Sophos, a Top 40 MDR service provider for 2023, has delved into the murky world of research contests run by cybercrime forums that ultimately help attackers find new ways to infiltrate victims and evade detection.
In its recently released report, For the Win? Offensive Research Contests on Criminal Forums, Sophos researchers found that the contests mimic legitimate "Call for Papers" security conferences, offering substantial financial rewards, peer recognition and possible employment for the winners. Sophos’ analysts posited that the contest entries provided insight into how cybercriminals attempt to skirt security defenses.
Cybercrime Contests Probed
Sophos checked out two contests:
- One contest run by Russian-language cybercrime forum Exploit offers a total prize fund of $80,000 to the winner of its contest in 2021.
- A contest on the XSS forum had a prize pool of $40,000 in 2022.
For several years, notable crews in the cybercriminal community have sponsored these events, including All World Cards and Lockbit, Sophos said.
Here are some details of what Sophos found in the contests it examined:
- Exploit themed its competition around cryptocurrencies.
- XSS opened its contest up to a range of topics from social engineering and attack vectors to evasion and scam proposals.
- Many of the winning entries focused on abusing legitimate tools such as Cobalt Strike.
- One runner-up shared a tutorial on targeting initial coin offerings (ICOs) to raise funds for a new cryptocurrency and another on manipulating privilege tokens to disable Windows Defender.
Here is some more information on the contests:
- Early cybercrime contests involved trivia quizzes, graphic design competitions and guessing games.
- Now criminal forums are inviting attackers to submit articles on technical topics, complete with source code, videos, and/or screenshots.
- Once submitted, all forum users are invited to vote for the contest winner.
- The judging is not completely transparent as the forum owners and contest sponsors have their own votes in the matter.
Contests Advance Cybercrime Contests and Techniques
Christopher Budd, Sophos director of Threat Research, said that a goal in the underground community for the contests is to “advance their tactics and techniques”:
“The fact that cybercriminals are running, participating, and even sponsoring these contests, suggests that there is a community goal to advance their tactics and techniques. There is even evidence to suggest that these competitions act as a tool for recruitment amongst prominent threat actor groups.
While our research shows an increased focus on Web-3 related topics such as cryptocurrency, smart contracts and NFTs, many of the winning entries had a broader appeal and could be put to practical use, even if they weren’t particularly novel. This may be reflective of the priorities of the community but could indicate that attackers keep their best research to themselves as they can profit more from using them in real-world attacks.”