Tag Archive for: dark

U.K Nuke Submarine Base Security Leak; Russia-linked Hackers Put Top Secret Info On Dark Web


The United Kingdom has been hit by hackers linked to Russia, and secret information has reportedly been put on the internet’s dark web. According to the Mirror, the notorious hacking group LockBit is behind the leak, and in the past had even tried, unsuccessfully, to extract millions from Royal Mail.

 


The Dark Web Is Expanding (As Is the Value of Monitoring It)


Many security professionals today associate the Dark Web with named leaks, which are leaked credentials from employee password reuse. This is still a relevant threat; in the last six years, the Flare platform has counted over 12 billion leaked credentials. The Dark Web is rapidly growing along with the variety of cybercrime. So is the value in monitoring it.

The cybercrime ecosystem now not only includes private communications platforms like I2P and Tor but also reaches across clear websites and Telegram channels.

Dark Web Monitoring: What to Watch For

There is tangible value in monitoring the Dark Web for potential risks. Following are some of the threats you might encounter.

Infostealer Malware

Stealer logs with corporate access are likely one of the most significant vectors for data breaches and ransomware attacks today.

Infostealer variants such as RedLine, Raccoon, Vidar, Titan, and Aurora infect computers, then exfiltrate the browser fingerprint containing all the saved passwords in the browser. Threat actors then sell the results on Dark Web marketplaces or Telegram channels.

Screenshot of a threat actor promoting RedLine stealer malware

These logs are then used for account takeover attacks, stealing cryptocurrency, or as initial access for ransomware attacks. Flare monitors more than 20 million infostealer logs and is adding 1 million new logs per month, many of which contain credentials to multiple corporate applications. We believe that somewhere between 2% and 4% of logs contain access to corporate IT environments that could pose significant risk if compromised.

To detect malicious actors distributing stealer logs across the Dark Web and Telegram, companies can monitor for any logs that contain access to an internal corporate domain, such as sso.companyname.com.

Initial Access Brokers

Initial access brokers (IABs) are active across Dark Web forums, such as XSS and Exploit.in. IABs establish initial access to companies, which they resell in auction and forum threads, typically for $10,000 to $500,000 per listing, depending on the company and level of access. A listing usually contains:

  • Number of devices and services compromised
  • Industry of the victim company
  • Antivirus or endpoint…


Ransomware gang posted 2,800 patient photos to dark web


A court filing from Allentown, Pa.-based Lehigh Valley Health Network says Russian ransomware gang BlackCat posted 2,800 pictures of breast cancer patients undressed from the waist up, WFMZ reported April 12.  

Lehigh Valley Health Network also said BlackCat demanded $5 million ransom after it breached its IT network on Feb. 6. 

This comes after Lehigh Valley Health Network told Becker’s that BlackCat had posted limited patient information on the dark web, including three screenshots, which were “clinically appropriate photographs of cancer patients receiving radiation oncology treatment at LVPG Delta Medix, as well as seven documents containing patient information.”

Lehigh Valley Health Network is currently facing a lawsuit which accuses it of making a “knowing, reckless and willful decision to let the hackers post the nude images,” while “publicly patting itself on the back for standing up to the hackers” and “consciously and intentionally ignoring the real victims.” 

The health system is trying to transfer this suit from a Lackawanna County, Pa., court to the U.S. District Court and said it could cost more than $55 million to resolve it.


Android App Trojans Sold on Dark Web for $25-$20,000


Researchers analyzed both clear and dark web hacking forums and discovered that Russian-language threat actors are particularly interested in buying and selling these exploits.

The Google Play app store’s security mechanisms are being compromised by cybercriminals who are developing tools to trojanize Android apps and sell them on underground cybercrime marketplaces.

A recent blog post from cybersecurity firm Kaspersky, published on April 10th, 2023, revealed findings from an extensive study of Clear Net and Dark Web forums, highlighting the vulnerabilities in app store security. Most of these forums are Russian-speaking.

The blog post stated that despite the vetting process for software uploaded to Google or Apple app stores, no security solution can be considered 100% foolproof. Every scanning mechanism has inherent flaws that can be exploited by threat actors, allowing them to upload malware to Google Play.

Researchers at Kaspersky monitored activities between 2019 and 2023 and found a thriving market on the Dark Web for buyers and sellers exchanging access to app developer accounts, infected Android apps, and botnets, with prices ranging from a few hundred to several thousand dollars.

One of the methods used by attackers to infect apps with malware involves uploading a harmless app to the app store to gain approval and attract a large number of users. Once the app is approved, the attackers release an update to the app that contains malicious code.

Another method is compromising legitimate app developers by hijacking their accounts and infecting existing apps with malware. Weak password policies and lack of two-factor authentication (2FA) make these accounts easy targets for cybercriminals.

Credential leaks are also used to obtain login details to breach accounts and corporate development systems. Kaspersky researchers found that access to a Google Play account can be purchased for as little as $60, while more lucrative accounts, services, or tools come with a higher price tag.

Loaders, which deploy malicious code into Android apps, are particularly sought-after products on the Dark Web marketplace, with prices ranging from $5,000 to…
