Cybercriminal Forums Host Adversary-Backed Research Contests on Attacks and Evasion: Sophos

Sophos has published findings on the role that research contests play within cybercrime forums. These contests serve as a source of inspiration for new attack techniques and methods of evading detection. They closely resemble the “Call For Papers” of legitimate security conferences and offer winners substantial financial rewards, peer recognition, and potential job opportunities.
Sophos X-Ops has detailed these findings in its latest report, titled “For the Win? Offensive Research Contests on Criminal Forums.” The primary objective of the contests is to foster innovation, and on closer examination the submitted entries provide invaluable insight into how cybercriminals try to overcome security challenges.
These criminal forum competitions have changed significantly over time. Early cybercrime contests featured trivia quizzes, graphic design competitions, and guessing games. Contemporary criminal forums now encourage attackers to submit comprehensive articles on technical subjects, complete with source code, videos, and screenshots. After submission, all forum users are invited to vote for the contest’s winner. The judging process is not entirely transparent, however, as forum owners and contest sponsors also hold influence over the final decision.
“The fact that cybercriminals are running, participating, and even sponsoring these contests, suggests that there is a community goal to advance their tactics and techniques. There is even evidence to suggest that these competitions act as a tool for recruitment amongst prominent threat actor groups,” said Christopher Budd, director of threat research, Sophos. “While our research shows an increased focus on Web-3 related topics such as cryptocurrency, smart contracts and NFTs, many of the winning entries had a broader appeal and could be put to practical use, even if they weren’t particularly novel. This may be reflective of the priorities of the community but could indicate that attackers keep their best research to themselves as they can profit more from using them in real-world attacks.”
Sophos X-Ops examined two notable annual competitions: one hosted by the Russian-language cybercrime forum Exploit, which offered a prize pool of $80,000 to its 2021 contest winner, and another run on the XSS forum, with a prize fund of $40,000 in 2022. Over several years these contests have been sponsored by influential figures within the cybercriminal community, with notable contributors including All World Cards and LockBit.
In the most recent iterations of these contests, Exploit centered its competition on cryptocurrencies, whereas XSS broadened its scope to cover topics ranging from social engineering and attack vectors to evasion tactics and scam proposals. Many of the winning entries concentrated on the exploitation of legitimate tools, such as Cobalt Strike. One of the runners-up shared a tutorial on targeting initial coin offerings (ICOs) to raise funds for a new cryptocurrency, while another provided insights into manipulating privilege tokens to disable Windows Defender.