta Brothers, Inc. – A Window Into the Business of the Cyber Criminal Underground.” This report covers two cyber criminals that FireEye refers to as the “Vendetta Brothers”; they operate under the handles 1nsider and P0s3id0n.

These two are believed to be involved with compromising point-of-sale (POS) systems to obtain payment card information that can be sold through their own underground marketplace called “Vendetta World.”

Researching Vendetta World on Intel 471’s platform revealed that Intel 471 researchers first reported and linked P0s3id0n to the underground marketplace Vendetta World in late 2015.

At the time, P0s3id0n and 1nsider were soliciting fellow members of the underground to collaborate with them by installing their malware on systems involved with scanning or storing credit card information. In addition, Intel 471 intelligence included information on P0s3id0n’s POS malware, called Cerebrus.

Control panel login page from P0s3id0n’s POS malware, Cerebrus.

Using Recorded Future, we find several references earlier this year linking Cerebrus with the malware known as CenterPOS.

Public references to Cerebrus found in Recorded Future.

At this point, we can pivot to the Recorded Future Malware Intel Card for CenterPOS. This provides an overview of the available open source information about this malware, which was first mentioned in September 2015 and has references as recently as two weeks ago.

Recorded Future Intel Card for CenterPOS malware.

Intel 471 also has an extension for Malware Intel Cards, and a single click runs a search of the Intel 471 forum collection for posts that reference CenterPOS.

Forum posts from Intel 471 as viewed from the Malware Intel Card for CenterPOS.

Of note, in June 2016 the user identified as “cashoutsmith” appears to be selling Cerebrus (CenterPOS), which suggests that this POS malware is potentially in use beyond the Vendetta Brothers alone.

Returning to an analysis of the two actors themselves (1nsider and P0s3id0n), Intel 471’s platform allowed us to paint a historical picture of the two actors’ activity.

For example, 1nsider was first active under this handle in the criminal underground from early to mid 2015. He almost certainly operated under another handle previously, as three other cyber criminals, including P0s3id0n, had vouched for him on another well-known underground forum.

Also, P0s3id0n, who had previously used the handle viscolul, has been active since at least 2011. Interestingly, back in March 2015 viscolul put out the following request.

POS skimmer solicitation collected by Intel 471.

The various malware mentioned (Alina, vskimmer, blackPOS, and Dexter) may have influenced the development of Cerebrus (a.k.a. CenterPOS); indeed, Intel 471 analysis of a P0s3id0n malware build appears to have similarities with the memory dumps of Dexter.

As in any marketplace, reputation is very important to being successful in the underground. Actors will often operate across forums in different languages and under different handles. The Intel 471 platform offers the ability to track and link together these bits of information. Intel 471 has seen P0s3id0n active across a number of underground forums, both in Spanish and in English. Also, as previously mentioned, P0s3id0n had previously operated under the handle viscolul, and changed to P0s3id0n after being labeled a scammer.

Intel 471 captured posts before and after the actor changed handles from viscolul to P0s3id0n.

Advertising, sales incentives, and customer service are also important components of the marketplace. Using Recorded Future, we find a lot of marketing from these actors promoting their wares from late 2015 to early 2016; among the notable features are 24/7 customer service with 360 min refund/replace guarantees and increasing discounts for larger upfront payments.

Recorded Future timeline of references that included either 1nsider and/or P0s3id0n.

Intel 471 researchers were also able to tie the following infrastructure and indicators of compromise, used at least through late 2015, to both Cerebrus and the “Vendetta Brothers.”

Intel 471 infrastructure data linked to Cerebrus in late 2015, displayed via the Intel Card extension.

These technical indicators come from an Intel 471 information report written over a year ago, and security teams would likely have found high value in them at the time. Checking the indicators against Recorded Future, one can note that some of them are indeed suspicious, as illustrated in the Intel Card for IP address

Intel Card for one of the IP addresses identified by Intel 471 as part of the Cerebrus infrastructure.


Threat Intelligence analysts can gain deeper insight into criminal cyber activity using the combined resources of Intel 471 and Recorded Future.

The two intelligence sources are highly complementary (closed forums versus open sources, and human-curated versus machine-analyzed, respectively), and together they help build a broader picture of actor activities and related technical indicators.

Intel 471’s integration with Recorded Future’s Intel Cards makes it easy to pivot between the two intelligence sources, giving researchers opportunities to explore hidden connections and facilitate faster analysis.


Want to learn more about using Intel 471 with Recorded Future? Request a free demo. You can also contact Intel 471’s Vice President of Sales and Strategy, Steve Laskowski, at sales [at] intel471 [dot] com or complete the contact form on their website.

Intel 471

Intel 471 provides an actor-centric intelligence collection capability that focuses on infiltrating and maintaining access to closed sources where threat actors collaborate, communicate, and plan cyber attacks. Their mission is to understand the adversary in a way that does not bring added risk to your organization.

The post OMNI Intelligence Partner Spotlight: Intel 471 appeared first on Recorded Future.


Posted by News at 2016.10.26

Category: Threats

Fort Meade says 133 Cyber Mission Force teams have reached initial operating capability, with full readiness two years away.

Posted by News at 2016.10.26

Category: Ideas

Director of National Intelligence James Clapper discusses emerging challenges in U.S.-Russian relations, cybersecurity, and how his office views North Korea’s nuclear program.

Posted by News at 2016.10.26

Category: Ideas

Much is being done to counter Russian ambitions in the High North, and yet much more remains to be done.

Posted by News at 2016.10.25

Category: Technology

Researchers are using seismic sensors to learn about enemy weapons — and one day, even to find them as they fire.
