Our Views:
This month’s theme is “Organised Crime”.
In the cybercrime landscape, Organised Crime Groups arguably cause the most harm to organisations by perpetrating crimes such as ransomware attacks, business email compromise, online fraud and data theft. They are the cybercrime actors with the capability and expertise to target big businesses, banks, and law firms.
Organised crime groups are motivated by profit. Online gambling is believed to have been the catalyst for organised crime groups developing an interest in cybercrime, which subsequently proved to be very profitable. They follow the “Willie Sutton Rule” by targeting “…where the money is”, which in today’s landscape means focusing on online business activity. Researchers recently estimated that organised crime groups and networks globally cause around US$445-600 billion of harm each year. Verizon’s 2020 Data Breach Investigations Report also indicated that organised criminal groups were responsible for 55% of all data breaches in the last year.
Organised cybercrime groups form after connecting online and often consist of a core group of skilled actors who then develop an ancillary network of people to perform additional roles. They look to niche markets for specific expertise; for example, Dubai purportedly offers the best talent for laundering money. Their structure often closely resembles a corporate business consisting of partner networks, resellers, associates, and vendors. Sophisticated groups may even have dedicated call centres to handle ransomware victims’ requests. Roles are varied and include:
- Team Leaders to coordinate and communicate with the broader team
- Coders who have the expertise to develop hacking tools and exploits for vulnerabilities
- Network Administrators to manage botnets and DDoS attack traffic
- Intrusion Specialists to carry out an attack
- Data Analysts to clean and format stolen data for resale
- Money Specialists and Mules to launder the attack proceeds
Methods Used
Organised crime groups have taken traditional crime online. Illegal gambling groups, drug cartels, and prostitution and trafficking rings all sell their services online and launder their profits digitally. However, in addition to these traditional pursuits, they have also branched out into technical cybercrime primarily using malware such as ransomware, business email compromises including phishing and invoice fraud, and social engineering attacks to extort organisations for profit.
Ransomware serves multiple purposes for organised crime groups. Firstly, it poses a significant threat to organisations both directly and indirectly, such as when third-party service providers and supply chains are impacted. Increasingly it is also being used as a smokescreen for stealing Personally Identifiable Information (PII) and confidential data, which the organised crime groups then threaten to auction off unless payment is made. 2020 has seen a change in tactics away from scatter-gun campaigns towards targeted ransomware attacks, as well as the addition of new attack layers such as cryptomining.
In addition to conducting cybercrime attacks themselves, organised crime groups also provide services that facilitate cybercrime (crime as a service), such as providing data and identity documents, made-to-order malware, botnet services and training on how to use vulnerabilities and exploits. Products sold by these groups on the deep web include zero-day exploits for between US$30,000 and US$250,000, and malware exploit kits for around US$200-600 per exploit.
One way organised crime groups benefit from ransomware attacks, while limiting their risk and their need for specialised resources, is to conduct only the network intrusion themselves (using multiple attack vectors and malware to gain entry). They then sell this access to different actors, who perform privilege escalation, lateral movement and ransomware deployment. Emotet malware is currently omnipresent and is setting the benchmark for modern malware, with over 200,000 unique versions seen in the wild. Emotet deployed by organised crime groups can provide Access-as-a-Service (AaaS) functionality to other cybercriminals, who then monetise the opportunity by deploying a second attack.
Organised crime groups rapidly change their tactics and techniques to evade security controls, and recent developments in the sophistication of malware are an example of this in action. The Europol Internet Organised Crime Threat Assessment 2020 describes how these groups have recently converted some traditional banking trojans into more advanced, highly adaptive, modular malware with a broader set of capabilities that is increasingly difficult to combat. Each known malware strain can have code that is distributed and operated differently in different parts of the world, and the more frequent use of polymorphic and fileless malware is also limiting the effectiveness of traditional signature-based antivirus products. The malware used by organised crime groups typically includes remote access tools (RATs) and trojans to gain control over infected computers.
Business Email Compromise also continues to increase as a threat. This growth is driven by organised crime groups who have sufficient resources to investigate an organisation thoroughly and to target companies using knowledge of their internal business processes and system vulnerabilities. More sophisticated measures are being used by these groups to conduct complex man-in-the-middle attacks, or even to use Artificial Intelligence (AI) to mimic the voice of a CEO. Social engineering and phishing remain the primary methods of initial ingress into an employee’s email account, highlighting the constant need for user awareness training. Often a compromise of Office 365 is also possible due to a lack of security measures such as multi-factor authentication.
Fighting Back
Prevention and awareness, as well as being prepared to manage an incident, are vital to combatting attacks from organised crime groups. Steps an organisation can take are:
Intelligence Sharing
Organisations can help the global effort to thwart organised crime groups by reporting and sharing their knowledge and experiences. Incident reporting to national bodies such as CERT NZ or the NCSC gives authorities a better picture of organised crime group activity. Additionally, sharing information with industry partners may raise awareness and preparedness to face emerging threats.
Deploying Advanced Endpoint Protection
Traditional endpoint security tools such as firewalls and signature-based antivirus solutions depend on known threat information to detect possible attacks. In contrast, advanced solutions now use machine learning and behavioural analytics to protect endpoints from contemporary threats such as fileless and zero-day exploits.
Using Multi-Factor Authentication (MFA/2FA) and Strong Password Management Systems
All accounts should use application or hardware-based multi-factor authentication.
Conducting Regular User Awareness Training
Phishing schemes and social engineering attacks are still the primary entry points for attacks leading to business email compromise, invoice fraud, ransomware and data exfiltration. Regularly reminding users of the possible risks and what to be mindful of will promote vigilance.
Timely Patching
Unpatched vulnerabilities are open doors for organised crime groups. Applying all security patches in a timely fashion will discourage attackers looking for low-hanging fruit.
Developing Incident Response Capabilities
Develop a tested Incident Response Plan that contains specific playbooks for the typical threats to your industry, such as ransomware and Business Email Compromise. This will help ensure that your organisation has the resources, knowledge and tools to quickly respond to, contain, mitigate and recover from a cyber-attack.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions covering topical matters. Each article contains a brief summary and, where possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date, from a high-level perspective, with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line “Subscribe”, “Unsubscribe”, or, if you think there is something worth reporting, “Contribution”, along with the webpage or URL in the contents. Access our Privacy Policy.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.