Access to FTSE 100 and Fortune 500 corporate networks has increased on the dark web.
According to research by Bromium and the University of Surrey, presented at Infosecurity Europe, four in ten dark net vendors are selling targeted hacking services aimed at FTSE 100 and Fortune 500 businesses, while there has been a 20% rise in the number of dark net listings in the last three years, specifically “with a direct potential to harm the enterprise.”
The most heavily targeted industries were identified as banking (34%), ecommerce (20%), healthcare (15%), and education (12%). Threats tailored to specific industries or organizations outnumbered off-the-shelf varieties by a ratio of 2:1.
“Almost every vendor offered us tailored versions of malware as a way of targeting specific companies or industries,” said Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey. “The more targeted the attack, the higher the cost, with prices rising even further when it involved high-value targets like banks. The most expensive piece of malware found was designed to target ATMs and retailed for approximately $1,500.”
Access to corporate networks is sold openly: 60% of the vendors approached by the researchers offered access to more than ten business networks each, and 70% of the vendors engaged invited the researchers to continue the conversation on encrypted messaging applications such as Telegram, beyond the reach of law enforcement.
Speaking to Infosecurity, Bromium president and co-founder Ian Pratt said that dark web “stores” are often just a “shop window” to sell services, and most transactions usually take place over encrypted communication channels like Signal and Telegram.
“The dark web is not an index, but a bunch of sites separate from the regular web,” Pratt said. He also said that access to networks is commonly sold for around $10,000, and that it is not too hard to determine what a company uses. “Also it is not even zero-days, it is bypassing detection-based systems,” he said.
Pratt also said that many cyber-criminals now have separate supply chains providing language services and tailored malware for an attack. One example is the Emotet banking Trojan, which is often used as the dropper for the initial infection; command and control access is then sold on, the payload scrapes credentials, and the Trojan itself is re-used for cryptojacking.
Aside from access to financial services and e-commerce, healthcare information was targeted by 15% of actors. Pratt explained that this information is commonly held for ransom, and if the ransom is not paid, the details are released.
“The methods for providing access varied considerably,” Dr. McGuire explained. “Some involved stolen remote access credentials that are for sale for as little as $2, others involve backdoor access or the use of malware. Illicit remote access tools appear to be most popular – we were offered Remote Access Trojans at least five times more often than keyloggers.
“Enterprises, researchers, and law enforcement must continue to study the dark net to get a deeper understanding of the adversaries that we are dealing with, and better prepare ourselves for counteracting the effects of a growing cybercrime economy.”