Cyber Insights 2023 | Criminal Gangs

SecurityWeek Cyber Insights 2023 | Criminal Gangs – Our intention here is to talk about cybercrime and cybercriminals. Despite some geopolitical overlaps with state attackers, the majority of cyberattacks still come from simple – or perhaps sophisticated – criminals who are more motivated by money than politics.

“With the Russia-Ukraine War, many actors polarized, including players like Conti, Killnet and Anonymous. However, the ecosystem is much larger, and even with setbacks in cryptocurrency brokerage, which advanced the liquidity and economics of criminals online, criminal organizations are thriving, diversifying, and going gangbusters as we enter 2023,” comments Sam Curry, CSO at Cybereason.

“There are no signs of this letting up and all signs indicate that criminal organizations’ real growth is e-crime going forward.”

Know your enemy

An increasing sophistication among the more elite criminals together with a more streamlined organization of the infrastructure from which they operate has been apparent for many years. This process continues and will continue throughout 2023. It is apparent in both how the gangs operate and the tools they use.

“Malware will continue to evolve in 2023 as attackers find new ways to hide it to maintain persistence and get what they came for,” says Mike Parkin, senior technical engineer at Vulcan Cyber – adding, “The attack vectors they use to get a foothold will also evolve, taking advantage of new vulnerabilities, and leveraging variations of old ones.”

But it is the increasing maturity of the criminal business that perhaps poses the greatest threat. “There is a significant maturing of the tools used by cybercriminal groups,” explains Andrew Barratt, VP at Coalfire. “They are becoming platforms (as a service) for other criminal groups with significantly less technical expertise to leverage.”

We’ve had ransomware-as-a-service and infostealers-as-a-service for a few years, but it is becoming more accurate to describe the process as a complete ‘crime-as-a-service’. “While we’ve seen the crime-as-a-service infrastructure become very prevalent, it’s probably likely we’ll see an uptick in volume and/or pricing of these attacks in the year ahead,” adds Barratt.

Crime-as-a-Service

“We’ve looked at numerous online forums and found such a rise and diversification in the many kinds of criminal ‘as a service’ offerings that people really can set up their own cybercrime business with little to no technical knowledge or skills,” explains Christopher Budd, senior manager of threat research at Sophos. 

“Now you can find a vendor or supplier to cover your needs around targeting and initial compromise of victims, evasion and operational security, and malware delivery, among others.” These offerings often come with good marketing and customer service and support that meets – or even exceeds – those you get when paying for legitimate software.

Calling it malware-as-a-service (MaaS) rather than crime-as-a-service, Andrew Pendergast, EVP of product at ThreatConnect, adds, “MaaS operators act like a business, because they are a business – just an illegal one. Their goals are to make as much money as possible selling their product and services. This entails making it as accessible, trustable, reliable, and easy to use as possible for their ‘market’.”

He expects the CaaS providers to continue to improve their support and services to accommodate a broader set of customers and affiliates, adding, “The net results will be a broadening user base for various MaaS offerings which in 2023 likely means more ransomware attacks.”

In fact, the service is now so complete that Benjamin Fabre, CEO at DataDome, points out new cybercriminals no longer need the technical skills to develop and execute cyberattacks on their own. “Cybercrime will require as much brains as holding a baseball bat to a shop owner’s window,” he comments.

Chris Vaughan, a VP of technical account management at Tanium, agrees with this assessment. “Malicious cyber tools are becoming more available to be purchased online which is leading to a greater number of attacks that are also less predictable. This includes vulnerabilities and exploits as well as hackers for hire, dramatically lowering the barrier of entry for anyone interested in launching a cyberattack.”

This leads us to another related concern for 2023: the potential. expansion of a recession-promoted cybercrime gig economy. “People may turn to ‘cyber hustling’ in the cybercrime gig economy to make quick cash during the economic downturn,” warns Alex Holland, senior malware analyst at HP Inc.

He fears a potential increase in the number of cyber hustlers seeking to make additional – or, indeed, any – income by scamming consumers who will themselves be looking for opportunities to raise some extra cash. “Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers – opportunists with relatively low levels of technical skill – to access what they need to turn a profit.”

The interconnected nature of the cybercrime gig economy means threat actors can easily monetize attacks. “And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organized groups even more reach.”

Crime gang career roles

Fundamental to the emergence of streamlined CaaS has been the evolution of career specializations within the gangs. “In many ways, the cybercrime ecosystem has developed specialized ‘career fields’ in a similar way that cybersecurity has developed specializations,” comments John Bambenek, principal threat hunter at Netenrich. 

This means there are many more partnerships and boutique actors helping a variety of groups. “Getting initial access is a specialized skill set, just like money laundering (in cryptocurrency) and ransomware development are skill sets,” he added. “This specialization makes the ecosystem as a whole more resilient and more difficult to bring to justice.”

This process of business refinement will continue through 2023. “Criminal organizations will continue to grow in scope and capabilities, with increased focus on functional areas,” suggests Chris Gray, AVP of security strategy at Deepwatch. “Specialization will allow these groups to maintain the razor margins needed to operate at levels that are capable of bypassing security program components at advanced targets and/or operate at scale against more susceptible targets.”

Three categories of CaaS to watch in 2023

Three categories of crime-as-a-service are likely to be prevalent in 2023: ransomware-as-a-service (RaaS), stealer-as-a-service (SaaS), and victims-as-a-service (VaaS).

RaaS

The ‘pay-per-use’ version of delivering ransomware is, says, Camellia Chan, CEO and founder of X-Phy, “a sophisticated, and yet much more accessible form of ransomware, with malicious actors no longer requiring advanced technical skills to carry out attacks.” This is a win for wannabe criminals who cannot code. 

But it is also a win for the more elite coding criminals trying to avoid the eye of law enforcement. “The number of different entities involved adds another layer of complexity,” explains Chan. “While RaaS operators develop the infrastructure, access brokers focus on the identity posture and external access portals. To finish, the affiliate buying the RaaS handles the exfiltration of data to ransom, then deploying the actual ransomware payload.”

Mike McLellan, director of intelligence at Secureworks, continues: “New RaaS schemes will continue to emerge, but the landscape will be dominated by a handful of cybercriminal groups operating a small number of very active schemes.”

He expects the dominant schemes to increase their capacity to support more affiliates. “Experienced cybercriminals under sanction by the U.S. authorities will make use of existing RaaS schemes as a way of complicating attribution of their attacks. At the other end of the spectrum, less sophisticated affiliates will conduct simplistic ransomware deployments against small numbers of hosts, rather than full blown, enterprise-wide encryption events.”

SaaS

A study published by Group-IB on November 23, 2022, reported that 34 Russian-speaking groups were distributing infostealers as part of stealers-as-a-service operations. On average, each of these groups has some 200 active members. 

Twenty-three of the groups distributed the Redline infostealer, while eight concentrated on Raccoon. “An infostealer,” explains Group-IB, “is a type of malware that collects credentials stored in browsers (including gaming accounts, email services, and social media), bank card details, and crypto wallet information from infected computers, and then sends all this data to the malware operator.”

Given that credentials remain the starting point for most cyberattacks, the demand is and will remain high. Group-IB suggests “Stealers are one of the top threats to watch in the coming year.” The company notes, “In the first seven months of 2022, the gangs collectively infected over 890,000 user devices and stole over 50 million passwords.”

While the targets are individual computers often used by gamers and remote workers, the potential knock-on effect against corporates should not be under-estimated. “The threat actor responsible for the most recent attack on Uber purchased the credentials compromised with the Raccoon stealer,” says Group-IB.

Uber itself explained the process in a statement: “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”

This demonstrates both the success of stealers and the failure of MFA to offer a complete access solution. The Uber instance seems to be a variation on what Tanium’s Vaughan describes as an MFA push exhaustion attack. “This,” he explains, “is where an attacker sends a large number of MFA acceptance prompts to a user’s phone which may cause them to click accept in order to stop the barrage of requests.”

This whole process of SaaS-delivered stealers acquiring credentials and attackers defeating MFA will persist and increase in 2023.

VaaS

Mark Warren, product specialist at Osirium, believes there is a new service offering on the rise: hacker teams offering victims-as-a-service. “For the last couple of years, threat actors have been team-based,” he explains. “Before cryptocurrency, they were lone wolves – or, occasionally, a loosely connected group who’d met online. Then they started working in teams, and because they were paid money those teams became tightly bonded. Over the next year we’ll see more teams divide out into skills-based groups.”

He uses REvil as an example of a successful RaaS model offering an end-to-end solution for attackers that included encryption software, access tools, helpdesks for victims, payment services and much more.  “But,” he says, “there’s still a market for smaller teams that focus on specific attack skills. For example, they may breach defenses to acquire user or admin credentials, or even install malware to provide back door entry for use at a later date.” 

Providers of such a service don’t need to take the risk of executing the attack or handling payment; they can make good money just by selling the access on dark web marketplaces. The access could be obtained via relatively risk-free phishing campaigns.

The approach could be modular. “Company intelligence may be another specialist service,” he suggests. “For example, knowing what cyber insurance a potential victim has could reveal the kinds of defenses they’ll have in place and even how much they’re insured for, so ransomware demands can be tailored.” In this sense, VaaS can be seen as an extension and expansion of the existing access broker criminal service.

And going forward…

Aamir Lakhani, cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs, adds further subtleties that will emerge. “Going forward, subscription based CaaS offerings could potentially provide additional revenue streams. In addition, threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering these videos and audio recordings and related algorithms more broadly for purchase.”

The quasi-APT

This continuing professionalization of the criminal fraternity is causing the inevitable emergence of what Omer Carmi, VP of cyber threat intelligence at Cybersixgill, calls the quasi-APT. “In 2023,” he warns, “the quasi-APT’s emergence will escalate due to the democratization of cyberweapons and the democratization of access enabled by powerful technology now accessible to the cybercrime underground.” 

The growth of specialized roles and CaaS means that for as little as $10, threat actors can purchase access and gain a steady foothold into their targets’ systems. They can get a beachhead into highly secured organizations without having to bother with the complex, drawn-out process of gaining initial access on their own. 

“By outsourcing access, attackers of all levels of sophistication can leapfrog several steps, jumping yet another step closer to the level of an APT – hence the birth of the quasi-APT,” he warns.

The constantly improving sophistication and professionalization of the criminal underground will continue through 2023 and beyond. For example, Mikko Hypponen, chief research officer at WithSecure, sees artificial intelligence adding a new string to the criminal bow in 2023.

“Malware campaigns will move from human speed to machine speed,” he warns. “The most capable cybercrime groups will reach the capability to use simple machine learning techniques to automate the deployment and operation of malware campaigns, including automatic reaction to our defenses. Malware automation will include techniques like rewriting malicious emails, registering and creating malicious websites, and rewriting and compiling malware code to avoid detection.”

2023 may see the beginning of a new crime gang service: AI-as-a-Service.