Firms face targeted bespoke cyber attacks, dark web study reveals

There has been a 20% rise in the number of dark net listings that have the potential to harm the enterprise since 2016, according to a report of cyber criminal markets on the dark web by Michael McGuire, senior lecturer in criminology at Surrey University.

The dark net markets report, which is the third in a series of studies on the cyber criminal Web Of Profit commissioned by virtualisation-based security firm Bromium, was unveiled at Infosecurity Europe 2019 in London, highlighting the risks of relying only on traditional signature-based security technologies.

McGuire’s first report into the macro economics of cyber crime revealed that cyber criminal revenues worldwide are at least $1.5tn, and the second report showed that social media-enabled cyber crimes are generating at least $3.25bn a year in global revenue and one in five organisations has been infected with malware distributed via social media.

The latest report outlines the current risk to organisations, describing the variety of bespoke malware available, as well as the prevalence of network access and corporate espionage services, highlighting the wide variety and easy availability of tools to steal intellectual property (IP) or disrupt business operation.

The report, which shows that the cyber crime economy is driven by platforms that operate on the dark net as well as the clear net, is based on first-hand intelligence gathered from covert discussions with dark net suppliers, alongside analysis from consultations with a panel of global industry experts across law enforcement and government.

According to McGuire, network compromises, including malware, remote access trojans and targeted hacking services found on the dark web, pose a high threat level to businesses. “All those vendors we spoke to were acutely aware of commodities related to enterprise, how to target them and how to acquire their data,” he told Computer Weekly.

The dark net has become a haven for bespoke malware, with threats tailored to specific industries or organisations outnumbering off-the-shelf varieties by 2:1, the study shows. This reveals that commodity malware is being replaced by a service-driven economy, with bespoke tools available on demand.

Access to corporate networks is being sold openly, the study shows, with 60% of the sellers approached offering access to more than 10 business networks at a time. This includes credentials for accessing business email accounts for intelligence gathering and other purposes.

“In many cases, we came across a very sensitive, finely tuned approach, and I don’t think many enterprises appreciate the extent to which they are becoming targets, ranging from the largest organisations all the way down to SMEs [small and medium-sized enterprises], which are also being targeted in surprisingly intelligent, informed and directed ways,” said McGuire.

But despite the study’s findings, McGuire is critical of law enforcement’s “heavy-handed” approach to clamping down on cyber criminal activity by shutting down sites. “This approach is only stimulating cyber criminals’ creativity and pushing them off the dark web into the ‘invisible net’,” he said.

“About 70% of the sellers that researchers spoke to about buying malware did not want to talk on the dark web, preferring instead encrypted messaging applications, like Telegram, to take conversations beyond the reach of law enforcement.”

The industries most frequently targeted by malware tools being traded on the dark net are banking (34%), e-commerce (20%), healthcare (15%) and education (12%), with malware increasingly being targeted to boost the effectiveness of campaigns.

“Almost every vendor offered us tailored versions of malware as a way of targeting specific companies or industries,” said McGuire. “The more targeted the attack, the higher the price, with costs rising even further when it involved high-value targets like banks. The most expensive piece of malware found was designed to target ATMs and retailed for approximately $1,500.”

At least 40% of researchers’ attempts to request dark net hacking services targeting companies in the Fortune 500 or FTSE 100 received positive responses from sellers.

“These services typically come with service plans for conducting the hack, with prices ranging from $150 to $10,000, depending on the company involved,” said McGuire. “From our conversations on dark net platforms, forums and encrypted messaging services like Telegram, it is clear that vendors are acting on behalf of clients to hack organisations to obtain IP and trade secrets and disrupt operations.”

Within every dark net market examined, vendors were offering access to a diverse range of business networks, with banking and finance (29%), healthcare (24%), e-commerce (16%) and education (12%) corporate networks the most common.

The methods for providing access varied considerably, said McGuire, with some involving stolen remote access credentials that were available to buy from as little as $2 to provide illicit remote access to corporate networks. Others involved backdoors or the use of malware.

Researchers found there was a clear preference for the use of remote access trojans (RATs) over keyloggers to gain access. On average, researchers found, or were offered, RATs such as Ramnit and DiamondRat five times as often as keyloggers, with prices starting at $2.

Dark net vendors are also offering the means to create convincing lures for phishing campaigns using genuine company invoices and official documentation.

Corporate invoices and other documentation can be purchased on the dark net, the study found, with prices ranging from $5 to $10. These documents can be used to defraud organisations, or as part of phishing campaigns to trick employees into opening them and inadvertently install malware.

“Organisations need a much better understanding of the threats posed by the dark net, in particular those posed by custom malware and remote access trojans,” said McGuire.

He suggested that organisations should build capacity to use the dark net for intelligence gathering by monitoring dark net marketplaces for the trade of malware, company or customer data, and for potential brand misuses, such as the sale of invoices or spoof web pages.

The study also found evidence that businesses are starting to explore using the dark web for things like recruitment, competitive intelligence gathering and secure communications. “But in exploiting those opportunities, organisations need to understand that there are clear dangers, including unwittingly collaborating with criminals by providing trade and revue or giving them access to their own networks,” said McGuire. 

“Crime and normality are interweaving in ways we haven’t seen before, and certainly nation states are exploiting this so that war is becoming form of a crime and crime is becoming a form of war.”

Ian Pratt, co-founder and president of Bromium, said that in the light of the threat posed by the dark net goods and services discovered by the researchers, organisations must adopt layered defences that use application isolation to identify and contain threats, as well as having in-depth threat telemetry to stop cyber criminals getting a foothold in corporate networks.

“It is clear that the traditional way of trying to do things is doing a poor job of keeping the bad guys out, and when we talk about ‘bespoke malware’, it is not necessarily anything clever or complicated,” he told Computer Weekly. “It is just about ensuring that a given piece of malware will bypass whatever security products the target organisation has in place, not every security control on the market, and is therefore often available relatively cheaply.”

For that reason, Pratt said it is important for cyber defenders to understand the motivations of adversaries and the resources they have available to them. “One of the best ways of doing that is having the perspective of a leading criminologist, which is why we have been sponsoring this independent research for the past few years,” he said.

Pratt said the findings of this latest report on the supply chain available to cyber criminal organisations tie in with the discovery in April 2019 of more than a dozen US-based web servers operating as the malware equivalent of an Amazon fulfilment centre to distribute malware to target businesses.

Organisations need to understand that they are up against a whole supply chain of tools between criminal  groups that are designed to target the enterprise, he said, and enterprises should re-evaluate the value of the data they are holding and adjust their defence strategies accordingly.