Your adversaries are doing exactly, what you are doing in terms of keeping up with the latest news, tools, and thought leadership. This will enable them to defend your organization against cyber criminals. Their efforts mainly focus on networking on forums, evaluating the latest software tools, interacting with potential buyers, and searching for ways to outsmart your security systems.
Considering their capabilities reveals that they can outmaneuver well-funded security teams and corporate security tools, especially when compared with legacy solutions such as signature-based antivirus solutions. As a result, several security operation centers (SOCs) fail to prioritize the real threats but instead waste their time and energy on solving problems that, realistically, they will never be able to address at scale.
To effectively defend against cyberattacks, security experts need to move beyond the mental image they tend to associate with the lone hooded figure sitting in a dimly lit basement where cigarette smoke seeps from a filthy ashtray. Consider the state of cybercrime in the modern world as it stands today: strategic, commoditized, and collaborative (especially in a world where there is money to be made).
Every attack is backed by strategic intent
Every time a piece of malware is released, there is a purpose for it. There is always a plan for what the malware will do. First and foremost, cybercriminals spy on your environment to gain access to it. They are looking for something they can steal and potentially re-sell to another person or organization. Once an attacker gains access to your environment, they quickly recognize the value that can be accessed as soon as they become aware of it. This is even if they do not know what they may do with it.
During reconnaissance, these attackers may exploit misconfigurations or open ports. This is often facilitated by the known CVE databases and free network scanners, which make this task easier. There is also a possibility that a breach can be facilitated at the beginning by stealing the credentials of a user to gain access to the environment. This process can sometimes be a lot simpler than identifying assets later.
Cyber weapons' black market is maturing at a rapid pace
There is an underground marketplace managed by cybercriminals that have developed over the years. The evolution of tools from relatively inexpensive and low-tech products to more advanced capabilities that are delivered using business models familiar to legitimate consumers, such as software as a service (SaaS), has helped improve their accessibility to legitimate consumers. The commoditization of hacking tools is a phenomenon that threat hunters have been experiencing recently.
There was a time when phishing kits, pre-packaged exploits, and website cloning tools were very common and used by several people. This tool is designed to simulate the login pages used by many websites for authentication purposes. For example, Microsoft Office 365 or Netflix has been pretty effective at collecting passwords from the user for many years.
There has been a considerable amount of response to this type of activity over the past 20 years. This response includes pattern recognition, URL crawling, and the sharing of threat intelligence tools. Through tools such as VirusTotal, it has become almost instantaneous for data on malicious files to be shared with the security community. This is within a few days of discovery. As a result, adversaries have adapted to these conditions and are well aware of their presence.
Phishing: A New Methodology
By taking advantage of the rise of multi-factor authentication (MFA), today's adversaries have also been able to steal the verification process to benefit their activities.
The EvilProxy phishing scam is a new type of phishing scam that has emerged. In the same way as previous kits, this kit mimics the login page on the user's website to trick them into providing their login credentials. In contrast to the one-off purchases of phishing kits of the past, these updated methodologies are sold by companies specializing in access compromise and operate via a rental model where the company rents out space on its server to conduct fraud campaigns.
This company hosts a proxy server that works similarly to a SaaS model in terms of how it operates. To access the service for ten days, it costs about $250. It enables SaaS providers to earn more money, as well as gives them the possibility to analyze the information they collect. This will make them able to publish it on forums for hackers. In this way, they will be able to market their products and compete against other sellers who sell similar products.
As part of the redesigned model, several built-in protections are included to protect the phishing environment against an uninvited visitor. To prevent web crawlers from indexing their sites, they implement bot protection to block crawlers. As well as using nuanced virtualization detection technology to ward off reconnaissance teams using virtual machines (VMs), the security operations team also relies on automation detection to avoid security researchers crawling their kit websites from different angles by using automation detection.
A scenario is known as "Adversary in the Middle"
Serving as a reverse proxy to authenticate login page content created by bypassing MFA presents several problems for detecting phishing attacks. Using the reverse proxy server, the adversary can acquire access to sensitive information such as the username, password, and session cookie. This information was previously set by MFA between the user and the target website. By replaying the session, the user can then access the website and assume the role of the user at the destination they are visiting.
At first, everything appears normal to the user. A cybercriminal can create the impression that the website is authentic by using slight variations in the names in the URLs. This will disguise the fact that everything works as it should. As a result, they have gained unauthorized access through that user. After gaining unauthorized access to the website, they may be able to exploit it or sell it for profit to the highest bidder.
What is the business model of the adversary?
Malware is being sold illegally over the Internet, and new phishing techniques are also. The malware is sold in a gray area, near the line between legal and illegal. It is one of many companies offering security software like BreakingSecurity.net, which aims to provide enterprises with remote surveillance tools.
The price point associated with each malware is intended to motivate it to achieve some results. The results of these attacks have a clear business intent in mind. This is whether it's stealing credentials, generating cryptocurrency, requesting a ransom, or gaining spy capabilities to snoop around a network's infrastructure to steal information.
Today, developers of these tools have partnered with buyers through affiliate programs to create a connection between these two parties. The affiliate marketing scheme functions very similarly to a multi-level marketing scheme. The affiliate will be told to come to the affiliate company when they have an affiliate product that they wish to sell. They will even give them product guarantees and 24/7 customer support if they decide to split profits with them. By doing so, they can build a hierarchy and scale their business.
