In August 2023, the takedown of Qakbot (also known as Qbot), a malware strain active since at least 2008, offered temporary relief for security teams around the world.
However, some warn of its likely return, and new Qakbot phishing campaigns were in fact reported within months of the takedown, highlighting the ever-evolving threat landscape and the difficulty of dismantling cybercrime ecosystems.
Qakbot's extensive capabilities, evolving from a basic banking trojan into a 'Swiss Army knife' of malicious tools (credential theft, lateral movement and a loader for ransomware affiliates), showcased the growing sophistication of cyberattacks. The survival of parts of its supporting backend infrastructure despite the takedown also underscores how hard it is to achieve lasting victories in the cybersecurity realm.
Nation-state actors blur the lines
The cyber threat landscape extends beyond traditional crime. State-backed groups specialising in espionage and information gathering target critical infrastructure such as power grids and water management systems.
Their stealthy tactics, including web shells and 'living-off-the-land' techniques that reuse legitimate administrative tools already present on the host, make them difficult to detect and disrupt. The January 2024 FBI disruption of the KV-botnet, a network of compromised end-of-life small-office/home-office routers that the US government attributed to the PRC state-sponsored group Volt Typhoon, further illustrates the complexities involved.
Unlike Qakbot, KV-botnet may prove harder to dismantle: it lives on consumer routers that no longer receive vendor patches and can simply be re-infected, and jurisdictional limits make holding state actors accountable difficult. This incident highlights the potential for cyber warfare, where attacks disrupt critical services and inflict significant harm on civilian populations.
The increasing interconnectedness of attacks further underscores the potential for widespread disruption. In the late-2023 compromise of Cloudflare's internal systems, the attacker used credentials and a service token taken during the earlier Okta breach, which itself traced back to an employee's personal account, that had not been rotated afterwards: one breached account cascaded across several organisations.
A growing ecosystem
Cybercrime is also becoming more specialised. Initial Access Brokers (IABs) focus on breaching systems and selling access to other actors for deploying ransomware or further exploitation.
This division of labour allows each group to hone its expertise, making attribution – identifying the culprits – more challenging. Advanced Persistent Threat (APT) groups further complicate matters by collaborating, with each leveraging the other's skills and resources.
This collaborative approach, akin to a pack of wolves working together to take down larger prey, exemplifies the increasing sophistication of cybercrime operations.
The rise of Ransomware-as-a-Service (RaaS) and Distributed Denial-of-Service (DDoS)-as-a-Service (DaaS) models further lowers the barrier to entry for cyberattacks. RaaS groups such as Egregor offer ransomware as a 'service', providing everything an affiliate needs to launch an attack, from the malware and leak site to user manuals, in exchange for a share of the ransom.
Similarly, DDoS-as-a-Service groups such as KillNet, a pro-Russian hacktivist collective, rent out their DDoS capabilities, making it easier for even unskilled attackers to disrupt online services. This commoditisation of cybercrime lets attackers specialise and collaborate, creating a complex and resilient ecosystem.
Improving security in a changing landscape
While the evolving threat landscape presents daunting challenges, organisations can take proactive steps to strengthen their security posture. Four to consider are:
1. Maintain a comprehensive inventory of systems:
Track all devices on your organisation's network, including Internet of Things (IoT), Industrial Control Systems (ICS) and Operational Technology (OT) devices. Record each device's function, owner and intended purpose. Unidentified devices pose a significant security risk: you cannot secure what you are not aware of.
2. Establish communication baselines:
Develop a comprehensive understanding of normal system communication patterns. Analyse network traffic (flow records, DNS and proxy logs) to identify typical data flows, protocols and traffic volumes between specific hosts. This baseline serves as the reference point for detecting anomalies, such as a new peer, an unexpected external destination or an unusual volume, that might indicate an attack.
3. Create security policies and implement risk management strategies:
Develop security policies and segmentation strategies on a "need-to-know", least-privilege basis. Restrict remote access to systems and continuously monitor for unusual activity. Use security information and event management (SIEM) solutions to correlate data from your security tools and surface suspicious patterns that no single tool shows on its own.
4. Implement a comprehensive security strategy and test it regularly:
Don't overlook your application and cloud deployments. Include them in your security inventory and apply best practices with appropriate security tooling so that controls are consistent and their integrity can be verified. Conduct regular penetration testing by internal or external red teams to expose vulnerabilities before an adversary does.
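The first two recommendations, an asset inventory and a communication baseline, are easiest to understand as one check run over flow records. The following Python script is an added example written for this page, not code from the article's author: it builds a baseline of who talks to whom from one window of NetFlow-style records, then audits a later window against the inventory and that baseline. The addresses, asset names, the `10.0.0.0/8` internal range and all flow records are constructed for illustration; in practice the records would come from your flow exporter and the inventory from your CMDB.

```python
"""Audit NetFlow-style records against an asset inventory and a communication baseline.

Added example for this article, not the author's code. All addresses, asset names
and flow records are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    ts: str        # timestamp, carried through for reporting only
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed asset inventory (recommendation 1): address -> (function, owner).
KNOWN_ASSETS = {
    "10.0.1.10": ("plc-01, OT", "plant engineering"),
    "10.0.1.20": ("hmi-01, OT", "plant engineering"),
    "10.0.2.5":  ("historian-db", "IT operations"),
    "10.0.3.7":  ("jump-host", "IT operations"),
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space

# Constructed baseline window (recommendation 2): flows we consider normal.
BASELINE_FLOWS = [
    Flow("2024-01-08T08:00", "10.0.1.20", "10.0.1.10", 502,  "tcp", 1200),
    Flow("2024-01-08T08:05", "10.0.1.20", "10.0.1.10", 502,  "tcp", 1350),
    Flow("2024-01-08T08:10", "10.0.1.20", "10.0.1.10", 502,  "tcp", 1100),
    Flow("2024-01-08T09:00", "10.0.1.20", "10.0.2.5",  5432, "tcp", 40000),
    Flow("2024-01-09T09:00", "10.0.1.20", "10.0.2.5",  5432, "tcp", 42000),
    Flow("2024-01-08T10:00", "10.0.3.7",  "10.0.1.20", 22,   "tcp", 9000),
]

# Constructed observation window to check against that baseline.
NEW_FLOWS = [
    Flow("2024-01-15T08:00", "10.0.1.20", "10.0.1.10",  502,  "tcp", 1250),    # normal Modbus poll
    Flow("2024-01-15T08:30", "10.0.1.20", "10.0.2.5",   5432, "tcp", 900000),  # volume spike
    Flow("2024-01-15T08:45", "10.0.1.10", "203.0.113.9", 443, "tcp", 5000),    # PLC reaching out
    Flow("2024-01-15T09:00", "10.0.9.99", "10.0.1.10",  502,  "tcp", 300),     # not in inventory
]


def build_baseline(flows):
    """Return (peers, volumes): who talks to whom, and byte counts per conversation."""
    peers = defaultdict(set)      # src -> {(dst, dport, proto)}
    volumes = defaultdict(list)   # (src, dst, dport, proto) -> [nbytes, ...]
    for f in flows:
        peers[f.src].add((f.dst, f.dport, f.proto))
        volumes[(f.src, f.dst, f.dport, f.proto)].append(f.nbytes)
    return peers, volumes


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def volume_threshold(samples):
    """Flag only clear outliers: 3 sigma above the mean and at least 2x the largest seen.
    The 2x floor stops a baseline of one or two near-identical samples firing on noise."""
    return max(mean(samples) + 3 * pstdev(samples), 2 * max(samples))


def audit(flows, known_assets, peers, volumes):
    """Return a list of (finding_kind, flow) for flows that break inventory or baseline."""
    findings = []
    for f in flows:
        if f.src not in known_assets:
            findings.append(("unknown-device", f))   # you cannot secure what you do not know
            continue
        if not is_internal(f.dst):
            findings.append(("external-destination", f))
        key = (f.dst, f.dport, f.proto)
        if key not in peers.get(f.src, set()):
            findings.append(("new-peer", f))
        elif f.nbytes > volume_threshold(volumes[(f.src,) + key]):
            findings.append(("volume-anomaly", f))
    return findings


if __name__ == "__main__":
    peers, volumes = build_baseline(BASELINE_FLOWS)
    for kind, f in audit(NEW_FLOWS, KNOWN_ASSETS, peers, volumes):
        role = KNOWN_ASSETS.get(f.src, ("unknown", "unknown"))[0]
        print(f"{f.ts} {kind:20} {f.src} ({role}) -> {f.dst}:{f.dport}/{f.proto} {f.nbytes} bytes")
```

Run against the constructed data, the script reports four findings: a volume spike from the HMI to the historian, an OT device contacting an external address it has never spoken to, and a device that is not in the inventory at all. Each finding carries the owner from the inventory, which is what makes it actionable; the thresholds and the internal range are the parts you would tune for your own environment.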
Building a culture of security
While these recommendations provide a strong technical foundation, a truly secure organisation goes beyond technical measures: building a culture of security is essential.
This involves raising awareness among employees about cyber threats and best practices for protecting themselves and organisational data. Regular security training sessions can equip employees with the knowledge and skills to identify phishing attempts, avoid social engineering tactics, and report suspicious activity.
The need for collaboration
The ever-evolving threat landscape necessitates constant vigilance and adaptation. By acknowledging the growing sophistication of cyberattacks, implementing the recommendations outlined above, and fostering a culture of security, organisations can significantly improve their security posture.
However, the challenges posed by cybercrime require collaboration beyond individual organisations. Increased information sharing between companies and government agencies can help identify emerging threats and develop more effective defensive strategies.
Additionally, international co-operation is crucial for holding state-backed actors accountable and disrupting cybercrime ecosystems.
As the threat landscape continues to evolve, a collective effort will be essential to safeguard the digital world.