Hacking-as-a-Service: Crimeware emerging as a pay-to-play threat 

Any market is a balance of supply and demand, and at the moment there’s a high demand for data and personal information.

The supply side, run by a wide range of malicious threat actors, is growing quickly. This is thanks in large part to the emergence of crimeware, or Hacking-as-a-Service.

Enterprises can no longer hide behind the fact that only a small number of individuals are skilled enough to exploit common and advanced vulnerabilities. Rather than carrying out every attack themselves, attackers are building platforms that allow users to purchase and conduct their own attempts to extract data or a ransom from a business.

The recent takedown of a high-profile distributed denial of service (DDoS) website shows that a growing number of attempts are conducted through services that sell cyber-attacks for the price of a meal at your favourite restaurant. 

Authorities take down the home of millions of cyber-attacks

Operation Power OFF hit headlines in late April when a joint task force consisting of 11 countries took down WebStresser in cooperation with Europol. The website was one of the most popular booter (in other words, DDoS-for-hire) platforms in the marketplace. It was so popular, in fact, that eight other websites shut down because they relied on WebStresser to provide their illegal services, KrebsOnSecurity reported.

WebStresser helped its user base of roughly 136,000 people carry out between four and six million attacks since 2015, according to authorities. The financial toll of these DDoS attempts was astronomical given that the resulting website downtime could potentially impact sales and reputation, as well as lead to legal and remediation fees.

The victims weren’t always a local small business or the target of a Twitter feud; the website was used to target high-profile banking institutions in the UK in 2017, according to the BBC. The cyber-attacks had the power to cripple even the largest companies across the world and were sold for as little as $14.99 – or in other words, the price of a large pizza.

WebStresser is the first domino 

WebStresser is a part of an emerging market that’s becoming more lucrative by the second. Hacking is a mainstream trend, and those who are at the top of their craft are now making even more money by selling their services to a growing consumer base that has little technical know-how, but grand ambitions.

Even at the highest level, Hacking-as-a-Service is gaining momentum. The EternalBlue exploit, which opened the door for the WannaCry and NotPetya ransomware attacks in 2017, was first obtained by the Shadow Brokers. After stealing the information from the Equation Group, the cyber security arm of the U.S. National Security Agency, Shadow Brokers initially sought to release the exploits in one of two ways, according to Dark Reading: 

  • A full release of the gathered intelligence for one million bitcoin. 
  • A monthly subscription service for 100 ZCash.

The idea that a criminal organisation can receive a monthly newsletter with the blueprint for future attacks is a new one, but it’s not going away anytime soon. WebStresser was the tip of the iceberg in the DDoS-for-hire industry; there are dozens of other websites just like it currently in operation, and a steady stream of new platforms being brought online every month, KrebsOnSecurity reported.

It’s a wide-open market, and WebStresser already proved that there’s a high demand for functional platforms. As more common vulnerabilities and exposures (CVEs) are found, expect crimeware kits of varying quality to be built specifically to take advantage of them.

What crimeware means for your business 

Skilled hackers are packaging up the most effective exploit code to be used by the masses – whether they’re experienced or not. These platforms normally rely on CVEs, though there are rare instances where advanced tools or information are made available for the right price.

The average company saw a 27.4 percent increase in successful breach attempts in 2017, Accenture reported. Hacking-as-a-Service is one of a number of trends that make it easier for criminals to launch a barrage of attempts, hoping to hit the target. Now we’re finding that they’re accurate, more often than not.

Investing in cyber-threat intelligence is an important first step in understanding where high-risk vulnerabilities exist in an organisation. These are likely the same areas being targeted by mass distributed hacking platforms, and shoring up their defences can stop low-risk, high-reward threat actors before they have a chance to gain a foothold.

Similarly, forgoing fundamental cyber security tools like antivirus software can leave the company vulnerable to less sophisticated attacks. Ensure that your business’s posture aligns with industry best practices.

Enterprises of all sizes can no longer have the mentality that an attack will never happen to them. Launching a hack is now as easy as ordering a new pair of sunglasses online, and companies have to recognise the risks that come with it.