Understanding the infrastructure behind cybercrime helps detect and stop operations
The findings come from the second of a three-part report series looking at how the underground hosting market operates. They show that cryptocurrency mining activity should be treated as an indicator that puts IT security teams on high alert.
While cryptomining may not cause disruption or financial losses on its own, mining software is usually deployed to monetize compromised servers that are sitting idle while criminals plot larger money-making schemes. These include exfiltrating valuable data, selling server access for further abuse, or preparing for a targeted ransomware attack. Any servers found to contain cryptominers should be flagged for immediate remediation and investigation.
“From dedicated bulletproof hosting to anonymizing services, domain name provision and compromised legitimate assets, the cybercriminal underground boasts a sophisticated range of infrastructure offerings to support monetization campaigns of all types,” said Bob McArdle, director of forward-looking threat research for Trend Micro. “Our goal is to raise awareness and understanding of cybercriminal infrastructure to help law enforcement agencies, customers and other researchers block avenues for cybercrime and drive costs up for threat actors.”
The report lists the main underground hosting services available today, providing technical details of how they work and how criminals use them to run their businesses. This includes a detailed description of the typical lifecycle of a compromised server, from initial compromise to final attack.
Cloud servers are particularly exposed to compromise and to use in underground hosting infrastructure, as they may lack the protection of their on-premises equivalents.
McArdle continued, “Compromised legitimate corporate assets can be infiltrated and abused whether on-premise or in the cloud. A good rule of thumb is that whatever is most exposed is most likely to be exploited.”
Cybercriminals might look to exploit vulnerabilities in server software, use brute-force attacks to compromise credentials, or steal logins and deploy malware via phishing attacks. They may even target infrastructure management software (for example, cloud API keys), which lets them create new virtual machine instances or provision additional resources.
Once compromised, these cloud server assets could be sold on underground forums, dedicated marketplaces and even social networks for use in a range of attacks.
The report also covers emerging trends for underground infrastructure services, including abuse of telephony services and satellite infrastructure, and “parasitic” computing for rent including hidden RDP and VNC.