The banking sector is increasingly being targeted by initial access brokers on the dark web, according to research by Searchlight Cyber.

The dark web intelligence company has also found evidence of insiders sharing information on their organization or being recruited by cybercriminals on the dark web, and of threat actors undertaking infrastructure reconnaissance to target financial services supply chains.

But these threats, hidden in plain sight on the dark web, also present banks with a great opportunity, the company said in a new study.

“With dark web intelligence that alerts them to potential malicious activity while criminals are still in the ‘pre-attack’ stage of their operations, security teams can adjust and improve their defenses based on what might happen in the future, not just respond to things that have happened in the past,” it said.

The research is based on an investigation by Searchlight Cyber analysts using dark web data gathered from 2020 to date.

Initial access brokers target banks

The vast majority of activity observed against the banking sector on the dark web consisted of posts from initial access brokers offering to sell access to banking systems to third-party threat actors. The researchers found a variety of types of access advertised on dark web hacking forums such as Exploit, XSS, and BreachForums.

“For security teams, data on initial access broker activity can be a valuable source of pre-attack intelligence,” the company said. The researchers also observed ransomware groups interacting with some of these posts.

Bank security teams and independent security researchers can use these posts to analyze the capabilities and assess the threat level of the actors posting and interacting with them.

Among the initial access broker posts, those offering remote network access via Remote Desktop Protocol (RDP) and virtual private networks (VPNs) were the most common.
Exploitation of privileged accounts could lead to malware or ransomware being deployed on the system, control over operating infrastructure, access to sensitive databases and file storage, and the harvesting of confidential information used to blackmail the victim into paying a ransom.

Searchlight Cyber also found several posts offering to sell web shells, which can be used to install backdoors into a compromised system, or remote code execution (RCE) access, which when exploited enables the attacker to make an application execute code of their choosing rather than what the application should be doing.

Insider threat activity on the dark web

The researchers also observed two main insider threats leveraging the dark web. In the first, employees with access to an organization’s systems advertise that access on the dark web; in the second, threat actors try to recruit malicious insiders on the dark web.

“For a security team that has to consider malicious insiders with privileged access as part of their threat model, these posts do provide a valuable starting point to investigate and mitigate the risk of compromised employees,” Searchlight Cyber said.

The cybersecurity firm advised that security teams should also be aware of, and monitoring for, employees using tools such as Tor to access dark web networks, communicate with the wider cybercriminal underworld, or leak data. “In addition to monitoring dark web forums for malicious insiders, traffic between Tor and the company network can also be used as an early warning sign of a potential insider threat,” it said.

Threat actors also use the dark web to collaborate and plan their paths of attack, and monitoring for this can provide an opportunity to stop a breach, it said.

“These two tactics are significant because they are the only ones that focus on the period of time before the network is breached,” Searchlight Cyber said.
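Searchlight Cyber's advice above is to treat traffic between the company network and Tor as an early warning sign. The Python below is an added example, not code from the original article or from Searchlight Cyber, of what that check looks like over firewall logs: it parses constructed key=value log lines (a hypothetical format, not any vendor's), keeps only flows from internal ranges to addresses on a relay list, and summarizes them per source host, escalating when the outbound volume suggests data leaving. The relay addresses are stand-ins from documentation ranges; in practice the list would be the current Tor relay consensus, refreshed regularly. The internal ranges and the size threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in relay addresses (documentation ranges), NOT real Tor relays.
# In practice, load the current relay set from the Tor consensus and refresh it.
TOR_RELAY_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Assumed corporate address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOGS = """\
ts=2024-05-01T08:01:12Z src=10.20.3.44 dst=203.0.113.10 dport=9001 proto=tcp bytes_out=51200
ts=2024-05-01T08:01:13Z src=10.20.3.44 dst=93.184.216.34 dport=443 proto=tcp bytes_out=2048
ts=2024-05-01T08:02:40Z src=10.20.3.44 dst=203.0.113.11 dport=443 proto=tcp bytes_out=734003200
ts=2024-05-01T08:03:05Z src=10.20.7.9 dst=198.51.100.7 dport=9001 proto=tcp bytes_out=4096
ts=2024-05-01T08:03:06Z src=192.168.1.5 dst=93.184.216.34 dport=80 proto=tcp bytes_out=512
ts=2024-05-01T08:04:00Z src=203.0.113.10 dst=10.20.3.44 dport=22 proto=tcp bytes_out=0
"""


def parse_line(line):
    """Parse one key=value log line into a dict; return None for malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not {"src", "dst"} <= fields.keys():
        return None
    try:
        fields["bytes_out"] = int(fields.get("bytes_out", 0))
        fields["dport"] = int(fields.get("dport", 0))
    except ValueError:
        return None
    return fields


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_tor_egress(log_text, relay_ips=TOR_RELAY_IPS, exfil_bytes=100 * 1024 * 1024):
    """Summarize connections from internal hosts to known Tor relays, per host.

    Only internal -> relay flows count: an inbound connection from a relay
    (e.g. an exit node scanning the perimeter) is a different signal.
    """
    per_host = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "relays": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_internal(rec["src"]) or rec["dst"] not in relay_ips:
            continue
        entry = per_host[rec["src"]]
        entry["connections"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        entry["relays"].add(rec["dst"])

    alerts = []
    for host, e in sorted(per_host.items()):
        alerts.append({
            "host": host,
            "connections": e["connections"],
            "bytes_out": e["bytes_out"],
            "relays": sorted(e["relays"]),
            # Assumed threshold: large outbound volume over Tor reads as a possible leak.
            "severity": "high" if e["bytes_out"] >= exfil_bytes else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_tor_egress(SAMPLE_LOGS):
        print(alert)
```

Outbound flows to relays are the signal for an employee running Tor from the corporate network; the inbound connection from a relay in the last sample line is deliberately ignored. Bridges, pluggable transports and commercial proxies do not appear on the relay list, so the absence of hits is not the absence of Tor, and a hit on a single small connection is a lead to investigate, not proof of intent.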
Banks and financial institutions should also monitor the dark web for details of key suppliers, as this can help them identify when they are being targeted by threat actors.

“For example, continuously searching for employee credentials, IP addresses, company datasets, devices, and software can alert the enterprise to suspicious activity against their supplier that may indicate a potential attack,” it said.
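The supplier monitoring described above comes down to matching a watchlist of supplier indicators against dark web listings. The Python below is an added example, not code from Searchlight Cyber or from the article, that does this over constructed forum posts: it extracts IP addresses and CIDR ranges, e-mail domains and product names from each post and matches them against a watchlist for a hypothetical supplier. The supplier name, domain, address range, product names and the posts themselves are all invented for the illustration.

```python
import ipaddress
import re

# Constructed watchlist for a hypothetical supplier (name, domain and range invented).
SUPPLIER_WATCHLIST = {
    "domains": {"acmecorebank.example"},
    "networks": [ipaddress.ip_network("198.51.100.0/24")],
    "products": {"acme ledger", "acme payment gateway"},
}

# Constructed forum posts standing in for dark web listings (not real posts).
SAMPLE_POSTS = [
    {"id": 1, "text": "Selling VPN access, internal range 198.51.100.0/24, rev ~2B, bank in EU"},
    {"id": 2, "text": "Combo list: j.doe@acmecorebank.example:hunter2 a.smith@acmecorebank.example:Winter2024!"},
    {"id": 3, "text": "RCE in Acme Ledger 4.2 admin panel, price 15k, escrow ok"},
    {"id": 4, "text": "RDP to a dentist office, 203.0.113.5, cheap"},
]

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# email:password pairs in the form combo lists are usually dumped
CRED_RE = re.compile(r"[\w.+-]+@[\w.-]+:\S+")


def _domain_matches(domain, watched):
    """Exact match or subdomain of a watched domain, case-insensitively."""
    domain = domain.lower()
    return any(domain == w or domain.endswith("." + w) for w in watched)


def match_post(post, watchlist):
    """Return sorted, deduplicated (indicator_type, value) hits for one post."""
    text = post["text"]
    hits = set()

    # IP addresses or CIDR ranges that overlap a watched network in either direction,
    # so a broad range advertised by a seller still hits a narrower watched block.
    for m in IPV4_RE.finditer(text):
        try:
            net = ipaddress.ip_network(m.group(0), strict=False)
        except ValueError:
            continue  # e.g. an octet above 255 or a bad prefix length
        if any(net.subnet_of(w) or w.subnet_of(net) for w in watchlist["networks"]):
            hits.add(("network", m.group(0)))

    # E-mail addresses on a watched domain (or a subdomain of one)
    for m in EMAIL_RE.finditer(text):
        if _domain_matches(m.group(1), watchlist["domains"]):
            hits.add(("domain", m.group(1).lower()))

    # Credential pairs only matter when they belong to a watched domain
    if any(t == "domain" for t, _ in hits) and CRED_RE.search(text):
        hits.add(("credentials", "email:password pair for watched domain"))

    # Product names, case-insensitively
    lowered = text.lower()
    for product in watchlist["products"]:
        if product in lowered:
            hits.add(("product", product))

    return sorted(hits)


def triage(posts, watchlist):
    """Return [(post_id, hits)] for every post with at least one watchlist hit."""
    results = []
    for post in posts:
        hits = match_post(post, watchlist)
        if hits:
            results.append((post["id"], hits))
    return results


if __name__ == "__main__":
    for post_id, hits in triage(SAMPLE_POSTS, SUPPLIER_WATCHLIST):
        print(post_id, hits)
```

Post 4 produces no hit because its address is outside the watched range, which is the point of matching on network membership rather than on literal strings: a seller advertising a whole /24 still matches a watched /32 inside it. Product-name matching is the noisiest of the three checks and in practice needs a review step before anything is raised to the supplier.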