An analysis from Recorded Future’s research group, Insikt Group, details the tactics, techniques, and procedures (TTPs) used by cybercriminals on dark web and special-access sources to compromise networks, deploy infostealer malware, and obtain valid credentials.
Excerpts:
Threat actors require remote access to compromised networks to conduct successful attacks, such as malware loader deployment, data exfiltration, or espionage campaigns. These compromised access methods, … are the work of specialized threat actors colloquially referred to as “initial access brokers” (IAB). IABs use several tools and TTPs to obtain such access, including obtaining valid credential pairs and session cookies from the successful deployment of infostealer malware, the purchase of infostealer “logs” or “bots” on dark web shops, credential stuffing, adversary-in-the-middle attacks, phishing, remote desktop protocol (RDP) “brute force guessing”, and more.
The most common credential pairs that appear for sale or auction on top-tier dark web and special-access sources, such as Exploit and XSS, are for corporate virtual private networks (VPNs), RDP services, Citrix gateways, web applications and content management systems (CMS), and corporate webmail servers (business email compromise, or BEC)
This underscores why passwords as a credential are bad. The best way to combat this threat is to eliminate the use of passwords from as many systems as possible. If that is not possible, multi factor authentication should be implemented for all access. MFA has become easy to implement over the last few years, should be the default.
“Lastly, to prevent lateral movement, principals of least privilege must be observed. This means, that each person has the minimal level of trust granted for the task at hand. For any escalation of privilege, one should: