“For security teams, data on initial access broker activity can be a valuable source of pre-attack intelligence,” the company said. The researchers also observed ransomware groups interacting with some of these posts.
Bank security teams and independent security researchers can use these posts to analyze the capabilities and assess the threat level of the actors posting and interacting with them.
Among the initial access broker posts, those offering remote network access via Remote Desktop Protocol (RDP) and virtual private networks (VPNs) were the most common. The exploitation of a privileged account could potentially lead to malware or ransomware being deployed on the system, control over operating infrastructure, access to sensitive databases and file storage, and the harvesting of confidential information used to blackmail the victim into paying a ransom.
Searchlight Cyber also found several posts offering to sell web shells, which can be used to install backdoors into a compromised system, or remote code execution (RCE) access, which, when exploited, enables the attacker to make an application execute code of their choosing rather than the application's intended logic.
Insider threat activity on the dark web
The researchers also observed two main insider threats leveraging the dark web. The first involves employees with access to an organization’s systems advertising it on the dark web, while in the second threat actors try to recruit malicious insiders on the dark web.
“For a security team that has to consider malicious insiders with privileged access as part of their threat model, these posts do provide a valuable starting point to investigate and mitigate the risk of compromised employees,” Searchlight Cyber said.