The adage “teamwork makes dreamwork” extends to cybercriminals as well. To launch more successful cyberattacks, malicious actors with different specialised skills have conglomerated to form Cybercrime as a Service (CaaS).
We’re now seeing people and groups specialise in various parts of the attack lifecycle. This means that we’re likely going to see less mistakes made leading to detections, and we should expect multiple groups colonising an infected network.
Within CaaS there are four types of cyber crime groups:
Thinking from an incident response mentality, this means they will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks. Identifying the commonly used tactics, techniques, and procedures (TTPs) can help CISOs and security leaders strengthen their cybersecurity strategy and minimise risk.
Types of Cyber Crime Groups
Trend Micro Research analysed Access as a Service (AaaS), a service offering in the undergrounds whereby malicious actors are selling access into business networks.
AaaS is composed of individuals and groups that use numerous methods to obtain remote access into an organisation’s network. There are three types of AaaS sellers:
- Opportunistic actors who noticed a demand and decided to turn a profit.
- Dedicated sellers—their full-time job is gaining and selling access. They even market their services and leverage their extensive network to make sales.
- Online shops, which typically only guarantee access to a single machine, not a network or corporation.
Groups who specialise in gaining access to networks and then purposely selling it to others are more worrisome as their access is usually solid and ensures their buyers that they can deliver their service. Both types of AaaS actors can be troublesome, but the latter is certainly the group that will trouble more organisations due to the complexity of attributing the initial attacker.
Credited as one of the reasons ransomware attacks continue to increase, RaaS has enabled less-skilled hackers to launch costly attacks on large organisations – like SolarWinds – by providing the necessary tools and techniques.
This newfound accessibility has led to a dramatic 63.2% increase of RaaS extortion groups in the first quarter of 2022. The Trend Micro Research 2022 Midyear Cybersecurity Report found that over 50 active RaaS and extortion groups victimised more than 1,200 organisations in the first half of 2022.
LockBit, Conti, and Blackhat were the most prominent RaaS threat actors in the first six months, but new ransomware families like Black Basta and SolidBit are growing.
Reliable web hosting services that can withstand abuse complaints and law enforcement takedown requests are critical to keeping a cybercriminal operation running smoothly and covertly. Bulletproof hosting services are essentially leased hideouts where malicious actors can store files or even the malware necessary for their attack campaigns.
Void Griffin offered its first fast-flux bulletproof hosting service in 2015 and has been home to many different APT groups and prominent malware families since.
Cybercriminals have turned to crowdsourcing their offensive research and development processes to find new attack methods. This relatively new type of cyber crime had increased in the last two years. Trend Micro Research observed an uptick in malware actors holding public contests in the criminal underground to find new creative attack methods.
Some contests will seek talent (like The Voice or American Idol), but these are rarer. Most contests are seeking knowledge; they’re looking for technical articles on new attack techniques, vulnerabilities, etc. And yes, a prize – or even multiple – are awarded to the best or most innovative technical proposal. Oftentimes the requests are more generic versus limiting the topic to a specific domain.
Trend Micro Research anticipates an increase in the number of crowdsourcing competitions, which in turn will accelerate criminal innovation. And such evolutions do not need to be major; small tactical wins can allow criminals to bypass current defences.
Cybersecurity Defense Strategies
So, how can you address the different types of cyber crime groups? Unfortunately, enterprises can’t jump into the cybercriminal underground and stop crowdsourcing. But they can work to prevent or limit the scope of the outcome by implementing a cybersecurity defence strategy that focuses on detecting and preventing the initial access breach.
The earlier you can detect the initial access of an attack, the more likely you can prevent the following components of the attack lifecycle from occurring, like ransomware. Here are other components to consider when creating an effective security strategy:
1. Partner with a security vendor that leverages global threat research to constantly monitor public breaches and bulletproof hosting services in the criminal underground. This ensures your solutions are optimised to defend against the latest threats. Additionally, by proactively locating and blocking the bulletproof hosting infrastructure, defenders can block attacks in the earlier stages of the kill chain.
2. Follow a zero trust approach to network security by implementing a SASE architecture. SASE is composed of Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB) capabilities to strengthen protection and control across the attack surface.
3. Establish an incident response (IR) playbook to surface any security gaps. Make sure your IR teams or vendor understand the multi-attacker scenario and know where to focus their efforts.
4. Establish a strong patch management strategy to limit the scope of exploits. This should include identifying the most relevant patches, making a zero-day exploit plan, communicating with vendors, and utilising virtual patching.
5. Leverage trusted cybersecurity frameworks for password best practices like the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA). The Center of Internet Security (CIS) provides thorough guidance on prioritisation and resource management, as well as filling any gaps that could be exposed by attackers.
For more insights into types of cyber crime groups and how to strengthen your defence strategy, check out the following resources: