Enterprise under attack: Dark web cyber criminals sell hacking tools aimed at business

Dark web listings of malware aimed at companies are on the rise.
Written by Danny Palmer, Senior Writer

There's been a significant rise in the number of dark web listings for malware and other hacking tools which target the enterprise, and an increasing number of underground vendors are touting tools that are designed to target particular industries.

A study by cybersecurity company Bromium and criminologists at the University of Surrey involved researchers studying underground forums and interacting with cyber-criminal vendors. The study found that the dark web is fast becoming a significant source of bespoke malware.

In many cases, the dark web sellers demonstrated intimate knowledge of email systems, networks and even cybersecurity protocols in a way that suggests they themselves have spent a lot of time inside enterprise networks, raising questions about security for some companies.

"What surprised me is the extent you could obtain malware targeting enterprise, you could obtain operational data relating to enterprise," Mike McGuire, senior lecturer in Criminology at the University of Surrey and author of the study, told ZDNet.

"There seems to be an awareness and sophistication among these cyber criminals, to go for the big fry, to go where the money is, as a criminal, and the enterprise is providing that," he said, adding: "What surprised me is just how easy it is to get hold of it if you want to."

McGuire and his team interacted with around 30 sellers on dark web marketplaces – sometimes on forums, sometimes via encrypted channels, sometimes by email – and the findings have been detailed in the Behind the Dark Net Black Mirror report.

The study calculated that since 2016, there's been a 20 percent rise in the number of dark web listings that have the potential to harm the enterprise.

Malware and distributed denial of service (DDoS) form almost half of the attacks on offer – a quarter of the listings examined advertised malware and one in five offered DDoS and botnet services. Other common services targeting enterprises that were for sale include espionage tools, such as remote-access Trojans and keyloggers.

In many cases, attackers are specifically advertising their products as a means of compromising enterprises. For example, researchers found listings for Nuke malware being advertised in this way – a particularly worrying example because of how destructive it can be.

Not only does it allow users to open remote sessions and effectively take over an infected machine, it can bypass many kinds of Windows firewall protections used by the enterprise. On several Russian-language forums, Nuke is actively being advertised as an ideal attack tool for use against enterprise networks.

While all sectors are targeted by hackers, banking and finance were the most likely to be targeted by dark-web sellers – 35% of listings were for malicious tools specifically designed to target banks; e-commerce accounted for 20% of listings. Malware designed to work against healthcare, education and media targets was also found to be prominently advertised.

The study also investigates vendors offering access to specific enterprise networks, whether via malware, stolen admin credentials or other backdoors into systems, such as exposed remote-desktop protocol access.

Over 60 percent of sellers were offering access to more than ten business networks – in some cases, the credentials were offered for as low as $2.

However, while posing as a potential buyer, researchers found that just under half of dark web sellers claimed they could offer services that specifically target FTSE 100 or Fortune 500 companies – depending on the company involved, these services were offered for as little as $150 and as much as $10,000.

"You can buy tailored malware where people had obviously got an understanding about a particular network, its functions, its protections – and it isn't necessarily zero-days, it's an interesting combination of human-backed cybercrime and some of this more refined software," said McGuire.

Gregory Webb, CEO of Bromium, told ZDNet that large enterprises should have eyes on the dark web, allowing them to see if criminals are talking about their network – and what malware and attacks are targeting them.

"It is a dark and strange place – but enterprise needs to be aware of it," he said. "The more you familiarize yourself with that environment, the better cybersecurity you'll end up having."