Banking Sector Suffers Increasing Attacks from the Darknet

07/21/2023 | Cybercrime, Darknet News

According to data from dark web intelligence firm Searchlight Cyber, initial access brokers on the dark web are increasingly focusing on the financial industry.

The firm also found evidence of insiders leaking company secrets or being approached by hackers on the dark web, as well as threat actors conducting reconnaissance of infrastructure in order to attack financial services supply chains.

However, the firm noted in a recent report that these threats, hidden in plain sight on the dark web, also present banks with a significant opportunity.

Dark web intelligence can warn security teams of malicious activity while criminals are still in the "pre-attack" phase of an operation, it said, allowing teams to strengthen their defenses against threats that are still taking shape rather than only reacting to incidents after the fact.

The study is based on an analysis of dark web data collected from 2020 to the present by analysts at Searchlight Cyber.

The vast majority of the activity observed against the banking sector consisted of posts from initial access brokers offering to sell access to financial institutions' systems to third-party threat actors. The researchers found a range of access types advertised on dark web hacking forums including Exploit, XSS, and BreachForums.

Data on initial access broker activity, according to the firm, "can be a valuable source of pre-attack intelligence for security teams." The researchers also saw ransomware groups interacting with some of these posts.

Bank security teams and independent security researchers can use these posts to assess the threat level and gauge the capabilities of the individuals posting and interacting with them.

The most common initial access broker posts advertised VPN and Remote Desktop Protocol (RDP) credentials for remote access to a victim's network. Once inside with a privileged account, an attacker can deploy malware or ransomware, take control of hosts, reach internal databases and file storage, or exfiltrate sensitive data to use as leverage in extorting a ransom.

Searchlight Cyber also found posts selling web shells, scripts planted on a compromised web server that give an attacker a persistent backdoor and command execution over HTTP, and remote code execution (RCE) access, which lets an attacker make an application run code of the attacker's choosing rather than what it was designed to do.

The firm recommended that security teams watch for staff who use tools such as Tor to reach dark web networks, make contact with the wider cybercriminal underground, or leak information. Beyond monitoring dark web forums for malicious insiders, it added, traffic between the enterprise network and the Tor network can serve as an early warning indicator of a potential insider threat.
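One way to turn that Tor-traffic indicator into a detection, as an added example that is not part of the Searchlight Cyber report: scan firewall connection logs for internal hosts talking to known Tor relays, and treat connections to Tor's default ORPort/DirPort (9001/9030) as a weaker, secondary signal. The relay list, internal ranges, and log lines below are constructed for illustration (RFC 5737 documentation addresses stand in for relays); a real deployment would load the relay set from the Tor Project's published relay or exit lists.

```python
"""Flag internal hosts that connect to Tor relays, from firewall connection logs.

Added example, not code from the report. TOR_RELAYS and SAMPLE_LOGS are
constructed; in production replace TOR_RELAYS with the Tor Project's published
relay/exit list (for example https://check.torproject.org/torbulkexitlist).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed "known Tor relay" set (RFC 5737 documentation addresses).
TOR_RELAYS = {
    "198.51.100.7",
    "203.0.113.44",
    "203.0.113.45",
}

# Tor's default ORPort and DirPort. Port alone is a weak signal (anything can
# listen on 9001), so it is only used when the destination is not a known relay.
TOR_DEFAULT_PORTS = {9001, 9030}

# Internal address space we care about (RFC 1918); adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines in a key=value syslog style.
SAMPLE_LOGS = """\
2023-07-20T08:01:12Z action=allow src=10.20.1.15 dst=203.0.113.44 dport=443 proto=tcp
2023-07-20T08:01:15Z action=allow src=10.20.1.15 dst=198.51.100.7 dport=9001 proto=tcp
2023-07-20T08:02:02Z action=allow src=10.20.3.9 dst=192.0.2.10 dport=443 proto=tcp
2023-07-20T08:05:44Z action=allow src=10.20.3.9 dst=192.0.2.77 dport=9001 proto=tcp
2023-07-20T08:06:01Z action=deny src=10.20.1.15 dst=203.0.113.45 dport=9030 proto=tcp
2023-07-20T08:07:30Z action=allow src=172.16.5.2 dst=192.0.2.10 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Return a reason string if the event looks like Tor traffic, else None."""
    if not is_internal(event["src"]):
        return None  # only internal sources are insider-threat candidates
    if event["dst"] in TOR_RELAYS:
        return "known_tor_relay"
    if event["dport"] in TOR_DEFAULT_PORTS:
        return "tor_default_port"
    return None


def find_tor_talkers(log_text):
    """Map internal source IP -> list of (ts, dst, dport, reason, action) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reason = classify(event)
        if reason:
            hits[event["src"]].append(
                (event["ts"], event["dst"], event["dport"], reason, event["action"]))
    return dict(hits)


def high_confidence(hits):
    """Sources with at least one *allowed* connection to a known relay."""
    return sorted(src for src, events in hits.items()
                  if any(r == "known_tor_relay" and a == "allow"
                         for _, _, _, r, a in events))


if __name__ == "__main__":
    hits = find_tor_talkers(SAMPLE_LOGS)
    for src, events in sorted(hits.items()):
        print(src)
        for ts, dst, dport, reason, action in events:
            print(f"  {ts} -> {dst}:{dport} [{reason}] ({action})")
    print("High-confidence Tor talkers:", high_confidence(hits))
```

Denied connections are kept in the hit list on purpose: a blocked attempt to reach a relay still shows intent and is worth a follow-up, but only allowed connections to a known relay are promoted to the high-confidence list that would page an analyst.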

The report also notes that threat actors use the dark web to coordinate and plan their attacks. Watching for this activity gives defenders a chance to stop a breach before it happens.

According to Searchlight Cyber, “These two tactics are significant because they are the only ones that concentrate on the time before the network is breached.”

Banks and other financial institutions should also watch for information about their major suppliers on the dark web, since it can reveal when threat actors are targeting them.

According to the report, "for instance, continuously monitoring employee credentials, IP addresses, company datasets, devices, and software can alert the enterprise to suspicious activity against their supplier that may indicate a potential attack."