Sophos 2023 Threat Report: the continued evolution of “Crime-as-a-Service”

Today, we are releasing the 2023 edition of Sophos’ annual threat report. Based on a combination of telemetry, incident response data, and other threat intelligence gathering, the report presents a snapshot of today’s threat landscape and examines the trends we’ve seen emerging in malicious activity. One of the clearest trends is the continued evolution of a mature cybercrime industry that mirrors, in many respects, the trends in legitimate software and digital services.

Ransomware operators were a leading adopter of the “as-a-service” model for cybercrime. In 2022, we saw the model adopted more widely across the cybercrime space, with underground digital marketplaces now offering virtually all of the components of the cybercrime toolkit to those willing to pay for them—targeting and initial compromise of victims, evasion and operational security, and malware delivery, among others.

Also widely available are professional attack tools—complete with “cracked” or bypassed licensing. Cobalt Strike, intended to be used by security professionals to emulate advanced attackers, is now seen in a majority of ransomware incidents. Brute Ratel, another advanced exploitation tool advertised as a Cobalt Strike replacement, is also now widely available and has been seen in a handful of ransomware incidents thus far.

Ransomware operations themselves continue to mature. LockBit 3.0, for example, now offers a bug bounty program to crowd-source testing of its malware and performs market research in the criminal community to improve the group’s operations. Other groups have offered “subscription” programs for access to their leaked data.

All of this has happened against the backdrop of the continued war in Ukraine, which led to divisions and break-ups in Russian-language cybercrime groups, with resulting doxing and data breaches from Conti and other ransomware groups. It also led to a rash of new fraud, using the government of Ukraine’s appeal for funds as the lure for a wave of cryptocurrency scams and other financial fakery.

Abuse of other legitimate software, as well as of components of the Windows operating system itself, continues to challenge defenders. Criminal actors continued to expand their use of legitimate executables (such as “trial” versions of commercial software products, including remote access tools) and of “living off the land binaries” (LOLBins) to evade detection and launch malware.

We also saw a return to “bring your own driver” attacks, with malicious actors using vulnerable drivers from legitimate software to elevate privilege and attempt to shut down endpoint detection and response products to evade detection.
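As an added illustration of how a defender might hunt for the driver abuse described above (example code written for this page, not from the Sophos report), the following script triages Sysmon DriverLoad-style records: it matches the loaded driver’s hash against a vulnerable-driver blocklist, checks the signature status, and flags loads from user-writable paths. The blocklist hash, vendor names and event lines are constructed placeholders, not real telemetry.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for "bring your own driver" signs."""
from __future__ import annotations

# Constructed placeholder blocklist (NOT a real hash); in practice populate it
# from a maintained vulnerable-driver list.
VULNERABLE_DRIVER_SHA256 = {"f" * 64: "placeholder vulnerable vendor driver"}
# Attackers usually drop the bundled vulnerable driver in a user-writable
# folder before loading it; genuine driver installs rarely load from there.
SUSPICIOUS_PATH_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

def parse_event(line: str) -> dict[str, str]:
    """Parse 'Key=Value|Key=Value' and split the Sysmon Hashes field per algorithm."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    for entry in fields.get("Hashes", "").split(","):
        algo, _, digest = entry.partition("=")
        if algo:
            fields[algo] = digest.lower()
    return fields

def assess_driver_load(event: dict[str, str]) -> list[str]:
    """Return the reasons (possibly none) this driver load deserves analyst attention."""
    reasons: list[str] = []
    name = VULNERABLE_DRIVER_SHA256.get(event.get("SHA256", ""))
    if name:
        reasons.append(f"known vulnerable driver: {name}")
    # A BYOVD driver is normally validly signed by its real vendor, so the
    # signature check alone misses it; it still catches unsigned/tampered drivers.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    if any(m in event.get("ImageLoaded", "").lower() for m in SUSPICIOUS_PATH_MARKERS):
        reasons.append("loaded from user-writable path")
    return reasons

def find_byovd_candidates(lines: list[str]) -> list[tuple[str, list[str]]]:
    findings = []  # (driver path, reasons) for every record that tripped a check
    for line in lines:
        event = parse_event(line)
        if reasons := assess_driver_load(event):
            findings.append((event.get("ImageLoaded", "?"), reasons))
    return findings

# Constructed samples: a normal Microsoft driver, a blocklisted vendor driver in Temp, an unsigned one.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes=SHA256=" + "1" * 64
    + ",IMPHASH=00|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\Temp\\vendor_util.sys|Hashes=SHA256=" + "f" * 64
    + "|Signed=true|Signature=Example Vendor Ltd|SignatureStatus=Valid",
    "ImageLoaded=C:\\ProgramData\\drv\\x.sys|Hashes=SHA256=" + "2" * 64
    + "|Signed=false|Signature=|SignatureStatus=Unavailable",
]
```

Note that the validly signed vendor driver is caught only by the hash match and the load path, which is why a signature check on its own is not enough against this technique.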

On the mobile front, we continued to see malicious or fraudulent applications evading detection by the major mobile app marketplaces. Some of these apps are part of a rapidly expanding class of cybercrime: financial trading fraud. Sophos has tracked the rapid expansion of crypto and other trading scams, such as “pig butchering” schemes, over the past year; these schemes have found new ways to use fake applications to dupe victims into exposing their mobile crypto wallets or to get them to transfer funds directly, including abuse of Apple’s iOS ad-hoc application deployment schemes.

More details on these and other findings can be found in the full report.
