Network access for sale on dark web
Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, a Rapid7 Company, shares his observations about ransomware and the sale of (stolen) network access on the dark web.
EITN: How do you see ransomware attacks evolving in the next few years?
Paul: The shift to a remote workforce during the current COVID-19 pandemic has given attackers more attack surface to exploit, which has significantly fueled the marked increase in these attacks in the past 18 months. This phenomenon predates the pandemic, but it matured and took on a life of its own in 2020, with some underground criminal forums beginning to dedicate specific sections to this particular type of offering.
These sales of network access affect organizations in all industries and geographies. Technology and telecommunications companies are among the most common victims and often command higher prices. These offerings often include a combination of remote access into a network and administrator credentials or other highly privileged accounts.
We foresee that even once we move back to working from the office, organizations will still be exposed to ransomware attacks if preventive steps are not being put into practice.
EITN: In your opinion, for how much longer is the ecosystem able to withstand frequent, large scale ransomware attacks?
Paul: In a situation where most organizations are not aware of the severity of these attacks, businesses will continuously be affected by such threats if networks are not protected and secured.
EITN: In a previous release, you mentioned the emergence of a data leaks black market. How do you see this activity panning out? For example, will it fuel more ransomware attacks?
Paul: Ransomware attacks and motivations will continue to evolve and cyber threats will involve more than loss of functionality or physical damage. There will be more and more versions and appearances of data theft, leakage, and trade over the coming years.
In addition to this, law enforcement organisations were not heavily involved within most areas of the dark web crime landscape. However, we see that some have recently stepped in to take down these cybercrime operations as these attacks have sparked national interest in protecting critical infrastructure.
For example, in Malaysia, the Ministry of Communications and Multimedia is committed to sustaining Malaysia’s cybersecurity ecosystem under the Cyber Security Empowerment Programme (SiberKASA).
EITN: What is your opinion of the 17.5% contribution from APAC in terms of victims?
Paul: There was no clear geographic focus beyond the disproportionate emphasis on North America at 37.5%. The 17.5% contribution from the Asia-Pacific region is similar to Europe and the Middle East as Asia-Pacific has both large and wealthy economies as well. Victims in wealthier countries are generally more lucrative, and English-speaking victims are often easier to compromise because they speak the world’s leading lingua franca.
EITN: Besides the response from law enforcement, what can be done to protect from ransomware attacks? How much can preventing sale of compromised network access, help to stem ransomware infections?
Paul: Every little decision we make in protecting our network could go a long way. Restricting cybercriminals from gaining network access could help curb ransomware attacks.
Here are some prevention measures that can help prevent network compromise events:
- Require the use of strong, unique, and frequently changed passwords.
- Require the use of 2FA, particularly for RDP, VPNs, and other remote access services.
- Use mobile authenticator apps, rather than SMS, for 2FA.
- Use rate limiting to defend against brute force attacks, particularly on RDP.
- Monitor credential dumps for email addresses from your organization’s domain.
- Update VPN software to ensure that it has the latest security patches.
- Disable remote access services that employees no longer need as they return to the office.
- Urge remote employees to change default passwords and update firmware on home routers.
- Issue devices with endpoint and network security monitoring for long-term remote employees. Ensure that they receive regular security updates and comply with other security policies.
- Establish a system of frequent, segmented, and redundant backups from which to restore encrypted files in the event of a ransomware infection.
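The rate-limiting measure in the list above is easy to state but has one edge case worth getting right: the limiter must keep denying a source during its lockout even when the attacker's next attempt happens to carry the correct password, otherwise a brute force that crosses the threshold on the last guess still wins. The following is an added example in Python, not code from IntSights, Rapid7 or the interviewee; the log format, the thresholds (five failures in ten minutes, thirty-minute lockout) and the sample events are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy (assumption): lock a source out after MAX_FAILURES failed
# remote-access logons within WINDOW, for LOCKOUT.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=30)


class SlidingWindowLimiter:
    """Per-source sliding-window limiter for RDP/VPN logon attempts.

    Only failures are counted and a success never resets the window, so a
    slow spray interleaved with occasional valid logons is still caught.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
        self.locked_until = {}              # source_ip -> datetime the lockout expires

    def is_locked(self, src, now):
        until = self.locked_until.get(src)
        return until is not None and now < until

    def record(self, src, now, success):
        """Return 'deny' while locked out (regardless of the password being
        right), 'lock' when this failure crosses the threshold, else 'allow'."""
        if self.is_locked(src, now):
            return "deny"
        if success:
            return "allow"
        recent = self.failures[src]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[src] = now + self.lockout
            recent.clear()
            return "lock"
        return "allow"


# Constructed sample events (assumption): "<timestamp> <source_ip> <account> <outcome>".
# 203.0.113.7 brute-forces the administrator account and guesses correctly on
# the sixth attempt, two seconds after crossing the threshold.
SAMPLE_EVENTS = """\
2021-06-01T10:00:00 203.0.113.7 administrator FAIL
2021-06-01T10:00:02 203.0.113.7 administrator FAIL
2021-06-01T10:00:04 203.0.113.7 administrator FAIL
2021-06-01T10:00:06 203.0.113.7 administrator FAIL
2021-06-01T10:00:08 203.0.113.7 administrator FAIL
2021-06-01T10:00:10 203.0.113.7 administrator SUCCESS
2021-06-01T10:01:00 198.51.100.20 jsmith FAIL
2021-06-01T10:30:00 198.51.100.20 jsmith SUCCESS
2021-06-01T10:41:00 203.0.113.7 administrator SUCCESS
"""


def parse_event(line):
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome == "SUCCESS"


def replay(text, limiter=None):
    """Feed logon events through the limiter; return (source, user, decision) per event."""
    limiter = limiter or SlidingWindowLimiter()
    decisions = []
    for line in text.strip().splitlines():
        now, src, user, ok = parse_event(line)
        decisions.append((src, user, limiter.record(src, now, ok)))
    return decisions


if __name__ == "__main__":
    for src, user, decision in replay(SAMPLE_EVENTS):
        print(f"{src:15} {user:14} {decision}")
```

The key line in the walkthrough is the sixth event: the guessed password is correct, but the source was locked out two seconds earlier, so the limiter answers `deny`; the same source is admitted again only once the lockout has expired at 10:41. Real deployments apply this at the gateway (RDP gateway, VPN concentrator or a fail2ban-style control) and should key on account as well as source IP, since an attacker with many IPs will spray one account across all of them.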
EITN: Please share examples of how threat intel can help deter or thwart attacks.
Paul: The types of credentials and persistence mechanisms that these sellers transfer most frequently should be higher-priority targets for security teams. For example, audits or other scrutiny of these types of credentials and persistence mechanisms could be useful for threat hunters.
By the same token, organizations that receive notifications of the sale of unauthorized access to their networks on these forums should begin their incident response by reviewing logs for the types of credentials and persistence mechanisms identified in the advertisement for that sale.
Other intelligence derived from these advertisements should also inform incident response teams. Many incident response teams or other security professionals may assume that there is continuity over the course of all stages of a breach, from initial access to the exfiltration of compromised data. The very existence of these sales on criminal forums demonstrates that this assumption is often false, and it could lead incident response teams to flawed conclusions about a breach.
The tools, tactics, and infrastructure of the initial intruders may vary significantly from those of the subsequent buyers who exploit that access. Observed changes or discontinuities in indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) may reflect and result from these transfers of access.
For example, an investigation may indicate that the initial intruders used IP addresses resolving to a specific ISP or geographic area.
The subsequent disappearance of those IOCs from network logs could lead investigators to the false conclusion that the attack ended, when in fact it merely changed hands and transitioned to a new group of actors using different infrastructure.
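The discontinuity described in the answer above, where the initial intruder's infrastructure goes quiet and a different set of sources picks up the same privileged account, is something a threat hunter can test for directly in logon logs rather than assume away. The following is an added example in Python, not code from IntSights, Rapid7 or the interviewee; the log format (successful logons already enriched with the ISP the source IP resolves to), the account and ISP names and the fourteen-day gap threshold are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumption): "<timestamp> <account> <source_ip> <isp>",
# successful remote logons only. svc_backup is first used from ISP-A, that
# activity stops, and a few days later the same account is used from ISP-B.
SAMPLE_LOGONS = """\
2021-05-01T22:10:00 svc_backup 203.0.113.7 ISP-A
2021-05-02T23:05:00 svc_backup 203.0.113.9 ISP-A
2021-05-03T21:50:00 svc_backup 203.0.113.7 ISP-A
2021-05-06T02:15:00 svc_backup 198.51.100.44 ISP-B
2021-05-06T03:40:00 svc_backup 198.51.100.45 ISP-B
2021-05-07T02:05:00 svc_backup 198.51.100.44 ISP-B
2021-05-02T09:00:00 jsmith 192.0.2.10 CORP-VPN
2021-05-06T09:00:00 jsmith 192.0.2.10 CORP-VPN
"""


def parse_logons(text):
    """Parse the constructed logon format into (timestamp, account, source_ip, isp)."""
    records = []
    for line in text.strip().splitlines():
        ts, account, src_ip, isp = line.split()
        records.append((datetime.fromisoformat(ts), account, src_ip, isp))
    return records


def infrastructure_timeline(records):
    """account -> isp -> {'first', 'last', 'ips'}: when each ISP was active for each account."""
    timeline = defaultdict(dict)
    for ts, account, src_ip, isp in records:
        entry = timeline[account].setdefault(isp, {"first": ts, "last": ts, "ips": set()})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["ips"].add(src_ip)
    return timeline


def detect_handoffs(records, known_bad_isps, max_gap=timedelta(days=14)):
    """Flag accounts whose logons from a known-bad ISP stop and whose logons from a
    different ISP begin afterwards (within max_gap): the access may have changed
    hands rather than ended. ISPs whose activity overlaps the bad ISP's activity
    are skipped, since they do not succeed it."""
    findings = []
    for account, per_isp in infrastructure_timeline(records).items():
        for bad_isp in known_bad_isps:
            if bad_isp not in per_isp:
                continue
            old = per_isp[bad_isp]
            for isp, new in per_isp.items():
                if isp == bad_isp or new["first"] <= old["last"]:
                    continue
                gap = new["first"] - old["last"]
                if gap <= max_gap:
                    findings.append({
                        "account": account,
                        "from_isp": bad_isp,
                        "to_isp": isp,
                        "last_seen_old": old["last"].isoformat(),
                        "first_seen_new": new["first"].isoformat(),
                        "gap_hours": gap.total_seconds() / 3600,
                        "new_ips": sorted(new["ips"]),
                    })
    return findings


if __name__ == "__main__":
    # ISP-A is the infrastructure the initial investigation attributed to the intruders.
    for finding in detect_handoffs(parse_logons(SAMPLE_LOGONS), known_bad_isps={"ISP-A"}):
        print(f"{finding['account']}: {finding['from_isp']} went quiet at "
              f"{finding['last_seen_old']}, {finding['to_isp']} ({', '.join(finding['new_ips'])}) "
              f"started {finding['gap_hours']:.1f} h later")
```

Run against the sample, the ISP-A IOCs disappear after 3 May and an investigator who stopped there would call the intrusion over; the report shows the same service account active from new ISP-B addresses about 52 hours later, which is the pattern the answer above warns about. The new addresses become candidate IOCs, and the account's credentials and any persistence the seller advertised are the first things to rotate and audit. In practice the ISP column would come from an ASN or GeoIP enrichment step, and the account set would be limited to the privileged accounts named in the forum advertisement.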