“From disguised closure to SolarWinds”: The current status of the dark web in 2021


Expert criminal groups, malware services, and improved infrastructure for conducting criminal activities are transforming the dark web. Examine the impact on corporate security.

Recently, one more worry has arisen for the criminals active on the dark web: arrest by law enforcement. Tracking illegal activity on the dark web is a desperate chase for the authorities, but it is not unusual for them to eventually catch their quarry and confiscate the dirty money. For example, on the night of the 2020 U.S. presidential election, after seven years of pursuit, the U.S. government emptied a $1 billion bitcoin wallet to recover funds linked to the Silk Road, a black market that sold illegal goods and services such as drugs, contract killings, and hackers for hire.

Criminal groups fake their own closure

Frequent events like this have led criminals to devise new strategies, one of which is to close up shop and take the money out before they fall under the authorities' surveillance. In October 2020, the ransomware group Maze declared retirement after plundering hundreds of businesses, winding down its operations over more than six weeks. Experts, however, believed the retirement was only superficial: ransomware groups rarely withdraw from the business completely, and often stop one operation only to join another.

Mark Turnage, CEO of the dark web search engine DarkOwl, said, “The dark web has changed dramatically in recent years, and has become quite organic as the use of anonymous forums and markets by organized criminal groups has increased. The number of young people who want to become criminals by watching YouTube has increased. Naturally, there has been an increase in the activities of judicial institutions and attempts to identify and punish the perpetrators by infiltrating such criminal groups or services.”

The Dark Web Becomes a Job Channel

The dark web has evolved into a middle ground where cybercriminals make minimal contact to attract new gang members; the actual communication then moves to secret, encrypted channels such as Telegram, Jabber, and Wickr. “Malware developers and fraudsters don't rely heavily on the dark web market to spread their tricks,” Turnage said. “Instead, they announce themselves on the black hat forums, grow their influence across the community, and then recruit new gang members. Many criminal groups, especially the ransomware-as-a-service industry and their contributors, simply use the dark web to search for members of the organization.”

According to DarkOwl, the more technologically advanced criminals are making greater use of the distributed dark web and of mesh networks such as Lokinet and Yggdrasil. Turnage pointed to the short life of dark web markets and services on Tor and to the seizure of servers through international cooperation by law enforcement agencies.

In addition, moving a market from Tor nodes to private messaging services has technical advantages such as DDoS protection, and these safeguards are attractive to dark web administrators. Ironically, black markets like Empire were forced to shut down because of DDoS attacks conducted by other criminals trying to take over the market. The sudden shutdown of Empire invalidated its so-called 'escrow' guarantee, which some Empire customers regarded as an 'exit scam'.

By moving loyal customers to reputable end-to-end encrypted messaging services, cybercriminals use these platforms' stable, distributed infrastructure to keep a low profile and avoid law enforcement surveillance. Of course, messaging platforms like Telegram are not completely free from DDoS attacks. However, defending against those attacks is the responsibility of the platform owner, not the dark web operator.

Gathering intelligence from underground chatter

According to Raveed Laeb, KELA's product manager, the dark web today offers a vast array of products and services. Dark web communications and transactions were originally centered on forums, but have already moved to other media such as IM platforms, automated stores, and closed communities. Through these intermediaries, criminals share confidential information about infected networks, stolen data, leaked databases, and other monetizable cybercrime products.

Laeb said, “This market change is focused on automation and subscription model-based service, and its purpose is to support the enlargement of cybercrime. It makes it possible to create a supply chain seamlessly. It can be seen from the exponential increase in ransomware attacks using the underground financial ecosystem, which in itself is a powerful weapon for attackers.”

On the plus side, this intelligence enables security experts and threat analysts to identify and patch system vulnerabilities before they are exploited. Laeb said, “A defender can take advantage of a robust and dynamic ecosystem by gaining visibility into the inner workings of the underground ecosystem. They can track the same vulnerabilities, exposures, and infections that attackers use, so they can be cured before being exploited.”

Proactive defense requires monitoring the forums and dark websites where attackers are most likely to discuss future threats and offer post-attack spoils for sale. For example, a hacker recently posted a list of more than 49,000 vulnerable Fortinet VPNs in a forum; among them were well-known telecommunications companies, banks, and government organizations. Another attacker then published a follow-up post revealing plaintext credentials for the VPN devices that anyone could exploit. The vulnerability at issue was a two-year-old routing bug that had long since dropped off the radar, yet the VPNs of thousands of companies on the list were still vulnerable.

Monitoring the intelligence shared in these forums alerts an organization's security teams and lets them look closely at where attackers may be heading next.

Tracking illegal activity hidden in legitimate programs

APT (Advanced Persistent Threat) groups collect information about targets through the dark web and then use legitimate network protocols and programs to steal confidential data. Vince Warrington, CEO of Dark Intelligence, said: “In the past, companies tended to only care about getting their data on the dark web. And even then, it would only sound the alarm when there was important data. But the APT group, backed by state-level support from China and Russia, now scouts promising targets via the darknet and provides a cover-up to steal data later.”

Warrington said, “Beginning in early 2020, the use of SSH by the APT group has increased by more than 200%. According to Dark Intelligence's investigation, the APT group enters the organization undetected via SSH over port 22. Once inside, they steal a significant amount of data through poorly monitored and maintained systems, especially industrial control systems. Several recent attacks are estimated to have stolen more than a terabyte of data from each company. It's a huge amount of data that companies didn't understand because they couldn't effectively monitor access to the dark web.”
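The pattern Warrington describes, inbound SSH to a poorly watched ICS segment followed by bulk outbound transfers, can be flagged from ordinary flow records. This is an added example, not code from the article or from Dark Intelligence; the flow records, the ICS host inventory and the 100 GB threshold are constructed assumptions.

```python
"""Flag external SSH into ICS hosts and correlate it with bulk egress.
All flow records below are constructed sample data, not real captures."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("10.0.5.21", "10.0.9.10", 22, 4_000),                # internal jump host -> ICS, normal
    ("203.0.113.45", "10.0.9.10", 22, 9_000),             # external address -> ICS over SSH
    ("203.0.113.45", "10.0.9.11", 22, 7_500),
    ("10.0.9.10", "198.51.100.7", 443, 600_000_000_000),  # ~600 GB leaving the ICS host
    ("10.0.9.11", "198.51.100.7", 443, 550_000_000_000),
    ("10.0.1.8", "198.51.100.20", 443, 2_000_000),        # ordinary web traffic
]

# Hypothetical asset inventory: the ICS segment that receives little monitoring.
ICS_HOSTS = {"10.0.9.10", "10.0.9.11"}

# RFC 1918 ranges only; TEST-NET addresses used above are treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_ssh_to_ics(flows, ics_hosts=ICS_HOSTS):
    """(src, dst) pairs where a non-internal address opens SSH (port 22) to an ICS host."""
    hits = {(src, dst) for src, dst, port, _ in flows
            if port == 22 and dst in ics_hosts and not is_internal(src)}
    return sorted(hits)


def bulk_egress(flows, threshold_bytes=100 * 1024**3):
    """Internal hosts whose total bytes to external destinations exceed the threshold."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return {host: total for host, total in totals.items() if total > threshold_bytes}


def correlate(flows, ics_hosts=ICS_HOSTS):
    """ICS hosts that both received external SSH and pushed bulk data out."""
    ssh_targets = {dst for _, dst in external_ssh_to_ics(flows, ics_hosts)}
    return sorted(ssh_targets & set(bulk_egress(flows)))


if __name__ == "__main__":
    print("external SSH into ICS:", external_ssh_to_ics(FLOWS))
    print("hosts with bulk egress:", sorted(bulk_egress(FLOWS)))
    print("correlated ICS hosts:", correlate(FLOWS))
```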

Last month, a massive attack on the SolarWinds supply chain, believed to be the work of the Russian intelligence group APT29 (aka Cozy Bear), was discovered. By exploiting legitimate programs like SolarWinds Orion and the trust placed in secure update channels and protocols, the attacker quietly compromised 18,000 of SolarWinds' 300,000 customers and remained undiscovered for months.

This attack would have involved covert surveillance and data breaches that left no clear mark, unlike the commotion an attacker causes in public or dark web forums when spreading stolen data. Monitoring only the dark web for signs of data leakage is therefore not enough.

Threat analysts and security researchers should re-evaluate their existing monitoring strategies. Instead of focusing solely on detecting anomalous signals inside the corporate network (foreign IPs, suspicious port numbers, etc.) or waiting for proprietary data to appear on the dark web, they must also monitor the trusted programs and services, such as security updates, and the internal software supply chain in which attackers can hide undetected.
