Attacks/Breaches

10/9/2018
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

Lesser Skilled Cybercriminals Adopt Nation-State Hacking Methods

The trend underscores the need for organizations of all sizes to be prepared to detect and respond to threats faster, CrowdStrike says.



Relatively unskilled, criminally motivated hackers are increasingly adopting the tactics, techniques and procedures (TTPs) typically used by more sophisticated nation-stated backed adversaries.

New analysis by security vendor CrowdStrike's Falcon OverWatch threat-hunting team of intrusion detection engagements at customer locations between January and June this year shows a continued blurring of lines between methods employed by criminals and known nation-state actors.

This trend spells trouble for enterprises because it means that no one is really safe from sophisticated attacks, says Jennifer Ayers, vice president of CrowdStrike's OverWatch and security response team. "Sophisticated techniques are becoming a little more commoditized," she says. "Anything goes. Anyone can be a target."

One example is cybercriminals increasingly using TeamViewer software to gain remote access to targets. TeamViewer is a legitimate tool for connecting to remote computers for desktop sharing and collaboration and enabling remote support, among other uses. 

CrowdStrike first observed TeamViewer being used for malicious purposes back in 2013 by Team Bear, a Russian advanced persistent threat actor. Team Bear used malicious versions of TeamViewer to remain hidden and persistent on victim machines and to enable communications with command-and-control servers. Since then, numerous other adversaries have begun employing the same tactics, including criminally motivated actors.

In the first quarter of this year, threat actors leveraging TeamViewer targeted the hospitality sector in particular. According to CrowdStrike, at least four major hospitality organizations experienced TeamViewer-related intrusions during the quarter. In each case, the attackers spoofed the TeamViewer binaries to make them appear like expected file names. The command and control infrastructure used in all four attacks were similar, suggesting the same attack group was behind them.  

In a separate incident, an unknown attacker used valid credentials to log into TeamViewer remotely and install various malware tools on systems belonging to a major organization in the entertainment industry.

The use of TeamViewer to gain remote access to target systems is not the only technique that less sophisticated, criminally motivated threat actors have begun borrowing from state-sponsored groups. In April of this year, CrowdStrike observed a criminal actor using a Trojanized version of Arkadin's Vision Desktop App software to drop malware on a system, allowing additional second stage tools to be installed on the compromised host.

China Rising

Such intrusions show that criminal actors—like their more sophisticated state-sponsored counterparts—are increasingly employing hands-on-the-keyboard tactics to break into systems, conduct reconnaissance, steal credentials, and move laterally, Ayers says.

"You want to be able to detect a threat in as close to real-time as possible," she says. CrowdStrike OverWatch's data shows that adversaries on average take just one hour and 58 minutes to begin moving laterally in a compromised network after gaining initial access to it. The vendor recommends that organizations ideally be able to detect an intrusion in less than one minute, investigate it in less than 10 minutes, and mitigate the threat in under one hour.

CrowdStrike's review of threat hunting data from the first half of this year also revealed an uptick in targeted intrusion attempts by China-based threat actors against organizations in multiple industries including biotech, pharmaceutical, defense, mining and professional services.

Of the 70 or so intrusions that CrowdStrike OverWatch was able to attribute to a specific actor or region, China-based actors were likely behind 40 of them. It's hard to say what specifically might be driving the uptick, though there has been an overall increase in cyber espionage activities, Ayers notes.

Related Content:

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
2018 Was Second-Most Active Year for Data Breaches
Jai Vijayan, Freelance writer,  2/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8948
PUBLISHED: 2019-02-20
PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
CVE-2019-8950
PUBLISHED: 2019-02-20
The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.
CVE-2019-8942
PUBLISHED: 2019-02-20
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image c...
CVE-2019-8943
PUBLISHED: 2019-02-20
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring...
CVE-2019-8944
PUBLISHED: 2019-02-20
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.