Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Criminals Move Markets to Remain in the Shadows

While malware families and targets continue to evolve, the most important shift might be happening in the background.

Fo cybercriminals, the Internet of Things (IoT) is becoming a bigger draw, ransomware is still a profitable tool, and there are ways around even major legal actions. Those are some of the conclusions in the "McAfee Labs Threats Report: December 2018," released this week.

A number of findings in the report show certain trends continuing long-term patterns. New examples of IoT malware grew 72% in the third quarter, part of a total malware increase of 203% in past four quarters. And while many analysts have seen the growth of cryptominers slow in recent months, cryptomining malware increased by 71%, a figure based largely on the continuing growth in the number of IoT devices themselves.

"Platforms based on Linux are predominantly being hit," the McAfee research team told Dark Reading in an email interview, as they explained the rise in IoT malware. "Whereas previously these were dominated by DDoS-related botnets – the introduction of cryptojacking has led to the increase."

While these numbers are impressive, the most important developments in the malware landscape may be occurring behind the scenes. "Several individual sellers have moved away from large markets and have opened their own specific marketplaces," the McAfee researchers said. Other marketplaces, such as Dream Market, Wall Street Market, and Olympus Market, have become popular replacements for the lost markets (though Olympus Market suddenly disappeared, taking money and trusted relationships with it).

In a continuing response to the legal takedown of major Dark Web markets like Hansa and AlphaBay, and the disappearance of Olympus Market, some criminals have created their own "dark commerce" sites where they do business with their customers, the researchers said. These smaller sites make it more difficult for law enforcement to gain access and conduct surveillance on criminal activity.

Another trend that makes life more challenging for law enforcement is a growing tendency by some criminals to forgo a Web-based market altogether and use communications networks such as Telegram to conduct their business.

The communication is critically important for the criminals due to the continuing growth of criminal affiliate networks, seen in the evolution and increase of affiliate-architected malware such as the GandCrab ransomware package. The affiliate model is also seen in the operation of "RDP shops" that sell remote desktop access to compromised servers so that criminals can install and run their illicit software. "RDP continues to be an Achilles heel for many organizations, judging by the amount of targeted ransomware attacks, such as SamSam, BitPaymer, and GandCrab, that leverage RDP as an entry method," the report states.

Malware's evolution makes McAfee's suggestion that security also continue to evolve an obvious step. "We have to consider the speed in which criminal operators are adapting techniques and leveraging new approaches to achieve their objectives," the research team told Dark Reading. "For example, the introduction of new exploit kits and the continual development of GandCrab suggests that security teams need to remain vigilant on the evolution of such new threats."

Related Content:

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UdyRegan
50%
50%
UdyRegan,
User Rank: Apprentice
1/14/2019 | 10:29:27 PM
Wait for the network!
Honestly speaking, if I were a cyber criminal, I would be waiting for the IoT with bated breath. It all seems very wonderful - all this secret information in storage being made a all portable and freely communicated over a network. All you have to do is figure out how to get your fingers into that network to extract all that information. Seems easy enough!
MelBrandle
50%
50%
MelBrandle,
User Rank: Moderator
1/4/2019 | 3:20:35 AM
Criminal works
Even criminals know how to remain relevant in today's highly competitive industry. It is never a safe play to continue pursuing their illegal acts within the same sector in order to avoid being detected. They need to move swiftly in order to remain active but being completely discreet.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
GDPR Enforcement Loosens Amid Pandemic
Seth Rosenblatt, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4248
PUBLISHED: 2020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 175484.
CVE-2020-8329
PUBLISHED: 2020-05-28
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, causing an error to be displayed and preventing printer from functioning until the printer is rebooted...
CVE-2020-8330
PUBLISHED: 2020-05-28
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, preventing subsequent print jobs until the printer is rebooted.
CVE-2020-4231
PUBLISHED: 2020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 could allow an authenticated user to perform unauthorized commands due to hazardous input validation. IBM X-Force ID: 175335.
CVE-2020-4232
PUBLISHED: 2020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 could allow an attacker to enumerate usernames to find valid login credentials which could be used to attempt further attacks against the system. IBM X-Force ID: 175336.