Sophos has uncovered a disturbing trend in cybercrime forums, where research contests are being used to inspire and refine new cyberattack methods and evasion techniques. These contests, which mirror legitimate security conferences, offer substantial rewards to winners, providing insights into the ever-evolving world of cybercriminal tactics.
12 September 2023 – Sophos, a global leader in cybersecurity services, has revealed the unsettling phenomenon of cybercriminals organizing research contests on underground forums to inspire and advance new methods of cyberattacks and evasion techniques. These contests, reminiscent of legitimate security conferences’ “Call For Papers,” offer substantial financial rewards, peer recognition, and even potential employment opportunities to winners. Sophos’ latest report, titled “For the Win? Offensive Research Contests on Criminal Forums,” sheds light on this alarming trend, showcasing how these contests are driving innovation within the cybercriminal community and providing invaluable insights into their evolving tactics.
Although cybercrime contests have existed for a long time, they have evolved significantly over the years. Initially featuring trivia quizzes and graphic design competitions, they now invite cyber attackers to submit technical articles, complete with source code, videos, and screenshots. Once entries are submitted, participants from the underground forums vote for the contest’s winner. However, transparency remains an issue, as forum owners and contest sponsors also hold sway over the judging process.
Christopher Budd, Director of Threat Research at Sophos, emphasized the implications of these contests, stating, “The fact that cybercriminals are running, participating, and even sponsoring these contests, suggests that there is a community goal to advance their tactics and techniques. There is even evidence to suggest that these competitions act as a tool for recruitment amongst prominent threat actor groups.”
Sophos’ research highlights a shift towards Web 3.0-related topics, including cryptocurrency, smart contracts, and NFTs, in these contests. However, many winning entries have broader applications and practical use, even if they aren’t entirely novel. This suggests that cyber attackers may retain their most innovative research for real-world attacks, where they can profit more.
The Sophos X-Ops research delved into two prominent annual contests: one hosted by the Russian-language cybercrime forum Exploit, with a total prize fund of $80,000 in 2021, and another conducted on the XSS forum, featuring a prize pool of $40,000 in 2022. These contests have garnered sponsorship from influential members of the cybercriminal community, including All World Cards and Lockbit.
In recent contests, Exploit centered its competition on cryptocurrencies, while XSS expanded its scope to include topics like social engineering, attack vectors, evasion techniques, and scam proposals. Winning entries frequently focused on exploiting legitimate tools like Cobalt Strike. Examples include a tutorial on targeting initial coin offerings (ICOs), which are used to raise funds for new cryptocurrencies, and a tutorial on manipulating privilege tokens to disable Windows Defender.
Sophos urges awareness of these underground contests and their potential consequences. Cybersecurity professionals and organizations should remain vigilant to stay one step ahead of evolving cyber threats.