Your adversaries are doing exactly, what you are doing in terms of keeping up with the latest news, tools, and thought leadership. This will enable them to defend your organization against cyber criminals. Their efforts mainly focus on networking on forums, evaluating the latest software tools, interacting with potential buyers, and searching for ways to outsmart your security systems.
Considering their capabilities reveals that they can outmaneuver well-funded security teams and corporate security tools, especially when compared with legacy solutions such as signature-based antivirus solutions. As a result, several security operation centers (SOCs) fail to prioritize the real threats but instead waste their time and energy on solving problems that, realistically, they will never be able to address at scale.
To effectively defend against cyberattacks, security experts need to move beyond the mental image they tend to associate with the lone hooded figure sitting in a dimly lit basement where cigarette smoke seeps from a filthy ashtray. Consider the state of cybercrime in the modern world as it stands today: strategic, commoditized, and collaborative (especially in a world where there is money to be made).
Every attack is backed by strategic intent
Every time a piece of malware is released, there is a purpose for it. There is always a plan for what the malware will do. First and foremost, cybercriminals spy on your environment to gain access to it. They are looking for something they can steal and potentially re-sell to another person or organization. Once an attacker gains access to your environment, they quickly recognize the value that can be accessed as soon as they become aware of it. This is even if they do not know what they may do with it.
During reconnaissance, these attackers may exploit misconfigurations or open ports. This is often facilitated by the known CVE databases and free network scanners, which make this task easier. There is also a possibility that a breach can be facilitated at the beginning by stealing the credentials of a user to gain access to the environment. This process can sometimes be a lot simpler than identifying assets later.
Cyber weapons’ black market is maturing at a rapid pace
There is an underground marketplace managed by cybercriminals that have developed over the years. The evolution of tools from relatively inexpensive and low-tech products to more advanced capabilities that are delivered using business models familiar to legitimate consumers, such as software as a service (SaaS), has helped improve their accessibility to legitimate consumers. The commoditization of hacking tools is a phenomenon that threat hunters have been experiencing recently.
There was a time when phishing kits, pre-packaged exploits, and website cloning tools were very common and used by several people. This tool is designed to simulate the login pages used by many websites for authentication purposes. For example, Microsoft Office 365 or Netflix has been pretty effective at collecting passwords from the user for many years.
There has been a considerable amount of response to this type of activity over the past 20 years. This response includes pattern recognition, URL crawling, and the sharing of threat intelligence tools. Through tools such as VirusTotal, it has become almost instantaneous for data on malicious files to be shared with the security community. This is within a few days of discovery. As a result, adversaries have adapted to these conditions and are well aware of their presence.
Phishing: A New Methodology
By taking advantage of the rise of multi-factor authentication (MFA), today’s adversaries have also been able to steal the verification process to benefit their activities.
The EvilProxy phishing scam is a new type of phishing scam that has emerged. In the same way as previous kits, this kit mimics the login page on the user’s website to trick them into providing their login credentials. In contrast to the one-off purchases of phishing kits of the past, these updated methodologies are sold by companies specializing in access compromise and operate via a rental model where the company rents out space on its server to conduct fraud campaigns.
This company hosts a proxy server that works similarly to a SaaS model in terms of how it operates. To access the service for ten days, it costs about $250. It enables SaaS providers to earn more money, as well as gives them the possibility to analyze the information they collect. This will make them able to publish it on forums for hackers. In this way, they will be able to market their products and compete against other sellers who sell similar products.
As part of the redesigned model, several built-in protections are included to protect the phishing environment against an uninvited visitor. To prevent web crawlers from indexing their sites, they implement bot protection to block crawlers. As well as using nuanced virtualization detection technology to ward off reconnaissance teams using virtual machines (VMs), the security operations team also relies on automation detection to avoid security researchers crawling their kit websites from different angles by using automation detection.
Read the full article here
