The rise of criminal gangs, malware-as-a-service and enhanced infrastructure for carrying out criminal actions are changing the dark web. Here’s what that means for business security

Recently, dark web actors have additional stress: getting caught by law enforcement. Tracking dark web illegal actions has become a cat-and-mouse game for governments, but ultimately, they frequently catch their adversaries and grab the dodgy money.

On the night of the 2020 presidential election, by way of example, US government officials managed to empty a $1 billion Bitcoin wallet recovering funds connected to Silk Road, seven years following the market’s closure. Silk Road was a favorite dark web market dealing in illegal goods and services such as narcotics, hacking for hire, and contract killing.

Cybercriminal group closed and exit scams

Events such as these have driven cybercriminals to plot new approaches, which occasionally involves closing store and cashing out before they get on the feds’ radar. In October 2020, the Maze ransomware group that has breached hundreds of companies such as Xerox, LG, and Canon, closed down itself on six weeks saying they had retired their actions.

However, experts have indicated this is probably a façade. Ransomware operators often shut down one operation to join another rather than exit the operation completely.

“In recent years, the dark web has radically changed, quite reluctantly, because of increased organized criminal organizations’ use of anonymous forums and markets, the greater presence of youthful YouTube motivated ‘criminal wannabes,’ and obviously, the following increased presence of law enforcement and their efforts to infiltrate, de-anonymize, and take down these classes and hidden services,” states Mark Turnage, CEO of DarkOwl, a dark web search engine.

Dark web becoming a recruiting channel

By Turnage, the dark web has developed to an intermediary ground where cyber-criminals minimally interact with poach new members for their own group. Then they move communications to private, encrypted channels like Telegram, Jabber, and WickR.

“Malware programmers and financial fraud [criminals] rely on dark web markets for dispersing their exploits and rather levy black hat forums across the deep web and darknet to establish their brand, develop clout throughout the community, and recruit new members,” states Turnage. “Many criminal organizations use the dark web merely to vet prospective affiliates, especially in the ransomware-as-a-service business, and they’re [co-conspirators].”

Turnage says that DarkOwl has seen more technically savvy criminals increase their use of alternative decentralized dark web and mesh nets like Lokinet and Yggdrasil. He attributes this to the brief lifespan of dark web markets and services across Tor and host seizures by internationally coordinated law enforcement agencies.

Moving marketplaces from Tor nodes to personal messaging services may also arrive with technical benefits, such as a distributed denial of service (DDoS) protection.

These technical safeguards may lure dark web admins as underground marketplaces such as Empire have been made to shut down themselves after DDoS attacks by other cybercriminals in rather ironic extortion attempts. Empire’s abrupt exit has also left its so-called”escrow” guarantee emptiness, prompting a few patrons to tag the closure an”exit scam.”

By changing patrons over to legitimate end-to-end encrypted messaging services, cybercriminals leverage the dependable distributed infrastructure of those platforms while remaining discreet and avoiding the scrutiny of law enforcement.

Granted, messaging platforms such as Telegram might not be entirely immune from DDoS attacks, protecting against these attacks then becoming the duty of platform owners instead of dark web ops.

Leveraging underground chatter for intel gathering

According to Raveed Laeb, product manager at KELA, the dark web of now represents a huge array of products and services. Although traditionally concentrated in forums, dark web communications and transactions have moved into various mediums such as IM platforms, automated stores, and closed communities. Threat celebrities are sharing covert intelligence on endangered networks, stolen information, leaked databases, and other monetizable cyber-crime goods using these mediums.

“The market changes are focused on automation and servitization [subscription versions ], aimed at helping the cyber-crime company to grow at scale,” says Laeb. “As can be seen by the exponential growth of ransomware attacks leveraging the underground financial ecosystem, the cyber criminal-to-cyber-criminal markets make it possible for celebrities to create a supply chain that supports decentralized and effective cyber-crime intrusions–providing attackers an inherent advantage.”

On the other hand, security professionals and hazard analysts can tap into this intel to identify and patch system flaws before threat actors can exploit them.

“Defenders can exploit these strong and dynamic ecosystems by gaining visibility into the internal workings of the underground ecosystem–allowing them to trace the very same vulnerabilities, exposures, and compromises which would be leveraged by danger actors and remediate them until they get exploited,” says Laeb.

This may be accomplished by tracking forums and dark web sites where dangerous actors are likely to lurk, discuss upcoming threats, and place exploits up available.

A hacker recently posted exploits for more than 49,000 vulnerable Fortinet VPNs on a forum, by way of instance, a few of which belonged to prominent telecoms, banks, and government organizations. This was followed by a second discussion article where another hazard actor exposed plaintext credentials for most of the VPN devices for any adversary to exploit.

Even though the vulnerability in question is a two-year-old path-traversal insect, probably not on anybody’s radar anymore, tens of thousands of corporate VPNs present on the record remained vulnerable to this crucial matter.

Tapping into these forums and observation for such intel can give heads up to security teams at organizations to perform their due diligence in where adversaries might be headed next.

Tracking illegal activity disguised under valid programs

Advanced persistent threat (APT) groups are currently using the dark web to collect knowledge of the aims and then use legitimate network protocols and applications for covert data exfiltration purposes.

“In the past, organizations tended to only worry about their own data appearing on the dark web, and even then, it would just ring alarm bells if important data were found. However, lots of the Russian and Chinese nation-state backed advanced persistent threat groups are currently using the dark internet to do a reconnaissance of possible targets, and provide a cover for exfiltrating data,” states Vince Warrington, CEO in Dark Intelligence.

“Since the beginning of 2020, using SSH by those APT groups has increased by over 200 percent,” says Warrington. “Our study indicated that APT classes are using SSH via port 22 to infiltrate organizations unnoticed and, once inside, are using poorly monitored and maintained systems–notably industrial management systems–to steal important amounts of data.

“A number of recent attacks are alleged to have stolen over one terabyte of information from individual companies, an enormous number that organizations are failing to spot since they’re not able to monitor effectively for dark web connections.”

This point was substantiated by the discovery last month of this gigantic SolarWinds supply chain assault credited to the Russian espionage group APT29, a.k.a. Cozy Bear. By exploiting trust within a legitimate program like SolarWinds Orion and its own secure update channels (or protocols), sophisticated attackers managed to quietly breach over 18,000 of their 300,000 SolarWinds clients and remained unnoticed for months. Their sinister actions conducted as part of this attack might have entailed covert surveillance and data exfiltration, leaving no apparent hint.

This differs from cases where threat celebrities make a sound on people or dark web forums when leaking info dumps. So, tracking the dark web exclusively for indications of data exfiltration is insufficient.

Threat analysts and security researchers are therefore encouraged to reevaluate their observation strategies. As opposed to focusing solely on detecting anomalies within corporate networks, such as foreign IPs and strange port numbers, or waiting for proprietary information to appear on the dark web, it’s well worth monitoring trustworthy programs and services, such as their security upgrades, along with your organization’s software supply chains where danger actors could be concealing unnoticed.