SecurityWeek

10 Ways to Protect Against Dual Revenue Attacks

To many financially motivated cybercriminals, one of the most valuable commodities is data. But not all data is valued equally. They want data that is fresh, good quality and easily monetized. For credit cards and prepaid cards this translates into low balances and high credit limits or card values. For healthcare data it means health history that includes personally identifiable information. And in the case of credentials, admin credentials are more valuable than user credentials, although we’ve seen email credentials for sale in various criminal online markets for use in spam and phishing campaigns. Intellectual property is also quite valuable – designs for the next sporting goods shoe, tablet PC or sports car hold tremendous value in certain circles.

Geography and authenticity also factor into how readily data can be monetized. Regions with heavy card use and widespread online banking, such as the U.S. and U.K., present more opportunities to capture financial data. Genuine passports, utility bills and driver’s licenses fetch more than forgeries, and among forgeries the quality of the fake determines the price.

However, cybercriminals cannot predict with certainty what data they will be able to access and exfiltrate. Once they have invested the time and resources to execute an attack, how do they maximize their return? Known for continuous innovation, attackers are increasingly blending threats so that a single intrusion yields multiple revenue streams, choosing the monetization path based on the type of data they uncover.

Malware that targets sensitive financial data has been around for some time and has netted its operators serious money. Ransomware, programs that deny users access to their files until a fee is paid to unlock them, arrived somewhat later. Now cybercriminals are combining the two types of campaign.

One of the first examples was the GameOver Zeus banking Trojan, which rose to infamy in 2014. If the malware could not locate financial information on an infected computer, some strains reportedly installed CryptoLocker. Where the attackers could find no data worth defrauding, they turned to extortion. This reuse of “waste product” shows how determined attackers are to squeeze every possible profit from their victims.

But GameOver Zeus was just the start. Since 2014, other malware campaigns have applied the same dual revenue stream approach. For example, a recent ransomware variant dubbed “RAA” was identified being delivered together with the Pony credential-harvesting malware. Other ransomware variants, such as “CryptXXX” and “Crysis,” reportedly possess credential-stealing capabilities of their own. Discoveries like these are becoming more frequent and, as long as they make cybercriminals money, they will continue.

As a security professional you must prepare for the possibility that your organization’s data will be stolen or held hostage. To help prepare for these types of dual revenue attacks, here are 10 things you can do.

Credential compromise:

1. Implement an enterprise password management solution, not only for secure storage and sharing but also for generating strong, unique passwords for each service. Update security awareness training to cover the risks of password reuse. Encourage staff to use consumer password managers such as 1Password or LastPass for their personal account credentials as well.

2. Proactively monitor for credential dumps that contain your organization’s accounts. Consider additional monitoring for the non-enterprise accounts of high-value targets, such as executives. When a dump surfaces, determine whether it is new or a recycled copy of credentials that have already leaked, since only the former represents a fresh exposure.

3. Implement multi-factor authentication for externally facing corporate services such as Microsoft Outlook Web Access and SSL VPNs, as well as for software-as-a-service offerings such as Google Apps, Office 365 and Salesforce.

4. Identify and document any internal services that are not federated with your central identity provider. Each of them holds its own copy of a user’s credentials, so knowing where they are makes incident response to a breach of an organizational account faster and more complete.

5. Ensure that you have an emergency password reset process in place, and that it covers all of a user’s accounts, not just Microsoft Active Directory.
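The monitoring in point 2 can be made concrete. The Python below is an added example, not the article’s or the author’s code: it keeps only the entries in a credential dump that belong to the organization’s own domains or to a watchlist of executives’ personal addresses, and labels each hit “new” or “recycled” by comparing a keyed digest against the set of digests seen in earlier dumps, so neither the script nor its store retains plaintext passwords. The domains, watchlist, key and both dumps are constructed for the example.

```python
"""Triage constructed credential dumps for an organization's accounts.

Added example, not from the article. Filters dump lines to the
organization's domains (plus a watchlist of high-value personal
addresses), then labels each hit "new" or "recycled" by comparing an
HMAC fingerprint with those seen in earlier dumps. Only fingerprints
are kept, never the plaintext pairs.
"""
import hashlib
import hmac

# Assumption: domains the organization owns (constructed).
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Assumption: executives' non-enterprise addresses you have agreed to
# monitor (constructed), the extra coverage point 2 suggests.
WATCHLIST = {"ceo.personal@mail.example"}

# Assumption: a secret held by the monitoring team. Keying the digest means
# the "seen before" store cannot be reversed with a precomputed table.
STORE_KEY = b"constructed-example-key-rotate-me"

# Constructed dumps standing in for paste-site or feed content.
PRIOR_DUMP = """\
alice@example.com:Winter2014!
bob@gmail.com:hunter2
"""
NEW_DUMP = """\
alice@example.com:Winter2014!
Alice@Example.com:Spring2016!
carol@corp.example.com:S3cret
ceo.personal@mail.example:pa55word
not a credential line
"""


def fingerprint(email, password):
    """Keyed digest of the normalized email and password; this is all we store."""
    msg = f"{email}\x00{password}".encode("utf-8")
    return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()


def parse_dump(text):
    """Yield (email, password) from 'email:password' lines, skipping malformed ones."""
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        yield email, password


def in_scope(email):
    """True if the address is on an org domain or on the executive watchlist."""
    domain = email.rsplit("@", 1)[1]
    return domain in ORG_DOMAINS or email in WATCHLIST


def triage(dump_text, seen):
    """Classify in-scope entries as new or recycled; add new fingerprints to `seen`.

    Returns {"new": [...], "recycled": [...], "ignored": n}. A known address
    appearing with a different password counts as "new": that is a fresh
    exposure even though the address itself has leaked before.
    """
    report = {"new": [], "recycled": [], "ignored": 0}
    for email, password in parse_dump(dump_text):
        if not in_scope(email):
            report["ignored"] += 1
            continue
        fp = fingerprint(email, password)
        if fp in seen:
            report["recycled"].append(email)
        else:
            seen.add(fp)
            report["new"].append(email)
    return report


def run_demo():
    """Process the two constructed dumps in order and return both reports."""
    seen = set()
    first = triage(PRIOR_DUMP, seen)
    second = triage(NEW_DUMP, seen)
    return first, second


if __name__ == "__main__":
    for label, rep in zip(("prior dump", "new dump"), run_demo()):
        print(label, rep)
```

In a real deployment `seen` is a persistent store shared across runs, and anything in the “new” bucket feeds the emergency reset process in point 5; entries in “recycled” have already been acted on and only need confirmation that the reset happened. When a dump carries hashed rather than plaintext passwords, the same flow works on the address alone, at the cost of no longer distinguishing a reused leak from a new password for a known account.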

Ransomware:

1. Ensure that operating systems, software and firmware on devices are kept patched and updated. A centralized patch management system may facilitate this process.

2. Regularly back up data, to the cloud or to physical media, and verify the integrity of the backups. Keep backups separate from the main corporate network and from the machines they protect, so that an intruder who reaches those machines cannot also encrypt or delete the copies you will restore from.

3. Categorize data by its value to the organization, then create physically or logically separate networks for different business functions.

4. Provide awareness and training on the threat of ransomware, how it is delivered, how to avoid becoming a victim, and how to report suspected phishing attempts.

5. Manage the use of privileged accounts and ensure the principle of least privilege is applied not just to data but also to file, directory and network share permissions.
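The integrity check in point 2 can be automated. The Python below is an added example, not the article’s or the author’s code: it records a SHA-256 manifest of a backup tree, signs the manifest with an HMAC key held away from the backup target, then damages the tree the way ransomware would (one file overwritten and renamed, one altered in place) and reports what verification finds. It also shows that a manifest edited to match the damaged files is rejected because its tag no longer verifies. The file tree, the key and the damage are all constructed for the example.

```python
"""Verify a backup set against a signed SHA-256 manifest.

Added example, not from the article. Builds a constructed file tree in a
temporary directory, signs a digest manifest, damages the tree the way
ransomware would, and reports what verification finds.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: this key lives on the host that runs verification, not on the
# backup target, so an intruder who can rewrite the backup cannot re-sign
# the manifest to match (constructed value).
MANIFEST_KEY = b"constructed-key-keep-off-the-backup-server"

# Constructed sample tree: relative path -> contents.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2016-01-01,100\n",
    "hr/policy.txt": b"constructed sample policy\n",
    "readme.txt": b"constructed sample readme\n",
}


def sha256_file(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root ('/'-separated relative path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def _tag(manifest):
    """HMAC over the canonical (sorted-key) JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode("utf-8")
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def sign_manifest(manifest):
    """Serialize the manifest together with its HMAC tag."""
    return json.dumps({"manifest": manifest, "hmac": _tag(manifest)}, sort_keys=True)


def load_signed_manifest(blob):
    """Return the manifest only if the tag verifies; otherwise raise ValueError."""
    doc = json.loads(blob)
    if not hmac.compare_digest(_tag(doc["manifest"]), doc["hmac"]):
        raise ValueError("manifest tag mismatch: manifest or backup host tampered with")
    return doc["manifest"]


def verify_backup(root, manifest):
    """Compare the tree under root with the manifest and bucket every path."""
    current = build_manifest(root)
    return {
        "ok": sorted(p for p, d in manifest.items() if current.get(p) == d),
        "modified": sorted(p for p, d in manifest.items() if p in current and current[p] != d),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _populate(root):
    """Write the constructed sample tree under root."""
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def simulate_ransomware_damage():
    """Return the verification report for a tree damaged after its manifest was taken."""
    with tempfile.TemporaryDirectory() as root:
        _populate(root)
        signed = sign_manifest(build_manifest(root))
        # Ransomware-style: overwrite the contents and append an extension ...
        ledger = os.path.join(root, "finance", "ledger.csv")
        with open(ledger, "wb") as fh:
            fh.write(os.urandom(64))
        os.rename(ledger, ledger + ".locked")
        # ... and alter another file in place without renaming it.
        with open(os.path.join(root, "readme.txt"), "ab") as fh:
            fh.write(b"tampered")
        return verify_backup(root, load_signed_manifest(signed))


def forged_manifest_is_rejected():
    """Edit a signed manifest's digests without the key; loading must fail."""
    with tempfile.TemporaryDirectory() as root:
        _populate(root)
        doc = json.loads(sign_manifest(build_manifest(root)))
        doc["manifest"]["readme.txt"] = "0" * 64
        try:
            load_signed_manifest(json.dumps(doc))
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(simulate_ransomware_damage())
    print("forged manifest rejected:", forged_manifest_is_rejected())
```

Run the verification from a host other than the backup target and keep the manifest and key there too; that is the practical meaning of keeping backups remote from the machines they protect. A report with anything in “modified”, “missing” or “unexpected” means the backup was touched after it was taken and should not be the copy you restore from.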

Developing awareness about these dual revenue attacks is the first step in preparing your organization to deal with these threats. By applying a combination of technical and process controls you can strengthen your defenses against innovative cybercriminals and minimize the impact should you become a victim.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
