Commercialization of cybercrime leading to rising global threat of Cyber outsourcing or Cybercrime-as-a-Service

Rajesh Uppal July 26, 2020 Cyber, Threats Comments Off on Commercialization of cybercrime leading to rising global threat of Cyber outsourcing or Cybercrime-as-a-Service 1,123 Views

Cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind. Beyond a nefarious hobby, cybercrime has become a way for cybercriminals to earn a living. While it remains underground, it is a business nonetheless; attackers cooperate, and work to maximize profits and minimize risk of arrest. Over the past 20 years, cybercrime has become a mature industry estimated to produce more than $1 trillion in annual revenues.

The impact on society is reflected in the numbers. Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

Rapid rise of Cybercrime and cybercriminals have led to wide-spread adoption of cyber outsourcing or “as-a-service” model for cyber attack, wherein the attacker can purchase the desired“service” through the dark web without so much as a cursory understanding of what is involved in its execution. The anonymity of darknet, through the Tor and Bitcoin protects the bad guys from being easily identified and prosecuted.

Cybercrime-as-a-service (CaaS) help Bad actors and cyber criminals with an expanding range of resources, tools and technologies from exploit kits to ransomware to build threats and launch attacks. Large number of malicious sites offer a wide range of services for cybercriminals to leverage.

Recently Saudi Arabia hacked into the phone of Amazon.com Chief Executive Officer Jeff Bezos, as investigators have alleged, the oil rich nation likely utilized its preferred method of cyber espionage: outsourcing. The Middle Eastern nation’s cyber arsenal is believed to be primarily composed of outsourced espionage tools, which it has combined with disinformation tactics on social media, they said. These purchased weapons can be “highly sophisticated, but of limited scope,” according to Jon Bateman, a cybersecurity fellow at the Carnegie Endowment for International Peace. While Saudi Arabia has tools that can be technically complex, countries that have invested in developing indigenous offensive and defensive capabilities — such as Saudi Arabia’s Middle Eastern neighbors Iran and Israel .

The purchase of cyber weapons — including from marketplaces in the Middle East and Europe, and possibly from criminals — isn’t unique to Saudi Arabia, experts say. Other countries, such as Vietnam and the United Arab Emirates, have also utilized their defense budgets to outsource cyber arsenals.

Many countries are utilising the services so-called Advanced Persistent Threat (APT) groups allied with and funded by nation state agencies, but not embedded within them. These groups and entities double-hat their activities, conducting likely state-mandated operations while freelancing for personal gain as well. They are vulnerable to playing in hands of terrorists to develop Cyber Dirty Bomb which could be used to attack critical infrastructure.

Lt.-Gen Vincent Stewart, former deputy chief of U.S. Cyber Command and director of the Pentagon’s Defense Intelligence Agency, warned that Israel and the West are vulnerable to the cyber equivalent of a “dirty bomb.” There is also threat of terrorists employing cyber out sourcingor Cybercrime-as-a-service. Stewart has warned that if al-Qaeda or ISIS were able to purchase cyberattack capabilities or even services from such a group then swathes of critical infrastructure could be at risk. Russia and China have such capabilities, but play the balance between impact and implications—causing damage but stopping short of prompting devastating repercussions. Terror groups have no such constraints and often operate at the margins of their capabilities.

Stewart singled out power grids as a particular danger, and one can only imagine the war-gaming and theorizing around such an attack within Cyber Command during his tenure. “Losing power for an extended period of time,” he warned, “is not just about inconvenience,” with hospitals and cold supply chains at particular risk. We have seen attacks on power companies and assets from both East and West. It has become something of a frontline.

Cybercrime is increasing in scale and impact

The advent of the Internet of Everything (IoE) combined with the ever increasing number of Internet users globally creates a broader attack surface, new attack vectors and more points of entry, including social engineering methods, for criminals to exploit, making endpoint security even more important. The danger posed by Internet of Things (IoT) botnets was shown in 2016 when the massive Mirai IoT botnet attacked the domain name provider Dyn and took down websites like Twitter, Netflix, and CNN in the largest such attack ever seen.

Malware is becoming increasingly sophisticated, intelligent, versatile, available, and is affecting a broader range of targets and devices. E-commerce related fraud has increased in line with the growing number of online payments, affecting major industries such as airlines and hotels. Key factors fuelling the increase are largescale data breaches supplying compromised card data to underground forums and a low prevalence of preventive measures implemented by merchants and the financial industry, such as 3D Secure.

In general, trends suggest considerable increases in scope, sophistication, number and types of attacks, number of victims and economic damage. The EU will remain a key target for cybercrime activities because of its relative wealth, high degree of Internet penetration, its advanced Internet infrastructure and increasingly Internet-dependent economies and payment systems. Researchers estimate that a $60-a-day botnet can cause up to $720,000 in damages on victim organizations.

Commercialization of cybercrime as a Global Threat

Cybercrime has become commercialized according to Crime-as-a-Service (CaaS) business model and financial gain accrued by cybercrime experts further stimulates the commercialization of cybercrime as well as its innovation and further sophistication. This has made the process of conducting cyber-attacks easier, facilitating a move by traditional organised crime groups (OCGs) into cybercrime areas.

The hottest growth segment in cybercrime-as-a-service is ransomware, a technique which quietly encrypts files before freezing a computer or server and demanding money to decrypt a company or individual’s data. The number of ransomware domains tracked in the DNS Threat Index has increased 35 times from its baseline value. Cyber attacks deploying ransomware to demand money from victims have soared 50 per cent in the last year, hitting financial services, healthcare and the public sector the hardest, according to Verizon’s closely watched annual data breach report.A separate report by security firm Symantec found that the average amount paid by victims of ransomware had risen to $1,077 (£834).

Ransomware has hit the big time — not just in the sheer number of malicious websites involved, but also in the scale of attacks and the nature of the targets. Ransomware used to be associated with small-scale attacks aimed largely at consumers or small businesses. Now, enterprise-strength ransomware attacks can target even the largest organizations. According to Marc Spitler, senior manager in Verizon’s security research division, attacks on businesses were stealthier. Often, he said, attackers burrowed deeper into a company’s infrastructure to find key databases that were then scrambled before payment was sought.

Criminals are freely able to procure commercial services that facilitate almost any type of cybercrime, such as the rental of botnets, denial-of-service attacks, malware development, data theft and password cracking, according to the 2014 iOCTA report. The services encompass the complete cyber criminal value chain consisting of the primary activities of vulnerability discovery, exploitation development, exploitation delivery, and attack, as well as the supporting roles of cyberattack life-cycle operations, human resources, marketing and delivery, and technical support.

The first way is something called research-as-a-service, where individuals work to provide the “raw materials” — such as selling knowledge of system vulnerabilities to malware developers — for future criminal activities. The sale of software exploits has captured much attention recently, as the ShadowBrokers and other groups have introduced controversial subscription programs that give clients access to unpatched system vulnerabilities. Vulnerability refers not only to weaknesses in software or hardware in IT/OT systems,but also to weaknesses found in processes,policy, and the human component of an organization.

Exploit kits that automate the development and delivery of malware are a well-established industry. They provide inexperienced cybercriminals with the tools they need to break into a wide range of systems. In order to increase the chances of success of an attack, multiple vulnerabilities may be targeted as a part of an “exploit kit”. For example, the well-known exploit kits, such as Angler, Magnitude, Neutrino, Nuclear,RIG, etc., are continually updated to reliably exploit technical vulnerabilities and guarantee continued success in disrupting normal function of the targeted system.

The third way hackers can profit from more sophisticated cybercrime is by providing cybercrime infrastructure-as-a-service. Those in this field are provide the services and infrastructure — including bulletproof hosting and botnet rentals — on which other bad actors rely to do their dirty work. The former helps cybercriminals to put web pages and servers on the Internet without having to worry about takedowns by law enforcement. And cybercriminals can pay for botnet rentals that give them temporary access to a network of infected computers they can use for spam distribution or DDoS attacks, for example.

Other cybercrime actors sell email databases to simplify future cybercrime campaigns, as was the case in 2016 when 3 billion Yahoo accounts were sold to a handful of spammers for $300,000 each.

Criminal marketplaces are complemented by anonymous payment mechanisms such as virtual currencies. While in principle legitimate, they are abused by criminals for criminal transactions and money laundering. Centralised schemes such as WebMoney are commonly exploited.

The criminals are also abusing anonymisation techniques such as Darknets that allow citizens to communicate freely without the risk of being traced. However, the features of these privacy networks are also of primary interest to criminals that abuse such anonymity on a massive scale for illicit online trade in drugs, weapons, stolen goods, forged IDs and child sexual exploitation.

This new method of developing cyber-threats leaves little trace and poses a huge challenge to those trying to combat cybercrime, and is ultimately making the process of conducting cyber-attacks easier, especially for those with little or no experience or knowledge.

Combating Cybercrime

Combating cybercrime requires a different approach from that which has been traditionally taken in respect of most crimes. In contrast to the off-line world where criminals normally need to be physically present at the crime scene and can typically only commit one offence at a time (i.e. rob one bank or burgle one house at a time), criminals in cyberspace do not need to be close to the crime scene, they might never even travel to the target country, and can attack a large number of victims globally with minimum effort and risk by hiding their identity.

iOCTA Recommendations

The trans-national nature of cybercrime poses huge challenges for law enforcement to secure and analyse electronic evidence in countries from where the attacks originate, where there may be no or ineffective legal tools in place or insufficient capacity.

The report recommends that Law enforcement should increase its visibility and presence online to increase public confidence, create awareness campaigns about cyber threats and establish norms of social conduct in cyberspace. The agencies should acquire necessary skills, expertise, knowledge and tools to perform cybercrime investigations, Big Data analysis and Internet of Everything (IoE) related digital forensics.

The dynamic, evolving and trans-national nature of cybercrime demands an equally diverse and flexible response by law enforcement in close international strategic and operational partnership with all relevant stakeholders. Legislators in the EU need to provide law enforcement with the legal instruments it requires to allow it to disrupt and investigate criminal activity, and to access the information it needs in order to apprehend criminals that undermine public safety and economic interests.

Law enforcement should concentrate on pro-active, intelligence-led approaches to combating cybercrime in a prioritised manner, focusing on high impact areas. In order to measure the scale and scope of cybercrime in a consistent way, there is a need for improved monitoring, reporting and sharing of cybercrime-related data in a standardised EU-wide manner.

Law enforcement should focus with priority on dismantling criminal infrastructure, disrupting the key services that support or enable cybercrime and prosecuting those responsible for malware development, as the numbers of highly skilled cybercriminals are limited and their skills are hard to replace. The increase of both cyber-enabled and facilitated crime should be met with a proportionate increase of relevant resources and skills within law.

The Internet Organised Crime Threat Assessment (iOCTA) informs decision makers at strategic, policy and tactical levels about on-going developments and emerging threats of cybercrime affecting governments, businesses and citizens in the EU.