The Evolution of Cyberattacker Techniques

If cyber risk were constant, our defenses could be too. But when it comes to cybercrime, the rules of engagement are ever-changing, with new threat groups and techniques emerging all the time. As a result, staying ahead of cyber threats requires ongoing education and continual updating of controls.

Recent cyber incidents described in this report demonstrate a shift in the way that cybercriminals are gaining and leveraging access to organizations’ systems and data.

We’re seeing faster lateral movement across IT systems when hackers gain access and the speed of ransomware deployment is increasing as hackers’ tools become smarter and more efficient. The time it takes cybercriminals to exploit publicly disclosed vulnerabilities in software systems is growing faster too. Organizations need to be ready, not just for today’s new reality but for whatever tomorrow will bring.

If we want to keep these emerging trends from becoming significant issues, it’s essential for companies not only to keep tabs on attack groups and their techniques, but also to maintain a cyber risk management approach that is flexible enough to respond as risks emerge and evolve. Organizations must not only have basic controls already in place, but also enough resources and capacity to quickly implement new controls as needed.

Beazley’s Cyber Services team is here to help, and in this quarter’s Cyber Services Snapshot, we take a deep dive into the latest social engineering techniques and criminal gangs that are the masterminds behind well-publicised cyberattacks. Read on to learn more.

Alec Cramsie
Head of London Market Wholesale Cyber & Technology
Beazley

The evolution of social engineering techniques

The use of impersonation tactics has become increasingly common and effective. Cybercriminals imitate IT support staff to compel employees to install access tools and they impersonate employees to deceive IT support staff into inadvertently allowing access.

This was seen recently with high profile events involving casinos and other large organizations. It's believed that hacking group Scattered Spider gained access to these organizations’ systems by calling helpdesks and impersonating IT employees in attempts to reset a user’s password. This is not a new tactic – as it was seen as early as July 2022, when cryptocurrency payment system CoinsPaid lost US$37m due to a social engineering attack. The attackers spent six months preparing and learning operational details, allowing the theft of profiles, keys, and access to CoinsPaid’s IT infrastructure.

Claims example

Employees of a large communications firm were targeted by a phishing campaign. Text messages sent to their personal cell phones contained a link to a malicious site appearing to be the employer’s but designed to harvest username, password, and second-factor code. Immediately after their incident response team was notified of the campaign, their security operations center opened an investigation, which revealed that 15 employees had entered their credentials into the malicious website. Using the compromised credentials, the hacker accessed internal tools and reset customer email passwords on 27 customer email accounts. All employees that were compromised had their credentials locked and rotated and the 27 impacted customers had their passwords reset to prevent anyone from accessing the accounts further.

Attackers find new ways to bypass security controls

It’s important to evolve internal education practices to address emerging tactics. Campaigns that target specific kinds of employees can be particularly effective. Customized, specific security training provides a strong first line of defence.

Phishing-resistant forms of MFA can make it harder for cybercriminals to impersonate your employees. Consider measures such as hardware tokens like Yubikeys, or using passkeys instead of passwords. Eschew click-to-approve services in favor of number-matching MFA that requires users to enter numbers displayed on a login screen.

Finally, monitor your Identity and Access Management (IAM) solution to identify suspicious activity. Attackers may authenticate from unfamiliar locations or access systems using compromised accounts. User and Entity Behavior Analytics (UEBA) can help identify this anomalous behaviour.

Claims example

A community bank reported that its interactive teller machines (ITMs) were down after the vendor that provides and services the machines experienced a ransomware incident. Beazley received similar notices from a number of the vendor’s other credit union and bank customers. Forensic investigation determined that the hard drive was encrypted with BlackCat ransomware, deployed through software the vendor used to manage the ATMs and ITMs. No evidence of lateral movement or data exfiltration was discovered. Because the ITMs were managed on a separate network, the attackers were not able to pivot into the bank’s systems, and the impact of the incident was contained.

Getting to know “known” threat groups

Scattered Spider is a financially motivated threat cluster that has persistently used phone-based social engineering and SMS phishing campaigns (smishing) for initial access. It’s believed that they are mainly initial access brokers, which would explain why they come from so many different angles and use diverse tools, tactics, and techniques. There is often a lag between the time that they gain entry to the environment and the time it takes them to sell that access, lulling victims into a false sense of security.

Scattered Spider are also known for their sophistication when posing as employees contacting the helpdesk. Their English skills are so strong that native speakers have a hard time detecting an issue.

CL0P is unique in the sense that they're not a ransomware-as-a-service group. A very small but controlled group, their size helps them maintain an aggressive posture during negotiations.

CL0P is particularly well-known for the MoveIT hack. They figured out how to leverage several MoveIT vulnerabilities back in 2021 but they kept it a secret, waiting until 2023, when their intervention was fully automated, to exploit the vulnerability at scale.

Rather than see vulnerabilities and exploits as opportunities to quickly make money, they view their attack campaigns through the lens of various business strategies. The focus, persistence, and money behind their long-term attacks make them especially dangerous.

Forward thinking: keeping pace with the risks

As recent attacks have demonstrated, sufficiently motivated cybercriminals will eventually compromise a network perimeter or gain access to an environment. Accordingly, organizations must continually improve their abilities to respond if someone gets past their initial defences.

There is an asymmetric advantage that can tip organizations off if they look for the signs. Upon gaining initial access, hackers must gather information to better understand where to focus their efforts, and this reconnaissance can generate unusual network traffic or log data.

Regardless of cyber threat group or tactic, organizations can leverage this “home turf” advantage to effectively respond to potential breaches by temporarily disabling access to compromised accounts, endpoints, or servers, and physically quarantining compromised devices.