The Increasing Affordability of Crimeware as a Service
- Many experienced hackers have shifted from directly attacking targets to creating products to sell to less tech-savvy customers.
- This new business model of “crimeware as a service” resembles lawful business practices in many ways. Cybercriminals offer subscription services and competitive pricing, and look for ways to maximize their rate of return. Many focus on quantity over quality, with fewer vulnerabilities exploited more widely.
- Threat intelligence becomes useful in identifying which vulnerabilities threat actors are actually targeting. Many threat intelligence vendors have access to privileged spaces, like private marketplaces on the dark web where these products and services are bought and sold, that can provide much better context and visibility into the threats that are actually out there.
To the public, the figure of the hacker, the threat actor, or the cybercriminal remains shrouded in mystery. Even now, when most people have smartphones and regularly use computers in their work, hackers seem to operate in a realm far removed from the day-to-day activities of the average person. A quick Google image search for “cybercriminal” turns up stock photos of bandits in balaclavas sitting at a laptop, hunched over with malicious intent, and the stereotypical hacker in a Hollywood blockbuster or crime show is something of a pale-faced magician — a few animated keystrokes at a screen lined with complicated symbols, some rapid-fire dialogue filled with mysterious technobabble, and they’ve broken into a secure government database, stolen precious files from a private server, or hacked into someone’s phone line.
The unfortunate reality today, however, is that anyone with the money to spend can become a wannabe hacker, as cybercriminals increasingly turn to a crimeware-as-a-service business model in the pursuit of more stable profits.
The last five to 10 years have seen a growing trend toward this business model. In the past, attacks more commonly came directly from experienced software engineers who designed bespoke products that targeted specific systems or organizations, but recently, many of those less morally scrupulous experts have realized that their greatest profits could be made by creating packages for sale to anyone willing to pay.
These economic drivers mean that common lines of attack have narrowed to focus on fewer vulnerabilities, particularly those present in the greatest number of potential targets. According to Recorded Future’s research into the top 10 vulnerabilities exploited in 2017, seven were in Microsoft products and three were in Adobe products. The reason is simple: These are some of the most widely deployed products on the market today, so threat actors who target vulnerabilities in them get the greatest and most consistent rates of return. It is a methodological shift from honing an expertise in lockpicking to crack one expensive safe to just kicking down as many doors as possible, and this change in attackers’ methodology has significant implications for those on the defense.
Microsoft in the Crosshairs
Just as last year’s most commonly targeted vulnerabilities were in Microsoft products, mostly because of how widely those products are deployed, the methods of attack built around those vulnerabilities are also designed to reach the widest possible audience. The most exploited vulnerability in 2017, CVE-2017-0199, was in the way Microsoft Office and WordPad handled linked OLE objects, the feature that lets users embed one document inside another. Exploit documents would appear to be an ordinary Word file (typically an RTF carrying a .doc extension), but when opened, the embedded object link would fetch an HTML Application (HTA) file from an attacker-controlled server and hand it to mshta.exe, giving the attacker arbitrary code execution with the privileges of the user who opened the file, with no macro prompt to warn them.
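The mechanics just described can be turned into a simple triage check. The following scanner is an added example written for this page, not code from the article or from Recorded Future: it flags RTF files that carry the traits public analyses of CVE-2017-0199 exploit documents describe, namely an OLE object marked for automatic update (\objupdate), an OLE2Link stream inside the hex-encoded \objdata blob, and a COM URL moniker pointing at a remote file such as an .hta. The URL moniker CLSID is the real COM identifier; the serialised moniker layout the parser assumes (CLSID, then a 4-byte little-endian byte count, then the URL as UTF-16LE with a null terminator) is simplified, and the sample document is constructed for the demo rather than taken from any real sample.

```python
"""Heuristic scanner for CVE-2017-0199-style RTF droppers.

Added example for this article; not code from the article or any vendor.
Traits checked: \\objupdate (object refreshes on open), an OLE2Link
stream in the \\objdata hex blob, and a URL moniker to a remote file.
The moniker layout assumed below (CLSID, 4-byte LE byte count, UTF-16LE
URL with null terminator) is a simplification made for this demo, and
the sample RTF is constructed, not a real malware sample.
"""
import binascii
import re
from dataclasses import dataclass, field
from typing import List

# COM URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, in the
# little-endian byte order it takes inside an OLE stream.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# \objdata is followed by a run of hex digits; RTF permits whitespace
# and line breaks inside the run.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


@dataclass
class Finding:
    has_objupdate: bool = False      # object updates itself when opened
    has_ole2link: bool = False       # linked-object stream present
    urls: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A linked OLE object that reaches out to a remote URL is the core
        # of the exploit; \objupdate just makes it fire without a click.
        return self.has_ole2link and bool(self.urls)


def extract_moniker_urls(blob: bytes) -> List[str]:
    """Return every URL serialised behind a URL moniker CLSID in blob."""
    urls = []
    pos = 0
    while True:
        idx = blob.find(URL_MONIKER_CLSID, pos)
        if idx < 0:
            break
        start = idx + len(URL_MONIKER_CLSID)
        nbytes = int.from_bytes(blob[start:start + 4], "little")
        raw = blob[start + 4:start + 4 + nbytes]
        url = raw.decode("utf-16-le", errors="ignore").rstrip("\x00")
        if url:
            urls.append(url)
        pos = start + 4 + nbytes
    return urls


def scan_rtf(data: bytes) -> Finding:
    """Scan raw RTF bytes and report which exploit traits are present."""
    finding = Finding(has_objupdate=b"\\objupdate" in data)
    for match in OBJDATA_RE.finditer(data):
        hexrun = re.sub(rb"\s+", b"", match.group(1))
        try:
            blob = binascii.unhexlify(hexrun)
        except binascii.Error:
            continue  # truncated or malformed hex run; skip it
        if b"OLE2Link" in blob:
            finding.has_ole2link = True
        finding.urls.extend(extract_moniker_urls(blob))
    return finding


def build_sample_rtf(url: str) -> bytes:
    """Construct a minimal RTF mimicking the exploit layout (demo only).

    Real droppers embed a full OLE compound file; only the markers the
    scanner keys on are reproduced here.
    """
    wide = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + len(wide).to_bytes(4, "little") + wide
    blob = b"OLE2Link" + b"\x00" * 8 + moniker
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
            + binascii.hexlify(blob) + b"}}}")


if __name__ == "__main__":
    sample = build_sample_rtf("http://example.invalid/template.hta")
    result = scan_rtf(sample)
    print("objupdate:", result.has_objupdate, "OLE2Link:", result.has_ole2link)
    print("remote URLs:", result.urls, "suspicious:", result.suspicious)
```

Treat this as a first-pass heuristic rather than a verdict: in-the-wild droppers routinely pad control words, split the hex run, or wrap the payload in additional encoding layers to defeat exactly this kind of string match, so for real triage pair it with a proper RTF/OLE parser such as the rtfobj tool from oletools and with a sandbox that watches for mshta.exe being spawned by an Office process.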
The most primitive weapons often work best. The most common method threat actors relied on when exploiting CVE-2017-0199 was spear-phishing, which targets individuals within an organization by sending them a message, typically an email, that appears to come from a trusted source, like a colleague or friend. To make the messages look more authentic, attackers gather personal data on the target, such as their friends, employer, and where they live, the sort of information that so many of us freely share on social media.
Spear-phishing attacks are effective in bulk, even when they do not include enough personal information to pass as authentic under close scrutiny, because in any organization of reasonable size there will usually be at least a few people who open an attachment without looking at the message too closely. The Verizon 2018 Data Breach Investigations Report (DBIR) found that phishing and pretexting together accounted for around 93 percent of breaches involving social engineering (Verizon defines pretexting as “the creation of a false narrative to obtain information or influence behavior”; the line between a spear-phishing attack and pretexting is blurred). The vast majority of these arrive by email, and although Verizon reports that 78 percent of people did not click a single phishing link all year, an average of about four percent of recipients will click in any given campaign. For an attack exploiting a vulnerability like CVE-2017-0199, one click is all it takes to give the attacker code execution on an endpoint inside the network, the foothold from which privilege escalation and lateral movement begin.
Cybercriminals seeking a steady income have adopted business models hardly distinguishable from legitimate enterprises. In 2016, for example, the group calling itself the Shadow Brokers surfaced with a bundle of leaks and hacking tools they claimed to have stolen from the Equation Group, a threat actor widely attributed to the United States National Security Agency. The Shadow Brokers said the cache contained exploits for numerous zero-day vulnerabilities along with other valuable information. Rather than using those exploits themselves, they tried to profit indirectly from them, first setting a price for the full dump at one million bitcoin in an August 2016 auction (around $600 million at the time) and then, in the summer of 2017, offering a subscription of 100 ZCash coins per month (about $23,000) for a steady trickle of data.
Other would-be merchants sell access to botnets, a powerful resource in the growing Internet of Things (IoT) environment. A botnet is a collection of compromised devices controlled as a unit, without the knowledge of their owners, through a command-and-control channel. Today that can include not only computers but also smartphones, routers, printers, and any of the countless other devices that now have internet access. Botnets are used for distributed denial-of-service (DDoS) attacks, in which a large number of devices flood a target with traffic at the same time to exhaust its bandwidth or resources and take it offline, and for sending spam at scale. Rental prices vary widely with the functionality and volume needed, but can be as low as a few tens or hundreds of dollars to reach thousands of victims.
Subscription access to popular backdoors, covert access channels that bypass normal authentication and perimeter controls such as firewalls, can now be found for as little as 40 or 50 dollars a month. Subscriptions to phishing services are even cheaper, with some going for as low as a few dollars a month.
Threat Intelligence Helps Narrow the List
As threat actors increasingly standardize their products and services, the number of vulnerabilities they target shrinks, and in many cases their methods of attack also become simpler to accommodate customers who are not tech savvy. But this does not mean that the work of cybersecurity professionals has gotten any easier: many security analysts find themselves increasingly overwhelmed by a flood of alerts, false positives, leads that go nowhere, and irrelevant security updates. Threat intelligence is not just another source of news, but a way to provide context and narrow the list down to the vulnerabilities in your systems that are actually being exploited in the wild.