CrowdStrike Inc., a global cybersecurity leader, recently released the 2023 CrowdStrike Global Threat Report. According to the annual Global Threat Report, the threat landscape saw a number of significant shifts and trends.
From a significant increase in interactive intrusions to the proliferation of access brokers on the dark web and the re-weaponization of vulnerabilities, the report paints a picture of a threat landscape that is becoming increasingly sophisticated and difficult to defend against.
Adam Meyers, Head of Intelligence at CrowdStrike, discussed the report's trends and what they mean for organizations going forward with Minu Sirsalewala, Executive Editor – Special Projects, Dataquest. Meyers has over 20 years of experience in the cybersecurity industry and is an expert in cyber threat intelligence and investigations.
Meyers walks through the most significant findings in the report and offers advice ranging from practical steps for improving response times to more strategic considerations for developing a comprehensive cybersecurity strategy, with insights for organizations looking to stay ahead of the curve and secure their digital assets.
What have the last 12 months been like, and what do you envision for the next 12 months?
To start with, I think the biggest story or the biggest concern that people should have is the trend towards data exploitation. We have seen threat actors from the eCrime world, nation-state threat actors and hacktivists all weaponizing data against their victims, and that's the most concerning area. We have pointed out in the report that 28% of ransomware actors are no longer even bothering to do ransomware. They are moving surely to data extortion, and this is significant, because they are able to expand their target set and they are able to get more money from the victim. With data extortion, they can actually make more money, because the fundamental model of ransomware is to cause downtime, and that downtime can be measured in financial dollars and cents. But it is not about downtime; it's about the legal, regulatory and compliance impact of the data being leaked, which, with all of the various privacy laws out there, can greatly eclipse the ransom demand, so they can effectively get paid more and faster. Another important thing in the report that was pretty significant was the fact that Cloud is now in the adversary's sights. There are increasing incidents involving Cloud. We saw 95% more Cloud-related incidents in 2022, and the number of threat actors that understood how to operate in the Cloud nearly tripled (288%). So Cloud, which was previously not a huge security concern and was largely being targeted by people deploying crypto miners, is now a real concern.
What kind of specific tactics are these adversaries using now to target the Cloud environment? How do you think organizations are going to better protect themselves against these kinds of attacks?
Adversaries have been using the Cloud for setting up infrastructure for their campaigns, and using the Cloud for spinning up phishing sites and the like. But the Cloud-conscious actors understand that when you go into a Cloud environment to do reconnaissance, you are not running a port scanner; you are going to be querying the billing APIs inside that Cloud to understand what Cloud systems are deployed, and rather than running packet sniffers to monitor activity inside the enterprise, you may use some of the extended logging APIs inside that Cloud. So they really understand how to operate in the Cloud. They understand how to jump between tenants, so threat actors have really evolved their capabilities in the Cloud, and we are seeing more and more threat actors targeting Cloud workloads.
The solution to this is twofold. One is using technology like CNAPP (Cloud Native Application Protection Platforms), which allows you to monitor configurations. A big challenge with Cloud is posture — how secure does this Cloud look, and is it configured properly? So that's kind of an assessment that you can do, and start to understand what vulnerabilities may exist or what gaps are there in the defenses. The other part of CNAPP is continuous monitoring of the Cloud environment to look for changes that could either be problematic or indicative of a threat actor doing something inside of that environment. The other area where we have seen threat actors able to leverage is external sources: people post things into a Git repository that have API keys, and then they don't remove them; they actually just put a new commit on top and assume that it's gone, but threat actors are very adept at combing through those Git repos to find Cloud credentials. We also point to actors SLIPPY Spider and SCATTERED Spider in this report, as they have gotten into a lot of these organizations; they bypass multifactor authentication and get into the enterprise, and then they get onto platforms like Slack and start going through Slack, where people are sharing API keys with each other in some cases. So, there's an identity component to this problem as well, requiring strong identity protection and monitoring to make sure that you don't have unauthorized logins with legitimate credentials.
The report mentioned that there's a 50% increase in interactive intrusions involving hands-on-keyboard activity by adversaries. So why are these types of attacks particularly difficult to defend against, and why are they such an issue for organizations?
The report mentioned that there are 70% more malware-free intrusions. Threat actors in past years, particularly in the eCrime space, relied a lot on malware and banking Trojans. They are fairly heavy-duty and require a lot of development time and infrastructure maintenance, but because the threat has moved away from stealing bank credentials and conducting wire fraud to ransomware or data extortion, they don't need all those heavy tools. They could just use interactive activity inside the environment, and that gives them the ability to accomplish their goals. And malware is not easy, and that's another reason why perhaps they are moving away from ransomware: it gets detected very quickly. When you are using hands-on keyboard and not using malware, it's harder to detect. It blends into legitimate behavior inside the enterprise, so the attacker has a better chance of accomplishing their goals.
Talking about SCATTERED Spider and SLIPPY Spider, would you like to elaborate on their pattern, and why are they so dangerous?
To explain with an example, Microsoft got compromised by LAPSUS$ last summer, and this is a threat actor. This is a 17-year-old kid logging in from Oxford, England, who was able to defeat the security measures of a trillion-dollar company using social engineering and hands-on keyboard, and that gives you a sense that, if done well, it could be an extremely potent attack, and it can be accomplished by anyone — a teenager can do it. These hands-on-keyboard attacks are way harder to identify and stop.
Talking about access broker advertisements on the Dark Web, what exactly are access brokers? Why are they becoming more prevalent on the Dark Web?
So, if you look at the eCrime ecosystem (and we actually measure this with our eCrime index, or ECX), as an example, if you wanted to conduct ransomware right now and you spoke Russian, the first step is to find a ransomware-as-a-service platform. Think of this as a SaaS model for eCrime: you would get access to it, and you would demonstrate what you are doing. They would take 20% of all of your ransom proceeds for using their platform, and that platform manages all the encryption keys. It manages the negotiation; it is like an end-to-end service once the ransomware is deployed. So, now you have got ransomware; you don't have to build your own ransomware, you are going to use somebody else's. Then the second thing that you are going to need to do is, you are going to have to find a victim and break in. Now, you could do that yourself if you are really skilled, but if you want to get a head start, you can buy access, and there are two ways that you might do that. One is through an access broker. What an access broker does is leverage an identified vulnerability that they are really good at exploiting. They don't necessarily want to be involved in ransomware and negotiating and works, but they can get into organizations really effectively. They hack into companies, look up their revenue, and look at things like ZoomInfo. They take that information to evaluate the location and size and then access it. So, they basically hack in, establish a foothold, and then sell that access to the highest bidder. So, now you as a ransomware actor have access, and all you have to do is be the hands-on keyboard that takes that access, gets domain access and pushes out the ransomware.
The report also highlights that the Russia-Ukraine war was overhyped, but not, of course, insignificant. What specific cyber tactics have been observed in this conflict, and what lessons can organizations learn from these events to better defend themselves in the future?
The war in Ukraine really started in the spring of 2014, when Russia annexed Crimea, and since then Ukraine has been under a constant barrage of cyberattacks from Russia. They turned off the power in 2015 and 2016. They deployed NotPetya in 2017, which was really the most significant concern leading into the most recent escalation in 2022, because NotPetya spread in an unconstrained manner outside of Ukraine and, according to the White House, caused $10 billion in damages. The concern was that as Russia was moving into an armed conflict with Ukraine again, they would perhaps deploy similar tooling to disrupt Ukraine, and if they did that, there could be an unconstrained impact against NATO and other Western countries. Russia didn't do this, and I think one of the big concerns that Russia had was that they thought this was going to be a 3-day war. So, they didn't have these kinds of widespread disruptive attacks at the onset of the war, but the war started going poorly for them and their logistics fell apart. So, we didn't see widespread disruptive attacks, but what we saw instead was the tactical use of cyber capabilities, deploying wiper attacks in concert with kinetic operations. For example, they started firing cruise missiles at television stations and TV broadcast equipment, and while at it, they were also deploying wipers in those environments. Also, at the beginning of the war, when everybody, the refugees, was going into western Ukraine to evacuate to Poland, they started using wipers to disrupt border control services. So, all of these operations were very tactical in nature and not strategic.
We know how Log4Shell has given sleepless nights to every IT person involved. The report also mentioned that they are re-weaponizing and re-exploiting these vulnerabilities. How can organizations mitigate the risk associated with these vulnerabilities?
This is really an interesting one. So the vulnerability landscape has definitely evolved, and I think when you look at the re-exploitation that we talked about, there are a couple of pieces to that. The first is when a vendor like Microsoft patches: in the past, they would patch it and the adversary would move on, but what we are seeing increasingly is that threat actors look at those patches and then find ways around them. They go on to re-exploit that same vulnerability by finding a way around the patch. The second piece of this, too, is, as you mentioned Log4Shell, Log4j is a library that was used in lots of different products. In fact, GCDC (Global Cyber Defense Centre), when we were working with them to mitigate the impact of Log4j, created a Git repo with all of the impacted products and recommended patches, and I think it exceeded 3500 or something like that. It's very widely used, and threat actors saw these libraries as a good opportunity to be able to kind of weaponize, re-weaponize this exploit, meaning each product had its own implementation of it. And if you can find that implementation of Log4j in the product, then you can find a way to trigger the vulnerability that maybe the company didn't think was possible. So they were able to take the same vulnerability and exploit it on multiple platforms because it involved a framework or a library.
An interesting finding of the report is the rise in China-nexus adversaries. Why is this a prominent concern?
I think it's really important. Everybody was worried about the Chinese spy balloon, and the reality is that the amount of data that China has been stealing for the last 20 years through cyber operations completely eclipses any intelligence that could be collected by a balloon over the United States. Around 2015, the US and many other countries signed these bilateral agreements with China to say that there would be no economic hacking henceforth, but the reality is, I think, that China signed those agreements knowing that they were reorganizing the PLA, the People's Liberation Army, from seven military regions to five theater commands, and that would completely disrupt their offensive cyber capabilities for several years while they were doing that reorganization. President Xi Jinping signed that agreement as he wasn't going to be able to run these large operations compromising various businesses to steal intellectual property, because the PLA was being reorganized. What we have seen since 2017 – 2018 is that those actors are still slowly realigning and coming back online, and in the last year, China was endemic and they are everywhere. Every business vertical that we monitor, every geolocation that we track, China's doing offensive cyber operations for economic espionage purposes, and this is part of their strategy to be a regional hegemon, and ultimately a global hegemon. They are pushing Chinese technology into countries around the world. They will be in projects, development projects all around the world, in Africa and Central and South America and Asia Pacific, in order to expand Chinese influence, and by using cyber espionage to kind of help drive this, their goal is to have unimpeded influence across the globe.
The report acknowledges the potential for non-nation-state actors to use cyber-attacks as part of military campaigns. How can governments and organizations better defend against these types of attacks? What role can cybersecurity companies like CrowdStrike play in this effort?
It comes down to a couple of things. One, the table stakes: you absolutely have to have visibility into the enterprise, and you get that from endpoint detection and response (EDR). Antivirus is so dead that it's fossilized; this is 90s technology, signature-based technology, and if you are running antivirus, then you are in trouble. So having that visibility from EDR, and as we continue to evolve as an industry, you will see that XDR will play a prominent role as well, which is extended detection and response, which lets you wrap the same kind of capabilities around other enterprise systems that wouldn't otherwise be monitored.
The second thing, and this is a big one, is identity protection. You may have seen people talking about zero trust in the last year or so. Data weaponization requires and necessitates a new approach. We used to say trust, but verify, and now we are saying that we have to have a paradigm shift, and it has to say verify, then trust, which turns the entire thing that we have been doing for years upside down. What this means is that we have multi-factor authentication: if they get the username and password, it's okay because we have multi-factor authentication as a fallback, and they won't be able to get in. Threat actors have evolved to work around multi-factor authentication, and so now you actually need to enforce multi-factor authentication to ensure their credibility. There is behavioral analytics that you can bring to bear to ensure that the identity of the person logging in is verified, and that is huge, and I think as more and more organizations face data extortion and data weaponization, they absolutely need to move into identity protection.
The third thing: for organizations that are using Cloud infrastructure and Cloud services, they need to be working on Cloud security. Clearly, we have seen an uptick in threat actors targeting the Cloud, and so we need to make sure that we have adequate solutions like CNAPP platforms deployed to protect those Cloud environments.
The fourth thing, which really gets to why we released this report and what you are supposed to do with it, is intelligence. Whatever geo-location you are in, whatever business vertical you are in, you have a unique and differentiated set of threat actors, and as of today, if you go to the CrowdStrike Adversary Universe (https://www.crowdstrike.com/adversaries), you can put in your geo-location and your business vertical and get a customized threat landscape, and that will give you the ability to see what threats you face and then prioritize your security investment, because security isn't free, and you get what you pay for. You need to have good security tools in place and understand what threats are targeting you and how they operate. You are then in a better position to make an informed decision about what security you are using, and that threat changes constantly. So, you need to be able to move with that threat.
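Meyers' point about API keys in Git repositories (in the answer on Cloud tactics above) rests on one mechanic: a later commit that deletes a secret does not remove it from the earlier commits, so anyone who can read the history can still recover it. The following Python is an editor's added illustration of how a defender checks for that, not code from CrowdStrike, Meyers or the report. The commit history, file contents, key value and detection patterns are all constructed for the example; real secret scanners carry far larger rule sets and read the actual object store rather than a list of snapshots.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical repository history: each entry is (commit id,
# snapshot of files at that commit). Commit c0ffee2 "fixes" the leak by
# replacing the literal key with an environment lookup, but c0ffee1 still
# carries the original value.
CONSTRUCTED_HISTORY = [
    ("c0ffee1", {"config.py": 'API_KEY = "AKIAEXAMPLEEXAMPLE01"\nREGION = "us-east-1"\n'}),
    ("c0ffee2", {"config.py": 'API_KEY = os.environ["API_KEY"]\nREGION = "us-east-1"\n'}),
    ("c0ffee3", {"config.py": 'API_KEY = os.environ["API_KEY"]\nREGION = "us-east-1"\n',
                 "README.md": "# svc\n"}),
]

# Illustrative patterns only (constructed for this example). The first matches
# the AWS access key ID shape; the second catches quoted values assigned to
# key-like variable names.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[=:]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    rule: str
    secret: str


def scan_history(history):
    """Run every pattern over every file in every commit; return all hits."""
    findings = []
    for sha, files in history:
        for path, content in files.items():
            for rule, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(content):
                    # Patterns with a capture group report the captured value;
                    # patterns without one report the whole match.
                    secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                    findings.append(Finding(sha, path, rule, secret))
    return findings


def secrets_only_in_history(history):
    """Map each secret that HEAD no longer contains to the older commits
    that still hold it. A non-empty result means the key needs rotating
    (and the history rewriting), not just a new commit on top."""
    _, head_files = history[-1]
    head_text = "\n".join(head_files.values())
    stale = {}
    for f in scan_history(history[:-1]):
        if f.secret not in head_text:
            commits = stale.setdefault(f.secret, [])
            if f.commit not in commits:
                commits.append(f.commit)
    return stale


if __name__ == "__main__":
    for finding in scan_history(CONSTRUCTED_HISTORY):
        print(finding)
    for secret, commits in secrets_only_in_history(CONSTRUCTED_HISTORY).items():
        print(f"{secret} is gone from HEAD but still readable in {commits}")
```

Both rules fire on the first commit and nothing fires on the later two, which is exactly the state the interview describes: the working tree looks clean while the history does not. The defensive response is to treat any key that ever landed in a commit as compromised and rotate it, with history rewriting as a secondary cleanup step rather than the fix.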