Dark Web Threats: From Technical to Tactical

Posted: 29th November 2017
Dark Web Threats: From Technical to Tactical

The dark web is a mass of marketplaces and communities that can only be accessed through encrypted connections. The nature of dark web content is diverse, and the characters who live there range from those looking to purchase counterfeit goods, to drug dealers and cybercriminals. We’ll be focusing on this last category and exploring some examples of how threat actors use the dark web to conduct business, develop new threats, and trade techniques.

Selling Data and Credentials

Certain dark web marketplaces have become synonymous with the sale of credentials from large-scale hacks and data breaches. There are a few ways that unscrupulous individuals can look to profit from using these stolen credentials, including identity theft, or using email and social media accounts to defraud others. Some sellers of credentials have even specialized in trading logins for remote access to servers, or for spear phishing employees.

There’s also a market for corporate data, including intellectual property or customer information in dark web communities, and this kind of information is also sometimes made available by insiders looking to profit from their access to valuable data.

In this short video, Recorded Future’s Andrei Barysevich explains how threat actors are monetizing personal data breached from healthcare systems.

Discussing Vulnerabilities and Trading Exploits

There are a number of forums that focus specifically on discussing vulnerabilities, as well as developing and trading exploits. Recent research from Recorded Future revealed that 75 percent of all disclosed vulnerabilities will be referenced on sources like blogs, forums, social media, and the dark web before appearing on NVD (National Vulnerability Database), the official site for these announcements.

As information on new vulnerabilities is made available, they present opportunities for capable threat actors to investigate the potential to exploit them. Often, the details of these new vulnerabilities will be translated from English into languages more commonly used in criminal forums to enable faster dissemination. Proof-of-concept malware shared to code repositories like GitHub may also be publicized on dark web sites. The ultimate aim for many actors in these communities is selling zero-day or one-day exploits for these vulnerabilities. These exploits are most effective when they are fresh, so new ones that target the right technologies can earn their creators hundreds of thousands of dollars.


As vulnerabilities are weaponized and exploited, the risk of attacks and breaches increases.

The management and patching of vulnerabilities is universally acknowledged as a vital but exceptionally difficult aspect of information security. Any intelligence that helps define true risk from a vulnerability that could affect systems used in corporate organizations can be applied to make the process more effective and efficient. In many cases, the mechanics of how these vulnerabilities are ultimately commoditized are only visible in dark web communities and other unindexed areas of the open web, but the insight this intelligence can provide presents significant security benefits.


References to CVE-2017-8759 across numerous sources of intelligence.

In this example, CVE-2017-8759 is a vulnerability which affects Microsoft .NET framework. It was officially disclosed on September 12. The official disclosure appears in public and searchable sources, but it’s when the processes of exploitation and monetization for threat actors begin that references to the vulnerability become less visible. Only two days after this CVE was disclosed, proof-of-concept code started being shared to GitHub (a code repository), and an exploit builder was advertised for sale in a dark web forum. Within seven days, the vulnerability was being actively exploited in spam email attachments sent to targets in Argentina.

Recruiting Expertise and Insiders

According to Avivah Litan, a Gartner analyst who specializes in information security, “Insiders are being actively recruited by criminals operating on the dark web, according to Gartner clients. Disgruntled employees working at companies across many sectors, such as financial services, pharma, retail, tech, and government are gladly selling their services to the bad guys in order to inflict harm on their employers. Seeking harm and revenge on employers is a bigger incentive for insider threats than stealing money from employers, according to our clients.”


Threat actor with access to an insider seeks malware to infect a bank.


Recorded Future caches this information to make sure that intelligence from volatile sources isn’t lost or deleted.

Criminal forums and marketplaces are well known for facilitating all types of illicit transactions. Insider threat advertisements are frequently used by actors promoting their illicit services on dark web sites, from retail cash-out services to carding operations, to bank insiders facilitating theft. Many of these advertisements lie on closed source forum sites, requiring extensive vetting and personas to maintain persistent access.

Note: You can learn more about applying threat intelligence to insider threats by downloading our white paper, “Insider Threats to Financial Services: Uncovering Evidence With External Intelligence.”

Intelligence From the Dark Web Is an Extra Layer That Informs Risk

Collecting and analyzing available intelligence from the dark web presents a new opportunity to understand and potentially pre-empt attacks. This kind of information can be weighed in the balance to quantify risk, and ultimately, determine what action you might need to take to address it.

You can see more real-world examples of dark web intelligence and get a greater understanding of how to use the information in our white paper, “How You Can Use the Dark Web for Threat Intelligence.”