Malware-as-a-Service

Ransomware’s Uneven Playing Field: Re-Thinking Protection and Detection from Small and Medium Enterprises

Recently, Dark Lab attended a conference to present the lessons learnt from ransomware incidents impacting small and medium enterprises (“SMEs”), and how these lessons learnt can help us find effective measures against ransomware threats.

Apart from our experience dealing with ransomware, it has been reported by the industry, that 85% of ransomware attack victims are small businesses.[1] These businesses present as lucrative targets for opportunistic ransomware actors, given their limited access to resources to implement robust security solutions.

In the past year, we have responded to numerous ransomware incidents involving small to medium enterprises (“SMEs”) that lack of the resources to invest in advanced security tools such as Endpoint Detection and Response (“EDR”) or Security Information and Event Management (“SIEM”) systems. Despite the absence of these tools, our incident response efforts have revealed simple controls that can effectively serve as containment, preventive, or damage-control measures.

Our presentation covered several ransomware incidents involving both well-known operators and newcomers to the field. We provided our insights into the threat intelligence associated with these actors, analyse the Tactics, Techniques, and Procedures (“TTPs”) used compared to large-scale ransomware, and share lessons learned from handling these incidents, including mistakes made by the threat actors. We further note the potential applications of these strategies in larger enterprises as a means to strengthen their own posture.

This blog will deep dive into the threat intelligence associated with the current ransomware landscape, the Tactics, Techniques and Procedures (“TTPs”) behind ransomware attacks, and our lessons learnt along with the insights from previous incident experience.

The Current Ransomware Landscape

Figure 1: Overview of changes in the ransomware landscape

In 2024, we observe an increasingly unpredictable and diverse ransomware landscape following multiple disruptive events that have reshaped how the ransomware ecosystem operates today.

Figure 2: Timeline of 2024’s “major disruptors” in the ransomware and wider cybercriminal landscape

Significant catalysts for these shifts include the persistence of law enforcement disruptions against larger Ransomware-as-a-Service (RaaS) operators, as exemplified in the ongoing #OpCronos against LockBit. Not to mention BlackCat’s alleged exit scam following allegations of failure to payout their affiliate for their attack on UnitedHealth.

These two instances alone incited heightened scepticism and distrust within the cybercriminal community, leading to a shift away from these “market leaders”. Quickly, we observed smaller and new players seize this opportunity to establish their presence within the ransomware ecosystem. Not only applying the lessons learnt from the downfalls of bigger players, and factoring in the changes to the ways in which victims respond to ransomware attacks, we observe these new joiners seeking to distinguish themselves and increase their chances of success through alternative means of approaching ransomware attacks. For example;

Figure 3: Latest trends observed amongst newer ransomware groups

A Focus on SMEs

Contrary to the misconception that SMEs are not a priority for ransomware groups due to the lower payout opportunity, we observe the majority of ransomware attacks are targeted against SMEs. This is as larger enterprises are now well-equipped with security solutions designed to prevent and detect against impending threats, thus posing SMEs as enticing targets for a higher likelihood of success.

We attribute this to a number of factors; limited funds to invest in cybersecurity professionals and technologies, lack of preparedness to respond to an attack, and the impact that operational disruptions may have on the viability of the business. Statistically, 75% of SMEs could not continue operating beyond seven (7) days if hit by ransomware [2], whilst 20% of SMEs that fell victim to a ransomware attack paid the ransom.[3] Furthermore, learning from the cases of LockBit and BlackCats’ notoriety, newer players seek to evade attention from media and law enforcement; conducting lower-profile attacks to maintain their presence and longevity.

Who’s targeting SMEs?

Figure 4: Snapshot of ransomware operators known to target SMEs

As seen in the image above, we observe both established RaaS operators who we track and know well, and newer players, experimental in the approaches to ransomware attacks, targeting SMEs. We note that this list is not exhaustive given the opportunistic nature of ransomware actors, and is further applicable in the context of larger enterprises.

With newer groups diversifying their attack methods and creating an increasingly ‘unpredictable’ ransomware threat, how can we stay focused?

Focusing on the “critical path”

Despite the abundance of new players on the market – bringing new approaches and techniques used to facilitate their attacks – we still observe overarching commonalities in their Tactics, Techniques, and Procedures (“TTPs”).

Figure 5: MITRE ATT&CK Heatmap – highlighting the most frequently leveraged TTPs*

The above MITRE ATT&CK heatmap compiles the TTPs used by various aforementioned threat actors. By focusing on the most frequently used TTPs (highlighted in red and orange), we can prioritise our efforts to strengthen defences against these techniques, creating a ‘critical path’ for us to focus our efforts in devising protection and detection.

This critical path provides a holistic view of RaaS operators, not just applicable to SMEs but all types of victims. In the case of SMEs, given the limited access to resources, this critical path provides a realistic baseline to focus resources on preventing and detecting against ransomware threats.

Our experience responding to ransomware attacks against SMEs

To consider how this “critical path” translates into real life, we referenced some historic cases we have battled, and the lessons learnt. Specifically, we deep dived into three (3) case studies, attributed to RansomHouse, SEXi (a.k.a. APT Inc.), and LockBit, respectively.

Each case study shared commonality in that initial access was obtained via breaching perimeter devices e.g., SSLVPN. However, the case studies provided a useful comparison on the degree of impact incurred within an SME environment depending on the presence (or lack thereof) sufficient security controls.

Figure 6: Case Studies – highlighted in pink are the techniques performed in these incidents

Case Study 1: RansomHouse affiliate (an “Old Guard”)

Figure 7: High-level timeline of incident attributed to RansomHouse affiliate

In the first case study, the RansomHouse affiliate achieved initial access via a known vulnerability. The affiliate proceeded to perform account brute forcing and network scanning using the commonly leveraged, SoftPerfect Scanner. Obtaining a service account granted with administrative privileges, the affiliate proceeded to perform Remote Desktop Protocol (RDP) for lateral movement. Notably, the service account was secured with a weak password and the last date of password reset was the same as its creation date – a common issue we have observed across SMEs, whereby they use a weak password for account creation, and subsequently neglect to change the password later.

The affiliate further enumerated the victim’s environment, obtaining additional credentials to access their ESXi, Network Attached Storage (NAS), various databases and Software-as-a-Service (SaaS) platforms. With their better understanding of the victim’s environment and the “crown jewels” to target for sensitive data, the affiliate proceeded to deploy the AnyDesk remote access software and a PowerShell script. This resulted in large outbound data exfiltration over 700 gigabytes (GB) of data before removing backups and deploying ransomware across their Network Attached Storage (NAS), backup servers, and virtual infrastructure (VMware ESXi) servers.

This case study highlights the sheer impact of a ransomware attack in environments lacking network segmentation, password policy enforcement, and sufficient access controls.

Case Study 2: SEXi affiliate (“New Blood”)

Figure 8: High-level timeline of incident attributed to SEXi (a.k.a. APT Inc.) affiliate

In our incident attributed to an affiliate of SEXi (now rebranded as APT Inc.) ransomware, the affiliate infiltrated via a SSLVPN entry, landing on a demilitarised zone (DMZ) server subnet. The affiliate was also observed to deploy the SoftPerfect Scanner for network discovery, resulting in the identification of a vulnerable Veeam Backup & Replication server. Exploiting the vulnerability to create a new local admin account, the threat actor proceeded to perform credential dumping on the Veeam server, obtaining valid ESXi and NAS credentials.

Pivoting to the ESXi and NAS servers, the SEXi affiliate proceeded to deploy their ransomware and delete all backup data on the NAS. Due to network segmentation in place, ransomware deployment was contained within the DMZ, and no data exfiltration was observed.

Case Study 3: LockBit affiliate (another “Old Guard”)

Figure 9: High-level timeline of incident attributed to LockBit affiliate

In our latest battle with LockBit, the affiliate infiltrated via a SSLVPN server using a valid SSLVPN account. In this case, the SSLVPN account belonged to a third-party vendor and had a weak password which had not been changed for over three (3) years. The affiliate landed on a DMZ zone, though due to poor network segmentation in place, the SSLVPN account was capable of accessing a management subnet with /16 IP addresses – a significantly large IP address range for the threat actor to access, not to mention a vendor.

Due to password reuse, the LockBit affiliate proceeded to takeover an administrator account, leveraged to laterally move to additional environments via RDP protocol. Notably, the admin account was utilised to perform a DCSync attack on the Domain Controller (DC). The affiliate then proceeded to perform data staging, focused on discovering Excel, PDF, and Word documents contained within shared folders. At this point, the affiliate installed MegaSync, a legitimate tool for data transfers, and created a folder for file staging. The affiliate then deployed ransomware. However, due to outbound network restrictions in place – no data exfiltration was involved.

Notably, the victim was not observed to be listed on LockBit’s dedicated leak site, which we hypothesised was due to their inability to exfiltrate data from the victim’s environment. This highlights the effectiveness in file transfer restrictions in not only mitigating against the compromise of data, but the ability to avoid reputational damage from public awareness of the ransomware incident.

Case Study Comparison; Same Same (TTPs), But Different (Impact)

Comparison of these similar attacks highlight how enforcing simple controls to restrict malicious activity can significantly minimise the impact of ransomware attacks.

Figure 10: Case Studies – summary of key observations

Through our incident experience, we highlight the following common issues in SMEs:

Initial access is achieved through preventable “low hanging fruit”, such as;
- Commodity VPNs (e.g., Fortinet SSLVPN, SonicWall SSLVPN, etc.)
- Infostealer data and credentials leaked on dark web
Lack of awareness and/or implementation of:
- Strong password policies – guidelines that enforce the creation and use of complex, hard-to-crack passwords
- Patch management – regular updating of software to remediate susceptibility to vulnerabilities that otherwise may be exploited by malicious actors
- Perimeter services – security measures that protect the outer boundaries of a network, such as firewalls and intrusion detection systems (IDS)
- Network segmentation – practice of dividing a network into smaller, isolated segments to limit access and lateral movement opportunities

What can SMEs do to minimise the risk and impact of ransomware threats?

From basic hardening configurations within Active Directory to enabling detection with honeytokens and strategically planning network restrictions, we share practical tips and strategies that we have implemented in our clients’ environments. This demonstrates how small businesses can reduce their risk from a full-scale ransomware attack or minimize the impact of such events. Additionally, we note that these strategies can be further leveraged by larger entities to strengthen their own environments.

Initial Access

Threat actors often seek “low hanging fruit” to gain initial access. For example, exposed SSLVPN gateways are frequently brute forced by malicious actors using leaked credentials.

The following tips can aid SMEs in minimising their attack surface exposure to reduce the risk of unauthorised access.

On the perimeter-level, SMEs can consider the follow tips to minimise their attack surface exposure;

Stock take exposed services, patch or restrict administrative portals
Trim down access from SSL VPN to internal network
Isolate the systems with legacy operating systems

Access controls can further limit the opportunity for threat actors to infiltrate and/or persist in their post-compromise stages;

Housekeep accounts, and strengthen existing multi-factor authentication
Trim down access from SSL VPN to internal network
Use a separate set of credentials for SSL VPN access

Discovery

Threat actors typically use tools like Network Scanners (e.g., SoftPerfect) that rely on file shares to enumerate files for targeting.

A file share is a network resource that allows multiple users or devices to access and share the files and folders over a network. Threat actors frequently leverage these file shares to identify files of interest (e.g., containing ‘password’, ‘confidential’, ‘finance’, ‘secret’, ‘backup’, ‘admin’, etc.).

To restrict the opportunity for threat actors to perform discovery via file shares, we recommend:

Perform a stock-take on file servers to identify critical files housing sensitive and/or confidential data
Review what users are allowed to access critical files, and restrict access based on the principle of least privilege

Canary tokens[4], otherwise known as a honey tokens, provide another avenue for proactive threat detection. Canary tokens are a digital identifier embedded within files, URLs, or systems to detect unauthorised access or activity. When an attacker interacts with a canary token, it triggers an alert to notify administrators of a potential breach.

Figure 12: Canary Token for Network Folders[5]

Figure 13: Canary Token for Windows Folders[6]

Lateral Movement

Threat actors target privileged accounts as part of their intrusion, in particular Domain Admins, leveraging their heightened privileges to perform various activities, spanning from data collection and exfiltration to ransomware deployment.

This begs the question; Do we really need to use “Domain Admins” for day-to-day operations?

Tips to secure domain admin accounts and reduce opportunities for lateral movement:

Account tiering is an effective means to reduce the risk of credential theft for administrative accounts. In short, it is the process of categorizing accounts and systems into tiers based on criticality. According to Microsoft, the “tier model creates divisions between administrators based on what resources they manage….[so that] admins with control over user workstations are separated from those that control applications”.[7]

Enforce logon restrictions to ensure highly privileged accounts do not possess access to less secure resources. For example, domain admins (tier 0) should not possess permissions to access user workstations (tier 2).[8]

Restrict login attempts from Remote Desktop Services[9]

Ensure critical systems are kept up-to-date with regular patching. This involves referencing the systems categorized as critical (or “tier 0), and prioritizing these systems in your patch management process. As an example, Veeam Backup & Replication[10] and ESXi instances [11] are regularly targeted by multiple groups for ransomware deployment.

Exfiltration (and Remote Access)

Threat actors frequently abuse legitimate solutions to facilitate their remote access (e.g., AnyDesk, TeamViewer, etc.) and data exfiltration (e.g., MegaSync, Rclone, etc.). Furthermore, in some cases we observed that host-based firewall may have been controlled by a compromised administrative account.

To detect for the malicious misuse of these legitimate tooling and/or accounts, we advise the use of an Active Directory-Integrated DNS (ADIDNS) sinkhole – ensuring proper Access Control Lists (ACLs) are configured.

A DNS sinkhole, otherwise known as a sinkhole server, is a DNS server that provides false information to prevent the use of domain names. It is a strategy used to block malicious traffic. When a device attempts to access a known malicious domain, the DNS sinkhole redirects the request to a non-routable address, effectively “sinking” the traffic and preventing the device from connecting to a harmful site.[12]

Conclusion

As the ransomware landscape continues to evolve and diversify in the threats faced, focusing on identification of predictable TTPs, or even a ‘critical path’, helps us prioritize efforts to defend against the most pertinent threats.

Whilst SMEs may struggle due to their technical limitations and resources, we hope this blog helps provide insight in the simple, yet effective means in which SMEs can uplift their security posture. As a reminder, implementation of these strategies requires carefully designed architecture and process planning (e.g., appropriate access controls, standard operating processes) to maintain effectiveness. Furthermore, we note that these approaches are universal and applicable in larger enterprises, providing proactive opportunities to harden your security posture.

What lies ahead for the future of ransomware?

As organisations increasingly shift to cloud and integration of Software-as-a-Solution (SaaS), we expect to see increased targeting against these environments. Whilst we already observe ransomware actors selling compromised databases, we project an uptick in the reselling of access for re-intrusion into victim environments by other threat actors. The application of artificial intelligence (AI) and automation intelligence within the cybercriminal is a continued discussion, as we anticipate threat actors expanding beyond the use of AI for content generation (in the context of social engineering) to other applications. There’s no telling for certain what else the future holds, but for now, let’s concentrate on safeguarding ourselves against the most crucial threats.

MITRE ATT&CK TTPs for the “Critical Path”

We include the observed MITRE ATT&CK tactics and techniques highlighted in the “critical path”:

MITRE ID	MITRE ATT&CK Tactic	MITRE ATT&CK Technique
T1583	Resource Development	Acquire Infrastructure
T1587	Resource Development	Develop Capabilities
T1588	Resource Development	Obtain Capabilities
T1566	Initial Access	Phishing
T1190	Initial Access	Exploit Public-Facing Application
T1078	Initial Access	Valid Accounts
T1133	Initial Access	External Remote Services
T1059	Execution	Command and Scripting Interpreter
T1053	Execution	Scheduled Task/Job
T1047	Execution	Windows Management Instrumentation
T1106	Execution	Native API
T1204	Execution	User Execution
T1569	Execution	System Services
T1136	Persistence	Create Account
T1543	Persistence	Create or Modify System Process
T1098	Persistence	Account Manipulation
T1505	Persistence	Server Software Component
T1547	Persistence	Boot or Logon Autostart Execution
T1055	Privilege Escalation	Process Injection
T1134	Privilege Escalation	Access Token Manipulation
T1027	Defense Evasion	Obfuscated Files or Information
T1562	Defense Evasion	Impair Defenses
T1112	Defense Evasion	Modify Registry
T1140	Defense Evasion	Deobfuscate/Decode Files or Information
T1036	Defense Evasion	Masquerading
T1218	Defense Evasion	System Binary Proxy Execution
T1497	Defense Evasion	Virtualization/Sandbox Evasion
T1070	Defense Evasion	Indicator Removal on Host
T1222	Defense Evasion	File and Directory Permissions Modification
T1564	Defense Evasion	Hide Artifacts
T1003	Credential Access	OS Credential Dumping
T1083	Discovery	File and Directory Discovery
T1082	Discovery	System Information Discovery
T1018	Discovery	Remote System Discovery
T1057	Discovery	Process Discovery
T1135	Discovery	Network Share Discovery
T1016	Discovery	System Network Configuration Discovery
T1046	Discovery	Network Service Discovery
T1069	Discovery	Permission Groups Discovery
T1087	Discovery	Account Discovery
T1482	Discovery	Domain Trust Discovery
T1518	Discovery	Software Discovery
T1021	Lateral Movement	Remote Services
T1210	Lateral Movement	Exploitation of Remote Services
T1570	Lateral Movement	Lateral Tool Transfer
T1005	Collection	Data from Local System
T1560	Collection	Archive Collected Data
T1039	Collection	Data from Network Shared Drive
T1105	Command and Control	Ingress Tool Transfer
T1219	Command and Control	Remote Access Software
T1071	Command and Control	Application Layer Protocol
T1041	Exfiltration	Exfiltration Over C2 Channel
T1048	Exfiltration	Exfiltration Over Alternative Protocol
T1567	Exfiltration	Exfiltration Over Web Service
T1486	Impact	Data Encrypted for Impact
T1490	Impact	Inhibit System Recovery
T1485	Impact	Data Destruction

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Petty Thefts in Cybersecurity

Posted on August 12, 2024 by darklabhk

The term “data breach” has been engrained into the memories of board level executives to security engineers in the last few years. Typically referring to confidential or sensitive information being compromised by threat actors, we associate the term with all-out intrusions – from initial access from an exposed perimeter, to post-compromise activities aimed at facilitating the end goal of data exfiltration, often prior to ransomware deployment.

However, this trend is shifting. PwC’s Dark Lab describes an alarming trend of data breaches associated with a subset of cyberattacks targeting data platforms and web applications. We responded to multiple local incidents over the past few months in which less sophisticated threat actors operate on a smaller, yet impactful scale – such as the unauthorised access to a single system – to exfiltrate data and post on the dark web for financial gain. This still achieved significant reputation and legal implications due to the sensitive nature of the data, and aligns with our 2024 trends in which we observe independence from traditional Ransomware-as-a-Service (RaaS) groups and lowering of accessibility for threat actors to enter the cybercrime market.

A shift in focus – speed valued with single extortion the endgame

PwC’s Dark Lab monitors social media, cybercrime forums, ransomware leak sites, and various open-sources of threat intelligence. These data points not only give us good insight on the threat actors’ tactics, techniques and procedures (“TTPs”), but more importantly their behaviours from holistic view.

While in past years most of these would take form of a listing of the victim on a ransomware leak site, we now see an increasing shift to data being published in cybercriminal forums for low prices or even free to ‘boost’ threat actors’ reputation. Performed by threat actors we categorise as “commodity criminals”, stolen data can take multiple forms; ranging from a full dump of structured data from a database, to an excel spreadsheet with customer data, or purely a CSV file with user information – either leaked for free or offered for sale.

Less sophisticated than their cybercriminal counterparts, commodity criminals have carved a niche for themselves in performing “smash and grab” or “petty theft” attacks; exfiltrating sensitive information and listing on the dark web at pace. Whilst these threat actors and their attacks are not new, we assessed this trend of increasing “petty thefts” is aligned with our hypotheses from our 2024 Cyber Threat Landscape blog post.[1]

Firstly, we observe an expansion of the vulnerability “classes” exploited for initial access beyond Common Vulnerabilities and Exposures (CVEs) to misconfigurations, exposed administrative portals, and unintended exposure of remote services. Secondly, focusing on the RaaS landscape, we observe an increase in the crowdsourcing of efforts by ransomware affiliates; leveraging the specialisation of commodity criminals (e.g., Initial Access Brokers) to accelerate the speed and complexity of their attacks. Thirdly, the continuous shift to identity-based attacks has led to increasing demand for network access sales to expedite intrusions. We reference two recent incident response cases from 2024 to exemplify such “petty thefts”.

Case Study Number 1: Intrusion Through Exposed Credentials

Dark Lab recently responded to a significant data breach incident, involving the extraction of data from a public-facing admin portal of the victim’s Content Management System (CMS). The CMS served as the maintenance portal for the victim’s third-party development vendor. However, the customisation for business operations also introduced a number of significant vulnerabilities, including sensitive directory and configuration files exposure.

Inadequate security controls such as the lack of multi-factor authentication(MFA) or geo-fencing, enabled the threat actor to access and export the data from the CMS, including the source code and backup copies of database from the backend components. Although the attack did not result in any disruption of the victim’s operations, the threat actor published the compromised data for sale on a dark web hacking forum a few days after the attack.

Our investigation revealed that the end-to-end attack had completed in under an hour, with minimal interactions with the website by the threat actor, apart from the data export, and without the deployment of malware, or exploitation of vulnerabilities. We further supported the victim to put in place security controls including MFA and geofencing, and formulate a strategic approach to detect anomalies and deviation in access patterns specific to the CMS.

Case Study Number 2: Information Stealer Leaks Administrative Credentials of Web Application

Non-Profit Organisations (NGOs) are no stranger to falling victim to data breaches. In this incident, PwC responded to an incident whereby a threat actor gained initial access to the learning platform of a local NGO. We assessed with moderate confidence that the threat actor gained access via the use of leaked credentials, due to a lack of evidence suggesting activities such as brute-force or vulnerability exploitation.

During our investigation, we discovered the root cause to stem from the personal computer of a former employee of the victim, which had been compromised in late 2023 by the Lumma infostealer. The capabilities of the malware to extract stored credentials from browsers led to the leakage of the corporate credentials required for the initial access to the learning platform.

Lumma infostealer is a subscription-based Malware-as-a-Service (MaaS) offering that has been available since 2022, whilst the number of sightings of this malware being distributed on the dark web forum has been seen to be rising.[2] Cybercriminals leverage this malicious software to extract sensitive information for direct profit (e.g., network access sales), while others might choose to utilise the credentials for intrusions.

Forensic evidence suggests that whilst the leaked credentials were originally circulated on dark web forums in late 2023, they were only weaponised by the threat actor in mid-2024. Upon accessing one of the victim’s externally-facing servers using the valid account, the threat actor subsequently exploited a vulnerability to deploy a webshell to issue commands to the underlying system, as well as establishing a reverse shell for full, remote access. No notable further actions were observed; instead, the threat actor used the built-in export function of the learning platform to download user data including personal identifiable information (“PII”), all within 2.5 hours.

The information was posted for sale on a dark web forum shortly after the incident. Although there is no evidence connecting the threat actor with the sale, the format and content on the available sample data led us to assess that the data had originated from the learning platform. This incident showcases a prime example of a low-level capability threat actor causing a high impact attack.

Cybercriminal Market; A Wealth of (Malicious) Opportunity

The Cybercrime-as-a-Service (CaaS) market is an ever-growing industry of cybercriminals offering their malicious tools, techniques, and services to other cybercriminals who may not have the technical expertise to carry out sophisticated attacks on their own; or alternatively preferring to outsource portions of their attacks to focus efforts on achieving their objective. Through our continuous monitoring the CaaS ecosystem, we observe a notable uptick in the selling of data across various dark web forums and instant messaging channels. In March 2024 alone, 299+ million data records were compromised – a 58% increase from the prior month, and a further 613% year-on-year increase of data records compromised by threat actors.[3]

Whilst ransomware actors are not typically observed to frequent cybercrime forums, we observe ransomware groups broadening their means to achieve financial gain – particularly as the rate of victims obliging with ransom demands continues to dwindle. This is seen in the uprise of ransomware groups such as LockBit, Stormous, and Everest advertising network access sales on their dedicated leak site blogs, Telegram channels, as well as data leak sites.[4]

2023 saw the closure of multiple cybercriminal marketplaces, such as the law enforcement takedown of the notorious Genesis Market[5], voluntary closure of the TOR Market, and suspected ‘exit scams’ of Tor2Door[6] and Incognito[7]. As with all things, as a one door closes, another opens – new marketplaces emerge, existing ‘underdog’ marketplaces rise in popularity, and threat actors continue to innovate in their means of selling data.

Implications of a Data Breach

As the cybercriminal ecosystem evolves and the rise of “smash and grab” attacks intensify, it is crucial that organisations enhance their cyber resilience to defend against these not so “petty” thefts. This is evidenced in the average cost of a data breach being USD 4.88 million in 2023 – encapsulating the cost of operational downtime, loss of customer base, and cost of post-breach actions to enhance cyber resilience.[8] In the case of petty thefts, the most “immediate” cost acknowledged is that on an organisation’s reputation. Though, it is crucial to consider the legal and compliance consequences of such breaches.

Focusing locally, the June 2023 updates to the Hong Kong PCPD’s “Guidance on Data Breach Handling and Data Breach Notifications” have reinforced the severity in which data breaches should be treated. Whilst not mandated, the guideline sets a benchmark for the Personal Data (Privacy) Ordinance (PDPO) to determine if organisations subject to data breaches have met compliance requirements. This reiterates the sheer impact of data breaches, and the need for organisations to remain vigilant against threats of varying intents and capability.

Conclusion

While large cyberattacks shifts focus to the strategies in holistic defence, we observed tactics by less sophisticated cybercriminals to a simple yet effective means to impact company’s reputation and trust. Based on our observation in threat intelligence and dark web intelligence, this trend will likely continue with attacks of smaller scales becoming a threat to be considered. Remaining vigilant and adaptable in the face of evolving cyber threats is essential for companies of all sizes:

Widen the scope to monitor and minimise your attack surface to proactively identify and remediate potential entry-points. This should include;
- Enforce 24×7 dark web monitoring, social media listening, and brand reputation monitoring to identify mentions or impersonation attempts of your organisation, which may be indicative of potential or active targeting against your organisation.
- Adopt an offensive approach to threat and vulnerability management to achieve real-time visibility of your attack surface through autonomous, rapid detection and remediation against emerging threats.[9]
- Establish a structured process to attack surface management through stringent asset inventory management. This includes the discovery of Internet-facing assets (including on-premise and potentially, third-party-hosted assets), identification of the assets hosting critical data, and assessment and subsequent uplifting of the current security posture of these critical systems.
- Leverage bug bounty programs to crowdsource the expertise of ethical hackers to proactively identify otherwise unknown vulnerabilities or security weaknesses that could otherwise expose you to potential exploitation by malicious actors.

Strengthen identity security and access control. Our lessons learnt from case study two highlighted the importance of account housekeeping for unused accounts, particularly those assigned privileged access rights.
- Review and uplift the process for managing credentials, particularly in the case of offboarding or unused accounts. This includes timely revocation of access (termination of account), password changes for any shared accounts the employee had access to, and ensuring the offboarded member’s multi-factor authentication (MFA) mechanism is no longer linked to any corporate accounts.Log, audit, and monitor all privileged account sessions via real-time monitoring, facilitated by Privileged Access Account (PAM) and Privileged Account and Session Management (PASM) solutions.

Consider the role of cybersecurity in safeguarding data security. As the cybercriminal landscape shifts focus to data exfiltration and extortion, it is crucial to consider the interconnectedness between data privacy and the cyber threat landscape.
- Leverage threat intelligence and continuous monitoring of your attack surface to the critical data and systems hosting them, to assess systems and datasets with a heightened threat of targeting by malicious actors.
- Prioritise these systems hosting critical data with layered preventive and defensive protections to safeguard data (e.g., Data Loss Prevention (DLP).
- Conduct regular risk assessments against critical systems to evaluate the current state of your cybersecurity posture.
- Review and uplift the lifecycle of data, including considerations of;
  - Where data is being shared?
  - Who has access, including consideration of third-party risks posed by vendors’ access to internal data?
  - What internal policies are enforced to govern staff on the handling of data? For example, no sharing of internal data via external communication channels such as WhatsApp.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.