"We're stopping zero days before they're even used" — Security pros tell us how they are infiltrating cybercriminal networks and striking back from within

Cybercriminals are making basic mistakes, allowing the professionals to take them down from the inside.


Attack surfaces are widening as organizations grow and take advantage of new technologies, threat actors are integrating AI into their campaigns, and cybercriminal knowledge-sharing hubs are gaining popularity to share vulnerabilities and tactics, techniques and procedures (TTPs), new research has claimed. Armis' report has outlined how cyberattacks increased 104% year-on-year in 2023, thanks to a number of factors. In face of these threats, Armis has taken the fight to cybercriminals by infiltrating their networks, gathering intelligence on how they work and their capabilities, and spotting the very vulnerabilities that attackers are looking to exploit.

Dark Web Detectives

At an event attended by , Armis experts provided insight into how criminal networks, advanced persistent threats (APTs), and ransomware groups operate - including their motivations, tools, and modus operandi. As many businesses are all too aware, the world is currently facing a due to stress and trimmed budgets. Organizations are therefore lacking the level of defense needed to fix vulnerabilities and prevent attacks, with in 2024.

Given the growth of attack surfaces, short-staffed teams are facing a mountain of data, with the analogy of a needle in a haystack being all too familiar for most teams. Nadir Izreal, CTO and co-founder of Armis Security, provided the example of searching through every text message and email for the word “bomb” in the hopes of foiling an attack. It’s just not feasible.

AI-enhanced defensive tools are helping somewhat, but deployment of these tools takes time, and there are compliance, legal and budgetary issues to consider before they can be put to use - hindrances that attackers don’t have to consider.

The cybercriminal underground

Cybercriminals turn to the dark web and to conduct their business, and while they may think their activities are hidden, it is still possible for defenders to glean information on their activities. For example, cybercriminals will use such as a TOR browser, colloquially named after ‘the onion router’ project.

These networks operate by masking internet traffic and preventing anyone from seeing the data, location, and destination of a user while they are browsing. Dark web pages are used by cybercriminals to advertise their services, and are usually accessed directly through TOR networks. Some of the more prolific sites will offer affiliate programs, allowing individuals to advertise and promote their work or services, generating a significant income stream for both the attacker and the site hosts.

However, just as the websites we use on a daily basis can have vulnerabilities, so too do websites on the dark web. These can be exploited to gain insight into the zero-day vulnerabilities attackers are looking to exploit, with Armis regularly spotting and stopping vulnerabilities months ahead of their listing on the CISA Known Exploited Vulnerabilities (KEV) list. One of the biggest money-making schemes for attackers is double or triple extortion.

In these circumstances attackers will deploy ransomware within a compromised network, encrypting and exfiltrating sensitive data from an organization. In double extortion, the victim will then have to make one payment for the decryption key and a second payment to stop the attackers leaking the exfiltrated data online. Cybercriminals may then search through the data they have collected, sometimes using AI, to look for email addresses or usernames that can be used to zero in on important individuals both inside and outside the organization, and threaten to leak their individual data if they aren’t paid.

Andrew Grealy, head of threat intelligence at Armis, also highlights that in some cases it is more valuable for the attacker to manipulate an executive or member of the C-suite into making changes within the organization itself that benefit the attacker.

Threat actors are only human

In the example presented at the Armis event, a senior member of a company was sent a file that appeared to be an academic paper relating to a potential business case. However, when opened, the file infected the network.

While inspecting how the file dumped its payload, Armis discovered a Drive link within the document’s metadata that linked to the threat actor’s command and control (C2) page. Armis also tracked the threat actor to multiple dark web sites where they advertised their services, and found that the threat actor built and sold a targeted phishing and exploit code toolkit hosted on Azure. While their work was impressive, threat actors are only human at the end of the day.

In exploring the linked C2 page, Armis discovered a number of other C2 pages used by the same user. The threat actor, like many, failed to adhere to basic cyber hygiene principles, using the same password across all of these pages. A cross-site scripting vulnerability gave Armis access to the threat actor’s password, and therefore access to all of the threat actor’s sites.

The attacker also advertised their toolkits by screen-recording them in action. For just a brief moment in one of these videos, the threat actor accidentally clicked on the Spotify client, exposing their full name. By using open-source intelligence, Armis was able to track down the threat actor’s social media sites and discovered the page of what appeared to be a family man and prolific spender, with the page showing multiple cars, expensive clothing, and a recent motorbike purchase.

For want of unique passwords and cutting a few frames of footage, a $300,000 per month lifestyle disappeared.

Turning the tide of new technology

As mentioned, threat actors have no barriers to accessing new technology, giving them a significant advantage and often keeping them one step ahead of defenders. in particular are giving attackers new ways to obfuscate their activity.

For example, some threat actors have been spotted using open source AI models that have been tweaked to remove guardrails, and then creating botnets of infected devices to provide the compute that allows the AI model to hunt for cryptocurrency. Moreover, AI models that make attribution more difficult are also being developed. When writing code, it is sometimes possible to identify the location of its source at the country level by looking for languages and certain characters.

AI tools have been spotted in the wild that can be fed exploits written in a different language or style, and then adapt the language of new code to make attribution more difficult. The bar for entry into the world of cybercrime is also being lowered. Cybercriminals are adapting their sources of income by selling their own exploits or access to organizations for others to use, or by providing ransomware-as-a-service (RaaS).

Armis is fighting back

Armis’ asset management and security platform, Centrix, monitors upwards of 5 billion endpoints for potential threats and intrusion. By keeping watch on threat actors as they develop exploit code for zero-day vulnerabilities, Armis is able to warn organizations ahead of its deployment, mitigating attacks before they happen, and far in advance of the KEV list. What is important for C-suites and executives to remember is that cyber defense and mitigation cannot be quantified in dollars.

When setting budgets for security teams, it should be kept in mind that the return on investment is based on constantly protecting against cyber threats, and on preventing the far higher cost of recovering from a cyberattack that can deal serious damage to business function, reputation, and revenue.