Some of the world’s most skilled nation-state cyber adversaries and notorious ransomware gangs are deploying an arsenal of new open-sourced tools, actively exploiting corporate email systems and using online extortion to scare victims into paying ransoms, according to a new report.
US-based cybersecurity company Accenture said in its 2020 Cyber Threatscape Report that throughout 2020 its cyber threat intelligence (CTI) analysts observed suspected state-sponsored and organized criminal groups using a combination of off-the-shelf tooling and open source penetration testing tools at unprecedented scale to carry out cyberattacks and hide their tracks.
For example, Accenture said, the company is tracking the patterns and activities of an Iran-based hacker group referred to as SOURFACE (also known as Chafer or Remix Kitten). Active since at least 2014, the group is known for its cyberattacks on the oil and gas, communications, transportation and other industries in the U.S., Israel, Europe, Saudi Arabia, Australia and other regions. Accenture CTI analysts are said to have observed SOURFACE using legitimate Windows functions and freely available tools such as Mimikatz for credential dumping. This technique is used to steal user authentication credentials like usernames and passwords to allow attackers to escalate privileges or move across the network to compromise other systems and accounts while disguised as a valid user, according to the company.
One notorious group is said to have aggressively targeted systems supporting Microsoft Exchange and Outlook Web Access, and then used these compromised systems as beachheads within a victim’s environment to hide traffic, relay commands, compromise e-mail, steal data and gather credentials for espionage efforts. Operating from Russia, the group, which Accenture refers to as BELUGASTURGEON (also known as Turla or Snake), has been active for more than 10 years and is associated with numerous cyberattacks aimed at government agencies, foreign policy research firms and think tanks across the globe, Accenture said.
Ransomware has quickly become a more lucrative business model in the past year, with cybercriminals taking online extortion to a new level by threatening to publicly release stolen data or sell it and name and shame victims on dedicated websites. This growing tactic is delivering bigger profits and resulting in a wave of copycat actors and new ransomware peddlers.
Accenture said that the success of the extortion methods, especially against larger organizations, means they will likely proliferate for the remainder of 2020 and could foreshadow future hacking trends in 2021. The company also noted that it is highly likely that sophisticated actors, including state-sponsored and organized criminal groups, will continue to use off-the-shelf and penetration testing tools for the foreseeable future as they are easy to use, effective and cost-efficient.
“Since COVID-19 radically shifted the way we work and live, we’ve seen a wide range of cyber adversaries changing their tactics to take advantage of new vulnerabilities,” said Josh Ray, global lead for Accenture’s cyber defense practice. “The biggest takeaway from our research is that organizations should expect cybercriminals to become more brazen as the potential opportunities and pay-outs from these campaigns climb to the stratosphere. In such a climate, organizations need to double down on putting the right controls in place and by leveraging reliable cyber threat intelligence to understand and expel the most complex threats.”