Always on the lookout for ways to optimize their nefarious endeavors, major groups specializing in advanced persistent threats (APTs) are opting to buy access to compromised systems from smaller operators rather than doing the initial dirty work themselves. For their part, small bad actors benefit from the quick monetization of successful attacks. What does this new outsourcing trend mean to you? It’s time to reconsider the role of common cyberincidents in your network.

Last year saw a rise in successful attacks on corporate networks through fairly simple, mass malware such as Trickbot. Meanwhile, interest in selling and buying off-the-shelf access to corporate networks has grown significantly on the dark web. Instead of stealing valuable data and demanding ransom or seeking buyers for it, attackers are now selling direct access to victims’ infrastructure on the black market. Their list of regular clients likely includes APT groups preparing targeted campaigns.

Using “simple” malware and buying ready-made access addresses two issues from the bad guys’ standpoint. First, it deflects attention from the group’s own malicious tools and makes attribution harder if the initial access attempt is detected. Second, it reduces the cost of penetration. Because security staff, by studying malware and publishing threat indicators, have learned to respond effectively to compromise attempts, targeted attacks on selected victims have become ever more time-consuming and in some cases even futile.

APT tools quickly fall under the scrutiny of infosec analysts, but ordinary malware that isn’t directly related to APT groups or that doesn’t cause significant damage attracts far less attention. It can remain unnoticed longer, and any consequences of detection will be minor. However, developers of simple Trojans are nothing if not persistent, so a slightly modified version of a mundane Trojan sent in a new phishing e-mail could — maybe not the second or the third, but perhaps the fifth time — slip through the security net and linger in the corporate network.

Consequently, major actors are likely to keep turning to other cybercriminals to gain access to the computers of targeted organizations.

Kaspersky’s advice: Pay serious attention to any unauthorized network access attempts involving common malware. A regular Trojan detected and blocked by an antivirus utility is not a significant problem by itself, but it could indicate that a sophisticated APT group is trying to seize your intellectual property.

