[By Dov Lerner, Cybersixgill]
Cybersecurity veterans often have a pessimistic view of the industry’s trends: attacks seem to be always on the rise, threat actors become more sophisticated, and breaches grow costlier than ever to their victims.
I’m happy to note that there’s some good news for a change, as my company discovered while compiling our State of the Underground 2024 report. We’ve learned that in some areas, attackers are being held off – or at least having less success than in the past.
To be sure, this doesn’t mean that those in the cybersecurity field can take it easy. As our latest report on industry trends discusses, security teams still face many areas of concern. In this article, I will summarize the highlights of that research.
Our underground intelligence about threat actors’ activities
Cybersixgill has long believed one of the best ways for organizations to defend themselves is to know as much as possible about their foes. So we have set up automated mechanisms that compile millions of items of intelligence from the clear, deep, and dark web EVERY DAY. With this massive amount of data and our methods for analyzing and categorizing it, we can paint a picture of cybercriminal activities that is both broad and detailed.
In our recent report, we compared data from 2023 with data in our earlier reports, as we do every year, to map out trends on the rise and those in decline and the resulting impact on intended targets.
So let’s start with those first bits of good news. (Although, as you’ll quickly see, I’ll have to temper the positive trend lines with other cautions.)
Exploited vulnerabilities tumble by 66%
CISA’s Catalog of Known Exploited Vulnerabilities listed 188 exploited vulnerabilities in 2023 compared to 556 in 2022 – a decline of 66%. By comparison, between 2021 and 2022 exploited vulnerabilities jumped by 44%.
Good news in some respects, but it doesn’t mean that the overall number of attacks using CVEs fell as well. We should also note that the Common Vulnerability Scoring System (CVSS) has its limits: it looks at the potential severity of a vulnerability without assessing how likely that vulnerability is to be targeted. Cybersixgill recognizes that, to determine the risk these vulnerabilities present to various organizations, it is important to monitor the activities of cybercriminals and see whether they are indeed taking advantage of them.
Initial access markets: some shut down, others flaring up
We’ve seen the sales of access to compromised remote desktop protocols (RDPs) in underground marketplaces dropping for several years. The sales stopped completely in 2023 when the primary RDP market was taken down. Also good news: Genesis[1], a major market for compromised endpoints, was shut down by law enforcement in April 2023.
Unfortunately, threat actors could still get access to systems through compromised endpoints. Sales of those jumped by 88% from 2022 to 2023. And sales of compromised domains went up by 17% over the same period.
The upshot: Cybercriminals still have ways of buying potential entry points into organizational systems through which they can execute ransomware demands and other attacks.
The mixed bag on ransomware
And speaking of ransomware, the good news is that attacks, measured by posts on leak sites, dropped by more than 9%. Small comfort, though, because the average ransomware payout increased by almost 90%. Apparently, cybercriminals decided to aim their attacks at organizations that were in a better position to pay – and they succeeded.
But we can be encouraged that since our report came out in early February, an international law enforcement operation arrested and indicted members of the LockBit ransomware gang. In our report, we had calculated that in 2023, LockBit was responsible for 24% of all ransomware attacks. That’s the largest percentage attributable to a single organization. The question now becomes whether law enforcement will continue to have success against similar groups or whether – as has happened in the past – the cybercriminals will simply find another way of staying in business.
More stealer malware and new players
Stealers – malware that gathers valuable data from infected systems – continue to gain popularity in the underground market. Cybercriminals embraced four new types in 2023: Stealc, Risepro, Lumma, and Silencer. But the established stealers, such as Raccoon and Vidar, were still widely used, as they have a reputation for reliability and effectiveness, and their providers maintain them for their customers. These providers demonstrated resilience as well: Raccoon’s usage increased, even though one of its central administrators was arrested in 2022. It appears that the group was able to recover from this law enforcement action.
A slight upturn in underground credit card markets
One of the more encouraging trends in recent years has been the decline in the number of compromised credit cards for sale in underground markets. In 2019, sales of such cards totaled more than 140 million. By 2022, that number had slipped to only 9.1 million cards posted for sale.
In 2023, that number jumped again, but only by 25% to just over 12 million. Even so, the average price of a compromised credit card with CVV data dropped, slipping from $12.21 in 2022 to $9.72 in 2023.
What’s the reason? We speculate that better fraud prevention and detection, tighter e-commerce security, and effective law enforcement all had an impact. And even though sales increased, the lower average price for a sale suggests that cybercriminals are looking for more profitable alternatives. Even so, the 25% jump in compromised credit card sales should be taken as a warning for organizations not to get lax when it comes to protecting credit cards. We wouldn’t want to assume that in 2024 the trend will resume its decline: cybercriminals may find new ways to compromise cards and monetize them.
Get the full picture by downloading the report
Cybercrime is a huge business, with estimates of its costs ranging in the trillions of dollars and threat actors taking advantage of multiple opportunities to exploit their victims. So it is difficult to reach simple conclusions about the trends from year to year.
We think it’s worthwhile to acknowledge the positive outcomes, particularly when credit can be given to smart business practices, good threat intelligence powering strong cybersecurity efforts, and law enforcement assistance. Even so, the disruptions we’re reporting shouldn’t be taken to mean that cybercriminals are in retreat. They are still largely continuing with business as usual. Accordingly, it’s up to cybersecurity professionals to stay vigilant and learn as much as they can about the forces they face.
Dov Lerner is Cybersixgill’s Security Research Lead.