When the once-notorious computer hacker Marcus Hutchins was arrested by FBI agents in August 2017, he was staying in a Las Vegas mansion. Years earlier, as a precocious 16-year-old, Hutchins had accepted thousands of dollars in bitcoin to develop what eventually became the Kronos banking trojan. His dark secret was unknown to anyone except a single dark web contact who led agents to his arrest.
Today, society is full of people like Hutchins who are just a little better at hiding. They might be the elusive rich guy living on your street. They might be the sandal-wearing hipster who sits in the corner of your local coffee shop. No matter how they appear, they are the mafiosos and kingpins of our time, and their victims are global businesses and consumers.
As the cybercriminal underclass grows, so, too, does the black market for malware, exploits and sensitive data harvested from major organizations. And although it’s comforting to think that holding a Fortune 500 banking institution for ransom requires God-like powers, it doesn’t — all it requires is a lack of moral scruples and the basic know-how to exploit backdoor channels hidden across all modern websites and apps.
In the first half of 2021, the frequency of ransomware attacks increased by nearly 100% from the year before, with an average cost (including payout and recovery) of $2 million. One of these incidents stands apart for a surprising twist in the story: The parties responsible apologized for their actions.
DarkSide, the Russian-based hacking group behind the May 2021 ransomware attack on Colonial Pipeline, operates on a ransomware-as-a-service model, “renting” their code out to anonymous clients in exchange for payment. Following the attack, DarkSide claimed ignorance that its victim was a public utility, providing oil and gas across the eastern United States.
Dubious as that claim may be, it is far from impossible. The number of professional cybercriminals acting on a rental model has exploded, accounting for two out of every three data breaches in 2020. These ventures can achieve high levels of automation, offering everything from control of large botnets to zero-day attacks and “trusted insiders.”
With these shadow markets in place, hacking skills aren’t needed to target a business or its customers: nation-states, terrorist groups and profit-seekers can infiltrate a business by simply paying someone else to do it for them. But where do professional cybercriminals get the resources to offer their services consistently, at scale? The answer is buried in nearly every website you visit.
The Backdoor Channels To Your Website
Despite the amount of news coverage devoted to cyberattacks, no amount of awareness seems to stunt their growth. Approximately 50% of CEOs plan to increase their cybersecurity investment in the near future, and the government pours billions into it every year. Yet, the number and scale of data breaches continue to climb, barely fettered by any counter-efforts.
Although the reasons for this phenomenon are multifaceted, some are relatively straightforward: Major channels for malicious activity against businesses, consumers and government organizations are left almost completely unmonitored and unprotected. Take third-party code, for instance.
Today, nearly every website and mobile application depend heavily on third-party code to provide rich features like shopping cart and payment features, media rendering, advertising and customer support (including live and AI-based chat). In fact, up to 98% of websites are vulnerable to “client-side” attacks due to third-party vulnerabilities.
Not only can these backdoor channels be used to form botnets of user devices, skim credit card information and target delivery of ransomware to specific organizations, they can also be bought and sold like any other exploit, turning otherwise upstanding websites into pawns of the organized cybercriminal game.
The Web: The Next Frontier For Cybersecurity
Today, most CEOs have some level of cybersecurity consciousness. They are wary of phishing attacks via email. They ensure that antivirus software is deployed throughout their organization. Meanwhile, CSOs and CISOs encourage secure coding practices and strong passwords, and — following the attack on SolarWinds — they may even vet third-party software vendors.
But all of them have blind spots. The cybersecurity landscape is always changing, and email is no longer the most dangerous channel for phishing attacks or malware delivery — the web is. Proprietary code is no longer the greatest factor in customer safety or experience across websites and apps — third-party code is. That’s how ransomware as a service works.
Ultimately, today’s organizations have a wealth of tools at their disposal to handle traditional sources of risk, but few have looked for solutions to handle the risk emanating from their own digital ecosystems. Going forward, security-conscious executives must familiarize themselves with the vast infrastructure of digital third parties their business depends on and invest in solutions to detect malicious code before it executes. The safety of their customers depends on it.