Threat actors are shifting tactics and embracing new tools to run more efficient and impactful operations.
“Attackers are now often looking to build an economy of scale,” Wendi Whitmore, SVP of Unit 42 at Palo Alto Networks said Wednesday during a keynote at the company’s annual user summit.
Instead of using one attack vector against one company, threat actors are targeting an entire supply chain.
Likewise, instead of encrypting data, then decrypting it on the back end, ransomware groups can just steal the information and threaten to release it publicly if their ransom demand isn’t met.
The concept of quadruple extortion, a hot ransomware trend in years past, is less in vogue, Whitmore said. Those four modes of attack are data encryption, theft and release of data, a DDoS attack, and harassment of the targeted organization’s most sensitive clients using the stolen information.
The same goes for zero-day exploits, which take significant time and money to research and build.
“Attackers are moving toward conducting their operations as efficiently as possible,” Whitmore said.
When data is stolen, organizations’ top priority is to quickly resolve issues and ensure client data isn’t exposed. This includes compliance with regulatory and notification requirements.
Threat actors know that and they’re optimizing business operations not just in techniques or processes, but also in the tooling they use, Whitmore said.
“We’re seeing this concept of commonality and convergence of these actual toolsets they’re using,” she said. This includes tools originally developed by red team security researchers.
Brute Ratel C4 serves a warning sign
Unit 42 researchers last year discovered threat actors deploying Brute Ratel C4, a malicious payload capable of bypassing antivirus and endpoint detection and response protections.
Whitmore’s colleagues determined the tool originally designed for legitimate use was involved in a ransomware attack against an enterprise client.
“Not surprisingly, the initial attack vector was through a phishing email,” she said. When the recipient opened the email, it executed a zip file containing a malware downloader, which was installed on a single endpoint within an enterprise environment spanning tens of thousands of systems.
Once the threat actor installed a reverse shell that allowed it to gain access to four servers, it installed Brute Ratel C4.
“They understood very quickly which data that they wanted to steal and they successfully exfiltrated that data,” Whitmore said. “After they stole the data, they then installed malware throughout the environment and demanded a settlement for tens of millions of dollars.”
Unit 42 expects to see more threat actors leveraging the skills, techniques and technologies that are commercially available, regardless of who developed them.
“What we expect to see moving forward is even more actors using whatever tooling it takes to get the job done and increasing their efficiency as much as possible,” Whitmore said. “As long as there are secrets to be stolen and money to be made, there are going to be new attacks and new attackers for us to deal with.”