An analysis from Recorded Future’s research group, Insikt Group, details the tactics, techniques, and procedures (TTPs) used by cybercriminals on dark web and special-access sources to compromise networks, deploy infostealer malware, and obtain valid credentials.

Excerpts:

Threat actors require remote access to compromised networks to conduct successful attacks, such as malware loader deployment, data exfiltration, or espionage campaigns. These compromised access methods, … are the work of specialized threat actors colloquially referred to as “initial access brokers” (IAB). IABs use several tools and TTPs to obtain such access, including obtaining valid credential pairs and session cookies from the successful deployment of infostealer malware, the purchase of infostealer “logs” or “bots” on dark web shops, credential stuffing, adversary-in-the-middle attacks, phishing, remote desktop protocol (RDP) “brute force guessing”, and more.

The most common credential pairs that appear for sale or auction on top-tier dark web and special-access sources, such as Exploit and XSS, are for corporate virtual private networks (VPNs), RDP services, Citrix gateways, web applications and content management systems (CMS), and corporate webmail servers (business email compromise, or BEC).

1 Expert Comment
Baber Amin, COO
InfoSec Expert
August 4, 2022 10:06 am

This underscores why passwords as a credential are bad. The best way to combat this threat is to eliminate the use of passwords from as many systems as possible. If that is not possible, multi-factor authentication should be implemented for all access. MFA has become easy to implement over the last few years and should be the default.

“Lastly, to prevent lateral movement, principles of least privilege must be observed. This means that each person has the minimal level of trust granted for the task at hand. For any escalation of privilege, one should:

  • Look at user behavior in the context of the application, the task, and the user agent/device being used for deviation from normal
  • Depending on the threshold defined, authentication or re-authentication using different mechanisms than initially deployed should be invoked”
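The two-step rule in the comment above (score how far a request deviates from the principal's normal application, task and device/user agent, then force re-authentication with a mechanism other than the one used to sign in once a threshold is crossed) is easy to state but worth seeing as a concrete decision function. The block below is an added illustration written for this page; it is not code from Information Security Buzz, from the commenter, or from any product. The baseline model, the weights, the threshold, the factor names and the sample events are all constructed assumptions.

```python
"""Risk-based step-up authentication decision (added example, not from the page).

Models one principal's 'normal' (devices, user agents, applications seen
before, and the factor used at sign-in), scores a new access event by how far
it deviates, and either allows it or demands re-authentication with a factor
different from the one the session started with, so a stolen password or
session cookie alone cannot satisfy the challenge.  Weights, threshold and
factor names are assumed policy values for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """What 'normal' looks like for one user (constructed for the example)."""
    devices: set[str] = field(default_factory=set)
    user_agents: set[str] = field(default_factory=set)
    apps: set[str] = field(default_factory=set)
    initial_factor: str = "password"   # factor the session was opened with


@dataclass
class AccessEvent:
    """One request that may represent an escalation of privilege."""
    user: str
    app: str
    task: str          # the privilege being requested, e.g. "read" or "admin"
    device: str
    user_agent: str
    factor_used: str   # factor already presented for this session


# Assumed policy: each deviation adds to a risk score; crossing the threshold
# triggers step-up.  Tune per application in a real deployment.
WEIGHTS = {"device": 40, "user_agent": 20, "app": 25, "privileged_task": 30}
STEP_UP_THRESHOLD = 50
PRIVILEGED_TASKS = {"admin", "export", "delete"}
# Mechanisms available for re-authentication, in order of preference.
ALTERNATE_FACTORS = ["fido2", "totp", "push"]


def risk_score(event: AccessEvent, baseline: Baseline) -> tuple[int, list[str]]:
    """Score the event against the baseline; return (score, human-readable reasons)."""
    score, reasons = 0, []
    if event.device not in baseline.devices:
        score += WEIGHTS["device"]
        reasons.append("new device")
    if event.user_agent not in baseline.user_agents:
        score += WEIGHTS["user_agent"]
        reasons.append("new user agent")
    if event.app not in baseline.apps:
        score += WEIGHTS["app"]
        reasons.append("application not previously used")
    if event.task in PRIVILEGED_TASKS:
        score += WEIGHTS["privileged_task"]
        reasons.append(f"privileged task: {event.task}")
    return score, reasons


def decide(event: AccessEvent, baseline: Baseline) -> dict:
    """Allow below the threshold; otherwise require a factor that differs from
    both the sign-in factor and whatever the current session already presented."""
    score, reasons = risk_score(event, baseline)
    if score < STEP_UP_THRESHOLD:
        return {"action": "allow", "score": score, "reasons": reasons}
    excluded = {baseline.initial_factor, event.factor_used}
    factor = next(f for f in ALTERNATE_FACTORS if f not in excluded)
    return {"action": "step_up", "factor": factor, "score": score, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: alice normally uses one laptop, one browser, one app.
    alice = Baseline(devices={"laptop-01"}, user_agents={"Chrome/115"}, apps={"crm"})
    routine = AccessEvent("alice", "crm", "read", "laptop-01", "Chrome/115", "password")
    suspicious = AccessEvent("alice", "crm", "export", "unknown-host", "curl/8.0", "password")
    print(decide(routine, alice))      # allowed, score 0
    print(decide(suspicious, alice))   # step_up via fido2, score 90
```

Note that the `excluded` set is what implements "different mechanisms than initially deployed": if the session was opened with FIDO2, the challenge falls through to TOTP rather than re-prompting the same authenticator. A privileged task from a known device and browser scores below the assumed threshold and is allowed, which is the kind of policy choice the threshold is there to make explicit.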