06 Aug 2024

Data Leakage 2024+ in a Nutshell: Current Cyberthreat Tactics and Beyond

PART I: Current Threat Landscape, Tactics and Impacts of Data Leakage

1        Outline


The world is more interconnected than ever before. In this digital era, numerous opportunities and possibilities await. However, it also harbours serious dangers, particularly due to the escalating professionalisation and commercialisation of cybercrime. The pursuit of financial gain, coupled with shockingly low barriers to entry into this ecosystem, presents significant challenges for defenders. Data is a pivotal element in this context. Unauthorised access to data places threat actors in an ideal position to advance their illegal activities. Due to the opportunism exhibited in cybercrime, no one is safe. Data leakage knows no boundaries and can impact anyone indiscriminately, from individuals and small businesses to large organisations. This makes it all the more important to delve into this pervasive threat and to understand how adversaries obtain valuable data and what they do with it in pursuit of their malicious objectives.

That having been said, we welcome you to the series Data Leakage 2024+ in a Nutshell: Current Cyberthreat Tactics and Beyond. As the name suggests, the series is dedicated to data leakage as one of the most serious threats from cyberspace. PART I of this series provides an overview of the present situation in this playing field of criminals and state actors. We examine the current threat landscape based on recent incidents that reach far into 2024 and derive trends from them (Section 2). Furthermore, we provide insights into the top tactics threat actors use to infiltrate systems and harvest them digitally. Here, we draw on analogies to offer relatable real-world examples that make each tactic more tangible and less technical (Section 3). Additionally, we explore the dark ecosystem, which also fuels the extent of data leakage (Section 4). Closing PART I, the implications associated with that threat are addressed (Section 5).

In the interest of clarity, we seek to outline the scope of the term “data leakage“. Despite the intuitive understanding of that term by a broad audience, various discussions exist in the scientific literature and among security experts. Most of these debates deal with nuances, and so no broadly accepted definition exists to date, which ultimately leads to ambiguity and misconception. These circumstances are obviously not expedient at a time when data is the world’s most valuable resource and requires ample attention in terms of protection. For the purpose of this article, we take a pragmatic approach and shape data leakage into a fairly simple yet precise definition. It leans on the description given in [1] but also takes into consideration the current and constantly evolving threat surface. On that account, we define data leakage as any security-related incident that leads to the distribution of private or sensitive data to unauthorised entities, regardless of whether the concrete incident was caused accidentally or on purpose. Hence, data leakage can be considered any interception or unwanted exfiltration of valuable information that results in the disclosure of high-value data, whether the incident occurred in use, in motion or at rest. In this spirit, we wish you an enjoyable read of this article and, above all, valuable insights.


2        Current Threat Landscape: An Overview


In today’s digital landscape, data leakage is a pressing concern for individuals and organisations, and it moves into the spotlight of threat actors more than ever before. In fact, independent observations have noted a significant rise in leakage attempts, with an increase of more than 70 percent recently [2], [3]. This section addresses the current attack surface associated with such operations. Given the overlap with traditional attack vectors, such as social engineering and ransomware, we briefly touch upon the state of these classic threats as well.

2.1      Prevalent Attack Surface

The tool of choice for digital outlaws: Ransomware.

According to current official assessments, ransomware attacks continue to be the dominant factor in the threat canvas [4], [5]. This specific type of malicious software (malware) encrypts data on infected computer systems, enabling threat actors to extort ransom money in exchange for the decryption key. A recent case at MGM Resorts – a renowned enterprise from the hotel and casino industry – makes it clear that ransomware puts enormous pressure on victims. Due to the encryption, serious operational disruptions occurred as MGM was forced to shut down significant portions of its internal network to contain the attack. As a result, more than 30 hotels and casinos could not operate properly over an extended period of time [6]. That incident also demonstrates a scheme known as big game hunting (BGH), i.e. the hunt for large, high-revenue companies, which is a trend among ransomware gangs [7], [8]. From a sectoral perspective, this trend cannot be narrowed down that easily. Looking at individual cybercriminal groups, however, one can see an increasingly conspicuous tendency towards specialisation. According to statistics on one of the globally most active gangs in recent times, named “LockBit”, for example, around 51 percent of the operations carried out by this gang are aimed at specific sectors. The manufacturing, services, retail, banking and finance sectors are particularly at risk from LockBit [5].

Social engineering and its value in shifting situations.

For malware such as ransomware to be effectively deployed and to achieve its full potential, the human factor often plays a decisive role. Commonly known as social engineering, the exploitation of this factor is one of the most popular and efficient methods in the repertoire of cybercriminal actors. According to observations, the volume of such attacks rose by 6 percent last year, reaching a new high [9]. This is not surprising, especially since social engineering can be used in various ways and can be tailored to reference current situations. For example, in the past, the global pandemic situation related to remote work or natural disasters like the earthquake in Turkey and Syria have been extensively exploited through social engineering [10], [11]. It is also used in the context of geopolitical conflicts. An example of this is the ongoing Russian aggression against Ukraine. In this context, social engineering is conducted with the aim of propaganda and sabotage, targeting entities in Ukraine and European states including government institutions, defence companies and non-governmental organisations [5].

About attacks against availability and manifesting hybrid threats.

However, not just because of the war in Ukraine but also due to the overall tense global political situation to date, the merging of conventional cybercrime with state interests has become apparent, causing the boundaries between purely state, state-funded and terrorist actors to blur increasingly. This manifesting trend of hybrid threats, aimed at societal destabilisation and influencing public opinion, is reflected in the significant increase of so-called Distributed Denial of Service (DDoS) attacks by state-supported hacktivists. These attacks disrupt the availability of network and computer systems by flooding them with unwanted data traffic. For example, observations show that the number of DDoS attacks on Sweden increased by 466 percent in early 2024 following the country’s accession to the NATO alliance – a pattern established after Finland’s NATO membership in 2023 [12]. Amid the Gaza war, there have predominantly been DDoS attacks, along with other suspected hacktivist activities, since October 2023. Official assessments suggest that the impact is restricted locally [13]. Another indication can be found in the context of the 2024 European elections, where various political parties were targeted by pro-Russian actors [14]. It remains to be seen what else will happen in the major election year of 2024. Incidents triggered by autocratic states are particularly expected in the context of the US presidential elections. Experts mainly see Russia, Iran and North Korea as the primary actors [15]. But other big international events, like the 2024 European Football Championship, are also the focus of cyberattacks. In advance, German authorities warned of cyberattacks and disinformation [16], some of which have been confirmed. Media reports highlighted the use of manipulated images and audio on social media platforms to spread fake news and create political narratives [17].

2.2      The Rise of Data Leakage

Motives and types of sensitive data leaked.

It comes as no surprise that one can make money with data, and there is much to suggest that the primary objective of adversaries is monetary gain, particularly in relation to data leakage. At least this is the result of a recent study [18]. According to this analysis, around 95 percent of all security incidents with confirmed data exposure are motivated by financial gain. Besides, espionage also plays a major role in terms of motivation, but not to the same extent as financial incentives. It occurs in around 5 percent of verified leaks across all sectors as per that study. The value of the data naturally plays a decisive role here, so that threat actors essentially hunt for data that is of special importance to their victims, can be easily sold or is useful for espionage purposes. This includes intellectual property (IP) such as patents, technical documentation or proprietary source code. The latter was a key factor in an incident at Microsoft in January 2024 in which a Kremlin-affiliated group gained unauthorised access to internal code repositories and ultimately stole the source code [19]. Personal information (PI) of customers, vendors and employees as well as financial data are also very lucrative and illegally traded. In this context, incidents at an event ticket provider [20] and a US bank [21] made headlines in June 2024, in which precisely this type of sensitive data ended up in the hands of cybercriminals and is now being sold on underground marketplaces. Attackers are also targeting government-related data, either motivated by intelligence purposes or simply driven by crypto profits. In April 2024, for example, an attack on a company that collaborates closely with US authorities revealed a data theft of sensitive documents, including confidential files as the attackers claim [22]. In addition, an espionage campaign by a group allied with the Russian Federation could be observed in February 2024. The objective of that campaign was to spy on government and military authorities in Europe and Iranian embassies [23]. Lastly, we would like to stress healthcare data. It represents very private information for individuals and is thus extremely valuable. As such, healthcare stands on the list of top targets for threat actors, followed by the financial sector [3].

Nexus of data leakage and ransomware.

One might not immediately think of it, but when discussing the current threat landscape in the context of malware and especially ransomware, we are often discussing data leakage as well. For instance, the MGM Resorts incident stated in Section 2.1 can be revisited for that purpose: Besides the bizarre scenes that went viral on social media, such as long queues of frustrated hotel guests waiting for their check-in, empty arcades and many slot machines displaying the error message “out of service“ on their screens due to the ransomware attack [24], sensitive customer data was stolen to a great extent. Among these were email and postal addresses, dates of birth, driver’s licences and social security numbers [25]. Other cases, such as the ransomware incident at a software provider, are a testament to this as well. The latest post-mortem investigations reveal that around 1.3 million files were leaked and are available for sale in shady online forums. Around 5 percent of that data volume could be related to the federal administration of Switzerland. These documents also held very sensitive content, including PI, technical specifics and classified data, as per the investigation [26]. However, these cases are just the tip of the iceberg when it comes to ransomware. According to a survey conducted among international companies and organisations between January and February 2024, data leaks occur in approximately 32 percent of all ransomware attacks, with notable industry-specific differences. For instance, in the IT and telecommunications sector, nearly every second case involves data exfiltration, whereas in federal and local government agencies, about two out of five ransomware incidents are affected by data theft [8].

Hack and leak: The evolution of extortion by focusing on essentials.

While we saw that ransomware and leak operations often occur in tandem, other combinations, such as ransomware and DDoS or a combination of all three, can also be observed in the wild. But why is that the case? Well, the reason for their combination is quite straightforward: increasing the pressure on victims wherever possible. At least this has become the standard modus operandi in recent times [27], [28]. It provides adversaries with additional escalation levels they can launch. In the so-called double extortion scheme, for example, data is not only encrypted but also published on dedicated leak sites (DLS). In triple extortion, actors add a further threat: a DDoS attack, either by merely threatening to sabotage availability or by giving a direct taste of it to demonstrate dominance. Lately, however, one can observe a streamlining of extortion tactics to a fairly simple one, i.e. data extortion or hack and leak. The motives for this are quite understandable. Cybercriminals do not necessarily have to encrypt data in the target environment to draw profits. Encryption takes effort and might generate noise, which in turn can lead to early detection and potentially interfere with the malicious operation. To cause the necessary concern among victims, it is sufficient to leave the data unchanged at the target and just steal a copy of it instead. This approach essentially offers threat actors two options for action: Either the exfiltrated material is offered for sale in the underground, as mentioned earlier, or hush money is extorted. Due to the opportunistic nature of cybercriminals, sometimes both options are applied at the same time, or portions of the data are placed on DLS in order to get the necessary publicity. In the context of BGH, particularly the latter case is manifesting, as the number of DLS increased by 76 percent according to some observations [7]. Combined, this makes hack and leak an ideal and lean monetisation vector, and according to official assessments, it is becoming a serious threat [5], [29].

Hack and leak besides financial incentives.

In light of the geopolitical shifts mentioned in Section 2.1, hack and leak operations can also be used to pursue the hidden agenda of state, state-financed or intrinsically motivated actors, which obviously goes beyond illegal moneymaking objectives. In particular, the targeted hunt for data on specific victims can be used to sow political discord with precision. Public shaming is one of these practices that can result from hack and leak, leading to severe reputational damage. In addition, politicians or parties can come under immense pressure once such a data theft becomes public. Manipulation of stolen data right before the documents are published is conceivable too, ultimately in order to spread disinformation. Especially in elections, this can greatly interfere with the open political process of shaping opinions and will. Security authorities warned that hack and leak operations would be a serious threat in the run-up to the major election year 2024 [30]. This warning proved to be true, as the following two cases illustrate: Shortly before the European election in June 2024, there was a cyberattack on the German Christian Democratic Union in which actors infiltrated the party’s environment and were apparently able to move freely within the network for about two weeks. According to media reports, this incident likely involved data exfiltration operations [31], [32]. In the run-up to the same elections, a further incident came to light targeting an application portal of the European Parliament that collates sensitive information on approximately 8,000 candidates for temporary positions, including parliamentary assistants and contractual agents. A spokesperson stated that all potentially affected individuals have been informed about the breach. It is interesting to note that the attack was detected at a time when the European Parliament had announced increased efforts to strengthen cybersecurity [33]. For both cases, forensic work is still ongoing, and so it is unclear how big the leaks actually were. Yet, they showcase efforts to stir up unrest in order to undermine trust in democratic institutions and to create political instability in the long run.

Supply-chain attacks: A threat to our data.

Software supply-chain attacks are rapidly emerging as a predominant method among threat actors, significantly expanding the general threat surface. In addition to sabotage, which has become established in this type of attack, it is also increasingly used to obtain highly sensitive corporate data [5]. The attractiveness of such attacks lies in the ongoing digitalisation across industries, which creates a complex web of dependencies. Although not a cyberattack, a malfunction of an antimalware application installed on a wide range of computer systems demonstrated in July 2024 that these complex dependencies are real. According to the manufacturer, the issue was due to a faulty content update [34] and caused global IT outages impacting operations at airports, supermarkets and banks, among others. Obviously, this interconnectedness offers a broad attack surface for cybercriminals to exploit. Furthermore, software supply-chain attacks are highly scalable, enabling attackers to impact numerous targets through a single compromised component. A recent survey highlights the growing concern among security experts, with 50 percent of respondents classifying software supply-chain attacks as a high or extreme threat. Open-source software is a critical factor in this context, as 94 percent of companies report using at least one open-source platform [35]. The original belief that open-source software would inherently reduce bugs and vulnerabilities due to its publicly accessible code has proven to be a misconception. Despite the transparency, the increasing complexity of open-source projects, with millions of lines of code produced, makes it challenging to maintain high security standards [36]. Observations have shown a significant rise in malicious activity within open-source ecosystems. For instance, the Python Package Index (PyPI) platform experienced a 400 percent increase in malicious packages over the past year, with the majority being information stealers (infostealers) – a type of malware designed to exfiltrate sensitive data [37].


3        Positioning for Data Leakage Excellence


With this overview of today’s threat landscape given, grasping the intricacies of adversaries’ methodologies is no longer optional – it is an essential prerequisite for safeguarding our organisations and, ultimately, for preventing leakages of digital assets. While conventional wisdom might suggest that attackers need direct access to data before exfiltrating it, this assumption is not always true. Reality is far more insidious, and malicious actors try to limit a victim’s scope of action more than ever before. In what follows, we provide insights into the four key tactics (cf. T1 to T4) that put threat actors in the ideal position to perform leaking operations from the inside and at the perimeter of a target environment. At this point, it is irrelevant what that environment looks like. It might be a private computer, an enterprise or government network, a cloud or a public-facing application. While shedding light on their modus operandi, we explicitly draw on a real-life analogy for a better sense of understanding, i.e. we put ourselves in the shoes of a homeowner whose property is broken into by a burglar trying to steal valuables. Additionally, we touch on insiders and demonstrate that they are not just a myth debated in casual conversations, but a formidable threat.

3.1      Inside the top Tactics

T1 – Levering the door with a crowbar.

Technically exploiting security gaps in a computer device or network system is like a skilful burglar trying to break down the front door of an apartment or family home. These so-called vulnerabilities, whether caused by programming errors, design flaws or faulty configurations, represent an Achilles’ heel through which threat actors can sneak in and gain initial access to an organisation. Just as a burglar uses various tools, including crowbars or lock picks, threat actors use malicious code or scripts, known as exploits, to leverage these vulnerabilities. Therefore, vulnerabilities offer the ideal gateway and are becoming increasingly popular in cybercriminal operations [38], [39]. This trend is also encouraged by the latest official statistics, indicating that on average around 70 new vulnerabilities are discovered every day, which represents an increase of 24% compared to previous observations [4]. These figures are extremely worrying, especially as in-depth technical analyses of known vulnerabilities often quickly become public and can be exploited by adversaries until the security gap is closed by suitable patches or updates – and these maintenance activities can take a considerable amount of time. Even under ideal conditions, i.e. for vulnerabilities known to the general public, organisations require approximately 183 days to detect and an additional 70 days to contain the gap according to a survey [40]. The situation is even more serious in the case of unknown vulnerabilities, or so-called zero-days. Together with their exploits, they can be considered the holy grail for cybercrime, as by definition no countermeasures exist, enabling undetected initial access right away. As a result, the exploitation of vulnerabilities brings external actors a decisive step closer to the corporate assets they are after.

T2 – The art and use of persuasion.

Despite its age, phishing is still among the top tactics according to several recent reports [38], [39], [40] and the ultimate arsenal for threat actors to infiltrate individuals and organisations or to harvest sensitive information instantaneously. In its simplest form, little to no technical knowledge is required, as it is essentially about exploiting perceived human weaknesses such as fear, curiosity or blind obedience by tricking the victim into doing something they would not otherwise do. Phishing is therefore a form of social engineering (cf. Section 2.1). It is much like a confidence artist who stands at the front door of a house and uses a pretext and the power of persuasion to convince the unsuspecting homeowner to let him in. Additionally, the homeowner can be engaged in conversation so that secret information is leaked right at the doorstep without the victim becoming suspicious. With a few carefully crafted emails and deceptive websites, threat actors can achieve a great deal. In fact, both are the most common forms in which phishing appears according to [41]. Opening the attachments of such scam emails can execute a malicious payload. Victims are also tricked into clicking on a link within the email, which has the same effect of downloading malware. On the other side, luring the victim to a deceptively real mimic of a legitimate website, such as that of a bank or a government agency, can cause the victim to willingly disclose sensitive data such as user credentials or credit card numbers. Recalling that phishing is currently one of the most dominant techniques, it should not remain unmentioned that other flavours, including spear phishing, whaling, SMS phishing (smishing) and voice phishing (vishing), are manifesting in the threat canvas as well [5]. Spear phishing targets specific organisations or individuals, while whaling is aimed particularly at key individuals such as politicians, CEOs and security researchers. Smishing and vishing in turn utilise alternative communication channels such as SMS or phone calls.

T3 – Go shopping for the door key and use it.

To a certain extent, breaking into an apartment or house through the front door using a purpose-made crowbar, or running a pretexting playbook to trick the homeowner that takes all eventualities into account, can be considered a time-consuming endeavour even for a very professional burglar. To get a foothold on private premises, it might be much easier to use a copy of the door key instead. Like the homeowner, the burglar simply inserts the key into the door lock, turns it and gains immediate access. At this point, the central question arises: How does the burglar obtain the valuable copy? Well, it may sound disturbing to some, but there is an entire underground industry dedicated to trading stolen credentials. This market is thriving (cf. Chapter 4), and around 49 percent of all data leaks are actually based on credential misuse according to one study [18]. These credentials originate either from a directed attack or from a campaign in which data leakage played a primary or secondary role. If the stolen data is a side product, it is sold quite cheaply in underground forums. Other actors, so-called access brokers, specialise in providing access in exchange for crypto and give guarantees for particularly exposed accesses. Oftentimes, one can also see illegal auctions where access to enterprises is sold to the highest bidder. These auctions may provide very compelling details such as the name of the enterprise, its revenue, the sector it operates in or the expected type of sensitive information that can be leaked (cf. [42], [43]).

T4 – Entering through third parties: “Open sesame”.

The phrase “you are only as secure as the weakest link in the chain”, which is widely preached by security experts, literally proves to be true in the case of supply-chain attacks. The direct focus here is not on compromising a selected target organisation using one of the aforementioned tactics. Threat actors often target IT service providers in these attacks. If they succeed, attackers have an easy time moving laterally due to the natural digital affiliation of these providers with the organisations that use their services. In this way, the actors reach the actual target via indirect routes in order to ultimately gain access to its digital assets and drain them for their own purposes. A direct analogy to our everyday life can be derived from this: Imagine a homeowner eagerly waiting for the doorbell to ring to receive a parcel delivery from their favourite retailer. Yet the fact that the parcel contains not only the desired items but also harmful elements remains hidden from the homeowner. These harmful elements can be a doorstop to leave the front door ajar, or other malicious mechanisms that automatically search the homeowner’s private space for valuable items to steal. As it is not just our known homeowner who receives this delivery, but it is distributed to a much larger audience, the scalability of such attacks becomes obvious. In this respect, experts predict that by the year 2025, 45 percent of global organisations will be affected in some way by such an incident [44]. One indication of this is the increasing observation of malicious packages in popular open-source software and libraries, which attackers inject into open code repositories (cf. Section 2.2).

3.2      Enemies Within: The Hidden Risk

Insider threats: Less evident in statistics but more efficient and severe.

When discussing the top tactics for positioning best to perform data leakage operations, the threat posed by internal actors, also known as insiders, cannot remain unmentioned. Despite often being absent from the top rankings of cybersecurity reports due to a naturally high number of unreported incidents, the risk of insider threats is omnipresent and rated by international cybersecurity authorities as the most efficient avenue for infiltrating an organisation’s internals and its digital assets [5]. Recent cases, such as the leakage of IP from a South Korean consumer electronics enterprise via the popular chatbot ChatGPT in March 2023 [45], the admission by US Air Force member Jack T. in March 2024 to leaking classified documents [46], and investigations leading to the arrests of four German nationals for alleged espionage in April 2024 [47], [48], underpin the severity of that statement. In fact, 19 percent of all observed breaches can be attributed to internal actors according to a recent study [18].

Nexus of insider threats and top tactics on data leakage.

Insider threats are intertwined with some of the tactics discussed earlier. To grasp the essence of this menace, let us first envision a typical insider: We often imagine a disgruntled employee who deliberately leaks data or causes other types of damage in order to take revenge on their employer for a perceived wrong. However, portraying an insider this way is one-sided, as there are not only malicious insiders. A person can also become an insider through unintentional acts. One can think of an accidental or negligent action that causes significant damage. Hence, employees who, for example, fall victim to fraudulent operations like phishing and inadvertently disclose sensitive information can be considered insiders in the broader sense as well. Obviously, this directly relates to tactic T2. A particularly high-risk group comprises IT service suppliers. Individuals belonging to that group develop software and perform maintenance tasks and thus frequently possess elevated privileges that grant them access to sensitive data, potentially leading to an easy leak, which aligns with the previously mentioned tactic T4. Lastly, we must consider collusive threats – a subset of malicious insiders. Here, one or more insiders collaborate with external actors to facilitate fraud, IP theft, espionage or a combination of these activities [49]. To do so, employees promote their services in dubious online forums. Experts distinguish between employees in entry-level positions and members of the core staff. Although the former have no elevated privileges, such an admission ticket is often enough for cybercriminals to carry out their malicious operations. In addition, they do not yet have an established relationship with the organisation and can therefore be easily instrumentalised by threat actors. Members of the core staff, on the other hand, have higher privileges and are often driven by private financial shortages to sell their access [50]. Another way to recruit insiders is through aggressive promotion campaigns conducted by cybercriminals directly. They lure potential insiders with exorbitant one-off payments to act on their behalf. Evidence for this could be seen in calls for insiders in underground forums by LockBit [51]. Another notorious cybercrime gang causing a stir in this direction is “Lapsus$” [52], and according to one report, collusive data leaks can be observed more often today than in previous years [18].


4        Dark Ecosystem as Catalyst for Data Leakage


The phenomenon of commercialising cybercrime.

As already indicated in Section 3, tools and services play a key role in selective or large-scale data leakage campaigns and other threat operations. Offered for rent or sale on underground marketplaces, they are the decisive catalyst for the current and expanding threat situation from cyberspace. This commercialisation of cybercrime makes it much easier to plan an attack, penetrate a target and achieve the desired damaging effect. While attacks used to require laborious and time-consuming planning, they can now be fully automated in many cases thanks to Crime-as-a-Service (CaaS). This development drastically lowers the inhibition threshold for cybercriminal activities and significantly favours the practice of data theft, where monetisation can be considered the prime motive (cf. Section 2.2).

Data leakage made easy: Tools and services.

In recent years, a multitude of illegal goods have changed hands in the underground, particularly with regard to the leakage of data. In what follows, some of the tools and services that have gained prominence are contextualised along the previously mentioned top tactics (cf. Section 3.1): First of all, there is Phishing-as-a-Service (PhaaS), offered in the form of so-called phishing kits. These are among the most commonly used tools for tactic T2, featuring pre-made templates for websites or emails with detailed instructions for phishing attacks. They are designed to bypass security mechanisms such as multi-factor authentication (MFA) using reverse proxies, and a highly potent variant of this type, known as EvilProxy, boasts an estimated success rate of up to 40% per attack [2]. Secondly, zero-day exploits can be highlighted, for which a much higher rate can be attested, giving defenders little to no chance of protection against the attack (cf. tactic T1). However, due to the cumbersome and inconsistent management of updates and patches to close open security gaps in organisations, exploits for known vulnerabilities are still very promising from an attacker’s perspective too. On the other hand, they are also much more affordable than zero-day exploits, as certain economic principles equally apply in the underground, i.e. demand dictates price. A concrete example: the price of an exploit enabling remote code execution through a known vulnerability in a widespread software product was around US$ 30,000 in 2023 [53]. The final crucial aspect of the CaaS economy that warrants repeated mention due to its critical nature is the illegal trade in access credentials (cf. tactic T3). Commonly termed Access-as-a-Service (AaaS) by security experts, this business is gaining momentum and has more than doubled according to some recent and independent observations [7], [54].
Such login details are offered in the underground at relatively affordable prices, making them accessible to a wide range of further threat actors. They are harvested and specifically offered by access brokers, often using specialised malware such as infostealers (cf. Section 2.2) or by providing direct access to compromised network environments. One of the most notorious infostealers provided as part of Malware-as-a-Service (MaaS) in recent times is the “Redline Stealer”. It accounts for every second infection in this specific malware category between 2020 and 2023 [55]. In its standard operating mode, it is capable of stealing login credentials and bank information and of performing systematic inventory scans of infected systems, funnelling these digital assets into the hands of the deploying actor. Newer versions of Redline Stealer also enable the exfiltration of cryptocurrency wallets [56].

Modern cybercrime gangs and competition.

One should not assume that a single attacker alone is responsible for harvesting data from individuals, enterprises or other organisations. The notion of a solitary attacker is more the exception than the norm, particularly when considering sophisticated leakage operations [18]. The ecosystem typically operates in organised groups, as exemplified by the AaaS and PhaaS models. In these setups, access brokers specialise in credential exfiltration and trading, while others focus on developing phishing kits. Furthermore, within these specialised groups, distinct tasks are assigned, resembling the operational structure of a modern business with hierarchical layers. According to some analyses, such a medium-sized gang comprises 6 to 49 members with two management layers, generating annual revenues of up to US$ 50 million [57]. Among these gangs there are also affiliates, who collaborate with CaaS operators to distribute and execute malware in exchange for a share of the proceeds. Typically, they are known for Ransomware-as-a-Service (RaaS), but the business model can readily be adapted to other tools and services as well. However, what emerged with affiliate programs as a trend some years ago is now coming back as a boomerang, creating competition everywhere [4], [58]: If one CaaS provider outperforms another, affiliates may switch sides, prompting malicious operators to strive for excellence.

 

5        Today’s Impact of Data Leakage

 

Whether caused in-use, in-motion or at-rest, data leaks can have devastating consequences and are always a painful experience for those exposed. In this section, we provide insights into the costs caused by data leakage based on recent findings.

Global impact is high but smaller businesses are hit the hardest.

According to estimates from a recent report [40], the average global economic cost of a security-related incident in the sense of this article stands at approximately US$ 4.45 million for the year 2023. This figure represents a new peak and marks a 2.25 percent increase compared to the previous year. Malicious insider threats are the most devastating in terms of impact, although they are less prevalent in terms of frequency (cf. Section 3.2). Financial losses resulting from phishing or attacks using stolen credentials are by far the most common. Zero-day vulnerabilities and misconfigured clouds fall in the mid-range in terms of frequency. Regarding the size of an organisation, it must be mentioned that smaller companies (<5000 employees) are the most severely affected in terms of rising costs. On average, their costs rose by 18.37 percent in 2023 compared to the previous year. The report also highlights the financial losses per leaked record. On average, the cost per leaked record of customer PI is US$ 183, while for employee PI it is US$ 181. The loss of IP accounts for US$ 156 per record. In this respect, one can observe a steady increase in the cost per record over the years. Taking the year 2020 as the baseline, a growth of 13 percent can be attested by 2023.

Sector-wise impact and top 5 countries/regions.

In addition to the general figures, the impacts reported in [40] for 2023 are also significant when broken down by industry. The impact of data theft is by far the highest in the healthcare sector. Estimated costs for this sector are US$ 10.93 million, nearly double those in the financial sector. The pharmaceutical, energy, industrial, technology and professional services sectors follow with average costs of US$ 4.69 million, slightly above the global average. Turning to the countries and regions with the highest average costs, the USA, the Middle East and Canada consistently occupy the top ranks in 2023, followed by Germany and Japan. Costs in the USA are particularly high at US$ 9.48 million. The costs for the other four mentioned countries and regions are US$ 1.15 million above the global average.

Impact breakdown.

When breaking down the impact related to data leakage, the highest percentage of costs can be attributed to business losses and to detection and escalation activities, together accounting for 64.72 percent of the total on a global level. The remaining costs are attributed to post-detection responses, including notifications [40]. Other studies provide insights into the impact of data leakage using slightly different categories. With a focus on German enterprises, reputational damage (+49.58 percent) and data extortion (+50.47 percent) stand out, which underlines the trend towards hack-and-leak operations apart from classic ransomware (cf. Section 2.2). The decrease in outages caused by these operations is encouraging at this point (-15.66 percent). However, the costs for investigation and replacement measures have increased massively (+149.50 percent) [59].

References

About the Author/s
Dr. Frank Beer