
Endpoint

8/14/2019
05:00 PM

Stronger Defenses Force Cybercriminals to Rethink Strategy

Researchers see the rise of new relationships and attack techniques as criminals put companies' resilience to the test.

As businesses ramp up defenses, cybercriminals and advanced persistent threat groups are rethinking their attack strategies to be more collaborative and complex, researchers report.

The more organizations invest in securing their networks and training staff, the harder and more expensive it becomes for attackers to disrupt them, Accenture iDefense analysts say in the "2019 Cyber Threatscape Report." Instead of backing down, adversaries are targeting victims with layered attacks, new techniques, and intricate relationships to disguise their identities.

"They've become more sophisticated; they've gone deeper underground," says Howard Marshall, director of cyber intelligence services, in an interview with Dark Reading. Conventional cybercrime operations remain active: Emotet, Loki Bot, Pony, NanoCore, and Nocturnal were the most common types of malware seen in 2018 and 2019, researchers found. The most common spam attachments deliver malware via weaponized Microsoft Office files.

As traditional campaigns continue to spread, law enforcement takedowns of popular communities, such as Alphabay and Hansa, have motivated attackers to swap open partnerships on underground forums for smaller, close-knit syndicates in order to remain hidden. "There's loss of visibility - the fact that it's a lot harder to get into some of these closed-network environments," adds Josh Ray, Accenture cyber defense lead, pointing to adversary cost.

That attack groups remain operational despite these crackdowns highlights a "significant increase" in the maturity and resilience of criminal networks, researchers say. As groups work together more closely, the collaboration disguises their identities and makes attribution harder.

Financially motivated campaigns aren't going away. The report describes an uptick in "big game hunting," in which cybercriminals launch targeted attacks for financial gain using a broad range of tailored malware or commodity crimeware that can be downloaded or purchased from underground forums. Criminals also conduct targeted attacks using legitimate pentesting tools, including Metasploit, Cobalt Strike, PowerShell Empire (PSE), Meterpreter, and Mimikatz.

Both Marshall and Ray point to the rise of disinformation as a threat to watch. In the report, analysts explain how new technologies can drive the spread of false information. Cybercriminals are likely to take advantage of high-profile global events to sway public opinion, and they have more tools to help, researchers say, citing 5G networks and artificial intelligence. New technologies will prove beneficial to businesses, but they may cause more damage when in the hands of an attacker.

Accenture predicts upcoming global events, including the 2020 Tokyo Summer Olympics, 2020 US presidential election, and events and activities related to NATO expansion, will become leverage for information operations, phishing campaigns, and other more destructive threats.

"Awareness around that activity has heightened," Ray says. Disinformation tactics can range from outright lies to the selection and distortion of facts to tell a misleading story. Social media remains the battlefield: It's free, and its presence in everyday life makes it an appealing tool.

"The near omnipresent role of social media in everyday life has positioned online communities as target-rich environments which exist beyond the conventional purview of corporations' security controls," researchers write in the report. "This has propelled social networks to the frontlines, as high-yield arenas for manipulation."

Ransomware: Bypassing Spam Campaigns
Ransomware is by no means a new concern to organizations around the world, but researchers anticipate the threat will be exacerbated. In addition to delivering ransomware via spam campaigns, attackers are also installing ransomware onto business networks by purchasing Remote Desktop Protocol (RDP) access to compromised servers on underground forums. This level of access is typically obtained through vulnerability exploitation and brute forcing.
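The article names brute forcing of RDP as one of the ways attackers obtain the server access that is later sold on underground forums. The following is an added defensive example, not code from Dark Reading or from the Accenture report: it scans Windows Security log events for failed RDP logons (event ID 4625 with logon type 10, RemoteInteractive) and flags any source address that reaches a threshold of failures inside a sliding time window, noting whether a successful logon (event ID 4624) from the same address followed the burst. The key=value export format, the threshold, and the sample log lines are all constructed for the example.

```python
"""Added example (not from the article or the Accenture report): flag likely
RDP brute-force activity in Windows Security log events.

Assumptions: failed logons are event ID 4625 and successful logons are event
ID 4624; logon type 10 is RemoteInteractive (RDP). The one-line key=value
export format and the sample log lines below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: one burst of failures followed by a success from
# 203.0.113.5, two isolated failures from 198.51.100.7, and a non-RDP failure.
SAMPLE_LOG = """\
2019-08-14T09:00:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5
2019-08-14T09:00:09 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5
2019-08-14T09:00:17 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.5
2019-08-14T09:00:25 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.5
2019-08-14T09:00:33 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5
2019-08-14T09:00:41 EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.5
2019-08-14T09:00:49 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5
2019-08-14T09:00:57 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5
2019-08-14T09:02:30 EventID=4624 LogonType=10 TargetUser=admin SourceIP=203.0.113.5
2019-08-14T09:05:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2019-08-14T09:05:20 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2019-08-14T09:06:00 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=192.0.2.9
2019-08-14T09:07:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one exported event line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": int(m["event"]),
        "logon_type": int(m["ltype"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def rdp_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (peak_failures_in_window, succeeded_after_burst)}
    for every source that reaches `threshold` failed RDP logons inside `window`.
    A success after a flagged burst is the case worth escalating first."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != 10:  # only RDP logons matter here
            continue
        if ev["event"] == 4625:
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                peak, succeeded = flagged.get(ev["ip"], (0, False))
                flagged[ev["ip"]] = (max(peak, len(q)), succeeded)
        elif ev["event"] == 4624 and ev["ip"] in flagged:
            peak, _ = flagged[ev["ip"]]
            flagged[ev["ip"]] = (peak, True)
    return flagged


if __name__ == "__main__":
    for ip, (peak, succeeded) in rdp_bruteforce_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} failed RDP logons in window; "
              f"{'SUCCESS followed burst' if succeeded else 'no success seen'}")
```

Run as a script, the block reports 203.0.113.5 as a flagged source whose burst of failures was followed by a successful logon, while the two failures from 198.51.100.7 and the non-RDP failure are ignored. In practice the same logic applies to events pulled from a SIEM or from Get-WinEvent, and a success following a burst is the signal that should trigger the disconnect-and-reimage response the article recommends.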

Analysts predict ransomware will continue to drive cash flow for attackers. The median ransom demand observed in 2018 was around $10,000 per incident, with the highest reaching $8.5 million. But even with profits rising, researchers see mixed motives driving ransomware. Some attackers seek to destroy network environments in addition to, or instead of, making money.

Ransomware's ability to destroy information, slow performance, and disrupt services can help attackers hide evidence of crimes like espionage or fraud. Campaigns can also interfere with markets by using malware to lower a company's share price and increase its product cost. A ransomware attack can also send financial and political messages. Analysts point to GandCrab as an example of a threat that avoids targeting victims in certain countries.

What can businesses take from this? With respect to ransomware, researchers recommend maintaining regular backups of storage devices, servers, and users' information. If malware hits, they should "immediately disconnect" affected systems from the network, reimage infected systems whenever possible, and restore user data from backups. They should not pay ransom.

More broadly, Ray advises security admins to better understand their business' value chain. "A lot of security professionals don't understand how their companies make money," he says. This awareness can help downgrade the effectiveness of a cyberattack or disinformation campaign.

Business-savvy security leaders can also learn why different adversaries would target the firm, he adds. Attackers may focus on crown jewels you don't expect them to eye; marrying business acumen with threat data can provide a view of how a company appears to attackers.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
