In this exclusive opinion piece, Roland Daccache, Systems Engineer Manager MEA, CrowdStrike, writes on the trends of cybercrimes.
The danger of becoming the victim of a cyberattack is constantly increasing – this is underpinned by the latest OverWatch report from CrowdStrike.
Last year alone, the threat hunters observed 60 percent more attack attempts than in the same period of the previous year. But not only has the number of attack attempts increased – the report also shows that eCrime attackers are gaining targeted access to critical networks three times faster than in the past. The average breakout time, the time it takes for an attacker to move laterally from their initial point of attack to other systems on the network, has decreased to just one hour and 32 minutes. This represents an acceleration by a factor of three since 2020.
SaaS and double extortion – the big trends in the eCrime cosmos
eCrime groups in particular, which are responsible for 75 per cent of all attack activity observed by OverWatch, are continuously adapting their tactics, techniques and procedures (TTPs), becoming faster and more sophisticated.
Ransomware-as-a-Service (RaaS) offerings play a central role here. Threat actors can buy tools on the dark web that, among other things, automate attack processes such as lateral movement in the victim network, which directly shortens breakout times. In addition, RaaS enables less technically skilled criminals, who are unable to develop malware themselves, to adopt this business model. The barrier to entry is being lowered and the number of attacks is increasing.
A continuing trend from the eCrime and ransomware cosmos is double extortion. The actors no longer only use data encryption as leverage for their demanded ransom but increasingly threaten their victims with data leaks to enforce previously made ransom demands. Experts are observing this relatively new technique more and more frequently in the eCrime ecosystem and it seems to be becoming increasingly popular among ransomware operators to obtain the sums demanded.
Many of these criminal groups have even set up special Data Leak Sites (DLS) to expose victims’ stolen data to the public. Indrik Spider aka EVIL CORP is just one of the players taking advantage of this approach.
CrowdStrike has observed 13 named eCrime groups during the reporting period (July 2020 to June 2021), which are listed by experts as “Spider”. The most active of these is the Wizard Spider group, which has been around since 2016. It was involved in almost twice as many hacking attacks as any other eCrime group last year.
Wizard Spider used COBALT STRIKE in over half of the cases. Other commonly used tools from this group include the ransomware Ryuk, the Windows backdoor access tool BazarLoader and the Active Directory discovery tool AdFind. Recently, it has also been behind targeted attacks with the Conti ransomware.
China, North Korea and Iran are the most active state actors
But nation-state cyber activities, so-called “targeted intrusions”, are also regularly observed by OverWatch experts and account for almost a quarter of all attacks. The spectrum ranges from cyber espionage to state-sponsored sabotage attacks to foreign currency procurement to support a regime.
The telecommunications industry is a particularly popular target. It accounted for 40 per cent of all targeted attacks last year and was hit harder than the technology, healthcare, government and science sectors.
Most of the attacks on the telecom sector came from China-related groups, the so-called PANDAs. However, actors with an Iranian background (KITTENs) have also been spotted attacking telecom systems.
State actors use targeted attacks to carry out their own reconnaissance, intelligence and counterintelligence missions. A comprehensive, proactive cyber defence that also detects and successfully defends against these activities is therefore indispensable, especially for critical infrastructures.
The constantly increasing number of cyber activities makes it clear how important comprehensive and proactive threat hunting is for companies, especially when you consider that the OverWatch experts also observed several attack attempts that could not be assigned to any of the adversary groups tracked by CrowdStrike Intelligence. This underlines how diverse the threat landscape has become and how important it is to learn as much as possible about your own individual threat landscape.
In order to successfully counter the tactics and techniques of modern attackers, it is urgently advisable to rely not only on the latest technologies but also on human know-how and active threat hunting.