Tech Trends: Cybercrime Update
As a leader in tech, it can be difficult (and sometimes downright terrifying) to keep up to date with the latest developments in the cybercrime threat landscape. That being said, it has become an imperative for every good tech leader to stay at least somewhat abreast of the latest news, trends, and updates within the field of cybersecurity, and of course to have an overview of modern cybercrime. This is primarily because of the worryingly high level of innovation the cybercrime industry has shown over the last decade. With the advent of powerful AI systems, cybercriminals using AI in their attacks have also become a very real and frightening prospect. That’s why in this edition of Tech Trends we’ll be summing up some of the latest cybercrime stories and developments, to give you a general overview of what should be on your radar for the second half of 2023.
Facts and Stats
We of course won’t know the full picture of how 2023 compares to 2022 in terms of general cybercrime statistics until the end of the year. However, the current status of the threat landscape is frightening to say the least. Astra’s August security audit can give us a bit of insight into how extensive global cybercrime is for 2023 so far. They predict that “33 billion accounts will be breached in 2023 that converts into 2328 per day, 97 cybercrime victims per hour. Cyber-attacks of 800,000 have been recorded in total, and on average, there is a hacker attack every 39 seconds.” That’s around 2328 individual attacks of some form thought to be committed every day.
Most of these will be fairly low-level phishing and identity-based attacks. However, the current geopolitical landscape, coupled with technological innovation, has meant that state-sponsored or incredibly sophisticated groups of cybercriminals essentially have free rein to commit massive ransomware or data breach attacks using new tooling that is very hard to defend against, simply because it has not been seen before.
This isn’t just a prediction, either. If we look at cyber-insurance statistics, we can see that claims have increased by 100% over the last three years, signifying a large-scale ramping up of both the scale and number of these attacks.
Let’s take a closer look at Ransomware and Data Breaches, as these are easily the costliest forms of attacks for global businesses. There’s no easy way to sugar coat this: there is roughly one ransomware attack every 19 seconds, with the average cost coming in at $1.85 million. At the current growth rate, this form of cybercrime alone is expected to cost victims around $265 billion annually by 2031, with a ransomware attack occurring every two seconds by this time.
Don’t panic! This isn’t as bad as it initially seems. Increasing levels of cyber resilience in businesses across sectors, together with the awareness generated by the high-profile nature of these attacks, means that 90% of ransomware attacks do not cause any loss (either thanks to insurance or to vigilance). That should give you an idea of just how costly and high profile the ones that do slip through are, however.
The story is slightly different for data breaches. Almost 22% of all data breaches are the result of phishing, which is relatively easy to prevent if you, as a leader, ensure you’re encouraging cyber resilience within your organisation. On top of this, nearly half of all data breaches were cloud based. This demonstrates the importance of the current push within cloud security and of experimenting with techniques such as Zero Trust infrastructure.
With the average cost of a data breach coming in at $4.35 million, it’s now more important than ever to make internal awareness of phishing and identity-based crimes a priority rather than an afterthought in your business’s cybersecurity strategy.
Recent Developments
To kick things off, we have an update on the recent spree of high-profile cryptocurrency attacks believed to be perpetrated by the North Korea-backed Lazarus Group. To give you a quick breakdown, over the last few months the FBI has recorded a series of crypto thefts which have been traced back to the aforementioned group. All of these attacks involved large sums of money, with a notable example being the attack on ‘Atomic Wallet’ in June, which resulted in 5,500 wallets being compromised and the attackers making off with $100 million in equivalent crypto. While it cannot be 100% verified that Lazarus Group were behind this and other related attacks (such as the $60 million stolen from AlphaPro and the $37 million stolen from CoinsPaid), the laundering of the stolen assets apparently followed “a series of steps that exactly match those employed to launder the proceeds of past hacks perpetrated by Lazarus Group,” according to blockchain analysis firm Elliptic.
The method used by Lazarus Group is simple, but very effective. They go after employees of crypto companies, using various social engineering tactics across a wide range of platforms. An example taken from an FBI advisory on the matter is ‘spear phishing’ emails: essentially emails containing a high-paying job offer to entice their victims into downloading a cryptocurrency app infected with a Trojan, which then attacks the victim’s network through the compromised employee, stealing private keys or exploiting any other gaps in security. This gives the hackers the ability to commit a number of further illegal activities, such as spoofing blockchain transactions or gaining access to customers’ wallets. This tactic has been labelled ‘TraderTraitor’ by the US Government.
The latest development in this story comes straight from the FBI, who warned crypto companies that it had tracked over $40 million worth of Bitcoin currently held in six separate wallets by the hackers. They stated that a cash-out is imminent and have advised Bitcoin exchanges to “be vigilant in guarding against transactions directly with or derived from the addresses.” This situation is indicative of a growing problem stemming from North Korea’s state-backed cybercriminals, who look to steal eye-watering sums of crypto in order to generate revenue for the country’s regime. What’s even more concerning is that these funds have been linked to the funding of the country’s nuclear programme, which has been subject to international sanctions for years.
The scale of this problem is just as concerning, with TRM Labs reporting that hackers with ties to the regime have stolen around $2 billion in assets since 2018. So far, the US government is offering a $10 million reward for any information on North Korea’s state sponsored cybercriminals, but this seems to be doing little to curb the growth of these actors.
Ransomware in the Cloud
The Cloud has always been a tempting target for cybercriminals. The sheer quantity of high-quality user data, passwords, even entry points into business networks is the equivalent of dangling fish heads off the side of a boat in shark infested waters.
Cloud host CloudNordic recently got to experience this first-hand, following a large-scale ransomware attack on its data centre systems that resulted in a near-total loss of customer data. The attack on the Denmark-based cloud host began with criminals shutting down all of its systems, as well as encrypting customer systems and websites. This resulted in a system-wide crash which lost the company nearly all of its customer data (including the copies stored on backups). While CloudNordic admitted that there had been a complete and irreversible encryption of customer data, there was no evidence to suggest that said data had been exfiltrated from its systems. The company also stated that it did not have the funds to purchase the hackers’ decryption key, and that even if it did, it would not pay the sum on principle. The attack is believed to have been so successful because the criminals had access to the company’s internal administrative systems, from which they could encrypt entire disks without a problem. A statement on the company’s website reads: “Unfortunately, it has proved impossible to restore more data, and the majority of our customers have thus lost all data with us.”
While CloudNordic are unsure of how the attack started, they suspect it was fuelled by moving already-infected systems between data centres, which in turn were linked to the internal network that manages all of their servers. What’s more, this seems to have been part of a wider attack on parent company Certiqa Holding, as CloudNordic’s sister company Azero has also been affected. The attack has thus left both companies reeling, understandably causing a massive hit to profit and customer confidence as well as knee-capping their current communications. So far, no actor or group has come forward to claim responsibility for the attack.
Day Zero
We’d like to cap off this edition of Tech Trends by highlighting a growing issue within the realm of cybersecurity: Day Zero (zero-day) vulnerabilities. In simple terms, a Day Zero vulnerability in a system or programme is a previously unknown vulnerability that the developers are not yet aware of, so no patch exists for it. If dedicated criminals manage to find and exploit one of these vulnerabilities, they can cause untold amounts of damage without the developers even knowing what is happening. Astra predict a rise in the level and scale of Day Zero attacks as we move further into 2023, especially those focused on supply chains. This in turn makes it more imperative than ever to triple-check that your vendors are implementing rigorous and extensive cybersecurity solutions and pre-launch testing in their offerings, both to minimise the risk of a Day Zero exploit and to increase the speed at which one can be addressed if an attack does happen.
WinRAR, the popular archiving tool, has recently been on the receiving end of one such attack. What’s notable here is that the tool’s own developers had no idea the exploit existed and was being used; rather, an independent cybersecurity firm, Group-IB, noticed it back in June. The vulnerability in question affects the tool’s processing of ZIP files, and allowed hackers to hide malicious scripts in archive entries labelled as .txt or .jpg files in order to compromise targets. This has primarily been used as a vehicle for sending malicious archives to trading forums (at least 8 so far), which Group-IB is currently not naming. On some of these forums, admins noticed certain accounts sharing malicious files and took steps to block those accounts and warn their users. However, there is evidence that the criminals were able to unblock their accounts and continue causing damage. With this kind of attack, once a target opens an infected file, the criminal is able to access the victim’s brokerage accounts, causing all manner of damage through illicit transactions and stolen funds. At least 130 traders are believed to have been affected by this vulnerability. Similarly to the CloudNordic example, it is unknown who is behind this attack. Group-IB have stated that they suspect the Evilnum group of orchestrating it, however, as the hackers were observed to use ‘DarkMe’, a Trojan associated with the group.
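The paragraph above describes archives whose entries are labelled .txt or .jpg but actually carry executable content. The triage check below is an added example, not code from Group-IB or from this article, and it does not model the WinRAR bug itself: it simply walks a ZIP's entries and flags any whose leading bytes contradict the declared extension, which is the kind of content check a forum or mail gateway could apply before an attachment reaches users. The sample archive is constructed inline.

```python
import io
import zipfile
from typing import Dict, Optional

# Leading bytes a genuine JPEG starts with (assumption: only JPEG and plain text are checked here).
JPEG_MAGIC = b"\xff\xd8\xff"
# Leading bytes that indicate executable content rather than a document or image.
SUSPICIOUS_PREFIXES = {
    b"MZ": "PE executable",
    b"#!": "script with shebang",
    b"\x7fELF": "ELF executable",
}


def classify_entry(name: str, data: bytes) -> Optional[str]:
    """Return a reason if the entry's bytes contradict its extension, else None."""
    lower = name.lower()
    ext = lower.rsplit(".", 1)[-1]
    head = data[:4]
    for prefix, label in SUSPICIOUS_PREFIXES.items():
        if head.startswith(prefix):
            return f"{label} disguised as {ext}"
    if lower.endswith(".jpg") and not head.startswith(JPEG_MAGIC):
        return "missing JPEG header"
    if lower.endswith(".txt"):
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return "non-text bytes in .txt entry"
    return None


def scan_zip(zip_bytes: bytes) -> Dict[str, str]:
    """Map each suspicious entry name in the archive to the reason it was flagged."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_entry(info.filename, zf.read(info))
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign note, a JPEG stub, and two disguised payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly trading notes\n")
        zf.writestr("chart.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16)
        zf.writestr("statement.txt", b"MZ\x90\x00" + b"\x00" * 32)  # PE header in a .txt
        zf.writestr("photo.jpg", b"#!/bin/sh\necho hello\n")  # shell script in a .jpg
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(f"FLAG {entry}: {why}")
```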
Day Zero vulnerabilities are a concern, then, not just for developers but also for companies relying on software vendors. Even the largest tech companies are not immune to these issues, as the Windows ALPC Day Zero exploit back in January proves. These kinds of threats, alongside the others highlighted in this article, are just some of the myriad ways in which hackers can cost your company millions in damages. That is why it is so important to become cybersecurity-obsessed as a tech leader. Keeping up to date with the latest attacks, as well as the latest solutions available, is the best defence you can have against the growing rate of malicious cyber activity taking place across the planet.
The emphasis on the importance of cybersecurity awareness within organizations, especially in preventing data breaches, is crucial. Phishing remains a significant threat. Encouraging cyber resilience should be a top priority for tech leaders.
CMO @ Gilzor - Software Development | Build your Tech projects with a team who's done it before | 9+ Product Launches, 1 Exit
1 year ago: The statistics on ransomware attacks are staggering. One occurring every 19 seconds and an average cost of $1.85 million! It's reassuring to know that businesses are becoming more resilient.
Fractional Project Manager | Digital | Software | Agile | Business Change | Business Analysis
1 year ago: I guess I shouldn't be as surprised as I am, but it's alarming to see the scale of attacks, especially in the context of cryptocurrency thefts and their potential links to funding illicit activities.
@ We Are Team Rocket | B2B Demand Generation
1 year ago: Very insightful - thanks for sharing.