Published on: June 3, 2024
SafetyDetectives recently had the opportunity to interview Michael DeBolt, the Chief Intelligence Officer at Intel 471. Michael brings a wealth of experience to his role, having begun his career in the U.S. Marine Corps before moving into the cybersecurity field. His journey includes notable positions such as leading cyber counterintelligence operations at U.S. NCIS and serving as the Head of Cybercrime Intelligence at INTERPOL. At Intel 471, Michael oversees a global team dedicated to tracking financially motivated cybercriminals and providing actionable intelligence to protect customers from threats. In this interview, Michael shares insights from Intel 471’s latest Cyber Threat Report and discusses emerging trends and challenges in the cybersecurity landscape.
Can you tell us a bit about your background and your role at Intel 471?
I got my start by proudly serving in the U.S. Marine Corps. After my time with the Marines, I began my cybersecurity career. My career before Intel 471 spans from threat intelligence to cyber counterintelligence operations at U.S. NCIS, and I also worked as Head of Cybercrime Intelligence at INTERPOL. This led me to Intel 471, where I am the Chief Intelligence Officer. I am on the executive team here where I lead a global team of cyber threat intelligence (CTI) experts dedicated to tracking financially motivated cybercriminals and providing actionable intelligence to protect our customers from threats.
Can you provide an overview of Intel 471 and the key findings of your latest Cyber Threat Report?
Intel 471 empowers enterprises, government agencies and organizations worldwide to gain an advantage over cyber adversaries by understanding their tactics, techniques, procedures (TTPs), threat patterns and imminent attacks relevant to customers’ businesses. We provide actionable insights to help our clients mitigate cyber threats.
Our latest Cyber Threat Report highlights several emerging trends and evolving techniques among threat actors. A few findings I think you might find interesting are that nearly 60% of hacktivist incidents were linked to the pro-Russian NoName057(16) group. Ransomware attacks nearly doubled in 2023 compared to 2022, and there was a 43% rise in zero-day vulnerabilities. Additionally, we found that threat actors increasingly leveraged AI for cost-effective deepfakes.
LockBit has been identified as the most prevalent ransomware variant. What makes LockBit particularly effective and widespread compared to other ransomware variants?
Prior to law enforcement disruption efforts starting in February 2024, LockBit was the most prevalent ransomware variant, impacting 981 victims in 2023 — more than double those impacted by the next variant, ALPHV. LockBit’s effectiveness stems from its ability to continuously evolve and improve upon its techniques, making it harder for security solutions to detect them. Since the takedown efforts, we noticed a sharp decline in LockBit 3.0 attacks. In fact, starting in April, the ransomware landscape began to show the effects of the law enforcement action against the LockBit group and the termination of the ALPHV Ransomware-as-a-Service (RaaS) — the first and second most impactful groups of 2023, respectively. With these key groups out of the spotlight, less impactful yet consistent groups are gravitating to the top spots.
The report highlights a notable increase in the exploitation of zero-day vulnerabilities. Can you explain the impact of this trend and how organizations can mitigate the risks associated with zero-day exploits?
A zero-day vulnerability represents a critical, undisclosed security flaw in software, hardware or firmware, which offers attackers a covert path to unauthorized network access, undetected movement and/or extraction of sensitive information. Our team at Intel 471 observed 88 zero-day vulnerabilities exploited by threat actors and a 177.8% rise in the exploitation of software and web application vulnerabilities.
The increased focus on zero-day vulnerabilities among financially motivated threat actors, especially in ransomware, suggests a trend toward more covert and sophisticated methods for gaining initial access. To mitigate these risks, organizations should improve their detection and response capabilities with advanced threat intelligence and rapid incident response strategies to adopt a more proactive security posture. Industry-wide collaboration and threat intelligence sharing are crucial for anticipating and enhancing defenses against zero-day exploits, ensuring stronger cybersecurity in the face of evolving threats.
The report mentions a nearly doubling of ransomware attacks in 2023. What do you believe are the driving factors behind this significant increase?
Several factors contribute to the surge in ransomware attacks, including the increasing sophistication of ransomware groups and the profitability of attacks. Additionally, the continued commoditization of the initial access broker sub-economy and the proliferation of stolen credentials have also driven the increased volume of ransomware attacks of late.
Threat intelligence provides a window into the methods threat actors use to gain initial access and arms defenders to proactively mitigate early warning indicators before a breach can occur.
How are advancements in AI and deepfake technology being leveraged by cybercriminals, and what can be done to counter these emerging threats?
AI has played a supportive role in making it easier to do the things threat actors have already been doing. As the tools advance, cybercriminals can create content that is becoming more sophisticated, less detectable and overall, more convincing over time and leveraged for phishing and extortion. AI significantly impacted the threat landscape, particularly in social engineering campaigns, deepfakes, bypassing know-your-customer (KYC) verification bypass and chatbot abuse. In fact, the concept of deepfakes existed long before the recent surge in AI advancements, but cybercriminals struggled to find cost-effective creation methods. The available technology at the time also required a creator to obtain an extensive amount of audio, photographic or video material to produce anything resembling the intended victim, resulting in most content targeting celebrities due to their abundant online presence. Today, however, cybercriminals are developing AI-generated content to target common individuals and corporations more frequently.
To counter the rapidly evolving landscape of AI-based threats, it is essential to gain a comprehensive understanding of threat actors’ intentions, motivations and capabilities. This space is changing constantly, and actors are adapting, so we must be forward leaning and looking in the right places.
Based on the findings of the report, what predictions can you make about the future landscape of cyber threats? Are there specific areas you expect to see growth or change in?
- Yes, there are a few areas that I expect will be major players in the future landscape of cyber threats:
Ransomware will intensify: We’ve already seen vigorous attack activity directed at healthcare organizations and financial services recently, and this trend is likely to abate in the foreseeable future. RaaS offerings, which allow subgroups of threat actors to partner with malware and infrastructure providers, are fine-tuned and will grow, enabling lesser-skilled actors to enter into the ransomware space.
- AI remains a wild card: The proliferation of open-source large language models (LLMs) and services, some of which lack safety guardrails to prevent malicious use, means this area remains a wild card.
- Law Enforcement Will Pressure ‘The Com’: TheCom has used social engineering as an effective technique for carrying out waves of phishing campaigns to gain initial access to organizations. With the continued success of these campaigns and the limited resources required to conduct them, these threat actors will likely continue to conduct similar campaigns and inspire other threat actors to adopt the same methods.