Lesser Skilled Cybercriminals Adopt Nation-State Hacking Methods

Uploaded on 2018-10-18 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

The trend underscores the need for organisations of all sizes to be prepared to detect and respond to threats faster, CrowdStrike says. 

Relatively unskilled, criminally motivated hackers are increasingly adopting the tactics, techniques and procedures (TTPs) typically used by more sophisticated nation-stated backed adversaries.

New analysis by security vendor CrowdStrike's Falcon OverWatch threat-hunting team of intrusion detection engagements at customer locations between January and June this year shows a continued blurring of lines between methods employed by criminals and known nation-state actors.

This trend spells trouble for enterprises because it means that no one is really safe from sophisticated attacks, says Jennifer Ayers, vice president of CrowdStrike's OverWatch and security response team. "Sophisticated techniques are becoming a little more commoditized," she says. "Anything goes. Anyone can be a target."

One example is cybercriminals increasingly using TeamViewer software to gain remote access to targets. TeamViewer is a legitimate tool for connecting to remote computers for desktop sharing and collaboration and enabling remote support, among other uses. 

CrowdStrike first observed TeamViewer being used for malicious purposes back in 2013 by Team Bear, a Russian advanced persistent threat actor. Team Bear used malicious versions of TeamViewer to remain hidden and persistent on victim machines and to enable communications with command-and-control servers. Since then, numerous other adversaries have begun employing the same tactics, including criminally motivated actors.

In the first quarter of this year, threat actors leveraging TeamViewer targeted the hospitality sector in particular. According to CrowdStrike, at least four major hospitality organisations experienced TeamViewer-related intrusions during the quarter. In each case, the attackers spoofed the TeamViewer binaries to make them appear like expected file names. The command and control infrastructure used in all four attacks were similar, suggesting the same attack group was behind them.  

In a separate incident, an unknown attacker used valid credentials to log into TeamViewer remotely and install various malware tools on systems belonging to a major organization in the entertainment industry.

The use of TeamViewer to gain remote access to target systems is not the only technique that less sophisticated, criminally motivated threat actors have begun borrowing from state-sponsored groups. In April of this year, CrowdStrike observed a criminal actor using a Trojanized version of Arkadin's Vision Desktop App software to drop malware on a system, allowing additional second stage tools to be installed on the compromised host.
China Rising

Such intrusions show that criminal actors, like their more sophisticated state-sponsored counterparts, are increasingly employing hands-on-the-keyboard tactics to break into systems, conduct reconnaissance, steal credentials, and move laterally, Ayers says.

"You want to be able to detect a threat in as close to real-time as possible," she says. CrowdStrike OverWatch's data shows that adversaries on average take just one hour and 58 minutes to begin moving laterally in a compromised network after gaining initial access to it. The vendor recommends that organizations ideally be able to detect an intrusion in less than one minute, investigate it in less than 10 minutes, and mitigate the threat in under one hour.

CrowdStrike's review of threat hunting data from the first half of this year also revealed an uptick in targeted intrusion attempts by China-based threat actors against organizations in multiple industries including biotech, pharmaceutical, defense, mining and professional services.

Of the 70 or so intrusions that CrowdStrike OverWatch was able to attribute to a specific actor or region, China-based actors were likely behind 40 of them. It's hard to say what specifically might be driving the uptick, though there has been an overall increase in cyber espionage activities, Ayers notes.

Dark Reading

You Might Also Read:

Cyber Criminals Catch Up With Nation-States:
 

 

« Corporate Cybercrime - A Hacker’s Point Of View
Build A Young Cyber Security Team »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CyberSecurityJobsite.com

CyberSecurityJobsite.com

CyberSecurityJobsite.com is a specialist job board designed to attract candidates working within Cyber Security, Information Security or Information Assurance.

StoneFly

StoneFly

StoneFly offers High Availability, high performance cluster and scale out storage, and backup and disaster recovery appliances.

International Federation of Robotics (IFR)

International Federation of Robotics (IFR)

The International Federation of Robotics connects the world of robotics around the globe. Our members come from the robotics industry, industry associations and research & development institutes.

Mitek Systems

Mitek Systems

Mitek's global mobile capture and identity verification technology optimizes the digital user experience for thousands of financial services organizations.

Codified Security

Codified Security

Codified is a testing platform for mobile application software. We make it easier than ever for companies to detect and fix security vulnerabilities and ensure their applications are compliant.

Mvine

Mvine

Mvine's primary business is authoring and selling Cyber-Secure Platforms for Collaboration Portals and for Identity Management as well as delivering cloud support services.

MagicCube

MagicCube

MagicCube is a device independent IoT security platform that protects against on-device, cloud, and network attacks.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

Privacera

Privacera

Privacera enables consistent data governance, security, and compliance across all your data services - on-premises and in the cloud - so you can maximize the value of your data.

Informatics International

Informatics International

Informatics is a leading ICT provider in Sri Lanka, providing cutting-edge software & infrastructure solutions and services including cyber security.

Everything Blockchain

Everything Blockchain

Everything Blockchain is a development, architecture, and software designer of Blockchain that also provides services specializing in blockchain technologies and decentralized processing.

N-able

N-able

N-Able deliver simple and sophisticated monitoring, security, and business solutions that empower you to solve your toughest IT challenges.

FCI

FCI

FCI is a NIST-Based Managed Security Service Provider (MSSP) offering Cybersecurity Compliance Enablement Technologies & Services to Financial Services organizations.

Moore ClearComm

Moore ClearComm

Moore ClearComm is part of Moore Kingston Smith a leading UK firm of accountants and business advisers. Our services include Data Privacy, Cyber Security, Business Continuity and Information Security.

Eficens Systems

Eficens Systems

Eficens Systems is a global IT services and consulting company. We specialize in empowering businesses to harness the potential of Information Technology as a strategic asset.

Mediatech

Mediatech

Mediatech, specialized in managed Cybersecurity and Cloud services, a single point of contact for your company's IT and infrastructure.