“The biggest takeaway from our research is that organizations should expect cybercriminals to become more brazen as the potential opportunities and pay-outs from these campaigns climb to the stratosphere,” says Josh Ray, who leads Accenture Security’s cyber defense practice globally.

“Since COVID-19 radically shifted the way we work and live, we’ve seen a wide range of cyber adversaries changing their tactics to take advantage of new vulnerabilities,” said Accenture’s Josh Ray. “In such a climate, organizations need to double down on putting the right controls in place and by leveraging reliable cyber threat intelligence to understand and expel the most complex threats.”

Sophisticated adversaries mask identities with off-the-shelf tools

Throughout 2020, Accenture CTI analysts have observed suspected state-sponsored and organized criminal groups using a combination of off-the-shelf tooling — including “living off the land” tools, shared hosting infrastructure and publicly developed exploit code — and open source penetration testing tools at unprecedented scale to carry out cyberattacks and hide their tracks.
 
For example, Accenture tracks the patterns and activities of an Iran-based hacker group referred to as SOURFACE (also known as Chafer or Remix Kitten). Active since at least 2014, the group is known for its cyberattacks on the oil and gas, communications, transportation and other industries in the U.S., Israel, Europe, Saudi Arabia, Australia and other regions. Accenture CTI analysts have observed SOURFACE using legitimate Windows functions and freely available tools such as Mimikatz for credential dumping. This technique is used to steal user authentication credentials like usernames and passwords to allow attackers to escalate privileges or move across the network to compromise other systems and accounts while disguised as a valid user.
 
According to the report, it is highly likely that sophisticated actors, including state-sponsored and organized criminal groups, will continue to use off-the-shelf and penetration testing tools for the foreseeable future as they are easy to use, effective and cost-efficient.

Ransomware feeds new profitable, scalable business model

Ransomware has quickly become a more lucrative business model in the past year, with cybercriminals taking online extortion to a new level by threatening to publicly release stolen data or sell it and name and shame victims on dedicated websites. The criminals behind the Maze, Sodinokibi (also known as REvil) and DoppelPaymer ransomware strains are the pioneers of this growing tactic, which is delivering bigger profits and resulting in a wave of copycat actors and new ransomware peddlers.
 
Additionally, the infamous LockBit ransomware emerged earlier this year, which — in addition to copying the extortion tactic — has gained attention due to its self-spreading feature that quickly infects other computers on a corporate network. The motivations behind LockBit appear to be financial, too. Accenture CTI analysts have tracked cybercriminals behind it on Dark Web forums, where they are found to advertise regular updates and improvements to the ransomware, and actively recruit new members promising a portion of the ransom money.
 
The success of these hack-and-leak extortion methods, especially against larger organizations, means they will likely proliferate for the remainder of 2020 and could foreshadow future hacking trends in 2021. In fact, Accenture CTI analysts have observed recruitment campaigns on a popular Dark Web forum from the threat actors behind Sodinokibi.