5 Hotspots for Threat Actor Activity

Where are malicious actors hiding on the web? Though it might seem like they’re mostly on the dark web, they can be hiding in plain sight on the clear web too. They can lurk on websites and messaging platforms you may use, like Telegram or Discord. By understanding how malicious actors can take advantage of websites and community platforms on the clear web, you can get the whole picture of how to best monitor your organization’s external attack surface.

With your monitoring strategy, it’s important to not think of it solely as checking a list of places to look, but rather monitoring the whole ecosystem. Comprehensive cyber threat intelligence (CTI) spans your organization’s complete external digital footprint. Malicious actors are searching for vulnerabilities there, so it’s like a race to see who can get to this valuable information first.

So where are malicious actors lurking?

Important Areas to Include in Your Cyber Threat Intelligence Monitoring

1. Infected Devices

Infected device markets sell access to devices infected with ransomware and Raccoon malware, which lets malicious actors take over the victim's online accounts. These markets exist on both the clear and dark web: though many are on the dark web, Genesis Market is on the clear web. The cost of a bot on Genesis Market ranges from under $1 to over $170, with an average price of $15.77. An unsophisticated actor can easily buy an infected device and potentially use it to bypass MFA controls.

[Alt text: Process of intellectual property theft through an infected device and the dark web. An example employee at ACME Inc, Jack Smith, downloads and installs malware, and access to his infected computer is sold on the Genesis Market. A malicious actor buys the infected device to gain access into ACME Slack and then access confidential data through social engineering and requesting access from ACME IT.] 

2. Instant Messaging Platforms

Many malicious actors are switching to instant messaging platforms such as Telegram, Discord, and Jabber. These platforms describe themselves as gathering places for online communities, such as school student groups and podcast listeners. Though it was not the original intention, illicit communities thrive in these groups too.

There are two main reasons malicious actors choose these platforms:

  1. They’re easy to use: it’s simpler to share multimedia content or proof of compromise than it is on a dark web forum, and the platforms are more reliable than a forum that constantly changes hosting. The strict privacy policies also create a sense of safety.
  2. The interactions feel “less permanent”: something posted on a forum can stay there forever and become part of the public archives of the internet. On an instant messaging platform, only people on the member list can see a message, and it soon disappears into the flow of incoming messages. Cybercriminals tend to be more talkative on these platforms and take more risks in opening up because they feel there is less data retention.

3. Paste Sites

Paste sites such as Pastebin let people paste and share large text documents online; developers often use them to share code. Employees can unintentionally share data they shouldn’t, and paste sites have become a popular place for malicious actors both to look for leaked information and to share it.

4. GitHub

[Alt text: Graphic of how interconnected a company’s systems and employees are with their GitHub repository, which can contribute to risks. Domains, GitHub users, and emails can contribute to the GitHub repository. Domains can be mentioned in GitHub repositories too.]

GitHub is a platform for software development collaboration. As useful as it is, it can also be a source of damage through source code leaks.

A 2019 study by North Carolina State University found that over 100,000 repositories included exposed secrets such as API tokens, and that thousands of repositories continue to leak new information each day.

Also, 81% of this sensitive data took two weeks or more to remove, which suggests the developers working with it were not aware they had accidentally exposed these secrets; that leaves more time and opportunity for malicious actors to take advantage.

This research specifically found large organizations leaking information, including AWS credentials for a U.S. site used by millions of college applicants and AWS secrets for a major government agency of a Western European country.

Recently, the Flare platform detected that a former employee of a large financial institution had posted sensitive data. After Flare notified the customer’s CTI team, the team promptly identified and contacted the former employee’s superior, who reached out to the former employee and asked them to remove the content from GitHub. Less than 30 minutes after the alert, the CTI team had contained the incident.
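As an added illustration of the kind of check a CTI team runs over a public paste or a repository file (example code written for this page, not Flare's own tooling), the scanner below flags AWS-style credentials, high-entropy API tokens and mentions of the organization's own domain. The domain acme.example, the regex rules other than the documented AWS access key ID format, and every value in the sample are constructed for the example.

```python
import math
import re
from collections import Counter, namedtuple

# Secret shapes the page mentions (AWS credentials, API tokens). The AWS access
# key ID format (AKIA/ASIA + 16 uppercase alphanumerics) follows AWS's public
# documentation; the other two rules are heuristics, not vendor formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,3}['\"]?([A-Za-z0-9/+=]{40})"),
    "generic_api_token": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret)\b\W{0,3}['\"]?([A-Za-z0-9_\-]{24,})"),
}

# kind: which rule fired; line_no: 1-based line; excerpt: redacted, safe for an alert
Finding = namedtuple("Finding", "kind line_no excerpt")

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def redact(value: str) -> str:
    # Never copy the full secret into a ticket; a prefix is enough to triage.
    return f"{value[:4]}...[{len(value)} chars]"

def scan_text(text: str, org_domains: list[str]) -> list[Finding]:
    """Flag secret-shaped strings and mentions of the organization's domains."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                # Low-entropy matches are usually placeholders such as REPLACE_ME_xxx.
                if kind == "generic_api_token" and shannon_entropy(value) < 3.5:
                    continue
                findings.append(Finding(kind, line_no, redact(value)))
        for domain in org_domains:
            if domain.lower() in line.lower():
                findings.append(Finding("org_mention", line_no, line.strip()[:80]))
    return findings

# Constructed sample resembling a leaked config file; none of these values is real.
SAMPLE = """\
# constructed config snippet, not real credentials
aws_access_key_id = AKIAEXAMPLE0000ABCD1
aws_secret_access_key = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
api_key = "REPLACE_ME_xxxxxxxxxxxxxxxxxxxxx"
token = "ghp_constructedExampleTokenValue1234567890"
SMTP_USER = jack.smith@acme.example
"""
```

Running `scan_text(SAMPLE, ["acme.example"])` reports the two AWS values, the high-entropy token and the employee e-mail, while the REPLACE_ME placeholder is dropped by the entropy filter.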

5. File Scanning Tools

Various free and open source file scanning tools are available online: a user uploads a document and the tool checks whether it contains viruses. VirusTotal and other online scanners archive both the analysis report and the uploaded files, which can sometimes include people’s Social Security numbers, full names, addresses, and other sensitive information. Trello and other online services can store and disclose sensitive information too.

Setting a Comprehensive Cyber Threat Intelligence Strategy

It’s crucial to gain a holistic view of how threat actors could target your organization. Focusing on one area only provides a partial view and can leave much of the external attack surface exposed.

Malicious actors don’t stay in one community, which is why a strong CTI strategy requires a holistic view. For example, a group could run a marketplace on the dark web, refer buyers there to Telegram to communicate, and share samples via Pastebin. A comprehensive CTI process enables organizations’ cybersecurity teams to gain the whole picture of different cyber threats.

How Flare Can Help

With Flare, organizations gain additional context through a total view of their digital footprint. This provides important context around threats, for example: where an employee leaked the data, where a threat actor found the data, and where that threat actor then sold the data to another threat actor. This visibility wouldn’t be possible if an organization was only monitoring the dark web or only monitoring GitHub.

Flare provides a unified approach to:

  • Identifying external threats across the clear and dark web, including infected devices, leaked credentials, data leaks, and other threats
  • Conducting detailed investigations on malicious actors that may have listed IOCs associated with your organization
  • Understanding your organization’s external data exposure (digital footprint) with prioritized recommendations for remediation