Sophos X-Ops uncovers hacker research competitions on criminal online forums to innovate and overcome security hurdles in a new report. These cybercriminal research competitions also award individual prizes of up to $80.000.
Sophos X-Ops describes in its new report “For the win? Offensive Research Contests on Criminal Forums” Hacker research contests conducted by cybercrime forums to drive new attack innovations. The competitions focus on new attack and evasion methods and reflect cybercrime trends such as taking down AV/EDR, cryptocurrency fraud and setting up command-and-control infrastructures.
Hacker groups compete to find new attack routes
The competitions are similar to the “call for papers” of legitimate security conferences and offer winners significant financial rewards, recognition from colleagues and potential job opportunities. The uncovered submitted posts provide cybersecurity experts with valuable insight into the modus operandi of cybercriminals and how they attempt to overcome security hurdles.
“The fact that cybercriminals host, participate in, and even sponsor these contests suggests that there is a collective goal to further develop their tactics and techniques. There is even evidence that these competitions serve as a recruiting tool for prominent cybercriminal groups,” says Christopher Budd, director of threat research at Sophos.
It used to be harmless, but today it's about big money
The fact that hacker competitions are held on criminal forums is nothing new; the practice has existed for years. What is interesting, however, is how they have evolved over time. Early promotions included quizzes, graphic design competitions and quizzes. Criminal forums now invite submissions of articles on technical topics, including source code, videos and/or screenshots. The collected works are then rated by the forum users and the winner is determined. However, the judging is not completely transparent as the forum owners and competition sponsors appear to have special voting rights.
“While our research shows an increased concentration of cybercrime on Web 3-related topics such as cryptocurrencies or NFTs, many of the winning contest submissions had broader applications. They were characterized by the fact that they could be used almost immediately and were often not particularly innovative. "This could either reveal the community's priorities, or it could be evidence that attackers want to keep their best research results to themselves in order to avoid being exposed and then use their new tactics profitably in real attacks," continued Christopher Budd .
Sophos examined two competitions in more detail
Sophos Prize money of $80.000 was available here in 2021. For several years, prominent members of the cybercrime community have sponsored these events, including All World Cards and Lockbit.
In recent competitions, Exploit has focused its bidding on cryptocurrencies, while XSS has focused on topics ranging from social manipulation and attack vectors to evasion methods and scam offers. Many of the winning entries focused on abusing legitimate tools like Cobalt Strike. A runner-up shared a tutorial on hosting initial coin offerings (ICOs) to raise funds for a new cryptocurrency and another on manipulating privileges to disable Windows Defender.
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.