Russian Cyber-criminals Switch to Cloud
Cybersecurity firm Kaspersky today released research on Russian-speaking cyber-criminal activity and how it has changed over the past six years.
The study by Kaspersky’s Computer Incident Investigation Department found that historically favored attacks targeting banks and other financial organizations with money-stealing malware have largely been replaced. Nowadays, cyber-criminals prefer to hit their targets with ransomware and data-stealing attacks delivered via spear-phishing emails with malicious attachments.
“Back in 2016, our primary focus was on big cyber-gangs that targeted financial institutions, especially banks,” said Ruslan Sabitov, security expert at Kaspersky. “Big names such as Lurk, Buhtrap, Metel, RTM, Fibbit, and Carbanak boldly terrorized banks nation-wide, and in some cases internationally. Yet, they have eventually fallen apart or ended up behind bars – with our help.”
Researchers observed that the old attack method was reliant on the existence of security holes in popular web browsers and suggested that improvements to the security of browser and other technology was behind the switch.
Another key change recorded was a move away from developing malware in-house and toward public cloud infrastructure. Researchers found that cyber-criminals now prefer to use publicly available penetration testing and remote access software that can bypass security defenses by appearing to be legitimate.
Cyber-criminals were found to be working together in much smaller groups than before. And, instead of hitting Russia and the Commonwealth of Independent States territories, they are striking targets overseas.
“No longer needing to create their own malicious tools together with active usage of cloud infrastructure allows them to conduct malicious activity in much smaller groups than was previously possible,” noted researchers.
“With the exploit mitigations put in place by browser vendors, the difficulty of weaponizing a one-day vulnerability is substantially higher. Simultaneously, the lifetime of any weaponized exploit is much lower thanks to automatic updates,” BreachQuest co-founder and CTO, Jake Williams, told Infosecurity Magazine.
He added: “We expect over time to see groups continue to become more specialized in the targeting of their operations. And given the difficulty of weaponizing exploits, it’s a near certainty that we’ll contend with more social engineering as an initial entry vector.”