LockBit really can’t catch a break. Following a year of law enforcement disruptions and loss of affiliate base, the world mostly recently witnessed one of the most notorious Ransomware-as-a-Service (RaaS) gangs hit by yet another setback – they’ve been hacked. On a gloomy Thursday morning, our analysts awoke to news of LockBit’s hack – and immediately snapped into action. Not only was this crucial given the many victims we have helped contain LockBit-attributed incidents, but it posed an excellent opportunity to gain insights into the RaaS’ inner workings.
This blog summarises our key takeaways from our analysis of LockBit’s leaked database.
So, what happened?
On 7 May, LockBit’s dedicated leak site was modified, replacing their usual display of victim listings with a plain message, and link to a ZIP archive curiously named “paneldb_dump.zip”.
LockBit’s leak site defaced by unknown actor
The archive contained one single “paneldb_dump.sql”, a full dump of the SQL database in a file, obtained from LockBit’s affiliate panel’s MySQL database.
Upon downloading the leaked files, we observed the following operational data disclosed:
Attack builds – disclosed specific malware created by affiliates, including respective public keys, and in some cases the corresponding victims’ name(s)
Configurations – specifying technical parameters for configuring encryption per ransomware strain (e.g., for ESXi variant – which ESXi servers should be skipped and what files should be encrypted)
Victim Negotiations – complete chat history between LockBit and victims, including the links to sample stolen data and tree of stolen data (though most links are expired)
Users – list of 75 administrators and affiliates with access to the affiliate panel, including their plaintext passwords
Assessing the Impact on Existing Victims
Our first priority when analysing the leak was to determine the scope and impact to our existing clients previously hit by LockBit. To do so, we first performed a check of the builds table to identify any relevant victim mentions. We then further referenced the chats table for any additional mentions. Upon identifying relevant victims, we rapidly notified them of the severity of the exposure and how they can respond to further safeguard their information.
Our Key Observations from Leak Analysis
1. Scope of impact was restricted to victims targeted by the LockBit 4.0 strain
Based on two key indicators, we ascertained the scope of the leakage was contained to the LockBit 4.0-related attacks. This is given (1) ransom notes referenced in the chat history(s) pertained to LockBit 4.0, and (2) the chats table which over 4.4K messages were dated between 19 December 2024 and 29 April 2025. This aligns exactly to the LockBit 4.0 public release on 19 December 2024.
2.Chat history revealed the initial access vectors used
Weak passwords. Though LockBit affiliates are known to leverage multiple means of intrusion (e.g., exploiting vulnerable servers, phishing, etc.) – weak passwords were the apparent theme across multiple chats. To quote one of the impacted victims, “So our vulnerability is simply that the password was too weak?” Yes.
Note: ironic, considering the leaked plaintext passwords of LockBit’s 75 admins and affiliates evidenced their own use of weak passwords (e.g., LockbitProud231, Weekendlover69)
3. Some victim domains contained in the ‘builds’ table were not observed on the leak site
Our initial hypothesis was that this corresponded to the 16 victims who paid the ransom. We validated this to be partially true, with only two (2) of the 16 victims who paid still listed on LockBit’s leak site. Additionally, per our recent LockBit-related incident experience, we observe cases in which compromised victims have not been listed on the leak site, which we suspect is due to the lack of data exfiltration performed during their intrusion.
4. Affiliates weaponise victims’ pre-installed AnyDesk instances for persistent access
LockBit, like many RaaS groups, leverage AnyDesk frequently for persistent, remote access to victim environments. In one instance, we observed a victim prompt the group to divulge how AnyDesk was used in their case. The negotiator confirmed that the affiliate leveraged multiple pre-installed (by the victim) AnyDesk instances to re-access multiple hosts.
5.Watch what you say, chats are ‘forever’
In at least one instance, the victim requested for LockBit to remove all chat content, to which LockBit confirmed they cannot clear the chat, only delete it. What we further observed is even if the chat was deleted, the content remains stored in their backend database. So, unless the database itself is deleted or scrubbed, any sensitive or leaked content shared within the chats remains stored on LockBit servers.
As an example, in one conversation we observed the victim gossiping with LockBit, and (whether jokingly or not) telling LockBit to attack their competitor’s site. A good reminder that anything shared on the Internet lives forever – in this case not only posing reputational damage, but potential implications regarding the victim’s negligence.
6. Victim invited to join the dark side
Referencing chats and builds, we observed something surprising. Following negotiations, one victim was offered the opportunity to join the RaaS affiliate network for USD 777. “Immediately after payment you will get access to LockBit ransomware control panel where you can create builds of Windows, ESXi, Linux encryptors and communicate with attacked victims.”
7. LockBit’s own OPSEC fails
Aside from their use of weak passwords, whilst the root cause has not been confirmed by LockBit operators, the panel was operating on a vulnerable version of PHP 8.1.2, susceptible to remote code execution vulnerability (CVE-2024-4577). This is not the first time LockBit’s operators have overlooked their attack surface exposure, as we recall their announcement regarding their February 2024 PHP-related “penetration test” intrusion:
This begs the question – is LockBit’s bug bounty program not active (or effective)? It is hard to tell, with LockBit only announcing the first bounty payout of USD 50K on 17 September 2022. Perhaps their standing payout incentive varying from “USD 1000 to 1 million” isn’t as incentivising as they had hoped…
LockBit’s announcement in 2022 re first bounty payoutLockBit’s bug bounty program
LockBit’s Response
On 8 May 2025, Rey shared their Tox conversation with LockBitSupp (LockBit developer). The operator claims that only the “light panel with auto-registration was hacked” – no decryptors, stolen victim data, or source code was compromised.[1]
Rey and LockBitSupp’s Tox Conversation (English translation)
This messaging was further reflected in an announcement on LockBit’s updated leak site. It additionally stated that the root cause has been determined and a rebuild is in progress – with the full panel and blog functioning back to normal. We also see LockBitSupp asking the same question on all of our minds – who was behind the leak? Defaulting to their bug bounty tactics, the group is willing to pay for information on the attackers behind the hack.
LockBit’s updated leak site on 8 May (English translation)
Conclusion
Per LockBit’s response, the group show no signs of halting operations – in spite of their latest battle. Whilst it is unknown who these attackers “from Prague” could be, we observe speculation within the community that DragonForce may be at fault.[2] Though we do not observe evidence to support this claim, it is plausible given the assumption that newer ransomware players could be seeking to ‘take out the competition’ in a bid for talent (affiliates).[3],[4] Whether true or not, we continue to observe new RaaS groups emerging with novel differentiators – both in the tooling and affiliate structure – as a means to establish presence within the ecosystem. As the threat of ransomware continues to evolve, it is crucial that organisations maintain preparedness to prevent, detect, and contain ransomware-related threats.
Recommendations
Incident Response (IR) Plan and Drills – create a detailed IR plan outlining roles, responsibilities, and procedures for responding to ransomware incidents. Regularly conduct IR drills to ensure readiness and identify areas for improvement. Ensure to factor in consideration of legal and regulatory compliance, including Data Protection Regulations, Mandatory Reporting and Timelines, Documentation, and so forth.
Maintain Offline, Encrypted Backups – Regularly back up and encrypt critical data and ensure backups are stored offline or in a secure cloud environment. Periodically test backup restoration processes to ensure data can be recovered quickly and accurately.
Security Awareness Training – Conduct regular training sessions to educate employees about social engineering techniques (e.g., infostealers, phishing, etc.) and safe online practices.
Restrict Lateral Movement Opportunities – to minimise ransomware propagation via remote service protocols (e.g., RDP, SMB) and use of third-party remote monitoring and management (RMM) tools, such as AnyDesk.
Reduce your “low hanging fruit” – monitor, minimise, and maintain visibility of your attack surface exposure to proactively identify and remediate potential security weaknesses that may expose you to external threats. Detailed recommendations here.[5]
Behavioural Based Detection – identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as ensuring coverage of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.
Further information
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.
2024 marked a pivotal shift in the cyber threat landscape, with threat actors increasingly experimental, yet intentional in their approaches to cyberattacks. Leveraging new and emerging technologies to weaponise trust and further lower the barrier to entry for cybercriminals, we anticipate no less for 2025. Based on PwC Dark Lab’s observations throughout 2024, we share our assessment of the potentially most prevalent threats and likely emerging trends for this year.
Identities will continue to be the primary target for threat actors, resulting in a gradual rise of infostealer infections and credential sales on the dark web
Hong Kong saw a 23% rise in infostealer infections in 2024, further reflected in our incident experience, as infostealers and leaked credentials persisted as a frequent root cause in cyberattacks. We assess this growth in infostealer usage is given the wider trend observed, whereby threat actors of varying motivations have increasingly shifted focus to identity-based attacks.
Through our ongoing dark web monitoring, we observed threat actors have become increasingly deliberate in their weaponisation of infostealers – intentionally targeting specific types of data during collection. This is as reflected in the uptick of network access sales for SSH, VPN, firewall, and cloud. We posit that credentials and database sales will remain a hot commodity within the dark web marketplaces given they allow for easy entry. Furthermore, we observed that data sales are not always need to be associated with an active data breach – as we repeatedly observe threat actors farming data from organisations’ exposed libraries, directories, publicly released information, as well as historically leaked data on the dark web – to publish as a single data dump on the dark web. We posit this repurposing and collating of already available information is performed by threat actors as a means to establish their reputation on dark web hacking forums.
As witnessed in our incident experience and open-source reporting, threat actors now target individuals’ personal devices with the intention to obtain access to enterprise environments. Thiswas most recently evidenced Cyberhaven’s Chrome extension security incident, whereby a phishing attack resulted in attacker takeover of their legitimate browser extension. Replacing the extension with a tampered, maliciously-embedded update designed to steal cookies and authenticated sessions, the extension was automatically dispensed to approximately 400,000 users.[1] In a previous incident, we observed that the victim organisation was compromised as a result of an infostealer deployed on their employee’s personal, unmanaged laptop, leading to the obtaining of valid corporate credentials and subsequent corporate compromise. We anticipate that threat actors will continue to adopt new means to distribute and weaponise infostealers at mass to collect valid identities to initiate their attacks.
Cybercriminals will exploit any means to deliver malware, with Search Engine Optimisation (SEO) being a good mode for compromise – bringing potential reputational damage
Search Engine Optimisation (SEO) plays a crucial role in today’s digital society, enabling visibility and accessibility of websites to seamlessly connect users with the most relevant information. As such, it’s no surprise that SEO has become a growing driver in malicious campaigns. Be it directing users to malicious sites impersonating legitimate brands, spreading of disinformation, or compromising legitimate websites to benefit from their SEO results, threat actors have continuously refined their means to weaponise, or ‘poison’, SEO.
SEO poisoning involves the manipulation of search engine results to direct users to harmful websites. This may be achieved via the use of popular search terms and keywords to increase their sites’ ranks, mimicking of legitimate websites, typosquatting, and/or leveraging cloaking and multiple redirection techniques. Recently, we observed public reports regarding the distribution of a novel multipurpose malware, PLAYFULGHOST, distributed as a trojanised version of trusted VPN applications via SEO poisoning techniques.[2] In other cases, we observe threat actors installing ‘SEO malware’ on compromised websites – designed to perform black hat SEO poisoning, whereby search engines display the attackers’ malicious webpages as though they were contained within the legitimate, compromised website.[3]
In mid-2024, PwC’s Dark Lab have observed a sharp uptick in phishing sites masquerading as online gambling operators. Targeted against users in Southeast Asia, we assessed this is likely due to regional crackdown on online gambling – as evidenced in Philippines’ ban of Philippine Offshore Gaming Operators (POGOs). A notable instigator for the ban on POGOs was the shift into illicit scamming activities by POGOs following the impact of COVID-19 (e.g., online fake shopping, cryptocurrency, and investment scams).[4]As we observe further crackdowns within the region, we anticipate a growth in SEO campaigns pushing online gambling phishing sites, preying on unsuspecting, or vulnerable users. Furthermore, this reflects on how threat actors continue to opportunistically weaponise current events to their benefit.
Growth in identity-based attacks highlights threat of domain abuse and need for stringent governance of top-level domains (TLDs)
The topic of internet hygiene has come to our attention amidst the significant uptick in the amount malicious sites impersonating local Hong Kong brands. Globally, the landscape of domain registration has become increasingly under question due to the ease and anonymity with which domains can be purchased, facilitated by the lack of regulations surrounding Know Your Customer (KYC) processes. This has fostered a favourable environment for malicious actors to disguise their infrastructure, gaining trust via ‘reputable’ top-level domains (TLDs). Whilst some TLDs like [.]xyz and [.]biz are widely regarded as ‘untrustworthy’, we observe commonly trusted TLDs [.]com and [.]top persist as the two most abused TLDs in 2024.[5]
DNS abuse can take many forms, though ICANN defines it as; botnet, malware delivery, phishing, pharming, and spam.[6] Distributed Denial of Service (DDoS) is an example of an ever-present DNS-related threat increasingly observed in 2024, with the motivations behind these attacks being hacktivist in nature and correlating with major geopolitical events (e.g., elections, ongoing tensions). We anticipate a continuation of geopolitical-motivated DDoS attacks in 2025, as threat actors recognise the success that may be achieved through these attacks; being reputational damage and heightened visibility towards their hacktivist cause. In Q2 2024, we uncovered an active campaign masquerading as multiple local brands including Mannings and Yuu using typosquatted domain names registered to [.]top, [.]shop, and [.]vip TLDs. This campaign revealed how customised attacks against individuals are becoming; targeting of personal data now spans beyond credential harvesting – further collecting a broader set of attributes such as the device you are using, user location, behaviour patterns, and even loyalty program details. As highlighted during our 2024 Hack A Day: Securing Identity, identity is now contextual – collecting various attributes or ‘unique identifiers’ to build your holistic identity-profile.
Through PwC Dark Lab’s ongoing efforts to safeguard Hong Kong citizens, we foresee a need for more structured and regular analysis of generic TLDs (gTLDs) – e.g., [.]com, [.]top and country code TLDs (ccTLDs) – e.g., [.]com.hk, [.]hk. To proactively identify and mitigate against these active threats, we anticipate that in the longer run, governance is necessary to enforce and ensure adherence on registrars. This includes intelligence-driven ongoing detection, establishing consistent definitions, uplifting KYC validations, and appropriate procedures to handle known-bad domains. With over 96% of Hong Kong’s population (aged 10 or above) using the Internet[7], it is crucial that registrars collaborate in the collective goal to secure the internet and disrupt threat actors’ infrastructure supply.
Sophistication of social engineering scams will amplify as threat actors ‘smish’, abuse legitimate services, and weaponise automation intelligence
As organisations worldwide have invested efforts into hardening their security posture, we observe threat actors adapting their attacks to find alternative means to bypass the heightened defences. SMS phishing (“smishing”) has become increasingly tailored in response to heightened user awareness. In some cases, we have observed smishing messages no longer containing links, only phone numbers – suggesting a preference to perform voice call phishing (“vishing”) as a means of increasing their chances of success. Beyond abuse of trusted identities, we observe threat actors weaponising legitimate services to disguise their malicious traffic behind legitimate sources.
In Q4 2024, we observed an unknown threat actor leverage multiple trusted domains in Hong Kong to front their Cobalt Strike Beacon C2. Domain fronting is a technique used to disguise the true destination of Internet traffic by using different domain names in different layers of an HTTPS connection to route traffic through a legitimate and highly trusted domain. Similarly, we have observed the use of legitimate platforms such as Ticketmaster and Cloudflare to host phishing sites. In another context, our global counterparts have observed advanced persistent threat (APT) actors utilising TryCloudflare tunnels to stage malware and circumvent DNS filtering solutions. We project that threat actors will continue to experiment with different, legitimate platforms to find means to facilitate their attacks.
As observed since the emergence of ChatGPT in late 2022, generative artificial intelligence (AI) has enabled threat actors to craft highly convincing, tailored social engineering contents at scale. This was observed in 2024, as the U.S. Federal Bureau of Investigation (FBI) observed a surge in AI-driven financial fraud, leveraging GenAI to generate convincing phishing emails, social engineering scripts, and deepfake audio and video to deceive victims.[8] We predict that the application of AI by cybercriminals will expand beyond content generation to automate vulnerability exploitation, malware distribution and development, and AI-enabled ransomware. On the flipside, as the integration of AI into business processes rises, the need to secure these AI systems will continue to mount.
The ransomware landscape will continue to diversify, weaponising emerging technologies, trusted identities and services to increase their chances of success
2024 was a transformative year for the ransomware landscape, following continued disruptions of the LockBit Ransomware-as-a-Service (RaaS) operations by international law enforcement agencies, and BlackCat’s alleged exit scam. These occurrences resulted in heightened scepticism, posing an opportunity for new ransomware actors to enter the market. As new groups arise, we observe them increasingly experimental in their approaches to ransomware attacks – both through the Techniques, Tactics, and Procedures (TTPs) used and their malware offerings – diversifying the threat of ransomware.
We anticipate that 2025 will see a continuation of this trend, with an increased focus on weaponising trusted identities and legitimate services to increase their chances of success. Infostealers and Initial Access Brokers (“IABs”) will likely persist as a growing infiltration vector for ransomware affiliates, as we project increased targeting against systems likely to house sensitive information to enable rapid “smash and grab” attacks, such as cloud, Software-as-a-Service (SaaS), and file transfer platforms. Target systems for ransomware encryption are expected to further expand – as we already observed in mid-2024, with threat actors increasingly developing custom strains to target macOS and Network Attached Storage (NAS). This is evidenced in the recent discovery following the arrest of a LockBit developer that the group are working on tailored variants to target Proxmox and Nutanix; virtualisation service providers.[9]
Furthermore, we have observed discussion within the cybersecurity community regarding “quantum-proof ransomware”. As quantum computing develops, we hypothesise that ransomware operators will leverage the technology to harden their encryption processes and eliminate opportunities for victims to decrypt their data without the attacker-provided decryptors. On the other hand, we observe “harvest now, decrypt later” repeatedly referenced in these discussions, as researchers anticipate threat actors will weaponise quantum computing to enable mass decryption of previously stolen information. We further suspect that this may lead to attackers collecting and storing data from recent attacks even if unable to crack in the meantime. This poses a threat to existing victims of ransomware attacks, given the potential for ransomware actors to recover highly sensitive information and repurpose their past attack to extort victims and/or sell databases on the dark web.
Recommendations to Secure Your 2025
As we enter 2025, there is no telling with certainty what threats lie ahead. However, our experiences from 2024 have provided valuable lessons on how organisations can continue to strengthen their defences against ever-evolving threats.
Reduce your “low hanging fruit”. Monitor, minimise, and maintain visibility of your attack surface exposure to proactively identify and remediate potential security weaknesses that may expose you to external threats.
Enforce 24×7 dark web monitoring to swiftly detect and mitigate potential threats, ensuring early detection of compromised data, i.e. leaked credentials from infostealer dumps.
Extend 24×7 monitoring to social media listening, and brand reputation monitoring to identify mentions or impersonation attempts of your organisation, which may be indicative of potential or active targeting against your organisation.
Adopt an offensive approach to Threat and Vulnerability Management (TVM) to achieve real-time visibility of your attack surface through autonomous, rapid detection and remediation against emerging threats.[10] This further allows for the discovery of shadow IT, which may otherwise fall under the radar and pose threats to your organisation.
Periodically review your asset inventory, ensuring Internet-facing applications, exposed administrative ports, and non-production servers are intended to be publicly accessible, are appropriately configured, and segmented from your internal network. Ensure Internet-facing applications are regularly kept up-to-date, and prioritised in your patch management process.
Leverage canary tokens both on the external perimeter and internal environment to detect unauthorised attempts to access your environment and/or resources. Further, leverage the canary token detection alerts to provide insight into the types of threats actively targeting your organisation and what services and/or data they seek to access.[11]
Uplift identity security and access control. 2024 showed no signs of threat actors weaponising identities, and shed light on the importance of account housekeeping and appropriate access control provisioning.
Govern and provision appropriate access controls and permissions following the principle of least privilege for all users. Ensure access is conditional and restricted only to the resources necessary for a user to perform their job functions. This includes enforcement of strong authentication mechanisms, such as strong password policies, multi-factor authentication (MFA), role-based access controls (RBAC), and continuous behavioural-based monitoring to detect anomalous behaviour.
Review and uplift the process for managing credentials, particularly in the case of offboarding or unused accounts. This includes timely revocation of access (termination of account), password changes for any shared accounts the employee had access to, and ensuring the offboarded member’s MFA mechanism is no longer linked to any corporate accounts.
Log, audit, and monitor all privileged account sessions via real-time monitoring, facilitated by Privileged Access Account (PAM) and Privileged Account and Session Management (PASM) solutions.
Protect your “crown jewels”. As threat actors become increasingly intentional in the systems and data they target, it is crucial that organisations identity, classify, and secure the critical systems most likely to be targeted.
Leverage threat intelligence and continuous monitoring of your attack surface (e.g., canary tokens) to identify the systems actively being targeted by threat actors.
Prioritise systems hosting critical data (e.g., file transfer systems) with layered preventive and detective strategies to safeguard data (e.g., Data Loss Prevention (DLP)).Regularly perform risk assessments against critical systems to evaluate the current state of its cybersecurity posture, and harden accordingly.
Regularly perform risk assessments against critical systems to evaluate the current state of its cybersecurity posture, and harden accordingly.
Review and uplift the lifecycle of data, including considerations of;
Where data is being shared?
Who has access, including consideration of third-party risks posed by vendors’ access to internal data?
What internal policies are enforced to govern staff on the handling of data? For example, no sharing of internal data via external communication channels such as WhatsApp.
Manage your “unknown” risks. Unmanaged devices, shadow IT, and third-party risks continue to pose significant threats to organisations, introducing potential opportunities for threat actors to exploit for infiltration and/or access to your sensitive data.
For unmanaged devices;
Develop a Bring Your Own Device (BYOD) policy to govern the use of personal devices allowed to access the corporate network, including guidelines to enforce use of strong passwords and encryption. Regularly perform user awareness training to ensure understanding and adherence with guidelines and best practices.
Consider implementation of a Mobile Device Management (MDM) or Endpoint Management solution to gain visibility and control over all devices connect to your network.
Isolate unmanaged devices from critical network segments to minimise potential damage and access to resources.
For shadow IT;
Ensure that only authorized personnel can create and publish webpages. Use role-based access controls to limit who can make changes to corporate web assets.
Consider use of a Content Management System (CMS) that requires approval from dedicate personnel(s) prior to webpage launch to ensure all webpages comply with security standards.
Conduct regular audits to identify unauthorized webpages and monitor for any new web assets that appear without proper authorization. Use automated tools to scan for shadow IT activities.
For third-party risks;
Perform thorough due diligence to vet third-party vendors and fourth-party vendors through vendor risk management and ongoing monitoring. This includes assessment of their vulnerability management processes, security controls, and incident response capabilities.
Implement robust vendor management program that includes regular assessments, audits, and contractual agreements that define security requirements and expectations.
Restrict third-party access to specific network segments, enforcing the principle of least privilege alongside stringent access controls.
Counter the threat of DNS abuse. As threat actors increasingly abuse DNS infrastructure to enhance the capabilities of their attacks, it is crucial that organisations and registrars maintain awareness of the latest threats.
For individuals and organisations; maintain awareness of the threat of DNS abuse, including visibility of which registrars should be perceived as higher-risk, and continuous tracking of DNS-related threats.
For registrars, we recommend reviewing and uplifting the Know Your Customer (KYC) process, and establishing continuous monitoring to proactively flag DNS abuse. Monitoring would cover DNS/WHOIS data, combined with community reports of suspicious domains (e.g., via VirusTotal, URLScan, etc.).
For ICANN, we recommend to lead the industry; establish and enforce the governance and security key risk indicators (KRIs) on whether registrars are in compliance; what are the penalties; what are the trends of threat actors, and how the registrars and organisations should detect, respond, and recover.
Further information
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.
2023 saw threat actors relentlessly innovating and specialising to remain sophisticated in speed and scale, through the use of automation intelligence, targeting against supply chains and managed service providers, and a shifted focus to identity-based attacks. As we ushered in the new year, we expected that these threats would continue to drive the cyber threat landscape in 2024 as threat actors continuously seek to outmanoeuvre defenders. In this blog, we outline Dark Lab’s expectations of the most prevalent issues in 2024, and validate that with observations from the first quarter of incident response insights and threat intelligence investigations.
Ransomware continues to evolve as affiliates seek independence from RaaS groups, weaponize supply chains, and crowdsource efforts by specializing in tradecraft
Ransomware attacks have surged, with a 65% increase in compromised victim listings observed in 2023. There are multiple reasons for this increase, such as the rapid exploitation of new and known vulnerabilities as well as managed service providers (MSPs) becoming prime targets due to their ability to launch downstream attacks on the MSP’s clients. However, we have observed other factors such as affiliates branching out to craft their own trade through specialization (e.g., leveraging crowdsourcing to procure credentials from Initial Access Brokers) and customization of ransomware tools. This is likely compounded by law enforcement efforts to dismantle prominent RaaS operators, such as Hive[1] in early 2023 and more recently BlackCat[2] and LockBit[3].
In 1Q 2024, we responded to an incident involving Mario ESXi ransomware strain. Consistent with other ransomware actors, the threat actor strategically targeted the victim’s backup systems to maximise damage and thereby increase their chances of receiving ransom payment. We assessed that the threat actor may be working with RansomHouse Ransomware-as-a-Service (RaaS) group to publish leaked data as part of their double extortion tactics. However, we had observed that RansomHouse collaborated with other opportunistic threat actors leveraging different strains of ransomware, such as 8BASE, BianLian, and White Rabbit. This specialization allows smaller threat actors to devote their limited resources to developing custom malware strains, potentially off leaked source code of other larger RaaS groups. For example, Mario ransomware utilised leaked Babuk code to develop the .emario variant to target ESXi and .nmario to target Network Attached Storage (NAS) devices.[4][5] We anticipate new, smaller RaaS groups in 2024, and a continued increase in ransomware attack volume.
Organisations must rethink how they define vulnerabilities as threat actors now leverage different “classes” to target their victims
Organisations have made efforts to mitigate the exploitation of Common Vulnerabilities and Exposures (CVEs) through timely patching and vulnerability management. However, opportunistic threat actors have adapted their attacks by targeting different “classes” of vulnerabilities, such as misconfigurations, exposed administrative portals, or unintended disclosure of sensitive information, as opposed to phishing as the ticket of entry for their attack.
In early 2024, we responded to a Business Email Compromise (BEC) incident in which there were two “classes” of vulnerabilities. First, the production web server had been misconfigured to expose the underlying directory listing; within that directory listing contained a configuration file (.env) that included plain text credentials of various email accounts. Second, those email accounts did not enable multi-factor authentication (MFA), which allowed the threat actor to login to Microsoft 365. Traditional penetration testing exercises may overlook these vulnerability “classes”, but threat actors have adapted their reconnaissance methods to identify these means of achieving initial access. It is crucial for organisations to rethink how they define vulnerabilities and consider any weakness that can be exploited by threat actors to gain access to their environment.
At the tail end of 1Q 2024, we observed a sophisticated supply chain attack unfold, as unknown threat actors attempted to inject malicious code into an open-source library.[6] Despite its assignment of a Common Vulnerabilities and Exposures Identifier, the “vulnerability” emphasises the heightened dependency on libraries and supply chain risks associated. Not only should these vulnerability “classes” be expedited for remediation, but they should also be treated as cyber-attacks given the nature of the impact. As this vulnerability “class” cannot be addressed through preventive or detective measures, it is crucial that organisations develop proactive response plans to enhance their cyber-readiness against such attacks. This includes maintaining asset inventories and cooperating with DevSecOps to identify impacted systems and containing the incident through patching and subsequent threat hunting.
Prioritise resources on securing identity, as this is becoming the most valuable and targeted asset
While organisations strengthen their security defenses through measures like rapid vulnerability patching and MFA enablement, threat actors would explore other means to bypass heightened controls. For example, phishing attacks once focused solely on obtaining valid credentials such as username and password. As MFA become more commonplace, threat actors had to shift their targeting to steal valid, authenticated sessions cookies that proves the victim’s ongoing and authenticated session within the website. Though adversary-in-the-middle (AiTM) has been observed at least since 2022[7], the adaptation has been rapidly accelerating, compounded by the availability of Phishing-as-a-Service toolkits to lower the technical entry thresholds of cybercriminals.
In 1Q 2024, we responded to two separate BEC incidents launched within days of each other against the same victim. While we were unable to confirm if they were two separate campaigns, they both harboured similar characteristics of AiTM attacks – such as the use of rented infrastructure in abnormal geographies to conceal true identity upon login; achieving persistence through manipulating inbox rules, deleting emails, and removing email notifications to hide suspicious actions; and impersonating the user as a trusted party to execute fraudulent transactions to internal users and external parties. This demonstrates the need to adopt a more robust security baseline to secure identities, including managing devices against a compliance profile together with innovative means to detect for AiTM attacks. Please look out for our upcoming blog post would elaborate the latest BEC incidents as well as our proprietary approach to detect and respond to AiTM attacks.
Artificial Intelligence (AI) is the new hype which both attackers and defenders are looking to weaponize
The emergence of AI has led to a significant wave of interest in how it can be leveraged in cybersecurity. From a threat actor’s perspective, we have observed since mid-2023 and throughout 1Q 2024 the use of AI in the form of “automation intelligence” to reduce the time to weaponize certain “classes” of vulnerabilities. For example, we have observed through our threat intelligence investigations that threat actors are rapidly generating new social media profiles to target unsuspecting victims. While their motivation and capabilities are unclear, it is evident they are exploring and fine-tuning their standard operating procedures due to potential operational security errors (e.g., use of male pronoun for a LinkedIn profile with a female picture, likely generated from AI). In other reports, we have observed that deepfakes have been utilized for financial gain, with one Hong Kong-based incident involving a digitally recreated version of its chief financial officer ordering money transfers in a video conference call.[8] It is likely that AI would be further adapted to be misused for various motivations.
This is a call for cyber defenders to explore how to weaponize AI to keep pace with threat actors. Machine learning techniques allow AI-embedded solutions to adapt to an organisation’s environment and distinguish between normal and anomalous behavioural activity. AI also has the potential to identify abnormal activity by regular users, indicating potential impersonation attempts or credential abuse, addressing the threat of identity-based attacks. Additionally, AI is employed in investigating and responding to incidents, as seen in solutions like Microsoft Copilot for Security, enables heightened efficiency and capabilities of defenders using generative AI. It is expected that AI will continue to uplift cybersecurity professionals by automating repetitive tasks, conducting analysis, proactively identifying threats, and accelerating knowledge acquisition.
Recommendations to Secure Your 2024
Whilst there is no telling for certain how the rest of 2024 will unfold, our 2023 experiences taught us invaluable lessons on how organisations can continue to harden their cyber security posture to adapt to the ever-evolving cyber threat landscape.
Continuously monitor and minimise your attack surface to proactively and rectify potential security weaknesses that may expose you to external threats and improve situational awareness to prioritise improvement areas in your cyber defense strategy.
Regularly review your asset inventory, ensuring Internet-facing applications, exposed administrative ports, and non-production servers are intended to be publicly accessible, are appropriately configured and segmented from your internal network, and prioritised in your vulnerability and patch management process.
Conduct dark web monitoring, social media listening, and young domain monitoring to identify mentions or impersonation attempts of your organisation that may indicate potential intent, opportunity, or active targeting against your organisation.
Leverage a bug bounty program to crowdsource the expertise of ethical hackers to identify otherwise unknown vulnerabilities and security weaknesses that could otherwise expose you to potential exploitation by malicious actors.
Protect identities through a layered defense strategy to prevent and detect unauthorised access, impersonation, or misuse of personal information.
Govern and apply appropriate access controls and permissions following the principle of least privilege for all users, ensuring access is conditional and restricted only to the resources necessary to perform their job functions. This includes implementing strong authentication mechanisms such as multi-factor authentication (MFA), role-based access controls (RBAC), and continuous monitoring of user activities to detect any suspicious behaviour.
Establish behavioural-based detection for user activity to monitor for anomalies, tuning rules to expire tokens and disable sign ins when suspicious behaviour is detected.
Prioritise the protection of privileged accounts by implementing strong privileged access management (PAM) controls, such as privileged identity and session management, regular credential rotation, and monitoring of privileged user activities, to mitigate the risk of unauthorised access and potential misuse of high-level privileges.
Adopt a zero trust strategy, enforcing authentication and authorisation at every access point, regardless of whether it is within or outside the organisation’s network perimeter.
Unify and consolidate applications to streamline access controls and reduce potential attack surfaces by eliminating unnecessary or redundant applications, minimising the complexity of managing access policies, and ensuring consistent security measures across the application landscape.
Implemented and enforce a compliance profile across your managed devices, regardless of whether it is corporate-provisioned or bring-your-own-device (BYOD).
Secure DevOps environments through the implementation of zero trust principles, ensuring cybersecurity is considered at the forefront of innovation and implementation of new technologies. Ensure appropriate training is provided to DevOps professionals to build and implement securely.
Consider the long term goal of transforming your security architecture to follow the Secure Access Service Edge (SASE) framework to enable a flexible, scalable, more secure approach to your network security strategy.
Manage supply chain risks posed by third- and fourth-party vendors through robust vendor risk management and ongoing monitoring
Conduct thorough due diligence before engaging with a third-party vendor or partner. Perform comprehensive due diligence to assess their security practices, including their vulnerability management processes, security controls, and incident response capabilities, to ensure they align with your organisation’s risk tolerance.
Implement a robust vendor management program that includes regular assessments, audits, and contractual agreements that define security requirements and expectations. This program should also outline the responsibilities of both parties regarding vulnerability management, incident reporting, and remediation timelines.
Continuously monitor third-party systems and conduct regular vulnerability assessments to identify potential weaknesses. This includes scanning for vulnerabilities, tracking patch management, and engaging in ongoing dialogue with vendors to address any identified vulnerabilities in a timely manner and mitigate supply chain risks.
Further information
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.
As the global cyber threat landscape continues to evolve, defenders will continue to play catch-up by finding ways to prevent, detect, respond and recover from cyber-attacks. However, we need to further democratize security and get citizens of all technical backgrounds more involved in order to fight back against latest threats that target both organizations and individuals alike.
The digital age has given rise to an urgent demand for cybersecurity professionals worldwide. However, this demand has surpassed the available workforce, resulting in a significant talent gap. The (ISC)² Cybersecurity Workforce Study 2022 reveals that despite a workforce of 4.7 million professionals, there are 3.4 million unfilled cybersecurity positions globally. [1] In the Asia Pacific region, where digital transformation is in full swing, the talent gap remains a concern. Nonetheless, there have been positive developments, with a 15.6% growth rate in the cybersecurity workforce. Singapore and South Korea stand out for their efforts in closing the talent gap within their countries.
In this article, we will explore diverse cybersecurity career paths, examine the factors contributing to the closure of the talent gap in certain regions, and discuss steps Hong Kong can take to address this pressing issue. Understanding the global cybersecurity talent landscape is vital for building a stronger and more secure digital future.
Understanding the Various Cybersecurity Roles and Responsibilities
In cybersecurity, roles are categorized using the InfoSec color wheel, which highlights the roles and responsibilities of different teams. [2] The primary roles include the Red Team (offensive security), Blue Team (defensive security, remediation and orchestration), and Yellow Team (combining security and development expertise). Collaboration between these teams leads to secondary roles: Purple Team (maximizing Red Team’s results and enhancing Blue Team capabilities), Green Team (improving code-based defense via DevSecOps), and Orange Team (increasing security awareness in software development).
To understand the tasks, competencies, skills, and knowledge associated with these roles, we can refer to frameworks such as the National Initiative for Cybersecurity Education (NICE) Framework [3] or the European Cybersecurity Skills Framework (ECSF). [4] The NICE Framework provides comprehensive insights into cybersecurity roles, including roles like Red Team Operator, Blue Team Analyst, Secure Software Assessor, and Compliance Manager. Meanwhile, the ECSF outlines competencies and knowledge domains, and encompasses roles such as Cybersecurity Engineer, Incident Responder, and Risk Manager. These frameworks serve as valuable references for individuals seeking to understand the specific responsibilities and requirements of various cybersecurity roles.
By embracing the diverse range of cybersecurity roles and promoting collaboration among them, organizations can establish a strong cybersecurity posture. This collaborative approach ensures effective defense against evolving cyber threats and enables a comprehensive security strategy.
Hong Kong’s Progress and Areas for Improvement
In recent years, Hong Kong has made notable advancements in its cybersecurity landscape. The introduction of Hong Kong Monetary Authority’s Cyber Resilience Assessment Framework (C-RAF) [5] and the Professional Development Programme (PDP) [6] has expanded the roles of red and blue teams alongside traditional compliance functions. Additionally, the adoption of public cloud technologies has driven growth in design/architect and develop/build roles, which has helped to boost the capacity and capabilities of the yellow team.
However, Hong Kong still faces challenges, particularly in building a sufficient talent pool for red and blue team roles. While Singapore boasts over 2,000 qualified candidates with credentials like CREST Registered Penetration Tester (CRT) and Offensive Security Certified Professionals (OSCP), Hong Kong has fewer than 300 qualified professionals, indicating a significant talent gap. Singapore stands out for its proactive approach to talent development. While individual licensing is not mandatory, companies offering licensable cybersecurity services must seek accreditation. [7] Furthermore, the Monetary Authority of Singapore has invested SGD 400 million in the Financial Sector Development Fund to enhance digital workforce competencies, including cybersecurity expertise. [8]
To strengthen Hong Kong’s cybersecurity workforce, it is crucial to invest in specialized training programs, foster collaborations between academia and industry, and promote recognized certifications and qualifications. Emulating Singapore’s commitment to talent development can help Hong Kong address the evolving cyber threats effectively.
How to Address the Talent Gap?
To tackle the potential problems surrounding the lack of cybersecurity talent in Hong Kong, it is crucial to ensure that the investments made are targeted and effectively utilized. While Hong Kong’s investment in cybersecurity is comparable [9], if not higher, than other regions, it is essential to focus on areas that require more talent, particularly in the primary colors of red and blue teams, rather than the traditional “white” team roles.
The talent gap in red team roles is already significant, with Singapore experiencing a tenfold gap compared to Hong Kong. To stay competitive, it is vital to nurture these talents at an early stage, even as early as secondary or tertiary education. This can only happen if the Hong Kong government recognizes the value of “ethical hacking” as a form of innovative problem-solving and includes it in educational curricula. However, it is concerning that the 2023-24 Budget page does not even mention cybersecurity, and that feels like a “missed opportunity” that should be addressed in future budgets. [10]
While demand generation efforts such as local bug bounty programs like Cyberbay [11] are valuable, they can only be fully effective with a steady supply of skilled and qualified professionals. It is crucial for the government to prioritize cybersecurity in its policies and allocate resources for the development of cybersecurity talent. By recognizing the importance of cultivating cybersecurity skills and incorporating them into educational initiatives, Hong Kong can build a robust talent pool and foster an ecosystem that supports the growth of the cybersecurity industry. This will help Hong Kong keep pace with market demands and maintain its position as a leading cybersecurity hub.
Conclusion
To support the ecosystem, we need an uplift of all talents, but in particular the red and blue teams. Those talents are severely lacking in Hong Kong as words like “hacking” are frowned upon by parents as well as the private and public sector. While demand generation such as bug bounty programs and supply programs such as Cyber Academies can help, this would not change until we either enforce the need to have such talent through law or regulation, or to have education programs that have sufficiently low barrier to entry, at least from a cost perspective, given our assessment that cybersecurity knowledge is actually a common good.
Further information
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.
As the cyber threat landscape continues to evolve and threat actors increasingly target vulnerable external-facing assets, bug bounties present organizations with an opportunity to proactively identify and remediate vulnerabilities before they can be exploited by attackers.
In today’s digital age, cyber threats have become increasingly prevalent, and enterprises are struggling to keep up with the pace of these threats. This is evident in the number of disclosed vulnerabilities and identified zero-days. For example, the number of vulnerabilities increased from 20,171 in 2021 to 25,227 in 2022, which represented a growth rate of 25 percent [1]; meanwhile, there were 80 zero-days exploited in the wild in 2021, which is more than double the previous record volume in 2019. [2] These statistics indicate that the traditional methods of cybersecurity are no longer sufficient to protect businesses from evolving cyber-attacks.
As a result, bug bounty programs have become increasingly popular as a way for organizations to identify and remediate vulnerabilities in their systems. These programs offer organizations the opportunity to leverage the skills of the global cybersecurity community to identify vulnerabilities in their systems and applications. PwC’s Dark Lab explores the benefits of bug bounty programs, along with the potential roadblocks that hinders its wide-scale implementation, and proposes potential solutions that reduces the barriers to entry such that enterprises can leverage it is a viable business risk management strategy to tackle the dynamic cyber risk landscape.
Bug Bounty Programs – An Overview
A bug bounty programme allows organizations to define and scope a program where security researchers are allowed to try to identify security vulnerabilities – often within a subset of the organisation’s technical infrastructure – in exchange for financial or non-financial ‘bounties’ for successfully validated vulnerabilities. Bug bounty programs were introduced by NetScape in 1995, though have evolved significantly since then. [3] Today, there are multiple bug bounty platforms and services available that provide organizations with a streamlined way to engage with the cybersecurity community, including HackerOne, BugCrowd, and YesWeHack. One notable example of a successful bug bounty program is the Microsoft Bug Bounty Program, in which US$13.7 million to more than 330 security researchers across 46 countries in 2021. [4]
Governments have also recognized the importance of bug bounty programs in strengthening their nation’s cybersecurity posture. For example, review of 2018 Cybersecurity Act Paragraph 5 suggests that service providers providing traditional cybersecurity assessment services (e.g., vulnerability scan or penetration test) must first obtain a license [5], whereas companies providing bug bounty platforms and/or services are exempted [6], implies that the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) regards bug bounty programs in higher esteem – more of a public good as it underscores a greater value brought to society.
Issues Faced by Bug Bounty Programs
Despite the growth of bug bounty programs, there are still market barriers that prevent the public good from being consumed. One major issue is the pricing of the vulnerability, given vendors determine the value of a bug. The lack of a “free market” in which security researchers are not properly incentivized leads to a “tragedy of the commons” situation, in which they seek for a greater economic reward of their proof-of-concepts in alternate markets, such as the dark web or to established threat actors. The pricing misalignment is compounded by the lack of legal protection and standardized guidance for security researchers to identify and disclose vulnerabilities, which further makes it less likely for them to obtain a payout due to the plethora of grey areas which may inadvertently lead to potential punishment. [7] This is also not helped by poor communication in certain cases, where there is a lack of criteria or requirements on the compensating schemes, restrictions and limitations, and handling of duplicated reports. [8]
Meanwhile, not all hackers are not motivated by money. For example, espionage threat actors are looking for information, and hence no amount of financial incentive would lead to them disclosing and/or monetizing their zero days. [9] And in general, most researchers are motivated by more than one or a combination of factors and motivations, such as prestige or to advance their career, for the challenge or to have fun, or for other ethical or ideological reasons, so it is not feasible to focus solely on financial incentives. [10] Meanwhile, bug bounty programs were also meant to address the lack of a large number of skilled and qualified security researchers who know how to “hack to earn” by crowdsourcing vulnerability identification; this continues to be an issue despite bug bounty programs being in place for over 25 years. [11]
How to Address those Issues?
There are several ways to fix the potential problems surrounding bug bounty programs. One solution is to have an independent platform that connects security researchers with organizations, similar to Uber. This platform would allow for rewards to be based on an amount that can be auctioned at the right price, with the oversight of the technology owner. This platform should connect the right level of talent with the right buyer, such that they can align on their incentives.
Another solution is to enhance legal frameworks, similar to what Singapore has done, to recognize the importance of bug bounty programs and to have certified or accredited personnel to perform this task. The legal framework should mandate companies to implement and operationalize a vulnerability disclosure policy (VDP) to provide straightforward guidelines for the cybersecurity research community and members of the general public on conducting good faith vulnerability discovery activities directed at public facing and/or internal applications and services. This VDP also instructs researchers on how to submit discovered vulnerabilities, impacted security vendor(s) (if applicable), and other relevant parties (where applicable) ethically and in a safe manner, with clear guidelines on how to disclose such vulnerabilities.
Finally, there needs to be an investment in talent development to ensure that there is a sufficient number of skilled and qualified security researchers who know how to “hack to earn” by finding vulnerabilities in the first place. Ideally, the legal framework should also mandate the need for security researchers to attain certifications and accreditations with practical elements. That would have a positive downstream impact on investment in cybersecurity education and training, thereby establishing a healthy pipeline of skilled cybersecurity professionals who can join bug bounty programs.
Conclusion
Despite the challenges, bug bounty programs offer significant benefits to organizations looking to strengthen their cybersecurity posture. By reducing the barriers to entry, bug bounty programs can be used as an effective business risk management strategy. In addition, the success of bug bounty programs may lead to the potential rise and fall of other connected markets. This includes the potential drop-off of cyber insurance as security researchers would look to profit in legal markets rather than parallel markets like the dark web, or the reduction in traditional vulnerability assessment and penetration testing services as bug bounty programs are continuously run. Meanwhile, new service offerings such as talent development may arise to ensure there is a greater demand of security researchers to meet the increased desire to identify and “supply” vulnerabilities. We expect the adoption of bug bounties in Hong Kong and globally to pick up in the next five years, as it is a cost-effective way to improve cybersecurity through crowdsourcing to qualified security researchers with diverse backgrounds and varying degrees of experience.
Further information
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.
In a blink of an eye, 2023 is upon us. As we bid farewell to another record-breaking year of increased disclosed vulnerabilities, ransomware incidents, phishing scams, data breaches, and crypto heists, it is hard not to imagine that this year will be any less eventful as threat actors aggressively lower the barriers to entry of “cybercriminalism” by crowdsourcing their tasks. Based on PwC Dark Lab’s observations throughout 2022, we share our assessment of the potentially most prevalent threats and potential trends in the upcoming year.
Hackers will weaponise exploits at an even faster rate and scale to bypass heightened controls, thus achieving near-instant impact beyond initial access
Threat actors have demonstrated their increasing sophistication in speed and scale through the decreased timeframe required to weaponise critical vulnerabilities. In 2022, threat actors were able to weaponise critical vulnerabilities such as Zimbra Collaboration arbitrary memcache command injection (CVE-2022-27924) and FortiOS authentication bypass (CVE-2022-40684) within three (3) days of the Proof-of-Concepts (POCs) being published to perform unauthenticated remote code execution. In extreme cases such as Log4Shell (CVE-2021-44228), we observed that the weaponisation occurred a mere eight (8) hours after public release from our first incident response of the year (read more here).
Part of the reason why threat actors need to go faster is due to improved security controls of service providers. For example, Microsoft announced in February 2022 that Microsoft Office would automatically block Visual Basic Applications (VBA) macros in all downloaded documents by default in a phased rollout approach between April and June. As a result, we observed threat actors expeditiously developing novel exploits to perform client-site execution that bypasses the newly introduced security controls. [1] This includes the Mark-of-the-Web (MOTW) vulnerability (CVE-2022-44698) which allows for specially crafted ZIP and ISO files to be downloaded and executed without undergoing integrity checks on the user’s endpoint. [2] PwC’s Dark Lab has actively responded to an incident in August 2022 that observed the threat actor deploying Magniber ransomware after exploiting the MOTW vulnerability.
Meanwhile, exploit toolkits are not new but are being matured to an extent where threat actors of all sophistication can utilise to achieve near-instant impact beyond just initial access. In the cases of Zimbra (CVE-2022-27924) and FortiOS (CVE-2022-40684), our incident response experience suggests that threat actors likely leveraged exploit toolkits to automatically chain the POC exploit with standardised steps to establish persistence, perform discovery, move laterally, and achieve elevated privileges if applicable. As a result, victims that did not swiftly apply patches or workarounds to mitigate the risks associated with critical vulnerabilities likely needed to conduct intelligence-led threat hunting to ensure that their environment was not further impacted in any way.
We hypothesise that the rate and scale of weaponisation would further increase as threat actors look to find novel means to bypass increasingly mature security controls at an organisation’s external perimeter, aided by threat actors maturing their automated toolkits to maximise impact upon initial access. The number of vulnerabilities in 2022 had already grown at an inexorable rate of 25 percent from the previous year from 20,171 to 25,226[3], including the SonicWall SSL VPN post-authentication arbitrary file read vulnerability zero-day (CVE-2022-22279) [4] that Dark Lab discovered in an incident response case by the LockBit Ransomware-as-a-Service (RaaS) group in March 2022 (read more here). In that case, we uncovered during our incident response that the exploit code was actively being circulated and discussed on dark web forums in February 2022 and actively weaponised by several threat actors several days after disclosure to circumvent multi-factor authentication (MFA) access controls if they had access to valid credentials.
Human-operated ransomware threat actors will increase their sophistication to make-up the shortfalls of the Crypto winter
Human-operated ransomware attacks have dominated the cyber threat landscape over the past three years, booming just prior to the wake of the Covid-19 pandemic in 2020. This is largely attributed to the rise of RaaS, such as LockBit 3.0 and BlackCat who have lowered the barriers to entry for low-level threat actors by providing a subscription-based affiliate model offering custom-developed ransomware packages.
Even as the cryptocurrency markets falter, our monitoring of the overall number of listed victims on ransomware group leak sites has not dropped significantly throughout 2022. To put this into context, since the downfall of the prominent industry-leading cryptocurrency exchange FTX [5], Bitcoin and other cryptocurrencies were down almost 70 percent relative to the start of the year. However, their value remains significantly higher in comparison to 2020 levels, suggesting that ransomware groups will not disappear.
We posit that ransomware attacks will continue to rise as threat actors look to increase their victim list to make up for the staggering decline in the value of cryptocurrencies and the extreme market volatility. Simple economics suggests that threat actors would need to make up their shortfall in cryptocurrency value decline by either increasing the ransom pay-out rate (i.e., probability) or increasing the number of victims (i.e., supply). As organisations’ defenses become more advanced, cybercriminals may also need to shift to more sophisticated techniques to achieve initial access. In a recent incident response, we also observed the RaaS group Black Basta achieve initial access via a mass-scale phishing campaign before deploying ransomware (read more in a future blog post!). We expect more of the same in 2023.
The race for talent is on – threat actors are collaborating, crowdsourcing, and leveraging artificial intelligence (AI) to innovate. Enterprises will level the playing field by embracing “learn to hack” and “hack to earn” concept.
Threat actors have always been looking to gain a competitive advantage by specialising and crowdsourcing their skillsets. In 2022, our dark web monitoring allowed us to observe a 400 percent increase in listings of Initial Access Brokers (IABs), which are specialised cybercriminals that sells access to compromised networks. This outsourcing model allows other cybercriminals, such as affiliates of RaaS groups including BlackCat/ALPHV, to focus on their domain expertise (read more here). This demonstrates that this model was effective to a large extent.
However, talent has never been more scarce. Innovative threat actors have resorted to other channels for growth and inspiration. For example, other RaaS groups such as LockBit 3.0 RaaS group introduced the first bug bounty programme offered by cybercriminals. This included up to US$ 1 million for hackers of all backgrounds should they identify critical flaws in their malware, tools, or infrastructure. [6] Other threat actors have been observed from our dark web monitoring to host regular hackathons promising prize pools of up to one (1) Bitcoin for technology-specific POCs. Finally, the introduction of new tools such as ChatGPT has pushed the barrier to entry to a much lower level, and it has never been easier for script kiddies to weaponise their exploits.
We theorise that threat actors would further seek out various means to improve their competitive advantage, including collaboration and crowdsourcing. This was already an existing trend due to the RaaS affiliate model and attack-as-a-service models such as IABs, but is being disrupted by bug bounty programmes, hackathons, and artificial intelligence as a means to overcome the global cybersecurity talent shortage and skills gap. [7] As a result, enterprises are now facing an uphill battle against threat actors that are led by organisations that are harnessing the power of the people. To level the playing field, we also expect that enterprises will explore how to embrace the “learn to hack” and “hack to earn” concepts. We posit that leading enterprises will participate in bug bounty programmes and shift away from regular vulnerability scans and penetration testing to continuous assessment by bounty hunters who may not be affiliated with any vendor. Meanwhile, we also expect to see the establishment of cyber academies with the intention of democratising security through the re-skilling and upskilling pf all interested individuals regardless of their technical background. This would also provide enterprises with a new talent pipeline to ensure we have sufficient resources to fight back against “cybercriminalism”.
Web-based exploitation and targeting of individual consumers will follow-up on the hype of metaverse and the web3 ecosystem
The metaverse has quickly gone from concept to working reality in the past years. A lot of talk in 2022 was focused on simulating physical operations on the metaverse activities through games, virtual experiences or shopping with cryptocurrency and other digital assets. These experiences are underpinned by technologies such as virtual reality (VR), augmented reality (AR) devices, and artificial intelligence (AI), which naturally introduce new risks and accentuates old ones due to interoperable platforms in web3. [8] In particular, phishing email and messaging scams are already successfully leveraged by threat actors to steal passwords, private keys, personal information and money. In the metaverse, that could be even easier, especially if people think they are speaking to the physical representation of somebody they know and trust, when it could be someone else entirely. [9]
We posit that 2023 would be the year where threat actors, in particular cybercriminals, make a large jump towards targeting both businesses and individual consumers, with an increased focus to exploit web-based vulnerabilities for initial access as a result of the growing connectivity and digitalisation. We had already observed this uprising trend in late 2022 with large-scale global smishing campaigns targeting Hong Kong and Singapore citizens by masquerading as trusted and reputable locally-based public and private postal service providers (read morehere). The metaverse and web3 exacerbates consumer-targeting and introduces new vulnerabilities to an increased attack surface. Aside from smart contract weaknesses, further web-application based vulnerabilities such as Spring4Shell (CVE-2022-22965) is expected to be discovered, weaponised, and utilised by threat actors to deploy cryptocurrency miners. [10] PwC’s Dark Lab had uncovered the Spring4Shell POC on the dark web two days prior to the disclosure of the zero-day vulnerability (read more here), which further emphasises on the notion that the rate of weaponisation continues to accelerate from weeks to days or even hours.
Recommendations to Secure Your 2023
There is no telling with certainty what 2023 holds, but our experience with the challenges of 2022 teach us a number of valuable lessons on how organisations can harden their cyber security posture to protect against a multitude of attack vectors.
Grow selective hands-on technical capabilities in-house, and look to outsource and crowdsource your organisation’s security –
Get started with bug bounty programmes: organisations should look to emulate threat actors’ by crowdsourcing specific parts of their security initiatives. In particular, organisations should explore onboarding to bug bounty programmes as it leverages the competitive advantage of the community to identify potential vulnerabilities and misconfigurations rapidly and continuously in their external perimeter. This would level the playing field, and ensure that enterprises are not alone in facing threats from threat actors groups and their affiliates by themselves. If this route were pursued, organisations should ensure they have proper governance and processes (e.g., Vulnerability Disclosure Policy) to ensure responsible disclosure of potential vulnerabilities by bounty hunters.
Upskill and reskill your current workforce’s technical capabilities: organisations should not just rely on purely outsourcing security tasks, given there is a global shortage of talent. Instead, they should look for practical hands-on technical courses that would upskill and/or reskill their existing workforce to be more proficient in cyber threat operations, including but not limited to offensive security, security operations, incident response, threat intelligence, and threat and vulnerability management.
Enforce a Layered Intrusion Defense Strategy
Continuously Discover and Harden Your Attack Surface: organisations should prioritise efforts to evaluate their attack surface exposure by reviewing public-facing services and technologies in order to assess the potential risks of internet-facing services and making necessary countermeasures to eliminate the risk, such as reducing internet-exposed infrastructure, network segmentation, or decoupling the demilitarised zone from the internal network.
Protect Privileged Accounts: as we observe threat actors pivot targeting to end users, it is critical to enforce strong credential protection and management strategies and solutions to limit credential theft and abuse. This includes leveraging technologies such as account tiering and managed services accounts, enforcing multi-factor authentication (MFA), credential hardening from privileged accounts, and regular reviewing of access rights ensuring that all practices align with zero trust and least privilege policies.
Review and Strengthen Email Security: review current email solution configurations to ensure coverage from preventative security solutions (including external firewalls and web proxies) and implementation of conditional access rules to restrict access of suspicious activity. Consider hardening email security by leveraging artificial intelligence and machine learning technologies to augment the authentication process and create an additional barrier to restrict potential threats from bypassing detecting and delivering to the victim.
Identifying and Protecting Critical Internal Systems: threat actors target critical systems (i.e. Domain Controllers, local and cloud backup servers, file servers, antivirus servers) that house highly sensitive information, which observed in various incidents were not protected by EDR solutions. It is crucial that organisations secure critical systems by enforcing heightened approach to devising security strategies for critical assets – including EDR, stringent patching standards, network segmentation and regular monitoring for anomolies and/or indicators of compromise.
Defending Against Lateral Movement: the majority of threat actors moving across network rely on mechanisms that are relatively easy to disrupt with security restrictions such as restriction of remote desktop protocol between user zones, network zoning for legacy systems, segmenting dedicated applications with limited users, and disabling Windows Remote Management, among others.
Continuously Assess your Attack Surface Exposure to understand what threats present the most prevalent challenges to your organisations and uplift preventive and detective strategies to protect against likely threats.
Establish a robust attack surface management programme to continuously identify potential vulnerabilities on your public-facing applications, discover potential shadow IT, and stay alert to potential security risks as a result of the changing threat landscape (e.g., newly registered domains that may look to impersonate your organisation). External-facing assets should be protected with the relevant security solutions and policies to prevent, detect, and restrict malicious activity, as well as to facilitate rapid response and recovery in the case of a breach.
Perform threat modelling to identify the threat actor groups most likely to target your region and/or sector, map your attack surface to the identified potential threats to assess how a threat actor could exploit your attack surface, and develop a plan of action to minimise that threat exposure. Regardless of whether there was a breach or not, we also recommend organisations conduct iterative intelligence-led threat hunting using the outputs of the threat modelling. As a result, the threat model also needs to be updated on a regular basis (i.e., several times a year, if not already continuously).
Establish continuous dark web monitoring to discover if there are data breaches related to your organisation, as well as if threat actors such as IABs looking to sell access to compromised accounts and breached external assets such as web applications and web servers.
Adopt a ‘Shift Left’ Mindset – embed cybersecurity at the forefront of innovation and implementation of new platforms, products, as well as the adoption of cloud or software solutions.
DevSecOps: embedding cybersecurity considerations from the initial development stage enables developers to identify and address bugs and security challenges early in the development progress, strengthening the security posture of the platform to reduce vulnerabilities and attack surface exposure.
Adoption of new technologies: the shift left mindset can also be applied to the adoption of cloud, security, and other software solutions. Organisations should be maintain oversight and awareness of new technologies being deployed in their network, assess the scope and coverage of the solutions, and subsequently develop a process to assess the security implications and risks of using these technologies.
Further information
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.
