Anyone can access the darknet by downloading the Tor browser, and while there is certainly a huge amount of criminal activity on it, the darknet is far more organised than most people realise. A significant chunk of darknet criminal activity is conducted via online marketplaces, not dissimilar to more familiar online retailers such as Amazon. Potential buyers can browse the different market sections, filter out different types of products, and even leave reviews on products they have purchased.
One product which poses a clear security threat to organisations is tranches of stolen credentials, which remain a valuable commodity for cybercriminals. On the darknet, stolen credentials are widely available, often being traded and sold in the open, available for anyone to purchase. There are numerous online markets dedicated solely to the purchasing of stolen credentials which can then be used for anything from compromising email accounts to stealing bank details.
Monitoring the darknet for stolen credentials can be vital for pre-emptively identifying threats to company assets. It can prevent damaging and potentially costly data breaches, as well as mitigating fraudulent account activity.
A vast range of products is sold on the darknet, with those most frequently mentioned being drugs, stolen credit card details, and firearms. Yet one of the most potentially damaging products available is rarely given the same level of attention. This product is access: specifically, access to an organisation’s network.
The main threat from initial access sales does not come from the brokers themselves, but from the threat actors who purchase this access. Initial access sales are exceptionally popular within cybercrime communities, primarily because they outsource the time-consuming work of enumeration, scanning, and gaining access to systems of value. In most cases, it is access to the domain administrator account that is sold, which essentially provides a threat actor with control over an organisation’s entire network.
Over the past few months alone, Cyjax analysts have identified initial access sales targeting organisations from sectors including healthcare, energy, financial services, and telecoms. These sales affected a well-known multinational market research agency, a large government healthcare provider, and one of the world’s largest airport operators, to name just three.
Ransomware is one of the most prominent threats across the current threat landscape. Ransomware attacks began to increase in frequency throughout 2019, before exploding in 2020. There are many factors behind this rapid rise: one of the most important of these is the proliferation of Ransomware-as-a-Service (RaaS) offerings, many of which are active on the darknet.
Monitoring these RaaS groups can provide invaluable insight. From a strategic perspective, a new recruitment campaign for affiliates can provide advance warning to expect a surge of attacks associated with this particular RaaS group in the coming months. At a more granular level, monitoring RaaS groups can enable analysts to identify affiliates belonging to a specific group. Armed with this knowledge, analysts can then begin to monitor these affiliates more closely and, in some cases, pre-emptively identify organisations being targeted.
Many ransomware groups are now publicly naming victims and leaking stolen data unless the ransom demand is paid. Consequently, ransomware now poses not just a direct threat to the original victim, but also an indirect threat to that organisation’s clients and supply chain. Monitoring these leak sites, therefore, provides advance warning of potential abuse of business assets.