To discuss the global trends of cyber security, we must first discuss the motivation behind the actors who are delivering malware into environments, running distributed denial of services attacks and causing breaches across the industry. There are three main reasons for performing malicious attacks on a corporate environment: for profit, espionage and hacktivism.
For Profit, we see a lot of trends coming from Eastern Europe in which simple tools are used to steal personal identifiable information (PII) that can be used by the malicious actors or sold to anyone willing to purchase the data from the underground marketplace. These attacks are generally website compromises that lead to databases containing encrypted PII. The style of the attack is more of a smash and grab. This was recently seen with the breach at the Revenue department of the State of South Carolina where over 387,000 credit and debit cards were taken. Of the 387,000 records, only 16,000 were unencrypted and revealed in plain text.
There was a time when these types of illegal transactions took place in dark places and were unknown to the general public, but that’s no longer the case. The malicious actors now even offer free samples, verification services and replacement packages if cards are no longer valid. The size of the economy is largely unknown, but there was a researcher at McAfee that estimated the size to be in excess of $750 billion in 2011.
For Espionage, there is a completely different set of tools and goals. You are finding more long-term attacks. Spear phishing is used more prevalently in an attempt to deliver malware into an environment. We find that the attacks are primarily coming from Asia, and the intent is to escalate privileges until a level is reached in which data can be transferred quietly and efficiently out of an environment through a compromised third-party server. Attack experts believe that the malware’s first phase is to collect sensible information on the target networks and in a second phase, to erase tracks of its operation. It then destroys the infected machines making the subsequent forensic analysis by computer experts difficult. For example, there is an ecommerce site that has purchased a /32 bit subnet allowing them six hosts per segment, and the owner is only using one for his web server and another for a database server. The host web server is compromised with a recent zero-day exploit. The malicious actor would compromise the site, unknowingly to the ecommerce operator, and set up a communication tunnel from which they would transfer stolen data. The data will then be transferred to a collection server and then retrieved by actors located at the true origin of the attack. Before completing their mission, they would whip out the communication path so that there is not trace that they ever were there, making forensics impossible. This is a common technique used to transfer data without the true source being revealed.
For Hacktivism, this is a cause of social protest or to promote political ideology. Hacktivists employ operations such as denial of service(s), information theft, data breach(es), and website defacement(s). These are certainly not new tactics and were used back in the mid-90s by groups such as the Cult of the Dead Cow. We have seen groups stand up and act as both Robin Hood and Prince John in one. Robin Hood, in which they stand for righting the wrongs that has been committed on the Internet. For example, a group identifying a person who wrongfully committed Internet crimes against a minor that drove that person to take their own life. This person who committed the crime would have their lives published on the Internet for all to see and for law enforcement to track. The Prince Johns are those of the group who do not see the truth in what the other are attempting to do. They use the tools and access to use on low security financial institutions and targets of a convenient and easy nature to compromise. According to the study “Data Breach Investigations Report,” published by Verizon, hacktivists stole almost twice as many records of ordinary cyber crime from organizations and government agencies. Hacktivists are showing incredible skills and we expect the attacks to increase in numbers as well as impact. They were the representation of their generation and performed their operations of denial of services, information theft, data breach and website defacement.
To learn more about cyber crime, join Internap and Alert Logic for a Cyber Crime Evening Reception on December 5th. Click here to register.
References:
https://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards.html
https://www.europol.europa.eu/content/press/cybercrime-business-digital-underground-economy-517
https://www.infosecisland.com/blogview/22460-Energy-Sector-Cyber-Espionage-Chinese-Hackers-are-not-Alone.html
https://securityaffairs.co/wordpress/4986/cyber-crime/they-are-not-what-you-think-they-are-they-are-hacktivists.html
Guest Contributor Stephen Coty is a member of the Alert Logic Security Research Team
