Cybersecurity professionals struggle to feel optimistic about their efforts to thwart cybercriminals. Cybercrime attacks continue to increase in frequency, scale and impact. While security teams become more sophisticated, so do their adversaries. Millions of dollars are spent on tools, technologies and resources to stop breaches. Yet millions more are spent recovering from malware and ransomware attacks that succeed.
Against this gloomy backdrop, the news on cybercrime trends is not all bad. As reported by the threat analyst team at Cybersixgill in the annual State of the Underground 2024 report, attackers are being blocked in some areas, or at least are seeing their rates of success diminish, thanks to heightened, more collaborative law enforcement efforts, stricter compliance mandates from governments and industries, and more aggressive cyberdefense measures.
This is not to say that security teams can take their foot off the pedal. Unfortunately, while some malicious activities are being hindered, there are still plenty of ways for cybercriminals to do damage, as our recent report on underground cybercriminal trends explains.
The ability to effectively counteract your foes rests on how much you know about them and their attack plans. Using extensive, automated mechanisms that compile millions of items of intelligence from the clear, deep and dark web, Cybersixgill has elaborate methods for analyzing and categorizing this unending flood of data. In so doing, we provide organizations with the ability to gain broad and detailed insights into cybercriminal activities across the globe.
In our State of the Underground 2024 report, we contrasted data from 2023 with the data compiled and analyzed in earlier reports to see which trends are on the rise, which are in decline and the likely impact on intended targets. Below is a summary of our findings.
In 2022, the Cybersecurity and Infrastructure Security Agency (CISA) catalogued 556 exploited vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, the list of CVEs for which CISA has evidence of active exploitation. In 2023, that number tumbled to 188, 66% lower than the previous year. That is a stark turnaround from the 2021-to-2022 trend, when additions to the catalog rose by 44%.
The decline in newly catalogued exploited vulnerabilities could be a positive sign; however, it's important to remember that the number of attacks that actually use those vulnerabilities is a separate measure. The Common Vulnerability Scoring System (CVSS) helps us understand the potential severity of a vulnerability. However, a CVSS base score doesn't account for how likely a given vulnerability is to be exploited, whether cybercriminals are actually making use of it, or what types of organizations they are targeting. In other words, a CVSS score on its own doesn't tell teams which vulnerabilities are being used to launch attacks or how to prioritize patching; evidence of exploitation, such as inclusion in the KEV catalog or chatter on underground forums, has to be layered on top of it.
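To make the prioritization point concrete, here is an added example, not code from the report or from Cybersixgill's own tooling. It follows the field names of CISA's public KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) but every catalog record and scanner finding in it is a constructed placeholder with an impossible CVE-0000-* identifier, not a real vulnerability; the `load_kev`, `additions_per_year`, `prioritize` and `overdue` helpers are hypothetical functions written for this page. It ranks findings by exploitation evidence first and CVSS only as a tie-breaker, and it also shows how a per-year count of catalog additions (the figure the previous paragraph quotes) is derived from the feed.

```python
"""Added example: prioritize patching by exploitation evidence, not CVSS alone.

Field names follow CISA's public Known Exploited Vulnerabilities (KEV) JSON feed
(cveID, dateAdded, dueDate, knownRansomwareCampaignUse, ...). Every record below is a
constructed placeholder with an impossible CVE-0000-* ID; none is a real vulnerability.
"""
import json
from collections import Counter

# Constructed, KEV-shaped catalog (placeholder entries, not real CISA data).
KEV_JSON = """
{
  "title": "Example KEV-shaped catalog (constructed)",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "EdgeGateway",
     "vulnerabilityName": "ExampleCo EdgeGateway Authentication Bypass",
     "dateAdded": "2022-03-01", "shortDescription": "Placeholder.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0005", "vendorProject": "ExampleCo", "product": "Agent",
     "vulnerabilityName": "ExampleCo Agent Privilege Escalation",
     "dateAdded": "2022-11-30", "shortDescription": "Placeholder.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-12-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCo", "product": "MailRelay",
     "vulnerabilityName": "ExampleCo MailRelay Deserialization of Untrusted Data",
     "dateAdded": "2023-06-14", "shortDescription": "Placeholder.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-07-05", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: CVSS base score per finding and the asset that reported it.
FINDINGS = [
    {"cve": "CVE-0000-0002", "cvss": 9.8, "asset": "build-server"},
    {"cve": "CVE-0000-0001", "cvss": 7.2, "asset": "vpn-gateway"},
    {"cve": "CVE-0000-0004", "cvss": 5.3, "asset": "intranet-wiki"},
    {"cve": "CVE-0000-0003", "cvss": 8.1, "asset": "mail-relay"},
]


def load_kev(raw_json):
    """Parse a KEV-format feed into a dict keyed by CVE ID."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def additions_per_year(kev):
    """Count catalog additions by the year in dateAdded (the trend the report tracks)."""
    return Counter(entry["dateAdded"][:4] for entry in kev.values())


def year_over_year_change(counts, prev_year, year):
    """Percent change in additions between two years; None if the base year is empty."""
    prev = counts.get(prev_year, 0)
    if prev == 0:
        return None
    return round((counts.get(year, 0) - prev) / prev * 100, 1)


def prioritize(findings, kev):
    """Rank findings: known ransomware use first, then any KEV entry, then CVSS.

    CVSS only breaks ties within each exploitation tier, so a 7.2 that is being
    exploited outranks a 9.8 with no evidence of exploitation.
    """
    def rank(finding):
        entry = kev.get(finding["cve"])
        in_kev = entry is not None
        ransomware = in_kev and entry["knownRansomwareCampaignUse"] == "Known"
        return (ransomware, in_kev, finding["cvss"])
    return sorted(findings, key=rank, reverse=True)


def overdue(findings, kev, as_of):
    """CVE IDs among the findings whose KEV dueDate (YYYY-MM-DD) is earlier than as_of."""
    return [f["cve"] for f in findings
            if f["cve"] in kev and kev[f["cve"]]["dueDate"] < as_of]


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    counts = additions_per_year(catalog)
    print("additions per year:", dict(counts))
    print("2022 -> 2023 change:", year_over_year_change(counts, "2022", "2023"), "%")
    for f in prioritize(FINDINGS, catalog):
        print(f["cve"], f["cvss"], f["asset"])
    print("overdue as of 2023-01-01:", overdue(FINDINGS, catalog, "2023-01-01"))
```

Run as is, the ranked list puts CVE-0000-0001 (CVSS 7.2, but exploited and tied to ransomware) ahead of CVE-0000-0002 (CVSS 9.8, no exploitation evidence), which is exactly the reordering a CVSS-only view would miss. Against the real feed, replace KEV_JSON with the downloaded catalog; the per-year count is how a figure like "N additions in 2022 versus M in 2023" is produced, and the dueDate check surfaces the entries whose remediation deadline has already passed.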
For several years, we've seen a decline in underground marketplace sales of access to compromised Remote Desktop Protocol (RDP) endpoints. In 2023, those sales stopped completely when the primary RDP market was taken down. Additionally, law enforcement agencies shut down Genesis[1], a major market for compromised endpoints.
The bad news is that cybercriminals can still worm their way into targeted systems through other compromised endpoints. Sales of such entry points jumped by 88% from 2022 to 2023, and sales of compromised domains increased by 17%. This means cybercriminals can still deploy ransomware and launch other attacks from these compromised footholds.
Ransomware is another case in which declining numbers aren't much comfort. While the number of posts on ransomware leak sites dropped by more than 9%, the average ransomware payout increased by almost 90%. The data points to the possibility that cybercriminals have realized they benefit from launching fewer attacks while targeting the organizations and industries that can generate higher payouts.
Even so, there’s encouraging news that was reported after we published State of the Underground 2024. In early February, an international law enforcement operation arrested and indicted members of the LockBit ransomware gang. As we noted in our report, this gang was responsible for roughly 24% of all ransomware attacks – a higher percentage than any other group. Whether this takedown will have a lasting effect or whether the cybercriminals will regroup and find another way of plying their trade remains to be seen.
For some time, malware known as infostealers (or simply stealers) has been popular in the underground market, employed to harvest credentials, session cookies and other valuable data from infected systems. Four new names emerged in 2023: Stealc, Risepro, Lumma and Silencer. Even so, established brands such as Raccoon and Vidar remained widely used. As with vendors in legitimate markets, established stealer brands build loyalty through their reliability, effectiveness and ongoing maintenance. That may be why Raccoon's usage increased, despite the arrest in 2022 of one of its central administrators.
One of the more encouraging trends in recent years has been the decline in the number of compromised credit cards for sale in underground markets. In 2019, sales of such cards totaled more than 140 million. By 2022, that number had slipped to only 9.1 million cards posted for sale.
During 2023 that number rose again, but only by 25%, to just over 12 million. Even so, the average price of a compromised credit card with CVV data dropped, slipping from $12.21 in 2022 to $9.72 in 2023. The longer-term downward trend suggests that fraud prevention and detection and better e-commerce security have played a role.
At first glance, the increase in sales of compromised credit cards at the end of 2023 looked like a blip. But in the first few months of 2024, those sales have continued to climb. We have since discovered that a previously dormant deep web storefront for such cards has been resurrected. Law enforcement has been effective at shutting down such illegal stores in the past, and this new trend may draw their attention again.
Additionally, a new version of the standard that governs legitimate merchants, the Payment Card Industry Data Security Standard (PCI DSS) 4.0, takes full effect this year (version 3.2.1 was retired on March 31, 2024, with a further set of future-dated requirements becoming mandatory on March 31, 2025) and may slow sales of compromised cards. PCI DSS 4.0 reflects significant changes in technology and cybersecurity since its predecessor was introduced in 2016. Merchants will be expected to take several measures that should reduce the likelihood of cards being compromised.
Of course, it's difficult to reach a sweeping conclusion about cybercrime trends when the business is so large and complex. Threat actors exploit multiple opportunities to reach their goals, extracting billions in the process.
Still, we should take a moment to give thanks to those who've stemmed the tide in at least some areas, through smart business practices, good threat intelligence powering strong cybersecurity efforts, and law enforcement action. Yet we need to be mindful of the ongoing areas of concern. Cybercriminals are not about to give up; this is how they make their living. So it's up to cybersecurity professionals to stay vigilant and learn as much as they can about the forces they face.