Apurva Venkat
Special Correspondent

Initial access broker posts targeting banks increase on dark web

Jul 19, 2023 | 4 mins
Cybercrime, Financial Services Industry, Network Security

Financial institutions should continuously monitor the dark web to identify threats and prevent breaches, Searchlight Cyber advises in a new study.

[Image: radar grid / computer circuits / intrusion detection / scanning. Credit: Peterscode / Getty Images]

The banking sector is increasingly being targeted by initial access brokers on the dark web, according to research by Searchlight Cyber. 

The dark web intelligence company has also found evidence of insiders sharing information on their organization or being recruited by cybercriminals on the dark web, and of threat actors undertaking infrastructure reconnaissance to target financial service supply chains.

But these threats, hidden in plain sight on the dark web, also present banks with a great opportunity, the company said in a new study.

"With dark web intelligence that alerts them to potential malicious activity while criminals are still in the 'pre-attack' stage of their operations, security teams can adjust and improve their defenses based on what might happen in the future, not just respond to things that have happened in the past," it said.

The research is based on an investigation by Searchlight Cyber analysts using dark web data gathered from 2020 to date.

Initial access brokers target banks

The vast majority of activity observed against the banking sector on the dark web consisted of posts from initial access brokers offering to sell access to banking systems to third-party threat actors. The researchers found a variety of different types of access advertised on dark web hacking forums such as Exploit, XSS, and BreachForums.

"For security teams, data on initial access broker activity can be a valuable source of pre-attack intelligence," the company said. The researchers also observed ransomware groups interacting with some of these posts. 

Bank security teams and independent security researchers can use these posts to analyze the capabilities and assess the threat level of the actors posting and interacting with them. 

Among the initial access brokers' posts, those offering remote network access via Remote Desktop Protocol (RDP) and virtual private networks (VPNs) were the most common. The exploitation of a privileged account could potentially lead to malware or ransomware being deployed on the system, control over operating infrastructure, access to sensitive databases and file storage, and the harvesting of confidential information used to blackmail the victim into paying a ransom.

Searchlight Cyber also found several posts offering to sell web shells, which can be used to install backdoors into a compromised system, or remote code execution (RCE) access, which, when exploited, enables the attacker to make an application execute code they choose rather than doing what the application should be doing.

Insider threat activity on the dark web

The researchers also observed two main insider threats leveraging the dark web. In the first, employees with access to an organization's systems advertise that access on the dark web; in the second, threat actors try to recruit malicious insiders on the dark web.

"For a security team that has to consider malicious insiders with privileged access as part of their threat model, these posts do provide a valuable starting point to investigate and mitigate the risk of compromised employees," Searchlight Cyber said. 

The cybersecurity firm advised that security teams should also be aware of, and monitor, employees using tools such as Tor to access dark web networks, communicate with the wider cybercriminal underworld, or leak data. "In addition to monitoring dark web forums for malicious insiders, traffic between Tor and the company network can also be used as an early warning sign of a potential insider threat," it said.
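The Tor-traffic early-warning check described above can be implemented as a simple sweep of egress firewall logs against a list of known relay addresses. The following is an added example, not code from Searchlight Cyber or from the report; it assumes a constructed one-connection-per-line log format, uses RFC 5737 documentation addresses as a stand-in relay list (a real deployment would refresh the list from a published Tor relay directory), and treats RFC 1918 ranges as the company network.

```python
"""Flag outbound connections from the corporate network to listed Tor relays.

Added example (not Searchlight Cyber's code). Assumptions: firewall logs are
exported one connection per line in the constructed format matched by LOG_RE,
and TOR_RELAYS is maintained by the security team. The relay addresses below
are RFC 5737 documentation addresses, constructed for this example, not real
Tor relays.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Constructed relay list (documentation ranges, not real relays).
TOR_RELAYS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed internal ranges (RFC 1918) representing the company network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed log format:
#   "<timestamp> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample log: two hosts reach listed relays, one line is garbage.
SAMPLE_LOG = """\
2023-07-19T09:00:01Z ALLOW 10.1.4.22:51234 -> 203.0.113.10:9001 TCP
2023-07-19T09:00:03Z ALLOW 10.1.4.22:51236 -> 192.0.2.80:443 TCP
2023-07-19T09:00:07Z ALLOW 10.1.4.22:51240 -> 198.51.100.7:443 TCP
2023-07-19T09:01:12Z DENY 192.168.7.9:40012 -> 203.0.113.11:9001 TCP
2023-07-19T09:02:30Z ALLOW 10.2.0.5:60000 -> 192.0.2.53:53 UDP
this line is garbage and must not crash the parser
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    """True when the address falls inside one of the company's ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_tor_connections(log_text, relays=TOR_RELAYS):
    """Group connections from an internal host to a listed relay by source host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines instead of aborting the sweep
        if rec["dst"] in relays and is_internal(rec["src"]):
            hits[rec["src"]].append(rec)
    return dict(hits)


def summarize(hits):
    """Per-host summary for triage: count, whether any attempt succeeded, relays."""
    summary = {}
    for src, recs in hits.items():
        summary[src] = {
            "connections": len(recs),
            "allowed": any(r["action"] == "ALLOW" for r in recs),
            "relays": sorted({r["dst"] for r in recs}),
            "first_seen": min(r["ts"] for r in recs),
        }
    return summary


if __name__ == "__main__":
    for host, info in summarize(find_tor_connections(SAMPLE_LOG)).items():
        print(host, info)
```

Denied connections are kept in the summary on purpose: a host repeatedly attempting to reach a relay through a blocking firewall is the early warning the passage describes, and a single allowed connection to a relay port is the case that warrants an immediate look.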

Threat actors also use the dark web to collaborate and plan their paths of attack, and monitoring for this can provide an opportunity to stop a breach, it said.

"These two tactics are significant because they are the only ones that focus on the period of time before the network is breached," Searchlight Cyber said. 

Banks and financial institutions should also monitor the dark web for details of key suppliers, as this can help them identify when they are being targeted by threat actors.

"For example, continuously searching for employee credentials, IP addresses, company datasets, devices, and software can alert the enterprise to suspicious activity against their supplier that may indicate a potential attack," it said.


Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.
