From the Computer Security perspective, the Cybercrime Threat Landscape is the set of threats that organizations face in the digital world. These threats can be internal or external, generic or targeted, and financially motivated or have other motivations. The landscape of threats is constantly evolving, with new threats emerging all the time.

Definitions

The Risk is a statistical and economic evaluation of the exposure to damage of a good (an asset) due to the presence of vulnerabilities and threats. The risk is a function of the asset, the vulnerabilities, and the threats: an asset with no vulnerabilities, or with no threat that can exploit them, carries no risk.

where is the good we want to protect.

We define Security as managing risk against cost, given the threat landscape: the goal is not to eliminate risk but to spend on countermeasures in proportion to the exposure they reduce.

The landscape of threats can be divided into three “dimensions”:

  1. Internal vs. External: this dimension refers to the origin of the threat. Internal threats are those that come from within the organization (such as disgruntled employees), while external threats come from outside the organization.
  2. Generic vs. Targeted: this dimension refers to the specificity of the threat. Generic threats are those that are not specifically targeted at a particular organization, while targeted threats are aimed at a specific organization.
  3. Financially motivated vs. others: this dimension refers to the motivation behind the threat. Financially motivated threats are those that are aimed at making money, while others are motivated by other factors.

The Gartner Quadrant of Threats is a model that classifies threats based on these dimensions. The model divides threats into four quadrants: generic internal threats, generic external threats, targeted internal threats, and targeted external threats.

             Generic                                     Specific
Internal     Disgruntled employee                        Socially-engineered or dishonest employee
External     Criminals, usually looking to make money    A variety of advanced attackers

This classification helps organizations understand the nature of the threats they face and develop appropriate strategies to mitigate them. It is important for organizations to be aware of both generic and specific threats in order to effectively protect their assets and manage their cybersecurity risks. Internal-specific and external-generic threats are the most common types of threats, and both aim to make money from their attacks.

Internal Threats

Internal threats are primarily posed by employees who may have various motivations, such as being disgruntled or being manipulated by external parties. These threats can have financial motives or other underlying reasons.

  • Malicious Insiders: These are employees or partners who exploit their authorized access to confidential data for personal gain or to harm the organization.
  • Inside Agents: Malicious insiders who are recruited by external parties to steal, alter, misuse, or delete confidential data.
  • Emotional Employees: These attackers seek to cause harm to their organization as a form of revenge for perceived unfairness or injustice.
  • Reckless Employees: Employees or partners who disregard an organization’s cybersecurity policies, leading to security incidents.
  • Third-Party Employees: Vendors or contractors who abuse their access to an organization’s network to compromise the security of sensitive information.

Internal threats can have serious consequences for an organization’s security and should be addressed through robust security measures, employee training, and regular monitoring of access privileges.

Data Breaches and Targeted Attacks

Internal threats pose significant risks to organizations, with data breaches and targeted attacks being two prevalent types.

Definitions

  • A data breach refers to unauthorized access to an organization’s network, resulting in the theft of sensitive information.
  • A targeted attack is a sophisticated attack specifically aimed at a particular organization or individual.

These attacks are often orchestrated by advanced threat actors who seek financial gain from their malicious activities.

Data breaches can have severe consequences, including financial losses, reputational damage, and legal liabilities. Attackers exploit vulnerabilities in an organization’s security infrastructure to gain access to sensitive data, such as customer information, intellectual property, or financial records. They may employ various techniques, including social engineering, malware, or exploiting weak passwords, to infiltrate the network and exfiltrate valuable data.

Targeted attacks, of which advanced persistent threats (APTs) are the best-known form, are highly focused and tailored to exploit specific vulnerabilities within an organization. These attacks involve a prolonged and stealthy intrusion, with the objective of gaining unauthorized access to sensitive information or disrupting critical operations. APTs are typically carried out by well-funded and skilled threat actors, such as nation-state-sponsored groups or organized cybercriminal syndicates.

To mitigate the risks associated with internal threats, organizations must implement robust security measures, including network segmentation, access control, encryption, and intrusion detection systems. Regular security assessments, employee training on cybersecurity best practices, and incident response plans are also crucial for effective threat management.

30 Years of Malicious Software

Malicious software, or malware, has been a threat to organizations for over 30 years. However, the nature of malware has evolved over time, with attackers now focusing on monetizing their attacks.

Between 1990 and 2000, when the internet was still in its infancy and people were just beginning to use computers for personal and business purposes, malware was mostly used for pranks and vandalism, to demonstrate the capabilities of the attacker, or to gain notoriety.

In the early 2000s, malware became more sophisticated and began to be used for financial gain. Attackers started to focus on monetizing their attacks and to organize themselves into groups that carried out coordinated attacks. This led to the rise of financially-oriented malware, such as ransomware, fake antivirus software, and premium-rate call services (dialers). In this period the first botnets were developed, which were used to carry out distributed denial-of-service (DDoS) attacks against high-profile websites.

Beginning in the 2010s, attackers began to focus on high-profile targets, such as government agencies, financial institutions, and large corporations, with the aim of stealing sensitive information or disrupting their operations. Most of the time, the purpose of these attacks was to make money, but also for political or ideological reasons, such as hacktivism and espionage.

The main purpose of these attacks is to make money. Attackers use various techniques to monetize their attacks and the most common one is direct monetization: making credit card or bank account frauds, spreading ransomware, selling fake antivirus software, or providing premium call services.

Financially-Oriented Attacks

Financially-oriented attacks are carried out by cybercriminals who are motivated by financial gain. These attacks can take various forms, such as credit card fraud, identity theft, ransomware, and phishing scams. Cybercriminals use a variety of techniques to carry out these attacks, including social engineering, malware, and exploit kits.

There are two main ways to monetize a cyber attack: direct and indirect monetization.

Direct Monetization and ransomware

The fastest way to make money is through ransomware.

Definition

Ransomware is a type of malware that encrypts the victim’s files and demands a ransom in exchange for the decryption key. Usually, ransomware encrypts the files with a symmetric key (AES) and then encrypts that symmetric key with the attacker’s asymmetric public key (RSA). To decrypt the files, the victim needs the AES key, and the AES key can only be recovered with the attacker’s RSA private key, which never leaves the attacker’s infrastructure.

Ransomware has become one of the most common types of malware and has been used to carry out attacks against individuals, businesses, and government agencies. Ransomware attacks generally follow the same pattern:

  1. Delivered through an email attachment or a malicious link, the ransomware is downloaded and executed on the victim’s computer. It then encrypts the victim’s files with an AES key that the ransomware itself provides (generated locally, without contacting any server)
  2. The attacker’s RSA public key is then downloaded from the C&C server and used to encrypt the AES key
  3. The AES key, encrypted with the RSA public key, is embedded in the encrypted file, so only the holder of the RSA private key (the attacker) can recover it
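The three steps above, written out as a small Go model. This is an added example for these notes, not code from the page or from any real ransomware family: it works on in-memory byte slices rather than files, the file layout (length-prefixed wrapped key, nonce, ciphertext) and the sample plaintext are constructed here, and AES-256-GCM and RSA-OAEP are the concrete choices assumed for the page’s generic “AES” and “RSA”. The point it shows is the key hierarchy: the victim’s machine only ever holds the AES key and the attacker’s public key, so nothing on the machine is enough to undo the encryption once the AES key is wrapped.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed layout of one encrypted file in this model (step 3 of the pattern):
//   [2-byte length][AES key wrapped with RSA-OAEP][12-byte GCM nonce][AES-GCM ciphertext+tag]

// newAttackerKey models the attacker's RSA key pair; only the public half ever reaches a victim.
func newAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newVictimKey models step 1: a fresh 256-bit AES key generated on the victim's machine.
func newVictimKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// newGCM builds the AES-256-GCM AEAD used for the file contents.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile is the malware side: it holds the attacker's public key (downloaded in
// step 2) and the per-victim AES key, never the private key.
func encryptFile(pub *rsa.PublicKey, aesKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must be unique per file under the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	out.Write([]byte{byte(len(wrapped) >> 8), byte(len(wrapped))})
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(ct)
	return out.Bytes(), nil
}

// decryptFile is the decryptor the victim is sold after paying: without the RSA private
// key the OAEP unwrap fails and the AES key, hence the file, stays out of reach.
func decryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("truncated header")
	}
	n := int(blob[0])<<8 | int(blob[1])
	if len(blob) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[2:2+n], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	rest := blob[2+n:]
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("truncated nonce")
	}
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], nil)
}

func main() {
	// Errors are ignored only in this stand-alone demo; the functions above return them.
	attacker, _ := newAttackerKey()
	aesKey, _ := newVictimKey()
	blob, _ := encryptFile(&attacker.PublicKey, aesKey, []byte("Q3 financial report"))
	rec, err := decryptFile(attacker, blob)
	fmt.Printf("recovered=%q err=%v\n", rec, err)
}
```

Two practical consequences follow from the structure. First, the AES key is in the malware’s memory for as long as it is encrypting, so killing the process early or capturing memory can sometimes recover it; once the process exits, only the wrapped copy remains. Second, the scheme is only as strong as its weakest implementation detail: a predictable random source for the AES key, or a nonce reused across files, is what has made some real families decryptable without paying.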

The victim is then asked to pay a ransom in Bitcoin or other cryptocurrencies to get the decryption key. If the victim refuses to pay, the attacker may threaten to delete the decryption key or publish the victim’s data online.

Ransomware is a highly profitable venture for cybercriminals, as evidenced by the following statistics:

  • In 2020, ransomware affected approximately 51% of surveyed businesses.
  • The average ransom demand in a ransomware attack was $178,000 in 2020.
  • On the dark web, the average cost for a ransomware attack is $5,900.
  • It is estimated that 1 in 4 victims of ransomware actually pay the hackers.
  • By 2021, ransom payments made by companies are projected to reach $11 billion.
  • The largest ransom demand in 2020 was €10 million, targeting French construction firm Bouygues.

Indirect Monetization

In addition to direct monetization through ransomware, attackers can also profit indirectly from their attacks. They achieve this by stealing sensitive information, abusing the victim’s computing resources, or renting/selling botnet infrastructures.

One way attackers monetize their attacks is by selling the stolen information on the dark web. This includes personal data, financial records, or any other valuable information that can be used for identity theft or fraud.

Another method is to abuse the victim’s computing resources for cryptocurrency mining (cryptojacking). By using the victim’s computer power, attackers can mine cryptocurrencies like Bitcoin, Monero, or Ethereum, generating profits for themselves; in practice the target is mostly Monero, whose proof-of-work is designed to run on ordinary CPUs.

Furthermore, attackers may rent or sell botnet infrastructures to other malicious actors.

Definition

A botnet is a network of compromised computers controlled by the attacker.

These botnets can be used for various purposes, such as launching DDoS attacks, distributing spam emails, or carrying out further cybercrimes.

By understanding these indirect monetization techniques, organizations can better protect themselves against cybercriminals and mitigate the potential impact of such attacks.

Rise of the Bots

The emergence of bots as a malicious software threat began in the late 1990s with the exploitation of IRC bots for Distributed Denial of Service (DDoS) attacks. One notable example is the IRCwars incident, where the trinoo DDoS attack tool was used to target a server at the University of Minnesota. This attack involved at least 227 bots and took place in August 1999. Originally designed for Solaris, the trinoo botnet was later adapted for Windows. The attack garnered significant media attention, highlighting the growing prevalence of DDoS attacks. In February 2000, a wave of DDoS attacks took down numerous high-profile websites, including Amazon, CNN, and eBay, further underscoring the need for robust cybersecurity measures.

A study conducted in 2020 by the Spamhaus organization found that the United States, Russia, and the Netherlands host a large number of botnet Command and Control (C&C) servers. The study is based on data voluntarily reported by participants, and indicates that these countries are the most affected by C&C servers and have significant botnet activity. China, on the other hand, shows a decreasing trend in C&C server presence, particularly outside its borders. Another study highlights credential stealers as the most common type of bot in the affected countries, followed by remote access tools (RATs) used to control victims’ computers remotely.

Anatomy of a Drive-By Download

A drive-by download is a type of attack that occurs when a user visits a website that has been infected with malware.

  1. The user visits a website that has been compromised to serve malicious content. The link to the compromised site is usually sent to the victim via email or social media
  2. When the user clicks on the link, a redirection chain is triggered (often through one or more intermediate “traffic distribution” hosts), leading the user to a landing page that contains the exploit kit
  3. The exploit kit scans the user’s browser and plugins for vulnerabilities and exploits them to download and execute the malware on the user’s computer
  4. At the same time, the attackers use the exploit kit to collect information about the user, such as their IP address, geolocation, and browser version, using the compromised website as a proxy
  5. The malware then communicates with the command-and-control server to receive further instructions and exfiltrate data from the victim’s computer, completing the infection chain
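What the chain above looks like from the defender’s side, as an added example that is not part of the original notes. It runs a simple detector over a few constructed proxy log lines: starting from every download of an executable content type, it walks the Referer header backwards through the same client’s requests and reports chains that crossed several distinct hosts before the payload, which is the signature of steps 2 and 3 (site, redirector, landing page, payload). The seven-field log format, the host names, the list of executable content types, and the threshold of three hosts are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// record is one proxy log entry. The seven-field line format is constructed for this
// example: timestamp client method url referer(or "-") status content-type.
type record struct {
	ts, client, method, url, referer, status, ctype string
}

func parseLine(line string) (record, bool) {
	f := strings.Fields(line)
	if len(f) != 7 {
		return record{}, false
	}
	return record{f[0], f[1], f[2], f[3], f[4], f[5], f[6]}, true
}

func host(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return u.Hostname()
}

// binaryTypes lists content types that usually mean an executable was dropped (step 3).
var binaryTypes = map[string]bool{
	"application/x-msdownload": true,
	"application/x-dosexec":    true,
	"application/octet-stream": true,
}

// findDriveBy starts from every binary download and walks the Referer chain backwards
// through the same client's requests. A chain that crossed at least minHosts distinct
// hosts before the payload (site -> redirector -> landing page -> payload) is reported;
// a direct download from a single vendor site is not.
func findDriveBy(lines []string, minHosts int) [][]string {
	byKey := map[string]record{} // client+url -> request, so chains never mix clients
	var recs []record
	for _, l := range lines {
		if r, ok := parseLine(l); ok {
			recs = append(recs, r)
			byKey[r.client+" "+r.url] = r
		}
	}
	var hits [][]string
	for _, r := range recs {
		if !binaryTypes[r.ctype] {
			continue
		}
		chain := []string{r.url}
		hosts := map[string]bool{host(r.url): true}
		seen := map[string]bool{r.url: true}
		for cur := r; cur.referer != "-"; {
			prev, ok := byKey[cur.client+" "+cur.referer]
			if !ok || seen[prev.url] { // referer not in the log, or a loop
				break
			}
			seen[prev.url] = true
			chain = append([]string{prev.url}, chain...)
			hosts[host(prev.url)] = true
			cur = prev
		}
		if len(hosts) >= minHosts {
			hits = append(hits, chain)
		}
	}
	return hits
}

// sampleLog is constructed for the example: client 10.0.0.5 follows a news page through a
// traffic-distribution redirector to a landing page that drops pay.exe; client 10.0.0.6
// downloads an installer directly from a vendor page and must not be flagged.
var sampleLog = []string{
	"2024-03-01T10:00:01Z 10.0.0.5 GET http://news.example/article.html - 200 text/html",
	"2024-03-01T10:00:01Z 10.0.0.5 GET http://news.example/js/ads.js http://news.example/article.html 200 text/javascript",
	"2024-03-01T10:00:02Z 10.0.0.5 GET http://tds.example/in.php?id=7 http://news.example/article.html 302 text/html",
	"2024-03-01T10:00:02Z 10.0.0.5 GET http://land.example/index.php http://tds.example/in.php?id=7 200 text/html",
	"2024-03-01T10:00:03Z 10.0.0.5 GET http://land.example/load.php?e=pdf http://land.example/index.php 200 application/pdf",
	"2024-03-01T10:00:04Z 10.0.0.5 GET http://land.example/pay.exe http://land.example/index.php 200 application/x-msdownload",
	"2024-03-01T10:05:00Z 10.0.0.6 GET http://vendor.example/download.html - 200 text/html",
	"2024-03-01T10:05:01Z 10.0.0.6 GET http://vendor.example/setup.exe http://vendor.example/download.html 200 application/x-msdownload",
}

func main() {
	for _, chain := range findDriveBy(sampleLog, 3) {
		fmt.Println("suspicious chain:", strings.Join(chain, " -> "))
	}
}
```

The heuristic is deliberately narrow: it needs the Referer to survive each hop and the payload to be labelled with an executable content type, and real exploit kits break both assumptions (stripped referers, payloads served as image/* or with no type at all). It is a starting point for hunting in proxy logs, not a substitute for blocking at the landing-page or C&C stage.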

The Cybercrime Ecosystem

The cybercrime ecosystem is made up of organized groups that carry out various activities, such as exploit development and procurement, site infection, victim monitoring, and selling exploit kits. These groups often offer support hotlines to help their customers carry out attacks.

The ecosystem is a complex and interconnected network of actors who work together to carry out attacks and monetize their activities. The ecosystem is constantly evolving, with new actors and techniques emerging all the time. There are:

  • individuals who develop exploit kits
  • sellers who sell exploit kits to criminal groups
  • service enablers who provide infrastructure and support for cybercriminal activities, such as hosting the exploit kit, consulting and support services, and money laundering
  • money mules who help cybercriminals launder money and move it across borders
  • buyers who purchase exploit kits and use them to carry out attacks
  • victims who are targeted by cybercriminals and have their data stolen or compromised

One of the most famous exploit kits is the Blackhole exploit kit, which was developed by Dmitry “Paunch” Fedotov and was used to carry out a large number of attacks before he was arrested in October 2013. This exploit kit was used to carry out drive-by download attacks and infect users with malware, such as ransomware and banking trojans. It collected information about the victim’s computer and sent it back to the command-and-control server, which then used it to carry out further attacks.

Monetization on the Dark Web

Definition

The dark web is a hidden part of the internet that is not indexed by search engines and is only accessible using special software, such as Tor.

The dark web is a haven for cybercriminals, who use it to carry out a wide range of illegal activities, such as selling drugs, weapons, and stolen data. Cybercriminals also use the dark web to monetize their attacks by selling stolen information, such as credit card numbers, social security numbers, and bank account details. They also use the dark web to sell exploit kits, botnets, and other tools that can be used to carry out attacks.

Money Mules

Definition

Money mules are individuals who are recruited by cybercriminals to help them launder money and move it across borders.

Money mules are often unaware that they are involved in criminal activities and are recruited through job ads, social media, or online forums. Money mules are used to transfer money from one account to another, often using cryptocurrencies or other untraceable methods. Money mules are an essential part of the cybercrime ecosystem and are used by cybercriminals to move money around the world quickly and anonymously.