Modern cybercrime is becoming increasingly open-sourced
Open-source technology has a largely positive image that often goes beyond the base elements of the technology and embodies a mindset and a way of doing things with ethics and morals at their heart. It’s viewed as a communal approach that strives for the common good rather than zero-sum gains for some at the expense of others. That the same approach might be used to conduct cyberattacks therefore seems somewhat incongruous, but that’s precisely what Accenture’s latest Cyber Threatscape Report suggests.

The report reveals that some of the most sophisticated and notorious cybercriminals are utilizing open-source tools to conduct their criminal activities, with hackers and cybercriminals emboldened by the relative chaos caused by COVID-19 to become increasingly brazen and ambitious with their attacks. The annual report explores the techniques and tactics used by the latest generation of cybercriminals before looking ahead at how these might evolve in the year ahead.

"In the past year, security strategies and practices have been tested like no other," the report says.


"Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world."

Ambitious attacks

The research highlights how cybercriminals are grasping the new opportunities presented by COVID-19, with the potential payouts from these attacks reaching unseen heights during 2020. Accenture believes this landscape means organizations need to work twice as hard to ensure they have the processes and controls in place to keep their systems and their organizations as secure as possible.

"Since our last report in 2019, our cyber threat intelligence and incident response teams have investigated numerous cases of suspected cyber espionage and financially motivated targeting," they explain.

"During these investigations, threat intelligence analysts and incident responders have gained first-hand visibility of the tactics, techniques and procedures (TTPs) employed by some of the most sophisticated cyber adversaries."

The report reveals that criminals are increasingly able to mask their identities by using a range of off-the-shelf tools. With cybercrime increasingly the preserve of state-sponsored groups and organized criminal gangs, attacks are growing in sophistication and make use of shared hosting infrastructure, open-source penetration testing tools, and publicly developed exploit code. These tools are not only being exploited at scale but also allow criminals to hide their tracks more effectively, since activity built on widely available tooling is harder to attribute to a specific actor.

For instance, Accenture highlights the activities of the Iranian hacking group SOURFACE, which have been especially targeted at the oil and gas sector but have also affected industries such as telecommunications and transportation in the United States, Europe, Saudi Arabia, and Israel. The group has used tools such as Mimikatz to steal authentication credentials, such as usernames and passwords, giving it access to networks and allowing it to compromise a wide range of systems while disguised as a valid user.

"Criminals will still work to monetize access to data or networks, perhaps more frequently than before as the economy continues to be vulnerable," Accenture says. "As we have seen this year, supply chain compromise and off-the-shelf tools could feature heavily, as could ongoing evidence of custom tools designed to evade defenses."


Business continuity at risk

The report also reveals how systems supporting Outlook Web Access and Microsoft Exchange have been heavily and aggressively targeted during 2020. Once compromised, these systems become beachheads from which attackers can carry out more sophisticated actions, such as stealing data, compromising email, hiding traffic, and harvesting credentials for espionage.

For instance, a Russian group, known as BELUGASTURGEON, has been particularly active in attacking policy-related groups, including think tanks, research agencies, and even government departments themselves.

These attacks have often taken the form of ransomware, which the report highlights has become not only highly profitable during COVID-19 but an increasingly scalable business model. The ability and willingness of cybercriminals to threaten to release or sell stolen data has taken online extortion to a new level.

One of the pioneers of ransomware attacks is DoppelPaymer, whose success has prompted a wave of imitators to join the action. For instance, at the start of 2020, the infamous LockBit attack was released. The attack was notable for its self-spreading nature, which rapidly infected victims’ networks. What’s more, it was widely reported on various dark web forums, where updates to the ransomware were shared and new members recruited.

This kind of “hack and leak” approach has proven highly effective and is therefore increasingly common. As such, Accenture argues that it’s likely to become a predominant feature of the threat landscape throughout 2021, with the company already observing significant recruitment campaigns by major players in the space.

The report concludes with four elements that Accenture believes are crucial to adaptive security in this landscape: a secure mindset, secure network access, secure work environments, and secure collaboration.

"CISOs should engage with business leaders to plan, prepare and practice for greater cybersecurity resilience, backed by the right resources and investments," the authors conclude. "Accenture believes a multi-dimensional crisis management strategy, with many work streams and teams that collaborate closely, often on a daily basis, is the way to help achieve cybersecurity resilience—and can help to protect enterprises from harm."