Stronger Defenses Force Cybercriminals to Rethink Strategy

Researchers see the rise of new relationships and attack techniques as criminals put companies' resilience to the test.

As businesses ramp up defenses, cybercriminals and advanced persistent threat groups are rethinking their attack strategies to be more collaborative and complex, researchers report.

The more organizations invest in securing their networks and training staff, the harder and more expensive it becomes for attackers to disrupt them, Accenture iDefense analysts say in the "2019 Cyber Threatscape Report." Instead of backing down, adversaries are targeting victims with layered attacks, new techniques, and intricate relationships to disguise their identities.

"They've become more sophisticated; they've gone deeper underground," says Howard Marshall, director of cyber intelligence services, in an interview with Dark Reading. Conventional cybercrime operations remain active: Emotet, Loki Bot, Pony, NanoCore, and Nocturnal were the most common types of malware seen in 2018 and 2019, researchers found. The most common spam attachments deliver malware via weaponized Microsoft Office files.

As traditional campaigns continue to spread, law enforcement takedowns of popular communities, such as Alphabay and Hansa, have motivated attackers to swap open partnerships on underground forums for smaller, close-knit syndicates in order to remain hidden. "There's loss of visibility - the fact that it's a lot harder to get into some of these closed-network environments," adds Josh Ray, Accenture cyber defense lead, pointing to adversary cost.

That attack groups continue to remain operational despite crackdowns highlights a "significant increase" in the maturity and resilience of criminal networks, researchers say. As groups more closely work together, it disguises their identities and makes attribution harder.

Financially motivated campaigns aren't going away. The report describes an uptick in "big game hunting," in which cybercriminals launch targeted attacks for financial gain using a broad range of tailored malware or commodity crimeware that can be downloaded or purchased from underground forums. Criminals also conduct targeted attacks using legitimate pentesting tools, including Metasploit, Cobalt Strike, PowerShell Empire (PSE), Meterpreter, and Mimikatz.

Both Marshall and Ray point to the rise of disinformation as a threat to watch. In the report, analysts explain how new technologies can drive the spread of false information. Cybercriminals are likely to take advantage of high-profile global events to sway public opinion, and they have more tools to help, researchers say, citing 5G networks and artificial intelligence. New technologies will prove beneficial to businesses, but they may cause more damage when in the hands of an attacker.

Accenture predicts upcoming global events, including the 2020 Tokyo Summer Olympics, 2020 US presidential election, and events and activities related to NATO expansion, will become leverage for information operations, phishing campaigns, and other more destructive threats.

"Awareness around that activity has heightened," Ray says. Disinformation tactics can range from outright lies to the selection and distortion of facts to tell a misleading story. Social media remains the battlefield: It's free, and its presence in everyday life makes it an appealing tool.

"The near omnipresent role of social media in everyday life has positioned online communities as target-rich environments which exist beyond the conventional purview of corporations' security controls," researchers write in the report. "This has propelled social networks to the frontlines, as high-yield arenas for manipulation."

Ransomware: Bypassing Spam Campaigns
Ransomware is by no means a new concern to organizations around the world, but researchers anticipate the threat will be exacerbated. In addition to delivering ransomware via spam campaigns, attackers are also installing ransomware onto business networks by purchasing Remote Desktop Protocol (RDP) access to compromised servers on underground forums. This level of access is typically obtained through vulnerability exploitation and brute forcing.
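The paragraph above notes that the RDP access sold on underground forums is usually obtained by exploitation or brute forcing. The following is an added example (not code from the article or from Accenture's report) of the detection side of that: a small detector that counts failed RDP logons per source address in a sliding window and raises a second alert if a source that was flagged for brute forcing later logs on successfully. The pipe-separated event format, the field names and the sample events are all constructed for this example; in practice they would come from Windows Security log exports (event 4625 for failures, 4624 for successes, logon type 10 for RemoteInteractive/RDP).

```python
"""Detect RDP brute-force activity in Windows Security events.

Added example, not from the Dark Reading article or the Accenture report.
Assumes events have already been exported in the constructed format
"timestamp|EventID|LogonType|IpAddress|TargetUserName"; the sample events
below are constructed, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive: RDP / Terminal Services


def parse_event(line):
    """Parse one constructed event line into a dict."""
    ts, event_id, logon_type, ip, user = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "ip": ip,
        "user": user,
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts.

    One 'bruteforce' alert is raised per source IP whose failed RDP logons
    reach `threshold` within `window`; a 'success_after_bruteforce' alert is
    raised if a flagged IP later logs on successfully over RDP, which is the
    case a responder most wants to see first.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    flagged = set()                 # ips already reported for brute forcing
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                # only RDP logons are in scope here
        recent = failures[ev["ip"]]
        if ev["event_id"] == FAILED_LOGON:
            recent.append(ev["ts"])
            # drop failures that fell out of the sliding window
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "bruteforce", "ip": ev["ip"],
                               "failures": len(recent), "at": ev["ts"]})
        elif ev["event_id"] == SUCCESS_LOGON and ev["ip"] in flagged:
            alerts.append({"type": "success_after_bruteforce", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


# Constructed sample events: one noisy source that guesses several accounts
# and then succeeds, one benign user who mistypes twice, and one non-RDP
# failure that the detector must ignore.
SAMPLE_EVENTS = [
    "2019-10-18T02:00:01|4625|10|203.0.113.7|admin",
    "2019-10-18T02:00:03|4625|10|203.0.113.7|administrator",
    "2019-10-18T02:00:05|4625|10|203.0.113.7|backup",
    "2019-10-18T02:00:07|4625|3|203.0.113.7|admin",         # network logon, not RDP
    "2019-10-18T02:00:09|4625|10|203.0.113.7|sqlsvc",
    "2019-10-18T02:00:11|4625|10|203.0.113.7|helpdesk",     # 5th RDP failure -> alert
    "2019-10-18T02:00:40|4625|10|198.51.100.9|jsmith",
    "2019-10-18T02:01:10|4625|10|198.51.100.9|jsmith",
    "2019-10-18T02:03:20|4624|10|203.0.113.7|administrator",  # success from flagged ip
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately parameters: a value that is right for an internet-facing jump host will be far too noisy for an internal server where a single misconfigured scheduled task can produce a steady stream of failures, so both should be tuned per host class rather than set globally.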

Analysts predict ransomware will continue to drive cash flow for attackers. The median ransom demand observed in 2018 was around $10,000 per incident, with the highest reaching $8.5 million. But even with profits rising, researchers see mixed motives driving ransomware. Some attackers seek to destroy network environments in addition to, or instead of, making money.

Ransomware's ability to destroy information, slow performance, and disrupt services can help attackers hide evidence of crimes like espionage or fraud. Campaigns can also interfere with markets by using malware to lower a company's share price and increase its product cost. A ransomware attack can also send financial and political messages. Analysts point to GandCrab as an example of a threat that avoids targeting victims in certain countries.

What can businesses take from this? With respect to ransomware, researchers recommend maintaining regular backups of storage devices, servers, and users' information. If malware hits, they should "immediately disconnect" affected systems from the network, reimage infected systems whenever possible, and restore user data from backups. They should not pay ransom.

More broadly, Ray advises security admins to better understand their business' value chain. "A lot of security professionals don't understand how their companies make money," he says. This awareness can help downgrade the effectiveness of a cyberattack or disinformation campaign.

Business-savvy security leaders can also learn why different adversaries would target the firm, he adds. Attackers may focus on crown jewels you don't expect them to eye; marrying business acumen with threat data can provide a view of how a company appears to attackers.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
