Threat Intelligence

Criminals Move Markets to Remain in the Shadows

While malware families and targets continue to evolve, the most important shift might be happening in the background.

Fo cybercriminals, the Internet of Things (IoT) is becoming a bigger draw, ransomware is still a profitable tool, and there are ways around even major legal actions. Those are some of the conclusions in the "McAfee Labs Threats Report: December 2018," released this week.

A number of findings in the report show certain trends continuing long-term patterns. New examples of IoT malware grew 72% in the third quarter, part of a total malware increase of 203% in past four quarters. And while many analysts have seen the growth of cryptominers slow in recent months, cryptomining malware increased by 71%, a figure based largely on the continuing growth in the number of IoT devices themselves.

"Platforms based on Linux are predominantly being hit," the McAfee research team told Dark Reading in an email interview, as they explained the rise in IoT malware. "Whereas previously these were dominated by DDoS-related botnets – the introduction of cryptojacking has led to the increase."

While these numbers are impressive, the most important developments in the malware landscape may be occurring behind the scenes. "Several individual sellers have moved away from large markets and have opened their own specific marketplaces," the McAfee researchers said. Other marketplaces, such as Dream Market, Wall Street Market, and Olympus Market, have become popular replacements for the lost markets (though Olympus Market suddenly disappeared, taking money and trusted relationships with it).

In a continuing response to the legal takedown of major Dark Web markets like Hansa and AlphaBay, and the disappearance of Olympus Market, some criminals have created their own "dark commerce" sites where they do business with their customers, the researchers said. These smaller sites make it more difficult for law enforcement to gain access and conduct surveillance on criminal activity.

Another trend that makes life more challenging for law enforcement is a growing tendency by some criminals to forgo a Web-based market altogether and use communications networks such as Telegram to conduct their business.

The communication is critically important for the criminals due to the continuing growth of criminal affiliate networks, seen in the evolution and increase of affiliate-architected malware such as the GandCrab ransomware package. The affiliate model is also seen in the operation of "RDP shops" that sell remote desktop access to compromised servers so that criminals can install and run their illicit software. "RDP continues to be an Achilles heel for many organizations, judging by the amount of targeted ransomware attacks, such as SamSam, BitPaymer, and GandCrab, that leverage RDP as an entry method," the report states.

Malware's evolution makes McAfee's suggestion that security also continue to evolve an obvious step. "We have to consider the speed in which criminal operators are adapting techniques and leveraging new approaches to achieve their objectives," the research team told Dark Reading. "For example, the introduction of new exploit kits and the continual development of GandCrab suggests that security teams need to remain vigilant on the evolution of such new threats."

Related Content:

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UdyRegan
50%
50%
UdyRegan,
User Rank: Apprentice
1/14/2019 | 10:29:27 PM
Wait for the network!
Honestly speaking, if I were a cyber criminal, I would be waiting for the IoT with bated breath. It all seems very wonderful - all this secret information in storage being made a all portable and freely communicated over a network. All you have to do is figure out how to get your fingers into that network to extract all that information. Seems easy enough!
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
1/4/2019 | 3:20:35 AM
Criminal works
Even criminals know how to remain relevant in today's highly competitive industry. It is never a safe play to continue pursuing their illegal acts within the same sector in order to avoid being detected. They need to move swiftly in order to remain active but being completely discreet.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.