Dark Web Reconnaissance-as-a-Service Thriving
December 6, 2021
The MITRE ATT&CK framework defines reconnaissance as “techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further reconnaissance efforts.”
As the “cyber-crime-as-a-service” market continues to thrive and grow, actors are looking for new ways to outsource time-consuming tasks, especially in the often lucrative endeavor of finding and breaching corporate networks. This blog looks at two services dark web threat actors offer: the first is a pre-exploit reconnaissance service aimed at helping low-skilled actors find suitable corporate networks to breach; the second is a service for ransomware and extortion gangs that investigates data to which they have gained access and carries out internal reconnaissance on a target company, to help determine how much money those criminals can extort from the target.
Since August 2021, Accenture Cyber Threat Intelligence (ACTI) has tracked a threat actor advertising a service aimed at helping those looking to target suitable corporate networks. Users of the service must provide an IP address and pay US$50 to receive services. The actor uses paid subscriptions to three different internet scanning services as well as a sales and marketing intelligence company. The information they return about a target includes:
The actor provided an example of the type of information they can provide, showing a list of information on targets that the actor claims are vulnerable to CVE-2021-34473, a high-severity vulnerability affecting Microsoft Exchange Servers (see screenshot below). This vulnerability forms part of the ProxyShell collection of vulnerabilities, which malicious actors used to exploit unpatched Exchange servers throughout August 2021.
The actor also provided an example and accompanying screenshot of how the service they offer can provide a list of online stores that use a variety of e-commerce platforms such as Shopify, Magento, WooCommerce, BigCommerce, PrestaShop and Opencart, along with prospective victims’ locations and revenue and traffic data. ACTI assesses that this actor has provided this information to attract those involved in online payment card data skimming from vulnerable content management systems.
Criminals always look for easy targets, and services such as these further lower the barriers to entry for low-skilled actors looking to breach company networks. It is therefore vital for organizations to proactively look for weaknesses in their own networks and remediate them. This is especially the case for finding and patching known vulnerabilities, because ransomware gangs in particular are increasingly using vulnerability exploitation to gain initial access to target networks. Malicious actors have used vulnerabilities in Pulse Secure VPN, Citrix, Fortinet, SonicWall, F5, Accellion, and a variety of Microsoft products (to name but a few) to deploy various strains of ransomware in 2021. Therefore, administrators should apply security updates as soon as is practicable.
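The recon service described above works from the same data a defender can collect: service banners on the organization's own internet-facing hosts. The script below, an added example and not code from the original post or from ACTI, reads a constructed perimeter inventory, parses each banner into product and version, and flags anything below a patch baseline. The product names, banners, IP addresses and baseline versions are all constructed placeholders; a real baseline would come from the vendor's advisory for each product.

```python
"""
Added example (not from the original post): flag internet-facing services whose
version is below a patch baseline, so the "easy targets" a reconnaissance service
would list are found and fixed before an attacker buys the list.
"""
import re
from dataclasses import dataclass

# Constructed inventory: what an external scan of our own perimeter might return.
# Each line is "<ip>,<port>,<banner>". Products, versions and IPs are placeholders.
INVENTORY = """\
203.0.113.10,443,WebAppliance/9.1.2
203.0.113.11,443,WebAppliance/9.1.4
203.0.113.12,25,MailGateway 7.4.0
203.0.113.13,443,MailGateway 7.4.12
203.0.113.14,443,nginx/1.21.3
"""

# Constructed baseline: the lowest version that carries the fix, keyed by product.
# PLACEHOLDER values, not real fixed-version numbers for any vendor.
PATCH_BASELINE = {
    "WebAppliance": "9.1.4",
    "MailGateway": "7.4.12",
}

# Accepts "Product/1.2.3" and "Product 1.2.3"; anything else is reported as unparsed.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)[/ ](?P<version>\d+(?:\.\d+)*)$")


@dataclass
class Finding:
    ip: str
    port: int
    product: str
    version: str
    fixed_in: str


def parse_version(v):
    """Turn '7.4.12' into (7, 4, 12) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def is_below(version, baseline):
    """True if version < baseline; missing trailing components count as 0."""
    a, b = parse_version(version), parse_version(baseline)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_banner(banner):
    """Return (product, version) or None when the banner does not match."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m.group("product"), m.group("version")


def find_unpatched(inventory=INVENTORY, baseline=PATCH_BASELINE):
    """Return a Finding for every host whose version is below the baseline."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        ip, port, banner = line.split(",", 2)
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # unknown banner: worth a manual look, but nothing to compare against
        product, version = parsed
        if product in baseline and is_below(version, baseline[product]):
            findings.append(Finding(ip, int(port), product, version, baseline[product]))
    return findings


if __name__ == "__main__":
    for f in find_unpatched():
        print(f"{f.ip}:{f.port} {f.product} {f.version} is below fixed version {f.fixed_in}")
```

Run against the constructed inventory it reports the two hosts running versions below the baseline; the host on a version equal to the baseline and the product with no baseline entry are left alone. Feeding it the output of a real external scan of your own address space gives you the same view the recon service sells, with the fix priority already attached.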
ACTI discovered references on the dark web to a post-exploitation reconnaissance service. The provider of this service does not overtly advertise it; ACTI did, however, find references in dark web forums to the “Outsource Company,” which offers the following services:
“Outsource Company” provides these services in exchange for 20 percent of the final ransom fee. For this, the “company” promises average returns of US$25 million from ransom victims as a result of using their services. The actor connected to the service who was involved in the forum disputes keeps the service a closely guarded secret and has stated anyone who wants to work with the actor, and thus “Outsource Company,” must be vouched for and pay US$200,000 upfront. One actor was so keen to get access to the “company” they offered other forum members 10 Bitcoins (US$548,106 as of 29 April 2021, when the offer was made) to anyone who could provide them with a direct contact, showing the lengths some are willing to go to get access to its services.
This service shows threat-actor reconnaissance does not end once a malicious actor has chosen a target network. Organizations must prepare for when a ransomware attack does occur. This preparation should include:
The cyber-crime-as-a-service market has undergone rapid expansion over the past two years, coinciding with the explosion of ransomware and data theft targeting corporate entities. This created a huge influx of funds into the criminal underground, which has attracted new players to the scene, thereby increasing the number of specialist services offered on dark web forums and markets and professionalizing the ecosystem. Cybercriminal groups have progressed from carrying out an entire attack themselves to outsourcing specific aspects – potentially increasing the profitability for all involved.
The availability of a range of off-the-shelf services, such as those described in this blog, saves actors time, improves their chances of a successful attack and allows them to diversify the types of attacks they carry out. This affords criminals the ability to be more adaptable and agile, which is bad news for corporate entities. This should serve as a warning to businesses to try and stay one step ahead of the criminals, as this threat continues to grow and evolve.
ACTI provides actionable and relevant threat intelligence to support decision makers. More information on this activity is available to subscribed ACTI IntelGraph customers. IntelGraph is a proprietary next-generation security intelligence platform that allows users to search, visualize, and contextualize the relationships among malicious actors, their tools, and the vulnerabilities they exploit.
To learn more about ACTI and obtain additional information about our dark web intelligence and monitoring services, please contact CTI.Sales@accenture.com
Paul Mansfield is a senior analyst on the ACTI Reconnaissance Team, which produces actionable intelligence and tracks threat actors operating in both open and closed communities.
Accenture Security helps organizations build resilience from the inside out so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defence, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.
Copyright © 2021 Accenture. All rights reserved.