Sensitive data stolen from companies during cyberattacks often ends up on Dark web markets and forums. With the rise of the cybercrime as a service business model, Kaspersky researchers found that not only corporate data itself is for sale, but also the information necessary for access to corporate networks to organise that attack.
Globally, the average cost for access to corporate systems is in the range from $2,000 to $4,000, and in the Africa, Middle East and Turkey (META) region, the average price for access to corporate infrastructure is $2,100. This is relatively inexpensive compared to the possible damage to the targeted business. Such services are of prime interest to ransomware operators, whose profit may reach tens of millions of dollars a year.
The Dark web is a common term that is used to describe different resources used by cybercriminals – forums, instant messengers, Tor websites, blogs, Pastebin and similar websites, and others. The Dark web is also a multifunctional platform and market for any need – from attack preparation to money withdrawal.
Ways the attackers can get access to corporate data
The first way is by exploiting vulnerabilities on the network perimeter. These can be unpatched software with available exploits, vulnerabilities in web applications, misconfigured services or zero-day vulnerabilities. A zero-day vulnerability is an unknown software bug discovered by attackers before the vendor has become aware of it. Since the vendors are unaware, no patch exists for zero-day vulnerabilities, making attacks likely to succeed unexpectedly.
Another way is by phishing attacks. Most common attack scenarios include fake business correspondence from partners, fake links for online meetings or documents, and COVID-related emails.
Finally, access can be gained by infecting user devices (personal or corporate ones) with a data stealer. Data gets stolen while users continue to work on their device, then the stolen data is transferred to Command and Control servers, packed in files, which are then published on Dark web forums and put on sale. In South Africa, 1,270,617 accounts of users were stolen this way in 2021-2022. In Kenya, 375,011 accounts of users were stolen during the same period.
Selling access on the dark web
Once an attacker gains access to the organisation’s infrastructure, they can then sell this access to other advanced cybercriminals, for example, ransomware operators. The price for accessing potential victims’ systems is relatively inexpensive when compared to the possible damage that can be done afterwards. The average cost for access to a company’s systems lies in the range from $2,000 to $4,000. The cost of initial access depends on the victim company’s revenue and price. Globally 42% of all offers for the sale of access are cheaper than $1,000. The majority (75%) of all lots offer initial access through Remote Desktop Protocol (RDP), making the access for buyers easy. Other types include access through virtual network computing services, through web shell, through Citrix access or SQL injection.
While companies from the META region account for 8% of all offers globally on the sale of access to corporate infrastructure, their access is sold at a high price – the most expensive offer stood at $25,000. The average price for access to corporate infrastructure in the META region is $2,100. The most expensive offers that were found were for companies from Saudi Arabia, the UAE, Israel (starting from $5,000). Access to over 100 enterprises in META with an average revenue of $500 million has been up for sale on the Darknet over the past 2 years.
Protecting businesses from dark web criminals
“While the Dark web seemed impossible to control in the past, now the situation is changing. Businesses can act to give fraudsters less opportunity to make dark web profits out of their data. Organisations should protect their data from being stolen with strong data security practices, including data encryption and educating employees on how to avoid accidentally giving cybercriminals access,” comments Yuliya Novikova, Head of Security Services Analysis at Kaspersky. “Dark web monitoring should be considered as a threat intelligence data source for cybersecurity staff – CTI analysts, SOC analysts, and others. It will allow to immediately react on security incidents such as offers on selling access to the company and help to prevent data breaches. Digital Footprint Intelligence introduced within the Kaspersky Threat Intelligence portal provides access to insights from a range of validated sources worldwide, allowing companies to mitigate the impact of cyberattacks and identify potential threats before they become incidents.”