07.22.22

Corvus Threat Intel

Keeping up with Cybercriminals: The Future of Online Threats

We’re all familiar with lifelong enemies Tom and Jerry. Under the spell of their natural instincts, they play predictable parts: cat chases mouse and mouse blows up cat. Tom is stubborn enough to endure physical torture to catch his prey, and Jerry is smart enough to escape an untimely demise. While threat actors aren’t carrying around mallets and cybersecurity experts don’t frequently reckon with barrels of dynamite, the continued battle between the two plays out in real life with tangible consequences. Threat actors seem nearly impervious to broad efforts to crack down, but a large and growing contingent of cybersecurity pros has proven that there is hope.

As ransomware (plus phishing, hacktivism, and more) makes headlines, organizations are increasingly concerned about their cybersecurity, and insurers are requiring stricter security controls for new and returning policyholders. The positive here? We’re making the job of a cybercriminal a lot harder by implementing multi-factor authentication (MFA), secure backups, and other increasingly popular security measures. The downside? Threat actors are forced to be innovative as they chase a profit and, much like Tom, they’re determined.

As we get tougher and threat actors get more creative, we’ll keep an eye out for innovative threats, including the following noteworthy tactics:

#1 Beating the First Line of Defense: Circumventing MFA

Let’s make it clear: you are much, much better protected with MFA than without. But like all cybersecurity, it’s not the end-all-be-all of your risk mitigation efforts. MFA requires the user to provide two or more credentials in order to gain access to an account. Adding that extra layer of security forces threat actors to work harder to access your systems and keeps you from being seen as low-hanging fruit.

MFA is often one of the first things cybersecurity professionals will recommend for an organization in the early stages of their security journey because it’s relatively affordable and easy to implement. However, you can’t just “set it and forget it.” Threat actors are finding ways to get around the first line of defense by finding weaknesses in MFA.

Exploiting MFA Exceptions

When you log into your work email and get a ping from an app like Duo or Okta on your phone asking you to enter a code, you know your user login credentials are protected. Service accounts, operated by applications rather than people, aren’t as straightforward. They typically exist to run applications or to send and receive data, and they are created either manually or during software installation. Since there’s no actual human user to authenticate, they’re often left unattended to perform their tasks in the background. However, a surplus of service accounts, which mirror the functionality of user accounts, expands your attack surface. If hackers gain access to one of these service accounts, they have an easy route to elevate their privileges and reach your organization’s sensitive data. Leaving default passwords in place, over-privileging service accounts, and failing to remove unnecessary service accounts are all bad practices that make your organization an easy target.
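The three bad practices just listed are things you can check for mechanically. The script below is an added example, not Corvus code, that audits a small constructed service-account inventory for default passwords, privileges beyond what the account's declared purpose needs, and accounts that have sat unused. The inventory schema, the default-password list, the purpose-to-privilege map and the 90-day threshold are all assumptions you would replace with your own directory export and policy.

```python
"""Added example (not Corvus code): audit a service-account inventory for the
three weaknesses named above: default passwords still in place, privileges
beyond what the account's job needs, and accounts nobody has used in a while.
The inventory schema, the default-password list, the purpose-to-privilege map
and the 90-day threshold are all assumptions."""
from datetime import date, timedelta
import hashlib

STALE_AFTER = timedelta(days=90)  # assumed review threshold for unused accounts


def pw_hash(password: str) -> str:
    # Assumed: the directory export gives us a SHA-256 of each stored password.
    return hashlib.sha256(password.encode()).hexdigest()


# Vendor/installer defaults we never want to find in production (constructed list).
DEFAULT_PASSWORDS = ["password", "changeme", "Welcome1", "svc_default"]
DEFAULT_HASHES = {pw_hash(p) for p in DEFAULT_PASSWORDS}

# Assumed: the minimum privilege set each declared purpose actually needs.
NEEDED_PRIVILEGES = {
    "backup": {"read_files", "write_backup_share"},
    "monitor": {"read_metrics"},
    "deploy": {"write_app_dir", "restart_service"},
}

# Constructed sample inventory in the assumed schema.
INVENTORY = [
    {"name": "svc_backup", "purpose": "backup",
     "privileges": {"read_files", "write_backup_share"},
     "password_hash": pw_hash("kQ7#vm2Lz9pW"), "last_used": date(2022, 7, 20)},
    {"name": "svc_monitor", "purpose": "monitor",
     "privileges": {"read_metrics", "domain_admin"},
     "password_hash": pw_hash("R4$tyx8Nb1Qe"), "last_used": date(2022, 7, 21)},
    {"name": "svc_deploy_old", "purpose": "deploy",
     "privileges": {"write_app_dir"},
     "password_hash": pw_hash("changeme"), "last_used": date(2021, 12, 1)},
]


def audit(inventory, today: date) -> dict:
    """Return {account name: [issue, ...]} for every account with at least one issue."""
    findings = {}
    for acct in inventory:
        issues = []
        if acct["password_hash"] in DEFAULT_HASHES:
            issues.append("default password")
        extra = acct["privileges"] - NEEDED_PRIVILEGES.get(acct["purpose"], set())
        if extra:
            issues.append("over-privileged: " + ", ".join(sorted(extra)))
        idle = today - acct["last_used"]
        if idle > STALE_AFTER:
            issues.append(f"unused for {idle.days} days")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY, date(2022, 7, 22)).items():
        print(name, "->", "; ".join(issues))
```

Run as-is it reports the monitoring account holding `domain_admin` it does not need and the old deploy account that still has its installer default and has not authenticated in over seven months; the backup account passes. Feeding the same checks a real directory export turns the post's three "bad practices" into a recurring report rather than a one-time cleanup.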

Cookie Hijacking

“An oldie but a goodie” is probably what a threat actor would say about this one, if we asked. When you sign into Gmail, close the tab, and reopen it while staying logged in, you can thank the session cookie for your convenience. Unfortunately, that same perk also helps threat actors bypass MFA. This isn’t a new tactic; cookie hijacking has been around for decades. In 1989, banks in Brazil and South America were a notable target.

While there are numerous ways to carry out this attack, one example starts with another old favorite: a phishing attempt. Someone clicks through to a fake website and tries to log in, and the threat actor steals their session cookie. The attacker can then load that cookie into their own browser, refresh the page, change the password, and move freely as if they were the victim. At this point, MFA can’t stop them, because it believes it has already done its job.

By avoiding weaker forms of MFA, such as SMS codes, and instead opting for push notifications and time-based one-time passwords, you can reduce the chances of a threat actor circumventing your first line of defense.
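The attack above works because the server treats the cookie alone as proof that MFA already happened. The following is an added example, not Corvus code or any vendor's implementation, of server-side session handling that limits what a copied cookie is worth: the session is bound to the client that created it, sensitive actions such as a password change demand fresh MFA instead of trusting the old login, and a successful password change revokes every other session for that user. The lifetimes, the binding inputs (browser identity plus client network) and the verdict strings are assumptions.

```python
"""Added example (not Corvus code): server-side session handling that limits what
a stolen session cookie is worth. Three controls: the cookie is bound to the
client that created it, sensitive actions require fresh MFA rather than trusting
the old login, and a password change revokes every other session for that user.
The lifetimes, the binding inputs and the verdict strings are assumptions."""
import hashlib
import secrets

ABSOLUTE_LIFETIME = 8 * 3600   # assumed: sessions die after 8 hours no matter what
MFA_FRESHNESS = 5 * 60         # assumed: sensitive actions need MFA within 5 minutes


def cookie_header(token: str) -> str:
    """Set-Cookie value: never sent over plain HTTP, unreadable from page scripts,
    not attached to cross-site requests."""
    return f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


def client_binding(user_agent: str, network: str) -> str:
    # Assumed heuristic: tie the session to the browser and the client's network.
    return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self.sessions = {}  # token -> record

    def create(self, user, user_agent, network, now, mfa_verified):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user": user,
            "binding": client_binding(user_agent, network),
            "created": now,
            "mfa_at": now if mfa_verified else None,
        }
        return token

    def authorize(self, token, user_agent, network, now, sensitive=False) -> str:
        rec = self.sessions.get(token)
        if rec is None:
            return "denied: unknown session"
        if now - rec["created"] > ABSOLUTE_LIFETIME:
            del self.sessions[token]
            return "denied: expired"
        if rec["binding"] != client_binding(user_agent, network):
            # The cookie is being presented from a different browser or network:
            # the earlier MFA proves nothing about this client, so demand it again.
            return "step-up: session presented from a different client"
        if sensitive and (rec["mfa_at"] is None or now - rec["mfa_at"] > MFA_FRESHNESS):
            return "step-up: recent MFA required"
        return "ok"

    def record_mfa(self, token, now):
        self.sessions[token]["mfa_at"] = now

    def change_password(self, token, user_agent, network, now) -> str:
        verdict = self.authorize(token, user_agent, network, now, sensitive=True)
        if verdict != "ok":
            return verdict
        user = self.sessions[token]["user"]
        # Revoke every other session for this user so a copied cookie stops working.
        for other in [t for t, r in self.sessions.items() if r["user"] == user and t != token]:
            del self.sessions[other]
        return "ok"


def walkthrough() -> list:
    """Constructed scenario: a legitimate login, the same cookie presented from
    another client, then a password change from the real client. Returns the
    verdicts in order, followed by the number of sessions left."""
    store = SessionStore()
    t0 = 1_000_000
    tok = store.create("alice", "Firefox/102", "203.0.113.0/24", t0, mfa_verified=True)
    out = [store.authorize(tok, "Firefox/102", "203.0.113.0/24", t0 + 60)]
    # Same cookie, different browser and network: not trusted, needs step-up.
    out.append(store.authorize(tok, "Chrome/103", "198.51.100.0/24", t0 + 120))
    # Real client wants to change the password, but its MFA is no longer fresh.
    out.append(store.change_password(tok, "Firefox/102", "203.0.113.0/24", t0 + 900))
    store.record_mfa(tok, t0 + 901)
    out.append(store.change_password(tok, "Firefox/102", "203.0.113.0/24", t0 + 902))
    out.append(len(store.sessions))
    return out
```

The design point is that MFA state belongs to a session, not to a user: a session seen from a new client, or one whose MFA is stale, has to earn trust again before it can change the password, and once the real user changes it, every other session is gone. Binding to client network is a heuristic and will trip on mobile users changing networks, which is why the mismatch verdict is a step-up prompt rather than a hard denial.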

#2 The Ransomware Alternative: Business Email Compromise 

Everyone is concerned about their job security, even threat actors. Law enforcement agencies across the world have announced crackdowns on ransomware hackers, and in November, the US and European Union announced seven arrests related to the deployment of malicious software.

In combination with U.S. Treasury sanctions, it may be getting harder for threat actors to rake in the payouts they’ve become accustomed to. While ransomware remains a top concern for cybersecurity professionals and organizations alike, security researchers are doing their best to see into a future where the pressure forces threat actors to rebrand. What would that entail, and what should we be prepared for? 

Let’s take a look at Business Email Compromise (BEC), a profitable but less technical approach to cybercrime. BEC uses email to trick an individual into giving up something of value. The key is the individual. These are targeted, intentional attempts that leverage social engineering tactics like impersonating an executive or using stolen credentials to increase the chance of success. While ransomware attacks are often disruptive (and more likely to attract headlines), BEC remains significantly more profitable than ransomware, according to the FBI. For threat actors looking to fly under the radar, that may be the perfect solution.

While there has been no clear collaboration between Eastern European ransomware actors and West African BEC actors (who are responsible for a large portion of BEC attacks), there has been evidence of ransomware actors showing interest in BEC on criminal forums. With the ransomware ecosystem in flux and once-reliable cryptocurrency flows being tightened by regulations, the ability to extract dollars directly from a business has obvious appeal. Add in the technical sophistication of Eastern European ransomware actors bringing tailored malware to a BEC attack, and there’s an understandable concern for what’s to come.

But don’t panic: we can prevent BEC. A crucial first step is enforcing out-of-band authentication at your organization. For example, call a known and trusted phone number to confirm any change in payment instructions that arrives by email from a vendor. Using a separate channel reduces the risk of a successful funds transfer fraud. This, plus other measures like MFA, security awareness training, and email security tools, will prepare your organization’s cybersecurity defenses.
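The word "known" is doing the work in that out-of-band step: the callback number has to come from your own vendor records, never from the email that asked for the change. Below is an added example, not Corvus code or any accounts-payable product, of a payment-change control that encodes exactly that rule and refuses to touch the vendor record until a callback to the number of record confirms the request. The record schema, the `place_call` interface and the status names are assumptions.

```python
"""Added example (not Corvus code): an accounts-payable control for payment
instruction changes that arrive by email. The callback number comes from the
vendor master record captured at onboarding, never from the email, and no
change is applied until that callback confirms it. The record schema, the
place_call interface and the status names are assumptions."""
from dataclasses import dataclass, field

# Constructed vendor master: contact details collected at onboarding, not by email.
VENDOR_MASTER = {
    "acme-supplies": {"phone_of_record": "+1-555-0100", "bank_account": "111222333"},
}


@dataclass
class PaymentChangeRequest:
    vendor_id: str
    new_bank_account: str
    phone_in_email: str              # whatever the message asks us to call; never trusted
    status: str = "pending"
    log: list = field(default_factory=list)


def verify_out_of_band(req: PaymentChangeRequest, place_call) -> str:
    """place_call(number) -> bool is assumed to be a human-performed callback that
    returns True only if the vendor confirms the new account over the phone."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        req.status = "rejected"
        req.log.append("no vendor of record; route to security review")
        return req.status
    number = vendor["phone_of_record"]
    if req.phone_in_email != number:
        # The email's own contact number is exactly what a separate channel guards
        # against, so it is logged for the investigators and otherwise ignored.
        req.log.append(f"email offers {req.phone_in_email}; calling number of record {number} instead")
    if place_call(number):
        vendor["bank_account"] = req.new_bank_account
        req.status = "approved"
        req.log.append("confirmed by callback; master record updated")
    else:
        req.status = "rejected"
        req.log.append("vendor did not confirm; treat as attempted funds transfer fraud")
    return req.status


def run_scenarios() -> dict:
    """Constructed cases: a forged email supplying its own callback number, which the
    real vendor denies, and a genuine change the vendor confirms."""
    forged = PaymentChangeRequest("acme-supplies", "999888777", "+1-555-0199")
    genuine = PaymentChangeRequest("acme-supplies", "444555666", "+1-555-0100")
    return {
        "forged": verify_out_of_band(forged, place_call=lambda n: False),
        "forged_account_untouched": VENDOR_MASTER["acme-supplies"]["bank_account"],
        "genuine": verify_out_of_band(genuine, place_call=lambda n: True),
        "genuine_account_after": VENDOR_MASTER["acme-supplies"]["bank_account"],
    }


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(k, "->", v)
```

There is deliberately no code path that updates `bank_account` without `place_call` returning true, and the number passed to `place_call` is looked up, not taken from the request. A process document can say the same thing, but putting the lookup in the workflow is what stops a busy clerk from dialling the number the fraudster helpfully provided.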

#3 Diversifying the Business Model: Data Theft

As we mentioned earlier, ransomware actors are feeling some pressure to shift gears. Or as they say in corporate: diversify the business model. Numerous data theft groups emerged in 2021, including Marketo, Bonaci Group, BlackTor, Lapsus$, and Karakurt among others. Threat actors believe that this will shield them from the scrutiny of law enforcement. Cybercriminals involved in data theft simply steal the data, alert the victim, and demand a ransom. Otherwise, they’ll release the sensitive information, potentially putting pressure on downstream victims to pay up to have their data removed.

Arctic Wolf believes that the data theft group Karakurt is an offshoot of the ransomware group Conti, trying out a new approach. The Conti Leaks give us valuable insight into the thinking behind this evolution: chats between Trickbot Group managers show a history of trying to expand their business model with ideas that included selling exfiltrated data or access to victims.

The latest strategy in the extortion business comes from the ALPHV/BlackCat ransomware operation: a database full of their victims’ information, made easily searchable. BleepingComputer reports that Karakurt also has a leak site with a search function. This puts pressure on victims to pay up, as specific details are readily available at any cybercriminal’s fingertips.

Our Takeaway

While this might be a lot to take in, we’d like to highlight that all of this innovation means our approach to combat cybercriminals has been effective. While for the foreseeable future there will always be some give and take (some days you’re Tom, some days you’re Jerry), we know what security measures seriously reduce your risk. We also know that our work in cybersecurity is never over because threat actors will keep trying. But then again, so will we.
