
Cyber security: who the initial access brokers are and why they should be feared

by admin

Profit-driven cybercrime is growing, and with it new roles are taking hold, roles that serve industrial espionage and the infiltration of organizations and companies. This is what emerges from the 2021 edition of the Global Threat Report published by CrowdStrike, one of the leading multinationals in the sector, which in the year of Covid recorded a marked increase in crimes committed to obtain illicit profits or industrial information. The growth was such that it required the creation of a dedicated index, the eCrime Index, which tracks global threats in order to assist companies and prevent criminal incidents. But that is not all: CrowdStrike's intelligence experts also report the emergence of the so-called initial access brokers: intermediaries able to break into a company and then sell the keys to the highest bidder.

“The eCrime groups and the targeted-intrusion actors that we have identified with certain attribution total 149, 19 of which were added during 2020,” Stefano Lamonato, manager of architectural solutions for Europe at CrowdStrike, explained to the press. “To build this attribution it is necessary to analyze and correlate large amounts of data on the attacks perpetrated by these groups, which CrowdStrike collects through its Threat Intelligence, Threat Hunting (OverWatch) and Incident Response teams, as well as through the cloud platform based on ThreatGraph.”


All this feeds the index, identified by the acronym ECX, which highlights significant changes that deserve further analysis; in the latest CrowdStrike report it scored 328.36 points, an increase of 123.97% over the data collected in the week of October 19, 2020. “This attribution activity has certainly benefited from the increase in the volume of attacks in 2020, linked to the double delivery with the spread of the pandemic,” Lamonato comments.


And it is precisely the pandemic that, according to CrowdStrike, drove the steady increase in profit-motivated attacks, which are now more widespread than unattributed attacks (those whose origin is unknown) or attacks conducted for espionage. The latter, though still significant, are the so-called state-sponsored attacks, generally conducted at the direction or with the support of a nation state. “While when we talk about eCrime we mainly refer to organized groups operating from Eastern European nations and Russia, the most active state-sponsored groups linked to targeted, high-profile attacks are China, Iran, Russia and North Korea,” the expert observes. But even though eCrime groups attack for profit, unlike groups specialized in espionage, the expert highlights an exception: “It is some state-sponsored groups in North Korea that, instead of being dedicated to espionage, are focused on profit-making activities and on collecting large sums in cryptocurrency.” An approach probably encouraged by the international embargoes imposed on the country, whose criminal activities on the web are also under the scrutiny of the United Nations.

But among the effects the pandemic may have had (or rather, the headlong virtualization of work it brought about) there is also that of having created room for roles that until now were relatively marginal in the cybercrime market, as in the case of the initial access broker, which began to be discussed in early 2020. These are groups of attackers (the so-called black hats, hackers who use their skills to damage a system or to gain an economic advantage) who breach the systems of large companies or government bodies and then sell that access on underground forums or through private channels. Malware operators who buy ready-made access can move straight to extortion and have far higher earning prospects, since they do not have to spend time identifying victims and infiltrating their systems. “Some brokers use privilege escalation techniques to gain access as a domain administrator, advertising it as ‘full access’, while others simply provide the credentials and the endpoints to be used to access the system,” Lamonato explains. “The result is a well-organized digital crime ecosystem, where the various groups can specialize in one or more phases of the attack while retaining the ability to monetize their actions.”


Harder to detect and counter, initial access brokers are comparable to an elite dedicated solely to breaking in: they specialize in creating malware capable of compromising an infrastructure to obtain initial access, “without being noticed and without causing visible damage to the user,” the expert stresses, adding that “their spread is explained by the interest of more and more criminal groups in compromising the targeted organization extensively and significantly, holding its operations in check with the greatest possible impact and forcing these entities to pay.”

And there is no good news for users of Linux, a family of open source operating systems very popular among security experts and in the server world, generally preferred for its security features. Being less common on the desktop than its Microsoft and Apple counterparts, Linux has long enjoyed a reputation as a “secure system”, since it is less used and therefore less interesting in the eyes of a malware developer. Things are changing, however, notes the CrowdStrike report, which points to a greater spread of malware written specifically for this environment, marking in some sense the end of a truce: “Linux-based infrastructures are often exposed on the internet as servers delivering services, and this makes them vulnerable to multiple forms of compromise: from the exploitation of known or unknown vulnerabilities in application services, to the activation of remote interfaces through flaws in web applications, to misconfigurations that expose unwanted details or access,” Lamonato observes. “For this reason we recommend having an EDR (Endpoint Detection & Response) tool that constantly monitors these systems and alerts on or blocks any compromise attempt, and extending these capabilities to any cloud environments by equipping them with a CSPM (Cloud Security Posture Management) extension designed to verify the configurations and the instances that are running or exposed to the outside world.”


But in general, the report highlights the central role of companies, the favored target of cyber attacks, which often find their best ally in poorly trained employees. “Companies that have invested in employee training have certainly made the right move because, in order to avoid attacks, it is essential that users are aware of the risks and enlisted in the battle for corporate security,” Lamonato explains. “It is too early to say whether the results are significant, since Covid-19 has changed many paradigms, affecting remote working and the massive use of employee-owned devices, while providing many topics that attract users' attention and which, if exploited for malicious campaigns, could facilitate infiltration.”

Preventive preparation and the ability to respond to any attack in a very short time (1 minute to detect the attack, 10 minutes to isolate the affected systems and 60 minutes to restore operations, the expert suggests) is one possible answer to the mounting cyber campaigns now routinely waged against large companies and SMEs. This is why all the actors involved on the defensive side must know their role and intervene promptly, with the support of analysts, “before the attacks become more extensive compromises, with devastating impacts.”
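The 1-10-60 figures above are CrowdStrike's well-known benchmark, and the useful detail for a SOC is where each clock starts. The following is an added example, not code from the article or from CrowdStrike: it parses a constructed incident timeline and scores the three phases, interpreting the benchmark as consecutive clocks (detection measured from the intrusion, isolation from detection, restoration from isolation). The milestone names, the timeline format and the two sample incidents are this example's own assumptions.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# CrowdStrike's 1-10-60 benchmark: 1 minute to detect, 10 to isolate, 60 to
# restore. As interpreted here (an assumption), each clock starts when the
# previous phase ends, not at the moment of intrusion.
BENCHMARK = {
    "detect": timedelta(minutes=1),
    "isolate": timedelta(minutes=10),
    "restore": timedelta(minutes=60),
}

# (phase, milestone that starts its clock, milestone that stops it).
# Milestone names are this example's own convention.
PHASES = [
    ("detect", "intrusion", "detected"),
    ("isolate", "detected", "isolated"),
    ("restore", "isolated", "restored"),
]


def parse_timeline(lines: list[str]) -> dict[str, datetime]:
    """Parse '<ISO timestamp> <milestone>' lines into milestone -> time."""
    marks: dict[str, datetime] = {}
    for line in lines:
        stamp, milestone = line.split(maxsplit=1)
        marks[milestone.strip()] = datetime.fromisoformat(stamp)
    return marks


def evaluate(marks: dict[str, datetime]) -> dict[str, tuple[timedelta | None, bool]]:
    """Per phase: (elapsed time, benchmark met). A phase still open scores (None, False)."""
    report: dict[str, tuple[timedelta | None, bool]] = {}
    for phase, start, end in PHASES:
        if start not in marks or end not in marks:
            report[phase] = (None, False)
            continue
        elapsed = marks[end] - marks[start]
        if elapsed < timedelta(0):
            raise ValueError(f"{end} recorded before {start}")
        report[phase] = (elapsed, elapsed <= BENCHMARK[phase])
    return report


# Constructed timelines (not real incidents). Incident A is detected quickly
# and restored in time but takes 14 minutes to isolate the host; incident B
# is still open, with no restoration milestone yet.
INCIDENT_A = [
    "2021-03-01T09:00:00 intrusion",
    "2021-03-01T09:00:40 detected",
    "2021-03-01T09:14:40 isolated",
    "2021-03-01T10:05:40 restored",
]
INCIDENT_B = [
    "2021-03-02T22:10:00 intrusion",
    "2021-03-02T22:12:30 detected",
    "2021-03-02T22:18:00 isolated",
]

if __name__ == "__main__":
    for name, lines in (("A", INCIDENT_A), ("B", INCIDENT_B)):
        for phase, (elapsed, ok) in evaluate(parse_timeline(lines)).items():
            status = "open" if elapsed is None else ("ok" if ok else "missed")
            print(f"incident {name} {phase:8s} {elapsed} {status}")
```

Incident A shows the point of the phased measurement: an overall 65-minute response looks acceptable against a single 60-minute target only if the intrusion time is known, whereas scoring phase by phase exposes the 14-minute isolation as the weak step. The intrusion timestamp itself is usually established only after the fact, during forensics, which is why the detection clock is the hardest of the three to measure honestly.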
