One of the most prominent events of the cyber threat landscape in 2022 has been the large leak of internal chat logs and other information tied to the Conti ransomware group. Intel 471 combed through these archives and discovered that this ransomware group actually operated in a highly structured manner akin to a legitimate corporation (see Conti puts the ‘organized’ in organized crime). For a group responsible for tens of billions of dollars in online theft over the last few years perhaps this is not all that surprising. What may come as more of a shock though is that sophisticated criminal groups like Conti and LockBit are not outliers achieving success with this model, but instead are simply some of the most notorious examples of highly structured operations that have become the norm across most corners of the cyber underground. We have observed notable recent cases of actors and groups with varying maturities even boasting their own product roadmaps, particularly for speedier exploitation of compromised credentials.
The roadmap of a new cybercriminal forum
New forums for leaking data, selling access, and sharing hacking tools come and go all the time in the cyber underground. However, this is the first year that Intel 471 observed a new forum with a dedicated roadmap section. In a line graph titled “Roadmap 2022 Our Strategy and Project Plan”, the forum administrator outlined the following development goals:
Launch of the new forum.
A project called “Leaks Circle” that aims to visualize leaked sources of data breaches.
Creation of a new cryptocurrency coin for exclusive use on the forum
A system called “Leaks Detector” to check for emails and domains in leaked sources of data breaches.
Streamed snapshots of other hacking forums for monitoring.
Suffice it to say that this product manager was a bit too ambitious and is a number of sprints behind. Though not fully realized yet, the vision calls out a fundamental challenge facing attackers and defenders alike: the race to compromise or secure the massive troves of data that underpin our digital economy. As we have seen in numerous incidents in recent years, it takes just the speedy and clever actioning of a single compromised credential to disrupt an entire organization.
Product updates for top-tier credential marketplaces
More established and highly reputed underground marketplaces have also made recent product updates following eerily similar practices to legitimate technology companies. Two top-tier marketplaces known for circulating compromised credentials harvested from information-stealer malware campaigns offer customer service support, publish press releases in forums, collect and promote positive feedback received about their products and regularly develop and launch new capabilities to attract or retain customers. The following developments were respectively released in the last few months on each of the marketplaces:
A fully non-attributable browser for anonymous web surfing with a pre-installed plugin to quickly action credentials, cookies, and other online footprint data purchased from the marketplace.
A new marketplace section allowing a registered user with a monetary deposit of $1,000 or more to create a watch list for domains of interest for automated pre-ordering of credentials for sale.
These updates seek to streamline the process of acquiring potentially sensitive and valuable compromised credentials. That timing can make all the difference for an attacker, whether it be seeking initial access to a corporate network to deploy ransomware or attempting to take over and cash out a bank account.
A criminal professional just trying to lend a hand
Cyber underground actors are not ignorant to the tools and techniques that have developed in the past decade to thwart their activity. The proliferation of cyber threats spawned the need for cyber threat intelligence, and like a virus mutating and adapting over time, threat actors continue to respond in kind and with an arrogance that shows we have a long way to go.
The administrator of XSS forum, one of the longest-standing predominantly Russian cybercriminal forums, recently launched a new initiative in response to vendors and researchers monitoring it. For a $2,000 annual subscription, any registered user can receive unfettered access to the vast majority of forum content without fear of account bans. This subscription includes the ability to see behind hidden content windows with more sensitive data that was historically reserved for the most highly regarded or deposit-rich actors. It is once again a nod to the fact that data is rampant and everywhere. Access is no longer a necessary gatekeeper. The noise that comes with trying to process so much data is more than enough.
Cutting through that noise is a unique challenge facing both sides and a big reason why and how cyber threat actors have professionalized their operations in recent years. As defenders, it is paramount to have a requirements-driven collection and monitoring plan in place in order to keep pace.