• Home
  • /
  • Software
  • /
  • Maturing criminal marketplaces present new challenges to defenders

Maturing criminal marketplaces present new challenges to defenders

Johannesburg, 27 Feb 2023

Just as IT companies have shifted to ‘as a service’ offerings, so too has the cyber crime ecosystem. Access brokers, ransomware, information-stealing malware, malware delivery and other elements of cyber crime operations have lowered barriers to entry for would-be cyber criminals. 

TechTarget says the biggest cyber security threats for 2023 include ransomware, IOT security, AI, slashed security budgets due to economic pressure, skills gap and staffing issues, phishing, supply chain attacks and software supply chain security. “Sophos’ 2023 Threat Report lifts the lid off the burgeoning cyber risks in the market. We’ll take a close look at malware economics, ransomware evolution, turning offensive security tools to bad ends as discussed in this report, and we’ll also look at the link between cyber security and physical security devices such as surveillance cameras, DVRs and NVRs,” says Commercial ICT’s Charleen Rheeder, local distributor of Sophos technology.

Malware economics

Driving this trend in part are the emerging economics of cyber crime. Criminal marketplaces such as Genesis make it possible for entry-level cyber criminals to purchase malware and malware deployment services and then in turn sell stolen credentials and other data in bulk. Access brokers use commodity exploits of vulnerable software to gain footholds on hundreds of networks and then sell them to other criminals, often selling the same exploited access multiple times. And ransomware affiliates and other attackers purchase credentials and access to perform higher risk and higher reward criminal activities.

The industrialisation of ransomware has allowed for the development of ransomware ‘affiliates’ into more professional operations specialising in exploitation. Using professional offensive-security tools, legitimate administrative and technical support software, malware as a service and other market-obtained exploits and malware, Sophos has seen a convergence by actors around sets of tools, tactics and practices that can no longer be associated with specific ransomware operations, state-aligned espionage or other specific motives. These professionalised groups specialise in gaining (or purchasing) access for any motivated actor willing to pay – or, in some cases, multiple actors with multiple motives.

Information-stealing services are part of the supporting infrastructure of the malware economy – akin to, but larger than, the ‘[bad thing] as a service’ offerings. Thanks to malware as a service and malware deployment as a service offerings, would-be cyber criminals can get started with a small investment and not much in the way of skills other than the ability to log into web control panels and to gain access to credentials marketplaces.

Sophos has deployed a number of measures to block information stealers and has added cookie theft protection to prevent information-stealing efforts from harvesting session cookies.

Ransomware evolution

While there has been some disruption of ransomware groups over the past year thanks to (among other reasons) geopolitical unrest and the occasional prosecution, new groups have arisen from the old, and ransomware activity remains one of the most pervasive cyber crime threats to organisations. Ransomware operators continue to evolve their activities and mechanisms, both to evade detection and to incorporate novel techniques.

Some ransomware groups have embraced the use of new programming languages in an effort to make detection more difficult, to make the ransomware executable more easily compiled to run under different operating systems or platforms, or simply because the people developing malware payloads bring those skills and tools to the effort.

Turning offensive security tools to bad ends

The misapplication of offensive security tools – software intended to be used by information security teams to simulate active attacks – is common in many ransomware campaigns. But pirated copies of commercial offensive-security tools have become a standard part of more complex and professional attacks. Some groups advertise to hire people with skills in those areas. And pirated copies of Cobalt Strike and the commercial version of Metasploit are now so common that links to free copies are frequently posted on underground sites (though some may in fact be malware).

Crypto-currency mining software consumes computing power to perform crypto-graphic work in hopes of earning new ‘coins’ (tokens), usually participating as part of a networked pool of processors or machines.

For many crypto-currencies, mining requires specialised hardware with graphics-processing units dedicated to the processing-hungry work. But there are still opportunities for exploitation of general-purpose hardware to mine crypto-currency – and there are vast self-spreading networks of mining bots that still attempt to exploit vulnerable systems and steal processing power for profit.

While such malware does not impact organisations’ data, it does sap computing resources and raises electrical and cooling costs. And miner malware is often the harbinger of other malware, as it is usually deployed via easily exploitable network and software vulnerabilities.

It’s not only Windows-based systems that are vulnerable to attack, Linux systems have long been a target for the services that are most frequently deployed on that operating system, including organisational websites, virtual machine servers, network appliances, storage servers and enterprise application infrastructure. Increasingly, criminals are developing cross-platform ransomware and other malware to allow them to better target those resources for profit. In the first six months since Sophos unveiled its Linux protections, the company detected 14 individual Linux servers targeted by ransomware.

Much of the malware affecting Linux systems (as well as other server platforms) is built to mine crypto-currency. Over 40% of all its detections, and 72% of individual Linux devices detected with malware, are the result of miners.

On the macOS platform, the primary threat continues to be potentially unwanted applications, including apps that install plug-ins for Apple’s Safari browser (as well as other browser platforms). These apps inject content into web pages to redirect users to fraudulent or malicious content.

Because mobile applications have become the dominant way in which people interact with the internet, mobile devices are at the centre of a growing range of new types of cyber crime. While the Android platform still sees a steady flow of malware delivered in the form of fake applications and information stealers, both Android and iOS have increasingly been targeted by fraudulent and fake applications – and criminals have found ways to use social engineering to breach even the walled garden of Apple’s mobile devices.

Across the entire threat landscape, two things stand out: the continuous lowering of barriers to entry for would-be cyber criminals and the commodification of what once would have been considered ‘advanced persistent threat’ tools and tactics. While there has long been a thriving marketplace for hacking tools, malware and access to vulnerable networks, the lessons learned from the recent history of ransomware operations and other well-funded malicious actors are more rapidly becoming available to the wider criminal community – as are commercial security tools designed to defeat some defences.

Surveillance cameras, DVRs, NVRs and smart devices — the hardware cyber risks

While software and IT hardware are highly vulnerable to cyber attacks, attention should also be paid to physical security systems such as surveillance cameras, NVRs (network video recorders), DVRs (digital video recorders) and smart devices (electronic device, generally connected to other devices or networks via different wireless protocols that can operate to some extent interactively and autonomously).

Keeping your security cameras and smart devices safe from hackers is an essential step if you're going to bring these recording devices into your business or home. If you can access your camera/smart devices over the internet, someone else theoretically can access or ‘hack’ it as well.

Data breaches are one of the largest cyber threats today. This makes secure data storage critical for any enterprise operating a video camera security system.

There are a few ways in which you can reduce the risk of your camera being hacked:

  • Put standalone security cameras on a network of their own.
  • Update your camera’s firmware.
  • Use strong passwords.
  • Turn on WPA2 encryption.
  • Deploy proven cyber security software.
  • Restrict access.
  • Use a security camera that encrypts data at rest and in transit.
  • Use defined user permissions.

There is also a risk from NVR and DVR systems. This is often due to the introduction of NVR port forwarding or DVR port forwarding. Providers have worked to minimise these known vulnerabilities.

DVRs can be hacked through hacking tools. These allow attackers to extract plaintext credentials for DVR systems and gain access to video data. Unless the DVR system is entirely air-gapped from the wider network, it will present some level of vulnerability.

Smart devices communicate via their own protocols (like ZigBee) and through your WiFi network. Unsecured WiFi networks can be monitored by hackers, which means the information your smart devices are sending your apps and other devices can be intercepted.

“It’s clear that anyone using the internet, generally, or more specifically IP surveillance systems, needs to take every precaution to safeguard against hacking and other cyber attacks. The team at Commercial ICT/Elvey Group works closely with clients to mitigate these risks with technology from reputable suppliers like Sophos,” says Rheeder.

For more information, contact CICT, (+27) 010 590 6177,


Elvey Group

Elvey Group

Marketing and Corporate Affairs

Elvey Group Head Office,

27 Greenstone Place, Greenstone Hill, Edenvale 1609

Editorial contacts