To keep your organization secure, you must be vigilant. Cybercriminals and security teams are in a constant cycle of adapting to one another and refining their tactics in the wake of these adaptations. While these changes can be incremental, over time they shift the entire threat landscape to the point where things look significantly different from month to month or year to year.
Intel 471’s Annual Threat Landscape report looks back at just how much those incremental shifts have altered the cybercrime underground. By examining how things have changed, organizations can better prepare themselves for further shifts and stay vigilant and secure.
Here are 5 takeaways from the report:
Early detection is everything
Threat actors are frequently leveraging tactics, techniques and procedures (TTPs) in the early stages of a cyberattack — both by obtaining and developing capabilities — highlighting the need to monitor threat actor activity, even if the activity is nascent.
The most frequent TTPs threat actors have adopted over the past year revealed that the formative stages of a cyberattack were more prevalent or easier to identify than the destructive latter stages. The acquisition and development of these particular capabilities often require threat actors to surface in underground marketplaces and forums, which can provide indicators and warnings of future attacks. Additionally, the focus of some actors on scanning and exploitation of public-facing applications shows how many cybercriminals are driven by opportunism. Cybercriminals are constantly looking for insecure targets, and will likely exploit them if they have the tools or connections to do so.
One of the most common initial access tactics Intel 471 observed is threat actors leveraging compromised credentials. Successful schemes require a foothold in victim networks, which can easily be obtained by using these credentials. Threat actors can gain initial access on their own or by working with other actors specialized in initial access techniques or selling stolen credentials. The range of techniques employed is extensive, often varying from one attack to the next, likely in response to information about a victim’s defenses gained through reconnaissance.
Cybercriminals want credentials for external remote services such as Citrix, remote desktop protocol (RDP), secure shell protocol (SSH) and virtual private networks (VPNs). Additionally, they can purchase exploits for vulnerabilities from brokers in the underground or develop exploits themselves. Whatever tactics are used, we assess that the growth of threat actors focusing on initial access will continue.
The underground’s war efforts
The war in Ukraine has had an impact on the cybercriminal underground. Since the start of the conflict, we have observed a variety of actors claim allegiance to Russia or Ukraine.
The biggest shift has come in the appearance of new pro-Russian hacktivist groups, such as KillNet, which have been engaging in underground cybercriminal activity. KillNet was first observed in the underground in January 2022, primarily conducting DDoS attacks on entities in the financial, government, media and telecommunications sectors in Europe. It has since carried out attacks against entities in countries such as Italy, Lithuania, Poland and the United States. We assess there likely is a core unit of operators within KillNet that possesses a robust knowledge of hacking and DDoS techniques, while the rest of the group consists of “script kiddies,” or individuals with little to no technical aptitude.
The group coordinated attacks through several Telegram channels and placed emphasis on producing video content to promote its activity and motivations. While entities in Europe and the U.S. were impacted by KillNet at the time of this report, if other countries provide further support for Ukraine, KillNet likely will perceive such action as hostile and launch attacks on entities in the nations involved. Additionally, KillNet’s call for ransomware groups to join its offensive operations could indicate a desire to move into financially-motivated activity, like ransomware attacks or extortion.
Looking forward, we likely will see continued recruitment efforts by both pro-Russian and pro-Ukrainian hacktivists as fighting between the two nations continues. Although most of the underground marketplace likely consists of opportunistic, financially motivated threat actors, Russia’s war on Ukraine likely will entice both individuals and groups who are politically and ideologically motivated to undertake cybercriminal activity.
Spotlight stays on supply chain attacks
Threat actors attempting to infiltrate companies by exploiting support networks or third-party vendors — commonly known as supply chain attacks — continue to pose a significant threat to organizations worldwide. This has been a growing trend over the past few years: In 2020, the U.S. FBI issued multiple private industry warnings that hackers were increasing the scope, complexity and frequency of attacks on third-party vendors and supply chains. According to open source reports, the volume of supply chain attacks increased by 430 percent in 2021. High-profile incidents, such as those involving Colonial Pipeline, JBS USA Holdings Inc., Kaseya Ltd. and SolarWinds garnered significant media attention on supply chain attacks and highlighted the potential threat third-party risk poses to an organization. While supply chain attacks are not new, their scope and impact have attracted the attention of other opportunistic, financially-motivated cybercriminals.
Gaining access to third-party or supply chain networks can grant cybercriminals sufficient upstream access to leverage and exploit possible downstream access for further illicit use. More cybercriminals are acutely aware of these third-party dependencies and will likely continue to attempt to increase the sophistication of attacks by targeting profitable organizations and their proprietary information. While risk of compromise remains one of the most serious impacts of supply chain attacks, businesses can feel the effects of such incidents even if they do not result in a breach of their data or networks. If upstream organizations are knocked out by a cyberattack, downstream entities whose operations depend on them can suffer from the interruption in business operations. This could result in significant financial loss. We assess supply chain attacks will remain a concern due to the large reward threat actors gain via additional access to hundreds or thousands of entities downstream.
LockBit leads the way
Ransomware attacks against organizations continue to cause vast amounts of damage. Specifically, in May 2022, ransomware variants amounted to the highest percentage of breach events according to Intel 471 data – 80.5 percent – with LockBit 2.0 as the most impactful strain at 30 percent of all reported breaches for that month.
First surfacing in September 2019, LockBit’s ransomware and its variants, along with the group’s abilities, were consistently named in our monthly and quarterly breach reports. Intel 471 observed the group continuing to add to its TTPs, recruiting insiders and deploying its ransomware more frequently, even in the wake of its own breach incident in 2021.
In June 2022, the group announced it was releasing a new version of its malware dubbed “LockBit 3.0.” The new version reflected several changes: inclusion of a bug bounty program that promised to pay as much as US $1 million for vulnerabilities found in the group’s data leak blog; a payment website; and peer-to-peer instant messaging services. LockBit 3.0 also allegedly incorporated several new extortion techniques to increase the likelihood of victims paying ransom demands. The new victim shaming blog reportedly possessed a feature that would auction victim data to third parties or victim organizations, who could purchase a download or permanently destroy the data. Additionally, the ransomware strain could now reportedly disable Microsoft’s Windows Defender protection and automatically elevate permissions, included a “safe mode” that allowed affiliates to bypass antivirus software and featured stronger overall encryption.
Overall, LockBit 3.0 will likely be as impactful as version 2.0 until the group is faced with insurmountable defense mechanisms, is taken down by law enforcement, or ceases operations.
The fall and rise of Emotet
One of the most dramatic changes in malware operations over the past year was the demise and resurrection of the Emotet botnet. A law enforcement task force took over Emotet in January 2021, but the malware resurfaced in November 2021. With the Emotet project observed in the wild again, it’s not clear whether part of the group was trying to rebuild the botnet or whether another actor took over the project and brought it back to life.
When Intel 471 started to monitor the new Emotet botnet after its reappearance, it did not take long to realize the operation had changed. Emotet binaries no longer loaded third-party malware but would fire up Cobalt Strike instances to monetize the infections themselves. This ultimately led to full internal network takeovers and ransomware deployment.
What’s different about the resurrected Emotet operations is that the operators do not need to entrust malware delivery to another group or buy installs. Their own capabilities enable them to grow the botnet by taking advantage of the infections they already have. Emotet operators do not need to acquire access to companies for ransomware purposes, as the malware already grants an initial foothold that allows actors to compromise internal networks through Cobalt Strike for further business disruption.
Intel 471 expects to see continued activity from Emotet operators throughout 2022, which shows that prominent malware families can recover from a takedown by patiently regrouping and leveraging well-established connections in the underground. Prominent malware families such as Emotet will not go away easily and the possibility will likely always remain that while some operators may fail, others will pick up where they left off.