In early October 2020, Europol released its Internet Organised Crime Threat Assessment (IOCTA) 2020, detailing the latest trends and impacts of cybercrime. After reading the report, we wanted to explore some of its main points as they relate to research by Digital Shadows (now ReliaQuest). This blog revisits some of Europol's leading trends and expands on relevant research we have conducted in recent months.
More specifically, we want to dissect five findings from the report, each quoted below as a section heading:
“BEC remains an area of concern as it has increased, grown in sophistication, and become more targeted.”
For the fifth year running, BEC attacks, a specialized form of phishing, accounted for the highest reported financial loss of any cybercrime category: a whopping $1.8 billion in 2019. In July 2020, Digital Shadows (now ReliaQuest) released an extensive report on account takeover (ATO), based on analysis of more than 15 billion exposed credentials. In that report and the accompanying blog series, we explored BEC and its sheer impact on organizations.
The fallout from a credential breach extends beyond an organization to its customers. The affected accounts can hold, or have access to, incredibly sensitive information. Digital Shadows (now ReliaQuest) found that more than two million of the compromised credentials we identified contained email addresses and usernames belonging to departments that handle sensitive information, for example shared mailboxes whose address contains “invoice” or “payments”.
Email addresses containing “invoice” or “invoices” were by far the most common, accounting for about 1.3 million of the 2 million credentials. “Partners” and “payments” tied for second place, each with roughly 200,000 credentials. Just imagine the type of data sitting in accounting inboxes. An attacker who gets hold of valid credentials for such accounts can inflict untold damage: logging into internal databases, exfiltrating sensitive data, or launching social-engineering attacks from a trusted mailbox.
BEC has several variants, but in one standard method the attacker either spoofs an executive's email address or uses a compromised business email account to persuade an employee, customer, or supplier to send funds or confidential information to the phisher. While BEC is not nearly as widespread as other phishing types, the profitability of a successful attack (think millions of dollars) continues to attract cybercriminals.
Trends from 2019 revealed a significant increase in BEC attacks explicitly aimed at diverting payroll funds. It is highly likely that threat actors will continue to use this method for monetary gain in future attacks.
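The count described above can be reproduced on any credential dump with a short triage script. The following is an added example, not code from the original post or from the Digital Shadows/ReliaQuest platform: it buckets exposed credentials by the department keyword in the email local part, deduplicates mailboxes that appear in several leaks, and restricts the count to the organization's own domains. The records and the `acme.example` domain are constructed for illustration.

```python
"""Added example, not code from the original post: triage a dump of exposed
credentials by the department keyword in the email local part, reproducing
the kind of count the post describes (addresses containing "invoice",
"partners" or "payments"). The records and the acme.example domain below are
constructed for illustration."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Keywords from the post, grouped into categories. "invoices" contains
# "invoice", so a single substring per category is enough here.
SENSITIVE_KEYWORDS: Dict[str, Tuple[str, ...]] = {
    "invoice": ("invoice",),
    "payments": ("payment",),
    "partners": ("partner",),
}

EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


def split_email(email: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, domain) lower-cased, or None for malformed input.
    Plus-addressing tags (user+tag@) are dropped from the local part."""
    m = EMAIL_RE.match(email.strip().lower())
    if not m:
        return None
    local, domain = m.groups()
    return local.split("+", 1)[0], domain


def classify(email: str) -> Optional[str]:
    """Category name if the local part contains a sensitive keyword, else None
    (also None for malformed addresses). Substring matching mirrors the post's
    "addresses containing 'invoice'" criterion."""
    parts = split_email(email)
    if parts is None:
        return None
    local, _ = parts
    for category, words in SENSITIVE_KEYWORDS.items():
        if any(w in local for w in words):
            return category
    return None


def bucket_credentials(records: Iterable[Tuple[str, str]],
                       org_domains: Optional[Set[str]] = None) -> Dict:
    """Count unique exposed mailboxes per category.

    records     -- (email, password) pairs as they appear in a dump
    org_domains -- if given, only addresses on these domains are counted
    Returns counts keyed by category plus "uncategorized", the number of
    unique in-scope mailboxes, the number of skipped lines, and the list
    of high-value mailboxes for follow-up (forced reset, mailbox audit)."""
    seen: Set[str] = set()
    counts: Counter = Counter()
    high_value: List[Tuple[str, str]] = []
    skipped = 0
    for email, _password in records:
        parts = split_email(email)
        if parts is None:
            skipped += 1
            continue
        local, domain = parts
        if org_domains is not None and domain not in org_domains:
            skipped += 1
            continue
        mailbox = f"{local}@{domain}"          # dedupe: same mailbox, many leaks
        if mailbox in seen:
            continue
        seen.add(mailbox)
        category = classify(mailbox) or "uncategorized"
        counts[category] += 1
        if category != "uncategorized":
            high_value.append((category, mailbox))
    return {
        "unique_mailboxes": len(seen),
        "skipped": skipped,
        "by_category": dict(counts),
        "high_value": sorted(high_value),
    }


# Constructed sample dump (not real data). Passwords are irrelevant to the
# triage but are kept to show the input shape.
SAMPLE_DUMP = [
    ("invoices@acme.example", "Summer2019!"),
    ("Invoices@acme.example", "Winter2020!"),       # same mailbox, second leak
    ("invoice.desk@acme.example", "hunter2"),
    ("ap-payments+vendor@acme.example", "p@ssw0rd"),
    ("partners@acme.example", "Partner123"),
    ("alice.smith@acme.example", "qwerty"),
    ("support@acme.example", "letmein"),
    ("invoices@other.example", "notours"),          # out of scope
    ("garbage line without an at sign", "x"),       # malformed
]

if __name__ == "__main__":
    result = bucket_credentials(SAMPLE_DUMP, org_domains={"acme.example"})
    for category, n in sorted(result["by_category"].items(), key=lambda kv: -kv[1]):
        print(f"{category:14s} {n}")
    print("follow up:", result["high_value"])
```

Deduplicating on the mailbox rather than on the raw line matters: the same invoicing address typically shows up in many combo lists with different passwords, and counting lines instead of mailboxes inflates the numbers. The `high_value` list is what a security team would act on first, since those are the accounts the post describes as attractive for BEC.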
“Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy-oriented crypto coins and services.”
Over the past ten years, cryptocurrencies have become the go-to form of payment for the less law-abiding citizens of the world, thanks to the perceived anonymity they offer. (Bitcoin is in fact pseudonymous: every transaction is recorded on a public ledger, and the challenge for investigators is linking addresses to people.) The now-defunct dark web marketplace Silk Road pioneered Bitcoin's use back in 2011, and other cybercriminal platforms soon followed. Even today, the use of cryptocurrencies shows no sign of abating; Forbes reported that the total value of Bitcoin transacted on the dark web grew by 340% over the past three years, with an increase of 65% in the past year alone.
While Bitcoin has generally been the most popular cryptocurrency among cybercriminals since its launch in 2009, several thousand alternative cryptocurrencies (“altcoins”) have been created in the intervening years, and names such as Litecoin, Ethereum, and Monero have become familiar terms in the dark web scene. Monero, in particular, has posed a real challenge to Bitcoin's crown since its creation in 2014, largely because of its privacy-by-default design and the growing demand for anonymity. As the original decentralized cryptocurrency, Bitcoin has been the staple of the cryptocurrency world since the beginning. That head start brought media exposure and time to become the majority's go-to cryptocurrency: it is popular, easy to obtain, and accepted across an array of platforms. A textbook case of supply and demand. However, Bitcoin's exposure has come at the cost of anonymity, as law enforcement has become more adept at tracing transactions on its public blockchain.
As the most widely used privacy-focused cryptocurrency on the market, Monero has offered a haven for threat actors who recognize Bitcoin's value but also its weaknesses of exposure and traceability; it is seen as the way forward for a more anonymous and secure payment method. As demand for Monero has increased, vendors and cybercriminal platforms have reacted accordingly. High-profile takedowns of forums and marketplaces also suggest that anonymity and security may need to take precedence over ease of access and usability if cybercriminals want to improve their operational security. Still, Monero might not be the answer the cybercriminal community has been looking for: after six years on the market it has yet to reach Bitcoin's level of exposure, and recent reports that Monero transactions may be traceable to some degree might slow its surge in popularity.
Bitcoin remains the most accessible and widely accepted cryptocurrency within the dark web community and is not likely to go away anytime soon, primarily because of its market share and the visible effort by threat actors to develop methods, tools, and services to secure their Bitcoin transactions. The case of Monero shows that an array of alternative cryptocurrencies is lining up which, if they strike the right balance of demand and security, might eventually topple Bitcoin from the top. But only when the cybercriminal community fully unites behind more anonymous and secure cryptocurrencies such as Monero will we begin to see a real shift.
“Ransomware remains the most dominant threat as criminals increase pressure by threatening publication of data if victims do not pay.”
Ransomware continues to be a thorn in everyone's side, and attacks have evolved over the years to become impressively sophisticated and targeted. Where ransomware was once primarily a threat to consumers (the “spray and pray” method), threat actors have switched gears to methodically target businesses, likely because of the sheer profitability of holding employee data and proprietary information hostage. While 2019 was a big year for ransomware, including the retirement of GandCrab, the rise of Sodinokibi (REvil), and persistent attacks across sectors by variants like Ryuk, 2020 has proven even more volatile for organizations facing ransomware threats.
Ransomware operators have realized that there are alternative ways of monetizing the data they have encrypted, which pressure companies more effectively into paying: steal the data before encrypting it, then threaten to publish it. This has led to the emergence of many ransomware data-dump sites. This “pay or get breached” trend, combined with a surge in new variants, makes ransomware an understandably pressing topic right now. Digital Shadows (now ReliaQuest) tracks a large number of ransomware dump sites. Unsurprisingly, the security teams we work with need this visibility to understand whether their suppliers have been named on any of these ransomware blogs. Almost 80% of the intelligence tippers Digital Shadows (now ReliaQuest) issues on this topic are associated with just four ransomware data-dump blogs: Conti, NetWalker, Sodinokibi, and Maze.
As criminals shift to targeting businesses with enterprise-crippling ransomware, organizations will have to plan strategically for the real possibility of falling victim. With the pay-or-get-breached model now established, organizations will also have to handle ransomware incidents as data breaches. In the coming months and years, ransomware operators will almost certainly continue to use multiple initial access vectors, including vulnerability exploitation, spearphishing, and brute-force techniques, to gain a foothold, steal sensitive data, and extort payment.
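The supplier check mentioned above is easy to get wrong because leak sites and procurement lists spell company names differently. The following is an added example, not code from the original post or from the Digital Shadows/ReliaQuest platform: it matches victim entries scraped from dump sites against a supplier list using normalized names (case, punctuation, accents and legal suffixes removed) and, where the post includes one, the victim's domain. Supplier names, domains and post entries are constructed for illustration; only the four site names come from the text above.

```python
"""Added example, not code from the original post: check whether any of an
organisation's suppliers has been named on a ransomware data-dump site. The
matching is suffix- and punctuation-insensitive so that "ACME Widgets, Inc."
and "Acme Widgets Inc" line up, and it also matches on the victim's domain
when the leak post includes one. Supplier names, domains and the posts are
constructed for illustration; only the four site names come from the post."""
import re
import unicodedata
from typing import Dict, List, Tuple

# Legal-form suffixes that leak posts and supplier lists write inconsistently.
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "limited", "corp", "corporation", "co",
                  "company", "gmbh", "plc", "sa", "ag", "group", "holdings"}


def normalize_name(name: str) -> Tuple[str, ...]:
    """Lower-case, strip accents and punctuation, drop legal suffixes.
    Falls back to the full token list if nothing but suffixes remains."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    core = tuple(t for t in tokens if t not in LEGAL_SUFFIXES)
    return core or tuple(tokens)


def clean_domain(domain: str) -> str:
    """Lower-case, trim, drop a leading 'www.'; empty string if absent."""
    d = (domain or "").strip().lower()
    return d[4:] if d.startswith("www.") else d


def find_supplier_mentions(posts: List[Dict[str, str]],
                           suppliers: List[Dict[str, str]]) -> List[Dict]:
    """Return one record per (post, supplier) pair that matches by normalized
    name and/or by domain, with the evidence that triggered the match."""
    matches = []
    for post in posts:
        victim_key = normalize_name(post["victim"])
        victim_dom = clean_domain(post.get("domain", ""))
        for s in suppliers:
            evidence = []
            if victim_key == normalize_name(s["name"]):
                evidence.append("name")
            if victim_dom and victim_dom == clean_domain(s.get("domain", "")):
                evidence.append("domain")
            if evidence:
                matches.append({"supplier": s["name"], "site": post["site"],
                                "victim_as_posted": post["victim"],
                                "evidence": evidence})
    return matches


# Constructed supplier list (third parties the organisation depends on).
SUPPLIERS = [
    {"name": "ACME Widgets, Inc.", "domain": "acmewidgets.example"},
    {"name": "Globex Corporation", "domain": "globex.example"},
    {"name": "Initech LLC", "domain": "initech.example"},
]

# Constructed entries as a scraper might collect them from dump sites.
DUMP_SITE_POSTS = [
    {"site": "Conti", "victim": "Acme Widgets Inc", "domain": ""},
    {"site": "Maze", "victim": "GLOBEX", "domain": "www.globex.example"},
    {"site": "NetWalker", "victim": "Umbrella Pharma", "domain": "umbrella.example"},
    {"site": "Sodinokibi", "victim": "Initech", "domain": ""},
    {"site": "Maze", "victim": "Acme Widget", "domain": ""},   # near miss, not matched
]

if __name__ == "__main__":
    for hit in find_supplier_mentions(DUMP_SITE_POSTS, SUPPLIERS):
        print(f"{hit['site']:11s} names supplier {hit['supplier']!r} "
              f"(posted as {hit['victim_as_posted']!r}, evidence: {', '.join(hit['evidence'])})")
```

The last entry ("Acme Widget" versus "Acme Widgets") is deliberately left unmatched: exact token comparison keeps false positives out of a feed that triggers supplier outreach, and a fuzzy second pass (token similarity or edit distance) is the usual next step for reviewing near misses by hand rather than alerting on them automatically.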
“The dark web environment has remained volatile, life cycles of dark web marketplaces have shortened, and no clear dominant market has risen over the past year compared to previous years to fill the vacuum left by the takedowns in 2019.”
We have said time and again that cybercriminal marketplaces and forums are incredibly volatile. In September 2020, a joint international operation resulted in the arrest of 179 individuals and the seizure of USD 6.5 million and 500 kilograms of illicit substances. The success of Operation DisrupTor (pause to appreciate the name) elicited strong words from the head of Europol's European Cybercrime Centre (EC3): “the hidden internet is no longer hidden, and your anonymous activity is not anonymous,” followed by Europol's claim that “the golden age of the dark web marketplace is over.”
The news prompted a retrospective look at the history of dark web marketplaces, a wander down dark web memory lane if you will. How can one forget Silk Road and the “Dread Pirate Roberts”? Launched in February 2011, Silk Road was one of the first dark web marketplaces to conduct sales using the then-strange concept of Bitcoin. It quickly gained notoriety and popularity, but popularity drew attention from criminals and law enforcement alike. In 2013 the FBI seized Silk Road, and in the wake of its demise dark web marketplaces took off. Its founder, Ross Ulbricht (“Dread Pirate Roberts”), received a life sentence, likely intended as a deterrent. Still, some reports claim that dark web activity and drug listings multiplied after Silk Road's fall.
We have observed many dark web forums and marketplaces disappear through platform attrition, technological pitfalls, security errors, exit scams, and law enforcement takedowns, including the Agora marketplace, AlphaBay, Hansa, Dream Market, Wall Street Market, and more recently the Apollon and Empire markets.
Clearly, there is a pattern: a dark web marketplace is created, becomes popular, and is taken down; rinse and repeat. While Operation DisrupTor was in many ways a success and a landmark for law enforcement activity against dark web marketplaces, the belief that the “golden era” of dark web markets is over is a bit far-fetched. It would be naive to assume that cybercriminals are unaware of law enforcement maintaining a presence in these forums and marketplaces. That presence does not stop them, because the risk of being caught does not, and likely will not, outweigh the monetary reward. Historically, seizures of dark web marketplaces and marketplace exit scams have consistently resulted in a successor quickly taking over as top dog.
“The nature of the dark web community at administrator-level shows how adaptive it is under challenging times, including more effective cooperation in the search for better security solutions and safe dark web interaction.”
The dark web is incessantly plagued by DDoS attacks that knock cybercriminal forums and marketplaces offline, whether the attackers are motivated by an extortion pay-day, rival platforms disrupting their competition, or law enforcement trying to disable the platform. In May 2020, a moderator of the Dread forum announced a DDoS protection filter called “EndGame” that would be free for the community. In a nutshell, EndGame is a collection of tools designed to filter DDoS traffic at the front end of dark web services (and for anyone else who might be interested). The collaborative effort to find a solution to an ongoing problem indicates the community's intent to stop DDoS attacks against dark web services once and for all. While we cannot tell whether EndGame will eradicate DDoS activity across the dark web, a tool set offering a number of features, customizations, and solutions puts the scene in a much better position than before.
In November 2019, a dark web search engine called “Kilos” emerged from the depths of the cybercriminal underground, ostensibly to become the new heavyweight champion of search engines for cybercriminal marketplaces, forums, and illicit products. Kilos recognized the need to stand out from the crowd and make an entrance that would not be forgotten. Kilos possibly evolved from the well-known dark web search engine “Grams,” which ceased operations in 2017. Both imitate Google's renowned design and functionality, and in a clever play on words both follow a naming convention inspired by units of measure. Since going online in November 2019, Kilos appears to have indexed more platforms and added more search functionality than Grams ever did. Kilos has also introduced updates, features, and services that aim to ensure security and anonymity for its users and add a more human element not previously seen on other prominent dark web search engines.
In response to law enforcement coalitions tracking down vendors on marketplaces, marketplace administrators may adopt more security-aware practices, such as mandating PGP encryption for messages, two-factor authentication (2FA) for accounts, and Monero (XMR) for payments to avoid tracking. Ultimately, cybercriminal marketplaces still have a purpose, even if it ends up in a different guise from today's. While this may be the end of the golden era of marketplaces as we currently know them, vendors will still need to advertise on an open platform to reach as many buyers as they can.
We’ll see what they come up with next.
Interested in learning more about BEC, ransomware, and dark web forums and marketplaces? Trust us, there's plenty more to unpack. Join us at the Digital Shadows (now ReliaQuest) Resources Center!