Monday, 30 November 2020

Cybercrime worth more today: Group-IB

Group-IB, a global threat hunting and intelligence company, has presented its annual Hi-Tech Crime Trends 2020/2021 report*, which charted a spike in cybercrime over the review period (2H19 to 1H20), the rise of an underground market selling access to corporate networks, and a more than two-fold growth of the carding market.

Report highlights include:

Asia-Pacific is a primary target for advanced persistent threat (APT) groups

Asia-Pacific became the region most actively attacked by state-sponsored threat actors. A total of 34 campaigns were carried out in this region, and APT groups from China, North Korea, Iran, and Pakistan were the most active.

Most state-sponsored threat actors originate from China (23), followed by Iran (eight APT groups), North Korea and Russia (four APT groups each), India (three), and Pakistan and Gaza (two each). South Korea, Turkey, and Vietnam are reported to have only one APT group each.

Cybersecurity researchers have also detected seven previously unknown APT groups, namely Tortoiseshell (Iran), Poison Carp (China), Higaisa (South Korea), AVIVORE (China), Nuo Chong Lions (KSA), as well as Chimera and WildPressure, whose geographical affiliation remains unknown. At least three of the groups – Poison Carp, Higaisa, and Chimera – operate in the Asia-Pacific. In addition, six known groups that remained unnoticed in recent years resumed their operations.

Military operations conducted by various intelligence services are becoming increasingly common. Group-IB has identified a continuing trend where physical destruction of infrastructure is replacing espionage. Attacker toolkits are being updated with instruments intended for attacks on air-gapped networks.

The nuclear industry is turning into the No. 1 target for state-sponsored threat actors. Unlike the previous reporting period, during which no attacks were observed, the current one was marked by attacks on nuclear energy facilities in Iran and India.

State-sponsored APT groups are still interested in the telecommunications sector. Over the review period, it was targeted by at least 11 groups affiliated with intelligence services. Threat actors’ main goals remain espionage against telecommunications operators and attempts to disable infrastructure. Threat actors have also set a new record in distributed denial of service (DDoS) attack power: 2.3 Tb per second and 809 million packets per second. Border Gateway Protocol (BGP) hijacking and route leaks remain a serious problem as well. Over the past year, nine significant cases have been made public.

Ransomware cost the world over US$1 billion

Late 2019 and all of 2020 were marked by an unprecedented surge in ransomware attacks. Neither private sector companies nor government agencies turned out to be immune to the ransomware plague. Over the reporting period, more than 500 successful ransomware attacks in more than 45 countries were reported. Since attackers are motivated by financial gain alone, any company, regardless of size and industry, could fall victim to ransomware attacks. Meanwhile, if the necessary technical toolsets and data restoration capabilities are not in place, ransomware attacks can not only cause downtime in manufacturing but also bring operations to a standstill. Asia accounted for about 7% of the total number of reported ransomware incidents, with the most frequently attacked countries in the region being India and China.

According to Group-IB’s conservative estimates, the total financial damage from ransomware operations amounted to over US$1 billion, but the actual damage is likely to be much higher. Victims often remain silent about incidents and pay ransoms quietly, while attackers do not always publish data from compromised networks. The top five most frequently attacked industries include manufacturing (94 victims), retail (51 victims), state agencies (39 victims), healthcare (38 victims), and construction (30 victims).

Maze and REvil are considered to have the largest appetite: the operators of these two strains are believed to be behind more than half of all successful attacks. Ryuk, NetWalker, and DoppelPaymer come in as a joint second.

Group-IB said the ransomware pandemic was triggered by the active development of private and public affiliate programmes that bring together ransomware operators and cybercriminals involved in compromising corporate networks. Another reason for the increase in ransomware attacks is that traditional security solutions, still widely used by many companies, very often fail to detect and block ransomware activity at early stages. Ransomware operators buy access and then encrypt devices on the network. After receiving the ransom from the victim, they pay a fixed rate to their partners under the affiliate programme. The main ways of gaining access to corporate networks include brute-force attacks on remote access interfaces (Remote Desktop Protocol [RDP], Secure Shell [SSH], virtual private network [VPN]), malware (e.g., downloaders), and new types of botnets (brute-force botnets). The latter are used for distributed brute-force attacks from a large number of infected devices, including servers.
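The paragraph above describes the two access patterns a defender has to detect on remote-access interfaces: a single noisy source hammering one service, and a brute-force botnet spreading a few attempts per source across many infected hosts so that no single IP trips a per-source threshold. The script below is an added example, not part of the Group-IB report, and shows one way to catch both from SSH authentication logs. The log lines, hostnames, addresses and usernames are constructed for the example, and the thresholds and time window are assumptions to tune against real traffic.

```python
"""Flag single-source and distributed brute-force attempts in sshd-style auth logs.

Added example; log lines, hosts, IPs, usernames and thresholds are constructed
assumptions, not data from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one noisy source against root, seven quiet sources
# against admin (the botnet pattern), one benign typo by alice, one noise line.
SAMPLE_LOG = """\
Nov 30 08:00:01 bastion sshd[1001]: Failed password for root from 203.0.113.10 port 50122 ssh2
Nov 30 08:00:02 bastion sshd[1001]: Failed password for root from 203.0.113.10 port 50123 ssh2
Nov 30 08:00:03 bastion sshd[1001]: Failed password for root from 203.0.113.10 port 50124 ssh2
Nov 30 08:00:04 bastion sshd[1001]: Failed password for root from 203.0.113.10 port 50125 ssh2
Nov 30 08:00:05 bastion sshd[1001]: Failed password for root from 203.0.113.10 port 50126 ssh2
Nov 30 08:00:06 bastion sshd[1001]: Failed password for root from 203.0.113.10 port 50127 ssh2
Nov 30 08:05:00 bastion sshd[1002]: Failed password for admin from 198.51.100.11 port 40001 ssh2
Nov 30 08:05:05 bastion sshd[1003]: Failed password for admin from 198.51.100.12 port 40002 ssh2
Nov 30 08:05:10 bastion sshd[1004]: Failed password for admin from 198.51.100.13 port 40003 ssh2
Nov 30 08:05:15 bastion sshd[1005]: Failed password for admin from 198.51.100.14 port 40004 ssh2
Nov 30 08:05:20 bastion sshd[1006]: Failed password for admin from 198.51.100.15 port 40005 ssh2
Nov 30 08:05:25 bastion sshd[1007]: Failed password for admin from 198.51.100.16 port 40006 ssh2
Nov 30 08:05:30 bastion sshd[1008]: Failed password for admin from 198.51.100.17 port 40007 ssh2
Nov 30 08:10:00 bastion sshd[1009]: Failed password for alice from 192.0.2.5 port 30001 ssh2
Nov 30 08:10:05 bastion sshd[1009]: Accepted password for alice from 192.0.2.5 port 30001 ssh2
Nov 30 08:10:06 bastion sshd[1009]: Connection closed by 192.0.2.5 port 30001
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2020):
    """Return a dict for password-auth lines, None for anything else (syslog has no year)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "status": m["status"], "user": m["user"], "ip": m["ip"]}


def _sliding_max(events, window):
    """events: time-sorted (ts, key) pairs. Return the largest event count and the
    largest number of distinct keys seen in any window of the given length."""
    left, keys, best_events, best_keys = 0, defaultdict(int), 0, 0
    for right, (ts, key) in enumerate(events):
        keys[key] += 1
        while ts - events[left][0] > window:  # slide the left edge forward
            old = events[left][1]
            keys[old] -= 1
            if keys[old] == 0:
                del keys[old]
            left += 1
        best_events = max(best_events, right - left + 1)
        best_keys = max(best_keys, len(keys))
    return best_events, best_keys


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts for (a) one IP with >= threshold failures in the window and
    (b) one account failed from >= threshold distinct quiet IPs in the window."""
    window = timedelta(seconds=window_seconds)
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != "Failed":
            continue
        by_ip[ev["ip"]].append((ev["ts"], ev["user"]))
        by_user[ev["user"]].append((ev["ts"], ev["ip"]))

    alerts = []
    for ip, evs in by_ip.items():
        count, _ = _sliding_max(sorted(evs), window)
        if count >= threshold:
            alerts.append({"kind": "single_source", "key": ip, "count": count})

    # Distributed case: ignore sources already flagged, then count how many
    # *different* low-rate sources hit the same account inside one window.
    noisy = {a["key"] for a in alerts}
    for user, evs in by_user.items():
        quiet = sorted(e for e in evs if e[1] not in noisy)
        _, distinct_ips = _sliding_max(quiet, window)
        if distinct_ips >= threshold:
            alerts.append({"kind": "distributed", "key": user, "count": distinct_ips})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed sample, the script reports the single source 203.0.113.10 (six failures in one window) and a distributed attempt against admin from seven distinct addresses, while alice's one mistyped password raises nothing. The per-IP view alone would miss the admin case, which is the point of the second pass; in production the same logic applies to RDP and VPN gateway logs once the parser is swapped.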

In late 2019, ransomware operators adopted a new technique. They began downloading all the information from victim organisations and then blackmailed them to increase the chances of the ransom being paid. Maze (who allegedly called it quits not long ago) pioneered the tactic of publishing sensitive data as leverage to extort money. If a victim refuses to pay the ransom, they risk not only losing all their data but also having it leaked. In June 2020, REvil started auctioning stolen data.

Sales of access to compromised corporate networks grow fourfold

Sales of access to compromised corporate networks have been increasing from year to year and peaked in 2020. It is difficult to assess the size of the market for selling access as offers published on underground forums often do not include the price, while some deals are cut in private. Nevertheless, Group-IB’s technologies for monitoring underground forums (which make it possible to see deleted and hidden posts) helped the company’s experts assess the total market size for access sold in the review period: US$6.2 million. This is a fourfold increase compared to the previous review period (2H18 to 1H19), when it totalled US$1.6 million.

In 1H20 alone, 277 offers of access to corporate networks were put up for sale on underground forums. During this period, 63 sellers were active, and 52 of them began selling access in 2020. By comparison, during all of 2018, only 37 access sellers were active, while in 2019 there were 50 sellers who offered access to 130 corporate networks. In total, the sales of corporate network access grew by 162% compared to the previous period (from 138 offers to 362).

After analysing offers of access to corporate networks, Group-IB experts found correlations with ransomware attacks: most threat actors offered access to US companies (27%), while manufacturing was the most frequently attacked industry in 2019 (10.5%). In 2020, access to state agency networks (10.5%), educational institutions (10.5%), and IT companies (9%) was in high demand. It should be noted that sellers of access to corporate networks less and less often mention company names, geographical location and industry, which makes it almost impossible to identify the victim without contacting the attackers.

As per Group-IB data, in 2020 most of the Asia-Pacific companies whose corporate network access was put up for sale on underground forums were from China (2.2%), Australia (1.9%), and India (1.1%). In 2019, the same countries were in the top three, though with different shares: Australia (4.6%), India (3.8%), and China (1.5%).

Group-IB notes that selling access to a company’s network is only one aspect of an attack: the privileges gained could be used for both launching ransomware and stealing data, with the aim of later selling it on underground forums or spying.

Market for stolen credit card data reached almost US$2 billion

The threat of bank card data leaks is most acute for retail companies that have online sales channels, e-commerce companies that offer goods and services online, and banks that unwittingly become involved in incidents, Group-IB said. Over the review period, the carding market grew by 116%, from US$880 million to US$1.9 billion. The quick growth applies to both textual data (bank card numbers, expiration dates, holder names, addresses, card verification values [CVVs]) and dumps (magnetic stripe data). The amount of textual data offered for sale increased by 133%, from 12.5 to 28.3 million cards, while dumps surged by 55%, from 41 to 63.7 million. The maximum price for card textual data is US$150 and it is US$500 for a dump.

Dumps are mainly obtained by infecting computers with connected point-of-sale (POS) terminals with specialised Trojans that collect card data from random-access memory. Over the review period, 14 Trojans used for collecting dumps were found to be active. Card data belonging to bank customers in India and South Korea are the second and third most sought-after by cybercriminals, with US bank data in first place. Over the review period, the total price of all the bank card dumps offered for sale amounted to US$1.5 billion, while textual data came to US$361.7 million.

Textual data is collected through phishing websites and PC/Android banking Trojans, by compromising e-commerce websites, and by using JavaScript (JS) sniffers. The latter were one of the main instruments for stealing large amounts of payment data over the past year. JS sniffers also became more popular in light of the trend of reselling access to various websites and organisations on underground forums.

Group-IB is currently monitoring the activities of 96 JS sniffer families. This is a 2.5-fold increase compared to the previous reporting period, during which there were 38 families on the company’s radar. According to Group-IB's findings, nearly 460,000 bank cards were compromised using JS sniffers over the past year.

*Group-IB has been publishing the annual report for the past seven years, combining data gathered as a result of the company's own investigations with incident response findings worldwide.
