Cyber Insights 2023: Criminal Gangs

The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. Despite some geopolitical overlaps with state attackers, the majority of cyberattacks still come from simple - or perhaps sophisticated - criminals who are more motivated by money than politics. "With the Russia-Ukraine War, many actors polarized, including players like Conti, Killnet and Anonymous. However, the ecosystem is much larger, and even with setbacks in cryptocurrency brokerage, which advanced the liquidity and economics of criminals online, criminal organizations are thriving, diversifying, and going gangbusters as we enter 2023," comments Sam Curry, CSO at Cybereason. "There are no signs of this letting up and all signs indicate that criminal organizations' real growth is e-crime going forward." An increasing sophistication among the more elite criminals together with a more streamlined organization of the infrastructure from which they operate has been apparent for many years. "Malware will continue to evolve in 2023 as attackers find new ways to hide it to maintain persistence and get what they came for," says Mike Parkin, senior technical engineer at Vulcan Cyber - adding, "The attack vectors they use to get a foothold will also evolve, taking advantage of new vulnerabilities, and leveraging variations of old ones." It is the increasing maturity of the criminal business that perhaps poses the greatest threat. "They are becoming platforms for other criminal groups with significantly less technical expertise to leverage." We've had ransomware-as-a-service and infostealers-as-a-service for a few years, but it is becoming more accurate to describe the process as a complete 'crime-as-a-service'. "While we've seen the crime-as-a-service infrastructure become very prevalent, it's probably likely we'll see an uptick in volume and/or pricing of these attacks in the year ahead," adds Barratt. "We've looked at numerous online forums and found such a rise and diversification in the many kinds of criminal 'as a service' offerings that people really can set up their own cybercrime business with little to no technical knowledge or skills," explains Christopher Budd, senior manager of threat research at Sophos. He expects the CaaS providers to continue to improve their support and services to accommodate a broader set of customers and affiliates, adding, "The net results will be a broadening user base for various MaaS offerings which in 2023 likely means more ransomware attacks." "Malicious cyber tools are becoming more available to be purchased online which is leading to a greater number of attacks that are also less predictable. This includes vulnerabilities and exploits as well as hackers for hire, dramatically lowering the barrier of entry for anyone interested in launching a cyberattack." "Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers - opportunists with relatively low levels of technical skill - to access what they need to turn a profit." The interconnected nature of the cybercrime gig economy means threat actors can easily monetize attacks. "And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organized groups even more reach." This means there are many more partnerships and boutique actors helping a variety of groups. "This specialization makes the ecosystem as a whole more resilient and more difficult to bring to justice." "Criminal organizations will continue to grow in scope and capabilities, with increased focus on functional areas," suggests Gray, AVP of security strategy at Deepwatch. "Specialization will allow these groups to maintain the razor margins needed to operate at levels that are capable of bypassing security program components at advanced targets and/or operate at scale against more susceptible targets." RaaS. The 'pay-per-use' version of delivering ransomware is, says, Camellia Chan, CEO and founder of X-Phy, "a sophisticated, and yet much more accessible form of ransomware, with malicious actors no longer requiring advanced technical skills to carry out attacks." This is a win for wannabe criminals who cannot code. It is also a win for the more elite coding criminals trying to avoid the eye of law enforcement. "While RaaS operators develop the infrastructure, access brokers focus on the identity posture and external access portals. To finish, the affiliate buying the RaaS handles the exfiltration of data to ransom, then deploying the actual ransomware payload.". He expects the dominant schemes to increase their capacity to support more affiliates. "Experienced cybercriminals under sanction by the U.S. authorities will make use of existing RaaS schemes as a way of complicating attribution of their attacks. At the other end of the spectrum, less sophisticated affiliates will conduct simplistic ransomware deployments against small numbers of hosts, rather than full blown, enterprise-wide encryption events." The Uber instance seems to be a variation on what Tanium's Vaughan describes as an MFA push exhaustion attack. "This," he explains, "Is where an attacker sends a large number of MFA acceptance prompts to a user's phone which may cause them to click accept in order to stop the barrage of requests." This whole process of SaaS-delivered stealers acquiring credentials and attackers defeating MFA will persist and increase in 2023. "Before cryptocurrency, they were lone wolves - or, occasionally, a loosely connected group who'd met online. Then they started working in teams, and because they were paid money those teams became tightly bonded. Over the next year we'll see more teams divide out into skills-based groups." He uses REvil as an example of a successful RaaS model offering an end-to-end solution for attackers that included encryption software, access tools, helpdesks for victims, payment services and much more. "But," he says, "There's still a market for smaller teams that focus on specific attack skills. For example, they may breach defenses to acquire user or admin credentials, or even install malware to provide back door entry for use at a later date." Providers of such a service don't need to take the risk of executing the attack or handling payment; they can make good money just by selling the access on dark web marketplaces. Knowing what cyber insurance a potential victim has could reveal the kinds of defenses they'll have in place and even how much they're insured for, so ransomware demands can be tailored." In this sense, VaaS can be seen as an extension and expansion of the existing access broker criminal service. "Going forward, subscription based CaaS offerings could potentially provide additional revenue streams. In addition, threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering these videos and audio recordings and related algorithms more broadly for purchase." The quasi-APT. This continuing professionalization of the criminal fraternity is causing the inevitable emergence of what Omer Carmi, VP of cyber threat intelligence at Cybersixgill, calls the quasi-APT. "In 2023," he warns, "The quasi-APT's emergence will escalate due to the democratization of cyberweapons and the democratization of access enabled by powerful technology now accessible to the cybercrime underground." The growth of specialized roles and CaaS means that for as little as $10, threat actors can purchase access and gain a steady foothold into their targets' systems. "By outsourcing access, attackers of all levels of sophistication can leapfrog several steps, jumping yet another step closer to the level of an APT - hence the birth of the quasi-APT," he warns. The constantly improving sophistication and professionalization of the criminal underground will continue through 2023 and beyond. Mikko Hypponen, chief research officer at WithSecure, sees artificial intelligence adding a new string to the criminal bow in 2023. 2023 may see the beginning of a new crime gang service: AI-as-a-Service.

This Cyber News was published on www.securityweek.com. Publication date: Wed, 01 Feb 2023 12:46:03 +0000