The dynamics of cyber threats have taken on a new level of complexity, driven by the escalating interdependency among various types of threat actors. In a thriving cybercrime-as-a-service (CaaS) economy, attackers are sharing their malicious tradecraft through readily available kits and tools and collaborating efficiently by leveraging shared services conveniently accessible on the dark web.
For enterprises, growing levels of interdependence amongst cybercriminals pose new challenges on the cybersecurity front. As threat actors pool their resources and knowledge, the sophistication and scale of attacks have been rising exponentially. The sharing of malicious tools and services also shortens the time it takes for new threats to emerge.
In this post, we explore the complex and growing web of interconnection that links sophisticated nation-state actors, threat gangs, and all levels of cyber criminals together. Understanding the shape of today’s cyber threat landscape is an essential prerequisite for all modern cyber defenders.
How Attackers Share Knowledge & Malicious Tradecraft
In recent years, the availability of cybercrime services has become firmly established amongst various levels of cybercriminals, leading to significant specialization within criminal networks and fostering cooperation among illicit vendors.
Cybercrime-as-a-service (CaaS) models allow attackers to share technical knowledge and malicious tradecraft through dark markets. This ecosystem operates much like a legitimate business, where aspiring attackers can purchase or rent tools, techniques, and expertise to launch their own campaigns.
Illicit service providers can efficiently serve numerous criminal entities by providing obfuscation, IoT botnet rentals, phishing services, backdoor generators, and more. These offerings are frequently marketed or sold on private forums and the dark web.
Navigating the Dark Web | Breeding Grounds for A New Wave of Cybercrime
A fertile ground for modern cybercrime, the dark web serves as a hub where cybercriminals can sell and share expertise, tools, and stolen data. These illicit spaces have driven interdependency among cybercriminals and amplified the scale and complexity of cyber threats.
The dark web is most commonly reached through Tor and its .onion addresses, but other darknet services can also support criminal enterprises, including I2P (the Invisible Internet Project) and Hyphanet. While such services also serve legitimate purposes, such as anonymous and private network connections, internet privacy and censorship resistance, there is no doubt that cybercriminals have benefited hugely from their availability.
Monetizing Breaches | The Emergence of Initial Access Brokers
While dark markets facilitate the tools, code, and services needed to perform cyberattacks, Initial Access Brokers (IABs) sell unauthorized access to compromised systems, enabling buyers to initiate their attacks. Their emergence has introduced a layer of monetization to data breaches, which underscores the transformation of cyber threats into a vastly profitable commodity.
Initial Access Brokers also offer a marketplace for stolen credentials and software vulnerabilities, which empowers a broader range of attackers with diverse levels of expertise. With such ready access to potential targets, cybercriminals are able to exploit these gateways to rapidly launch new campaigns.
Outsourcing Expertise for Profit | The Role of Cyber Affiliates
The shift in how threat actors collaborate is also attributed to cyber affiliates: individuals or groups that leverage their skills to assist in cyber attacks in exchange for a share of the profits. This decentralized approach enables specialization within the criminal ecosystem, where different actors contribute their expertise to create a more diversified and potent threat landscape.
Affiliates serve as integral components within the ransomware-as-a-service (RaaS) framework. They leverage the specialized resources and tools provided by the RaaS platform, enabling them to launch sophisticated campaigns even without advanced technical skills.
In return for their services, affiliates share a portion of the ransom payments with the RaaS operators. This collaboration amplifies the reach and severity of ransomware attacks since affiliates operate autonomously under the RaaS umbrella, expanding the threat landscape and generating profits for both parties involved.
Behind the Scenes | The Enablers Behind Cybercriminals
Beneath the surface of the cybercrime landscape lies a network of enablers that fuel cybercriminals' malicious operations. Crypter developers, for example, create tools that attempt to disguise malware, in the hope of evading detection by less-sophisticated security software.
Malware kits and droppers offer pre-packaged malicious code, further lowering the barrier to entry to cybercrime and attracting a new breed of would-be criminals with less technical knowledge.
Bulletproof hosting plays a pivotal role in interconnecting cybercriminals. This type of hosting service provides a safe haven for illegal online activities by offering infrastructure that is resistant to takedowns and law enforcement actions. Bulletproof hosting providers set up their infrastructure in jurisdictions that are known to have lenient or inadequate internet regulations in place, making it difficult for authorities to shut down or seize their servers. The hosts generally have minimal content monitoring or restrictions, allowing cybercriminals to host illegal content, malware distribution, phishing sites, and other malicious activities.
By providing a reliable and secure platform, bulletproof hosting providers attract a range of cybercriminals, including those involved in malware distribution, phishing campaigns, and other illicit operations. This fosters an environment where cybercriminals can collaborate, share resources, and even coordinate attacks, making their collective impact much larger than if they had operated independently.
VPNs are among the most common services used by malware operators and scammers. Criminal VPN providers work by hosting proxies that users can route their traffic through to conceal their IP address as well as the content of the traffic. These services are typically advertised specifically to attackers on the dark web.
Anonymizing Transactions | The Role of Cryptocurrency In The Threat Arena
Behind the explosion of cybercrime in recent years is the ability of criminals to move money without oversight. Cryptocurrency like bitcoin has transformed how threat actors manage their ill-gotten gains and conduct various illegal activities. Given its decentralized nature, anonymity, and ease of use, cryptocurrency has become a unifying means of handling criminal proceeds across diverse criminal activity.
Crypto wallets securely store digital assets and enable anonymous transactions through unique addresses. Mixers, or tumblers, shuffle multiple transactions together, ensuring that the origin of funds is difficult to trace. Threat actors also use crypto swappers to convert from one cryptocurrency to another, which adds a further layer of complexity. These tools collectively help cybercriminals mask their financial activities, making illicit proceeds harder for authorities to detect and trace.
The increasing interdependence observed among cybercriminals reflects the intricate nature of the modern cybercrime landscape. It also demonstrates the urgency for organizations to establish end-to-end cybersecurity strategies that are capable of safeguarding various attack surfaces autonomously.
While disruption of the cybercrime ecosystem is primarily a task for collaborative law enforcement and government policy, security leaders can play their part by ensuring that their solutions provide deep visibility across all systems, detect and respond to threats in real-time, and can scale as needed as the organization grows.
SentinelOne is ready to help security leaders defend their organizations against every level of cyberattack. To learn how we can help you build a robust security posture, contact us today or book a demo.