Connect with us

Market Research

FortiGuard Labs Predicts the Convergence of Advanced Persistent Threat Methods with Cybercrime

Published

on

Fortinet has unveiled predictions from the FortiGuard Labs global threat intelligence and research team about the cyber threat landscape for the next 12 months and beyond. From quickly evolving Cybercrime-as-a-Service (CaaS)-fueled attacks to new exploits on nontraditional targets like edge devices or online worlds, the volume, variety, and scale of cyber threats will keep security teams on high alert in 2023 and beyond.

Derek Manky, Chief Security Strategist and VP for Global Threat Intelligence, FortiGuard Labs said, “As cybercrime converges with advanced persistent threat methods, cybercriminals are finding ways to weaponize new technologies at scale to enable more disruption and destruction. They are not just targeting the traditional attack surface but also beneath it, meaning both outside and inside traditional network environments. At the same time, they are spending more time on reconnaissance to attempt to evade detection, intelligence, and controls. All of this means cyber risk continues to escalate, and CISOs need to be just as nimble and methodical as the adversary. Organizations will be better positioned to protect against these attacks with a cybersecurity platform integrated across networks, endpoints, and clouds to enable automated and actionable threat intelligence, coupled with advanced behavioral-based detection and response capabilities.”

Success of RaaS is a Preview of What Is to Come with CaaS
Given cybercriminal success with Ransomware-as-a-Service (RaaS), a growing number of additional attack vectors will be made available as a service through the dark web to fuel a significant expansion of Cybercrime-as-a-Service. Beyond the sale of ransomware and other Malware-as-a-Service offerings, new a la carte services will emerge. CaaS presents an attractive business model for threat actors. With varying skill levels they can easily take advantage of turnkey offerings without investing the time and resources upfront to craft their own unique attack plan.

And for seasoned cybercriminals, creating and selling attack portfolios as-a-service offers a simple, quick, and repeatable payday. Going forward, subscription-based CaaS offerings could potentially provide additional revenue streams. In addition, threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering these videos and audio recordings, and related algorithms more broadly for purchase.

One of the most important methods to defend against these developments is cybersecurity awareness education and training. While many organizations offer basic security training programs for employees, organizations should consider adding new modules that provide education on spotting evolving methods such as AI-enabled threats.

Reconnaissance-as-a-Service Models Could Make Attacks More Effective
Another aspect of how the organized nature of cybercrime will enable more effective attack strategies involves the future of reconnaissance. As attacks become more targeted, threat actors will likely hire “detectives” on the dark web to gather intelligence on a particular target before launching an attack. Like the insights one might gain from hiring a private investigator, Reconnaissance-as-a-Service offerings may serve up attack blueprints to include an organization’s security schema, key cybersecurity personnel, the number of servers they have, known external vulnerabilities, and even compromised credentials for sale, or more, to help a cybercriminal carry out a highly targeted and effective attack.

Attacks fueled by CaaS models mean stopping adversaries earlier during reconnaissance will be important. Luring cybercriminals with deception technology will be a helpful way to not only counter RaaS but also CaaS at the reconnaissance phase. Cybersecurity deception coupled with a digital risk protection (DRP) service can help organizations know the enemy and gain an advantage.

Money Laundering Gets a Boost from Automation to Create LaaS
To grow cybercriminal organizations, leaders, and affiliate programs employ money mules who are knowingly or unknowingly used to help launder money. The money shuffling is typically done through anonymous wire transfer services or through crypto exchanges to avoid detection. Setting up money mule recruitment campaigns has historically been a time-consuming process, as cybercrime leaders go to great lengths to create websites for fake organizations and subsequent job listings to make their businesses seem legitimate.

Cybercriminals will soon start using machine learning (ML) for recruitment targeting, helping them to better identify potential mules while reducing the time it takes to find these recruits. Manual mule campaigns will be replaced with automated services that move money through layers of crypto exchanges, making the process faster and more challenging to trace. Money Laundering-as-a-Service (LaaS) could quickly become mainstream as part of the growing CaaS portfolio. And for the organizations or individuals that fall victim to this type of cybercrime, the move to automation means that money laundering will be harder to trace, decreasing the chances of recovering stolen funds.

Looking outside an organization for clues about future attack methods will be more important than ever, to help prepare before attacks take place. DRP services are critical for external threat surface assessments, to find and remediate security issues, and help gain contextual insights on current and imminent threats before an attack takes place.

Virtual Cities and Online Worlds Are New Attack Surfaces to Fuel Cybercrime
The metaverse is giving rise to new, fully immersive experiences in the online world, and virtual cities are some of the first to foray into this new version of the internet-driven through augmented reality technologies. Retailers are even launching digital goods available for purchase in these virtual worlds. While these new online destinations open a world of possibilities, they also open the door to an unprecedented increase in cybercrime in unchartered territory.

For example, an individual’s avatar is essentially a gateway to personally identifiable information (PII), making them prime targets for attackers. Because individuals can purchase goods and services in virtual cities, digital wallets, crypto exchanges, NFTs, and any currencies used to transact offer threat actors yet another emerging attack surface. Biometric hacking could also become a real possibility because of the AR and VR-driven components of virtual cities, making it easier for a cybercriminal to steal fingerprint mapping, facial recognition data, or retina scans and then use them for malicious purposes.

In addition, the applications, protocols, and transactions within these environments are also possible targets for adversaries. Regardless of work-from-anywhere, learning-from-anywhere, or immersive experiences-from-anywhere, real-time visibility, protection, and mitigation is essential with advanced endpoint detection and response (EDR) to enable real-time analysis, protection, and remediation.

Commoditization of Wiper Malware Will Enable More Destructive Attacks
Wiper malware has made a dramatic comeback in 2022, with attackers introducing new variants of this decade-old attack method. According to the 1H 2022 FortiGuard Labs Global Threat Landscape report, there was an increase in disk-wiping malware in conjunction with the war in Ukraine, but it was also detected in 24 additional countries, not just in Europe. Its growth in prevalence is alarming because this could be just the start of something more destructive.

Beyond the existing reality of threat actors combining a computer worm with wiper malware, and even ransomware for maximum impact, the concern going forward is the commoditization of wiper malware for cybercriminals. Malware that may have been developed and deployed by nation-state actors could be picked up and re-used by criminal groups and used throughout the CaaS model. Given its broader availability combined with the right exploit, wiper malware could cause massive destruction in a short period of time given the organized nature of cybercrime today.

This makes time for detection and the speed at which security teams can remediate paramountly. Using AI-powered inline sandboxing is a good starting point to protect against sophisticated ransomware and wiper malware threats. It allows real-time protection against evolving attacks because it can ensure only benign files will be delivered to endpoints if integrated with a cybersecurity platform.

What These Attack Trends Mean for Cybersecurity Professionals
The world of cybercrime and the attack methods of cyber adversaries, in general, continue to scale at great speed. The good news is that many of the tactics they are using to execute these attacks are familiar, which better positions security teams to protect against them.

Security solutions should be enhanced with machine learning (ML) and artificial intelligence (AI) so they can detect attack patterns and stop threats in real-time. However, a collection of point security solutions is not effective in today’s landscape. A broad, integrated, and automated cybersecurity mesh platform is essential for reducing complexity and increasing security resiliency. It can enable tighter integration, improved visibility, and more rapid, coordinated, and effective response to threats across the network.

Market Research

Trellix Predicts Heightened Hacktivism and Geopolitical Cyberattacks in 2023

Published

on

Trellix has released its annual threat predictions report for 2023. Forecasts from the Trellix Advanced Research Center anticipate spikes in geopolitically motivated attacks across Asia and Europe, hacktivism fueled by tensions from opposing political parties, and vulnerabilities in core software supply chains. “Analysing current trends is necessary but being predictive in cybersecurity is vital. While organizations focus on near-term threats, we advise all to look beyond the horizon to ensure a proactive posture,” said John Fokker, Head of Threat Intelligence, Trellix. “Global political events and the adoption of new technology will breed novel threats from more innovative threat actors.”

The Trellix Advanced Research Center brings together hundreds of the world’s most skilled security analysts and researchers to serve the global threat intelligence community and organizations with the latest threat indicators and insights collected from Trellix’s extensive sensor network. Trellix Advanced Research Center forecasts the following threats in 2023:

  • Geopolitics and grey-zone conflict. Geopolitical factors will continue to be a high motivation for misinformation campaigns and cyberattacks timed with kinetic military activity.
  • Hacktivism takes center stage. As groups of loosely organized individuals fueled by propaganda align for a common cause, they will ramp up their use of cyber tools to voice their anger and cause disruption across the globe.
  • Skeletons in the software closet will multiply. Both threat actors and security researchers will heighten their study of underlying software frameworks and libraries resulting in an increase in breaches related to software supply chain issues.
  • Increasing activity by teen cybercriminals. Teens and young adults will engage at increasing levels in cybercrime – everything from large-scale attacks on enterprises and governments to low-level crimes that target family, friends, peers, and strangers.
  • Declining accuracy of code-based attribution. The outsourcing of malware creation and operation, diversification of malware development, and use of leaked source code will make attribution of cyberthreats to specific threat actors increasingly challenging.
  • Imminent global cyberthreat to critical infrastructure as cyberwarfare evolves. A significant rise in advanced cyberactors causing disruptions to critical infrastructure in vulnerable targets will be observed.
  • With more collaboration comes more phishing. Weaponised phishing attacks will increase across commonly used business communication services and apps, like Microsoft Teams, Slack, and others.
  • “Alexa, start mining bitcoins.”The advanced capabilities of consumer and enterprise IoT devices will be leveraged by hackers to mine cryptocurrencies.
  • Space hacking: only going up from here. The compromise of satellites and other space assets will increase and become more public in 2023.
  • Here’s my number, so call me, maybe. There will be a huge jump in reverse vishing – or voice phishing – attacks, with fewer tech-aware users being the primary target.
  • Attacks against the Windows domain will scale. More domain privilege escalation vulnerabilities will be discovered as well as more real-world attacks against Microsoft Windows with the explicit goal of complete network takeover.

“We started 2022 with an industry-wide vulnerability in Log4J, which was closely followed by cyber and physical war targeting Ukraine. We’re closing the year observing hacktivists taking matters into their own hands, new actors in operation, and a changed but increasingly active ransomware landscape. As stress continues to weigh on the global economy, as we head into the new year, organizations should expect increased activity from threat actors looking to advance their own agenda – whether for political or financial gain,” commented Vibin Shaju, VP EMEA, Solutions Engineering, Trellix. “To outwit and outpace bad actors and advance defenses proactively, security must be always-on and always learning.”

Continue Reading

Market Research

North Korea-Linked Group Launches Dolphin Backdoor: ESET Research

Published

on

ESET researchers analyzed a previously unreported sophisticated backdoor used by the ScarCruft APT group. The backdoor, which ESET named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices, exfiltrating files of interest, keylogging, taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after the initial compromise using less advanced malware. Dolphin abuses cloud storage services — specifically Google Drive — for Command and Control communication.

ScarCruft, also known as APT37 or Reaper, is an espionage group that has been operating since at least 2012. It primarily focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea.

“After being deployed on selected targets, it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive. One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably to maintain Gmail account access for the threat actors,” says ESET researcher Filip Jurčacko, who analyzed the Dolphin backdoor.

In 2021, ScarCruft conducted a watering-hole attack on a South Korean online newspaper focused on North Korea. The attack consisted of multiple components, including an Internet Explorer exploit and shellcode leading to a backdoor named BLUELIGHT.

“In the previous reports, the BLUELIGHT backdoor was described as the attack’s final payload. However, when analyzing the attack, we discovered through ESET telemetry a second, more sophisticated backdoor deployed on selected victims via this first backdoor. We named this backdoor Dolphin based on a PDB path found in the executable,” explains Jurčacko.

Since the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the backdoor, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection.

While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims. Both backdoors are capable of exfiltrating files from a path specified in a command, but Dolphin also actively searches drives and automatically exfiltrates files with interesting extensions.

The backdoor collects basic information about the targeted machine, including the operating system version, malware version, list of installed security products, username, and computer name. By default, Dolphin searches all fixed (HDD) and non-fixed drives (USBs), creates directory listings, and exfiltrates files by extension. Dolphin also searches portable devices, such as smartphones, via the Windows Portable Device API. The backdoor also steals credentials from browsers, and is capable of keylogging and taking screenshots. Finally, it stages this data in encrypted ZIP archives before uploading it to Google Drive.

Continue Reading

Market Research

Kingston Reiterates the Role of Encrypted Hardware in Mobile Healthcare Data Security

Published

on

Kingston Technology Europe has emphasised the importance of hardware-based encryption in strengthening mobile healthcare data protection efforts across the globe. The company made the statement as data breaches remain one of the biggest digital threats within the healthcare industry, thereby raising the need for stronger data security protocols and stringent compliance with relevant policies.

The average total cost of a healthcare data breach worldwide rose by almost $1 million to reach $10.10 million in 2022, according to IBM Security analysis of research data compiled by Ponemon Institute. Healthcare breach costs have been the most expensive industry for 12 consecutive years, increasing by 41.6% since the 2020 report.

Kingston maintained that hardware encryption can help bridge gaps by providing a fortified layer of data protection through an encryption process designed to be unbreakable or hard to intercept. Whether stored or transported, the medical data saved in encrypted hardware devices such as USBs can be accessed only through authentication codes set by authorised individuals.

The encryption feature is also separate from any PC, mobile phone, or network systems to keep the data out of reach in the event cybercriminal breaks into the gadgets or online networks. Security is also assured even if the encrypted device ends up being misplaced, lost, or stolen. “Encrypted drives such as IronKey encrypted USBs are made to keep the data from falling into the wrong hands. Many are equipped with top-notch features that can also detect and respond to physical tampering and provide automatic data protection upon drive removal for added peace of mind,” said Antoine Harb, the Team Leader for Middle East and North Africa at Kingston Technology.

“Such capabilities are vital given that human error is considered one of the common causes of data breaches. One recent example took place in Japan where a worker reportedly lost a memory stick that contained the personal data of all residents of a Japanese city after a night out. The data had been encrypted and password-protected, preventing unauthorized access, Hardware-based encryption not only offers strong and reliable protection but is also a practical and easy-to-use approach to safeguarding private healthcare-related information,” added Harb.

According to Harb, it offers out-of-the-box cybersecurity measures minus the need for regular updates like those required in the software-based encryption processes. “Cybercrimes are on the rise worldwide, resulting in astronomical financial and reputational costs. In the Middle East, IBM Security reported that the region had the second highest average total data breach cost reaching $7.46 million in 2022 from $6.93 million last year,” the company said.

Among other factors, the Middle Eastern countries’ financial and economic status has been cited as one of the main reasons behind the online network attacks. In the Gulf region, the attacks on Dubai-based NHS Moorfield Hospital and GlobeMed Saudi were considered one of the top breaches in the UAE and Saudi Arabia, respectively.

Calls for improved data security levels are, therefore, mounting. Across the globe, laws, and regulations, including the General Data Protection Regulation, have already been enforced for a higher level of data privacy and security. In the UAE, the government has also imposed strict compliance of healthcare providers with its Health Data Law. “We can only expect that online network intrusions will grow and become even more sophisticated and bold as the world transitions to an ultra-connected society. Implementing or using encrypted devices is an important cybersecurity protocol that both individuals and corporations can adopt for stronger and easier-to-use data protection. Understanding one’s needs and, in the case of healthcare providers, knowing the importance of protecting the patients’ private mobile data, among others, play an important role in choosing the right encrypted hardware,” Harb added.

Continue Reading
Advertisement

Follow Us

Trending

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.