Cybercriminal activity surges as new tools & gangs emerge
In the past six months, the world has seen unprecedented levels of cybercriminal activity, according to the latest CyberThreat Report from cybersecurity firm Trellix. The June 2024 report highlights a range of factors contributing to the surge in cyber threats, including geopolitical tensions, the emergence of new ransomware gangs, and the increasing sophistication of cybercriminal tools.
The report notes a significant rise in activity from Advanced Persistent Threat (APT) groups, with Russia-linked Sandworm Team showing a 40% increase in activity. This uptick correlates with escalating geopolitical tensions, suggesting a direct link between international conflicts and cyber aggression.
China remains the leading originator of APT activities, with Trellix identifying over 21 million instances of malicious activities from China-aligned groups. A considerable portion of these activities, more than 22%, targeted governmental sectors worldwide, underlining the persistent threat these groups pose to national security.
A new China state-sponsored APT group, Volt Typhoon, has been particularly active, with over 7,100 malicious activities detected since January 2024. The group's distinctive behaviour patterns and targeting practices, notably its reliance on living-off-the-land techniques that blend into legitimate administrative activity, have drawn significant attention from cybersecurity experts.
Ransomware gangs have also seen considerable disruption. Operation Cronos, a global law enforcement initiative against LockBit, disrupted the group's infrastructure and exposed individuals masquerading as the notorious gang, leaving the real LockBit operators struggling to keep their lucrative criminal enterprise running with a tarnished reputation.
In a notable enforcement success, the true identity of LockBit's leader was unveiled, leading to an indictment and sanctions. Furthermore, a key affiliate of the REvil ransomware group, responsible for attacks on Kaseya and other organisations, was sentenced to 13 years and seven months in prison and ordered to pay more than USD $16 million in restitution.
The report highlights the emergence of the D0nut ransomware gang, notable for its innovative use of an EDR (endpoint detection and response) evasion tool. This advancement underscores the continuous evolution of tactics used by cybercriminals to bypass modern cybersecurity measures.
Another concerning development involves "Terminator", an EDR evasion tool sold by the developer Spyboy, which loads a legitimately signed but vulnerable driver and abuses it to kill security processes (a bring-your-own-vulnerable-driver, or BYOVD, technique). Roughly 80% of detections of this tool were in the telecom sector, pointing to a targeted campaign in January 2024 aimed at undermining that industry's security tooling.
The upcoming U.S. presidential elections have also become a focal point for cyber scams. The report outlines several scams that use election imagery to solicit fraudulent donations, indicating a persistent threat to both the public and political systems during this sensitive period.
A particularly alarming trend is the availability of free AI-powered tools in the cybercriminal underground. A tool that exposes ChatGPT 4.0 over Jabber (XMPP) messaging has been observed, enabling threat actors to leverage generative AI for malicious purposes. This tool facilitates the creation and sharing of AI-driven knowledge bases among cybercriminals, potentially accelerating both the sophistication and the frequency of attacks.
John Fokker, Head of Threat Intelligence at Trellix, emphasises the importance of remaining vigilant and adopting advanced cybersecurity measures to combat these evolving threats. As cybercriminals continue to innovate, it is imperative for organisations and individuals alike to stay informed and prepared to mitigate risks effectively.