Three major categories of intrusions faced by most organisations are:
1. State-Sponsored Intrusions, around 18-25%
2. Unattributed Intrusions
3. Cyber-crimes (eCrimes), around 70-80%
The frequency of eCrime activity has already surpassed state-sponsored activity: for every one state-sponsored campaign there are 3-4 eCrime operations. Cyber-criminals are achieving enormous success with their “big game hunting” (BGH) campaigns, greatly facilitated by the availability of commodity malware, to which ransomware-as-a-service (RaaS) models have contributed hugely.
Another big trend worth remembering is that the following industries have faced more intrusions than others:
1. Technology
2. Manufacturing
3. Telecommunications
4. Financial
The escalation of activity in these sectors has occurred in terms of both the quantity and sophistication of the intrusions. The manufacturing industry, in particular, is facing more intrusion activity from state-sponsored actors as well as cyber-criminals. There is no part of the world that is not facing these highly sophisticated intrusions.
In recent times, the world has witnessed the global COVID-19 pandemic place unprecedented pressure on global healthcare systems. Concurrently, the pandemic has been the catalyst for a paradigm shift in the way organizations operate, with many businesses scrambling to stand up a remote workforce. This has created a PERFECT STORM for adversaries to launch attacks against an overstretched healthcare industry.
Many legitimate software applications are frequently used by threat actors, e.g.,
• Process Hacker, ProcDump, Advanced IP Scanner, TeamViewer, Advanced Port Scanner, IObit Unlocker, PowerTool, PC Hunter, GMER and AnyDesk, among others.
The list of pentesting tools deployed is quite fascinating too...
• Mimikatz, Cobalt Strike, PowerShell Empire, PowerSploit, Meterpreter, LaZagne, SharpHound, Powerkatz, PowerCat, Rubeus, etc.
Before you ask, let me share the top-5 ransomware types for the year 2020 with you. They were Dharma, Phobos, MedusaLocker, REvil/Sodinokibi and Makop.
What makes these threat actors smart is that they use security software discovery in almost all intrusion attempts. They employ increasingly sophisticated methods to understand their victims and evade their defences.
There is one more consistent trend: most employees are falling prey to 'unsolicited' job opportunity lures!
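The two tool lists and the security software discovery behaviour above can be turned into simple host-telemetry detections. The following is an added example (not from the original post): it triages Sysmon Event ID 1 style process creation records, flags the named dual-use tools even when the binary has been renamed on disk (Sysmon's OriginalFileName field comes from the PE version resource), and flags command lines that query installed security products. The match strings, the sample records and the field layout are assumptions made for this example.

```python
import json
import re
from pathlib import PureWindowsPath

# Tools named in the article's two lists. The lower-case match strings are
# assumptions made for this example; tune them to your own telemetry.
DUAL_USE_TOOLS = {
    "mimikatz": "Mimikatz", "procdump": "ProcDump", "processhacker": "Process Hacker",
    "anydesk": "AnyDesk", "teamviewer": "TeamViewer", "advanced_ip_scanner": "Advanced IP Scanner",
    "rubeus": "Rubeus", "sharphound": "SharpHound", "lazagne": "LaZagne", "powercat": "PowerCat",
}

# Command-line fragments typical of security software discovery (MITRE T1518.001):
# the WMI SecurityCenter2 namespace and the Windows Defender status cmdlets.
DISCOVERY_RE = re.compile(
    r"securitycenter2|antivirusproduct|get-mpcomputerstatus|get-mppreference", re.I)


def parse_log(text):
    """Parse JSON-lines process creation records (Sysmon Event ID 1 style)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Return (rule, detail) findings; each event yields at most one tool hit."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        original = ev.get("OriginalFileName", "").lower()
        cmdline = ev.get("CommandLine", "")
        for key, name in DUAL_USE_TOOLS.items():
            if key in image or key in original:
                # A hit only on OriginalFileName means the tool was renamed on disk.
                rule = "renamed_dual_use_tool" if key not in image else "dual_use_tool"
                findings.append((rule, f"{name} via {image}"))
                break
        if DISCOVERY_RE.search(cmdline):
            findings.append(("security_software_discovery", cmdline))
    return findings


# Constructed sample telemetry for this example (not real incident data).
SAMPLE_LOG = r"""
{"Image": "C:\\Users\\bob\\Downloads\\svchost32.exe", "OriginalFileName": "mimikatz.exe", "CommandLine": "svchost32.exe"}
{"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe", "CommandLine": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"}
{"Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe", "CommandLine": "AnyDesk.exe --service"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"}
"""

if __name__ == "__main__":
    for rule, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{rule:30} {detail}")
```

Remote-support tools such as AnyDesk and TeamViewer will also fire for legitimate IT use, so such hits are best scored against an allow-list of approved hosts rather than alerted on blindly.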
Finally, defenders in today’s environment need to be aware that eCrime operations are not only prolific but are also being run like businesses. Threat actors are continually innovating and maturing their processes to maximize their impact and ultimately their profit margins.
-
WHAT IS BIG GAME HUNTING?
I would like to share how INDRIK SPIDER has evolved from Dridex wire fraud to BitPaymer targeted ransomware...
INDRIK SPIDER (also known as Evil Corp or TA505) is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime BANKING TROJANS on the market.
It is estimated that since 2014, the Dridex trojan has earned millions of dollars for this group. The group has made many updates to the trojan, adding new modules and new anti-analysis features.
In August 2017, it was reported that a new ransomware, 'BitPaymer', had arrived and that the UK's National Health Service (NHS) had to pay a high ransom demand of 53 BTC (approx. $200,000) to the hackers.
This targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex.
Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.
It was a turning point in INDRIK SPIDER’s operation of Dridex. After that, Dridex spam campaigns, which were targeted at individuals, declined significantly. All of their new campaigns moved from high volume and frequency to smaller, targeted distribution. The rapid development of Dridex also slowed during this time, with fewer versions released during 2017 than in previous years.
---------------------------------------
CrowdStrike Falcon Intelligence also observed (in 2020) a strong correlation between Dridex infections and BitPaymer ransomware. During incidents that involved BitPaymer, Dridex was installed on the victim network prior to the deployment of the BitPaymer malware. Also unusual was the observation that both Dridex and BitPaymer were spread through the victim network using lateral movement techniques traditionally associated with nation-state actors and penetration testing.
These new tactics of selectively targeting organizations for high ransomware payouts have signaled a shift in INDRIK SPIDER’s operation with a new focus on targeted, low-volume, high-return criminal activity.
---------------------------------------
Since this shift, INDRIK SPIDER has used BitPaymer ransomware as a key vehicle for these operations, having netted around $1.5M USD in the first 15 months of ransomware operations.
---------------------------------------
The third Evolution…DoppelPaymer!
DoppelPaymer was first seen in the wild in June 2019; however, remnants of the malware have been seen since April 2019. June 2019 was the first time a fully built version of the ransomware was found. DoppelPaymer is an evolution of BitPaymer that looks very similar but is a bit more complex.
It is a type of cybercrime operation we now refer to as 'Big Game Hunting'.
-
THESE ARE POWERFUL ATTACKS…
Big-game hunting is essentially the process of cybercriminals focusing on high-value data or assets within businesses. They choose targets they know are sensitive to downtime because they’ll be more likely to pay a ransom, regardless of how costly that ransom is.
Big Game Hunters select and study specific targets, and usually employ sophisticated methods to install ransomware in their victims’ networks. As a result, groups can spend several months lurking in a victim’s network before deploying ransomware or stealing any data. One of the most common ways that these cybercriminals are gaining access is by exploiting the Remote Desktop Protocol (RDP) servers.
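Since exposed RDP is named above as the most common way in, a defender's first question is whether RDP sessions are reaching the network from outside and whether a successful logon was preceded by a burst of failures. The following added example (not part of the original post) scans a constructed Windows Security log extract for exactly those two patterns; the event tuple layout, the failure threshold and the "internal" ranges are assumptions for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges treated as "inside"; anything else is considered Internet-facing.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(src):
    ip = ip_address(src)
    return any(ip in net for net in INTERNAL_NETS)


def rdp_findings(events, fail_threshold=5):
    """Scan (event_id, source_ip, logon_type, account) tuples in time order.

    Flags an RDP session (4624, logon type 10) that follows a burst of failures
    from the same source, and any RDP session from outside the internal ranges.
    Caveat: with Network Level Authentication enabled, failed RDP attempts are
    commonly logged as logon type 3, so failures of type 3 and 10 both count.
    """
    failures = defaultdict(int)
    findings = []
    for event_id, src, logon_type, account in events:
        if event_id == 4625 and logon_type in (3, 10):
            failures[src] += 1
        elif event_id == 4624 and logon_type == 10:
            if failures[src] >= fail_threshold:
                findings.append(("rdp_success_after_bruteforce", src, account))
            if not is_internal(src):
                findings.append(("rdp_logon_from_outside", src, account))
    return findings


# Constructed Windows Security log extract (not real data), in time order.
SAMPLE_EVENTS = [(4625, "203.0.113.7", 3, "administrator")] * 6 + [
    (4625, "203.0.113.7", 3, "jsmith"),
    (4624, "203.0.113.7", 10, "jsmith"),
    (4624, "10.20.30.40", 10, "helpdesk"),
    (4624, "10.20.30.40", 2, "helpdesk"),  # console logon, not RDP
]

if __name__ == "__main__":
    for finding in rdp_findings(SAMPLE_EVENTS):
        print(finding)
```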
-
One particular group, ‘DarkSide’ which has made headlines over the past couple of months, claims to have already made “millions of dollars of profit” from previous ransomware partnerships. The group announced itself in a press release as “a new product on the market, but that does not mean we have no experience and we came from nowhere”, and claims that it exclusively targets large profitable corporations. Allegedly, at least one victim has already paid a ransom of over $1 million (£765,000).
The ransoms apparently range from $200,000 (£150,000) to $2 million (£1.5 million), but those numbers double if an initial payment window isn't met. If the ransom isn’t paid then Darkside will leak the company’s data online, via the dark web.
-
What Can You Do To Mitigate The Risk Of Becoming A Victim of Big Game Hunting?
The only possible remedy is that companies must invest in PROACTIVE and expert human threat hunting. Interactive attacks use stealthy or novel techniques designed to bypass automated monitoring and detection. Continuous threat hunting is the best way to detect and prevent these types of sophisticated or persistent attacks.
The second protection is the compulsory deployment of EDR or HIDS, or both, so that at least you don't have any blind spots.
Finally, Cyber Threat Intelligence can be extremely helpful in optimizing your cybersecurity strategy.
-
Please let me know what you think about this in the comment section. You can also share it with others if the information shared here helps you in some manner.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles/posts on cybersecurity.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook: