As the world switched to telecommuting last year, cybercriminals immediately raised the stakes, turning users' fears and business leaders' concerns against their chosen victims. But the pandemic is only one of the factors raising the risks: technological development and the spread of new-generation platforms keep opening new attack surfaces for those looking for opportunities.
With remote work staying with us this year and beyond the epidemic, IT professionals struggling to protect increasingly fragmented organizations will also have to reckon with attacks evolving from ever more directions, according to Sophos' annual threat report (2021 Threat Report), which summarizes the experience and trend forecasts of the company's researchers, threat hunters, rapid response team, and cloud security and AI experts.
This year the gap between ransomware criminals will widen in terms of skills and resources. The big crooks, the cream of the profession, are further refining their tactics, techniques and procedures to reach a sophistication and elusiveness similar to that of state-sponsored actors, extorting millions of dollars from organizations by deploying ransomware families such as last year's much-discussed Rock. Their average demand is growing rapidly: it rose 21 percent to $233,000 in the third quarter of last year, up from $84,000 a year earlier. SophosLabs cites Coveware data here; the victims of course have to pay in cryptocurrency.
At the other end of the spectrum, Sophos expects the camp of entry-level attackers to grow further. These criminals pick rentable, easy-to-use ransomware such as Dharma from the menu to fire at masses of victims with smaller, flatter wallets. So-called double extortion is also an increasingly popular method in this corner of the cyber underworld: besides encrypting the data, the blackmailer also steals confidential, sensitive information from the victim's machine and threatens to publish it to reinforce the demand. Sophos observed this practice last year with Maze, RagnarLocker, Netwalker, REvil and others.
– The business model of ransomware is complex and dynamic, said Chester Wisniewski, senior researcher at Sophos. – On the one hand, we see competing attackers trying to differentiate themselves through their abilities and targets and stand out from the field; on the other hand, we find program families sharing the best tools of their kind and forming cartels. Last year both trends were at work simultaneously. While some families, such as Maze, may have taken it so far as to retire young, or at least go on a long vacation, their tools and techniques did not rest, because new players, in this case Egregor, are still on the field in their jersey. The threat environment tolerates no vacuum: as soon as one threat disappears, another soon replaces it.
However, standard threats such as loaders and botnets, or human-operated Initial Access Brokers, also remain. They may seem only moderately dangerous, but they are designed to gain a foothold in the target network, collect critical data and share it with their command-and-control network, which then issues further instructions. When people operate these threats, every compromised machine is scanned for its geographical location and other signs that promise more valuable prey, and access to the most lucrative targets is then sold to the highest bidder, say, a major ransomware gang. Last year, for example, Ryuk used the Buer Loader to deliver its ransomware.
Legitimate tools, well-known utilities and websites are increasingly being abused by attackers to evade security measures and frustrate analysis, detection and attribution. In the guise of legitimate tools, attackers can fly under the radar while moving within the victim's network and preparing to launch the main part of the attack, which may be the activation of ransomware. For example, attackers working with the RobbinHood ransomware first installed an otherwise harmless driver signed by hardware manufacturer Gigabyte on the targeted machines so that they could use its software vulnerability as a springboard. State-sponsored attackers in particular benefit from the fact that the use of legitimate tools makes attribution difficult: even when an action threatens an international scandal, the suspected actor can simply distance itself.
– The abuses committed with everyday tools and techniques put common methods of cyber defense to the test, since the appearance of disguised attackers on the corporate network does not necessarily reach the stimulus threshold of intrusion detection, so an automatic alert is missing, Chester Wisniewski said. – This is where the rapidly evolving field of human-led threat hunting and managed response really shines, when such attacks take place, because subtle anomalies, such as the unexpected use of a legitimate tool at an unusual time or place, do not escape security professionals. Equipped with endpoint detection and response (EDR) tools, trained threat hunters or IT leaders pick up such telltale signals and alert security teams to the presence of an intruder or an ongoing attack.
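As an added illustration of the kind of anomaly this quote describes (example code, not from Sophos or from the article), the following Python script checks constructed process-creation records against a hand-written baseline of which users and hosts normally run a given legitimate administrative tool, and during which hours. The tool names, host names, user names, the record format and the baseline itself are all assumptions made up for the example; a real EDR pipeline would derive the baseline from weeks of telemetry rather than a dictionary.

```python
"""Flag executions of legitimate admin tools that fall outside their usual baseline.

Added example: the event lines and the baseline below are constructed for
illustration and are not drawn from the Sophos report or the article.
"""
from datetime import datetime

# Constructed process-creation records: timestamp|host|user|image path
SAMPLE_EVENTS = """\
2021-02-03T09:12:41|WS-017|CORP\\admin-jdoe|C:\\Tools\\PsExec.exe
2021-02-03T10:05:02|SRV-DB01|CORP\\svc-backup|C:\\Windows\\System32\\vssadmin.exe
2021-02-03T02:14:05|WS-041|CORP\\svc-backup|C:\\Tools\\PsExec.exe
2021-02-03T11:30:17|WS-017|CORP\\admin-jdoe|C:\\Windows\\System32\\notepad.exe
2021-02-03T23:48:59|SRV-DB01|CORP\\admin-jdoe|C:\\Windows\\System32\\vssadmin.exe
2021-02-03T14:02:33|WS-090|CORP\\mkovacs|C:\\Users\\mkovacs\\Downloads\\psexec.exe
""".strip().splitlines()

# Constructed baseline (assumed, not measured): who normally runs each watched
# tool, from which hosts, and during which hours of the day.
BASELINE = {
    "psexec.exe": {"users": {"corp\\admin-jdoe"}, "hosts": {"ws-017"},
                   "hours": range(8, 19)},
    "vssadmin.exe": {"users": {"corp\\svc-backup"}, "hosts": {"srv-db01"},
                     "hours": range(8, 19)},
}


def parse_event(line):
    """Split one pipe-delimited record into a normalized (lower-cased) dict."""
    ts, host, user, image = line.split("|", 3)
    return {
        "time": datetime.fromisoformat(ts),
        "host": host.lower(),
        "user": user.lower(),
        "image": image.lower(),
        # tool name is the file name at the end of the image path
        "tool": image.rsplit("\\", 1)[-1].lower(),
    }


def check_event(event, baseline=BASELINE):
    """Return the list of baseline deviations for one event (empty means normal)."""
    profile = baseline.get(event["tool"])
    if profile is None:
        return []  # not a watched tool, nothing to compare against
    reasons = []
    if event["user"] not in profile["users"]:
        reasons.append("unexpected user %s" % event["user"])
    if event["host"] not in profile["hosts"]:
        reasons.append("unexpected host %s" % event["host"])
    if event["time"].hour not in profile["hours"]:
        reasons.append("outside normal hours (%02d:00)" % event["time"].hour)
    return reasons


def find_anomalies(lines, baseline=BASELINE):
    """Return (host, tool, reasons) for every watched-tool execution that deviates."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = check_event(ev, baseline)
        if reasons:
            findings.append((ev["host"], ev["tool"], reasons))
    return findings


if __name__ == "__main__":
    for host, tool, reasons in find_anomalies(SAMPLE_EVENTS):
        print(f"{host}: {tool} -> {'; '.join(reasons)}")
```

Run stand-alone, the script reports three of the six records: PsExec launched at 02:14 by a backup service account from a workstation that never runs it, a VSS administration tool run at night by an account other than the backup service, and PsExec started from a user's Downloads folder. None of these is a malware detection on its own; each is exactly the "legitimate tool at an unusual time or place" signal that a threat hunter would want surfaced for review.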
Companies that switched to telecommuting and online operation last year faced serious security risks, as the boundaries of the IT environment they must protect suddenly extended to thousands of home networks, whose fluctuating level of security enlarged the attack surface. Experience has shown that public cloud services serve most of the needs of companies seeking a secure environment, but they differ from traditional corporate networks in that they pose specific challenges and tasks for IT teams.
Although cybercriminals at first appeared to show good sense in the epidemic and promised not to attack life-saving health facilities working on the front lines of the fight against the coronavirus, it unfortunately turned out that this was just an empty PR campaign on their part.
Contrary to their words, underworld actors tended to step up their activities; for example, they are opening up to a service-based economy and have started to offer their tools in a Crimeware-as-a-Service model, which makes them more easily accessible to criminals who are less well-resourced, smaller or novices in terms of financial and technological means.
The model change may have been successful in the cyber world because, according to SophosLabs, the share of spam mentioning Covid-19 or coronavirus jumped from 0.58 percent to 2.68 percent worldwide in just two weeks last March, at the time of the restrictions introduced in the first wave of the epidemic.
Expressing his shock, Joshua Saxe, Sophos chief scientist, issued a call on Twitter last March, in response to which more than four thousand IT security professionals teamed up that very day on a Slack channel to create the Covid-19 Cyber Threat Coalition (CCTC) rapid response force to confront pandemic-themed manipulation. The community is well on its way to gaining non-profit status under the auspices of the Cyber Threat Alliance.
Cybercriminals are not the only ones turning to new platforms when they sense the spirit of the times. The Sophos report also points out that data scientists are borrowing methods from biological epidemiology to study spam and hidden malware, in order to help detect and neutralize them.
Our article was published in Computerworld magazine on February 10, 2021 (Volume LII, Issue 3)