SOC, TI and IR posts

What to do if your company was mentioned on Darknet?

Every year is abundant with major data leaks, biggest data breaches and hacks drawing massive media attention (such as Medibank and Optus data breach, Twitter data breach, and Uber and Rockstar compromise in 2022 and in T-Mobile, MailChimp and  OpenAI in 2023). But are we really conscious of the true scale of the threat? To find out, in 2022 we created a list of 700 companies worldwide from different industries: industrial, telecommunication, financial, retail, and others. Then we searched through Darknet trying to answer the question of “How likely these companies have suffered a breach?”.

In the course of this research, we found out that the prevalent posts revolved around the sale of compromised accounts, internal databases, and documents, along with access to corporate infrastructures. While the darknet does facilitate the sale of diverse data types, for example, bank card information, driver licenses and ID photos, etc., our focus in this article will be on the aforementioned three threats, which are particularly relevant to enterprises.  As a result of our research, we found out that 223 in 700 companies were mentioned across Darknet in different data breach-related topics.

Distribution of industries, 2022 (download)

Statistically, it means that every third company was referenced in dark web posts associated with the sales of data or access, while from the news we know that even the companies with high cybersecurity maturity level were hacked.

Further in the article, we present a statistical overview encompassing all dark web posts regarding the sale, purchase, or free distribution of compromised accounts, data sourced from breaches, and corporate accesses spanning January 2022 to November 2023. This analysis goes beyond the scope of companies outlined in the aforementioned study.

Data breaches

A data breach exposes confidential, sensitive information and can cause major problems. The most common example are databases and internal documents, since every company of all sizes operate with confidential data which has a price. The leaks can affect the company itself, the employees, and the customers.

According to Kaspersky DFI Portal, around 1,700 unique posts appeared on Darknet every month related to sale, distribution, or purchase of data breaches.

Number of messages related to databases sale/purchase, January 2022 – November 2023 (download)

It should be noted that not every message represents a unique up-to-date leakage. Some of them are repeated advertisements on the same leakage. Some databases can be merged or divided by country, for example, saturated and presented as a brand new one or coming as a “Combolist”.

An example of a Combolist offer

An example of a Combolist offer

Other popular type of recirculating leakages are databases with scraped public data, such as names, profiles IDs and emails, from popular social networks. They remain valid in cybercriminal society as a valuable source for development of an attack. In 2021, the personal information of over 700 million LinkedIn users and 533 million Facebook users  was scraped and posted on the dark web.

An example of a leaked LinkedIn database distribution (screenshot was obtained from Kaspersky Digital Footprint Intelligence Portal)

An example of a leaked LinkedIn database distribution (screenshot was obtained from Kaspersky Digital Footprint Intelligence Portal)

An example of a leaked LinkedIn database distribution (screenshot was obtained from Kaspersky Digital Footprint Intelligence Portal)

Infrastructure accesses

Another popular type of data sold on Darknet is infrastructure accesses. Previously, we published a stand-alone research on the topic, so here we highlight only the main points. The reason for the infrastructure accesses popularity is simple: complex attacks almost invariably include several phases, such as reconnaissance, initial access to the infrastructure, gaining access to target systems and/or privileges, and the actual malicious acts (data theft, destruction or encryption, etc.). Different phases require different expertise, so cybercriminals frequently have specializations, and one who can easily obtain access may face difficulties in the development of the attack. In that case, the purchase of initial access simplifies the attack and is cost-effective for experienced cybercriminals.

For a business that wants to mitigate the risks related to infrastructure access sale, the very first challenge is to get to know about the sale. The huge difference of this data type compared to other types is that cybercriminals prefer not to mention the company’s name in the message so not to lose the access. Even if someone mentions the name, the community is always right there to advise their heedless colleagues not to share superfluous information.

Comment to a post offering an access for sale

Comment to a post offering an access for sale

In this case, how do you track this threat? There are attributes which cybercriminals usually put in the message, such as geographic location, industry, company size, and annual revenue.

A few examples of forum messages with companies' attributes

A few examples of forum messages with companies' attributes

A few examples of forum messages with companies' attributes

A few examples of forum messages with companies' attributes

A few examples of forum messages with companies’ attributes

In 2022, we found around 3000 unique infrastructure offers. By November 2023, we have already found more than 3100 offers. Typically, hacked access to corporate infrastructure includes accounts for a corporate VPN service and some servers or hosts in the internal networks (in general, access is performed via RDP or web shells).

Number of messages offering infrastructure access, January 2022 – November 2023 (download)

Compromised accounts

There is another category of data which is a real find for gaining initial access — compromised accounts. According to the source of origin, we divide all compromised accounts into three categories:

  • Public leakages that are freely distributed within cybercriminal society.
  • Leakages with limited access that are sold in hacker forums and private chats. Sometimes these are just small databases containing unverified information, which can even be generated.
  • Compromised users accounts from malware logs published on Darknet forums. Such credentials become available due to infostealers like REDLINE and VIDAR, which are now easily accessible in cybercriminal community via Malware-as-a-Service.

At first glance, there is no point for cybercriminals to share credentials for free. However, they still can do it if they do not need the data anymore and want to level up their rate among cybercriminal community on a specific darknet forum. Also, they can publish some pieces of malware log files containing compromised accounts to announce the next sale.

All three types of leaked credentials threaten companies since, despite prohibitions, employees use corporate email addresses to register on third-party websites. In a typical scenario, company employees are using the same passwords for external services and for corporate resources, which can help cybercriminals to get unauthorized access to the corporate infrastructure.

So, how likely is it that your stolen data is being sold on darknet right now? And what you should do with it? In the case of leakage, there is no time to regret your unrealized security controls or not conducted information security training. Rapid threat identification and competent incident response plan can neutralize the situation or at least reduce the damage. And we have prepared the Guideline on how to respond to Dark Web related incidents and Incident Response Playbook to help you with it.

What to do if your company was mentioned on Darknet?

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox