Lesser Skilled Cybercriminals Adopt Nation-State Hacking Methods

The trend underscores the need for organisations of all sizes to be prepared to detect and respond to threats faster, CrowdStrike says. 

Relatively unskilled, criminally motivated hackers are increasingly adopting the tactics, techniques and procedures (TTPs) typically used by more sophisticated nation-stated backed adversaries.

New analysis by security vendor CrowdStrike's Falcon OverWatch threat-hunting team of intrusion detection engagements at customer locations between January and June this year shows a continued blurring of lines between methods employed by criminals and known nation-state actors.

This trend spells trouble for enterprises because it means that no one is really safe from sophisticated attacks, says Jennifer Ayers, vice president of CrowdStrike's OverWatch and security response team. "Sophisticated techniques are becoming a little more commoditized," she says. "Anything goes. Anyone can be a target."

One example is cybercriminals increasingly using TeamViewer software to gain remote access to targets. TeamViewer is a legitimate tool for connecting to remote computers for desktop sharing and collaboration and enabling remote support, among other uses. 

CrowdStrike first observed TeamViewer being used for malicious purposes back in 2013 by Team Bear, a Russian advanced persistent threat actor. Team Bear used malicious versions of TeamViewer to remain hidden and persistent on victim machines and to enable communications with command-and-control servers. Since then, numerous other adversaries have begun employing the same tactics, including criminally motivated actors.

In the first quarter of this year, threat actors leveraging TeamViewer targeted the hospitality sector in particular. According to CrowdStrike, at least four major hospitality organisations experienced TeamViewer-related intrusions during the quarter. In each case, the attackers spoofed the TeamViewer binaries to make them appear like expected file names. The command and control infrastructure used in all four attacks were similar, suggesting the same attack group was behind them.  

In a separate incident, an unknown attacker used valid credentials to log into TeamViewer remotely and install various malware tools on systems belonging to a major organization in the entertainment industry.

The use of TeamViewer to gain remote access to target systems is not the only technique that less sophisticated, criminally motivated threat actors have begun borrowing from state-sponsored groups. In April of this year, CrowdStrike observed a criminal actor using a Trojanized version of Arkadin's Vision Desktop App software to drop malware on a system, allowing additional second stage tools to be installed on the compromised host.
China Rising

Such intrusions show that criminal actors, like their more sophisticated state-sponsored counterparts, are increasingly employing hands-on-the-keyboard tactics to break into systems, conduct reconnaissance, steal credentials, and move laterally, Ayers says.

"You want to be able to detect a threat in as close to real-time as possible," she says. CrowdStrike OverWatch's data shows that adversaries on average take just one hour and 58 minutes to begin moving laterally in a compromised network after gaining initial access to it. The vendor recommends that organizations ideally be able to detect an intrusion in less than one minute, investigate it in less than 10 minutes, and mitigate the threat in under one hour.

CrowdStrike's review of threat hunting data from the first half of this year also revealed an uptick in targeted intrusion attempts by China-based threat actors against organizations in multiple industries including biotech, pharmaceutical, defense, mining and professional services.

Of the 70 or so intrusions that CrowdStrike OverWatch was able to attribute to a specific actor or region, China-based actors were likely behind 40 of them. It's hard to say what specifically might be driving the uptick, though there has been an overall increase in cyber espionage activities, Ayers notes.

Dark Reading

You Might Also Read:

Cyber Criminals Catch Up With Nation-States:
 

 

« Corporate Cybercrime - A Hacker’s Point Of View
Build A Young Cyber Security Team »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Indelible Data

Indelible Data

Indelible Data is an established information security and technology consultancy and a Cyber Essentials Certification Body.

Roka Security

Roka Security

Roka Security is a boutique security firm specializing in full-scale network protection, defending against advanced attacks, and rapid response to security incidents.

Openminded (OPMD)

Openminded (OPMD)

Openminded is a French security and network services company.

Data Shepherd

Data Shepherd

Data Shepherds primary focus is to protect your business. We achieve this by offering extensive and unique expertise in innovative IT and Cyber security solutions.

NPCore

NPCore

NPCore is specialized in defense solution against unknown APT and Ransomware and provides two-level defense on network and endpoint based on behavior.

Virsec Systems

Virsec Systems

Virsec detects and remediates previously “indefensible” advanced memory-based attacks on critical applications and server endpoints.

Khipu Networks

Khipu Networks

Khipu Networks is an award winning Cyber Security Company delivering a wide range of network, wireless and security solutions, technologies and services across multiple sectors.

NSEIT

NSEIT

NSEIT offers end-to-end Information Technology products, solutions and services including cybersecurity to organizations in the financial sector.

PBOSecure

PBOSecure

PBOSecure is a dynamic and progressive IT consultancy company specializing in IT and Industrial Control System (ICS) security.

Siemens

Siemens

Siemens Industrial Security Services provide solutions for cybersecurity in automation environments based on the recommendations of the international standard IEC 62443.

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers is a multinational professional services network of firms headquartered in London, United Kingdom and operating in 157 countries.

HighPoint

HighPoint

HighPoint is a leading technology infrastructure solutions provider offering consultancy, solutions and managed services for network infrastructure and cybersecurity.

Rubrik

Rubrik

Rubrik helps enterprises achieve data control to drive business resiliency, cloud mobility, and regulatory compliance.

Acrisure

Acrisure

Acrisure is powered by the best of human and high-tech and offers insurance, reinsurance, real estate, cyber and more solutions to millions of clients around the world.

IgmGuru

IgmGuru

Igmguru offers certification online training courses for IT professionals and students. Get certified with high-in-demand job-oriented professional courses.

Apexanalytix

Apexanalytix

Apexanalytix is a leading provider of supplier onboarding, risk management and recovery solutions.