Dec 5, 2022
To move beyond the mental image of the lone hooded figure sitting in a dimly-lit basement as cigarette smoke wisps up from a dirty ashtray, it's helpful to take stock of the world of cybercrime as it exists today: strategic and professional.
Editor's note: This story originally appeared in Dark Reading.
Just like you keep up with the latest news, tools, and thought leadership in protecting and securing your organization from cybercriminals, your adversary is doing the same. They are connecting on forums, evaluating new software tools, talking with potential buyers, and searching for new ways to outsmart your security stack.
It’s hard to fathom what tools are available to them without peeking into their world. They have advanced capabilities that often outmaneuver well-funded security teams and corporate security tools, especially when pitted against legacy solutions like signature-based antivirus. Many security operations centers (SOCs) fail to prioritize real threats while wasting time on problems they can never realistically scale to address.
To move beyond the mental image of the lone hooded figure sitting in a dimly-lit basement as cigarette smoke wisps up from a dirty ashtray, it's helpful to take stock of the world of cybercrime as it exists today: strategic, commoditized, and collaborative (if you have money to spend).
Strategic intent backs every attack
Adversaries always have a business purpose; there’s a plan for every piece of malware. To begin, cybercriminals snoop around for access to your environment, looking for something they can steal or something they can resell to someone else. While an attacker may not know exactly what they want to do once they gain access to your environment, they tend to recognize value when they see it.
They may perform reconnaissance by looking for misconfigurations or exposed ports to exploit, a process often made trivially easy by known CVE databases and free open port scanners. Initial compromise can also be accomplished by stealing a user’s credentials to access the environment, a process that’s sometimes even easier, before moving laterally to identify key assets.
The cyber weapons black market is maturing
Cybercriminals have developed a sophisticated underground marketplace. Tools have evolved from relatively inexpensive and low-tech products into those with advanced capabilities delivered via business models familiar to legitimate consumers, like software as a service (SaaS). Threat hunters are witnessing the commoditization of hacking tools.
Phishing kits, pre-packaged exploits, and website cloning tools used to be very common. Designed to mimic website login pages, such as Microsoft Office 365 or Netflix, these tools were quite effective at capturing users’ credentials for many years.
Over the last two decades, though, the security community responded to this type of activity with techniques like pattern recognition, URL crawling, and shared threat intelligence. Tools like VirusTotal have made it a common practice for the discovery of malicious files to be shared with the wider security community almost instantaneously. Naturally, adversaries are well aware of this and have adapted.
A new phishing methodology
Today’s adversaries have also learned to capitalize on the rise of multi-factor authentication (MFA) by hijacking the verification process.
One new type of phishing kit is called EvilProxy. Like kits of the past, it mimics website login pages to trick users into giving away their login credentials. Unlike phishing kits of the past that were sold as one-time purchases, this new methodology—sold by specialists in access compromise—operates via a rental model whereby the seller rents out space on their own server for running phishing campaigns.
They host a proxy server that operates like a SaaS model. The service costs about $250 for 10 days of access. This allows the SaaS providers to make more money and enables them to collect statistics they can then publish on hacker forums to market their products and compete against other sellers.
New kits have built-in protections to defend their phishing environment from unexpected visitors. Since they obviously don’t want web crawlers indexing their sites, they use bot protection to block crawlers, nuanced virtualization detection technology to ward off security operations teams doing reconnaissance through a virtual machine (VM), and automation detection to prevent security researchers from crawling their kit websites from different angles.
The “adversary in the middle” scenario
In the context of bypassing MFA, acting as a reverse proxy to the authentic login page content creates big problems for typical phishing detection. By sitting between the user and the target website, the reverse proxy server allows the adversary to gain access to the username, password, and session cookie that is set after MFA is completed. They can then replay the session back into a browser and act as the user on that destination.
To the user, everything looks normal. By using slight variations of names in the URLs, the cybercriminals can make the site seem completely legitimate with everything working as it should be. Meanwhile, they have gained unauthorized access through that user, which can then be exploited for their own purposes or auctioned off to the highest bidder.
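The replay step described above can be caught on the identity provider's side by watching for a session cookie used from a client that differs from the one that completed MFA. The following is an added example, not code from the article or from any product it mentions; the log format, the event names and the sample lines are constructed for illustration.

```python
"""Flag session-cookie replay of the kind an adversary-in-the-middle proxy enables.

Constructed sample log (not from the article): one simplified identity-provider
event per line: ISO timestamp, event type, session id, client IP, user agent.
"""
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOG = """\
2022-12-05T09:00:01Z LOGIN_PASSWORD sess-a1 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/108
2022-12-05T09:00:09Z MFA_SUCCESS sess-a1 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/108
2022-12-05T09:00:30Z RESOURCE_ACCESS sess-a1 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/108
2022-12-05T09:02:15Z RESOURCE_ACCESS sess-a1 198.51.100.77 Mozilla/5.0 (X11; Linux x86_64) Firefox/107
2022-12-05T09:10:00Z LOGIN_PASSWORD sess-b2 192.0.2.44 Mozilla/5.0 (Macintosh) Safari/16
2022-12-05T09:10:12Z MFA_SUCCESS sess-b2 192.0.2.44 Mozilla/5.0 (Macintosh) Safari/16
2022-12-05T09:11:00Z RESOURCE_ACCESS sess-b2 192.0.2.44 Mozilla/5.0 (Macintosh) Safari/16
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    session: str
    ip: str
    ua: str


def parse(log: str) -> list:
    """Parse the constructed log format; maxsplit keeps the user agent intact."""
    events = []
    for line in log.splitlines():
        ts, kind, session, ip, ua = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, session, ip, ua))
    return events


def find_replayed_sessions(events: list, max_gap_seconds: int = 3600) -> dict:
    """Return {session: ((mfa_ip, mfa_ua), (replay_ip, replay_ua))} for every session whose
    cookie is presented from a different (IP, user agent) than the client that completed MFA,
    within max_gap_seconds of that MFA. The fingerprint is only a heuristic: a patient
    attacker can copy the victim's user agent, so pair this with stronger signals."""
    mfa_origin = {}  # session id -> (timestamp, ip, ua) recorded at MFA_SUCCESS
    flagged = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "MFA_SUCCESS":
            mfa_origin[e.session] = (e.ts, e.ip, e.ua)
        elif e.kind == "RESOURCE_ACCESS" and e.session in mfa_origin:
            mfa_ts, ip, ua = mfa_origin[e.session]
            gap = (e.ts - mfa_ts).total_seconds()
            if (e.ip, e.ua) != (ip, ua) and gap <= max_gap_seconds:
                flagged.setdefault(e.session, ((ip, ua), (e.ip, e.ua)))
    return flagged
```

Expect false positives from legitimate address changes (mobile carriers, VPN reconnects), so treat a hit as a lead for investigation and for session revocation rather than as proof on its own.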
The adversary’s business model
In addition to new phishing methodologies, malware is sold openly on the internet and operates in a sort of gray space, floating between legal and illegal. One such example is BreakingSecurity.net. They market the software as a remote surveillance tool for enterprise.
Every piece of malware has a price point associated with it to drive an outcome. And these outcomes have a clear business intent, whether it’s to steal credentials, generate cryptocurrency, demand a ransom, or gain spy capabilities to snoop around a network infrastructure.
Nowadays the creators of these tools are partnering with the buyers through affiliate programs. Similar to a multi-level marketing scheme, they say to the affiliate buyer of the tool, “Come to me when you get in.” They even offer product guarantees and 24/7 support of the tool in exchange for splitting the profits. This allows them to scale and build a hierarchy. Other types of cybercriminal entrepreneurs sell pre-existing compromises to the highest bidder. There are multiple business models at play.
Today’s reality: why you need an advanced cloud sandbox
It's important for security teams to understand the reality of what today’s adversaries do and how quickly their actions can play out. The advanced malware on the market now is even more serious than phishing. Whether it’s Maldocs that evade filters, ransomware, information stealers, remote access trojans (RATs), or post-exploitation tools that combine toolsets together, the capabilities are more advanced than ever before—and so are the business models.
All of this underscores the importance of having an advanced inline cloud sandbox. Standard sandboxes have limited capabilities that don’t provide much in the way of inline prevention. But AI-powered detection solutions are able to stop the stealthiest threats in real-time and at scale. With advanced threat protection, known threats are blocked automatically and unknown threats are sandboxed before hitting the network. They also accelerate investigations and improve response times.
If you’re not evolving with adversaries, you're falling behind, because today’s cybercriminals are as professional and on their game as you are.