Despite lingering, dated depictions of dark-hooded figures, cyber crime has matured into a highly professional business sector. With strong backing by organized crime syndicates and nation states, many operations look a lot like any other established business, complete with org charts, marketing teams and HR departments.
As we gear up for CyberArk Impact 2022, we asked Lavi Lazarovitz, senior director of cyber research, CyberArk Labs, to weigh in on the underground industry’s increasing ability to scale and diversify its operations, its rapidly growing managed services economy, and what attack commoditization means for defenders.
Come One, Come All: How Cyber Crime Transformation Has Leveled the Playing Field
Legitimate enterprises across every industry are undergoing major IT transformation initiatives – involving cloud migration, automation, DevOps, hybrid work and more – to become more agile and resilient. A recent EY study found that 84% of organizations are adapting operating models, with many finding their path to transformation through managed services. “Cyber criminal enterprises are no exception, and like many businesses, they’ve been heading toward ‘as a service’ models for some time,” says Lazarovitz.
The meteoric rise in cloud services accelerated this shift. “Cyber attackers gained access to the development tools, infrastructure and other resources needed to scale their approaches,” Lazarovitz explains. Today, the dark web is teeming with darknet marketplaces such as AlphaBay and underground forums like xss[.]is and exploit[.]in, from which threat actors can sell or lease malicious tools and services. And as soon as law enforcement shuts one market down, it seems another one opens or relaunches. “Underground customers with little malware development experience can find virtually anything they need directly off the shelf, paying anonymously with cryptocurrency,” says Lazarovitz.
Ransomware-as-a-Service and Conti’s Lasting Legacy
Ransomware-as-a-service (RaaS) affiliate models – in which sophisticated threat actors typically develop malware, and either sell it as a service and profit off extortions or hire others to do their dirty work – have proven to be particularly lucrative. “Of the ransomware strains observed by CyberArk Labs, two ransomware families, Conti and LockBit, made their way to the top 10 most distributed families, based on the number of variants identified in the wild,” notes Lazarovitz.
The Conti group was a particularly sophisticated and dangerous RaaS operation, known for infiltrating organizations around the globe and weaponizing the Log4j vulnerability. However, geopolitical tensions purportedly drove a wedge between group members, leading to a massive data leak on Twitter in early 2022. The data – analyzed by CyberArk Labs – revealed information about the inner workings of the group, including its common tactics, techniques and procedures (TTPs) as well as source code for malware and tools. Increased scrutiny from law enforcement followed and the group supposedly shuttered operations in May 2022. However, based on threat intelligence reports, Conti members have started to work closely with their former associate team, TrickBot. And using the leaked Conti “blueprint,” other criminal groups have been able to fast-track development of their own RaaS variants. We’ll explore this in depth during this week’s Impact 2022 session, “Cyber Warfare: What We Can Learn from the Russia-Ukraine Cyber Attacks.”
In upleveling their businesses, organized RaaS groups have also rolled out offerings such as negotiation, payment dispute arbitration and 24/7 help centers for victim organizations. And ransomware groups keep innovating to boost their bottom lines. For instance, last year, Conti ransomware actors started selling access to victims’ networks so other groups could launch follow-on attacks, according to CISA. And triple extortions, a popular REvil technique, are increasing. These groups have proven that cyber crime pays, and as long as the returns exceed the costs, such attacks will continue to increase – especially since almost anyone can get in the game.
The Rise of “Access-as-a-Service” and Its Far-Reaching Implications
“By utilizing RaaS, ransomware operators can focus on leveraging the access they have or have purchased to make more money and impact instead of focusing on writing their own malware,” says Lazarovitz. “And just like anyone can buy a RaaS kit from one of these groups, anyone can go shopping on the dark web for RDP access for as little as $1 to $10.”
Lazarovitz explains that over the past few years, remote access has become a key commodity. Attacks targeting remote employees, third parties and exposed RDP ports are almost constant today. “Remote desktop credentials are frequently used in ransomware campaigns, such as the recent Conti campaigns, for initial access and lateral movement,” he notes. Ninety-seven percent of senior security executives say attackers are increasingly trying to steal one or more types of credentials, which often end up for sale on the dark web, a trend that has driven credential access to the top of the enterprise cyber-risk list.
Lazarovitz explains that cheap, on-demand access to human and machine identities gives attackers of all skill levels numerous opportunities that extend far beyond ransomware. “Access-as-a-service provides a legitimate way to get through the door and gain a foothold within an enterprise,” he says. And the ability to obtain privileged identities without expending much effort is a huge benefit for attackers. “By solving the identity piece of the equation, threat actors can move faster along the attack chain, reach further across supply chains and optimize the operation – making the malware more durable and flexible to run in any environment and reduce its signature, which makes it more difficult to detect,” notes Lazarovitz.
CISOs and security leaders are under enormous pressure to keep pace with this ever-evolving threat landscape – it’s a challenge that no team should face alone. This week at Impact 2022, CyberArk Labs, CyberArk Red Team and other company experts will share a series of research-based presentations and interactive sessions – on everything from how attackers are exploiting identities and risks across the blockchain, to lessons learned from WhisperGate, HermeticWiper and other dangerous malware strains being used in cyber warfare, to new credential attack methods targeting Chromium-based browsers – to help our customers better understand what they’re up against, collaboratively tackle challenges and apply proven Identity Security approaches that reduce risk without compromise.
Explore the full agenda and get ready to make an impact at Impact 2022.
