The Dark Web is a place in cyberspace where criminals and other bad actors share stolen credentials and discuss successful attacks. Fake COVID-19 cures, counterfeit travel documents, and scam call services are amongst the services being traded on the Dark Web. Cybercriminals continually search for new ways of exploiting the 2020 health crisis. Sensitive information often ends up for sale on the black market on the Dark Web, compromising the security of businesses and their employees.
According to the Ponemon Institute's 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, 63% of businesses reported an incident involving the loss of sensitive information about customers and employees in the previous year.
The Dark Web is a collection of anonymous websites that are publicly reachable yet hide their IP (Internet Protocol) addresses, making it impossible for users to identify and track the host. It is quite common for personal information obtained through data breaches, including email accounts, passwords and credit card details, to end up illicitly for sale on the Dark Web. Recently, personal information from sources ranging from education organizations to voter databases in the US has been found exposed. Although there have been big takedowns of cyber-crime groups online, cybercriminals evolve to avoid detection.
There is a lot of bad on the Dark Web and there is some good, in the form of intelligence that can be used to help protect organizations from attacks. Since they are so focused on doing what is right, researchers often overlook additional rich sources of cyber-threat intelligence that attackers essentially hand out as they interact online. To defend as a good guy, you must think like a bad guy. Getting into an attacker’s head provides clues as to how and why they operate. To catch a crook, try thinking like a crook.
In general, the terms “Dark Web” and “Darknet” are more or less interchangeable, but there are some nuanced differences. When people refer to the Dark Web, they are usually talking about hacker sites on the Internet that you can access from a regular web browser. When people talk about Darknet, it means you need special software. The most common one is the Tor browser, but there are others as well.
To better understand how hackers operate, it helps to explore their neighborhood. A common data source for threat intelligence is attacker-run and torrent/onion forums, usually on the Darknet, where hackers often discuss, purchase and sell malware, ransomware, and denial-of-service offerings. These forums usually require researchers to work to obtain access to them. Some forums require payment of some kind; others require people to vouch for you as a real hacker. Often, you have to prove your worthiness by demonstrating your ability to code around a security problem or create malicious software. Some of these “entrance exams” require a lot of talent and time to complete.
Most attackers on these forums are not only motivated by monetary gain but are also looking for some glory. They want to post and advertise their knowledge in forums that will have the most views, and many want to show off their skills. In a hacker’s mind, why do something if you cannot take credit for it and increase your standing in the hacker world? This has led to the identification and “outing” of hackers and can place them out of business or in prison.
What hackers typically show off are frequent attacks targeting mass numbers of individuals and organizations rather than narrow, specific, targeted attacks. Some of the techniques shared in these forums help defenders understand attacker culture and how to defend against frequent attacks. Attack forums enable researchers to understand what attackers find interesting. Getting inside the mind of an attacker not only enables threat researchers to anticipate risks and the steps within an attack, but it also helps them to begin to profile certain cybercriminals. Threat behaviors are a lot like fingerprints and can be especially useful in uncovering and defending against certain threats.
One trend in these attack forums that has been a popular topic for discussion over the past few months is security on various web meeting platforms. Most of these discussions have no malicious intent and are probably people just wanting to learn more or discuss a specific topic. In rare cases, however, a surge of chatter about a particular application is worth noting, because it can mean attackers are starting to research vulnerabilities in it or test code against it.
Threat researchers also make use of text dumps that contain usernames, names, passwords, and other information. This is often what happens to data when cybercriminals, or even people in your organization, have intentionally or inadvertently leaked passwords or other personally identifiable information (PII). This data can place an entire organization at risk. Cyber threat investigators need to check to see if their firms have been caught up in these types of credential packages and data leaks.
Nearly US$100 million worth of Covid-related goods has been listed for sale on the Dark Web, according to a forthcoming report by the CTI League, a coalition of cybersecurity researchers investigating the intersection of Covid-19 and the Internet. In a survey of 25 of the largest Dark Web marketplaces, the CTI League found that 10% included Covid-related branding.
Examining hacker forums and text dumps are just two of the ways that researchers can glean valuable information that will help them protect the networks they are responsible for. For this reason, cybersecurity training for researchers needs to include methods of accessing the dark online world so the good guys can better understand how the bad guys operate and beat them at their own game.
Another key part of this ecosystem is the role of law enforcement. Threat researchers should work with law-enforcement agencies to share threat information in a way that is easy and accessible. This has to be a two-way street. Cyber-crime cannot be tackled unilaterally by law enforcement alone; it is a joint responsibility that requires trusted relationships to be fostered between the public and private sectors. For US organizations, please consider joining your local InfraGard chapter; membership is free of charge (www.infragard.org).
Dark Web scans do not cover the entire Dark Web, which would be technically impossible. Instead, they monitor known cyber-criminal forums and marketplaces where data dumps are frequently put up for sale. A Dark Web monitoring service may catch most incidents where your personal information has been put up for sale. The best way to think of Dark Web monitoring services is to look at them as one tool in your arsenal to protect yourself against cyber-crime. A Dark Web monitoring service, paired with good password security practices and a password manager, will provide comprehensive protection against nearly all password-related cyber-attacks at an affordable price.
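The check described above (investigators confirming whether their own organization appears in a leaked credential package, and monitoring services matching dumps against a customer's domains) comes down to parsing messy "combo list" text and matching the email domain correctly. The script below is an added example written for this article; it is not Red Sky Alliance code and not part of CTAC or RedXray. It assumes the common `email<delimiter>secret` dump layout, a hypothetical monitored domain `example.com`, a constructed sample dump, and a placeholder HMAC key. It deliberately matches on whole domain labels rather than substrings (so `example.com.attacker.net` is not a hit), triages whether the leaked secret is plaintext or already hashed, and records only a keyed fingerprint of each credential so the findings table never holds the leaked password itself.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed combo-list style dump for this example; none of these are real credentials.
# Real dumps mix delimiters (":", ";", "|", ",") and mix plaintext secrets with hashes.
SAMPLE_DUMP = """\
# combo list, constructed for this example
Alice.Smith@Example.COM:Winter2020!
bob@mail.example.com;hunter2
carol@other-org.net:letmein
dave@example.com|5f4dcc3b5aa765d61d8327deb882cf99
eve@example.com:$2b$12$KIXQ2bGvu4Qy0rN1Zt7sWe8cP3mLd5Hf9jA6xVbTnRqUoYsEiCgDk
not a credential line
frank@example.com.attacker.net:pass123
"""

# Hypothetical: the domains your organisation owns.
MONITORED_DOMAINS = {"example.com"}

# Placeholder: in practice load this from a secrets store. Keying the fingerprint
# stops anyone who obtains the findings table from confirming password guesses.
FINGERPRINT_KEY = b"placeholder-key-replace-from-your-vault"

# email, first delimiter, then everything else on the line as the secret
LINE_RE = re.compile(r"^\s*([^\s:;|,]+@[^\s:;|,]+)\s*[:;|,]\s*(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    email: str
    domain: str
    secret_kind: str
    fingerprint: str  # keyed digest of (email, secret); the secret itself is never kept


def in_scope(domain: str, monitored: set[str]) -> bool:
    """True if domain equals a monitored domain or is a subdomain of one.

    Deliberately a label-boundary test, not a substring test: the look-alike
    'example.com.attacker.net' must not count as a hit for 'example.com'.
    """
    domain = domain.lower().rstrip(".")
    return any(domain == m or domain.endswith("." + m) for m in monitored)


def classify_secret(secret: str) -> str:
    """Rough triage of the secret column: plaintext leaks need the fastest response."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", secret):
        return "md5-like hash"
    if re.fullmatch(r"[0-9a-fA-F]{40}", secret):
        return "sha1-like hash"
    if re.fullmatch(r"[0-9a-fA-F]{64}", secret):
        return "sha256-like hash"
    if secret.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt hash"
    return "plaintext"


def fingerprint(email: str, secret: str) -> str:
    """Short keyed digest so the same (email, secret) pair seen in several dumps
    can be de-duplicated and tracked without retaining the secret."""
    data = f"{email}\n{secret}".encode()
    return hmac.new(FINGERPRINT_KEY, data, hashlib.sha256).hexdigest()[:16]


def scan_dump(text: str, monitored: set[str]) -> list[Finding]:
    """Parse a combo-list dump and return only the rows that belong to monitored domains."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banners, comments, malformed rows
        email, secret = m.group(1).lower(), m.group(2)
        domain = email.rsplit("@", 1)[1]
        if not in_scope(domain, monitored):
            continue
        findings.append(Finding(email, domain, classify_secret(secret), fingerprint(email, secret)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per secret kind, e.g. to prioritise plaintext exposures."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.secret_kind] = counts.get(f.secret_kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_dump(SAMPLE_DUMP, MONITORED_DOMAINS)
    for h in hits:
        print(f"{h.email:32} {h.secret_kind:16} {h.fingerprint}")
    print(summarize(hits))
```

Run against the constructed sample, the scan reports four accounts in scope (including the `mail.example.com` subdomain), skips the third-party and look-alike domains, and flags two of the four as plaintext exposures that should trigger an immediate password reset. Feeding the resulting fingerprints into a ticketing or SIEM system lets a team notice when the same credential resurfaces in a later dump, which is the repeat pattern the article describes for recycled material.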
Red Sky Alliance has been tracking cybercriminals for years. Throughout our research, we have learned through our clients that the installation, updating, and monitoring of firewalls, employing cybersecurity practices, and providing proper employee training are keys to success, yet unfortunately are at times not enough. Our current CTAC and RedXray tools provide a valuable look into the underground, where malware and all its different variants are bought and sold. This includes forum conversations about vishing techniques. Our information can help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
© 2020 Red Sky Alliance Corporation. All rights reserved.