By monitoring the darknet and underground forums, Cynet is able to identify and prepare for the latest cybersecurity threats before they reach critical levels.
By Eyal Gruner, Co-Founder and CEO of Cynet
Data breaches are far from new, but the scale of attacks and the sophistication of the attackers have reached new levels in recent years. Since the pandemic, with the rise of remote work and work-from-home setups, compromised credentials became the most common initial access vector for data breaches in 2022, according to IBM's Cost of a Data Breach report, fueling a wave of attacks. Because of the anonymity it offers, the darknet is fertile ground for bad actors looking to buy, sell, and trade large datasets of credentials that can be used to access accounts and systems that nobody has locked down.
The alarming rise in compromised credentials led Cynet to launch its Lighthouse Service, which monitors underground forums, private groups, and malicious servers for evidence of compromised credentials belonging to a customer's environment, taking its MDR team (CyOps) into the darknet and underground forums to search for potential threats before they become full-on attacks. Unlike traditional darknet monitoring services, Cynet focuses primarily on credential theft monitoring because of the swift rise in leaked credentials.
A Primer on the Darknet and Underground Forums
Unlike the internet we all use to work, shop, and connect online, the darknet cannot be reached with an ordinary browser: users must install the Tor Browser or comparable software, and reaching a given site often requires specific configurations or an invitation. Because Tor routes traffic through a chain of relays that hides the link between a visitor's IP address and the site being visited, the darknet offers a degree of anonymity that makes it a prime location for illegal activity. Industry analysts estimate that the darknet accounts for 4% to 6% of internet content, with as many as three million users per day.
But the darknet is not the only gathering spot for cybercriminals. The internet we use on a daily basis (the clearnet) also houses underground forums that fuel and empower threat actors. The now-seized "RaidForums" and its successor, "Breached," are two popular sites that could be reached with a common web browser. While the sites themselves were public, most of their content was not: many underground forums are closed to the general public and require a certain level of "street cred" within the hacker community to enter. To gain access, users often must be known on other, similar forums or have established members vouch for them. Another option is to pay for access.
Because these forums still rely on anonymity, the communities have developed an ecosystem in which users buy forum credits and convert them into the currency used to purchase databases, services, and malware posted on the forums.
By monitoring these forums, along with conversations and activity happening across the darknet, Cynet’s research team is able to access the very places where threat actors share information, data, and malware with each other.
Things You Learn about Cybersecurity While Monitoring the Darknet
One of the primary cybersecurity insights Cynet has gained through its Lighthouse Service is that there is an enormous market for "info stealer" malware (malicious software that harvests saved browser passwords, session cookies, and other personal information from an infected computer). Once upon a time, hackers were heavily focused on attacking banking and financial information, but that is no longer the case. Cybercriminals are using info stealer malware to collect compromised credentials for organizations of every kind, actively planning large, sophisticated campaigns against the assets of both enterprises and small to midsize businesses.
This malicious activity has led to an entire ecosystem of compromised credentials available on darknet marketplaces in the last few years. And it is not just info stealer malware that is causing serious concern among cybersecurity professionals. Hackers are still leaning heavily on the tools they have used since the dawn of cybercrime: ransomware, Trojans, spyware, and adware, to name a few.
Lighthouse Services: An Additional Layer of Cybersecurity Protection for the Security Teams That Need It Most
No matter how effective your cybersecurity solution may be, company assets can still be compromised when they are used outside the organization's security boundaries. When business devices (laptops, phones, and tablets) are not secured by the organization's EDR or XDR platform, they create a blind spot for the team charged with safeguarding the business. While security professionals are monitoring their networks for attacks, an attacker can simply walk through the perimeter using compromised credentials.
Cynet's Lighthouse Service helps prevent these attacks by monitoring daily activity in underground communities, hunting for new threats and pinpointing leaked credentials. Lighthouse's capabilities allow Cynet to link any compromised credentials it finds to the host computer they were stolen from, so it can help its clients identify the exact device that was compromised rather than trying to work out which user was connected to the affected assets.
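The linkage described above, from a leaked credential back to the device it was stolen from, is possible because info stealer logs are typically sold as per-host bundles that carry the victim's hostname alongside each saved login. The following script is an added example, not Cynet's code or any part of the Lighthouse Service: it parses a constructed stealer-log export (the `HOST:` / `URL:` record layout is an assumption; real dumps vary by malware family), keeps only records that touch the monitored domains, groups them by host so the responder knows which device to isolate, stores a fingerprint instead of the plaintext password, and flags corporate passwords that were also saved for unrelated third-party sites, since resetting the corporate account alone does not contain those.

```python
"""Triage a constructed info stealer log export against monitored domains.

Added example (not Cynet's code). The record format below is assumed;
stealer dumps differ by family, so only the parsing layer would change.
"""
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export: three infected hosts, one saved login per URL line.
SAMPLE_LOG = """\
HOST: DESKTOP-7K2P1Q | OS: Windows 10 | CAPTURED: 2023-02-14T08:31:00Z
URL: https://mail.example-corp.com/owa/ | USER: j.doe@example-corp.com | PASS: Winter2023!
URL: https://www.streaming-site.test/login | USER: jdoe77 | PASS: Winter2023!
HOST: LAPTOP-A1B2C3 | OS: Windows 11 | CAPTURED: 2023-02-15T19:02:44Z
URL: https://vpn.example-corp.com/ | USER: a.smith | PASS: Spring!2023
URL: https://sso.example-corp.com/adfs/ls/ | USER: a.smith@example-corp.com | PASS: Spring!2023
HOST: HOME-PC | OS: Windows 10 | CAPTURED: 2023-02-16T02:10:09Z
URL: https://shop.retailer.test/account | USER: someone@gmail.test | PASS: pw123
"""

MONITORED_DOMAINS = {"example-corp.com"}  # assumption: the customer's own domains


def _field_map(line):
    """Split 'KEY: value | KEY: value' into a dict. Splitting on ' | ' and
    ': ' (colon-space) keeps URLs and timestamps, which contain bare ':', intact."""
    out = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        out[key.strip()] = value.strip()
    return out


def parse_stealer_log(text):
    """Return one record per saved login, each tagged with its host metadata."""
    records, host = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = _field_map(line)
        if "HOST" in fields:
            host = {"host": fields["HOST"], "os": fields.get("OS", ""),
                    "captured": fields.get("CAPTURED", "")}
        elif "URL" in fields and host is not None:
            records.append({**host, "url": fields["URL"],
                            "user": fields.get("USER", ""),
                            "password": fields.get("PASS", "")})
    return records


def _in_scope(hostname, monitored):
    """True if hostname equals a monitored domain or is a subdomain of one."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in monitored)


def record_in_scope(rec, monitored):
    """A record matters if the site or the account's e-mail domain is monitored."""
    url_host = urlsplit(rec["url"]).hostname or ""
    user_domain = rec["user"].rpartition("@")[2] if "@" in rec["user"] else ""
    return _in_scope(url_host, monitored) or bool(user_domain and _in_scope(user_domain, monitored))


def credential_fingerprint(user, password):
    """Short hash so findings can be deduplicated and shared without the plaintext."""
    return hashlib.sha256(f"{user.lower()}\x00{password}".encode()).hexdigest()[:16]


def triage(records, monitored):
    """Group in-scope findings by the infected host, which is the unit to isolate."""
    by_host = defaultdict(list)
    for rec in records:
        if record_in_scope(rec, monitored):
            by_host[rec["host"]].append({
                "url": rec["url"], "user": rec["user"], "captured": rec["captured"],
                "fingerprint": credential_fingerprint(rec["user"], rec["password"]),
            })
    return dict(by_host)


def reuse_outside_scope(records, monitored):
    """(host, corporate user, third-party URL) where the same password was saved
    for an unmonitored site on the same host: a reset of the corporate account
    does not remove that copy, and the user should be told to change it too."""
    hits = []
    for rec in records:
        if not record_in_scope(rec, monitored):
            continue
        for other in records:
            if (other["host"] == rec["host"] and other["password"] == rec["password"]
                    and not record_in_scope(other, monitored)):
                hits.append((rec["host"], rec["user"], other["url"]))
    return hits


if __name__ == "__main__":
    recs = parse_stealer_log(SAMPLE_LOG)
    for host, findings in sorted(triage(recs, MONITORED_DOMAINS).items()):
        print(f"{host}: isolate and re-image; reset {len(findings)} account(s)")
        for f in findings:
            print(f"  {f['user']} @ {f['url']} captured {f['captured']} fp={f['fingerprint']}")
    for host, user, url in reuse_outside_scope(recs, MONITORED_DOMAINS):
        print(f"REUSE: {host} {user} password also saved for {url}")
```

Only in-scope findings are kept in the triage output, and the password leaves the script as a fingerprint; the plaintext is needed only long enough to compute the fingerprint and the reuse check, which is the pattern to keep when a real feed is plugged into the parsing layer.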
Another worthy mention is Cynet's research team (Orion), which tracks new techniques and malware. The combination of Lighthouse and the Orion team's efforts helps ensure that Cynet customers are protected both inside the organization's perimeter and outside it, and Cynet can implement new detections to stop related attacks. Not only have Cynet customers gained an added layer of protection, Cynet is also able to assist organizations that are not Cynet users, notifying multiple global CERT teams about critical-infrastructure credentials it has found on the darknet and in underground communities.
As part of the cybersecurity industry, Cynet's ultimate goal is to create a safer world for companies and consumers alike. Its Lighthouse Service is another layer of defense beyond the perimeter, going into the darkest places online so that customers don't have to.
About the Author
Eyal Gruner is the Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel's leading cyber consultancy, and of Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank's ATM to demonstrate the weakness of its security, and he has been recognized in Google's Security Hall of Fame.