Video: 10 Minute IT Jams - An update from CrowdStrike
Cyber threats are changing fast. Organisations across the globe find themselves facing an increasingly complex and dangerous digital landscape. Scott Jarkoff, Director of the Strategic Threat Advisory Group for CrowdStrike in Asia-Pacific, Japan, and EMEA, recently outlined the most pressing trends in cybercrime during an interview.
Jarkoff explained that threat actors have continued to sharpen their tactics, with ransomware remaining a dominant force. "We've seen about an 82 percent increase in leaks associated with ransomware," he said, referencing CrowdStrike's latest Global Threat Report. But he stressed that criminals now go beyond traditional ransomware, with a new focus on "extortion without necessarily deploying ransomware," a trend observed clearly in the activities of the Lapsus$ group, which CrowdStrike tracks as 'Slippy Spider'. "We're at least keeping an eye on that... we're seeing it with a few different groups," he said.
Malware-free attacks have also become more prevalent. According to Jarkoff, "In 2020, I think it was a 51 percent use of malware-free versus malware... and then last year that climbed up to 62 percent." He explained that these attacks often leverage so-called "living off the land" methods, which involve using legitimate operating system tools for malicious purposes. This shift makes it harder for traditional security tools to detect intrusions. "The vast majority of the detections are now malware-free, primarily using native operating system binaries," he noted.
State-sponsored hacking is also evolving. Jarkoff described how adversaries linked to China are focusing on exploiting vulnerabilities at a staggering rate. "There's a 600 percent increase year-over-year in the number of new vulnerabilities that the pandas targeted between 2020 and 2021," he said, adding that these attacks often home in on the latest, least-protected weaknesses in systems.
Cloud environments, which have rapidly expanded as organisations adapted to remote work during the COVID-19 pandemic, are another flashpoint. "We're all moving to the cloud... it's a natural evolution for the adversaries to go after those cloud-based environments," he explained. A particularly notorious threat, the LemonDuck botnet, has become adept at targeting these spaces. "LemonDuck is a crypto mining botnet that targets Docker containers," Jarkoff said. Its aim is to hijack computing resources for cryptocurrency mining, especially Monero, across Linux systems.
One of the dangers of LemonDuck is its exploitation of "misconfigurations in publicly-facing Docker containers," he continued, highlighting how security professionals must pay attention to properly configuring these cloud technologies. "The move to the cloud is fraught with some areas where people need a bit more focus and understanding on the potential vulnerabilities," Jarkoff warned.
LemonDuck has additional capabilities that make it especially problematic, including the ability to evade detection—such as disabling Alibaba's cloud monitoring service—and to exploit well-known vulnerabilities like ProxyLogon and EternalBlue, the latter being infamous from the 2017 WannaCry ransomware outbreak. "Everyone's heard of WannaCry, so that's another thing," Jarkoff commented.
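As an added example (not from the article or from CrowdStrike's own material), the script below audits a Docker host for the kind of exposure the LemonDuck passage warns about. The interview does not say which misconfigurations are meant, so the checks assume the common cases: a daemon API reachable over TCP without mutual TLS or bound to all interfaces, privileged containers, a mounted Docker socket, and wildcard port bindings; the daemon.json and `docker inspect` fragments are constructed.

```python
# Added example (not from the article or CrowdStrike): audit Docker daemon
# settings and container host configs for exposures that cryptomining botnets
# go after. Which misconfigurations the interview meant is not stated; the
# checks below are assumptions about the usual ones.
import json
from urllib.parse import urlsplit

# Constructed daemon.json: API listening on every interface, no TLS.
EXPOSED_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# Constructed hardened variant: loopback only, client certificates required.
HARDENED_DAEMON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],'
                   ' "tlsverify": true}')
# Constructed fragment of `docker inspect` output for one container.
RISKY_CONTAINER = json.dumps({"HostConfig": {
    "Privileged": True,
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}})


def audit_daemon(daemon_json: str) -> list[str]:
    """Flag a daemon API reachable over TCP without tlsverify or on all interfaces."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are not network-reachable
        addr = urlsplit(host).hostname or ""
        if cfg.get("tlsverify") is not True:
            findings.append(f"API on {host} without tlsverify")
        if addr in ("", "0.0.0.0", "::"):
            findings.append(f"API on {host} bound to all interfaces")
    return findings


def audit_container(inspect_json: str) -> list[str]:
    """Flag settings that let a compromised container reach the host or daemon."""
    hc = json.loads(inspect_json).get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged container")
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker.sock mounted into container")
    for port, bindings in (hc.get("PortBindings") or {}).items():
        if any(b.get("HostIp", "") in ("", "0.0.0.0") for b in bindings or []):
            findings.append(f"port {port} published on all interfaces")
    return findings
```

Run `audit_daemon` against `/etc/docker/daemon.json` and `audit_container` against each `docker inspect` record; an empty list means no finding for that input.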
APIs, the building blocks that let software systems communicate, have shot up on attackers' hit lists. Jarkoff gave the example of a high-profile theft from a decentralised finance platform called Badger, in which criminals generated an unauthorised API key, inserted malicious code, and ultimately tricked users into allowing their funds to be stolen. "Here's another example of API utilisation that allowed some access into the environment which then resulted in a huge amount of money being stolen from users," he said.
As threat actors see success with these techniques, Jarkoff predicted more will follow. "They'll start to gravitate towards that just because that's what the adversaries do... they'll focus on what works and then use that to their advantage," he explained.
Initial access, whether by stealing credentials or exploiting weaknesses, is only the first step in the attack process. What follows—post-exploitation—can be far more destructive. "The goal is to get inside the house... where all the crown jewels are," Jarkoff said, comparing digital intrusion to a burglar looking for the safe. He stressed the importance for organisations not just to block attackers at the entry point, but also to monitor and defend against what happens if security fails. "Organisations need to not just focus on initial access but also on post-exploitation activity."
To help in the post-exploitation phase, cybercriminals often turn to ready-made exploitation frameworks. "An adversary that may not be skilled in developing their own tools can just grab one of those existing frameworks out there and use that, because it's usually pretty easy," Jarkoff said. He mentioned frameworks like IceApple and IceGiant, the latter specifically targeting Microsoft's IIS web servers.
Frameworks such as IceApple can contain a wide array of tools. "Our Overwatch teams conducted a number of investigations around IceApple... there's like 18 different modules that were found, with functionality that ranges from discovery to harvesting of credentials to deletion of parts of the file system, data exfiltration etc," he said.
The end result is that a successful intrusion can provide adversaries with "a broad array of tools that can allow them to do all kinds of... bad things," Jarkoff concluded.
Reflecting on his work in the sector, Jarkoff said: "This is like a passion of mine, so anything that anyone wants to talk about, by all means reach out and let us know."