According to Kaspersky's Digital Footprint Intelligence (DFI) report for the Asia Pacific region, ads for breached databases account for 95% of all dark web advertisements in the region. Singapore and Australia have by far the largest markets for breached data when the number of orders is weighted by GDP (gross domestic product).
The report's findings can help businesses and countries monitor external threats and stay abreast of potential cybercriminal activity, including topics discussed on the Dark Web.
The Kaspersky Digital Footprint Intelligence service monitors external data sources, including dark web sources, and provides insight into cybercriminal activity across the different stages of the attack lifecycle. In the second part of the report, the company presents the results of its dark web analysis.
When analyzing an organization's digital footprint, two main types of data were found: fraudulent activity and cyberattack traces. While Kaspersky found many signs of fraud, the focus in the report remains on attack detection.
Dark web activity related to the impact of attacks (ads selling data breaches and compromised data) dominated the statistics; such ads accumulate over time as cybercriminals sell, resell and repackage compromised data from past incidents.
Phase 1: Creating the Demand to Buy Access
Ads from cybercriminals looking to buy access found a large market. Businesses from Australia, India, China and Pakistan were the primary targets of these attack preparations; these countries accounted for 84% of the ads in the attack preparation category.
Pakistan and Australia attract significant interest, as evidenced by the number of orders weighted by their gross domestic product (GDP).
Relative to its infrastructure, commerce and industrialization, China received less attention. This may be due to the language barrier and the complexity of layered network access in that country/region.
An order to purchase access is a request to buy access to a specific business, or to businesses in a specific industry, region or list.
An order to purchase insider services, by contrast, is a request to buy services that could lead to credential or data leakage within the enterprise, or to obtain a source for information gathering (e.g., destruction of PII data upon request).
The most significant findings concern the execution phase of the attack: manual analysis indicates that the adversary has the ability to access, or has already accessed, the organization's network or services, but has not yet had an impact on the business. Among dark web advertisements showing ongoing attacks, Australia, India, mainland China and the Philippines accounted for 75% of those detected by Kaspersky.
Phase 2: Access Acquired and Ready for Execution
Evidence was found that the attackers had the ability or authority to access the organization's systems or services, but no business impact had yet occurred. For ads on the dark web, this means that the access stage of the attack is complete; Australia, India, China and the Philippines accounted for 75% of the ads detected by Kaspersky.
Such ads fall into three permission types.
Initial access brokers - orders offering access to specific businesses, or bulk access to businesses grouped by industry and/or region.
Insider sales orders - insiders offering services that could lead to credential leaks, information-gathering sources, or data breaches. The source is usually a staff member within the enterprise.
Malware distribution - credential-stealing malware harvests credentials, which are then resold as data or as account usernames and passwords.
Businesses in the Philippines, Pakistan, Singapore, Australia and Thailand were the most attacked on a GDP-weighted basis.
The Philippines, India and mainland China dominate the dark web services market with 82% of the order turnover.
Phase 3: Data Breach and Data Sale
Once a data breach occurs, both sales and free access to stolen information follow. Indicators of a breach can be data leaks as well as internal activity orders - sales or free access to internal data, including but not limited to databases, confidential documents, PII, credit cards, VIP information, financial data, etc.
Hacker groups from Australia, mainland China, India and Singapore accounted for 84% of all data breach sales on the dark web.
Singapore and Australia are the two largest markets for leaked data sold on the Dark Web in terms of the number of orders weighted by GDP.
It should be noted that organizations in the Philippines, Pakistan and Thailand were among the most targeted in the attack preparation and execution phases, yet their number of data breaches was comparable to the other countries in the middle group.
Chris Connell, Managing Director of Kaspersky Asia Pacific, said, "The dark web cybercrime activity beneath the surface of the web is clearly very busy. From attack preparation and execution, to the impact of data breaches, to the sale and resale of stolen information, these functional malicious activities pose a serious threat to businesses and organizations in the Asia Pacific region."
"Selling data and getting inside a company's network often go hand in hand. This means that a successful attack on your business could be two-fold. Your confidential information can be stolen and sold, and cybercriminals can unlock and make your infected systems available to additional malicious hacking groups. Facing multiple attacks requires proactive defense, including robust incident response and dark web monitoring capabilities through real-time, in-depth threat intelligence reporting."
Cybercriminals on the dark web often sell remote access via RDP. To protect your company's infrastructure from attacks on remote access and management services, ensure that connections over this protocol are secured by:
Granting access to services such as RDP only through a VPN
Using strong passwords and network-level authentication (NLA)
Using two-factor authentication for all services
Monitoring for data leaks; Kaspersky Threat Intelligence provides dark web monitoring services.
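The first two recommendations above can be applied and checked from an elevated PowerShell session. The script below is an added example and is not part of the Kaspersky report or any Kaspersky tool; it audits the RDP listener for Network Level Authentication and TLS, then replaces the built-in "Remote Desktop" firewall rules (which allow TCP/3389 from any address) with a rule that only admits the VPN client range. The VPN subnet 10.8.0.0/24, the rule name "RDP from VPN only" and the function names are assumptions for illustration. Two-factor authentication for RDP requires an external authentication provider and is not covered here.

```powershell
# Added example, not from the Kaspersky report: audit and harden the RDP listener on a
# Windows host so that NLA is required and TCP/3389 is reachable only from the VPN subnet.
# ASSUMPTION: the VPN client address range is 10.8.0.0/24; adjust for your environment.
# Run in an elevated PowerShell session.

$VpnSubnet = '10.8.0.0/24'   # assumed VPN address range
$RdpTcp    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpHardeningState {
    # Read the two listener settings that matter here:
    #   UserAuthentication = 1  -> Network Level Authentication required
    #   SecurityLayer      = 2  -> TLS required for the RDP connection
    $p = Get-ItemProperty -Path $RdpTcp
    [pscustomobject]@{
        NlaRequired = ($p.UserAuthentication -eq 1)
        TlsRequired = ($p.SecurityLayer -eq 2)
        VpnOnlyRule = [bool](Get-NetFirewallRule -DisplayName 'RDP from VPN only' `
                                 -ErrorAction SilentlyContinue)
    }
}

function Set-RdpHardening {
    # Require NLA so a client must authenticate before a session is created,
    # and require TLS for the transport.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Value 2 -Type DWord

    # Weak setting: the built-in "Remote Desktop" rule group allows 3389 from any address.
    # Corrected setting: disable those rules and allow 3389 only from the VPN subnet.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    if (-not (Get-NetFirewallRule -DisplayName 'RDP from VPN only' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'RDP from VPN only' `
            -Direction Inbound -Protocol TCP -LocalPort 3389 `
            -RemoteAddress $VpnSubnet -Action Allow -Profile Any | Out-Null
    }
}

'Before:'; Get-RdpHardeningState
Set-RdpHardening
'After:';  Get-RdpHardeningState
```

Run Get-RdpHardeningState on its own to audit a host without changing it; all three fields should be True on a host that follows the recommendations above.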
Kaspersky's key findings
Kaspersky Digital Footprint Intelligence discovered 103,058 unpatched exposed web services. Government agencies' network resources are most affected by known vulnerabilities.
More than one-tenth of the vulnerabilities encountered in an organization's external boundaries were ProxyLogon. In Japan, this vulnerability was found in 43% of the unpatched services.
16,003 remote access and management services were exposed to attackers. Government agencies are the most affected organizations.
On the Dark Web, hackers prefer to buy and sell access to businesses from Australia, mainland China, India and Japan.
Australia, mainland China, India and Singapore accounted for 84 percent of all data breach sales orders on dark web forums.