26/11/2022
26/11/2022
KUWAIT CITY, Nov 26: Sensitive data stolen from companies during cyberattacks often ends up on Dark web markets and forums. With the rise of the cybercrime as a service business model, Kaspersky researchers found that not only corporate data itself is for sale, but also the information necessary for access to corporate networks to organize that attack. According to the information shared at the annual Kaspersky Cybersecurity weekend, globally the average cost for access to corporate systems is in the range from $2,000 to $4,000, and in META the average price for access to corporate infrastructure is $2,100. This is relatively inexpensive compared to the possible damage to the targeted business. Such services are of prime interest to ransomware operators, whose profit may reach tens of millions of dollars a year.
The Dark web is a common term that is used to describe different resources used by cybercriminals – forums, instant messengers, Tor websites, blogs, Pastebin and similar websites, and others. The Dark web is also a multifunctional platform and market for any need – from attack preparation to money withdrawal.
Ways the attackers can get access to corporate data
The first way is by exploiting vulnerabilities on the network perimeter. These can be unpatched software with available exploits, vulnerabilities in web applications, misconfigured services or zero-day vulnerabilities.
Another way is by phishing attacks. The most common attack scenarios include fake business correspondence from partners, fake links for online meetings or documents, and COVID-related emails.
Finally, access can be gained by infecting user devices (personal or corporate ones) with a data stealer. Data gets stolen while users continue to work on their device, then the stolen data is transferred to Command and Control servers, packed in files, which are then published on Dark web forums and put on sale..
Numbers of accounts of users stolen in a similar fashion in the Middle East in 2021-2022:
Saudi Arabia 1,155,622
Egypt 970,665
UAE 539,424
Jordan 194,629
Kuwait 67,037
Qatar 55,246
Selling access on the dark web
Once an attacker gains access to an organization’s infrastructure, they can then sell this access to other advanced cybercriminals, for example, ransomware operators. The price for accessing potential victims’ systems is relatively inexpensive when compared to the possible damage that can be done afterwards. The average cost for access to a company’s systems lies in the range from $2,000 to $4,000. The cost of initial access depends on the victim company’s revenue and price. Globally 42% of all offers for the sale of access are cheaper than $1,000. The majority (75%) of all lots offer initial access through Remote Desktop Protocol (RDP), making access for the buyers easy. Other types include access through virtual network computing services, through web shell, through Citrix access or SQL injection.
While companies from the META region account for 8% of all offers globally on the sale of access to corporate infrastructure, their access is sold at a high price – the most expensive offer stood at $25 000. The average price for access to corporate infrastructure in META is $2,100, while specifically in Egypt it is $1,000The most expensive offers that were found were for companies from Saudi Arabia, and the UAE,(starting from $5,000). Access to over 100 enterprises in META with an average revenue of $500 mln has been up for sale on the Darknet over the past 2 years.
“While the Dark web seemed impossible to control in the past, now the situation is changing. Businesses can act to give fraudsters less opportunity to make Dark web profits out of their data. Organizations should protect their data from being stolen with strong data security practices, including data encryption and educating employees on how to avoid accidentally giving cybercriminals access,” comments Yuliya Novikova, Head of Security Services Analysis. “Dark web monitoring should be considered as a threat intelligence data source for cybersecurity staff – CTI analysts, SOC analysts, and others. It will allow to immediately react on security incidents such as offers on selling access to the company and help to prevent data breaches. Digital Footprint Intelligence introduced within the Kaspersky Threat Intelligence portal provides access to insights from a range of validated sources worldwide, allowing companies to mitigate the impact of cyberattacks and identify potential threats before they become incidents.”