The term “data breach” has been ingrained into the memories of everyone from board-level executives to security engineers in the last few years. Typically referring to confidential or sensitive information being compromised by threat actors, we associate the term with all-out intrusions – from initial access via an exposed perimeter, to post-compromise activities aimed at facilitating the end goal of data exfiltration, often prior to ransomware deployment.
However, this trend is shifting. PwC’s Dark Lab describes an alarming trend of data breaches associated with a subset of cyberattacks targeting data platforms and web applications. We responded to multiple local incidents over the past few months in which less sophisticated threat actors operated on a smaller, yet impactful, scale – such as unauthorised access to a single system – to exfiltrate data and post it on the dark web for financial gain. These attacks still carried significant reputational and legal implications due to the sensitive nature of the data, and they align with our 2024 trends, in which we observe independence from traditional Ransomware-as-a-Service (RaaS) groups and a lowering of the barrier for threat actors to enter the cybercrime market.
A shift in focus – speed valued with single extortion the endgame
PwC’s Dark Lab monitors social media, cybercrime forums, ransomware leak sites, and various open sources of threat intelligence. These data points not only give us good insight into the threat actors’ tactics, techniques and procedures (“TTPs”), but more importantly into their behaviours from a holistic view.
While in past years most of these would take the form of a listing of the victim on a ransomware leak site, we now see an increasing shift to data being published on cybercriminal forums for low prices or even for free to ‘boost’ threat actors’ reputations. The data stolen by threat actors we categorise as “commodity criminals” can take multiple forms, ranging from a full dump of structured data from a database, to an Excel spreadsheet with customer data, or simply a CSV file with user information – either leaked for free or offered for sale.
Less sophisticated than their cybercriminal counterparts, commodity criminals have carved a niche for themselves in performing “smash and grab” or “petty theft” attacks: exfiltrating sensitive information and listing it on the dark web at pace. Whilst these threat actors and their attacks are not new, we assess that this trend of increasing “petty thefts” is aligned with our hypotheses from our 2024 Cyber Threat Landscape blog post.[1]
Firstly, we observe an expansion of the vulnerability “classes” exploited for initial access beyond Common Vulnerabilities and Exposures (CVEs) to misconfigurations, exposed administrative portals, and unintended exposure of remote services. Secondly, focusing on the RaaS landscape, we observe an increase in the crowdsourcing of efforts by ransomware affiliates; leveraging the specialisation of commodity criminals (e.g., Initial Access Brokers) to accelerate the speed and complexity of their attacks. Thirdly, the continuous shift to identity-based attacks has led to increasing demand for network access sales to expedite intrusions. We reference two recent incident response cases from 2024 to exemplify such “petty thefts”.
Case Study Number 1: Intrusion Through Exposed Credentials
Dark Lab recently responded to a significant data breach incident, involving the extraction of data from a public-facing admin portal of the victim’s Content Management System (CMS). The CMS served as the maintenance portal for the victim’s third-party development vendor. However, the customisation for business operations also introduced a number of significant vulnerabilities, including sensitive directory and configuration files exposure.
Inadequate security controls, such as the lack of multi-factor authentication (MFA) or geo-fencing, enabled the threat actor to access and export the data from the CMS, including the source code and backup copies of the database from the backend components. Although the attack did not result in any disruption of the victim’s operations, the threat actor published the compromised data for sale on a dark web hacking forum a few days after the attack.
Our investigation revealed that the end-to-end attack was completed in under an hour, with minimal interaction with the website by the threat actor apart from the data export, and without the deployment of malware or the exploitation of vulnerabilities. We further supported the victim in putting in place security controls including MFA and geo-fencing, and in formulating a strategic approach to detect anomalies and deviations in access patterns specific to the CMS.
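The access-pattern detection described above, as an added example that is not part of the original post: it runs over constructed CMS admin-portal access records and flags an admin login from a country the account has never used before that is followed within an hour by export requests and little else, which is the shape of this case study. Field names, paths and thresholds are assumptions, not the victim’s CMS.

```python
"""Flag 'smash and grab' sessions on a CMS admin portal: a login from a
previously unseen country, then bulk exports within an hour and few
other requests. All data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, account, source country, request path)
SAMPLE_LOG = [
    ("2024-05-01T09:00:00", "cms_admin", "HK", "/admin/login"),
    ("2024-05-01T09:05:00", "cms_admin", "HK", "/admin/pages/edit"),
    ("2024-05-01T09:30:00", "cms_admin", "HK", "/admin/pages/edit"),
    ("2024-05-02T10:00:00", "cms_admin", "HK", "/admin/login"),
    ("2024-05-02T10:10:00", "cms_admin", "HK", "/admin/media/upload"),
    ("2024-05-03T02:14:00", "cms_admin", "XX", "/admin/login"),
    ("2024-05-03T02:15:00", "cms_admin", "XX", "/admin/export/db"),
    ("2024-05-03T02:16:00", "cms_admin", "XX", "/admin/export/source"),
]

LOGIN_PATH = "/admin/login"          # assumed portal login endpoint
EXPORT_PREFIX = "/admin/export/"     # assumed export endpoints
WINDOW = timedelta(hours=1)          # case study: done in under an hour
MAX_OTHER_REQUESTS = 3               # "minimal interaction" threshold (assumption)


def detect_smash_and_grab(log):
    """Return a list of alerts, one per suspicious login session."""
    events = sorted((datetime.fromisoformat(t), u, c, p) for t, u, c, p in log)
    seen_countries = defaultdict(set)   # per-account geo baseline, built as we go
    alerts = []
    for i, (ts, user, country, path) in enumerate(events):
        if path != LOGIN_PATH:
            continue
        # Only alert once a baseline exists; the very first login seeds it.
        new_geo = bool(seen_countries[user]) and country not in seen_countries[user]
        seen_countries[user].add(country)
        if not new_geo:
            continue
        exports, others = [], 0
        for ts2, u2, _c2, p2 in events[i + 1:]:
            if ts2 - ts > WINDOW:
                break                   # events are sorted, nothing later fits
            if u2 != user:
                continue
            if p2.startswith(EXPORT_PREFIX):
                exports.append(p2)
            else:
                others += 1
        if exports and others <= MAX_OTHER_REQUESTS:
            alerts.append({"user": user, "country": country,
                           "login": ts.isoformat(), "exports": exports})
    return alerts
```

A production version would take the baseline from historical logs rather than from the same batch, and would pair this with the MFA and geo-fencing controls the post recommends.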
Case Study Number 2: Information Stealer Leaks Administrative Credentials of Web Application
Non-Profit Organisations (NGOs) are no strangers to falling victim to data breaches. In this case, PwC responded to an incident whereby a threat actor gained initial access to the learning platform of a local NGO. We assessed with moderate confidence that the threat actor gained access via the use of leaked credentials, due to a lack of evidence suggesting activities such as brute-force or vulnerability exploitation.
During our investigation, we discovered that the root cause stemmed from the personal computer of a former employee of the victim, which had been compromised in late 2023 by the Lumma infostealer. The malware’s capability to extract stored credentials from browsers led to the leakage of the corporate credentials required for initial access to the learning platform.
Lumma infostealer is a subscription-based Malware-as-a-Service (MaaS) offering that has been available since 2022, and the number of sightings of this malware being distributed on dark web forums has been rising.[2] Some cybercriminals leverage this malicious software to extract sensitive information for direct profit (e.g., network access sales), while others choose to utilise the credentials for intrusions themselves.
Forensic evidence suggests that whilst the leaked credentials were originally circulated on dark web forums in late 2023, they were only weaponised by the threat actor in mid-2024. Upon accessing one of the victim’s externally-facing servers using the valid account, the threat actor subsequently exploited a vulnerability to deploy a webshell to issue commands to the underlying system, as well as establishing a reverse shell for full remote access. No notable further actions were observed; instead, the threat actor used the built-in export function of the learning platform to download user data including personally identifiable information (“PII”), all within 2.5 hours.
The information was posted for sale on a dark web forum shortly after the incident. Although there is no evidence connecting the threat actor with the sale, the format and content of the available sample data led us to assess that the data had originated from the learning platform. This incident is a prime example of a low-capability threat actor causing a high-impact attack.
Cybercriminal Market: A Wealth of (Malicious) Opportunity
The Cybercrime-as-a-Service (CaaS) market is an ever-growing industry of cybercriminals offering their malicious tools, techniques, and services to other cybercriminals who may not have the technical expertise to carry out sophisticated attacks on their own, or who prefer to outsource portions of their attacks to focus their efforts on achieving their objective. Through our continuous monitoring of the CaaS ecosystem, we observe a notable uptick in the selling of data across various dark web forums and instant messaging channels. In March 2024 alone, 299+ million data records were compromised – a 58% increase from the prior month, and a 613% year-on-year increase in data records compromised by threat actors.[3]
Whilst ransomware actors are not typically observed to frequent cybercrime forums, we observe ransomware groups broadening their means of achieving financial gain – particularly as the rate of victims complying with ransom demands continues to dwindle. This is seen in the rise of ransomware groups such as LockBit, Stormous, and Everest advertising network access sales on their dedicated leak site blogs, Telegram channels, and data leak sites.[4]
2023 saw the closure of multiple cybercriminal marketplaces, such as the law enforcement takedown of the notorious Genesis Market[5], the voluntary closure of the TOR Market, and the suspected ‘exit scams’ of Tor2Door[6] and Incognito[7]. As with all things, as one door closes, another opens – new marketplaces emerge, existing ‘underdog’ marketplaces rise in popularity, and threat actors continue to innovate in their means of selling data.
Implications of a Data Breach
As the cybercriminal ecosystem evolves and the rise of “smash and grab” attacks intensifies, it is crucial that organisations enhance their cyber resilience to defend against these not-so-“petty” thefts. This is evidenced by the average cost of a data breach being USD 4.88 million in 2023 – encapsulating the cost of operational downtime, loss of customer base, and the cost of post-breach actions to enhance cyber resilience.[8] In the case of petty thefts, the most “immediate” cost acknowledged is that to an organisation’s reputation. It is also crucial, however, to consider the legal and compliance consequences of such breaches.
Focusing locally, the June 2023 updates to the Hong Kong PCPD’s “Guidance on Data Breach Handling and Data Breach Notifications” have reinforced the severity with which data breaches should be treated. Whilst not mandated, the guideline sets a benchmark for the Personal Data (Privacy) Ordinance (PDPO) to determine whether organisations subject to data breaches have met compliance requirements. This reiterates the sheer impact of data breaches, and the need for organisations to remain vigilant against threats of varying intent and capability.
Conclusion
While large-scale cyberattacks shift the focus to strategies for holistic defence, we have observed less sophisticated cybercriminals adopting simple yet effective tactics to damage a company’s reputation and trust. Based on our observations in threat intelligence and dark web intelligence, this trend will likely continue, with attacks of smaller scale becoming a threat that must be considered. Remaining vigilant and adaptable in the face of evolving cyber threats is essential for companies of all sizes:
- Widen the scope of monitoring and minimise your attack surface to proactively identify and remediate potential entry points. This should include:
  - Enforcing 24×7 dark web monitoring, social media listening, and brand reputation monitoring to identify mentions or impersonation attempts of your organisation, which may be indicative of potential or active targeting against your organisation.
  - Adopting an offensive approach to threat and vulnerability management to achieve real-time visibility of your attack surface through autonomous, rapid detection and remediation against emerging threats.[9]
  - Establishing a structured process for attack surface management through stringent asset inventory management. This includes the discovery of Internet-facing assets (including on-premise and, potentially, third-party-hosted assets), identification of the assets hosting critical data, and assessment and subsequent uplifting of the current security posture of these critical systems.
  - Leveraging bug bounty programs to crowdsource the expertise of ethical hackers to proactively identify otherwise unknown vulnerabilities or security weaknesses that could expose you to potential exploitation by malicious actors.
- Strengthen identity security and access control. Our lessons learnt from case study two highlighted the importance of account housekeeping for unused accounts, particularly those assigned privileged access rights.
  - Review and uplift the process for managing credentials, particularly in the case of offboarding or unused accounts. This includes timely revocation of access (termination of the account), password changes for any shared accounts the employee had access to, and ensuring the offboarded member’s multi-factor authentication (MFA) mechanism is no longer linked to any corporate accounts.
  - Log, audit, and monitor all privileged account sessions via real-time monitoring, facilitated by Privileged Access Management (PAM) and Privileged Account and Session Management (PASM) solutions.
- Consider the role of cybersecurity in safeguarding data security. As the cybercriminal landscape shifts focus to data exfiltration and extortion, it is crucial to consider the interconnectedness between data privacy and the cyber threat landscape.
  - Leverage threat intelligence and continuous monitoring of your attack surface, your critical data and the systems hosting it, to identify systems and datasets with a heightened threat of targeting by malicious actors.
  - Prioritise the systems hosting critical data for layered preventive and defensive protections to safeguard data (e.g., Data Loss Prevention (DLP)).
  - Conduct regular risk assessments against critical systems to evaluate the current state of your cybersecurity posture.
  - Review and uplift the lifecycle of data, including consideration of:
    - Where is data being shared?
    - Who has access, including consideration of third-party risks posed by vendors’ access to internal data?
    - What internal policies are enforced to govern staff on the handling of data? For example, no sharing of internal data via external communication channels such as WhatsApp.
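The account-housekeeping review from the identity recommendations above, as an added example that is not part of the original post: it walks a constructed account inventory and raises the findings the post calls for after an offboarding (access not revoked, shared passwords not rotated, a leaver’s MFA device still linked), plus dormant privileged accounts and, mirroring case study two, a leaver’s account that is still logging in months later. The inventory schema and the 90-day dormancy threshold are assumptions, not any product’s data model.

```python
"""Post-offboarding account review. Constructed data; field names and
thresholds are assumptions for illustration only."""
from datetime import date, timedelta

# Constructed: people who have left and the date their access should have ended
OFFBOARDED = {"alice": date(2023, 11, 30)}

# Constructed inventory; mfa_devices maps device -> person it is registered to
ACCOUNTS = [
    {"name": "alice", "owner": "alice", "shared_with": [], "privileged": True,
     "enabled": True, "last_login": date(2024, 6, 12),
     "password_rotated": date(2023, 1, 15), "mfa_devices": {"alice-phone": "alice"}},
    {"name": "lms-admin", "owner": "it-team", "shared_with": ["alice", "bob"],
     "privileged": True, "enabled": True, "last_login": date(2024, 5, 2),
     "password_rotated": date(2023, 6, 1), "mfa_devices": {"bob-phone": "bob"}},
    {"name": "bob", "owner": "bob", "shared_with": [], "privileged": False,
     "enabled": True, "last_login": date(2024, 6, 20),
     "password_rotated": date(2024, 3, 1), "mfa_devices": {"bob-phone": "bob"}},
    {"name": "svc-backup", "owner": "it-team", "shared_with": [], "privileged": True,
     "enabled": True, "last_login": date(2023, 9, 1),
     "password_rotated": date(2023, 9, 1), "mfa_devices": {}},
]

DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold


def review_accounts(accounts, offboarded, today):
    """Return (account name, finding) pairs that need action."""
    findings = []
    for acct in accounts:
        name, owner = acct["name"], acct["owner"]
        left = offboarded.get(owner)
        if left and acct["enabled"]:          # access never revoked
            findings.append((name, "revoke: owner offboarded"))
        if left and acct["last_login"] > left:  # used after the leaver's exit
            findings.append((name, "investigate: login after offboarding"))
        for person in acct["shared_with"]:     # shared secret a leaver still knows
            exit_date = offboarded.get(person)
            if exit_date and acct["password_rotated"] <= exit_date:
                findings.append((name, f"rotate password: {person} offboarded"))
        for device, holder in acct["mfa_devices"].items():  # leaver's MFA still linked
            if holder in offboarded:
                findings.append((name, f"unlink MFA device: {device}"))
        if acct["privileged"] and acct["enabled"] \
                and today - acct["last_login"] > DORMANT_AFTER:
            findings.append((name, "dormant privileged account"))
    return findings
```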
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.