Threat actors are actively seeing pen testers to join various ransomware affiliate programs, including Apos, Lynx and Rabbit Hole.
This according to the findings from Cato Network’s Cato Cyber Threats Research Lab (CTRL) in its new Q3 2024 Cato CTRL SASE Threat Report.
Multiple Russian-language job listings have been discovered following the firm’s monitoring of discussions on the Russian Anonymous Marketplace (RAMP).
“Penetration testing is a term from the security side of things when we try to reach our own systems to see if there are any holes. Now, ransomware gangs are hiring people with the same level of expertise - not to secure systems, but to target systems,” said Etay Maor, Chief Security Strategist at Cato Networks, speaking to press at an event in Stuttgart, Germany on November 12.
“There's a whole economy in the criminal underground just behind this area of ransomware.”
Any good developer knows that software needs to be tested before deploying in production environments, Cato Networks noted.
This is also true for ransomware gangs. They want to ensure that their ransomware can be deployed successfully against organizations. This is why Maor’s team believes they are recruiting people with these skills.
“[Ransomware-as-a-service] is constantly evolving. I think they're going into much more details than before, especially in some of their recruitment,” he said.
Ransomware-as-a-Service Live and Kicking
Other observations Maor and his team made when analyzing the dark web included an example of locker source code being sold for $45,000.
“The bar keeps going down in terms of how much it takes to be a criminal,” Maor said.
In the past cybercriminals may have needed to know how to program. Then in the early 2000s, you could buy viruses, he noted.
“Now you don't need to even buy them because [other cybercriminals] will do this for you,” Maor commented.
He added that AI is playing a large role in lowering the barrier to entry for cybercriminals.
Typically, these tactics are being exploited ransomware gangs motivated by financial gain.
Another example showed a user under the name ‘eloncrypto’ selling a builder for MAKOP ransomware, an offshoot of the PHOBOS ransomware variant.
Shadow AI and TLS Attack Attempts
Other observations made in the Threat Report included the increased threat from Shadow AI.
Shadow AI typically involves employees or departments adopting AI solutions independently and bypassing formal vetting processes and governance controls.
Out of the hundreds of AI applications that Cato CTRL monitors, the researchers tracked 10 AI applications used by organizations (Bodygram, Craiyon, Otter.ai, Writesonic, Poe, HIX.AI, Fireflies.ai, PeekYou, Character.AI and Luma AI) and observed various security risks.
The top concern relating to shadow AI is data privacy.
Finally, the firm noted that Transport Layer Security (TLS) is not being utilized enough.
TLS inspection allows organizations to decrypt, inspect and re-encrypt traffic. However, TLS inspection can break applications and access to some domains.
As such, Cato CTRL said that many organizations choose to forgo TLS inspection entirely or bypass inspection for a large portion of their traffic.
Cato CTRL found that only 45% of participating organizations enable TLS inspection. Only 3% of organizations inspected all relevant TLS-encrypted sessions.
This leaves the door open for threat actors to utilize TLS traffic and remain undetected. Organizations must inspect TLS sessions to protect themselves.
In Q3 2024, Cato CTRL found that 60% of attempts to exploit CVEs were blocked in TLS traffic. CVEs included Log4j, SolarWinds and ConnectWise.
The Q3 2024 Cato CTRL SASE Threat Report summarizes findings from Cato CTRL’s analysis of 1.46 trillion network flows across more than 2500 customers globally between July and September 2024.