Cyber criminals are eager to gain access to corporate infrastructure, which is why it has become one of the most popular topics on Darknet forums, accounting for 12% of all messages in trade forum sections analysed.
So says Yuliya Novikova, head of security services analysis at Kaspersky, adding that their motivation is purely financially-driven.
“For cyber criminals, it comes down to making as much profit as possible from the initial access gained. They sell anything from valid credentials and user and admin cookies for Web panels to details on remote command execution vulnerabilities and access to an already uploaded Web-shell,” she says.
She says there are three ways these malicious users typically gain access.
First, they exploit weaknesses such as unpatched software, misconfigured services, zero-day flaws and known vulnerabilities in Web applications. Second, and most commonly, they phish users. Third, they use a data stealer.
“This is where malware infects a user’s device and intercepts data,” Novikova explains. “This data is collected in logs which are published on Darknet forums where they will be sold. Malicious users are looking for virtually any kind of data to steal. This includes payment and personal data, domain credentials, credentials for third-party services, social network accounts, and authorisation tokens.”
She says that upon analysing nearly 200 Darknet posts offering initial access to companies’ data, Kaspersky found that 75% of them offered that access via remote desktop protocol (RDP), with privilege levels ranging from domain admin through local admin to regular user rights.
“With remote working now a reality for many companies, where companies have introduced RDPs to enable computers on the same corporate network to be linked together and accessed remotely, this finding is a cause for concern,” Novikova says.
South African perspective
In SA, Kaspersky’s research shows that RDP attacks are a growing concern, with what the company describes as a high hit rate for this type of attack in the country.
The demand for corporate data on the black market is significant. Kaspersky’s research shows that a large amount of initial access to companies’ data is being offered via RDP, shining the spotlight on the need for local businesses to gain visibility across the Darknet to enrich their threat intelligence, particularly in regions where remote or hybrid working models are employed.
“And because valid credentials for RDP access are the most common Darknet offer, organisations must start following best cyber security practices,” Novikova says.
This, she says, includes using reliable passwords, making all remote management interfaces reachable only through a VPN, and using two-factor authentication for all management interfaces.
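The two controls that can be applied on the host itself, limiting RDP to the VPN and hardening authentication, look like the following on a Windows machine. This is an added example written for this page, not code from Kaspersky or the article’s author; the VPN address pool 10.8.0.0/24 and the lockout values are assumptions, and it must be run from an elevated PowerShell session.

```powershell
# Added example: scope RDP to the VPN subnet, require NLA, and lock out brute-force attempts.
# Assumption: the VPN hands out addresses from 10.8.0.0/24; change this to your own pool.
$VpnSubnet = '10.8.0.0/24'

# 1. Restrict the built-in RDP firewall rules (TCP and UDP 3389) so only VPN clients can connect.
#    Scoping the existing "Remote Desktop" group is cleaner than adding a parallel rule set.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Any -RemoteAddress $VpnSubnet

# 2. Require Network Level Authentication so credentials are validated before a session is created.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Lock local accounts after repeated failures (threshold/duration/window in minutes are assumed values).
#    Domain accounts should get the equivalent setting through Group Policy.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# 4. Verify: any RDP rule whose remote address is still "Any" is exposed beyond the VPN.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -eq 'Any' }
```

The final query should return nothing once the rules are scoped; if it lists a filter, that rule still accepts RDP from the Internet. Two-factor authentication is not something this script can switch on: it has to be enforced at the VPN gateway or through an RDP gateway in front of the hosts, which is where the remaining control from the list above belongs.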