Risk

9/5/2019
01:20 PM
Crimeware: How Criminals Built a Business to Target Businesses

A new report investigates the evolution of crimeware, how businesses underestimate the threat, and why they should be concerned.

As businesses large and small have shifted their security concerns from financial cyberattacks to sophisticated threats, criminals have been building a well-run crimeware organization. Operating as an enterprise in its own right, it lets them develop, leverage, and distribute new infection methods.

Chronicle, the enterprise cybersecurity division under Alphabet and recent addition to Google Cloud, today published a report investigating the evolution of crimeware from 2013 to 2018. Researchers explain how crimeware, traditionally considered a "commodity threat," has grown into a highly lucrative institution fueling sophistication of malware and attack strategies.

"These guys run straight businesses," says Brandon Levene, head of applied intelligence at Chronicle and report author, explaining the services offered and analytics used. "Everything is well documented. The data is extraordinarily rich. … I think that has been a really big tell" for how organized these criminal organizations are.

Instances of crimeware have steadily grown each year, Levene says, and the prevalence and frequency of attacks have desensitized security teams. "Crimeware fatigue," as he describes it, distracts targets from malicious activity that has become inexpensive and low effort for financially motivated criminals. Once attackers are on a corporate network, they know how to conduct reconnaissance, identify what is valuable to them, and determine where they sit in an organization.

"They are able to select their victims for maximum value," he continues. Years of deploying massive, broad attacks have taught cybercriminals how to optimize for volume and speed; now, they leverage traditional workplace standards to generate profit. A shift to consolidation and "crimeware-as-a-service" showcases their ability to grow this business while finding new tactics.

All the while, as attackers have refined their techniques and profited off enterprise victims, law enforcement has lagged behind. Criminals model risk based on law enforcement's efforts and adjust their tactics based on the funds they generate, Levene says. Unburdened by geography and other factors that limit law enforcement's ability to find and arrest attackers, crimeware operators have had an advantage in building their capabilities to further outpace the good guys.

So, how did we get here? How have criminals adjusted their operations, and why are they leveraging their more advanced capabilities to target businesses instead of consumers?

A Snapshot of Crimeware's Evolution
In 2012 and 2013, which marked the start of Levene's research, there was a "pretty broad range" of people conducting malware operations. Over time, these parties began to consolidate, likely in response to the risks of running malware operations. Infrastructure hosting was consolidated, and malware began to consolidate as well, he explains. While we still see multiple malware families, it's typically the same four to five names instead of the 20 to 30 seen in the past.

While crimeware is generally increasing, different attacks have seen different trends. Banker malware, for example, was "relatively flat" from 2013 to 2017, then spiked 1,130% in the second quarter of 2017. Ransomware's growth track was more reliable, increasing in 13 of the 20 total quarters analyzed. Information stealers' growth was stable from 2013 to 2018. Miners were pretty uncommon until they appeared in the transition from 2017 to 2018, Levene reports.

Emotet, which has recently been less active but historically has had a strong relationship with the criminal community, is one example of a threat that has adjusted its technique. Its operators have moved from a banking Trojan model to running "enormous" malware spam campaigns through which they gain, and subsequently sell, access to businesses. TrickBot has also stepped up its pace, Levene says. Emotet was used as a dropper for TrickBot, which can launch ransomware attacks.

One of the biggest shifts in technique was the transition to the "as-a-service" model. In this environment, trusted affiliates could manage malware distribution, command and control, data collection, and payouts. More criminals owned "as-a-service" platforms or bought into them, eliminating the need for people to run their own malware operations. Attackers don't need to share source code with customers, who can launch campaigns with less-advanced skills.

"Executing a well-run operation from beginning to end is much easier," Levene says, once a criminal is able to enter one of these operations or pay for a relationship to the operators. "A lot of these businesses are run on trust," he notes, and many have been around for years.

Why Businesses Should Be Worried
Today's organizations underestimate the threat of crimeware; instead, they're worried about advanced persistent threats (APTs) and advanced attacks. "One of the misconceptions is that financially motivated threat actors are not as sophisticated as these targeted intruders, nation-state intruders," he says.

APTs are low-prevalence, high-impact threats, Levene adds. Crimeware is high prevalence, high impact. Businesses that can't stop high-prevalence intrusions have no chance of stopping an APT. "The competence of financially motivated threat actors has gotten to a point where they can disrupt an organization or an enterprise just as badly as an APT."

There are two ways attackers normally try to break into a business environment. The first is sending emails laced with malicious links or attachments, which Levene calls "the bread and butter" of cybercriminals. "That accounts for the huge majority of targeting," he points out. Unlike in 2013 or 2015, when criminals used exploit kits, they now rely on social engineering.

The second is Internet-facing remote access protocols, including TeamViewer, VNC, and Windows Remote Desktop. All offer public-facing remote access into an enterprise server but are often protected with weak passwords. Criminals gain access to these environments and launch tailored ransomware attacks. Levene notes that this tactic, which has become prevalent in the past two years, requires more labor, knowledge, interaction, and availability to distribute malware than email-based campaigns do.

He anticipates that ransomware and destructive malware will be a growing concern, especially as attackers tailor their access to chosen environments. Loaders will get smaller, droppers will improve, and recon tools will become better and more lightweight. Recon will become a lot more routine, and organizations will be forced to react quickly when they realize their data is at risk.

"I think it's going to be a shock to them, when they realize how valuable their data is," Levene says of small and large businesses alike. "This places the onus for defense on network defenders themselves, who may not be equipped to handle it."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Jim_Gordon, User Rank: Author
9/10/2019 | 5:19:18 PM
Economic incentives of hacking
So true. Well said. The economic incentives of hacking have long since been the root cause of what has been a global losing battle. Breaking the economics could do more than even the most advanced set of security technologies.