Light Dark
July 11, 2019 By Mark Stone 4 min read
Intelligence & Analytics

Imagine this scenario: Everyone in your accounts payable department receives an invoice for a service your organization uses frequently. The invoice appears legitimate and doesn’t set off any alarm bells, but is in fact loaded with malware purchased on the darknet — a popular marketplace for tools that can be used as backdoors into your network.

This is happening to more companies than you might think.

Over the last few years, there has been a 20 percent increase of threat actors on the darknet selling tools, services and stolen data to target the world’s most prominent organizations. Even more alarming, 40 percent of darknet actors are selling targeted hacking services against FTSE 100 and Fortune 500 businesses.

These are some of the findings in a June report, “Behind the Dark Net Black Mirror,” which presented research conducted by Dr. Mike McGuire, a respected criminology lecturer at the University of Surrey in the U.K. Also included in the report are details surrounding how the researchers engaged in communication with criminal vendors offering services targeting the enterprise.

As soon as I began exploring the contents of the report, I couldn’t wait to connect with McGuire for answers to the burning questions I had. I needed to understand how serious of a threat the darknet represents for the enterprise, what information revealed in the report every business must know about and, more importantly, what the enterprise can do to mitigate this cyber risk.

It’s Getting Harder to Track Darknet Activity

It’s fascinating to learn the lengths to which McGuire and his team went to obtain the data.

“For this report, we embedded researchers within gated and private platforms and communities within the dark net,” McGuire said. “This gave us unique insights into how cybercriminals target enterprises and helped expose conversations with ‘vendors’ of cybercrime services.”

According to the research, it’s clear that the darknet has become a major threat to the enterprise and a key enabler of cybercrime. The kid in the candy store analogy is perfect here: The darknet’s cookie jars are full of everything threat actors need to breach enterprise networks, steal data and spy on company activities. With one quick trip, attackers can fill their virtual carryalls with all the tools and services they need to launch attacks.

What might be most concerning, however, is a trend that makes it more challenging to track cybercrime in the future.

“Increased law enforcement activity has forced cybercriminals to become more secretive, with 70 percent inviting us to talk over private, encrypted channels in the invisible net, such as Telegram,” said McGuire. “This is making it even harder for law enforcement to track dark net transactions, and helps to cover-up plans for future attacks on the enterprise.”

A Virtual Treasure Trove for Threat Actors

Ian Pratt, co-founder and president of Bromium, the publisher of McGuire’s report, is no stranger to advanced threats. But after reviewing the report’s findings, he was caught off guard by the increased demand for bespoke malware, which is outnumbering off-the-shelf varieties 2 to 1. Pratt noted that almost every vendor offers tailored versions of malware that can poke holes through an enterprise’s defenses. Even more surprising was the report’s spotlight on the dedicated market for corporate network access — stolen credentials and remote access Trojans (RATs) included.

“This raises the very real threat that cyber actors could stroll into corporate networks at any time, leaving them free to obtain high-value assets and install further backdoors for future access,” warned Pratt. “This suggests that targeting the enterprise has become big business.”

I’ve always drawn analogies between threat groups and the mob, but according to McGuire, the mob analogy no longer fits the methods of today’s bad actors. A better analogy, he suggested, might be with targeted marketing and sales campaigns.

“Research about the target is conducted, intelligence is gathered, then specific tools are obtained which can exploit known vulnerabilities, whether in the form of a direct ‘attack’ on a network, a more long drawn out campaign using phishing tools, or a ‘backdoor/insider’ breach which exploits an organization’s internal vulnerabilities,” he said.

No Better Time to Be Proactive

Before you get too alarmed, it’s critical for the enterprise to understand that the darknet can be a good resource for cyberthreat intelligence gathering. For McGuire, there are certain advantages to the enterprise in using the darknet for enhancing network and customer security, with a wealth of information available on darknet forums to alert cybersecurity teams about potential vulnerabilities and emerging threats. He advised that the enterprise can gain significant cost savings in developing cybersecurity strategies by learning about the advanced intelligence on new hacks, tools and compromised servers that could be used against them.

“Active involvement in monitoring darknet activity can be extremely useful in guarding against phishing attacks, for example, or when customer data has been breached and appears for sale there,” McGuire said.

To help reduce the impact of darknet threats, experts advocate for organizations to fully assess and understand this particular cyber risk. To do that, however, there needs to be a complete rethink on security.

The most worrying trend to me is the ease with which a company employee can be tricked into installing and triggering malware. People are always the weakest link in the security chain, and it appears that tools on the darknet are like a big pair of wire cutters. Darknet vendors are even offering the means to create convincing lures for phishing campaigns using official-looking company invoices and documentation.

“These documents can be used to defraud organizations or as part of phishing campaigns to trick employees into opening them,” McGuire noted. “They may look real, but in reality, they deliver malware that triggers a breach or gives hackers a backdoor to corporate networks which could be sold on the dark net.”

Don’t Leave Yourself in the Dark About the Darknet

The bottom line is to ensure you’re not in the dark about the darknet. While it may be yet another security threat to worry about, ignoring it can be costly.

So what can we do if risk mitigation is in our job description? One thing is to take matters into our own hands. We need to strengthen cybersecurity posture and apply layered defenses — including application isolation capabilities to identify and contain threats. If we learn anything from McGuire’s report, cybercriminals are in a prime position to disrupt business operations and gain a foothold in our networks.

A proactive approach to security and intelligence gathering is the best way to stem the tide of threats and lucrative trading of business-critical data on the darknet.

 |  |  |  |  |  |  |  |  |  |  |  | 
Mark Stone

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

August 9, 2023

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature