The MITRE ATT&CK framework defines reconnaissance as “techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further reconnaissance efforts.”

As the “cyber-crime-as-a-service” market continues to thrive and grow, actors are looking at new ways to help outsource time-consuming tasks, especially when it comes to the often lucrative and profitable endeavor of finding and breaching corporate networks. This blog looks at two services dark web threat actors offer, the first being a pre-exploit reconnaissance service aimed at helping low-skilled actors find suitable corporate networks to breach, and the second a service for ransomware and extortion gangs to investigate data to which they have gained access and carry out internal reconnaissance on a target company to help determine the amount of money those criminals can extort from a target.

Pre-Exploitation Service

Since August 2021, Accenture Cyber Threat Intelligence (ACTI) has tracked a threat actor advertising a service aimed at helping those looking to target suitable corporate networks. Users of the service must provide an IP address and pay US$50 to receive services. The actor uses paid subscriptions to three different internet scanning services as well as a sales and marketing intelligence company. The information they return about a target includes:

  • Informational Infrastructure (IP address, port, server, software, internet service provider, vulnerabilities)
  • Geographical Information (country, city)
  • Finance Report (company name, headquarters address, revenue, number of employees, website, industries in which target conducts business)
  • Leads (corporate email addresses, personal email addresses, phone numbers)
  • Other (email provider, Sender Policy Framework record, supply chain, additional company websites, endpoints)

The actor provided an example of the type of information they can provide, showing a list of information on targets that the actor claims are vulnerable to CVE-2021-34473, a high-severity vulnerability affecting Microsoft Exchange Servers (see screenshot below). This vulnerability forms part of the ProxyShell collection of vulnerabilities, which malicious actors used to exploit unpatched Exchange servers throughout August 2021.

[Screenshot: Threat-Actor-Provided Example of Data on Companies Vulnerable to CVE-2021-34473]

The actor also provided an example and accompanying screenshot of how the service they offer can provide a list of online stores that use a variety of e-commerce platforms such as Shopify, Magento, WooCommerce, BigCommerce, PrestaShop and Opencart, along with prospective victims’ locations and revenue and traffic data. ACTI assesses that this actor has provided this information to attract those involved in online payment card data skimming from vulnerable content management systems.

Pre-Exploitation Mitigation

Criminals always look for easy targets, and services such as these further lower the barriers to entry for low-skilled actors looking to breach company networks. It is therefore vital for organizations to proactively look for weaknesses in their own networks and help remediate them. This is especially the case for finding and patching known vulnerabilities, because ransomware gangs in particular are increasingly utilizing vulnerability exploitation to gain initial access to target networks. Malicious actors have used vulnerabilities in Pulse Secure VPN, Citrix, Fortinet, SonicWall, F5, Accellion, and a variety of Microsoft products (to name but a few) to deploy various strains of ransomware in 2021. Therefore, administrators should apply security updates as soon as is practicable.
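The exposure data the pre-exploitation service returns (the "Other" item above lists the target's Sender Policy Framework record) is public DNS, so a defender can review the same record before anyone else does. The following script is an added example, not code from the blog or from Accenture: it parses an SPF TXT record and flags the weaknesses a practitioner would fix in their own domain (a permissive `+all`/`?all`, a missing `all` mechanism, the deprecated `ptr` mechanism, and exceeding the RFC 7208 limit of 10 DNS-lookup terms). The three sample records and their domain names are constructed input, not real domains.

```python
"""Added example (not from the Accenture post): parse one SPF record and flag
weaknesses a defender would want to fix. Sample records below are constructed."""
import re

# Mechanisms that cost a DNS lookup and count toward the RFC 7208 limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:/](.*))?")


def parse_spf(record: str) -> dict:
    """Return a structured view of an SPF TXT record.

    Keys: 'valid' (record starts with v=spf1), 'terms' (list of
    (qualifier, mechanism, argument)), 'all' (qualifier of the 'all'
    mechanism, or None), 'lookups' (lookup-causing terms, redirect= included),
    'redirect' (target of a redirect= modifier, or None).
    """
    tokens = record.split()
    result = {"valid": False, "terms": [], "all": None, "lookups": 0, "redirect": None}
    if not tokens or tokens[0].lower() != "v=spf1":
        return result
    result["valid"] = True
    for tok in tokens[1:]:
        if "=" in tok and ":" not in tok.split("=", 1)[0]:
            # A modifier (redirect=, exp=) rather than a mechanism.
            name, value = tok.split("=", 1)
            if name.lower() == "redirect":
                result["redirect"] = value
                result["lookups"] += 1  # redirect counts toward the lookup limit
            continue
        match = TERM_RE.fullmatch(tok)
        if not match:
            continue  # unknown syntax; a real validator would report it
        qualifier = match.group(1) or "+"  # RFC 7208: missing qualifier means '+'
        mechanism = match.group(2).lower()
        result["terms"].append((qualifier, mechanism, match.group(3)))
        if mechanism == "all":
            result["all"] = qualifier
        elif mechanism in LOOKUP_MECHANISMS:
            result["lookups"] += 1
    return result


def spf_findings(record: str) -> list:
    """List the weaknesses in a record; an empty list means nothing to flag."""
    parsed = parse_spf(record)
    if not parsed["valid"]:
        return ["no valid SPF record (v=spf1 missing): any host can send as this domain"]
    findings = []
    if parsed["all"] == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif parsed["all"] == "?":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor rejected")
    elif parsed["all"] is None and parsed["redirect"] is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    if any(mech == "ptr" for _, mech, _ in parsed["terms"]):
        findings.append("'ptr' mechanism is deprecated (RFC 7208 section 5.5) and unreliable")
    if parsed["lookups"] > MAX_LOOKUPS:
        findings.append(f"{parsed['lookups']} lookup terms exceed the limit of "
                        f"{MAX_LOOKUPS}: receivers return permerror")
    return findings


# Constructed sample records (hypothetical domains, not real data).
SAMPLE_RECORDS = {
    "example-tight.test": "v=spf1 mx ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "example-open.test": "v=spf1 a mx ptr +all",
    "example-bloated.test": "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " ~all",
}

if __name__ == "__main__":
    for domain, spf in SAMPLE_RECORDS.items():
        print(domain, spf_findings(spf) or ["no findings"])
```

Run against a live domain, the record would come from a TXT lookup of the domain (for example via `dnspython`); the parser is kept offline here so the checks themselves are the focus. The lookup count is per term, which is what the 10-lookup limit in RFC 7208 section 4.6.4 measures; MX and A resolutions inside those terms have their own separate limits.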

Post-Exploitation Service

ACTI discovered on the dark web references to a post-exploitation reconnaissance service. The provider of those services does not overtly advertise. ACTI found in dark web forums, however, references to the “Outsource Company,” which offers the following services:

  • Investigation and selection of the best executive-level individuals within a victim company to exert pressure upon with the goal of increasing the chances of receiving a ransom payment
  • Analysis of stolen data to establish how much sensitive data a criminal client can use as leverage in negotiations
  • Determination of the extent of the damage done by the ransomware attack
  • Investigation of target company finances to help determine the highest realistic ransom a client ransomware gang can demand

“Outsource Company” provides these services in exchange for 20 percent of the final ransom fee. For this, the “company” promises average returns of US$25 million from ransom victims as a result of using their services. The actor connected to the service who was involved in the forum disputes keeps the service a closely guarded secret and has stated that anyone who wants to work with the actor, and thus “Outsource Company,” must be vouched for and pay US$200,000 upfront. One actor was so keen to get access to the “company” that they offered other forum members 10 Bitcoins (US$548,106 as of 29 April 2021, when the offer was made) to anyone who could provide them with a direct contact, showing the lengths some are willing to go to get access to its services.

Post-Exploitation Mitigation

This service shows threat-actor reconnaissance does not end once a malicious actor has chosen a target network. Organizations must prepare for when a ransomware attack does occur. This preparation should include:

  • Designing playbooks that illustrate scenarios in which attackers have gained communication access to and are putting pressure on people in leadership positions to demand high ransom amounts.
  • Establishing their current leadership’s online open-source and dark web footprints to assess whether to reduce those footprints to make extortion more difficult.
  • Providing company leadership with training on how to deal with potential extortion scenarios.
  • Using threat intelligence to assess the legitimacy of threat actors who carry out these attacks and their demands.
  • Putting in place business continuity and disaster recovery plans, having a clear media strategy and running regular exercises with all relevant stakeholders.

Outlook

The cyber-crime-as-a-service market has undergone rapid expansion over the past two years, coinciding with the explosion of ransomware and data theft targeting corporate entities. This has created a huge influx of funds into the criminal underground, which has attracted new players to the scene, thereby increasing the number of specialist services offered on dark web forums and markets and professionalizing the ecosystem. Cybercriminal groups have progressed from carrying out an entire attack themselves to outsourcing specific aspects, potentially increasing the profitability for all involved.

The availability of a range of off-the-shelf services, such as those described in this blog, saves actors time, improves their chances of a successful attack and allows them to diversify the types of attacks they carry out. This affords criminals the ability to be more adaptable and agile, which is bad news for corporate entities. It should serve as a warning to businesses to try to stay one step ahead of the criminals, as this threat continues to grow and evolve.

ACTI provides actionable and relevant threat intelligence to support decision makers. More information on this activity is available to subscribed ACTI IntelGraph customers. IntelGraph is a proprietary next-generation security intelligence platform that allows users to search, visualize, and contextualize the relationships among malicious actors, their tools, and the vulnerabilities they exploit.

To learn more about ACTI and obtain additional information about our dark web intelligence and monitoring services, please contact CTI.Sales@accenture.com

Paul Mansfield is a senior analyst on the ACTI Reconnaissance Team, which produces actionable intelligence and tracks threat actors operating in both open and closed communities.

Accenture Security helps organizations build resilience from the inside, out so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defence, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.

Copyright © 2021 Accenture. All rights reserved.

Paul Mansfield

Cyber Threat Intelligence Analyst
