Some of the world’s most skilled nation-state cyber adversaries and notorious ransomware gangs are deploying an arsenal of new open-sourced tools, actively exploiting corporate email systems and using online extortion to scare victims into paying ransoms, according to a report from Accenture.
The report examines the tactics, techniques and procedures employed by some of the most sophisticated cyber adversaries and explores how cyber incidents could evolve over the next year.
“Since COVID-19 radically shifted the way we work and live, we’ve seen a wide range of cyber adversaries changing their tactics to take advantage of new vulnerabilities,” said Josh Ray, who leads Accenture Security’s cyber defense practice globally.
“The biggest takeaway from our research is that organizations should expect cybercriminals to become more brazen as the potential opportunities and pay-outs from these campaigns climb to the stratosphere.
“In such a climate, organizations need to double down on putting the right controls in place and on leveraging reliable cyber threat intelligence to understand and expel the most complex threats.”
Sophisticated adversaries mask identities with off-the-shelf tools
Throughout 2020, CTI analysts have observed suspected state-sponsored and organized criminal groups using a combination of off-the-shelf tooling — including “living off the land” tools, shared hosting infrastructure and publicly developed exploit code — and open source penetration testing tools at unprecedented scale to carry out cyberattacks and hide their tracks.
For example, Accenture tracks the patterns and activities of an Iran-based hacker group referred to as SOURFACE (also known as Chafer or Remix Kitten). Active since at least 2014, the group is known for its cyberattacks on the oil and gas, communications, transportation and other industries in the U.S., Israel, Europe, Saudi Arabia, Australia and other regions.
CTI analysts have observed SOURFACE using legitimate Windows functions and freely available tools such as Mimikatz for credential dumping. This technique is used to steal user authentication credentials like usernames and passwords to allow attackers to escalate privileges or move across the network to compromise other systems and accounts while disguised as a valid user.
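The article describes the technique but not how a defender would spot it. The following is an added example for this page (not Accenture's tooling or anything from the report): a detection sketch over constructed Sysmon Event ID 10 (ProcessAccess) records that flags handles opened on lsass.exe with the access masks credential dumpers commonly request. Field names follow Sysmon's schema; the mask set and the source-process allowlist are assumptions to be tuned per environment, and the log lines are made up.

```python
"""Detection sketch: flag credential-dumping-style handle access to lsass.exe.

Added example, not Accenture's code. Parses constructed Sysmon Event ID 10
(ProcessAccess) records (Sysmon field names: SourceImage, TargetImage,
GrantedAccess) and flags handles on lsass.exe whose access mask matches
what credential dumpers typically request. Masks and allowlist are
assumed tuning values, not figures from the article.
"""
import json

# Access masks commonly requested when dumping LSASS (PROCESS_VM_READ |
# PROCESS_QUERY_INFORMATION and supersets). Assumed values; tune per estate.
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Processes that legitimately open lsass.exe (assumed allowlist, lowercase).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_event(line):
    """Parse one JSON-encoded Sysmon event; normalise the hex access mask to int."""
    ev = json.loads(line)
    ev["GrantedAccess"] = int(ev["GrantedAccess"], 16)
    return ev


def is_lsass_dump(ev):
    """True if the event is a non-allowlisted process opening lsass.exe with a dump-like mask."""
    if ev.get("EventID") != 10:
        return False
    target = ev.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = ev.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    return ev["GrantedAccess"] in SUSPICIOUS_MASKS


def scan(lines):
    """Return (source image, access mask) for every flagged event, in input order."""
    return [(ev["SourceImage"], hex(ev["GrantedAccess"]))
            for ev in map(parse_event, lines) if is_lsass_dump(ev)]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\Public\mm.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    # living-off-the-land: a signed Windows binary dumping LSASS
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\Public\mm.exe",
                "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"}),
    json.dumps({"EventID": 1, "SourceImage": r"C:\Users\Public\mm.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
]

if __name__ == "__main__":
    for src, mask in scan(SAMPLE_EVENTS):
        print(f"ALERT: lsass.exe opened by {src} with mask {mask}")
```

The rundll32.exe hit is the "living off the land" case: the source binary is a legitimate Windows component, so the detection keys on what was accessed and how, not on the tool name.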
According to the report, it is highly likely that sophisticated actors, including state-sponsored and organized criminal groups, will continue to use off-the-shelf and penetration testing tools for the foreseeable future as they are easy to use, effective and cost-efficient.
New, sophisticated tactics target business continuity
The report notes how one notorious group has aggressively targeted systems supporting Microsoft Exchange and Outlook Web Access, then used these compromised systems as beachheads within a victim’s environment to hide traffic, relay commands, compromise e-mail, steal data and gather credentials for espionage efforts.
Operating from Russia, the group, referred to as BELUGASTURGEON (also known as Turla or Snake), has been active for more than 10 years and is associated with numerous cyberattacks aimed at government agencies, foreign policy research firms and think tanks across the globe.
Ransomware feeds new profitable, scalable business model
Ransomware has quickly become a more lucrative business model in the past year, with cybercriminals taking online extortion to a new level by threatening to publicly release stolen data or sell it and name and shame victims on dedicated websites.
The criminals behind the Maze, Sodinokibi (also known as REvil) and DoppelPaymer ransomware strains are the pioneers of this growing tactic, which is delivering bigger profits and resulting in a wave of copycat actors and new ransomware peddlers.
Additionally, the infamous LockBit ransomware emerged earlier this year, which — in addition to copying the extortion tactic — has gained attention due to its self-spreading feature that quickly infects other computers on a corporate network.
The motivations behind LockBit appear to be financial, too. CTI analysts have tracked cybercriminals behind it on Dark Web forums, where they are found to advertise regular updates and improvements to the ransomware, and actively recruit new members promising a portion of the ransom money.
The success of these hack-and-leak extortion methods, especially against larger organizations, means they will likely proliferate for the remainder of 2020 and could foreshadow future hacking trends in 2021. In fact, CTI analysts have observed recruitment campaigns on a popular Dark Web forum from the threat actors behind Sodinokibi.
While there has been a year-over-year decrease in publicly disclosed data breaches, an Arctic Wolf report reveals that the number of corporate credentials with plaintext passwords on the dark web has increased by 429 percent since March.
For a typical organization, this means there are now, on average, 17 sets of corporate credentials available on the dark web that could be used by hackers.
With access to just one corporate account, attackers can easily execute account takeover attacks, which allow them to move laterally within an organization’s corporate network and gain access to sensitive data, intellectual property, competitive information, or funds.
Cybersecurity incidents now occur after hours
The sharp increase in corporate credential leaks underscores the need for organizations to have dedicated 24×7 monitoring of their network, endpoint, and cloud environments in order to prevent targeted attacks that could happen at any time.
Of the high-risk security incidents observed, 35% occur between the hours of 8:00 PM and 8:00 AM, and 14% occur on weekends, times when many in-house security teams are not online.
“The cybersecurity industry has an effectiveness problem. Every year new technologies, vendors, and solutions emerge. Yet, despite this constant innovation, we continue to see breaches in the headlines.
“The only way to eliminate cybersecurity challenges like ransomware, account takeover attacks, and cloud misconfigurations is by embracing security operations capabilities that fully integrate people, processes, and technology,” said Mark Manglicmot, VP Security Services, Arctic Wolf.
COVID-19 increasing the number of security operations challenges
- A 64 percent increase in phishing and ransomware attempts – Hackers have created new phishing lures around COVID-19 topics and adapted traditional lures seeking to take advantage of remote workers.
- Critical vulnerability patch time has increased by 40 days – A combination of higher common vulnerabilities and exposures (CVE) volumes, more critical CVEs, and the emergence of a remote workforce have significantly slowed the patching programs at many organizations.
- Unsecured Wi-Fi usage is up by over 240 percent – Remote workforces connecting to open and unsecured Wi-Fi networks outside of their office or home are now facing increased risks of malware exposure, credential theft, and browser session hijacking.
The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. The Europol IOCTA 2020 cybercrime report takes a look at this evolving threat landscape.
Although this crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behavior should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.
Europol IOCTA 2020
Social engineering and phishing remain an effective threat to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime-as-a-service.
Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
Encryption continues to be a clear feature of an increasing number of services and tools. One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.
The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.
Malware reigns supreme
Ransomware attacks have become more sophisticated, targeting specific organizations in the public and private sector through victim reconnaissance. While the pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis.
Moreover, criminals have added another layer to their ransomware attacks by threatening to auction off the compromised data, increasing the pressure on victims to pay the ransom.
Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.
Child sexual abuse material continues to increase
The main threats related to online child sexual exploitation have remained stable in recent years; however, detection of online child sexual abuse material saw a sharp spike at the peak of the COVID-19 crisis.
Offenders keep using a number of ways to hide this horrifying crime, such as P2P networks, social networking platforms and using encrypted communications applications.
Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, which they do by recording and posting their abuse of children, encouraging others to do the same.
Livestreaming of child abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases, video chat applications with built-in payment systems are used, which is one of the key challenges for law enforcement because the material is never recorded.
Payment fraud: SIM swapping a new trend
SIM swapping, a form of account takeover, is one of the new trends: it gives criminals access to sensitive user accounts.
Criminals fraudulently swap or port a victim’s mobile number to a SIM in their own possession so that the one-time passwords sent over SMS during authentication are delivered to them instead of the victim.
Criminal abuse of the dark web
In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web marketplaces has shortened, and no clearly dominant market has risen over the past year.
Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralized marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year.
OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.
VP for Promoting our European Way of Life, Margaritis Schinas, who is leading the European Commission’s work on the European Security Union, said: “Cybercrime is a hard reality. While the digital transformation of our societies evolves, so does cybercrime which is becoming more present and sophisticated.
“We will spare no efforts to further enhance our cybersecurity and step up law enforcement capabilities to fight against these evolving threats.”
EU Commissioner for Home Affairs, Ylva Johansson, said: “The Coronavirus Pandemic has slowed many aspects of our normal lives. But it has unfortunately accelerated online criminal activity. Organised Crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children.”
As the economic fallout of the COVID-19 crisis continues to unfold, research from Next Caller reveals the pervasive impact that COVID-related fraud has had on Americans, as well as emerging trends that threaten the security of contact centers, as we head towards what may be another wave of call activity.
The company’s latest report found that 55% of Americans believe they’ve been a victim of COVID-related fraud, up more than 20% from when the company conducted a similar study in April.
Perhaps even more worrisome is the fact that 59% of Americans claim they haven’t taken any additional precautions to protect themselves from these attacks.
“Even with massive amounts of PII circulating the dark web and so many new opportunities for criminals to exploit because of the pandemic, it’s still alarming that over half of the country thinks they’ve been targeted by COVID-related fraud,” said Ian Roncoroni, CEO, Next Caller.
“Compounding the problem is COVID’s unique ability to distract and disengage people from carefully monitoring their accounts. Criminals who are already well-equipped to bypass security can now operate longer without detection, worsening the impact exponentially.”
Data has shown the clear correlation between the economic fallout of the crisis – specifically stimulus related events – and the meteoric spikes in overall call volumes and the number of high-risk calls taking place inside contact centers across today’s biggest brands.
Fraudsters eager to replicate their initial success
A pending second stimulus package, combined with a clear urgency from Americans around receiving it, indicates that another wave of activity from customers and criminals is on the horizon.
In regards to the latest findings, Roncoroni said, “We have to prepare for a more sophisticated criminal strategy this time around. Rising reports of fraud activity signal not only that fraudsters are eager to replicate their initial success, but that some of those early schemes may just be getting started.
“The phony mailing address unceremoniously added to a bank account in April is likely just the trojan horse for a scheme ready to be set in motion under the cover of the next stimulus package.”
- 55% of Americans believe they’ve been targeted by COVID-related fraud
- Despite that, 59% of Americans say they have not taken any additional precautions to protect themselves from attacks
- Almost 1-in-3 Americans are more worried about becoming a victim of fraud than they are about contracting the virus
- 56% believe brands are equally responsible for providing flexible and accommodating customer service and protecting personal information
- When asked about their view of the next stimulus checks, 41% of Americans said “I really need another check”
- 53% of Americans say that they have already sought out information related to the next round of checks
As technology constantly advances, software development teams are bombarded with security alerts at an increasing rate. This has made it nearly impossible to remediate every vulnerability, rendering the ability to properly prioritize remediation all the more critical, according to WhiteSource and CYR3CON.
This research examines the most common methods software development teams use to prioritize software vulnerabilities for remediation, and compares those practices to data gathered from the discussions of hacker communities, including the dark web and deep web.
Key research findings
- Software development teams tend to prioritize based on available data such as vulnerability severity score (CVSS), ease of remediation, and publication date, but hackers don’t target vulnerabilities based on these parameters.
- Hackers are drawn to specific vulnerability types (CWEs), including CWE-20 (Improper Input Validation), CWE-125 (Out-of-bounds Read), CWE-79 (Cross-site Scripting) and CWE-200 (Information Exposure/Disclosure).
- Organizations tend to prioritize “fresh” vulnerabilities, while hackers often discuss vulnerabilities for over 6 months following exploitation, with even older vulnerabilities re-emerging in hacker community discussions as they reappear in new exploits or malware.
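To make the gap between the two prioritization approaches concrete, here is an added example (not WhiteSource's or CYR3CON's method, and not from the report): the same constructed backlog ranked once by the "available data" the findings describe (CVSS, freshness, ease of fix) and once by a threat-intel-informed score that weights the CWE types named above and hacker-community mention counts without discounting age. The vulnerability records and mention counts are made up; the scoring weights are illustrative assumptions.

```python
"""Two remediation orderings for one backlog: CVSS/age-driven vs intel-driven.

Added example, not WhiteSource's or CYR3CON's code. Records, mention
counts and weights are constructed; the CWE watchlist is the set the
article names.
"""
from dataclasses import dataclass
from datetime import date

# CWE types the article reports as attracting hacker discussion.
WATCHED_CWES = {"CWE-20", "CWE-125", "CWE-79", "CWE-200"}


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float          # CVSS base score, 0-10
    cwe: str
    published: date
    easy_fix: bool       # e.g. a drop-in dependency bump exists
    intel_mentions: int  # constructed count of hacker-forum mentions


def dev_team_score(v, today):
    """Typical 'available data' ordering: severity, freshness, fix cost.
    Freshness decays to zero after 180 days, so older issues sink."""
    age_days = (today - v.published).days
    freshness = max(0.0, 1.0 - age_days / 180.0)
    return v.cvss + 2.0 * freshness + (1.0 if v.easy_fix else 0.0)


def intel_score(v, today):
    """Intel-informed ordering: what attackers are actually discussing.
    Mentions count at full weight regardless of age, because old CVEs
    re-emerge in forums when new exploits or malware adopt them."""
    score = v.cvss
    if v.cwe in WATCHED_CWES:
        score += 2.0
    score += min(v.intel_mentions, 20) * 0.3
    return score


def rank(vulns, scorer, today):
    """CVE identifiers sorted from most to least urgent under the given scorer."""
    return [v.cve for v in sorted(vulns, key=lambda v: scorer(v, today), reverse=True)]


# Constructed backlog (not real CVE data).
TODAY = date(2020, 10, 1)
BACKLOG = [
    Vuln("CVE-A", 9.8, "CWE-787", date(2020, 9, 20), True, 0),    # fresh, critical, no chatter
    Vuln("CVE-B", 7.5, "CWE-79",  date(2019, 11, 3), False, 18),  # 11 months old, heavily discussed XSS
    Vuln("CVE-C", 5.3, "CWE-200", date(2020, 2, 14), True, 9),    # medium info leak, active chatter
    Vuln("CVE-D", 8.1, "CWE-400", date(2020, 9, 28), True, 0),    # fresh DoS, no chatter
]

if __name__ == "__main__":
    print("dev-team order :", rank(BACKLOG, dev_team_score, TODAY))
    print("intel order    :", rank(BACKLOG, intel_score, TODAY))
```

Under the dev-team scorer the two fresh issues come first and the eleven-month-old XSS lands third; under the intel scorer that XSS is the top item, which is the mismatch the findings describe.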
You can’t fix everything
“As development teams face an ever-rising number of disclosed vulnerabilities, it becomes impossible to fix everything and it’s imperative that teams focus on addressing the most urgent issues first,” said Rami Sass, CEO, WhiteSource.
“All too often companies unknowingly accept risk by using out-dated methods of vulnerability prioritization – and this report sheds light on the shortcomings of those approaches. Combining threat intelligence and machine learning overcomes those shortcomings, highlighting previously unidentified risks in the process,” said CYR3CON CEO Paulo Shakarian.
Credit card details, online banking logins, and social media credentials are available on the dark web at worryingly low prices, according to Privacy Affairs.
- Online banking logins cost an average of $35
- Full credit card details including associated data cost $12-20
- A full range of documents and account details allowing identity theft can be obtained for $1,285
Forged documents including driving licenses, passports, and auto-insurance cards can be ordered to match stolen data.
The research team scanned dark web marketplaces, forums, and websites, to create the price index for a range of products and services relating to personal data, counterfeit documents, and social media.
Online banking logins cost an average of $35
Online banking credentials typically include login information, as well as name and address of the account holder and specific details on how to access the account undetected.
Full credit card details including associated data costs: $12-20
Credit card details are usually formatted as a simple code that includes card number, associated dates and CVV, along with account holders’ data such as address, ZIP code, email address, and phone number.
A full range of documents and account details allowing identity theft can be obtained for $1,285.
Criminals can switch the European ID for a U.S. passport for an additional $950, bringing the total to $2,235 for enough data and documents to do any number of fraudulent transactions.
Malware installation on compromised systems is prevalent
Remote installation of software on 1,000 computers at a time allows criminals to target the public with malware such as ransomware in various countries with a 70% success rate.
Stolen data is very easy to obtain
The general public needs to not only be aware of how prevalent the threat of identity theft is but also how to mitigate that threat by applying due diligence in all aspects of their daily lives.
A data dump containing account information of over 26 million unique LiveJournal users has been offered for sale on dark web marketplaces and is now being shared for free on underground hacker forums.
The data dump, supposedly originating from a 2014 LiveJournal breach, holds 33+ million records with email addresses, usernames, profile URLs and plaintext passwords.
After removing duplicates, Troy Hunt added the dump to the Have I Been Pwned? service, where users can check whether their account is included. He dated the data dump to 2017 because that year appears in the dump’s file name.
When did the breach happen?
The story of this data breach and leak is an interesting one.
There have been rumors about a supposed LiveJournal breach for years, though the blogging platform, which is owned by Russian media company Rambler Media Group, never confirmed them.
Back in 2018, Hunt received reports about a sextortion campaign targeting LiveJournal users and using their passwords, which he flagged on Twitter on October 11, 2018.
Denise Paolucci, one of the owners of Dreamwidth, an online journal service based on the LiveJournal codebase (and with a significant crossover in user base), said on Tuesday that the data dump has been available on the black market since at least October of 2018, when they first reported people getting spam extortion emails with passwords in them.
“Beginning in March of 2020, and again in May of 2020, we saw several instances of Dreamwidth accounts being broken into and used for spam. We believed at the time, and continue to believe, that the source of the password information being used to break into these accounts is the same black-market file that claims to be LiveJournal password data. Every user we asked whether they had used the compromised password on LiveJournal before confirmed that they had,” she explained.
“We have no way to tell for sure whether LiveJournal has actually had a data breach, or whether the file that’s circulating is real or fake. All we can say for certain is that none of the evidence we’ve seen has disproven the claim made by the people offering the file that the file contains usernames and passwords taken from LiveJournal. We’ve contacted LiveJournal about our findings several times, and they’ve told us each time that they don’t believe the situation warrants disclosure to their users. However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.”
Past and current LiveJournal users are advised to change their passwords to a new, long and unique one and to do the same on any other account where they used the same one.
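Checking whether a password appears in a dump like this one should not require sending the password anywhere. The following is an added example for this page (not Troy Hunt's or Have I Been Pwned's own code) of the k-anonymity scheme the Pwned Passwords range API uses: only the first five hex characters of the password's SHA-1 leave the host, the service returns every hash suffix sharing that prefix with a breach count, and the match is made locally. The endpoint URL and the "SUFFIX:COUNT" line format are as HIBP documents them; the response body embedded below is constructed so the code runs offline, and the counts in it are made up.

```python
"""Breach-corpus password check via k-anonymity (HIBP Pwned Passwords style).

Added example, not HIBP's or Troy Hunt's code. Only a 5-hex-char SHA-1
prefix is sent; matching happens locally. The embedded range body is
constructed; live_fetch shows the real call but is not exercised here.
"""
import hashlib


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines.
    With Add-Padding enabled the API includes dummy suffixes with count 0."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def pwned_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not seen).
    fetch_range(prefix) must return the raw response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed response for the prefix of "password" (SHA-1 5BAA61E4...).
# Real responses hold hundreds of suffixes; these counts are invented.
_, PASSWORD_SUFFIX = sha1_prefix_suffix("password")
FAKE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{PASSWORD_SUFFIX}:3861493",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    "0A8DA5D6B3EBF8BE3A6C3D9D1A0B2C4D5E6:0",  # padding entry, count 0
])


def offline_fetch(prefix):
    """Stand-in for the HTTPS call: serves the constructed body for one prefix only."""
    if prefix != sha1_prefix_suffix("password")[0]:
        return ""
    return FAKE_RANGE_BODY


def live_fetch(prefix):
    """Real lookup over the network (not run in this file). Add-Padding asks the
    service to pad the response so its size does not reveal the prefix's bucket."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, offline_fetch)} times")
```

Swap offline_fetch for live_fetch to query the real service; the rest of the code is unchanged, and the full password hash never leaves the machine either way.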
There is a flood of interest in accessing corporate networks on the dark web, according to Positive Technologies.
In Q1 2020, the number of postings advertising access to these networks increased by 69 percent compared to the previous quarter. This may pose a significant risk to corporate infrastructure, especially now that many employees are working remotely.
“Access for sale” on the dark web is a generic term, referring to software, exploits, credentials, or anything else that allows illicitly controlling one or more remote computers.
In Q4 2019, over 50 access points to the networks of major companies from all over the world were publicly available for sale – the same number as during all of 2018. In Q1 2020, this number rose to 80.
Criminals mostly sell access to industrial companies, professional services companies, finance, science and education, and IT (together accounting for 58 percent of these offers).
Criminals targeting major companies
Only a year ago, criminals seemed to be more interested in trading individual servers, with access sold on the dark web for as little as $20. In the second half of 2019, however, interest shifted toward buying access to entire local corporate networks.
Prices have also skyrocketed: we’ve seen hackers offer a commission of up to 30 percent of the potential profit from a hack of a company’s infrastructure – with annual income exceeding $500 million. The average cost of privileged access to a single local network is in the range of $5,000.
Some major companies become the victims of these crimes, with annual incomes running into the hundreds of millions or even billions of dollars. In terms of location, hackers’ primary target is U.S. companies (more than a third of the total), followed by Italy and the United Kingdom (5.2 percent each), Brazil (4.4 percent), and Germany (3.1 percent).
In the U.S., criminals predominately sell access to professional services companies (20 percent), industrial companies (18 percent), and government institutions (14 percent). In Italy, industrial companies lead (25 percent), followed by professional services (17 percent).
In the United Kingdom, science and educational organizations account for 25 percent, and finance for 17 percent. In Germany, IT and professional services each account for 29 percent of access points for sale.
Network access sold to other dark web criminals
In most cases, access to these networks is sold to other dark web criminals. They either develop an attack on business systems themselves or hire a team of more skilled hackers to escalate network privileges and infect critical hosts in the victim’s infrastructure with malware. Ransomware operators were among the first to use this scheme.
Positive Technologies senior analyst Vadim Solovyov said: “Large companies stand to become a source of easy money for low-skilled hackers. Now that so many employees are working from home, hackers will look for any and all security lapses on the network perimeter. The larger the hacked company is, and the higher the obtained privileges, the more profitable the attack becomes.
“To stay safe, companies should ensure comprehensive infrastructure protection, both on the network perimeter and within the local network. Make sure that all services on the perimeter are protected and security events on the local network are properly monitored to detect intruders in time.
“Regular retrospective analysis of security events allows teams to discover previously undetected attacks and address threats before criminals can steal data or disrupt business processes.”
Fraud guides accounted for nearly half (49%) of the data being sold on the dark web, followed by personal data at 15.6%, according to Terbium Labs. Researchers surveyed three major dark web marketplaces: “The Canadian HeadQuarters”, “Empire Market” and “White House Market,” sorting all data listings into six categories: personal data, payment cards, financial accounts and credentials, non-financial accounts and credentials, fraud guides, and fraud tools and templates. Dark web marketplaces mimic big box retailers.
The U.S. Department of Justice’s Cybersecurity Unit has released guidelines for organizations that want to gather cyber threat intelligence from dark web forums/markets but, at the same time, want to stay on the right side of the (U.S. federal criminal) law.
The document focuses on “information security practitioners’ cyber threat intelligence-gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold. It also contemplates situations in which private actors attempt to purchase malware, security vulnerabilities, or their own stolen data—or stolen data belonging to others with the data owners’ authorization—in Dark Markets.”
It was compiled based on input from the US DOJ’s various divisions, the FBI, the U.S. Secret Service and the U.S. Treasury Department’s Office of Foreign Assets Control. In it, DOJ’s Cybersecurity Unit advises organizations on how to avoid becoming a perpetrator (consult with legal counsel, ask the FBI’s opinion before engaging in some legally murky activities) and a victim (institute security safeguards and adhere to cybersecurity practices that will minimize the risk of being victimized).
DOs and DON’Ts
DO:
- Gather cyber threat intelligence passively
- Access forums lawfully (by obtaining login credentials legitimately, for entirely fake personas)
- Ask questions and solicit advice on the forum (but document that they are doing that just for the purpose of gathering info, not committing a crime)
DON’T:
- Access forums unlawfully (by using stolen credentials, impersonating the identity of an actual person, including a government official, or using an exploit)
- Surreptitiously intercept communications occurring on a forum
- Provide the forum operator with malware or stolen personal info in order to gain access to the forum or provide other forum participants with useful information, services, or tools that can be used to commit crimes in order to get their trust
- Solicit or induce the commission of a computer crime
- Assist others engaged in criminal conduct (through advice or action)
DO:
- Involve their legal department in operational planning
- Share information about an ongoing or impending computer crime uncovered during intelligence gathering activities with law enforcement
Cybersecurity companies that monitor dark markets for specific types of information as a service to their customers – whether that’s stolen customer records offered for sale, malware or security vulnerabilities that target their customers’ networks or products – have additional specific things to take into consideration when attempting to purchase it (e.g., buying the data from a foreign terrorist organization is unlawful, and so is buying malware that is designed to intercept electronic communications surreptitiously).