The following is part of Flashpoint’s 2021 Intel Wrap-Up series. Like every article in the series, this report is based on data derived from a curated weekly analysis of threat actor activity within Flashpoint collections. The following report is based on data from January through November.
1. Most discussed malware types and hacking services
The top 10 most discussed malware types and hacking services over the last year were dominated by phishing, stealers, zero-day attacks, and ransomware, the last of which has notably been banned from a number of top-tier illicit forums.
2. Most popular forums
The most popular forums where threat actors advertised and solicited breached data were Raid Forums and Exploit, by far.
3. Most targeted sectors
The most targeted sectors in 2021 were:
- Government (commonly Social Security Numbers (SSNs), driver’s licenses, passports, and other government-issued identity documents);
- Financial (fullz, bank logs, databases, and online retailers that store financial data);
- Healthcare (mostly U.S.-based; personally identifiable information (PII), protected health information (PHI), financial data, and login credentials);
- Education (e.g., compromised credentials);
- Retail (e.g., holiday fraud).
4. Most popular access advertised
The most popular access advertised on forums was admin- or user-level access for Remote Desktop Protocol (RDP) / virtual private network (VPN) and content management systems (CMS). This type of access could lead to the compromise of customer personal information and, in some cases, financial information.
5. The rise of SQL injection ads
Advertisements of SQL injection (SQLi) trended upward, gaining popularity as a way for sellers to assure customers of the integrity of the data on offer.
6. Pricing is being withheld
Recently, threat actors have been omitting pricing information more than usual, although it is unclear exactly what motivations are driving this emerging trend. It is possible that withholding the desired sale price leads only seriously interested buyers to contact the seller. This trend further increases the difficulty of assessing data pricing within illicit forums: since negotiations are held in private chats and listing and sale prices are increasingly withheld, it remains difficult to know the exact value of these data types.
7. Negotiations via chat
Negotiations (including communications around vouching and proof-of-concept) appear to have shifted from the forums themselves to encrypted chat services.
8. Geographical disclosures
Threat actors, most of whom are out for financial gain, are increasingly disclosing geographical information about the data and access they advertise. According to our collections, the “unknown” category—which denotes data for sale without location-specific information—is down almost 42%.
9. Zero-Day and phishing ads dominate Raid
Raid Forums—traditionally popular amongst threat actors for buying and selling breach data—emerged as a major player in malware and hacking services as well in 2021. Zero-day and phishing attacks were by far the most advertised exploits.
10. Ransomware is taboo
Ransomware has been widely banned on major forums, as evidenced by sellers referring to their ransomware offerings as “crypters” or “lockers” to avoid having their posts or accounts banned immediately.