What To Do If Your Company Was Mentioned on Darknet?

Cyber Security Threat Summary:
This article examines different scenarios in which your company may be mentioned on the dark web, and what you can do to navigate and mitigate the associated risks. Specifically, the article focuses on the sale of compromised accounts, internal databases and documents, and access to corporate infrastructure, as well as the sale of personally identifiable information such as ID photos, driver's licenses, etc.

Most alarmingly, the article says that during their research the authors found 223 instances where companies with a likely high cybersecurity maturity level were listed with access for sale on the dark web. In some cases this access was listed for purchase, but at times compromised accounts were also distributed for free.

Security Officer Comments:
While access to compromised accounts is concerning, data breaches that expose confidential and sensitive information can also cause major problems. The most common listings are for internal databases and documents, and they impact companies of all sizes. These leaks can affect the company itself, its employees, and its customers. According to the Kaspersky DFI Portal, around 1,700 unique posts related to the sale, distribution, or purchase of breached data appeared on the Darknet every month.

“Other popular type of recirculating leakages are databases with scraped public data, such as names, profiles IDs and emails, from popular social networks. They remain valid in cybercriminal society as a valuable source for development of an attack. In 2021, the personal information of over 700 million LinkedIn users and 533 million Facebook users was scraped and posted on the dark web” (Secure List, 2023).

Returning to the sale of infrastructure access, such access is purchased for use in reconnaissance, initial access, privilege escalation and more. Depending on their specialization, cybercriminals may purchase different types of access to use in attacks.

Suggested Correction(s):
The first challenge in mitigating the sale of infrastructure access is knowing about the listing. Many cybercriminals will not fully name the victim company, so as not to draw attention and lose the access they have. The listings do, however, often contain attributes that cybercriminals usually put in the message, such as geographic location, industry, company size, and annual revenue. These details can sometimes be used to work out who the victim is.

In 2022, the researchers found around 3000 unique infrastructure-access offers. By November 2023, they had already found more than 3100 offers. The most common offers were compromised corporate VPN accounts, but listings also included access to servers or hosts connected to internal networks, typically via RDP or webshells.

Compromised accounts were also often listed for sale and fell into three categories:

  • Public leakages that are freely distributed within the cybercriminal community.
  • Leakages with limited access that are sold on hacker forums and in private chats. Sometimes these are just small databases containing unverified information, which may even be generated.
  • Compromised user accounts taken from malware logs published on Darknet forums. Such credentials become available because of infostealers like REDLINE and VIDAR, which are now easily accessible to the cybercriminal community via Malware-as-a-Service.

A common question is why a cybercriminal would list credentials for free. Cybercriminals list the data as a way to increase their rank in the cybercriminal community and on Darknet forums. This up-for-grabs access can be very dangerous, as multiple threat actors may attempt to use the credentials to gain access.

The best defense against dark web leaks is to bolster security around access controls and to conduct frequent information security training. Impossible-travel alerts, tracking unusual log-in times, and applying multi-factor authentication can help limit the damage from the sale of stolen credentials. Organizations should follow the principle of least privilege and follow password rotation best practices.

It can be difficult to monitor the dark web manually for specific mentions of your company's name; there are services and vendors that can assist with this monitoring, should an organization want to be proactive against such threats.