New Cybercrime Operating Model Among Threat Groups
Cybercrime campaigns and high-profile advanced persistent threat groups are shifting how they target victims and focusing more on intricate relationships with “secure syndicate” partnerships to disguise activity, according to the latest 2019 Cyber Threatscape Report from Accenture.
Leveraging Accenture Security threat-intelligence capabilities and research from primary and secondary open-source materials, the annual report provides insights and predictions on the cybercrime landscape and how it will shift over the next year. The goal is to help organizations stay ahead of threats relevant to their organization, industry and geography.
“Over the past year, cybercriminals have continued to test the resilience of organizations by layering attacks, updating techniques. They also established new, intricate relationships to better disguise their identities. Consequently, attribution becomes more difficult to pursue,” said Josh Ray, a managing director at Accenture Security. “Organizations should understand the tangible elements, or the bread crumb trail left behind. It can help reveal the motivations, operational procedures and tool use, to create a profile of the adversary. This process is critical for organizations to understand so they can proactively be involved in properly allocating resources and improving their security posture to avoid becoming cybercrime’s next victim.”
A shift in high-profile cybercrime operating models
The report notes a significant increase in threat actors and groups conducting targeted intrusions for financial gain (“big game hunting”). Despite the arrests of individuals associated with online underground marketplaces, activity among infamous threat actor groups – such as Cobalt Group, FIN7 and Contract Crew – has continued.
Accenture Security analysts have also observed the shared use of tools, most of which automate the mass production of malicious documents used to spread malware. One prominent example is More_Eggs, which is used in both conventional crimeware campaigns and targeted attacks.
The continued activity indicates that relationships are forming among “secure syndicates” that collaborate closely and use the same tools, suggesting a major change in how threat actors work together in the underground economy. With syndicates working together, the lines between threat actor groups are blurred even further, making attribution more difficult.
In addition, Accenture Security analysts have observed a shift in the way Cobalt Group targets victims to gain access to the victims’ supply chain networks. Threat actors have typically delivered malware to internet users via phishing emails; however, analysts now see an emergence of malware executed through web browsers that specifically targets online merchants and retailers.
The global disinformation battlefield
The report also finds evidence of a continued global disinformation battlefield influencing social media users. Furthermore, it cautions that threat actors are becoming more skilled at exploiting legitimate tools. Disinformation campaigns to influence both domestic and foreign political sentiment and to sway national elections will continue. However, the wider potential impact of disinformation on global financial markets is even more concerning.
The financial services industry – and, more specifically, high-frequency trading algorithms, which rely upon fast, text-driven sources of information – is likely to be the target of large-scale disinformation efforts in the future.
Rise in ransomware: network access for sale
In addition, ransomware is increasingly plaguing businesses and government infrastructures, with the number of ransomware attacks more than tripling in just the past two years. Aside from delivery via spam campaigns, analysts have witnessed threat groups Nikolay and GandCrab planting ransomware directly on networks through network access intrusions.
Actors are also offering to sell remote desktop protocol (RDP) access to corporate networks to buyers in the underground community. They have likely gained this access through compromised servers and RDP brute forcing.