State-sponsored hackers and ransomware gangs are diversifying tactics to inflict more harm

The groups have been using off-the-shelf tooling and open source penetration testing tools at unprecedented scale, according to Accenture's 2020 Cyber Threatscape Report.


Some of the world's most skilled nation-state cyber adversaries and notorious ransomware gangs are deploying an arsenal of new open-source tools, actively exploiting corporate email systems, and using online extortion to scare victims into paying ransoms, according to Accenture's 2020 Cyber Threatscape Report.


"Since COVID-19 radically shifted the way we work and live, we've seen a wide range of cyber adversaries changing their tactics to take advantage of new vulnerabilities," said Josh Ray, who leads Accenture Security's global cyber defense practice, in a statement. "The biggest takeaway from our research is that organizations should expect cybercriminals to become more brazen as the potential opportunities and pay-outs from these campaigns climb to the stratosphere."

In this type of climate, organizations need to double down on putting the right controls in place and leverage reliable cyber threat intelligence to understand and expel the most complex threats, Ray said.

Sophisticated adversaries mask identities with off-the-shelf tools

Throughout 2020, suspected state-sponsored and organized criminal groups have been using a combination of off-the-shelf tooling—including "living off the land" tools, shared hosting infrastructure, and publicly developed exploit code—and open source penetration testing tools at unprecedented scale to carry out cyberattacks and hide their tracks, the report said.


For example, Accenture said it tracks the patterns and activities of an Iran-based hacker group referred to as SOURFACE (also known as Chafer or Remix Kitten). The group has been active since at least 2014 and is known for its cyberattacks on the oil and gas, communications, transportation and other industries in the U.S., Israel, Europe, Saudi Arabia, Australia, and other regions, according to the firm.

Accenture CTI analysts have observed SOURFACE using legitimate Windows functions and freely available tools such as Mimikatz for credential dumping, the report said. Credential dumping harvests authentication material (usernames, passwords, and password hashes) from a compromised host so that attackers can escalate privileges or move laterally across the network to compromise other systems and accounts while appearing to be a valid user.
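The credential-dumping step described above is the one a defender can most readily catch on the endpoint. Mimikatz's sekurlsa module reads credential material out of the memory of lsass.exe, and to do that it must open a handle to LSASS that carries PROCESS_VM_READ; Sysmon logs every such cross-process handle open as Event ID 10 (ProcessAccess) with the requested mask in its GrantedAccess field. The following Python is an added detection example, not code from the Accenture report or from TechRepublic: it parses Event-Viewer-style Sysmon text and flags any process outside a small allowlist that opens LSASS with read access. The log records and the allowlist are constructed for this example and are assumptions; build the allowlist from a baseline of your own fleet.

```python
"""Flag LSASS credential dumping (Mimikatz-style) in Sysmon Event ID 10 records.

Added example: the sample records and the allowlist below are constructed for
illustration, not taken from the Accenture report.
"""
import re
from typing import Dict, List

PROCESS_VM_READ = 0x0010                    # needed to read LSASS memory
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # harmless on its own

# Hypothetical allowlist of processes that legitimately open LSASS on a stock
# Windows host. Match on the full lower-cased path, not the basename: attackers
# rename mimikatz.exe, and a renamed copy in a user profile must still be caught.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}

# Sysmon renders each field of a record as "Name: value" on its own line and
# separates records with a blank line.
FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")


def parse_sysmon_records(text: str) -> List[Dict[str, str]]:
    """Split Event-Viewer-style Sysmon text into one dict per record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                rec[m.group(1)] = m.group(2).strip()
        if rec:
            records.append(rec)
    return records


def is_lsass_read(rec: Dict[str, str]) -> bool:
    """True when the record is a handle to lsass.exe that includes VM_READ."""
    target = rec.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    try:
        access = int(rec.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    return bool(access & PROCESS_VM_READ)


def find_lsass_dumps(text: str) -> List[Dict[str, str]]:
    """Return the records in which a non-allowlisted process read LSASS memory."""
    hits = []
    for rec in parse_sysmon_records(text):
        if not is_lsass_read(rec):
            continue
        if rec.get("SourceImage", "").lower() in LSASS_ALLOWLIST:
            continue
        hits.append({
            "time": rec.get("UtcTime", "?"),
            "pid": rec.get("SourceProcessId", "?"),
            "source": rec.get("SourceImage", "?"),
            "access": rec.get("GrantedAccess", "?"),
        })
    return hits


# Constructed sample: three Event ID 10 records. The first is an allowlisted
# system process; the second is the classic 'sekurlsa::logonpasswords' handle
# open (0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION); the third
# is a renamed copy in a user profile, which the full-path allowlist still catches.
SAMPLE_LOG = r"""
Process accessed:
UtcTime: 2020-10-21 14:02:58.114
SourceProcessId: 620
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessId: 672
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534

Process accessed:
UtcTime: 2020-10-21 14:03:11.503
SourceProcessId: 4324
SourceImage: C:\Users\bob\Downloads\mimikatz.exe
TargetProcessId: 672
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Users\bob\Downloads\mimikatz.exe+3b2a

Process accessed:
UtcTime: 2020-10-21 14:05:40.020
SourceProcessId: 5002
SourceImage: C:\Users\bob\AppData\Local\Temp\svchost.exe
TargetProcessId: 672
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1410
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534
"""

if __name__ == "__main__":
    for hit in find_lsass_dumps(SAMPLE_LOG):
        print(f"{hit['time']} pid={hit['pid']} {hit['source']} opened LSASS with {hit['access']}")
```

Run as-is it reports the mimikatz.exe and the renamed Temp\svchost.exe handle opens and stays quiet on csrss.exe. A production rule would additionally raise severity when SourceImage sits under a user-writable path, and tuning matters: security products and some Windows components also read LSASS, so an allowlist built from a real baseline is what keeps the rule from paging on every EDR scan.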

According to the report, it is highly likely that sophisticated actors, including state-sponsored and organized criminal groups, will continue to use off-the-shelf and penetration testing tools for the foreseeable future as they are easy to use, effective and cost-efficient.

New, sophisticated tactics target business continuity

The report also notes how one notorious group has aggressively targeted systems supporting Microsoft Exchange and Outlook Web Access, and then used these compromised systems as beachheads within a victim's environment to hide traffic, relay commands, compromise email, steal data and gather credentials for espionage efforts.

Operating from Russia, the group, which Accenture refers to as BELUGASTURGEON (also known as Turla or Snake), has been active for more than 10 years and is associated with numerous cyberattacks aimed at government agencies, foreign policy research firms and think tanks across the globe, according to the report.

Ransomware feeds new profitable, scalable business model

Ransomware has quickly become a more lucrative business model in the past year, with cybercriminals taking online extortion to a new level by threatening to publicly release or sell stolen data and by naming and shaming victims on dedicated leak websites, the report said.

The criminals behind the Maze, Sodinokibi (also known as REvil) and DoppelPaymer ransomware strains are the pioneers of this growing tactic, which is delivering bigger profits and resulting in a wave of copycat actors and new ransomware peddlers, according to the Accenture report.

Additionally, the infamous LockBit ransomware emerged earlier this year. Besides copying the extortion tactic, LockBit has gained attention due to its self-spreading feature that quickly infects other computers on a corporate network, the report said.


The motivations behind LockBit appear to be financial, as well. Accenture said its CTI analysts have tracked the cybercriminals behind it on Dark Web forums, where they advertise regular updates and improvements to the ransomware and actively recruit new members by promising a portion of the ransom money.

The success of these hack-and-leak extortion methods, especially against larger organizations, means they will likely proliferate for the remainder of 2020 and could foreshadow hacking trends in 2021. Accenture also said its CTI analysts have observed recruitment campaigns on a popular Dark Web forum from the threat actors behind Sodinokibi.
