As businesses ramp up defenses, cybercriminals and advanced persistent threat groups are rethinking their attack strategies to be more collaborative and complex, researchers report.
The more organizations invest in securing their networks and training staff, the harder and more expensive it becomes for attackers to disrupt them, Accenture iDefense analysts say in the "2019 Cyber Threatscape Report." Instead of backing down, adversaries are targeting victims with layered attacks, new techniques, and intricate relationships to disguise their identities.
"They've become more sophisticated; they've gone deeper underground," says Howard Marshall, director of cyber intelligence services, in an interview with Dark Reading. Conventional cybercrime operations remain active: Emotet, Loki Bot, Pony, NanoCore, and Nocturnal were the most common types of malware seen in 2018 and 2019, researchers found. The most common spam attachments deliver malware via weaponized Microsoft Office files.
As traditional campaigns continue to spread, law enforcement takedowns of popular communities, such as Alphabay and Hansa, have motivated attackers to swap open partnerships on underground forums for smaller, close-knit syndicates in order to remain hidden. "There's loss of visibility - the fact that it's a lot harder to get into some of these closed-network environments," adds Josh Ray, Accenture cyber defense lead, pointing to adversary cost.
That attack groups continue to remain operational despite crackdowns highlights a "significant increase" in the maturity and resilience of criminal networks, researchers say. As groups more closely work together, it disguises their identities and makes attribution harder.
Financially motivated campaigns aren't going away. The report describes an uptick in "big game hunting," in which cybercriminals launch targeted attacks for financial gain using a broad range of tailored malware or commodity crimeware that can be downloaded or purchased from underground forums. Criminals also conduct targeted attacks using legitimate pentesting tools, including Metasploit, Cobalt Strike, PowerShell Empire (PSE), Meterpreter, and Mimikatz.
Both Marshall and Ray point to the rise of disinformation as a threat to watch. In the report, analysts explain how new technologies can drive the spread of false information. Cybercriminals are likely to take advantage of high-profile global events to sway public opinion, and they have more tools to help, researchers say, citing 5G networks and artificial intelligence. New technologies will prove beneficial to businesses, but they may cause more damage when in the hands of an attacker.
Accenture predicts upcoming global events, including the 2020 Tokyo Summer Olympics, 2020 US presidential election, and events and activities related to NATO expansion, will become leverage for information operations, phishing campaigns, and other more destructive threats.
"Awareness around that activity has heightened," Ray says. Disinformation tactics can range from outright lies to the selection and distortion of facts to tell a misleading story. Social media remains the battlefield: It's free, and its presence in everyday life makes it an appealing tool.
"The near omnipresent role of social media in everyday life has positioned online communities as target-rich environments which exist beyond the conventional purview of corporations' security controls," researchers write in the report. "This has propelled social networks to the frontlines, as high-yield arenas for manipulation."
Ransomware: Bypassing Spam Campaigns
Ransomware is by no means a new concern to organizations around the world, but researchers anticipate the threat will be exacerbated. In addition to delivering ransomware via spam campaigns, attackers are also installing ransomware onto business networks by purchasing Remote Desktop Protocol (RDP) access to compromised servers on underground forums. This level of access is typically obtained through vulnerability exploitation and brute forcing.
Analysts predict ransomware will continue to drive cash flow for attackers. The median ransom demand observed in 2018 was around $10,000 per incident, with the highest reaching $8.5 million. But even with profits rising, researchers see mixed motives driving ransomware. Some attackers seek to destroy network environments in addition to, or instead of, making money.
Ransomware's ability to destroy information, slow performance, and disrupt services can help attackers hide evidence of crimes like espionage or fraud. Campaigns can also interfere with markets by using malware to lower a company's share price and increase its product cost. A ransomware attack can also send financial and political messages. Analysts point to GandCrab as an example of a threat that avoids targeting victims in certain countries.
What can businesses take from this? With respect to ransomware, researchers recommend maintaining regular backups of storage devices, servers, and users' information. If malware hits, they should "immediately disconnect" affected systems from the network, reimage infected systems whenever possible, and restore user data from backups. They should not pay ransom.
More broadly, Ray advises security admins to better understand their business' value chain. "A lot of security professionals don't understand how their companies make money," he says. This awareness can help downgrade the effectiveness of a cyberattack or disinformation campaign.
Business-savvy security leaders can also learn why different adversaries would target the firm, he adds. Attackers may focus on crown jewels you don't expect them to eye; marrying business acumen with threat data can provide a view of how a company appears to attackers.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio