Leaked Exploits Have Fueled Cybercrime So Far in 2017, Says New Report

Leaked exploits and increased cybercrime-as-a-service offerings — along with the expanding digital footprints of organizations — helped to fuel cybercrime in the first half of 2017, according to a mid-year threat intelligence report from SurfWatch Labs.

The global outbreaks of WannaCry and NotPetya have dominated headlines so far this year. Although vastly different from the record-setting, Marai-powered DDoS attacks that disrupted services in the second half of 2016, the report noted that those events share a similar root cause: leaked exploits and source code.

Download the report: “Leaked Exploits Fuel Cybercrime: State-Sponsored Exploits and Cybercriminal Services Empower Malicious Actors.”

“A year ago, our mid-year report showed the interconnectedness of cybercrime through extensive supply chain hacks and compromised IoT devices,” said Adam Meyer, chief security strategist, SurfWatch Labs. “Find one weak link and maximize it for all it’s worth was the name of the game then … and that still happens today with even more evidence of how the criminal ecosystem maximizes efforts through shared resources, skills for hire and, sometimes, outright theft.”

CF_Types
SurfWatch Labs collected data on close to 4,000 different industry targets in the first half of 2017 across a variety of categories. The main categories – data breaches, cyber-attacks, illegal trading, vulnerabilities, advisories, and legal actions – are shown in the chart above, with larger circles indicating more threat intelligence activity for that target.

The leaked exploits and data from the NSA and CIA have received the most attention, but there was a wide range of other malware and source code leaks that could have consequences for organizations moving forward, such as:

  • the sale of the Kraken source code used in MongoDB and ElasticSearch extortion attacks;
  • the release of the Nuclear Bot (NukeBot) banking Trojan’s source code;
  • the creation of the Android BankBot Trojan from a commercial Trojan’s leaked source code;
  • and reports that claimed various malicious actors used tools leaked from surveillance company HackingTeam or created by Israeli cyber arms dealer the NSO Group in targeted attacks.

Just last week researchers reported that attackers were using modifying versions of NukeBot to target banks in France and the U.S.

“Much like leaked personal data, once those vulnerabilities, exploits, and tools are exposed, they forever remain in the cybercriminal public domain,” SurfWatch Labs’ report noted. “[Events such as WannaCry and NotPetya] reaffirmed that the most dangerous data breaches often involve the theft of such tools and exploits – and the impact of that type of information being leaked can spread further, wider, and be more long-lasting than perhaps any other type of cyber incident.”

SurfWatch Labs collected cyber threat data from thousands of open and dark web sources and then categorized, normalized and measured it for impact based on our CyberFact information model.

Some notable takeaways from the mid-year threat intelligence report include:

  • WannaCry ransomware was the most talked about malware out of nearly 1,200 tags, accounting for 8.6% of all malware tags, followed by the Industroyer malware at 4.8%.
  • Crimeware trade was the most prevalent tag related to cybercrime practices as malicious actors continued to buy, sell, and trade tools on dark web markets and cybercriminal forums, as well as develop more cybercrime-as-a-service options.
  • The percentage of extortion-related activity observed in 2017 has more than doubled from 2015 levels and increased by more than 40% when compared to 2016 levels. More industry targets were publicly tied to ransomware and extortion over just the first half of 2017 than in all of either 2014, 2015, or 2016.
  • Cybercriminals expanded upon successful business email compromise (BEC) scams to implement more attacks. For example, more than 200 organizations reported W-2 data breaches due to phishing messages in the first half of 2017 – a rise from the 175 reported in 2016.
  • The percent of government cybercrime-related threat data collected by SurfWatch Labs more than doubled from the previous two periods (from 13% to nearly 27%), and government was the top trending overall sector for the time frame (followed by IT at 25% and consumer goods at 17%).
  • The CIA was the top trending cybercrime target of the period due a nearly weekly series of data dumps from WikiLeaks (followed by Microsoft, the NSA, Twitter, and England’s National Health Service).

“As we’ve repeatedly seen over the past few years, a major breach is rarely isolated, and information stolen or leaked from one organization can be leveraged to attack numerous other organizations,” Meyer said. “Whether it is personal information, credentials, intellectual property, or vulnerabilities and exploits, actors will build off of that hard work and the previous success of other actors by incorporating that information into new campaigns.”

Read the full, complimentary report: http://info.surfwatchlabs.com/cyber-threat-trends-report-1h-2017

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

One thought on “Leaked Exploits Have Fueled Cybercrime So Far in 2017, Says New Report”

  1. Pingback: TheShadowBrokers Continue to Leak Exploits and Generate Profits – SurfWatch Labs, Inc.

Leave a comment