Optiv recently released their 2020 Cyber Threat Intelligence Estimate report, which gives organizations a detailed view into the current cyber threat landscape. This year, Digital Shadows (now ReliaQuest) was offered the opportunity to contribute to the report, and we covered quite a few different topics:
- The effects of COVID-19 on the threat landscape
- Incident analysis by alert classification and industry vertical
- Nation-state threat actor and cybercriminal activity
- Third-party risks and their potential impact
- Dark web and cybercriminal marketplace trend analysis
With the report now out and available for everyone to read, we wanted to give a recap of some of our insights, sourced from Digital Shadows SearchLight (now ReliaQuest GreyMatter DRP)™, Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection), open-source intelligence, human intelligence, and alerts that we’ve sent to our clients.
For real, though. If you haven’t looked at the report, we highly recommend that you check it out!
Onwards to #OptivCTIE2020 enlightenment!
The effects of COVID-19 on the threat landscape
COVID-19 has impacted most, if not all, facets of our lives. Throughout our research, Digital Shadows (now ReliaQuest) identified four main themes associated with COVID-19 in the threat landscape:
All sectors were affected, especially healthcare.
The organizations and sectors that were and are arguably at most risk of being targeted by cyber threat actors are those that are most important to the COVID-19 response (e.g. hospitals, pharmaceutical companies, medical research organizations, etc.). These organizations have been reportedly targeted by cyber threat actors with spearphishing campaigns that leveraged COVID-19-themed phishing lures. The pandemic’s effect has also been felt by financial services and government agencies, potentially raising their susceptibility to highly targeted spearphishing or ransomware campaigns.
Not all criminal forum users are created equal.
Forums that were primarily used for cybercrime began seeing atypical discussions, including users prohibiting others from taking advantage of the pandemic, voicing solidarity with affected countries, and even sharing general health and safety information.
Criminals can easily improvise, adapt, and overcome.
Since January 2020, cybercriminals have been taking advantage of people’s worries and doubts surrounding the pandemic. Cybercriminals will adjust their strategies to exploit what gives them the greatest chance of success. Operators of well-known trojans, like Emotet, switched to leveraging COVID-19 phishing lures. Other criminals have been advertising counterfeit or falsified personal protection equipment, selling fake “coronavirus cures”, and engaging in COVID-19 disinformation campaigns.
Remote work isn’t for everyone.
Throughout the COVID-19 pandemic, as social distancing became the new norm, many companies moved toward a virtual workspace. For others, remote work was a gradual change. Among some, this has become more difficult for organizations where remote work is less frequent (e.g. schools). Moving into virtual workplaces increases an enterprise’s attack surface outside of traditional internal networks, particularly when external third-party vendors are needed to maintain business continuity.
Incident analysis by alert classification and industry vertical
Digital Shadows (now ReliaQuest) consolidated and analyzed all of the alerts that were sent to our clients throughout 2019. We found that 66 percent of incidents were associated with the technology or financial services sector. More specifically, the technology sector (unfortunately) had the most credential theft incidents, while the financial services sector (again, unfortunately) led the pack in phishing incidents. To lift the lid on more incident types, we’ve listed our findings below:
Phishing and brand misuse accounted for 67 percent of the alerts that we sent to our clients. As we’ve said before, phishing is one of the main attack vectors that adversaries use to gain access to systems, deploy monetary scams, and spread malware, and is used by threat actors of all levels of sophistication.
Infrastructure issues accounted for 24 percent of the alerts that we sent to our clients. Another popular attack vector involves vulnerability exploitation. It’s easier said than done, but keeping up-to-date website certificates, patching vulnerabilities, and blocking access to sensitive ports can make or break an organization once they’re targeted.
Data Leakage accounted for nine percent of the alerts that we sent to our clients. When we say data leakage, we mean unmarked documents, customer details, protectively marked documents, technical leakage, and internally marked documents. Between an attacker accessing a sensitive document or finding your company’s network map, incidents of this type can be devastating to an organization’s security posture.
Nation-state threat actor and cybercriminal activity
Lazarus Group. This North Korean state-associated threat actor was especially active in 2019. The group is well known for carrying out financially motivated attacks to increase North Korean government revenues. This is uncommon for nation-state threat groups, who are typically focused on espionage operations to gather sensitive political and military information.
Although Windows remains the target operating system of choice for most threat actors, Lazarus’ targeting macOS systems was a notable phenomenon over 2019. For example, they targeted South Korean macOS users through macro-embedded documents that would execute a malicious PowerShell script. During 2019, Lazarus would also target Windows and macOS users as part of the same project, by separating infection procedures.
MuddyWater. In the first half of 2019, MuddyWater became particularly active. The Iranian threat actor conducted surveillance operations targeting various industries and regions such as the Middle East, Asia, Europe, and North America. MuddyWater used a surge of new or previously non-observed resources during its 2019 operations, which included a campaign using a previously unpublished PowerShell-based backdoor called “PowerStats v3”.
The second half of 2019 saw a significant decline in media coverage on MuddyWater, which likely had to do with coverage biases; cyber espionage activities are often documented either retrospectively or unreported until several months or years after they occur.
Fin6. Fin6 is a sophisticated, financially motivated threat actor well known for deploying malware on retail and hospitality point-of-sale (POS) networks; however, the group shifted beyond its conventional strategies and broadened its targeting to concentrate on e-commerce websites during 2019. The cybercrime group was also related to a campaign targeting an unidentified engineering company with the ransomware variant “LockerGoga” — another vector of attack not previously affiliated with Fin6.
The explanation for Fin6’s differing methods of attack is unclear. One possibility is that Fin6 is changing its strategies because there are more lucrative opportunities. However, the group has continued to target POS systems, suggesting that its conventional vector of attack remains common. Therefore, it is more probable that the group’s tactical complexity implies that they are capable of carrying out multiple types of attacks, rather than just being limited to a few.
TA505. In 2019, this cybercriminal group was highly successful. While well-known for targeting banking and retail organizations, TA505 possibly extended its operational effectiveness during the year, as demonstrated by the group ‘s increasing variety of target sectors and geographies. The scope of organizations targeted by the group and the regularity of its campaigns suggest that TA505 has the flexibility to execute several campaigns concurrently. The vast majority of TA505 operations included targeting victims with trojans used to collect and exfiltrate classified information.
ShinyHunters. ShinyHunters is a threat group found to be engaged in selling datasets, notably on Empire Market and RaidForums, from organizations across a range of sectors, including education, media, and technology. Initially, ShinyHunters gained notoriety in early 2020 when they listed 91 million Tokopedia user records for sale on the cybercriminal marketplace Empire, and since then added user records for additional organizations, including: Ulmon, Zoosk, Bhinneka, Chronicle of Education, HomeChef, Minted, Styleshare, Ggumim, Mindful, StarTribune and Chatbooks.
ShinyHunters is suspected of having ties to the previous threat collective known as “GnosticPlayers,” as they work in an almost identical fashion. ShinyHunters has published millions of user records on illegal marketplaces for sale and has regularly reached out to media outlets to claim responsibility for the compromise. Similarly, the GnosticPlayers threat group is suspected to be the organization behind over 40 major corporate breaches in 2019 and has approached media outlets to assert responsibility for the breaches. Realistically, it is possible that ShinyHunters has ties to or is originating from members of the GnosticPlayers threat group.
Third-party risks and their potential impact
Many notable data breaches occurred in 2019, with Capital One, Citrix, and Wipro among the high-profile organizations affected. A prevalent theme of the data breaches reported in 2019 was around third-party-related risks and challenges. These challenges are both presented through companies losing data after a supplier has been compromised and suppliers inadvertently leaking their clients’ data from unsecured cloud servers.
Third-party risks can include:
- Operational risk: The prospect of loss resulting from inadequate or failed procedures, systems, or policies
- Transaction risk: The risk of loss due to problems with the service or delivery
- Compliance/regulatory risk: The risk resulting from security breaches of third-party providers.
Ensuring that third-party risks are considered and measured is now more critical than ever. Organizations must take extra time to evaluate potential vendors, keep track of events that may impact their vendors, and include data leakage incidents in continuous third-party vendor monitoring.
Dark web and criminal marketplace trend analysis
During our analysis, we found that the most common advertisements on dark web marketplaces included passports and identity documents, carding guides, account accesses, counterfeit currency, malware, database dumps, and gift cards. The most prominent marketplaces in 2019 included Nightmare Market (closed), Berlusconi Market (closed), Empire Market, Apollon (closed), Wall Street Market (closed), and Tochka (closed). The fact that most of the listed marketplaces are now “closed” underlines the volatility of the criminal marketplace ecosystem.
Accessing dark web and deep web sources can be incredibly useful if you concentrate on relevant use cases. The most popular approaches we have found deploy strict conditions such as fraud detection, monitoring for threats, and detecting exposed credentials.
This sounds slightly difficult, but not to worry, Digital Shadows (now ReliaQuest) provides dark web monitoring technology with SearchLight™, so you can protect your exposed data when it appears on the deep and dark web. SearchLight™ continually monitors and indexes hundreds of millions of dark web pages, pastes, criminal forums, Telegram, IRC, and I2P pages and is programmed to look for specific risks to your organization.
Interested in learning more? Take a tour of the dark web with Digital Shadows (now ReliaQuest)’ Test Drive.
Keep the bad guys at bay.
Regardless of the sector or geography in which your organization resides, phishing and brand misuse, infrastructure, and data leakage risks can severely impact your security posture. To defend against digital risks, Digital Shadows (now ReliaQuest) recommends the following:
- Use in-house or external tools to monitor the cybercriminal landscape for threats to your organization or third-party vendors.
- Monitor for employee credentials included in leaked databases. On notification, credentials should be changed and accounts should be protected with multi-factor authentication. Passwords should not be reused across multiple services. Consider using a reputable password manager to store and generate secure, unique passwords. Valid accounts for former employees should be deactivated upon departure.
- Audit and document all software used by your organization. This will also help reduce the pain of patch management. Critical security patches should be applied as soon as they are made available. Do not rely on legacy or end of life software.
- Limit your organization’s attack surface by ensuring only devices absolutely critical for business operations are connected to the internet. Network storage devices, databases, and other internet-facing services should also be appropriately secured. Practice the principle of least access by restricting administrative access or elevated privileges only to employees for which it is absolutely required.