Small-Time Cybercriminals Landing Steady Low Blows

High-end crime groups are acquiring the sorts of sophisticated capabilities only nation-states once had, while low-tier criminals maintain a steady stream of malicious activity, from cryptomining to PoS malware.

Sophisticated cybercrime groups and nation-state-backed adversaries are not the only threats to enterprise security. A steady level of malicious activity by relatively low-level criminals is also hitting businesses around the world and should not be ignored, a new report warns.

Secureworks' Counter Threat Unit recently analyzed one year's worth of incident response data and threat activity across 4,400 companies. The analysis showed that organizations are under siege by both high- and low-level criminals.

At the high end, sophisticated, financially motivated cybercrime gangs have recently begun using tactics once associated only with nation-state-backed actors to plunder organizations around the world. Though relatively few in number, these organized crime gangs are responsible for the bulk of the cybercrime-related damage that businesses are experiencing, Secureworks found.

Highly organized groups of criminal actors in Central and West Africa, for instance, are targeting organizations with sophisticated business email compromise and business email spoofing campaigns that over the years have resulted in billions of dollars in losses. Examples include Nigerian threat groups Gold Galleon, which targets shipping companies, and Gold Milton, which targets real-estate companies and law firms in Australia.

Other high-end criminal gangs, like the FIN7 group, are making millions by combining advanced social engineering and network-intrusion techniques with point-of-sale malware to steal payment card data. In August, the US Department of Justice indicted several members of FIN7 on charges related to the theft of 15 million payment cards from some 3,600 institutions.

Small groups of highly professional operators from Eastern Europe and elsewhere are targeting online retailers, cryptocurrency exchanges, banks, and ATMs in campaigns that are netting them millions of dollars. One example is an attack on an Indian bank's ATM infrastructure this August, which resulted in nearly $15 million in losses over a period of just three days. North Korea's infamous Lazarus Group is believed to be behind that attack. Other campaigns have involved so-called "cashout" and ATM "jackpotting" operations in which threat actors have stolen millions of dollars via coordinated withdrawals from dozens of ATMs across multiple countries.

"These kind of criminal actors are more difficult to track because their communications are private and they do not advertise their intentions in forums where they might be observed by security researchers or law enforcement," says Mike McLellan, senior security researcher at Secureworks CTU.

While sophisticated cybercriminals may use tools obtained from dark web forums or sell their capabilities there, they are not openly doing business in those forums, which makes them very hard to spot, he notes. As these groups increasingly acquire nation-state-like capabilities, attribution is going to become much harder, he says.

Low-level Criminality

At the same time, low- and mid-tier cybercriminals are maintaining a steady level of malicious activity involving cryptocurrency mining, ransomware, spam, and banking and PoS malware.

In 2017, one in three organizations encountered cryptocurrency mining software on their networks. It continues to remain a threat this year as well, contrary to common perception, McLellan says. "There is no evidence that cryptocurrency mining activity has decreased, despite the reduction in the market value of popular currencies such as Bitcoin and Monero."

Similarly, Secureworks' study found no letting up in ransomware activity. Between July 2017 and the end of June 2018, researchers from the company tracked 257 new ransomware families. The most prevalent of them was GandCrab, a ransomware tool distributed via Russian-language forums and exploit kits such as RIG and Grandsoft. In a majority of instances, ransomware targeting continues to be indiscriminate and many of the tools that have emerged over the last year are unsophisticated, Secureworks said in its report.

The easy availability of malware tools and services, and the demand for personally identifiable information (PII) and other sensitive data, continue to drive much of this malicious activity.

Secureworks regularly found comprehensive dossiers containing individuals' PII, payment card data, and other information being offered for sale on underground forums at prices ranging from $10 to $25.

"Observed 'for sale' prices appear to have remained reasonably consistent, although there are a number of variables that come into play, such as the reputation of the seller and the nature of the PII," McLellan says.

Also lowering the bar for cybercriminals are underground marketplaces selling direct access to compromised systems and to anonymized servers for carrying out malicious activity. Numerous forums, for instance, offer access to virtual private servers and dedicated hosting services for between $10 and $300.

Others are selling access to compromised Remote Desktop Protocol (RDP) servers at prices ranging from as little as 50 cents to $400. Advertised prices for broader access to an organization's network have ranged between $1,000 and $20,000.

"Criminals might charge more where the organization is of a certain size, or in an industry vertical where they consider that the data it processes might have good inherent value," McLellan says. "The price will also depend on the type of access offered and whether the actor selling the access has pre-installed additional tools."

The trends highlight the need for enterprises to make themselves a harder target. "Fundamentally, criminal actors want to make as much money as they can with the least possible effort and risk," McLellan says. By implementing best practices such as patching, multi-factor authentication on Internet-facing applications, least privilege for users, and layered detective controls, organizations can encourage criminals to look elsewhere.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.