Attacks/Breaches

11/14/2018
05:00 PM
Small-Time Cybercriminals Landing Steady Low Blows

High-end crime groups are acquiring the sorts of sophisticated capabilities only nation-states once had, while low-tier criminals maintain a steady stream of malicious activity, from cryptomining to PoS malware.

Sophisticated cybercrime groups and nation-state-backed adversaries are not the only threats to enterprise security. A steady level of malicious activity by relatively low-level criminals is also impacting businesses around the world and should not be ignored, a new report warns.

Secureworks' Counter Threat Unit recently analyzed one year's worth of incident response data and threat activity across 4,400 companies. The analysis showed that organizations are under siege by both high- and low-level criminals.

At the high end, sophisticated financially motivated cybercrime gangs have recently begun using tactics that were once associated only with nation-state-backed actors to plunder organizations around the world. Though relatively small in number, these organized crime gangs are responsible for the bulk of the cybercrime-related damage that businesses are experiencing, Secureworks found.

Highly organized groups of criminal actors in Central and West Africa, for instance, are targeting organizations with sophisticated business email compromise and business email spoofing campaigns that over the years have resulted in billions of dollars in losses. Examples include Nigerian threat groups Gold Galleon, which targets shipping companies, and Gold Milton, which targets real-estate companies and law firms in Australia.

Other high-end criminal gangs, like the FIN7 group, are making millions by combining advanced social engineering and network-intrusion techniques with point-of-sale malware to steal payment card data. In August, the US Department of Justice indicted several members of FIN7 on charges related to the theft of 15 million payment cards from some 3,600 institutions.

Small groups of highly professional operators from Eastern Europe and elsewhere are targeting online retailers, cryptocurrency exchanges, banks, and ATMs in campaigns that are netting them millions of dollars. One example is an attack on an Indian bank's ATM infrastructure this August, which resulted in nearly $15 million in losses over a period of just three days. North Korea's infamous Lazarus Group is believed to be behind that attack. Other campaigns have involved so-called "cashout" and ATM "jackpotting" operations in which threat actors have stolen millions of dollars via coordinated withdrawals from dozens of ATMs across multiple countries.

"These kinds of criminal actors are more difficult to track because their communications are private and they do not advertise their intentions in forums where they might be observed by security researchers or law enforcement," says Mike McLellan, senior security researcher at Secureworks CTU.

While sophisticated cybercriminals may make use of tools obtained from dark web forums or sell their capabilities on it, they are not openly doing business there — making them very hard to spot, he notes. As these groups increasingly acquire nation-state actor-like capabilities, attribution is going to become much harder, he says.

Low-level Criminality

At the same time, low- and mid-tier cybercriminals are maintaining a steady level of malicious activity related to cryptocurrency mining, ransomware, spam, and banking and POS malware.

In 2017, one in three organizations encountered cryptocurrency mining software on their networks. It remains a threat this year as well, contrary to common perception, McLellan says. "There is no evidence that cryptocurrency mining activity has decreased, despite the reduction in the market value of popular currencies such as Bitcoin and Monero."

Similarly, Secureworks' study found no letting up in ransomware activity. Between July 2017 and the end of June 2018, researchers from the company tracked 257 new ransomware families. The most prevalent of them was GandCrab, a ransomware tool distributed via Russian-language forums and exploit kits such as RIG and Grandsoft. In a majority of instances, ransomware targeting continues to be indiscriminate and many of the tools that have emerged over the last year are unsophisticated, Secureworks said in its report.

The easy availability of malware tools and services, and demand for personally identifiable information (PII) and other sensitive data continue to drive a lot of the malicious activity.

Secureworks regularly found comprehensive dossiers containing individuals' PII, payment card data, and other information being offered for sale on underground forums at prices ranging from $10 to $25.

"Observed 'for sale' prices appear to have remained reasonably consistent, although there are a number of variables that come into play, such as the reputation of the seller and the nature of the PII," McLellan says.

Also lowering the bar for cybercriminals are underground marketplaces selling direct access to compromised systems and to anonymized servers for carrying out malicious activity. Numerous forums, for instance, offer access to Virtual Private Servers and dedicated hosting services for between $10 and $300.

Others are selling access to compromised Remote Desktop Protocol servers for prices ranging from as little as 50 cents to $400. Some advertised prices have ranged between $1,000 and $20,000 for broader access to an organization's network.

"Criminals might charge more where the organization is of a certain size, or in an industry vertical where they consider that the data it processes might have good inherent value," McLellan says. "The price will also depend on the type of access offered and whether the actor selling the access has pre-installed additional tools."

The trends highlight the need for enterprises to essentially make themselves a harder target. "Fundamentally, criminal actors want to make as much money as they can with the least possible effort and risk." By implementing best practices like patching, multi-factor authentication on Internet-facing applications, least privilege for users, and layered detective controls, organizations can encourage criminals to look elsewhere, McLellan says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
