Sophos 2023 Threat Report
Defending against the new malware “as-a-service” global economy
The gloves came off in 2022. While Russia-based threat actor groups spread misinformation and launched multiple cyberattacks against Ukraine, China-based (and likely sponsored) threat actor groups attacked hardware security products made by nearly every company in the cybersecurity and infrastructure industries.
During this time, the cybercriminal economy has increasingly transformed into an industry. Information technology companies have shifted to “as-a-service” offerings, and the cybercrime ecosystem has done the same. Access brokers, ransomware, information-stealing malware, malware delivery, and other elements of cybercrime operations have lowered barriers to entry for would-be cybercriminals.
Malware-as-a-service continues to change the economic landscape of cybercrime
Criminal marketplaces such as Genesis enable entry-level cybercriminals to purchase malware and malware deployment services and sell stolen credentials and other data in bulk. Access brokers are increasingly selling vulnerable software exploits and credentials to other criminal organizations.
This industrialization of ransomware has allowed ransomware “affiliates” to evolve into professional operations specializing in exploitation. These professional groups specialize in gaining (or purchasing) access for any motivated actor willing to pay—or, in some cases, multiple actors with multiple motives.
In this report, you’ll learn about:
- Geopolitical Impacts and Conditions
- Attack-as-a-service Variations
- Notable Attack Tool Detections
- The Infostealer Ecosystem
- Ransomware Attack Trends for Practitioners
Cybercrime-as-a-service: The Naughty Nine
- Gaining access to compromised accounts and systems in bulk through RDP and VPN credentials, web shells, and exploitable vulnerabilities.
- Facilitating the distribution of malware within specific regions or sectors through watering-hole attacks, crossover with access-as-a-service listings, and other vulnerabilities.
- How threat actors are offering end-to-end services for cloned sites, hosting, emails that bypass spam filters, and other phishing campaign components.
- Bundled services provided by threat actors designed to hide Cobalt Strike infections and minimize the risk of detection.
- Common on many forums, crypting as a service involves the use of encrypted malware to bypass detection, sold as a one-time purchase or subscription.
- Designed as classified ads, scamming kits and services help threat actors pose as support specialists for cryptocurrency scams.
- How threat actors offer to rent voice systems to receive calls, where victims opt out and speak to a bot rather than a human.
- Infrastructure designed to build or manage bulk spamming services through a variety of mechanisms, including SMS and email.
- Offering access at discount prices to legitimate commercial tools such as Metasploit and Burp Suite to find and exploit vulnerabilities.
How Sophos is Keeping Up in 2023
Real-time threat intelligence, Sophos X-Ops threat response specialists, and world-leading AI with deep learning capabilities enable Sophos to continually evolve against criminal activities. The Sophos 2023 Threat Report provides key insights to help organizations and security practitioners defend against new ransomware groups and services designed to launch multiple malware attacks and steal information.
Sophos is a worldwide leader in next-generation cybersecurity and protects more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyberthreats. Sophos delivers a broad portfolio of advanced security services and products to protect corporations and individuals against a wide range of cyberattacks.