Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/14/2019
05:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Stronger Defenses Force Cybercriminals to Rethink Strategy

Researchers see the rise of new relationships and attack techniques as criminals put companies' resilience to the test.

As businesses ramp up defenses, cybercriminals and advanced persistent threat groups are rethinking their attack strategies to be more collaborative and complex, researchers report.

The more organizations invest in securing their networks and training staff, the harder and more expensive it becomes for attackers to disrupt them, Accenture iDefense analysts say in the "2019 Cyber Threatscape Report." Instead of backing down, adversaries are targeting victims with layered attacks, new techniques, and intricate relationships to disguise their identities.

"They've become more sophisticated; they've gone deeper underground," says Howard Marshall, director of cyber intelligence services, in an interview with Dark Reading. Conventional cybercrime operations remain active: Emotet, Loki Bot, Pony, NanoCore, and Nocturnal were the most common types of malware seen in 2018 and 2019, researchers found. The most common spam attachments deliver malware via weaponized Microsoft Office files.

As traditional campaigns continue to spread, law enforcement takedowns of popular communities, such as Alphabay and Hansa, have motivated attackers to swap open partnerships on underground forums for smaller, close-knit syndicates in order to remain hidden. "There's loss of visibility - the fact that it's a lot harder to get into some of these closed-network environments," adds Josh Ray, Accenture cyber defense lead, pointing to adversary cost.

That attack groups continue to remain operational despite crackdowns highlights a "significant increase" in the maturity and resilience of criminal networks, researchers say. As groups more closely work together, it disguises their identities and makes attribution harder.

Financially motivated campaigns aren't going away. The report describes an uptick in "big game hunting," in which cybercriminals launch targeted attacks for financial gain using a broad range of tailored malware or commodity crimeware that can be downloaded or purchased from underground forums. Criminals also conduct targeted attacks using legitimate pentesting tools, including Metasploit, Cobalt Strike, PowerShell Empire (PSE), Meterpreter, and Mimikatz.

Both Marshall and Ray point to the rise of disinformation as a threat to watch. In the report, analysts explain how new technologies can drive the spread of false information. Cybercriminals are likely to take advantage of high-profile global events to sway public opinion, and they have more tools to help, researchers say, citing 5G networks and artificial intelligence. New technologies will prove beneficial to businesses, but they may cause more damage when in the hands of an attacker.

Accenture predicts upcoming global events, including the 2020 Tokyo Summer Olympics, 2020 US presidential election, and events and activities related to NATO expansion, will become leverage for information operations, phishing campaigns, and other more destructive threats.

"Awareness around that activity has heightened," Ray says. Disinformation tactics can range from outright lies to the selection and distortion of facts to tell a misleading story. Social media remains the battlefield: It's free, and its presence in everyday life makes it an appealing tool.

"The near omnipresent role of social media in everyday life has positioned online communities as target-rich environments which exist beyond the conventional purview of corporations' security controls," researchers write in the report. "This has propelled social networks to the frontlines, as high-yield arenas for manipulation."

Ransomware: Bypassing Spam Campaigns
Ransomware is by no means a new concern to organizations around the world, but researchers anticipate the threat will be exacerbated. In addition to delivering ransomware via spam campaigns, attackers are also installing ransomware onto business networks by purchasing Remote Desktop Protocol (RDP) access to compromised servers on underground forums. This level of access is typically obtained through vulnerability exploitation and brute forcing.

Analysts predict ransomware will continue to drive cash flow for attackers. The median ransom demand observed in 2018 was around $10,000 per incident, with the highest reaching $8.5 million. But even with profits rising, researchers see mixed motives driving ransomware. Some attackers seek to destroy network environments in addition to, or instead of, making money.

Ransomware's ability to destroy information, slow performance, and disrupt services can help attackers hide evidence of crimes like espionage or fraud. Campaigns can also interfere with markets by using malware to lower a company's share price and increase its product cost. A ransomware attack can also send financial and political messages. Analysts point to GandCrab as an example of a threat that avoids targeting victims in certain countries.

What can businesses take from this? With respect to ransomware, researchers recommend maintaining regular backups of storage devices, servers, and users' information. If malware hits, they should "immediately disconnect" affected systems from the network, reimage infected systems whenever possible, and restore user data from backups. They should not pay ransom.

More broadly, Ray advises security admins to better understand their business' value chain. "A lot of security professionals don't understand how their companies make money," he says. This awareness can help downgrade the effectiveness of a cyberattack or disinformation campaign.

Business-savvy security leaders can also learn why different adversaries would target the firm, he adds. Attackers may focus on crown jewels you don't expect them to eye; marrying business acumen with threat data can provide a view of how a company appears to attackers.

Related Content:

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...