Cybercriminal strategies continue to evolve. For some time it has been clear that an attack has essentially one of two purposes: extortion or damage. In the first case, the attack aims at obtaining money for the release of data and information held hostage (ransomware). In the second, the goal is in most cases to damage an infrastructure, either to make a point or, more often, to harm an entire country. We have seen this in the Russia-Ukraine conflict as well: cyber warfare is now an integral part of a broader strategy within a political conflict.
These goals, however, are now pursued in new ways: through a “democratization” of criminal activities and the so-called “crime as-a-service”. Cybercrime is no longer confined to a few hired groups working on commission or for ideological reasons; it spreads like wildfire, because it needs ever more resources and devices from which to launch attacks. Often, as in the case of botnets, the participants may be unaware of their role, or they may be laymen who quickly turn into cybercriminals.
This is possible because on the dark web the tools to launch an attack are available to anyone, at very affordable prices. According to a recent report by the Italian company Swascan, the best-selling services on the dark web are the so-called “hacking tools”, followed by drugs, credit card data, access credentials to application services and, finally, weapons. In short, drugs and weapons have given way to digital services and tools.
Zero Trust, don’t trust anyone on principle
“According to the Global Cybersecurity Outlook 2023 presented at the World Economic Forum in Davos – recalls Massimo Palermo, Country Manager, Fortinet Italia & Malta – 93% of cyber leaders and 86% of business leaders involved in the research expect a catastrophic and far-reaching IT event over the next two years.” Fear, and therefore also awareness, are growing all over the world and, for this reason, it is necessary not only to keep the level of attention high but to keep insisting on a complete change of approach to the problem.
“What is called Zero Trust – continues the manager of Fortinet Italia – must be a corporate vision, a cultural model”. Zero Trust essentially means not trusting anything or anyone. It assumes that every device, every piece of application code and every person is vulnerable by definition. This is why it makes little sense to assume an attack can be avoided altogether; the aim is rather to block as much as possible and to limit the damage.
The big vendors of security solutions, such as Fortinet, continue to spread the word of Zero Trust but still run into obstacles, often cultural ones. As has happened since the introduction of the GDPR, it seems that only a regulatory obligation can “stir the consciences” of company managers. But perhaps not only that. “The analysis firm Gartner – continues Palermo – predicts that by 2025 60% of corporate transactions or business engagements will be influenced by a cybersecurity assessment of the companies involved”. This means that if a company cannot objectively demonstrate that it adequately protects its data, it risks a devaluation on the market, or at least losing its appeal to potential customers or buyers, on top of reputational and economic damage. Since the security of a large company is now closely correlated with that of its suppliers, given that computer systems are increasingly interconnected, it is easy to imagine that, during the selection phase, a company will exclude those suppliers who do not give sufficient guarantees about the protection of their computer systems.
What are the most common attacks? The FortiGuard Labs report
But what is happening, in the world and in Italy? Fortinet’s FortiGuard Labs periodically publishes the Global Threat Landscape Report; the latest edition analyzes the main trends observed in the second half of 2022 from its privileged observation point. The Fortinet laboratory, in fact, collects data on attacks and anomalies observed in the corporate networks overseen by the American company’s security platforms. This means daily visibility into billions of pieces of information coming from all over the world.
According to Fortinet, wiper malware – whose sole purpose is to render systems unusable, without necessarily offering any ransom to restore them – has increased by 50% since the last survey. And the tools to carry out these attacks are cheap and easily obtainable on the dark web. To be clear, wiper-type malware is being used to neutralize infrastructure in the Russia-Ukraine conflict.
According to the report, financially motivated cybercrime remains the cause of the highest number of incidents (73.9%). In 2022, 82% of financially motivated cybercrimes involved ransomware or malicious scripts, thanks to the growing popularity of Ransomware-as-a-Service (RaaS) on the dark web: that is, the supply of the entire kit needed for a ransomware attack as a packaged paid service.
Cybercrime does not throw anything away
The cybercrime economy, as mentioned, is certainly the most worrying phenomenon. It is democratized, making attack tools available at low cost, and the model is industrialized, also thanks to the recycling and reuse of malicious code. In fact, according to the report, the GandCrab malware first reported in 2018 remains at the top of the list of the most widespread. The continued use of historical botnets should also be read in terms of recycling. For example, the Morto botnet, first observed in 2011, exploded in late 2022. Others, such as Mirai and Gh0st RAT, continue to spread across geographies. And sadly, the notorious Log4j vulnerability continues to be actively exploited.
Despite being reported as early as 2021, too many organizations still have not applied the appropriate security patches or controls to protect against Log4j. In the second half of 2022, the vulnerability was still largely active in all regions and ranked second in terms of impact on businesses.
Ultimately, what is to be done? In the report, Fortinet underscores the importance of global partnerships between cybersecurity leaders, businesses and governments. To effectively counter the cybercrime economy, awareness is not enough: a general collaborative effort is needed across organizations of all sectors, public and private, because the security of digital infrastructures is a global problem whose consequences go beyond economic losses.
“In particular – concludes Palermo – the prevalence of the public sector and SMEs are the two great Italian weaknesses. We are facing a structural gap with respect to the European Union in the Public Administration. It is not for nothing that the largest part of the PNRR funding for the digitization of the public administration is concentrated on the protection of its infrastructures. The digital and cyber skills gap (just look at Italy’s positioning as regards Human Capital in the DESI index), as well as the low level of investment in cybersecurity in relation to other countries, also have an impact. Unfortunately, there is still a long way to go: Italian spending on cybersecurity is only 0.1% of GDP, against 0.19% in France and 0.18% in Germany. These are some of the reasons why Italy, as confirmed by the latest Clusit report in 2022, was one of the countries that recorded a high percentage growth in attacks (+169%). Basically we are still poorly protected and not adequately prepared, and therefore very attractive and profitable for cybercrime, with the aggravating circumstance that it operates globally by exploiting the absence of digital borders.”