Beyond standard underground offerings such as malware and exploit kits, cybercriminals also value having a stable hosting infrastructure that underpins all their activities. Such an infrastructure could host malicious content and the necessary components for controlling their operations (e.g., bulletproof hosting that runs backend hacker infrastructure, or a rented botnet of compromised machines).
In many respects, transactions among cybercriminals occur in ways similar to those in legitimate businesses. Amateurs and professionals alike rely on marketing their products across various platforms — some use social media, while others only do so in controlled, vetted underground forums.
Our first article in this research series provided an overview of the underground market, where services, infrastructures, and tools used to conduct illegal activities are bought and sold. Offerings are diverse and cater to every need. This part of the research series provides a look into the dynamics of the cybercrime ecosystem: the services offered in the underground and how infrastructures are set up for certain criminal applications.
Cybercriminal business models vary; they usually include a mix of dedicated and compromised assets along with resilient domain provisioning and anonymization services. Our research detailed some of the major service categories and new ways cybercriminals use different infrastructure services to defend against other criminals and law enforcement probes. What are the common service offerings?
We covered dedicated bulletproof hosting services in part one of our research series. Web hosting services underpin a wide range of malicious and criminal activities. Dedicated servers are ideal for cybercrime setups that need to be highly resistant to disruption and takedown.
Dedicated and virtual private servers: An in-house data center in Ukraine
Source: Security Service of Ukraine’s official YouTube channel
Dedicated and virtual private servers (VPS) are used to host criminal infrastructure components such as botnet control panels and phishing pages or used as “jump servers” for securely accessing other infrastructures. Sometimes, criminals use “in-house” infrastructures in countries with relatively lenient legal frameworks. Racks of servers, located in side rooms of private properties, are offered to threat actors, as opposed to hosting them in larger commercial entities.
Modern fast-flux: Cost comparisons in hosting services
Fast-flux infrastructures allow criminals to constantly change their server location, consequently increasing their resistance to operation disruptions. Since fast-flux-backed services require maintenance of a pool of IP addresses with high availability, they are more expensive to operate than the usual bulletproof hosting services.
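The churn described above is also what a defender can measure: a fast-flux domain answers with many distinct IPs spread across many autonomous systems and uses short TTLs, whereas a CDN rotates IPs within its own one or two ASNs. The following is an added example, not code from the original article; the `DnsObservation` records, domain names, addresses and ASNs are constructed sample data, and the thresholds are an assumed heuristic rather than a published score.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

class DnsObservation(NamedTuple):
    ts: int      # epoch seconds of the lookup
    domain: str
    ip: str      # A record returned by the resolver
    ttl: int     # TTL in seconds
    asn: int     # ASN owning the IP (in practice from an external IP-to-ASN lookup)

def flux_features(obs: Iterable[DnsObservation]) -> Dict[str, dict]:
    """Aggregate per-domain features from a series of observed DNS answers."""
    per: Dict[str, List[DnsObservation]] = defaultdict(list)
    for o in obs:
        per[o.domain].append(o)
    return {
        d: {
            "lookups": len(rows),
            "unique_ips": len({r.ip for r in rows}),
            "unique_asns": len({r.asn for r in rows}),
            "min_ttl": min(r.ttl for r in rows),
        }
        for d, rows in per.items()
    }

def is_fast_flux(f: dict, min_ips: int = 5, min_asns: int = 3, max_ttl: int = 600) -> bool:
    """Assumed heuristic: many distinct IPs across many ASNs, answered with short TTLs.
    CDNs and round-robin pools also rotate IPs with short TTLs, but usually inside one
    or two provider ASNs, so the ASN spread is the discriminating feature."""
    return (f["unique_ips"] >= min_ips and f["unique_asns"] >= min_asns
            and f["min_ttl"] <= max_ttl)

# Constructed sample data (documentation IP ranges and ASNs): six lookups per domain.
SAMPLE = [
    # candidate fast-flux: every answer a different IP in a different ASN, 5-minute TTL
    *[DnsObservation(1000 + i * 300, "flux.example", f"203.0.113.{i}", 300, 64496 + i)
      for i in range(6)],
    # CDN-like: four IPs rotating inside one provider ASN, 60-second TTL
    *[DnsObservation(1000 + i * 60, "cdn.example", f"192.0.2.{i % 4}", 60, 64510)
      for i in range(6)],
    # static host: same IP every time, one-day TTL
    *[DnsObservation(1000 + i * 3600, "static.example", "198.51.100.7", 86400, 64511)
      for i in range(6)],
]

def classify(obs: Iterable[DnsObservation]) -> Dict[str, bool]:
    return {d: is_fast_flux(f) for d, f in flux_features(obs).items()}

if __name__ == "__main__":
    for d, flagged in classify(SAMPLE).items():
        print(f"{d}: {'fast-flux candidate' if flagged else 'not flagged'}")
```

Fed with real passive-DNS records, the same features can be computed over a sliding window so that a domain is flagged only after enough lookups have been seen.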
The use and abuse of legitimate assets are common in the underground. Cybercriminals have increasingly depended on compromising machines to support their services. Some services resell compromised sites for further use as phishing landing pages, exploit kit hosting pages, or SEO doorways.
Compromised machines used as dedicated servers: A site selling access to compromised RDPs
Legitimate assets are compromised and used for hosting in at least one of the steps in a criminal’s monetization lifecycle. Exposed servers are exploited through vulnerabilities in server software, brute-force credential attacks, or phishing campaigns. Compromised assets are sold on online portals, underground forums, and dedicated marketplaces in social networks.
Botnets for rent (regular PCs): Botnet rental service offering with access to C&C panel
A PC-based botnet with over 1,000 connected PCs could cost US$800 and include functions for cryptocurrency mining, distributed denial-of-service (DDoS), and arbitrary file execution. Botnet owners commonly prohibit ransomware, cryptolockers, and files with detections on VirusTotal, since these would immediately expose the compromise to the PC owner.
Below is a case study examining the overall lifecycle of a compromised asset and how it is typically used for malicious purposes. The figure indicates the various spin-offs a server goes through once it’s compromised, how it can be monetized and resold, and when security teams eventually deal with it.
Cybercriminal takeover: The server takeover is the earliest stage, where exposed assets are enumerated (e.g., via network scanners), accessed, and categorized by features (e.g., availability, bandwidth, and type of GPU) for further malicious purposes.
Categorization and estimation of monetization paths: Compromised servers are categorized based on simple criteria that can be automatically collected by software tools used by underground actors (e.g., computing power, bandwidth, location, victim). A compromised asset can be taken over, monetized, and resold several times.
Sensitive data exfiltration: This category includes theft from the compromised server of credentials, PII, financial information, and scanned or sensitive documents using a variety of automated keyword search tools.
Resale for targeted attacks: Advanced categorization may find servers that are of interest to industrial espionage actors looking to dissociate themselves from the initial compromise. Particularly sensitive assets can be sold in underground auctions for hundreds of thousands of USD.
Resale for criminal monetization: Some platforms offered in the underground automate the processing and monetizing of compromised servers, whereby sellers can collaborate to deliver more than a hundred compromised servers per day in some scenarios, sometimes called the “access as a service” model.
Criminal monetization: A compromised server commonly gets monetized through cryptocurrency mining and malicious hosting. Ransomware attacks, especially targeted ones, may also be employed by actors who have in-depth knowledge about the infrastructure. Cryptocurrency mining should be of particular interest to defenders, as it often indicates a compromised asset that is in an idle state prior to being resold or having ransomware deployed.
Incident response: The stage at which a compromise or malicious activity is detected and an incident response (IR) team deals with the threat.
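Because the lifecycle above places mining in the idle window before resale or ransomware, catching it early is worth a dedicated check. Most pools speak Stratum, a newline-delimited JSON-RPC protocol, so the client's first message is recognisable regardless of the port it uses. The following is an added example, not code from the original article; the `Flow` records and payloads are constructed sample data, and the method names are the ones used by the standard Stratum dialect (`mining.*`) and by XMRig-style Cryptonight pools (`login` with wallet and agent fields).

```python
import json
from typing import List, NamedTuple, Optional

class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    first_payload: str   # first client-to-server line of the TCP stream, as captured

def stratum_method(payload: str) -> Optional[str]:
    """Return the Stratum method name if the payload is a Stratum request, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:          # binary or non-JSON traffic (e.g., TLS handshake)
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return None
    method = msg["method"]
    if method.startswith("mining."):          # classic Stratum: subscribe/authorize/submit
        return method
    params = msg.get("params")                # Cryptonight/XMRig dialect: bare "login"
    if method == "login" and isinstance(params, dict) and {"login", "agent"} <= params.keys():
        return method
    return None

def detect_mining(flows: List[Flow]) -> List[dict]:
    """Flag flows whose first payload is a Stratum request; the port plays no role."""
    hits = []
    for f in flows:
        m = stratum_method(f.first_payload)
        if m:
            hits.append({"ts": f.ts, "src": f.src, "dst": f"{f.dst}:{f.dport}", "method": m})
    return hits

# Constructed sample flows (documentation IP ranges, made-up wallet and worker names).
SAMPLE_FLOWS = [
    Flow("2024-01-01T00:00:01Z", "192.0.2.10", "203.0.113.5", 3333,
         '{"id":1,"method":"mining.subscribe","params":["example-miner/1.0"]}'),
    Flow("2024-01-01T00:00:02Z", "192.0.2.11", "203.0.113.6", 443,
         '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
         '"pass":"x","agent":"example-agent/6.0"}}'),
    Flow("2024-01-01T00:00:03Z", "192.0.2.12", "203.0.113.7", 443, "\x16\x03\x01 not json"),
    Flow("2024-01-01T00:00:04Z", "192.0.2.13", "203.0.113.8", 8545,
         '{"id":1,"method":"getStatus","params":[]}'),   # ordinary JSON-RPC, not mining
]

if __name__ == "__main__":
    for h in detect_mining(SAMPLE_FLOWS):
        print(f"{h['ts']} {h['src']} -> {h['dst']} stratum {h['method']}")
```

The second sample flow shows why the decision is payload-based: mining to a pool on port 443 would pass a port-only rule.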