The Cybercrime-as-a-Service (CCaaS) market has matured over the past few years. What began as a few lone rogue hackers selling zero-days and user credentials in IRC chatrooms or darknet forums has now evolved into professional and commercial entities.
A massive injection of money has created huge incentives for criminals, and acted as a catalyst for professionalization and increasing specialization in the CCaaS marketplace.
A diverse range of cybercrime offerings caters to anyone with sufficient cryptocurrency: from access brokers who sell pilfered credentials for compromised accounts, to bullet proof hosting providers that can deliver reliable and anonymous infrastructure to conduct offensive criminal cyber operations.
The future cybercriminal will own nothing and be happy about it
The discerning cybercrime operator in 2021 can build customized toolchains out of composable microservices and off-the-shelf solutions, tailoring attacks, and repurposing compromises for a variety of criminal endeavours (such as crypto mining, banking credential theft, ransomware, or DDoS-for-hire). Cybercriminals can lease and hire everything that is required, from the infrastructure to access to victims.
The ability to mix and match different capabilities and to deploy modular payloads means that a threat can evolve and mutate continuously throughout a compromise. An infected system that is used to send out spam one day can be modified to spread malware or encrypt network files the next.
Customers of these criminal services gain convenient and fast access to new attacks, exploits, and evasive techniques, with innovations proliferating rapidly across the adversary ecosystem. This gives criminal operators a high level of agility and adaptability, and frequently an early mover advantage that businesses and public agencies struggle to catch up with.
The sophistication of the criminal services has also improved: self-service and turnkey deployments have become common, and enterprise-grade service level agreements available. Anyone with sufficient cryptocurrency can buy and hire everything they require to launch sophisticated cyber operations effective enough to take out critical infrastructure. SOAR’s evil twin, threat actor automation, is enabling attacks that are being conducted at volume.
The widespread use of offensive off-the-shelf tooling also complicates attribution, with many different operators leveraging CCaaS offerings and making it difficult to ultimately identify who is behind a given campaign without addition sources of intelligence. Nation state threat actors are suspected of having made use of such services for that reason.
Strategic victim profiling and targeting show growing operational maturity
Many trends in the cybercrime market and shadow economy mirror those in the legitimate world, and this is also the case with how cybercriminals are profiling and targeting victims.
The Colonial Pipeline breach triggered a serious reaction from the US government, including some stark warnings to criminal cyber operators, CCaaS vendors and any countries hosting them, that a ransomware may lead to a kinetic response or even inadvertently trigger a war.
Not long after, the criminal gang suspected to be behind the attack resurfaced under a new name, BlackMatter, and advertised that they are buying access from brokers with very specific criteria. Seeking companies with revenue of at least 100 million US dollars per year and 500 to 15,000 hosts, the gang offered $100,000, but also provided a clear list of targets they wanted to avoid, including critical infrastructure and hospitals.
It’s a net positive if the criminals actively avoid disrupting critical infrastructure and important targets such as hospitals. But the rationale is not out of altruism or social conscience, but instead to avoid being declared enemies of all mankind, or Hostis Humanis Generis, and losing the protection of sympathetic or complicit nation states that host them.
To compensate, the gangs will shift their focus to alternative targets. If your organization is not on the list that includes hospitals, critical infrastructure facilities, oil and gas industry, defence industry, non-profit companies, and the government sector, you are the new target of preference.
The recent leak by a disgruntled “employee” of the Conti ransomware gang also contained instructions to affiliates to research the revenue of prospective targets.
These examples provide insight into how strategically criminal operations now plan and operate, with objectives to maximize revenue while minimizing the risk of causing too much damage as to risk the ire of the powers that be.
Speed and adaptability versus speed and adaptability
While CCaaS has democratized effective offensive cyber capabilities and made them available to a wider variety of criminal operators, there is a silver lining: more criminals are using the same tools and infrastructure.
Criminals may benefit from a mature and professional supply chain, but that supply chain is beginning to consolidate and standardize. Diversity through mixing and matching different cybercrime microservices and the ability to quickly repurpose compromised infrastructure is offset by the reuse of a limited number of building blocks.
One sloppy operator with bad operation security using the same blocks means that all operators are at risk once threat researchers have shared the details with the community. Even without known indicators, it is possible to effectively detect such attacks, instead focusing on behavior and techniques.
Just as attackers are conducting big game hunting for targets such as Managed Service Providers that will allow them to hit multiple victims at once, law enforcement are increasingly focusing on CCaaS vendors, allowing them to observe and gather evidence on the entire criminal customer base. If not properly managed, the Cybercrime-as-a-Service supply chain will become as a great a risk to criminals as the supply chain has become to businesses, for similar reasons.
The consumerization of cybercrime means that criminals now have professional quality tools readily at their disposal. Mixing and matching of off-the-shelf capabilities, rapid access to new exploits and attack techniques and the ability to repurpose compromised systems and infrastructure are potent advantages– but ones that are mirrored in the cyber security industry.
Moving to a threat oriented and zero-trust security posture and making sure you have the right tools and processes in place to provide adequate coverage across all critical attack vectors is the most effective way to be resilient against increasingly sophisticated attackers.