Selling access to corporate infrastructure is one of the most popular topics on Darknet forums currently, accounting for 12% of all messages in trade forum sections analysed.

This is according to Yuliya Novikova, head of security services analysis at Kaspersky, who recently presented a webinar titled ‘Dark market for corporate data: how cybercriminals sell access to your company’.

“The motivation is purely financially driven. For cybercriminals, it comes down to making as much profit as possible from the initial access gained. They sell anything from valid credentials and user and admin cookies for Web panels to details on remote command execution vulnerabilities and access to an already uploaded Web shell,” she says.

Typically, there are three ways these malicious users gain access. First, they exploit vulnerabilities: unpatched software, misconfigured services, zero-day flaws, and known vulnerabilities in Web applications. Second, phishing, which is the most common form of attack. This takes the form of business correspondence from partners, emails about undelivered messages asking users to visit an ‘email portal’ to retrieve them, fake notifications about meetings in Microsoft Teams, messages about important documents sent via SharePoint, and even COVID-related emails.

The third way attackers gain access is infection with a data stealer. Here, malware infects a user’s device and intercepts data. The stolen data is collected into logs, which are published on Darknet forums and sold there. Malicious users look for virtually any kind of data to steal: payment and personal data, domain credentials, credentials for third-party services, social network accounts, and authorisation tokens.

“Upon analysing nearly 200 posts on the Darknet where initial access to companies’ data was being offered, we found that 75% of the posts offered the initial access through Remote Desktop Protocol (RDP), each with different privileges ranging from domain admin and local admin to regular user rights. With remote working now a reality for many companies, where companies have introduced RDP to enable computers on the same corporate network to be linked together and accessed remotely, this finding is a cause for concern,” Novikova says.

In South Africa, Kaspersky’s research shows that RDP attacks are a growing threat, with what the company considers a high hit rate of such attacks in the country.

Novikova adds: “Kaspersky has noted how significant the demand for corporate data on the black market is. With our research showing a large portion of initial access to companies’ data being offered via RDP, we are stressing the need for local businesses to gain visibility across the Darknet to enrich their threat intelligence, especially in regions where remote work or a hybrid working model, as a result of the pandemic, is followed. And because valid credentials for RDP access are the most common Darknet offer, organisations must start following best cybersecurity practices.”

These practices include using strong passwords, making all remote management interfaces reachable only through a VPN, and requiring two-factor authentication for every management interface.

“With initial access easy to obtain by cybercriminals, companies must realise that it is more cost-effective to invest in cybersecurity than it is to deal with the consequences of a successful attack,” Novikova concludes.