11/14/2018
05:00 PM
Small-Time Cybercriminals Landing Steady Low Blows

High-end crime groups are acquiring the sorts of sophisticated capabilities only nation-states once had, while low-tier criminals maintain a steady stream of malicious activity, from cryptomining to PoS malware.

Sophisticated cybercrime groups and nation-state-backed adversaries are not the only threats to enterprise security. A steady stream of malicious activity by relatively low-level criminals is also affecting businesses around the world and should not be ignored, a new report warns.

Secureworks' Counter Threat Unit recently analyzed one year's worth of incident response data and threat activity across 4,400 companies. The analysis showed that organizations are under siege by both high- and low-level criminals.

At the high end, sophisticated, financially motivated cybercrime gangs have recently begun using tactics once associated only with nation-state-backed actors to plunder organizations around the world. Though relatively few in number, these organized crime gangs are responsible for the bulk of the cybercrime-related damage that businesses are experiencing, Secureworks found.

Highly organized groups of criminal actors in Central and West Africa, for instance, are targeting organizations with sophisticated business email compromise and business email spoofing campaigns that over the years have resulted in billions of dollars in losses. Examples include Nigerian threat groups Gold Galleon, which targets shipping companies, and Gold Milton, which targets real-estate companies and law firms in Australia.

Other high-end criminal gangs, like the FIN7 group, are making millions by combining advanced social engineering and network-intrusion techniques with point-of-sale malware to steal payment card data. In August, the US Department of Justice indicted several members of FIN7 on charges related to the theft of 15 million payment cards from some 3,600 institutions.

Small groups of highly professional operators from Eastern Europe and elsewhere are targeting online retailers, cryptocurrency exchanges, banks, and ATMs in campaigns that are netting them millions of dollars. One example is an attack on an Indian bank's ATM infrastructure this August, which resulted in nearly $15 million in losses over a period of just three days. North Korea's infamous Lazarus Group is believed to be behind that attack. Other campaigns have involved so-called "cashout" and ATM "jackpotting" operations in which threat actors have stolen millions of dollars via coordinated withdrawals from dozens of ATMs across multiple countries.

"These kinds of criminal actors are more difficult to track because their communications are private and they do not advertise their intentions in forums where they might be observed by security researchers or law enforcement," says Mike McLellan, senior security researcher at Secureworks CTU.

While sophisticated cybercriminals may obtain tools from dark web forums or sell their capabilities there, they are not openly doing business on those forums, which makes them very hard to spot, he notes. As these groups increasingly acquire nation-state-like capabilities, attribution is going to become much harder, he says.

Low-level Criminality

At the same time, low- and mid-tier cybercriminals are maintaining a steady level of malicious activity involving cryptocurrency mining, ransomware, spam, and banking and PoS malware.

In 2017, one in three organizations encountered cryptocurrency mining software on their networks. Contrary to common perception, it remains a threat this year as well, McLellan says. "There is no evidence that cryptocurrency mining activity has decreased, despite the reduction in the market value of popular currencies such as Bitcoin and Monero."

Similarly, Secureworks' study found no letting up in ransomware activity. Between July 2017 and the end of June 2018, researchers from the company tracked 257 new ransomware families. The most prevalent of them was GandCrab, a ransomware tool distributed via Russian-language forums and exploit kits such as RIG and Grandsoft. In a majority of instances, ransomware targeting continues to be indiscriminate and many of the tools that have emerged over the last year are unsophisticated, Secureworks said in its report.

The easy availability of malware tools and services, and the demand for personally identifiable information (PII) and other sensitive data, continue to drive much of the malicious activity.

Secureworks regularly found comprehensive dossiers containing individuals' PII, payment card data, and other information offered for sale on underground forums at prices ranging from $10 to $25.

"Observed 'for sale' prices appear to have remained reasonably consistent, although there are a number of variables that come into play, such as the reputation of the seller and the nature of the PII," McLellan says.

Also lowering the bar for cybercriminals are underground marketplaces selling direct access to compromised systems and to anonymized servers for carrying out malicious activity. Numerous forums, for instance, offer access to virtual private servers and dedicated hosting services for between $10 and $300.

Others are selling access to compromised Remote Desktop Protocol servers for prices ranging from as little as 50 cents to $400. Some advertised prices have ranged between $1,000 and $20,000 for broader access to an organization's network.

"Criminals might charge more where the organization is of a certain size, or in an industry vertical where they consider that the data it processes might have good inherent value," McLellan says. "The price will also depend on the type of access offered and whether the actor selling the access has pre-installed additional tools."

The trends highlight the need for enterprises to make themselves harder targets. "Fundamentally, criminal actors want to make as much money as they can with the least possible effort and risk." By implementing best practices such as patching, multi-factor authentication on Internet-facing applications, least privilege for users, and layered detective controls, organizations can encourage criminals to look elsewhere, McLellan says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
