The three main ways dark web criminals attack corporate infrastructure

How to attack corporate infrastructure has become one of the most popular topics on dark web forums, accounting for 12 percent of technical discussion posts on dark web forums. This means that cybercriminals are eager to gain control of corporate infrastructure.

Their motivation is purely profit-driven, said Yuliya Novikova, head of analysis at Kaspersky Security Services.

For cybercriminals, the ultimate goal is to make as much profit as possible from the initial access they gain," she said. They sell anything from valid credentials for Web panels, cookie authentication information for users and administrators, to details of remote command execution exploits and access to uploaded Webshell backdoors."

These malicious criminals in the dark web typically gain access in three ways, she said.

First, exploiting vulnerabilities, such as unpatched software bugs, misconfigured services, 0day attacks and known vulnerabilities in Web applications.

Second, phishing, which is more common and targets corporate staff, usually customer service.

Third, obtaining direct access credentials through the use of data-stealing programs, such as RDP.

Malware infects user devices and intercepts data, which is collected in logs,, and published on dark web forums where they will be sold," Novikova explained. Malicious users are looking for almost any type of data to steal. This includes payment and personal data, domain credentials, third-party service credentials, social network accounts and authorization tokens."

After analyzing nearly 200 posts on the Dark Web that provided initial access to corporate data, Kaspersky found that 75 percent of the posts provided initial access via Remote Desktop Protocol ((RDP), each with different permissions, from domain administrator, local administrator and normal user permissions, she said.

Novikova said, "With remote working now a reality for many companies, the finding that companies have introduced RDP to enable computers on the same corporate network to be connected together and accessed remotely is a cause for concern."

Kaspersky's research shows the growing interest in RDP attacks, highlighting what the security firm sees as the high hit rate of such attacks globally.

The black market is in high demand for corporate data. Kaspersky's research shows that significant initial access to corporate data is largely provided through RDP, highlighting the need for local businesses to gain visibility across the dark web to enrich their threat intelligence, particularly in areas that employ remote or hybrid working models.

Novikova said, "And because valid credentials for RDP access are the most common dark web product, it is imperative that enterprises begin to follow best cybersecurity practices."

This includes using reliable passwords, making all remote management interfaces accessible only through VPNs, and using dual authentication for all management interfaces, she said.