Lesser Skilled Cybercriminals Adopt Nation-State Hacking Methods

Uploaded on 2018-10-18 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

The trend underscores the need for organisations of all sizes to be prepared to detect and respond to threats faster, CrowdStrike says. 

Relatively unskilled, criminally motivated hackers are increasingly adopting the tactics, techniques and procedures (TTPs) typically used by more sophisticated nation-stated backed adversaries.

New analysis by security vendor CrowdStrike's Falcon OverWatch threat-hunting team of intrusion detection engagements at customer locations between January and June this year shows a continued blurring of lines between methods employed by criminals and known nation-state actors.

This trend spells trouble for enterprises because it means that no one is really safe from sophisticated attacks, says Jennifer Ayers, vice president of CrowdStrike's OverWatch and security response team. "Sophisticated techniques are becoming a little more commoditized," she says. "Anything goes. Anyone can be a target."

One example is cybercriminals increasingly using TeamViewer software to gain remote access to targets. TeamViewer is a legitimate tool for connecting to remote computers for desktop sharing and collaboration and enabling remote support, among other uses. 

CrowdStrike first observed TeamViewer being used for malicious purposes back in 2013 by Team Bear, a Russian advanced persistent threat actor. Team Bear used malicious versions of TeamViewer to remain hidden and persistent on victim machines and to enable communications with command-and-control servers. Since then, numerous other adversaries have begun employing the same tactics, including criminally motivated actors.

In the first quarter of this year, threat actors leveraging TeamViewer targeted the hospitality sector in particular. According to CrowdStrike, at least four major hospitality organisations experienced TeamViewer-related intrusions during the quarter. In each case, the attackers spoofed the TeamViewer binaries to make them appear like expected file names. The command and control infrastructure used in all four attacks were similar, suggesting the same attack group was behind them.  

In a separate incident, an unknown attacker used valid credentials to log into TeamViewer remotely and install various malware tools on systems belonging to a major organization in the entertainment industry.

The use of TeamViewer to gain remote access to target systems is not the only technique that less sophisticated, criminally motivated threat actors have begun borrowing from state-sponsored groups. In April of this year, CrowdStrike observed a criminal actor using a Trojanized version of Arkadin's Vision Desktop App software to drop malware on a system, allowing additional second stage tools to be installed on the compromised host.
China Rising

Such intrusions show that criminal actors, like their more sophisticated state-sponsored counterparts, are increasingly employing hands-on-the-keyboard tactics to break into systems, conduct reconnaissance, steal credentials, and move laterally, Ayers says.

"You want to be able to detect a threat in as close to real-time as possible," she says. CrowdStrike OverWatch's data shows that adversaries on average take just one hour and 58 minutes to begin moving laterally in a compromised network after gaining initial access to it. The vendor recommends that organizations ideally be able to detect an intrusion in less than one minute, investigate it in less than 10 minutes, and mitigate the threat in under one hour.

CrowdStrike's review of threat hunting data from the first half of this year also revealed an uptick in targeted intrusion attempts by China-based threat actors against organizations in multiple industries including biotech, pharmaceutical, defense, mining and professional services.

Of the 70 or so intrusions that CrowdStrike OverWatch was able to attribute to a specific actor or region, China-based actors were likely behind 40 of them. It's hard to say what specifically might be driving the uptick, though there has been an overall increase in cyber espionage activities, Ayers notes.

Dark Reading

You Might Also Read:

Cyber Criminals Catch Up With Nation-States:
 

 

« Corporate Cybercrime - A Hacker’s Point Of View
Build A Young Cyber Security Team »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Security Guru

IT Security Guru

IT Security Gurus publish daily breaking news. interviews with the key thinkers in IT security, videos and the top 10 stories as picked by our Editor.

Verlingue

Verlingue

Verlingue (formerly ICB Group) is a leading corporate insurance broker providing Insurance, Risk Management and related advice to businesses and private clients.

Netrix

Netrix

Netrix is a Mexican company specialized in IT Security, with more than 18 years of experience in Managed Services, Professional Services and Turnkey Solutions related to Security.

Elliptic

Elliptic

Elliptic solve the crucial problem of identity in cryptocurrencies, with the sole purpose of combating suspicious and criminal activity.

Sergeant Laboratories

Sergeant Laboratories

Sergeant Laboratories builds advanced technologies to prove compliance in complex IT security and regulatory compliance situations.

Snode Technologies

Snode Technologies

Snode's Guardian cybersecurity platform uses AI and machine learning to monitor, detect and proactively respond to all threats on every device within your network.

Inceptus

Inceptus

Inceptus is a next generation Managed Security Service Provider (MSSP). We are dedicated to keeping our customers safe, secure and protected while doing business on the Internet.

TestArmy

TestArmy

TestArmy CyberForces provide you with a broad spectrum of cybersecurity services to test every aspect of your IT infrastructure security and software development process.

Alpha Mountain AI (alphaMountain)

Alpha Mountain AI (alphaMountain)

alphaMountain provides up-to-date domain and IP intelligence for cybersecurity investigational and protection platforms.

Primus Institute of Technology

Primus Institute of Technology

At Primus Institute of Technology our mission is to inspire, support, and empower current and aspiring IT professionals through training and career development workshops.

Cyber1

Cyber1

CYBER1 is a leader in cyber security advisory and solutions. We are uniquely placed to help customers achieve cyber resilience and thus, safeguard reputation and value.

Hexiosec

Hexiosec

Hexiosec (formerly Red Maple Technologies) is a technical consultancy and product company founded and run by engineers from the UK Intelligence and Defence communities.

Oxylabs

Oxylabs

Oxylabs is the largest datacenter proxy pool in the market, with over 2 million proxies. Designed for high-traffic, fast web data gathering while ensuring superior performance.

CovertSwarm

CovertSwarm

Since 2020 CovertSwarm have been radically redefining how enterprise security risks are discovered. We outpace the cyber threats faced by our clients using a constant cyber attack methodology.

Sirar by STC

Sirar by STC

Sirar is an advanced technology and cybersecurity company established by STC, the MENA region’s ICT and digital services provider.

SELFY Project

SELFY Project

The SELFY project has developed a toolbox made up of collaborative solutions with the objective to improve the resilience of the Cooperative Connected Automated Mobility sector.