Ransomware, Malware-as-a-Service Dominate Threat Landscape
Ransomware continues to expand, with double extortion now the standard; the malware-as-a-service model has become common; and criminals are increasingly ‘living off the land’, according to data from Red Canary.
Red Canary’s 2022 Threat Detection Report (PDF) analyzed more than 30,000 confirmed threats across the firm’s customer base. The report notes that ransomware criminals have responded to improving target company backups by introducing sensitive data exfiltration and the threat of exposure (double extortion). “Backups will allow an organization to get back up and running more easily, but will not protect you against leaked data,” according to the report.
However, it is worth exploring the latest format-preserving encryption or cloud-based vaultless tokenization offerings to protect sensitive data. If both the systems (backups) and data (encryption/tokenization) are protected, then the need to pay a ransom is reduced. If the criminals are not paid, they will cease to use ransomware, and move instead to a new or more rewarding type of attack. Note, however, that a third extortion method remains – the addition of a DDoS attack (sometimes called ‘triple extortion’).
“An adversary known as Fancy Lazarus (no affiliation to Fancy Bear [although the group has claimed to be Fancy Bear] or Lazarus Group) extorted victims by threatening to conduct a distributed denial of service (DDoS) intrusion if they didn’t pay,” notes Red Canary. The FBI first issued a Flash alert (MU-000132-DD) on the group in August 2020, and Proofpoint followed up with an analysis of a new campaign in June 2021. There are, of course, mitigations against DDoS available.
The move towards criminals living off the land (that is, using common commercial tools such as Cobalt Strike or built-in operating system tools) to avoid detection continues. Red Canary detected an increase in the criminal use of remote monitoring and management tools (RMM). RMM is legitimately used by help desk technicians to resolve issues on client computers. “These software suites,” warns the report, “allow users to remotely control hosts, providing adversaries with a user-friendly graphical interface, secure network connections via cloud hosted infrastructure, and host persistence.”
The reason for this development is simple. As malware detection has become more efficient, the criminals have moved towards a methodology that is difficult to detect. Legitimate tools are not automatically flagged as nefarious, allowing the adversary to get more deeply entrenched without or before detection.
Impacket is also being used. Impacket is a collection of Python classes focused on providing low-level programmatic access to packets and some protocol implementations. “This is the first time that Impacket has made the top 10 threats,” according to the Red Canary report.
The third continuing trend highlighted in the report is the move towards malware-as-a-service. This is an example of the business efficiency of the modern criminal. By using affiliates, the malware developers can increase their own profits while remaining more hidden from law enforcement and security researchers. For legitimate business, it means that many more unsophisticated attackers can use sophisticated malware. “This model has now become the norm for bad actors,” says Red Canary. “Between Phishing-as-a-Service (PhaaS), Access-as-a-Service, and Crypters-as-a-Service, it has never been easier to find an adversary for hire.”
The report also highlights four new or noteworthy threats emerging in 2021. TA551, an email-based threat actor, was the top threat – affecting more than 10% of the firm’s customers. Rose Flamingo is a new activity cluster that focuses on opportunistic, financially motivated malware and uses SEO poisoning to lure victims. It is ranked at number 29 in the top threats, having affected 1.1% of Red Canary’s customers. Silver Sparrow is a macOS activity cluster with fully functional distribution methods and infrastructure but no final payload.
The fourth, Gootkit, is ranked at number 9 in Red Canary’s top ten threats, affecting nearly 4% of its customers. Gootkit is not new, having been around for more than a decade. It is almost always delivered after the victim visits a compromised website. The firm believes it may be part of access broking for subsequent ransomware deliveries, but has also seen it dropping the Osiris banking trojan.
Denver, Colo.-based managed detection and response (MDR) firm Red Canary was founded in 2014 by Brian Beyer (CEO), Chris Rothe, and Keith McCammon (CSO). It raised $81 million in a Series C funding round led by Summit Partners in February 2021 following growth equity funding of $34 million in April 2021 – and has raised a total of $129.9 million.