The state of the dark web: Insights from the underground

Lately, dark web actors have one more worry: getting caught by law enforcement. Tracking dark web illegal activities has been a cat-and-mouse game for authorities, but in the end, they often catch their adversaries and seize the dodgy money. On the night of the 2020 presidential election, for example, US government officials managed to empty out a $1 billion Bitcoin wallet recovering funds linked to Silk Road, seven years after the market’s closure. Silk Road was a popular underground marketplace dealing in illegal goods and services such as narcotics, hacking for hire, and contract killing.

Cybercriminal group closure and exit scams

Events like these have compelled cybercriminals to plot new strategies, which sometimes involves closing shop and cashing out before they get on the feds’ radar. In October 2020, the Maze ransomware group, which has breached hundreds of companies including Xerox, LG, and Canon, shut itself down over a six-week period stating they had retired their activities. However, experts have suggested this is likely a façade. Ransomware operators often shut one operation down to join another rather than exit the business completely. 

“In recent years, the dark net has dramatically changed, quite organically, due to increased organized criminal organizations’ use of anonymous forums and marketplaces, the increased presence of young YouTube inspired ‘criminal wannabes,’ and naturally, the subsequent increased presence of law enforcement and their attempts to infiltrate, de-anonymize, and take down such groups and hidden services,” says Mark Turnage, CEO of DarkOwl, a dark web search engine.

Dark web becoming a recruiting channel

According to Turnage, the dark web has evolved into an intermediary ground where cybercriminals minimally interact to poach new members for their group. They then move communications to private, encrypted channels such as Telegram, Jabber, and WickR. “Malware developers and financial fraud [criminals] rely less on dark net marketplaces for distributing their exploits and instead levy black hat forums across the deep web and darknet to establish their brand, develop clout across the community, and recruit new members,” says Turnage. “Many criminal organizations use the dark net merely to vet potential affiliates, particularly in the ransomware-as-a-service industry, and their [co-conspirators].”

Turnage says that DarkOwl has seen more technically savvy criminals increase their use of alternative decentralized dark nets and meshnets such as Lokinet and Yggdrasil. He attributes this to the short lifespan of dark net marketplaces and services across Tor and server seizures by globally coordinated law enforcement agencies.

Moving marketplaces from Tor nodes to private messaging services may also come with technical advantages, such as distributed denial of service (DDoS) protections. These technical safeguards may lure dark web admins as underground marketplaces like Empire have been forced to shut themselves down following DDoS attacks by other cybercriminals in rather ironic extortion attempts. Empire’s abrupt exit has also rendered its so-called “escrow” guarantee void, prompting some patrons to label the closure an “exit scam.”

By switching patrons over to legitimate end-to-end encrypted messaging services, cybercriminals leverage the reliable distributed infrastructure of these platforms while remaining discreet and avoiding the scrutiny of law enforcement. Granted, messaging platforms like Telegram may not be entirely immune from DDoS attacks, protecting against such attacks then becomes the responsibility of platform owners rather than dark web ops.

Leveraging underground chatter for intel gathering

According to Raveed Laeb, product manager at KELA, the dark web of today represents a wide variety of goods and services. Although traditionally concentrated in forums, dark web communications and transactions have moved to different mediums including IM platforms, automated shops, and closed communities. Threat actors are sharing covert intelligence on compromised networks, stolen data, leaked databases and other monetizable cybercrime products through these mediums.

“The market shifts are focused on automation and servitization [subscription models], aimed at aiding the cybercrime business to grow at scale,” says Laeb. “As can be witnessed by the exponential rise of ransomware attacks leveraging the underground financial ecosystem, the cybercriminal-to-cybercriminal markets allow actors to seamlessly create a supply chain that supports decentralized and effective cybercrime intrusions—giving attackers an inherent edge.”

On the bright side, security professionals and threat analysts can tap into this intel to identify and patch system weaknesses before threat actors can exploit them. “Defenders can exploit these robust and dynamic ecosystems by gaining visibility into the inner workings of the underground ecosystem—allowing them to trace the same vulnerabilities, exposures, and compromises that would be leveraged by threat actors and remediate them before they get exploited,” says Laeb.

This can be done by monitoring forums and darknet sites where threat actors are most likely to lurk, discuss upcoming threats, and put exploits up for sale. A hacker recently posted exploits for over 49,000 vulnerable Fortinet VPNs on a forum, for example, some of which belonged to prominent telecoms, banks and government organizations. This was followed by a second forum post in which another threat actor exposed plaintext credentials for all the VPN devices for any adversary to exploit. Although the vulnerability in question is a two-year-old path-traversal bug, likely not on anyone’s radar anymore, thousands of corporate VPNs present on the list remained vulnerable to this critical issue.

Tapping into such forums and monitoring for such intel can give heads up to security teams at organizations to do their due diligence in where adversaries may be headed next.  

Tracking illicit activity disguised under legitimate programs

Advanced persistent threat (APT) groups are now using the dark web to gather knowledge of their targets and then use legitimate network protocols and programs for covert data exfiltration purposes. “In the past, organizations tended to only be concerned about their own data appearing on the dark web, and even then, it would only ring alarm bells if significant data were located. However, many of the Chinese and Russian nation-state backed advanced persistent threat groups are now using the dark net to perform reconnaissance of potential targets, and then provide a cover for exfiltrating data,” says Vince Warrington, CEO at Dark Intelligence.

“Since the start of 2020, the use of SSH by these APT groups has increased by over 200%. Our research indicated that APT groups are using SSH via port 22 to infiltrate organizations unnoticed and, once inside, are using poorly monitored and maintained systems—especially industrial control systems—to steal significant amounts of data. Several recent attacks are alleged to have stolen over 1 terabyte of data from individual businesses, a huge amount that organizations are failing to spot because they are unable to monitor effectively for dark net connections,” says Warrington.

This point has been substantiated by the discovery last month of the massive SolarWinds supply chain attack attributed to the Russian espionage group APT29, a.k.a. Cozy Bear. By exploiting trust within a legitimate program like SolarWinds Orion and its secure update channels (or protocols), sophisticated attackers managed to silently breach over 18,000 of the 300,000 SolarWinds customers and remained undetected for months. Their sinister activities conducted as a part of this attack could have involved covert surveillance and data exfiltration leaving no obvious trace.

This is different from cases where threat actors make noise on public or dark web forums when leaking data dumps. So, monitoring the dark web alone for signs of data exfiltration isn’t enough.

Threat analysts and security researchers are therefore encouraged to reevaluate their monitoring strategies. Rather than focusing solely on detecting anomalies within corporate networks, such as foreign IPs and odd port numbers, or waiting for proprietary data to appear on the dark web, it is worth monitoring trustworthy programs and services, including their security updates, and your organization’s software supply chains where threat actors could be hiding unnoticed.