Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/14/2018
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Small-Time Cybercriminals Landing Steady Low Blows

High-end crime groups are acquiring the sorts of sophisticated capabilities only nation-states once had, while low-tier criminals maintain a steady stream of malicious activity, from cryptomining to PoS malware.

Sophisticated cybercrime groups and nation-stated backed adversaries are not the only threats to enterprise security. A steady level of malicious activity by relatively low-level criminals is impacting businesses all around the world as well and should not be ignored, a new report warns.

Secureworks' Counter Threat Unit recently analyzed one year's worth of incident response data and threat activity across 4,400 companies. The analysis showed that organizations are under siege by both high- and low-level criminals.

At the high end, sophisticated financially motivated cybercrime gangs have recently begun using tactics that were once associated only with nation-state backed actors to plunder organizations around the world. Though relatively small in number, these organized crime gangs are responsible for a bulk of the cybercrime-related damage that businesses are experiencing, Secureworks found.

Highly organized groups of criminal actors in Central and West Africa, for instance, are targeting organizations with sophisticated business email compromise and business email spoofing campaigns that over the years have resulted in billions of dollars in losses. Examples include Nigerian threat groups Gold Galleon, which targets shipping companies, and Gold Milton, which targets real-estate companies and law firms in Australia.

Other high-end criminal gangs, like the FIN7 group, are making millions by combining advanced social engineering and network-intrusion techniques with point-of-sale malware to steal payment card data. In August, the US Department of Justice indicted several members of FIN7 on charges related to the theft of 15 million payment cards from some 3,600 institutions.

Small groups of highly professional operators from Eastern Europe and elsewhere are targeting online retailers, cryptocurrency exchanges, banks, and ATMs in campaigns that are netting them millions of dollars. One example is an attack on an Indian bank's ATM infrastructure this August, which resulted in nearly $15 million in losses over a period of just three days. North Korea's infamous Lazarus Group is believed to be behind that attack. Other campaigns have involved so-called "cashout" and ATM "jackpotting" operations in which threat actors have stolen millions of dollars via coordinated withdrawals from dozens of ATMs across multiple countries.

"These kind of criminal actors are more difficult to track because their communications are private and they do not advertise their intentions in forums where they might be observed by security researchers or law enforcement," says Mike McLellan, senior security researcher at Secureworks CTU.

While sophisticated cybercriminals may make use of tools obtained from dark web forums or sell their capabilities on it, they are not openly doing business there — making them very hard to spot, he notes. As these groups increasingly acquire nation-state actor-like capabilities, attribution is going to become much harder, he says.

Low-level Criminality

At the same time, low and mid-tier cybercriminals are maintaining a steady level of malicious activity related to cryptocurrency mining, ransomware, spam, and banking and POS malware.

In 2017, one in three organizations encountered cryptocurrency mining software on their networks. It continues to remain a threat this year as well, contrary to common perception, McLellan says. "There is no evidence that cryptocurrency mining activity has decreased, despite the reduction in the market value of popular currencies such as Bitcoin and Monero."

Similarly, Secureworks' study found no letting up in ransomware activity. Between July 2017 and the end of June 2018, researchers from the company tracked 257 new ransomware families. The most prevalent of them was GandCrab, a ransomware tool distributed via Russian-language forums and exploit kits such as RIG and Grandsoft. In a majority of instances, ransomware targeting continues to be indiscriminate and many of the tools that have emerged over the last year are unsophisticated, Secureworks said in its report.

The easy availability of malware tools and services, and demand for personally identifiable information (PII) and other sensitive data continue to drive a lot of the malicious activity.

Secureworks regularly found comprehensive dossiers containing individual PII, payment card data and other information being offered for sale on underground forums at prices ranging from $10 to $25.

"Observed 'for sale' prices appear to have remained reasonably consistent, although there are a number of variables that come into play, such as the reputation of the seller and the nature of the PII," McLellan says.

Also lowering the bar for cybercriminals are underground marketplaces selling direct access to compromised systems and to anonymized servers for carrying out malicious activity. Numerous forums for instance offer access to Virtual Private Servers and dedicated hosting services for between $10 and $300.

Others are selling access to compromised Remote Desktop Protocol servers for prices ranging from as little as 50 cents to $400. Some advertised prices have ranged between $1,000 and $20,000 for broader access to an organization's network.

"Criminals might charge more where the organization is of a certain size, or in an industry vertical where they consider that the data it processes might have good inherent value," McLellan says. "The price will also depend on the type of access offered and whether the actor selling the access has pre-installed additional tools."

The trends highlight the need for enterprises to essentially make themselves a harder target. "Fundamentally, criminal actors want to make as much money as they can with the least possible effort and risk." By implementing best practices like patching, multi-factor authentication on Internet-facing applications, least privilege for users, and layered detective controls, organizations can encourage criminals to look elsewhere, McLellan says.

Related Content:

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
A Lawyer's Guide to Cyber Insurance: 4 Basic Tips
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  7/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13951
PUBLISHED: 2019-07-18
The set_ipv4() function in zscan_rfc1035.rl in gdnsd 3.2.0 has a stack-based buffer overflow via a long and malformed IPv4 address in zone data.
CVE-2019-13952
PUBLISHED: 2019-07-18
The set_ipv6() function in zscan_rfc1035.rl in gdnsd 3.2.0 has a stack-based buffer overflow via a long and malformed IPv6 address in zone data.
CVE-2019-10100
PUBLISHED: 2019-07-18
The Sleuth Kit 4.6.0 and earlier is affected by: Integer Overflow. The impact is: Opening crafted disk image triggers crash in tsk/fs/hfs_dent.c:237. The component is: Overflow in fls tool used on HFS image. Bug is in tsk/fs/hfs.c file in function hfs_cat_traverse() in lines: 952, 1062. The attack v...
CVE-2019-10102
PUBLISHED: 2019-07-18
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt (https://github.com/saltstack/salt/blob/devel...
CVE-2019-10102
PUBLISHED: 2019-07-18
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically ...