Rapid7’s Raj Samani gives an insight into the growing threat of bad actors on the dark web and offers advice for businesses to better protect their data.
The cybercrime economy is thriving under the bedrock of a flourishing underground market. Whereas historically, launching an attack like ransomware simply required purchasing valid RDP credentials, the more recent trend of exploiting previously not-publicly-known vulnerabilities has demonstrated a level of access (and indeed capability) that was solely the domain of well-resourced threat groups.
The security industry is known to attach terms such as ‘sophisticated’ to select advanced persistent threat (APT) groups, whilst criminal groups solely able to use initial entry vectors such as weak passwords have been dubbed ‘unsophisticated’. More recently, however, we have seen such criminal groups get their hands on critical zero-day exploits and subsequently privileged access to high-value corporate networks.
In other words, criminal groups who were the modern equivalent of finishing fourth in the school sports day race are now appearing in the Olympics final. So, the question is, what is their performance-enhancing drug? How did we arrive at this juncture where previously marginal players have gained such formidable prowess in the cyber realm? And how are underground markets contributing to the swift upsurge in cybercrime capabilities?
Underground market as a service economy
Modern cybercrime has shattered the previous stereotypes of hoodies and basements. With the incorporation of affiliates and even sub-affiliates, there now exist organisations that look more corporate than basement. The cybercrime economy showcases a plethora of organised brokers who sell everything from network exploits, phishing kits and remote code execution exploits to ransomware-as-a-service (RaaS). Such RaaS offerings found on the dark web can easily be compared to legitimate software-as-a-service (SaaS) offerings. Similar to SaaS companies, RaaS operators provide customer support and are happy to negotiate with affiliates to attract the brightest and best.
The consequences of this underground service economy are evident not only in the number of ransomware attacks we saw in 2023, but perhaps more worryingly in the average ransomware payment. According to Coveware, in the third quarter of 2023 the average payment was $850,700, an increase of 15pc from Q2 and a whopping 159pc increase from Q1. Such numbers clearly act as a motivation for new groups to enter the fray, and for existing groups to continue innovating. For instance, the Akira ransomware group, which launched around the end of Q1, claimed more than 60 known victims within months of setting up. This reflects a disturbing reality that cybercrime is no longer the domain of a few skilled individuals but has transformed into a vast, well-oiled machine with global reach and significant impact.
Zero-days have become low-hanging fruit
The cybersecurity industry has repeatedly put out the message that criminals go after the ‘low-hanging fruit’, but the trending exploitation of zero-day vulnerabilities at mass scale — as we saw in the cases of MOVEit and SysAid — is cause for concern.
One of the hottest commodities in the underground market is in fact remote zero-day exploits in major security appliances and network edge devices. Rapid7 research found that brokers are selling these vulnerabilities at prices of $75,000 upwards. We’re talking about critical undisclosed vulnerabilities in widely used network devices from vendors like Juniper and Cisco, which are deployed by thousands of corporations. The prices might seem high, but in reality they’re often very affordable for threat actors, given that ransomware payments can come to millions of dollars and that dark web brokers now offer flexible payment plans to make purchasing easier.
We’ve also seen a growing demand for initial access brokers (IABs), who sell direct access to already compromised networks. These are cybercriminal groups who breach a network and outsource the access to potential buyers on the dark web market instead of going through the complexities of exploiting a target themselves. For instance, we saw a relatively new threat actor called Br0k3r, which was offering direct access to nearly 50 corporate networks across several industries.
Context is critical for defence
Despite the increasing complexity and sophistication of these threats, the cornerstone of effective defence remains the nuanced understanding of threat intelligence. This is where context starts to become so important to Security Operations Centre (SOC) teams. Understanding metrics such as ‘exploited in the wild’ is vital to streamline the approach towards updating vulnerable applications. SOC teams are now required to adopt more than just traditional threat intelligence methods. They must engage in proactive threat hunting, moving beyond the limitations of historical, encyclopaedic threat intelligence briefings towards more action-oriented content, including specific threat-hunting rules.
This shift is essential for SOC teams to quickly identify and resolve legitimate threats, before they cause major operational issues. The days of reacting to incidents only after receiving a call from the press or discovering leaked data are over. Instead, businesses must focus on establishing a continuous cycle of security improvement, emphasising rapid response to emerging threats.
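As an added illustration of what ‘context’ means in practice (this is example code, not Rapid7’s own tooling), the script below ranks a constructed list of open findings the way a SOC triage step might: a vulnerability known to be exploited in the wild on an internet-facing edge device goes to the front of the queue regardless of its raw CVSS score, and each finding gets a remediation deadline from an assumed SLA policy. The CVE identifiers, hostnames, the exploited-in-the-wild list and the SLA values are all placeholders invented for this example.

```python
"""Context-driven vulnerability prioritisation (added example, not Rapid7 code).

Ranks open findings by (1) whether the vulnerability is known to be exploited
in the wild, (2) whether the asset is internet-facing, and (3) CVSS severity,
then attaches a remediation deadline per priority tier.

All CVE identifiers, hostnames, the exploited-in-the-wild feed and the SLA
values below are constructed placeholders, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    cve: str              # placeholder identifier, not a real CVE
    asset: str            # constructed hostname
    cvss: float           # base score as reported by the scanner
    internet_facing: bool  # true for edge devices reachable from the internet
    first_seen: date      # when the scanner first reported the finding


# Constructed stand-in for a KEV-style "exploited in the wild" catalogue.
EXPLOITED_IN_THE_WILD = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"}

# Assumed remediation policy: days allowed to patch, by priority tier.
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}
TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def tier(f: Finding, exploited: set[str]) -> str:
    """Assign a priority tier using exploitation context, not CVSS alone."""
    in_wild = f.cve in exploited
    if in_wild and f.internet_facing:
        return "P1"  # exploited in the wild AND reachable from the internet
    if in_wild or (f.internet_facing and f.cvss >= 9.0):
        return "P2"  # exploited anywhere, or a critical bug on the edge
    if f.cvss >= 7.0:
        return "P3"  # high severity but no exploitation context yet
    return "P4"


def prioritise(findings, exploited=EXPLOITED_IN_THE_WILD, today=None):
    """Return findings ordered by tier, then by due date, with an overdue flag."""
    today = today or date.today()
    rows = []
    for f in findings:
        t = tier(f, exploited)
        due = f.first_seen + timedelta(days=SLA_DAYS[t])
        rows.append({"cve": f.cve, "asset": f.asset, "tier": t,
                     "due": due.isoformat(), "overdue": due < today})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], r["due"]))
    return rows


def cvss_only_order(findings):
    """What a naive 'highest CVSS first' queue would look like, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed scanner output for the demonstration.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "edge-fw-01", 9.8, True, date(2024, 1, 2)),
    Finding("CVE-EXAMPLE-0002", "intranet-wiki", 9.9, False, date(2024, 1, 3)),
    Finding("CVE-EXAMPLE-0003", "build-server", 6.5, False, date(2024, 1, 1)),
    Finding("CVE-EXAMPLE-0004", "vpn-gw-02", 9.1, True, date(2024, 1, 4)),
    Finding("CVE-EXAMPLE-0005", "print-server", 5.3, False, date(2024, 1, 5)),
]


def demo(today_iso: str = "2024-01-10"):
    """Run the prioritisation over the constructed findings for a fixed date."""
    return prioritise(SAMPLE_FINDINGS, today=date.fromisoformat(today_iso))


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE_FINDINGS))
    for r in demo():
        flag = " OVERDUE" if r["overdue"] else ""
        print(f"{r['tier']} {r['cve']} on {r['asset']} due {r['due']}{flag}")
```

Note how the queue changes once exploitation context is applied: a CVSS 6.5 finding that is being exploited in the wild outranks a CVSS 9.9 finding with no such evidence, which is exactly the kind of re-ordering the ‘exploited in the wild’ metric is meant to drive.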
To sum up, whilst the dark web has amplified the threat landscape, the response does not always require complex solutions. Getting a new expensive cybersecurity tool or solution is not necessarily the answer. Optimising your intelligence reporting process and being more proactive can help mitigate the risks posed by these advanced threats. By strengthening these foundations, businesses can not only better protect themselves but also contribute to diminishing the economic incentives driving the dark web’s cybercrime economy.
By Raj Samani
Raj Samani is senior vice president and chief scientist at Rapid7, where he is responsible for developing research initiatives to inform and equip business and government leaders. He has assisted multiple law enforcement agencies in cybercrime cases and is special advisor to the European Cybercrime Centre (EC3) in The Hague.