In the online underground, crime not only pays but attackers are rapidly developing tools and networks that rival those of legitimate enterprises today.

Recent news of the hack by a Russian espionage group against vaccine development organizations and wholesale hijacking of Twitter accounts, including those of prominent business and government leaders, could well be nothing more than the opening notes in a full symphony.

In the current threat landscape, cybercriminals are actively using sophisticated scanning software to test antivirus programs before deploying malware, running highly effective phishing campaigns which bypass security certificates, and finding new ways to avoid detection by laundering cryptocurrency reaped from successful ransomware attacks.

There are too many holes to plug in the wall and vulnerability statistics have become increasingly grim. Verizon Inc. recently reported that 40% of attacks now feature malware that only appears once, an ominous sign that “threat actors” are becoming highly adept at coding new forms of malicious intent. Researchers at RSA disclosed earlier this month that while Canadian users were being hit with 70% of phishing attacks in today’s COVID-19 environment, a majority of those exploits were coming from U.S.-based internet and hosting service providers.

And then there is the “human element,” the theme of RSA’s U.S. security conference in February and again for its virtual-only Asia Pacific and Japan event held this past week. When one security researcher managed to engage in dialogue with hackers behind the HildaCrypt ransomware virus over the course of several weeks, he found a group of five young Russian men who had branched their enterprise into additional malware “families” with plans to develop even more.

“These guys are amazing coders and they know what they are doing,” Brook Chelmo, senior product strategist at SonicWall, said during a conference presentation on Thursday. “They’re developing new features all the time, they have big plans and a big vision for what they want to do. And here’s the kicker: they hate you.”

Evading detection

Indeed, a running theme throughout RSA’s three-day online event focused on a growing body of evidence that organized syndicates, which comprise 55% of threat actors according to Verizon, have become technologically adept to a remarkable degree.

SonicWall maintains a publicly accessible map on its website that visually tracks origins and targets of online attacks around the world based on real-time analysis of telemetry data. Not a single attack is shown coming from Russia.

“Russia is always black,” Chelmo noted. “Why? It’s because they are all using virtual private networks to connect to a command-and-control server. In the case of HildaCrypt, their command-and-control server is located in Sweden.”

Tracking cryptocurrency payments made through ransomware attacks has been difficult as well. They’ve bedeviled a rising number of companies and municipal governments to the tune of a minimum global cost last year of $6 billion to $25 billion in paid ransoms to unlock stolen data. Although most ransomware payments are made in bitcoin, which logs every transaction tied to users, the HildaCrypt gang rapidly converts ransoms into private currencies such as Dash or other crypto instruments that cannot be easily traced, according to Chelmo.

Testing malware

Perhaps more troubling is that attackers are becoming adept at using sophisticated tools to evaluate malware’s potency before fully deploying it on a network. On Thursday, cybersecurity analysts from Blueliv presented research which documented the use of “no-distribute” antivirus scanners to test malicious files.

The scanners are marketed on the dark web, a shady part of the internet reachable with special software, in much the same way that online shoppers might evaluate the effectiveness of pest control products in a backyard garden. The researchers found advertising material from one enterprising developer which showed the results of a malware test against 30 of the top antivirus products on the market today. Only one product caught the malware before deployment.

“The top dog for no-distribute scanners right now is DynCheck,” said Liv Rowley, threat intelligence analyst at Blueliv. “Cybercriminals are using these products to help themselves improve in their cybercrime.”

The price point for many of these tools is attractive too. They range from free for limited features to a monthly subscription of $50 to $299 for more robust packages, according to the researchers. Criminals can also select an “a la carte” approach.

“For DynCheck, we found that doing one static scan against one antivirus product cost one cent,” Rowley said.

No longer trusted

If antivirus tools can be rendered ineffective against cybercriminal testing tools, the security community has believed that users will still be protected by SSL certificates, small data files that digitally tie a cryptographic key to a legitimate website.

However, as social engineering attacks have risen significantly during the COVID-19 crisis, security researchers from IBM Corp. discovered that cybercriminals have found ways around what were once viewed as reliable controls for safe browsing.

“We used to tell people to look for a padlock symbol in the browser or ‘https’ in the URL,” Danna Pelleg, Cybersecurity Web Research Group Manager at IBM, said Thursday. “Now we know it’s not even relevant. Attackers are starting to use SSL certificates in their phishing sites.”

IBM’s research is yet another sobering example of how cybercrime has essentially moved into a new dimension, one where much of what was once accepted as real could indeed be dangerously fake.

The rise of deepfakes, completely fictitious renderings of audio files, still photos and videos, has ushered in a new era of untrustworthy online content. And it has the potential to affect a much wider audience than phishing or ransomware attacks.

“This is the attack vector that attackers are using against all of us,” said Alyssa Miller, application security advocate at Snyk Ltd. “It affects our very ability to perceive the world around us. We cannot trust the things that we see or hear.”

The tools for producing deepfakes do not require a visit to the dark web. Sites such as Deepfakes.web and Faceswap are fully available on the open internet, offering all that an amateur user needs to create believable false content. Even Disney Corp.’s Research Studio has devoted considerable resources to enhancing its own deepfake technology through highly realistic pixel resolution.

Deepfake tools have created a cottage industry of frivolous content, such as numerous renderings of Tesla Corp. Chief Executive Elon Musk as a baby. Yet what if those same tools were applied by an attacker to create a fake video of Musk delivering negative news in a private meeting with investors and manipulate the stock market?

“Of course, when the markets open the next morning, that stock is going to drop significantly,” Miller said. “Now the attacker can buy up that stock. Now they’ve made a tidy little profit without any insider information at all.”

As cybercriminals have upped their game, there’s added vulnerability brought about by a global pandemic. The sudden conversion of work from inside firewall-protected business networks to home routers has galvanized the cybercrime world and created concern in the security community about widening the attack surface considerably.

“The next time you contact your bank, just remember that the person you’re talking with is accessing your financial details from their living room,” RSA President Rohit Ghai said during his conference keynote remarks on Wednesday.

Whether the enterprise world is up to the task of confronting the rapid advances and highly developed technology ecosystem of the cybercrime community remains to be seen. It will take the human element, as RSA proclaimed, to shore up defenses and match wits with very smart adversaries.

When Chelmo asked “Twig,” the ringleader of the HildaCrypt ransomware group, about the ease with which they gained access to corporate networks through absurd passwords, the hacker had a ready answer.

“Twig’s favorite password he ever found was literally two quotation marks,” Chelmo said. “Some IT admin thought that wasn’t too easy to guess.”

Photo: SiliconANGLE