Skip to main content
close search
site logo

Attackers reduce complexity to catch more potential victims

Palo Alto Networks warns attackers are building economies of scale by conducting more efficient operations and complementing their skills with commercially available tools.

Published Feb. 23, 2023
Matt Kapko's headshot
Senior Reporter
Gulls swarm to eat fishing waste from vessel.
Matt Cardy / Stringer via Getty Images

Threat actors are shifting tactics and embracing new tools to run more efficient and impactful operations.

“Attackers are now often looking to build an economy of scale,” Wendi Whitmore, SVP of Unit 42 at Palo Alto Networks said Wednesday during a keynote at the company’s annual user summit.

Instead of using one attack vector against one company, threat actors are targeting an entire supply chain.

Likewise, instead of encrypting data, then decrypting it on the back end, ransomware groups can just steal the information and threaten to release it publicly if their ransom demand isn’t met.

The concept of quadruple extortion, a hot trend in ransomware yesteryear, is less in vogue, Whitmore said. Those four modes of attack include data encryption, the theft and release of data, a DDoS attack, and harassment of the targeted organization’s most sensitive clients with stolen information.

The same goes for zero-day exploits that take significant time and money to research, build and create.

“Attackers are moving toward conducting their operations as efficiently as possible,” Whitmore said.

When data is stolen, organizations’ top priority is to quickly resolve issues and ensure client data isn’t exposed. This includes compliance with regulatory and notification requirements.

Threat actors know that and they’re optimizing business operations not just in techniques or processes, but also in the tooling they use, Whitmore said.

“We’re seeing this concept of commonality and convergence of these actual toolsets they’re using,” she said. This includes tools originally developed by red team security researchers.

Brute Ratel C4 serves a warning sign

Unit 42 researchers last year discovered threat actors deploying Brute Ratel C4, a malicious payload capable of bypassing antivirus and endpoint detection and response protections.

Whitmore’s colleagues determined the tool originally designed for legitimate use was involved in a ransomware attack against an enterprise client.

“Not surprisingly, the initial attack vector was through a phishing email,” she said. When the recipient opened the email, it executed a zip file containing a malware downloader that was installed in one endpoint throughout the enterprise’s entire environment spanning tens of thousands of systems.

Once the threat actor installed a reverse shell that allowed it to gain access to four servers, it installed Brute Ratel C4.

“They understood very quickly which data that they wanted to steal and they successfully exfiltrated that data,” Whitmore said. “After they stole the data, they then installed malware throughout the environment and demanded a settlement for tens of millions of dollars.”

Unit 42 expects to see more threat actors leveraging the skills, techniques and technologies that are commercially available, regardless of who developed it.

“What we expect to see moving forward is even more actors using whatever tooling it takes to get the job done and increasing their efficiency as much as possible,” Whitmore said. “As long as there are secrets to be stolen and money to be made, there are going to be new attacks and new attackers for us to deal with.”

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell