CYBER CRIME TRENDS 2020–2021

Soldier0x00
5 min read · Mar 23, 2022

Cyber criminals are taking advantage of the COVID-19 pandemic as many staff work from home. Criminals have shifted from targeting individuals to targeting small and major corporations, and some state-sponsored threat actors are targeting government agencies to obtain classified information.

As everything has gone remote, criminals have targeted remote staff’s devices to inject malware that gives them access to the organization’s services. From there they can move laterally to gain further information and damage the organization even more.

Below is INTERPOL’s assessment of the COVID-19 impact on organizations, based on member countries’ feedback, followed by the attack trends that have the largest impact on organizations.

RANSOMWARE


Ransomware as a Service (RaaS) has become one of the most popular ways for adversaries to make huge amounts of money.

Ransomware developers often lacked the tools and capabilities to infiltrate corporate networks themselves, so they set up affiliate programs.

Ransomware affiliate programs — These programs are set up to monetize a threat actor’s skill at penetrating corporate networks. When the victim pays the ransom, the ransomware developers send a cut to the affiliate.

Public affiliates — Developers recruit affiliates openly on underground forums.

Private affiliates — These programs are not advertised and are intended to bring in threat actors such as APT groups and trusted users.

MILITARY OPERATIONS


Intelligence agencies are not only spying on targets; they are actively attacking with the purpose of destroying critical infrastructure.

High-profile attack targets include nuclear facilities in Iran and India, and Israel’s water supply system. In the Israeli incident, attackers attempted to poison the water by altering chlorine levels.

According to Wikipedia, “In 2019, NPCIL confirmed identification of malware in the internet connected administrative network but said that the critical internal network was isolated. KNPP officials had earlier termed reports on the cyber attack as false. The malware was linked to the North Korea based Lazarus Group.”

As India has one of the largest reserves of thorium, India has become a target for several threat actors and APT groups.

TELECOMMUNICATIONS SECTOR


According to a report published by Group-IB, China is expanding its capacity for spying on mobile operators. As for DDoS attacks, threat actors have set a new record of 2.3 Tb per second and 809 million packets per second.

Threat actors attack telecom operators in order to cause logical network congestion, which affects multiple industries at once.

ENERGY SECTOR


Nuclear power has become an obvious target for attackers: Iran’s nuclear energy facilities were sabotaged, while India’s facilities were subject to espionage attacks. As mentioned earlier, attackers are interested in India because of its developing nuclear technology and thorium-based reactors.

Air-gapped networks — An air-gapped environment is a network security measure that ensures a computer or network is physically isolated from unsecured networks. New tools for attacking air-gapped networks continue to be discovered.

BANKING SECTOR


As users have become more used to online banking, threat actors have started targeting the services that financial institutions provide online. As the organizations made these services harder to attack and more secure, adversaries shifted their focus towards the user/customer rather than the service provider itself.

Humans are more vulnerable to phishing, spam, advertising, drive-by downloads and social engineering, so users are more prone to fall for these campaigns and click on disguised attachments.

Some of the Trojans that were targeted at banks and other financial institutions are:

Dridex, QBot, ZBot/Zeus, SpyEye, Silent Night, TrickBot & Chronos.

These Trojans are used to steal credentials. The collected data is then sold or auctioned on the dark web. According to a report published by Group-IB, the majority of banking Trojans were created by Russian-speaking developers.

RETAIL SECTOR


Attacks on the retail sector have also increased: attacks on point-of-sale (POS) terminals, credential stuffing, ransomware and, the big one, JS sniffers.

The first state-sponsored group that used JS Sniffers was Lazarus Group.

A JavaScript (JS) sniffer is a form of malware designed to steal financial data at the point of purchase in online stores.

The stolen data and credentials are then sold underground and used for “carding”.

Carding is when stolen credit card data is used to buy prepaid cards, which can then be used to buy goods or sold to others for cash.

COUNTERACTING THESE CYBER ATTACKS


Some of the necessary steps to prevent or reduce the impact of cyber attacks:

  • Update and patch software regularly. Conduct security assessments and penetration tests to identify vulnerabilities and establish possible threat vectors.
  • Ensure that remote access services for operating systems are not reachable externally. Ensure that services use MFA, a strong password policy and role-based access control.
  • Regularly check the infrastructure for known bad indicators of compromise (IOCs).
  • Use a sufficient number of unique data sources when assessing. Ensure that the tools are up to date and are able to detect anomalous activity even when legitimate software is being used. Follow a good threat-hunting framework.
  • Do not use or plug in untrusted USB devices.
  • Regularly update the CMS and its plugins, and version-control website files to prevent or reduce the possibility of JS sniffers. Enforce a good password policy.
  • Avoid re-using passwords across different services registered to the same email account.
  • Use an external load balancer and increase bandwidth. Purchase filtering hardware. Consider operators with anti-DDoS capabilities.
  • Perform timely updates and avoid clicking suspicious links or opening suspicious emails. Avoid downloading and installing software from unknown or suspicious sources.
  • Only trust information and news from verified and trusted sources.
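As an added example (not code from the original post), the following script shows one way to put the JS-sniffer countermeasure above into practice: it takes a SHA-256 baseline of a web root, reports files that were added, removed or modified, and flags external `<script src>` hosts that are not on an allowlist. The directory layout, file contents and host names in `demo()` are constructed for illustration.

```python
"""Website file integrity check against a baseline, to catch an injected JS sniffer."""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches the src attribute of <script> tags (good enough for a periodic check).
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): hash_file(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def unknown_script_hosts(html: str, allowed_hosts: set) -> list:
    """External script hosts not on the allowlist; a common tell of a sniffer injection."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        m = re.match(r"^(?:https?:)?//([^/]+)", src)
        if m and m.group(1).lower() not in allowed_hosts:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


def demo() -> dict:
    """Constructed scenario: baseline a tiny site, then simulate a tampered checkout page."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "static").mkdir()
        (site / "static" / "app.js").write_text("console.log('ok');")
        (site / "checkout.html").write_text('<script src="/static/app.js"></script>')
        baseline = build_baseline(d)
        # Simulated tampering: an extra script tag pointing at a placeholder foreign host.
        tampered = ('<script src="/static/app.js"></script>'
                    '<script src="//cdn.example-placeholder.test/x.js"></script>')
        (site / "checkout.html").write_text(tampered)
        report = diff_baseline(baseline, build_baseline(d))
        report["unknown_hosts"] = unknown_script_hosts(tampered, {"shop.example.test"})
        return report
```

In practice the baseline would be stored outside the web root (or derived from the version-controlled release) and the check run on a schedule, alerting on any non-empty result.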

Soldier0x00

Cybersecurity, Digital Forensics. DevSecOps / AIsaac Threat Management — Connector Engg / AIsaac R&D.