Identity and Cloud Stacks Targeted as Adversaries Seek New Ways In, Experts Warn

Cyberattacks targeting European organizations shape and are shaped by geopolitical events, whether they involve nation-state hackers, financially motivated cybercriminals or opportunistic hacktivists.
Many attacks stem from Russia's invasion of Ukraine in February 2022, lately including coordinated operations with North Korea, says cybersecurity firm CrowdStrike in an assessment of continental cyberthreats covering the 21-month period from January 2024 through September.
These attacks include often exaggerated distributed denial-of-service disruptions, website defacements and data leak campaigns for which the primary goal may be propaganda.
"Beyond conflict-specific operations, Russia, Iran, the Democratic People's Republic of Korea, China, Turkey, Kazakhstan and India persistently target European entities through cyber operations driven by motives including strategic intelligence collection, information operations, intellectual property theft and opportunistic financial gain," the report says.
Conflicts in the Middle East have led to spillover against Europe by Iran-aligned threat actors, including against entities tied to Israel or Western military activity, researchers said. Top sectors include financial services, transportation and non-governmental organizations.
Especially where European targets are concerned, Tehran-aligned cyberespionage groups appear to prioritize stealth over destructive attacks, with France, Germany and the United Kingdom emerging as targets after they invoked, in September, the "snapback" mechanism that automatically reimposes economic sanctions under the 2015 Iran nuclear deal, researchers said.
But for all the concern about activity directed by Moscow or Tehran, "China-nexus activity" remains the dominant threat. Chinese hackers are active across the board, including aerospace, aviation, energy, government, healthcare, military and utilities, researchers said. Europe is one of China's largest trading partners despite a fraught relationship complicated by Beijing's alliance with Russia. As a result, most Chinese cyber activity in Europe has been "focused on likely intelligence collection to inform Beijing's political and economic engagement with the region," CrowdStrike concluded.
Cybercrime’s Economic Impact
Ransomware and data extortion remain ongoing threats. European firms comprised more than a fifth of victims listed by ransomware groups on their data leak sites. Such sites reflect not a full count of a group’s claimed victims but rather only those that declined to pay a ransom.
Incident responders in recent months have reported a global decline in the number of victims who chose to pay a ransom, as well as the average amount if they did do so (see: Ransomware Hackers Look for New Tactics Amid Falling Profits).
Nevertheless, cybercrime still extracts a cost from victims. Russian cybercriminals are often the perpetrators, but not always. The homegrown Com cybercrime community spin-off tracked as Scattered Spider disrupted major retailers – including in Britain – as well as automaker Jaguar Land Rover and its vast supply chain. The JLR attack alone, which resulted in assembly lines being temporarily shut down, is forecast to cost the British economy $2.5 billion, making it the country's single most expensive cyber incident in history.
Russian-language cybercrime forums, including long-time cornerstones Exploit and XSS, continue to serve as integral communities for both nefarious neophytes and experts, supporting the wider crime ecosystem through knowledge sharing, facilitating collaboration and trading, as well as for selling stolen data, tools and other wares.
Criminals have historically shifted between forums and end-to-end encrypted messaging services such as Telegram. But recently Telegram has been "a little more out of favor" because the service has been "shutting down channels involved in illicit activity," said Adam Meyers, CrowdStrike's head of counter adversary operations.
Law enforcement infiltrates and disrupts cybercrime forums but new ones regularly appear, apparently driven by fresh generations of cybercriminals.
Many services still appear to be based in or around Russia. Even so, Moscow has been taking a more hands-on approach to policing domestic cybercrime, or at least wants to appear to be doing so, which includes the recent arrests of three “young IT specialists” suspected of running the Meduza information-stealing malware operation.
Other data-leaking services, including one called Probiv – the word refers to the trading of stolen or leaked data on cybercrime forums – have also been the focus of government crackdowns, which CrowdStrike said is "partially due to their role in facilitating investigative journalism."
Defensive Recommendations
One challenge for cybersecurity defenders is that newly discovered vulnerabilities can be exploited quickly and at scale by an ecosystem set up to serve cybercriminal and nation-state customers alike. On the provider side, this includes initial access brokers who specialize in selling large quantities of vetted "accesses" to buyers, obtained by exploiting vulnerabilities in products that are deployed across many different sectors.
"The initial access brokers tend to target specific vulnerabilities that they know how to exploit, so that's where we tend to see them have the most effect," Meyers said. "They find a vulnerability, they exploit it, they go quick and wide, cement their access, then sell it to the highest bidder."
Cybercriminal activity appears driven more than anything by "what vulnerabilities they can exploit," or which their service providers can exploit, he said. As a result, "we advocate patching based off of adversary utility." That means ensuring patch management efforts factor in not just the severity of a given vulnerability but also the evidence that adversaries are actively exploiting it, as reflected by the likes of CISA's Known Exploited Vulnerabilities catalog.
Another top challenge organizations face is properly defending their identity stacks and cloud stacks – now a "priority target" – as well as unmanaged, legacy devices, as attackers seek fresh strategies for gaining initial access to a victim's network or data. Social engineering attempts have also surged, including voice-based phishing, or vishing, attacks.
"Effectively, what's happened from a tradecraft perspective is that we collectively have made the endpoint a harder target," Meyers said. "So the adversaries, rather than working harder to gain access to those targets, they're trying to shift around them, they're trying to find other ways to gain access."