Kurt Hems (12:49)

So Trend micro actually since 2011 have now published 49 branches into where we look into the underground marketplaces. The last one, this one would have been the 48th publication. Since then there's been one more on the Spanish underground. But we just like to keep tabs on where the cyber criminal underground is going and, you know, everything just around the underground. So where we can help protect our customers and the Internet at large. Just kind of get a gauge of where everything is and what cybercriminals are trying to do.

Dave Bittner (13:29)

Well, let's dig into some of the details here. I mean, in terms of operations and offerings, what are some of the significant changes you all have tracked?

Kurt Hems (13:39)

Yeah, since 2015 was the first English underground, there actually has been a notable decline in the sales of drugs and weapons, specifically on English speaking forums. While access as a service is dominating. Over 50% of the threads that we observe are about access as a service. And crimeware is pretty, pretty stable there, where people are trying to buy malware, counter AV solutions, things like that as well.

Dave Bittner (14:12)

What about the activity of law enforcement? Has that had a significant influence on what you're tracking here?

Kurt Hems (14:18)

Yeah, so I think that's one of the big reasons why you see drugs and weapons decline is there has been a lot of action against Forums that are selling those types of things specifically and law enforcement action obviously has helped hinder those operations. However, with that said, every time we there's a forum takedown, just like this week or last week, there was cracked and null have been taken down or disrupted in some way and even then something's going to come in its replacement. But it's the trust factor that guides the criminals to where they're going and whether they use it and adopt it in mass. I mean we constantly see this after takedowns is there's a shift in migration of which one's going to become the next big underground marketplace or underground forum for criminals to converse at.

Dave Bittner (15:17)

Yeah, I guess age old game of whack a mole?

Kurt Hems (15:20)

Pretty much, yes.

Dave Bittner (15:21)

Yeah. What about technological advancements? I mean obviously everybody's talking about AI these days. Has that, has the dynamic of that had an effect on these cybercriminal communities?

Kurt Hems (15:35)

Absolutely. Cybercriminals are using AI technologies to help create phishing content and to help bypass security measures as well as other things where there's you know, been talk about criminal AI itself, which are AI technologies that criminals are trying to train to be more on the malicious sides that gets around the walls of information that they're trying not to prevent or prevent from people to get. Like you can't go to major AI platforms and ask it to create you malware. However the criminal ones would allow you to do that just off, you know, without any of those handbrakes or anything like that involved. So yeah, AI is definitely something we're seeing an uptake in. However, it's still kind of hyped out to where it's not what you know, the media sometimes is saying it is, but they are using it. And you can see it as specifically when they're talking about using it for fishing exercise. You know, phishing attempts to, to make a better use of English speaking in the cases of that. So it doesn't matter, doesn't matter where you came from. You can do a pretty good English translation with AI.

Dave Bittner (16:58)

Yeah. One of the things that caught my eye in the report was this idea that some of these English speaking forums will converge with the non English speaking ones. Can you explain that to us?

Kurt Hems (17:12)

Yeah. So the idea is that as we do more disruptions and more takedowns, you're seeing people move into other forums that become more multilingual. And that's definitely due to the intensified law enforcement actions that migrated into jurisdictions with more lenient regulations. The shift is led to blending English speaking forums with other Languages you'll see on what used to be typically a Russian forum, sometimes you'll see English threads with what appears to be a native English speaker, not a trying to converse and create. By doing that, they're trying to converse more broadly and creating a more diverse and interconnected cyber criminal ecosystem.

Dave Bittner (18:05)

Yeah. What are the predominant goods and services that you're seeing these days on these forums?

Kurt Hems (18:10)

As we mentioned earlier, Dave, access as a service is dominating for sure and we're seeing a lot of, a little bit of ransomware here and there. But cryptocurrency, money laundering services, cash outs to convert your services to convert illicit gains into legitimate currencies as example, that's a lot of what we're seeing is, you know, in the English forums, everyone wants their money and how to get it out from being a stolen or acquired cryptocurrency. How can I make that into real money?

Dave Bittner (18:54)

One of the things the reports touches on is the use of various platforms, you things like Telegram. How has that changed the way that these folks communicate since the last time you tracked it almost a decade ago.

Kurt Hems (19:10)

Yeah, so Telegram is definitely a new and rising platform of communication for the underground. From 2020, 2015, when we originally released the English speaking underground research. Yeah, it's grown significantly. That's a, a large part of it. There was a little shift last year. People are using other services such as talks and have migrated to signal channels as well. But Telegram is a very important piece to track of where people are communicating. And that's one of the big reasons why cyber criminals are utilizing Telegram is because it's a little harder to take down that communication, easier for them to just move it into new channels. And also they're moving into more secure communication channels, which then reduces the exposure of sensitive information, such as if they're talking about their bitcoin addresses or emails or anything like that before, if you put that in an open forum, somebody could grab that where in these little more private chats, you may go under the radar for a little bit longer.

Dave Bittner (20:32)

Yeah, I guess it makes it a little more challenging for law enforcement.

Kurt Hems (20:36)

Yeah, that's kind of the, as we mentioned earlier, the whack a mole approach. Every time you hit the mole, the mole gets a little bit better at hiding itself.

Dave Bittner (20:46)

Right, right. What about globalization? I mean these are English speaking forums, but it seems to me like, you know, when we see takedowns, they are international efforts. Is the globalization of these groups a growing concern?

Kurt Hems (21:05)

Yeah, the globalization of groups does provide more of a concern. You'll actually see Some of this in cybercrime forums where they're actually trying to find English speaking people and they're well known that they're out of that country. They're trying to get somebody who speaks English to do the crime for them in that jurisdiction. They actually sometimes will go after teenagers trying to get them because they know that their crime is more leniently punished. And then once they hit 18, you know, then crimes become real, especially in the United States. Not real, but more penalized. So cyber criminals are increasingly operating in jurisdictions with more lenient regulations and then they create a diverse interconnected network of criminals. This tends to underscore the need for global approach to combat cybercrime and have more standardized regulations. You know, you can't, it's very hard for people to go after, you know, known criminals in that are orchestrating these crimes that are in areas where their regulations are a lot more lenient towards cybercrime.

Dave Bittner (22:30)

What are the take homes for you from this report? What do you hope that folks get out of it from reading that?

Kurt Hems (22:36)

It's an evolving market. The, the marketplace is ever evolving. Cybercrime is changing, especially with technology changing and you know, what was relevant 15 years ago or 10 years ago, you know, from 2011 to today, things have evolved, except for the one thing that hasn't really evolved is cyber crime itself is something that criminals are going to do. It has evolved to the point where cybercrime has been more, you know, you have these different factions of it and it's grown from, you know, just some people on the Internet and you know, little tiny groups here and there causing problems to very large cyber criminal organizations that are best compared to being a corporation. They'll have, you know, in ransomware groups, they have them, you know, employee of the month and HR groups and you know, how to handle with onboarding and offboarding. And it's not just, you know, you know, people just out there trying to make a little bit of money. It's people trying to make a mass amount of money trying to do crime and trying to harm people, you know, for whatever, for their own personal gains.

Dave Bittner (24:04)

That's Stephen Hilt from Trend Micro. We'll have a link to their research in our show notes. And now a message from our sponsor. Zscaler, the leader in cloud security Enterprises have spent billions of dollars on firewalls and VPNs. Yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools Expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools, It's time to rethink your security. Zscaler Zero Trust AI stops attackers by hiding your attack surface, making apps and IPs invisible eliminating lateral movement Connecting users only to specific apps, not the entire network Continuously verifying every request based on identity and context Simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@zscaler.com Security.

Stephen Hilt (25:40)

Imagine what's possible when learning doesn't get in the way of life at Capella University. Our game changing flexpath learning format lets you set your own deadline so you can learn at a time and pace that works for you. It's an education you can tailor to your schedule. That means you don't have to put your life on hold to pursue your professional goals. Instead, enjoy learning your way and earn your degree without missing a beat. A different future is closer than you think with Capella University. Learn more@capella.edu.

Dave Bittner (26:16)

And finally, two penetration testers from Threat Spike Labs learned the hard way that miscommunication can be more dangerous than actual hacking. During a simulated breach at a corporate office in Malta, the duo successfully gained unauthorized access, stole a master keycard, and retrieved sensitive data, all part of an approved security assessment. But then things took a turn. The general manager who authorized the test panicked and called the police, convinced that real criminals were at work despite waiving their authorization documents. Like a backstage pass at a concert, the testers were arrested and hauled in for questioning. Later, Kurt Hems reflected on the experience, saying, penetration tests don't always end with a report. Sometimes they end with flashing lights and handcuffs. Lesson learned. Tell law enforcement about security tests before they happen. Ironically, the security test worked. The company's response was swift, even if it resulted in unnecessary arrests. And that's the Cyber Wire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. Were mixed by Trey Hester with original music and sound design by Elliot Peltzman Our executive producer is Jennifer Ivan. Peter Kilby is our publisher. And I, Dave Bittner. Thanks for listening. We'll see you back here tomorrow.