Initial Access Brokers Are Key to Rise in Ransomware Attacks
This report provides an overview of the tactics, techniques, and procedures (TTPs) that cybercriminals use on the dark web and special-access sources to compromise networks, deploy information-stealing malware, and obtain valid credentials. These threat actors, known as "initial access brokers", form a specialized sector of cybercrime that enables the large majority of ransomware attacks. This report includes information gathered using the Recorded Future® Platform, dark web sources, and open-source intelligence (OSINT) techniques. It is a high-level summary of the chain of events that enables a ransomware attack, intended to give an overview to cybersecurity professionals who lack a technical background or who work in non-technical roles.
Executive Summary
Threat actors can gain initial access to networks through infostealer malware infections, initial access brokerage services on dark web and special-access forums, or the purchase of infostealer logs from dark web shops and marketplaces. Other attack vectors, such as phishing, spearphishing, and code injection, are also common on dark web and special-access forums, but their immediate effects are often much less public and visible than the sale of compromised credentials. Using BlackMatter and Conti as examples, we examine the role of credential access in the execution of the attack, from initial access to ransomware deployment. We provide mitigations for credential breaches, infostealer malware infections, and ransomware attacks, as well as our assessment of the future of these tools and the larger ransomware threat landscape.
Key Judgments
- To conduct a successful ransomware attack, threat actors require remote access to compromised networks. The most common method by which threat actors obtain access is through the use of compromised valid credential pairs, which are often obtained via infostealer malware and sold on dark web and special-access sources.
- Compromised credentials are often sold on dark web and special-access forums and shops to ransomware affiliates, who use such access to move laterally through systems, escalate privileges, and use malware loaders to deploy ransomware.
Background
Threat actors require remote access to compromised networks to conduct successful attacks, such as malware loader deployment, data exfiltration, or espionage campaigns. These compromised access methods, often sold on dark web and special-access forums, are the work of specialized threat actors colloquially referred to as “initial access brokers” (IAB). IABs use several tools and TTPs to obtain such access, including obtaining valid credential pairs and session cookies from the successful deployment of infostealer malware, the purchase of infostealer “logs” or “bots” on dark web shops, credential stuffing, adversary-in-the-middle attacks, phishing, remote desktop protocol (RDP) “brute force guessing”, and more.
The most common credential pairs that appear for sale or auction on top-tier dark web and special-access sources, such as Exploit and XSS, are for corporate virtual private networks (VPNs), RDP services, Citrix gateways, web applications and content management systems (CMS), and corporate webmail servers (business email compromise, or BEC). Less common, but more sought-after, are ESXi root and Active Directory (AD) access methods, zero-day and n-day vulnerabilities, code injection points (HTML, SQL), and others. This report will outline the typical process by which an initial access broker obtains compromised access methods and sells them on dark web and special-access sources, and the use of such methods to conduct a successful ransomware attack.
Editor's Note: This post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.