Financially motivated attackers and nation-state groups alike are boosting their ability to break into target networks and move laterally once they gain a foothold, security researchers report.
In the "2021 Threat Hunting Report," the CrowdStrike Falcon OverWatch team points to a major increase in average breakout time, or the time it takes for an attacker to start moving laterally from their initial access point to other systems within a target network. The average between July 1, 2020, and June 30, 2021, is one hour and 32 minutes – a threefold drop from 2020, with 36% of attackers moving in less than 30 minutes.
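To make the breakout-time metric concrete for defenders who want to measure it in their own telemetry, here is an added example (not code from the report or from CrowdStrike) that computes breakout time per intrusion from constructed endpoint events; the incident ids, hostnames and the event labels "initial_access" and "lateral_movement" are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not data from the report. One tuple per
# endpoint event: (intrusion id, UTC timestamp, host, event label).
# The labels "initial_access" and "lateral_movement" are assumed names.
SAMPLE_EVENTS = [
    ("INC-1", "2021-03-02T09:00:00", "ws-01",  "initial_access"),
    ("INC-1", "2021-03-02T09:18:00", "ws-01",  "discovery"),
    ("INC-1", "2021-03-02T09:25:00", "srv-db", "lateral_movement"),  # 25 min
    ("INC-2", "2021-04-10T14:00:00", "ws-07",  "initial_access"),
    ("INC-2", "2021-04-10T16:30:00", "dc-01",  "lateral_movement"),  # 150 min
    ("INC-3", "2021-05-05T08:00:00", "ws-12",  "initial_access"),
    ("INC-3", "2021-05-05T08:40:00", "ws-12",  "discovery"),         # never moved
    ("INC-4", "2021-06-01T22:00:00", "ws-03",  "initial_access"),
    ("INC-4", "2021-06-01T23:41:00", "fs-01",  "lateral_movement"),  # 101 min
    ("INC-5", "2021-06-20T10:05:00", "ws-09",  "initial_access"),
    ("INC-5", "2021-06-20T10:00:00", "dc-01",  "lateral_movement"),  # clock skew
]


def breakout_times(events):
    """Return {intrusion id: timedelta} from the first initial-access event
    to the first lateral-movement event. Intrusions that never moved
    laterally, or whose lateral event predates initial access (clock skew
    or mislabelled telemetry), are left out rather than skewing the stats."""
    first_access, first_lateral = {}, {}
    for inc, ts, _host, label in events:
        t = datetime.fromisoformat(ts)
        if label == "initial_access":
            first_access[inc] = min(t, first_access.get(inc, t))
        elif label == "lateral_movement":
            first_lateral[inc] = min(t, first_lateral.get(inc, t))
    result = {}
    for inc, moved in first_lateral.items():
        if inc in first_access and moved >= first_access[inc]:
            result[inc] = moved - first_access[inc]
    return result


def summarize(times, fast=timedelta(minutes=30)):
    """Average breakout time and the share of intrusions faster than `fast`,
    the two figures the report quotes. Returns (None, 0.0) with no data."""
    if not times:
        return None, 0.0
    vals = list(times.values())
    avg = sum(vals, timedelta()) / len(vals)
    share = sum(1 for v in vals if v < fast) / len(vals)
    return avg, share
```

On the constructed sample this yields an average of 92 minutes with one of three intrusions under 30 minutes; the intrusion without lateral movement and the one with skewed clocks are excluded from both figures.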
Param Singh, vice president at OverWatch, points to ransomware-as-a-service (RaaS) as a factor bringing down the average breakout time.
"We feel that ransomware-as-a-service plays a critical role in that," he explains. "Threat actors are producing automated tools they're selling in the Dark Web that somebody can easily buy and automate lateral movement, driving the drop in breakout time."
Most ransomware operators who engaged in big game hunting, a tactic in which they focus on high-value data or assets, have also begun to threaten data extortion as a means of extracting payment from victims. Many have built dedicated data leak websites to publicize the data of victims that don't comply.
Attacks against police departments, state governments, and other major targets over the past year underscore how attackers are growing bolder and more capable, Singh notes. Anonymity provided by cryptocurrency and the ease of RaaS platforms give attackers greater confidence.
"Ransomware-as-a-service plays a big role because it breaks down the barrier to entry," he says. "Even if you're not technical, if you're not programming malicious code, you can still use this business model." One can easily buy stolen credentials on the Dark Web, access their target environment, and use an off-the-shelf RaaS offering to launch an attack, Singh adds.
These services have "excellent documentation," he also notes, which further drives attackers' ability to quickly move across a network. RaaS operators provide step-by-step instructions for targeting a healthcare institution, financial institution, and other potential victims. The process of conducting reconnaissance, previously a required skill for attackers, can now be automated.
Financially motivated attackers are also spending more time in target networks, a technique that has been historically common among nation-state groups, Singh adds. Ransomware attackers will maintain a foothold after an attack, place their malware as a sleeper cell, and wait until it's time to strike. Months after their initial campaign, they'll run the program again.
Researchers observed activity from 13 named eCrime groups, which CrowdStrike tracks under the "Spider" naming convention. The most prolific of these is a group called Wizard Spider, for which the researchers observed double the number of intrusions seen for any other criminal group. Wizard Spider has been active since 2016 and has origins in Eastern Europe/Russian Federation, CrowdStrike notes.
Wizard Spider deployed the Cobalt Strike Beacon in more than half of its attacks over the past year, though other commonly used tools included Ryuk ransomware, the Windows backdoor access tool BazarLoader, and the Active Directory discovery tool AdFind. While many of their tactics have remained the same, Singh notes the group is improving its ability to maintain long-term access. It's very good at cleaning up its tracks after infecting a target network -- removing logs and cleaning systems -- so it's difficult to follow its activity.
In the year ending June 30, 2021, China-based attackers maintained a "high operational tempo" and are conducting "sustained and wide-ranging campaigns" that aim to steal intellectual property and collect intelligence, researchers explain in their report. North Korea-based groups demonstrated a consistent level of activity and continue to make improvements to their toolsets.
The telecommunications industry is a prime target for state-sponsored attacks, accounting for 40% of all targeted activity in the past year and proving more affected than technology, healthcare, government, and academia, researchers report. Singh says there is a geopolitical component driving these types of attacks.
"Telecom has always been a gold mine, if you think about it from a surveillance perspective," he says, adding that attackers who target these organizations can then attract additional victims who use their services.
Researchers report attack groups from China, North Korea, and Iran are the source of most advanced persistent threat (APT) activity. However, over the past year they have tracked an increase in suspected state-sponsored activity not attributed to named attack groups. Singh says this could be linked to attackers' growing use of off-the-shelf tools in their primary toolset, as these make attribution difficult.
"The secondary tooling is more unique, but in our case we want to stop the attack early in the kill chain, so after initial access we block them," he says of how OverWatch detects and responds to threats. This means it tracks the primary toolset, which attackers use to gain initial access, but not the secondary payload that could help more easily identify the intruder.