July 11, 2019 By Mark Stone 4 min read

Imagine this scenario: Everyone in your accounts payable department receives an invoice for a service your organization uses frequently. The invoice appears legitimate and doesn’t set off any alarm bells, but is in fact loaded with malware purchased on the darknet — a popular marketplace for tools that can be used as backdoors into your network.

This is happening to more companies than you might think.

Over the last few years, there has been a 20 percent increase in the number of threat actors on the darknet selling tools, services and stolen data to target the world’s most prominent organizations. Even more alarming, 40 percent of darknet actors are selling targeted hacking services against FTSE 100 and Fortune 500 businesses.

These are some of the findings in a June report, “Behind the Dark Net Black Mirror,” which presented research conducted by Dr. Mike McGuire, a respected criminology lecturer at the University of Surrey in the U.K. The report also details how the researchers communicated directly with criminal vendors offering services that target the enterprise.

As soon as I began exploring the contents of the report, I couldn’t wait to connect with McGuire for answers to the burning questions I had. I needed to understand how serious a threat the darknet represents for the enterprise, what information revealed in the report every business must know about and, more importantly, what the enterprise can do to mitigate this cyber risk.

It’s Getting Harder to Track Darknet Activity

It’s fascinating to learn the lengths to which McGuire and his team went to obtain the data.

“For this report, we embedded researchers within gated and private platforms and communities within the dark net,” McGuire said. “This gave us unique insights into how cybercriminals target enterprises and helped expose conversations with ‘vendors’ of cybercrime services.”

According to the research, it’s clear that the darknet has become a major threat to the enterprise and a key enabler of cybercrime. The kid in the candy store analogy is perfect here: The darknet’s cookie jars are full of everything threat actors need to breach enterprise networks, steal data and spy on company activities. With one quick trip, attackers can fill their virtual carryalls with all the tools and services they need to launch attacks.

What might be most concerning, however, is a trend that makes it more challenging to track cybercrime in the future.

“Increased law enforcement activity has forced cybercriminals to become more secretive, with 70 percent inviting us to talk over private, encrypted channels in the invisible net, such as Telegram,” said McGuire. “This is making it even harder for law enforcement to track dark net transactions, and helps to cover up plans for future attacks on the enterprise.”

A Virtual Treasure Trove for Threat Actors

Ian Pratt, co-founder and president of Bromium, the publisher of McGuire’s report, is no stranger to advanced threats. But after reviewing the report’s findings, he was caught off guard by the increased demand for bespoke malware, which is outnumbering off-the-shelf varieties 2 to 1. Pratt noted that almost every vendor offers tailored versions of malware that can poke holes through an enterprise’s defenses. Even more surprising was the report’s spotlight on the dedicated market for corporate network access — stolen credentials and remote access Trojans (RATs) included.

“This raises the very real threat that cyber actors could stroll into corporate networks at any time, leaving them free to obtain high-value assets and install further backdoors for future access,” warned Pratt. “This suggests that targeting the enterprise has become big business.”

I’ve always drawn analogies between threat groups and the mob, but according to McGuire, the mob analogy no longer fits the methods of today’s bad actors. A better analogy, he suggested, might be with targeted marketing and sales campaigns.

“Research about the target is conducted, intelligence is gathered, then specific tools are obtained which can exploit known vulnerabilities, whether in the form of a direct ‘attack’ on a network, a more long-drawn-out campaign using phishing tools, or a ‘backdoor/insider’ breach which exploits an organization’s internal vulnerabilities,” he said.

No Better Time to Be Proactive

Before you get too alarmed, it’s critical for the enterprise to understand that the darknet can also be a good resource for cyberthreat intelligence gathering. For McGuire, there are clear advantages to the enterprise in using the darknet to enhance network and customer security: Darknet forums hold a wealth of information that can alert cybersecurity teams to potential vulnerabilities and emerging threats. He advised that the enterprise can achieve significant cost savings in developing cybersecurity strategies by learning early about new hacks, tools and compromised servers that could be used against them.

“Active involvement in monitoring darknet activity can be extremely useful in guarding against phishing attacks, for example, or when customer data has been breached and appears for sale there,” McGuire said.

To help reduce the impact of darknet threats, experts advocate for organizations to fully assess and understand this particular cyber risk. To do that, however, there needs to be a complete rethink of security.

The most worrying trend to me is the ease with which a company employee can be tricked into installing and triggering malware. People are always the weakest link in the security chain, and it appears that tools on the darknet are like a big pair of wire cutters. Darknet vendors are even offering the means to create convincing lures for phishing campaigns using official-looking company invoices and documentation.

“These documents can be used to defraud organizations or as part of phishing campaigns to trick employees into opening them,” McGuire noted. “They may look real, but in reality, they deliver malware that triggers a breach or gives hackers a backdoor to corporate networks which could be sold on the dark net.”

Don’t Leave Yourself in the Dark About the Darknet

The bottom line is to ensure you’re not in the dark about the darknet. While it may be yet another security threat to worry about, ignoring it can be costly.

So what can we do if risk mitigation is in our job description? One thing is to take matters into our own hands. We need to strengthen our cybersecurity posture and apply layered defenses — including application isolation capabilities to identify and contain threats. If we learn anything from McGuire’s report, it’s that cybercriminals are in a prime position to disrupt business operations and gain a foothold in our networks.

A proactive approach to security and intelligence gathering is the best way to stem the tide of threats and lucrative trading of business-critical data on the darknet.
