Businesses relying on the upcoming holiday shopping season should expect a spike in activity from cybercriminal gangs and other threat actors. That’s according to the latest forecast from CrowdStike, which tracks threats via its eCrime Index.
Increased attacks during the holiday shopping season are nothing new, but this year is especially precarious, arriving amid a world turned upside down by the ongoing pandemic and severe supply chain bottlenecks.
The supply chain problem extends beyond gridlocked container ships outside U.S. ports. As we’ve seen in the case of the Sunburst exploits against Microsoft software and high-profile ransomware attacks against multiple critical industry sectors including food, gasoline, and the supply chain attack in the case of Kaseya, threat actors are racing to monetize vulnerabilities and exploits against the software supply chain.
Adam Meyers, SVP of Intelligence at CrowdStrike, outlined historical eCrime Index data and what it says about the road ahead in a recent video presentation.
“As long as there’s money to be made, threat actors will strike,” he said. “When they are taken down, others will emerge to take their place.”
All of this has happened before — and will happen again
Meyers points to familiar patterns in how threat actors operate during certain times of year:
- During Black Friday and Cyber Monday, attacks escalate.
- Between Christmas and Orthodox Christmas, the eCrime Index dips as the bad guys take time off.
- After the start of the New Year, attack activity creeps back up.
Additionally, Meyers noted how last January, attackers quickly pounced after Microsoft released its monthly security patches to fix 56 vulnerabilities — 11 of them marked as critical.
“Vulnerabilities and exploits are the currency of the underground economy,” he said.
The eCrime Index shot back up last March, when vulnerabilities in Microsoft Exchange came under attack and Chinese threat actors deployed web shells for use in future espionage campaigns.
The Index dropped in early May 2021, and then the widely public ransomware attack against Colonial Pipeline occurred. As the U.S. government responded to Colonial and additional ransomware attacks against meat supplier JBS and IT management software provider Kaseya, cybercriminals pulled back and the Index dropped, only to rise again as they resumed attacks.
eCrime Index backstory
The eCrime Index was created to track what’s going on in the underworld economy and what’s coming ahead, and is modeled after the original Dow Jones index. As Meyers explained in the video, the Dow Jones has been a reliable indicator of how the health of the larger economy is faring. He noted, for example, that in the 1940s, the Dow climbed as the world came to peace following WWII. In the 1970s, amid the energy crisis, inflation and unemployment, the Dow shed almost half its value. It hit a 12-year low amid the 2008 financial meltdown and crashed again at the start of the pandemic early last year.
“We looked at how the Dow works, how the global supply chain works and how the cyber supply chain impacts overall economic health -- and started looking at different threat actors and the underground economy they represent,” he said.
How it works and how it helps
CrowdStrike’s eCrime Index has emerged as one of the more important tools to help businesses and security teams better understand threat activity and how to prepare for future attacks. It views threat actors as nation states, lone criminals and hacktivists -- not just those working in their own self-interest, but those working together.
Today, the Index tracks more than 30 different factors, including:
- Access brokers who leverage exploits to hack into different organizations and then sell stolen assets to the highest bidder,
- Those who sell ransomware as a service, which has made it easier for attackers to launch such attacks regardless of skill,
- Avenues of distribution, including spam and exploit kits
- Criminal actors who leverage financial services to negotiate ransom amounts and payment options.
As for the threat actors the Index is tracking, the most active these days include:
PINCHY SPIDER: criminal group behind the development and operation of the GandCrab and REvil ransomware families. It sells access to their ransomware under a partnership program with a limited number of accounts.
WIZARD SPIDER: criminal group behind the core development and distribution of a sophisticated arsenal of criminal tools like TrickBot, Ryuk, Conti and BazarLoader, that allow them to run multiple different types of operations.
DOPPEL SPIDER: criminal actor group responsible for the likes of DoppelDridex and DoppelPaymer. CrowdStrike Intelligence believes this group has splintered from INDRIK SPIDER and is now using forked malware code to run their own Big Game Hunting operations.
Visit this page for more on those threat actors and other insights from the eCrime Index, and how companies can use it to plan their defenses accordingly.