Data is invaluable nowadays, and criminals are using increasingly sophisticated methods to access sensitive information. But that’s not all. Hackers are increasingly organising themselves along professional lines and marketing their fraudulent services as ‘Crime-as-a-Service’ (CaaS). By mimicking legitimate cloud services, they give criminal actors access to specialist skills and tools, so that even people with no specialist skills can carry out fraudulent activities. Consequently, the efficiency and scale of cybercrime have increased significantly, as evidenced by the Europol report ‘Cyber-attacks: the apex of crime-as-a-service’. Particularly popular methods of penetrating other people’s systems include phishing emails that contain malware, exploiting software vulnerabilities, and abusing Remote Desktop Protocol (RDP) access. Added to this is a network of services from which high-ranking cybercriminals benefit greatly. This usually starts with stolen data offered for sale on marketplaces on the dark web. Read on to learn about the malicious actors behind this, their methods, and how a stolen password can become a kill chain.
Behind the scenes: initial access brokers, Dropper-as-a-Service and crypter developers
Various criminal services are offered online:
- Initial Access Brokers
The business model of Initial Access Brokers (IAB) plays an important role in cyberattacks. It is based on selling access to already compromised systems to other cybercriminals, who can use this as a starting point for further attacks. As intermediaries for illegal access, IABs specialise in identifying, infiltrating and compromising computer systems. They search for weaknesses in networks: unpatched programs or servers, software bugs, or security mechanisms that can be circumvented, for example through social engineering. They then sell the access, and any data stolen along the way, usually on the dark web.
- Dropper-as-a-Service
A ‘dropper’ is a program that is installed as malware on a specific target computer. It acts as a link between the attack vector that delivers the malware and the actual malware payload. Dropper-as-a-Service allows even cybercriminals who lack any in-depth technical expertise to spread malware. They simply subscribe to the service and can customise and configure the software to their specific requirements.
- Crypter developers
Crypters are tools that cybercriminals use to disguise malware, making it more difficult for security software to detect. The developers program the software with such flexibility that it can conceal various types of malware. This allows criminals to maximise the effectiveness of their malicious software across various environments and against different security solutions. In many cases, these tools also contain mechanisms to delay or prevent execution when the malware is run in isolated test environments (sandboxes), so that automated analysis sees nothing suspicious.
The kill chain of stolen data using the example of an IAB
The sale of stolen data begins a dangerous chain of events. Hackers use this data not only to carry out fraudulent transactions but also to run a comprehensive kill chain.
Cybercriminals start by obtaining sensitive data in various ways, be it through phishing, brute-force attacks, or exploiting vulnerabilities. Users often make it easy for attackers by using the same password for different accounts. Should this password fall into the wrong hands, the attacker can, in the worst case, access not just one account but all of them.
In a second step, cybercriminals sell the stolen information on darknet marketplaces, which has led to a lucrative trade. The stolen data serves as a starting point for further attacks. One of the most popular methods is ransomware, which not only encrypts the data but also increasingly leads to what is known as ‘double extortion’: the hackers threaten both to withhold the decryption of the encrypted data and to release it into the public domain. The result is that more stolen data ends up on the dark net, and the ‘game’ starts all over again. For companies, this can cause major reputational damage and, in the worst case, can lead to financial disaster.
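The first step of the chain described above (brute force and reused passwords tried against many accounts) leaves a recognisable trace in authentication logs. The following is an added example, not code from the original article or from any vendor mentioned in it: a small detector that reads authentication events and flags two patterns from a defender's side, one source trying many different accounts within a short window (credential stuffing / password spraying, where leaked password lists are replayed), and one account receiving many failures in a row (classic brute force). The log format, thresholds and the sample lines are all constructed for this example; a real deployment would map its own log fields onto `parse_line`.

```python
"""Detect credential stuffing and brute-force patterns in authentication logs.

Added example (not from the article). Log format and sample data are constructed:
    <ISO-8601 UTC timestamp> <OK|FAIL> user=<account> src=<source IP>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries five different accounts in five
# seconds and then logs in as "frank"; 192.0.2.44 hammers "henry" six times
# and then succeeds; 198.51.100.9 is a user mistyping once (benign).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02Z FAIL user=bob src=203.0.113.7
2024-05-01T10:00:03Z FAIL user=carol src=203.0.113.7
2024-05-01T10:00:04Z FAIL user=dave src=203.0.113.7
2024-05-01T10:00:05Z FAIL user=erin src=203.0.113.7
2024-05-01T10:00:06Z OK user=frank src=203.0.113.7
2024-05-01T10:00:10Z FAIL user=alice src=198.51.100.9
2024-05-01T10:00:11Z OK user=alice src=198.51.100.9
2024-05-01T10:05:00Z FAIL user=henry src=192.0.2.44
2024-05-01T10:05:01Z FAIL user=henry src=192.0.2.44
2024-05-01T10:05:02Z FAIL user=henry src=192.0.2.44
2024-05-01T10:05:03Z FAIL user=henry src=192.0.2.44
2024-05-01T10:05:04Z FAIL user=henry src=192.0.2.44
2024-05-01T10:05:05Z FAIL user=henry src=192.0.2.44
2024-05-01T10:05:06Z OK user=henry src=192.0.2.44
2024-05-01T10:20:00Z FAIL user=gina src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def _first_window(fails, window, predicate):
    """Slide a time window over chronologically sorted failures and return the
    first window whose event list satisfies predicate, or None."""
    start = 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        w = fails[start:end + 1]
        if predicate(w):
            return w
    return None


def detect(log_text, window=timedelta(minutes=5),
           spray_failures=5, spray_users=4, account_failures=6):
    """Return {"spraying": {src: ...}, "brute_force": {user: ...}}.

    spraying:    a source with >= spray_failures failures against >= spray_users
                 distinct accounts inside one window; "succeeded" lists accounts
                 that source later logged into (possible compromise).
    brute_force: an account with >= account_failures failures inside one window;
                 "succeeded" tells whether a login followed the burst.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
        by_user[e["user"]].append(e)

    spraying = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        w = _first_window(fails, window, lambda w: len(w) >= spray_failures
                          and len({e["user"] for e in w}) >= spray_users)
        if w:
            since = w[0]["ts"]
            spraying[src] = {
                "failures": len(w),
                "accounts": sorted({e["user"] for e in w}),
                "succeeded": sorted({e["user"] for e in evs
                                     if e["result"] == "OK" and e["ts"] >= since}),
            }

    brute_force = {}
    for user, evs in by_user.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        w = _first_window(fails, window, lambda w: len(w) >= account_failures)
        if w:
            since = w[0]["ts"]
            brute_force[user] = {
                "failures": len(w),
                "sources": sorted({e["src"] for e in w}),
                "succeeded": any(e["result"] == "OK" and e["ts"] >= since for e in evs),
            }
    return {"spraying": spraying, "brute_force": brute_force}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        for key, info in hits.items():
            print(f"{kind}: {key} {info}")
```

The two thresholds are deliberately different: spraying is characterised by breadth (many accounts, few attempts each, which per-account lockout never sees), brute force by depth on a single account. A successful login from a source that has just been spraying is the event worth paging on, because it is the point at which a leaked credential turns into the access that an Initial Access Broker can resell.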
Nipping problems in the bud: data protection begins with CIAM
If you want to protect yourself against these developments, it is essential to prioritise data protection. If sensitive information falls into cybercriminals' hands, it can mean the end of a business. Customer identity and access management (CIAM) protects sensitive data. Strong authentication methods such as two-factor authentication make it more difficult to access accounts with a stolen password alone, thwarting malicious actors' efforts. This also helps to ensure compliance with data protection and security standards. CIAM systems that proactively guarantee the protection of identities and secure access to resources can effectively break the kill chain.