Cybercrime: a minority of powerful groups causes the majority of the damage

Secureworks has released the findings of its State of Cybercrime Report 2018 to illuminate the cybercrime trends and events that shaped the year.

From July 2017 through June 2018, Secureworks Counter Threat Unit® (CTU®) researchers analysed incident response outcomes and conducted original research to gain insight into threat activity and behaviour across 4,400 companies.

Among their findings was evidence that a small subset of professional criminal actors is responsible for the bulk of cybercrime-related damage, employing tools and techniques as sophisticated, targeted and insidious as most nation-state actors. These sophisticated and capable criminal gangs operate largely outside of the dark web, although they may leverage low-level criminal tools occasionally when it serves their purposes.

At the same time, there has been no lull in the overall volume of threats, and low-level cybercriminal activity remains a robust market economy, much of it conducted on the dark web in full view of security researchers and law enforcement. While relatively simple in their approach, these activities can still cause widespread damage.

“Cybercrime is a lucrative industry, and it’s not surprising it’s become the arm of powerful, organised groups,” says Don Smith, Senior Director, Cyber Intelligence Cell, Secureworks Counter Threat Unit. “To understand the complete picture of the cybercriminal world, we developed insights based on a combination of dark web monitoring and client brand surveillance with automated technical tracking of cybercriminal toolsets.”

Key Findings

Among the CTU researchers’ key findings were the following:

The boundary between nation-state and cybercriminal actors continues to blur.

  • Nation-state actors are increasingly using tools and techniques employed by cybercriminals, and vice versa. In August 2018, CTU researchers determined that the Democratic People’s Republic of Korea was likely responsible for a GandCrab ransomware campaign against the South Korean population and infrastructure, as part of a broader pattern of attacks. GandCrab is developed and sold ‘as-a-service’ and is more commonly associated with financially motivated criminal actors.
  • In March 2018, a threat actor likely associated with the Iranian government used access that had previously been leveraged for espionage to deploy a cryptocurrency miner across the environment. CTU researchers have also observed other government-backed espionage groups deploying cryptocurrency miners within compromised networks.
  • The assumption that nation-state-sponsored Advanced Persistent Threats (APTs) are different in kind from advanced cybercrime threats is fundamentally flawed.

Ransomware continues to be a serious threat.

  • There has been no significant decrease in the volume of ransomware, banking malware, point-of-sale (POS) memory scrapers or other threats available for purchase on underground forums.
  • The threat actors who developed SamsamCrypt and BitPaymer, the two most impactful ransomware threats observed by CTU researchers during the reporting period, have retained them for their exclusive and targeted use, showing the distinct threat these sophisticated cybercriminal groups pose.
  • The developers of GandCrab, a new ransomware family identified by CTU researchers in January 2018 and offered for sale on Russian-language underground forums, have been observed running an affiliate (‘partner’) program in which the developers receive 30–40 percent of the revenue from successful attacks.
  • There is no clear evidence that ransomware has been displaced by other capabilities such as cryptocurrency mining, and targeted ransomware attacks continue to be a worrying trend.
  • The growth of traditional file-encrypting ransomware did slow, but CTU researchers nevertheless observed no fewer than 257 new and distinct ransomware families during the reporting period.
  • Some of the more popular new ransomware-as-a-service families release regular updates and feature new additions.

Sophisticated criminal gangs are earning millions of dollars of revenue through stolen payment card data.

  • Sophisticated criminal gangs have combined advanced social engineering (expertise in deception and manipulation) and network intrusion techniques with point-of-sale (POS) malware to generate millions of dollars of revenue through stolen payment card data.
  • The price of credit card details on underground forums incentivises criminals to target POS terminals: card data passes through the memory of the running device in the clear while a transaction is processed, where specialist malware (a ‘memory scraper’) can read it out.
  • Cybercriminals are also clever about monetising card data even after the theft has been discovered, and credit card dump sites such as JokerStash have come under scrutiny as a possible way for sophisticated criminals to do just that.

The dark web is not the darkest depth of the cybercriminal world.

  • Sophisticated, organised criminal groups quietly cause most of cybercrime’s damage each year, and they avoid the dark web where possible to evade detection by law enforcement and threat researchers.
  • These more sophisticated criminals may use simple and readily available tools in some cases, but their highly organised approach and evolving capabilities represent a significant threat.

“The observations of CTU researchers over the last 12 months show that the threat from cybercrime is adaptive and constantly evolving,” the report concludes. “To stay ahead of it, it is imperative that organisations develop a holistic understanding of the landscape and how it relates to them, and tailor their security controls to address both opportunistic and more highly targeted cybercriminal threats.”
