Recently, we published an intelligence report about data leakage from two different U.S. local authorities. Beyond the leaks themselves, it showed how threat actors share information among themselves.
To put it very briefly, a threat actor claimed to hold data from these authorities and to have obtained it by using vulnerabilities that other threat actors had discovered a few months earlier.
These incidents (whether genuine or not) show that the digital underworld operates much like any marketplace, with information as its most valuable commodity. When a threat actor discovers a vulnerability in an organization’s systems, they often don’t keep it to themselves. Instead, the information is shared, traded, and even sold in various corners of the internet, accelerating the spread of cyberattacks.
The Information Bazaar: Where Vulnerabilities Become Commodities
Threat actors operate within a hidden ecosystem where information is a valuable currency. This “information bazaar” takes many forms:
- Dark Web Forums and Marketplaces: These clandestine online platforms serve as hubs for cybercriminals to connect, communicate, and trade. Forums often specialize in specific areas like malware development, zero-day exploits, or targeted industries. Threat actors use these forums to:
  - Share exploits and vulnerabilities: Detailed write-ups, proof-of-concept code, and even automated tools are shared, allowing others to quickly weaponize the information.
  - Buy and sell access: Compromised accounts, stolen data, and access to vulnerable systems are frequently traded, often with “customer support” and guarantees.
  - Offer services: Specialized services like DDoS attacks, ransomware deployment, or data exfiltration are advertised and sold.
- Private Communication Channels: For sensitive information and collaborations, threat actors rely on more secure and private channels:
  - Encrypted messaging apps: Platforms like Telegram, Signal, and Wickr offer end-to-end encryption, making it difficult for authorities to intercept communications.
  - Closed groups and chat rooms: Exclusive online communities provide a safe space for trusted individuals to share information and coordinate attacks.
  - Peer-to-peer networks: Direct connections between individuals allow for discreet file sharing and communication.
- Automated Sharing Platforms: Speed and reach are critical in the cybercrime world. Automated platforms and bots facilitate rapid information dissemination:
  - Malware distribution networks: Botnets and other automated systems can quickly spread malware and exploit kits to vulnerable systems.
  - Social media and underground channels: Automated accounts and bots spread malicious links and information across various platforms.
The Rise of “Cybercrime-as-a-Service”
The cybercrime landscape is evolving towards a service-based model, with specialized actors offering their expertise for hire:
- Initial Access Brokers: These groups focus on identifying and exploiting vulnerabilities to gain initial access to target networks. They then sell this access to other threat actors who carry out the actual attack.
- Ransomware-as-a-Service: Ransomware developers provide their malware and infrastructure to affiliates who distribute it and handle negotiations with victims.
- Data exfiltration and laundering services: Specialized groups offer to steal and monetize sensitive data, providing a complete package for cybercriminals.
Motivations Behind Information Sharing
The motivations for sharing vulnerability information are diverse:
- Financial Gain: Selling exploits or access to compromised systems can be highly profitable.
- Collaboration and Efficiency: Sharing allows threat actors to pool resources, expertise, and knowledge, leading to more sophisticated and effective attacks.
- Reputation and Status: Sharing valuable information or developing powerful tools can enhance a threat actor’s reputation within the community.
- Ideology and “Hacktivism”: Some actors share information to expose corruption, promote social causes, or disrupt organizations they oppose.
The Impact on Organizations
The widespread sharing of vulnerability information poses significant challenges for organizations:
- Expanded Attack Surface: Shared vulnerabilities increase the likelihood of multiple, simultaneous attacks from different actors.
- Reduced Response Time: Rapid information dissemination leaves organizations less time to patch a vulnerability before it is exploited, so the window between public disclosure and active exploitation keeps shrinking.
- Increased Attack Complexity: Collaboration allows threat actors to combine their skills and resources, leading to more sophisticated and damaging attacks.
Defending Against the Information Deluge
Organizations need to adopt a proactive and multi-layered approach to defend against the constant barrage of cyber threats:
- Continuous Vulnerability Management: Regularly scan for and patch vulnerabilities, prioritize critical systems, and implement strong access controls.
- Threat Intelligence and Monitoring: Stay informed about emerging threats, vulnerabilities, and attack trends. Utilize threat intelligence platforms to gain insights into the activities of threat actors.
- Security Awareness Training: Educate employees about cybersecurity best practices, phishing scams, and social engineering tactics.
- Incident Response Planning: Develop and regularly test an incident response plan to quickly detect, contain, and recover from cyberattacks.
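The “prioritize critical systems” advice above is easier to act on with a concrete rule that also reflects the shrinking patch window described earlier: a finding on an internet-facing, business-critical asset for which an exploit is already circulating should jump the queue. The following Python is an added example written for this page, not code from the original post; the findings, weights and remediation deadlines are constructed assumptions, and the vulnerability identifiers are placeholders.

```python
"""Patch prioritisation example (added illustration, not from the original post).

Assumptions, all constructed for this example: a small inventory of findings,
each tagged with the asset's criticality tier, whether a public exploit or
write-up is circulating, whether the host is internet-facing, and the date a
fix became available. Weights and SLA thresholds are illustrative numbers.
"""
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class Finding:
    asset: str
    vuln_id: str                 # placeholder identifier, not a real CVE
    criticality: str             # "high" | "medium" | "low"
    exploit_public: bool         # PoC or write-up circulating (from threat intel)
    internet_facing: bool
    patch_available_since: date


CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def score(f: Finding, today: date) -> int:
    """Higher score = patch sooner. Assumed weights for illustration only."""
    s = CRITICALITY_WEIGHT[f.criticality] * 10
    if f.exploit_public:          # shared exploit: many actors can now use it
        s += 25
    if f.internet_facing:         # reachable without prior foothold
        s += 15
    days_open = (today - f.patch_available_since).days
    s += min(days_open, 30)       # age matters, but cap so it cannot dominate
    return s


def sla_days(f: Finding) -> int:
    """Assumed remediation deadline, tightest when exploit and exposure coincide."""
    if f.exploit_public and f.internet_facing:
        return 3
    if f.exploit_public:
        return 7
    if f.internet_facing:
        return 14
    return 30


def prioritise(findings: List[Finding], today: date) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: score(f, today), reverse=True)


def overdue(findings: List[Finding], today: date) -> List[str]:
    """Asset names whose fix has been available longer than the assumed SLA."""
    return [
        f.asset for f in findings
        if (today - f.patch_available_since).days > sla_days(f)
    ]


# Constructed sample inventory; identifiers and dates are made up.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("web-portal", "VULN-A", "high", True, True, date(2024, 5, 25)),
    Finding("hr-db", "VULN-B", "high", False, False, date(2024, 4, 1)),
    Finding("kiosk", "VULN-C", "low", True, False, date(2024, 5, 30)),
    Finding("mail-gw", "VULN-D", "medium", True, True, date(2024, 5, 31)),
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE, TODAY):
        print(f"{score(f, TODAY):3d}  {f.asset:<11} {f.vuln_id}  sla={sla_days(f)}d")
    print("overdue:", overdue(SAMPLE, TODAY))
```

The ordering rewards the same signals a threat-intelligence feed would supply (a shared exploit, exposure to the internet), while the SLA check surfaces findings that have slipped past the window before they are found the hard way; in practice the weights would be tuned to the organization's own asset register.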
By understanding the intricate ways threat actors share information, organizations can strengthen their defenses and better protect their valuable assets in the ever-evolving digital landscape.