Trustwave SpiderLabs: understanding attack trends

Ziv Mador, VP Security Research at Trustwave SpiderLabs discusses the aftermath of the takedown of the REvil ransomware group

Cyber magazine speaks to Ziv Mador, VP Security Research at Trustwave SpiderLabs.

How do cybersecurity researchers and businesses use the dark web to understand attack trends and techniques? 

While the Dark Web or Tor was originally created to protect US intelligence communications online, it has since evolved into a collaborative space and safe haven for criminals and cybercrime. In addition to the sale of illegal goods, much of the Dark Web is used to share cyberattack techniques and sell stolen data and credentials.

However, the Dark Web is also becoming a vital resource for businesses to monitor cybercriminal trends and activity to keep up with current attack methods or discover new viruses, malware or bots in order to get ahead of attackers and be prepared to combat potential malicious activity against them. Using knowledge of Dark Web hacking trends combined with known enterprise security weaknesses, security teams can test their environments to find gaps and strengthen their overall security posture. Some researchers can take it a step further and develop tools that detect exploits and block attacks as they emerge and advance their own security methods by doing so.

In addition, the Dark Web can allow businesses to monitor for breached data, including company domain names, email addresses, facility references and the names and information of executives. Not all data will necessarily show up, but it’s still worth monitoring for. CISOs and the security team can then be alerted that the company has been breached, how much data has been leaked, and then take appropriate incident response actions from there. 

We hear news about law enforcement from different countries collaborating to take down cybercriminals – can you shed some light on how that works?

Much of that collaboration is not visible outside of law enforcement agencies unless they choose to publicise it, which if they do, usually happens after the fact. 

Given how cybercrime crosses borders and often spans multiple countries, in past operations law enforcement agencies from different countries have worked together to investigate major cybercriminal activity and, if possible, confiscate equipment, arrest the people involved and bring them to justice. In many cases, one law enforcement agency provides evidence against certain cybercriminals, and the police in the country where they reside arrest them. That rarely happened when these criminals operated from Russia, so the recent operation by the Russian police and FSB was a striking change.

Furthermore, sometimes these law enforcement agencies are aided by technical data and analysis which are provided by security vendors.

Following the REvil ransomware group arrests, how did other cybercriminals react?

Back in November 2021 we started to see rumours and rumblings of cybercriminals feeling uneasy about the “secret negotiations” on cybercrime between the Russian Federation and the United States and they were urging one another to prepare for potentially serious actions from Russia. 

One commentator even went so far as to predict arrests would take place within two months. Given this prediction was made in November, it actually turned out to be fairly accurate with the arrests of the REvil group occurring in January of this year.

While monitoring the Dark Web, we noticed different chatter following the REvil group arrests. The comments posted from other cybercriminals on the Dark Web forums highlighted a general fear of being arrested, the possibility that their homeland is no longer a safe haven, and that cooperation between the US and Russia will be a problem for their operations moving forward. Some have even started discussing the positive or negative aspects of moving their operations out of Russia and into places such as India, China, the Middle East, or even Israel.  

Furthermore, while some forum members have been exchanging tips on how to stay off of law enforcement’s radar, others have been criticising REvil’s actions that led to its downfall, saying they should have been more careful rather than boasting about their accomplishments. 

Another running theme we’re seeing is cybercriminals worrying that their fellow hackers will turn on them. Through our research we saw one forum member suggest that one of the forum administrators may be working with law enforcement. Since many administrators have access to the contact information of forum members, the concern expressed here is understandable. If members do not trust each other anymore, it will be a lot harder for them to conduct business on these forums. 

Overall, this level of worry and fear expressed by Dark Web forum members is something we have not seen before. It’ll be interesting to see how long their feelings of uncertainty and fear go on for and whether it really is enough to force them out of their own country. 
