Cyber criminals have packaged ransomware and other malware tools into as-a-service offerings so easy to use that even rank novices will be launching devastating cyber attacks during 2023 at almost no cost, a new assessment of the threat landscape has warned.
Once the purview of sophisticated gangs, ransomware has become so easy to use that “nearly all barriers to entry for committing cybercrime [have been] removed” through the expansion of cyber crime-as-a-service (CCaaS), security giant Sophos warned in releasing its new 2023 Threat Report.
Nearly every aspect of a cybercriminal compromise – from initially infecting targets to avoiding detection, harvesting sensitive data and managing devastating ransomware attacks – can be purchased on an as-a-service basis from underground marketplaces, with Sophos principal threat researcher Sean Gallagher warning that “this isn’t just the usual fare, such as malware, scamming and phishing kits for sale.”
“Higher rung cybercriminals are now selling tools and capabilities that once were solely in the hands of some of the most sophisticated attackers” to other cyber criminals, Gallagher explained.
Investigators recently saw ‘OPSEC-as-a-service’ advertisements, for example, that help attackers hide the activities of the Cobalt Strike penetration-testing kit – so widely problematic that Google this week released a set of tools to help potential victims flag Cobalt Strike infections in their networks.
Always looking for ways to scale up their operations, cyber criminals have long been outsourcing capabilities like scanning-as-a-service, which bundles commercial tools like Metasploit to scan targets for exploitable vulnerabilities.
Sophos highlights the ‘naughty nine’ rogues’ gallery of CCaaS offerings, including access, malware, phishing, operational security (OPSEC), crypting, scamming, spamming, and scanning; even vishing, in which automated AI bots handle calls from victims, can be rented.
Painting the cyber landscape for 2023
With massive and sophisticated credential theft and other cyber attacks available to anyone for a few dollars, access to CCaaS services is likely to become a stocking stuffer for the cyber criminal who has everything.
That means 2023 will see businesses progressively targeted by increasingly amateurish cyber criminals functioning with deadly effectiveness.
A recent Rubrik Labs survey of 1,625 IT and security decision makers, including 125 in Australia, highlighted the severity of risks that could well get worse as attack tools become more easily accessible.
Australian respondents said they were, on average, made aware of cyber attacks on their organisation 31 times during the last year – with 64 per cent of respondents saying they had suffered a data breach.
That was well above the global average of 52 per cent, corroborating recent reports suggesting that Australian boards of directors are the world’s least cyber-minded.
Despite efforts to change this by the likes of the federal government and Australian Institute of Company Directors (AICD) – and industry pledges to do better on security overall – chronic shortages of cyber security talent mean many local companies are likely to enter 2023 on the back foot.
That had left 73 per cent of Rubrik respondents admitting they would consider paying a ransom – including 47 per cent who said they would be ‘extremely’ or ‘very’ likely to pay up – suggesting that a small investment in CCaaS could turn into a nice little earner for even hobbyist cyber criminals.
Availability of tools is only one of several formative issues that Sophos flagged for 2023, however.
Noting that the war in Ukraine had driven an explosion of financially motivated scams and shaken up criminal alliances between Russian and Ukrainian criminal gangs, Sophos said that cyber criminals’ innovation had known no boundaries.
Mobile devices “are now at the centre of new types of cyber crimes,” the firm warned, noting the surge in fake applications for delivering malware injectors, spyware and banking-related malware as well as newer ‘pig butchering’ schemes that target cryptocurrency bigwigs.
Cyber criminals were also successfully refining their techniques for ‘living off the land’, in which they use legitimate and unsuspicious network tools to evade network security monitors and plant malware.
With groups such as Lockbit 3.0 adopting continuous improvement strategies such as bug bounties, Gallagher said, “ransomware has become, first and foremost, a business.”
“The commoditisation of nearly every component of cyber crime is impacting the threat landscape, and opening up opportunities for any type of attacker with any type of skill level.”