| Worry | |
|---|---|
| Date of Initial Activity | 2024 |
| Location | Unknown |
| Suspected Attribution | Cybercriminals |
| Motivation | Data Theft |
| Software | Database |
Overview
The threat actor known as Worry has emerged as a significant player in the world of cybercrime, gaining attention for its recent high-profile attack on Australian furniture retailer Early Settler. This breach exposed sensitive customer data, including names, email addresses, phone numbers, and delivery information, impacting over a million individuals. Worry gained notoriety after posting the stolen data on a dark web hacking forum, offering it for sale. The breach illustrates a broader shift in the cyber threat landscape, where cybercriminals are not only targeting current data but also exploiting older, archived databases once considered less vulnerable.
Common targets
Retail Trade
Australia
Attack Vectors
Software Vulnerabilities
How they operate
At the core of Worry’s operations is a combination of targeted social engineering and exploitation of vulnerabilities in both current and archived systems. Worry is adept at identifying organizations with weak or outdated security measures, particularly those that store significant amounts of data, including legacy or archived information. Unlike many other threat actors who focus on accessing real-time data, Worry demonstrates a keen interest in breaching long-term repositories, often overlooked by companies. This approach reveals a strategic understanding of the value of historical data, which can still hold considerable worth in dark web markets. Worry’s recent attack on Early Settler, which involved an archived database from 2022, serves as a prime example of this method.
The group’s operational style also reflects the trend of cybercrime commodification. Worry is known for offering stolen data for sale on underground hacking forums, where it can be monetized by other criminals. In the Early Settler case, the group posted the stolen customer data for USD 2,000, emphasizing the commercial aspect of modern cybercrime. The stolen data, although in many instances incomplete, included unique email addresses, highlighting that Worry targets valuable and identifiable information. This commercialization of stolen data is a key aspect of Worry’s technical operations, as it has turned data theft into a commodity that can be easily traded.
In terms of attack methodology, Worry likely utilizes a mix of manual and automated techniques to compromise an organization’s infrastructure. This includes exploiting misconfigurations in databases, using credential stuffing or phishing to gain access to employee accounts, and deploying malware that can extract data undetected. Once the data is harvested, it is exfiltrated using encrypted channels to avoid detection by traditional security monitoring tools. In some instances, Worry has been known to deploy exfiltration methods that bypass intrusion detection systems (IDS) and intrusion prevention systems (IPS), ensuring that the stolen data is removed without triggering alarms.
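The two behaviours named above, credential stuffing against accounts and bulk reads from archived databases, leave traces in ordinary authentication and database audit logs. The script below is an added detection example written for this profile; it is not code from the page, from Early Settler, or from any named product. The `kind=... key=value` log format, the host names, addresses and account names are all constructed for the example, and the thresholds (four distinct accounts failing from one source, 100,000 rows read from a database whose name contains "archive") are assumptions a team would tune to its own baseline.

```python
import re
from collections import defaultdict

# Constructed sample audit lines for this example only; the key=value
# layout is a hypothetical format, not any real product's log schema.
SAMPLE_LOG = """\
2024-05-02T02:58:11Z kind=auth result=FAIL user=alice src=203.0.113.7
2024-05-02T02:58:12Z kind=auth result=FAIL user=bob src=203.0.113.7
2024-05-02T02:58:12Z kind=auth result=FAIL user=carol src=203.0.113.7
2024-05-02T02:58:13Z kind=auth result=FAIL user=dave src=203.0.113.7
2024-05-02T02:58:14Z kind=auth result=FAIL user=erin src=203.0.113.7
2024-05-02T02:58:15Z kind=auth result=OK user=erin src=203.0.113.7
2024-05-02T02:59:40Z kind=auth result=FAIL user=alice src=198.51.100.9
2024-05-02T03:05:02Z kind=query db=crm_live user=app_web src=10.0.2.20 table=orders op=SELECT rows=12
2024-05-02T03:12:07Z kind=query db=crm_archive_2022 user=erin src=203.0.113.7 table=customers op=SELECT rows=412000
2024-05-02T03:13:40Z kind=query db=crm_archive_2022 user=erin src=203.0.113.7 table=deliveries op=SELECT rows=398000
2024-05-02T03:20:00Z kind=query db=crm_archive_2022 user=svc_backup src=10.0.9.3 table=customers op=SELECT rows=2500
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    event = {"ts": parts[0]}
    event.update(KV_RE.findall(parts[1]))  # list of (key, value) pairs
    return event


def parse_log(text):
    """Parse every well-formed line of a log blob."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_credential_stuffing(events, min_distinct_users=4):
    """Flag sources whose failed logins are spread across many distinct accounts.

    One user failing repeatedly looks like a forgotten password; many users
    failing from one source in a short span is the stuffing pattern.
    """
    failed = defaultdict(set)
    for e in events:
        if e.get("kind") == "auth" and e.get("result") == "FAIL":
            failed[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed.items()
            if len(users) >= min_distinct_users}


def detect_bulk_archive_reads(events, row_threshold=100_000, archive_marker="archive"):
    """Flag single SELECTs that pull a large row count out of an archive database.

    Archived stores normally see small, scheduled reads (backups, audits), so a
    six-figure row count from an interactive account is worth a look.
    """
    hits = []
    for e in events:
        if e.get("kind") != "query" or e.get("op") != "SELECT":
            continue
        if archive_marker not in e.get("db", "").lower():
            continue
        rows = int(e.get("rows", 0))
        if rows >= row_threshold:
            hits.append((e["ts"], e["user"], e["src"], e["db"], e["table"], rows))
    return hits


def correlate(events):
    """Keep only bulk archive reads issued from a source already flagged for stuffing."""
    stuffing_sources = detect_credential_stuffing(events)
    return [h for h in detect_bulk_archive_reads(events) if h[2] in stuffing_sources]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, users in detect_credential_stuffing(evs).items():
        print(f"stuffing: {src} failed as {len(users)} accounts: {', '.join(users)}")
    for ts, user, src, db, table, rows in correlate(evs):
        print(f"bulk read after stuffing: {ts} {user}@{src} read {rows} rows from {db}.{table}")
```

Run on the constructed sample, the script ties the successful `erin` login from `203.0.113.7` (a source that had just failed as five different accounts) to two large reads from `crm_archive_2022`, while the scheduled 2,500-row read by `svc_backup` stays below the threshold. The correlation step is what cuts noise: either signal alone fires on legitimate activity, but a bulk archive export from a source that was just guessing passwords is the chain the text describes.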
Another notable technical characteristic of Worry is its reliance on a decentralized network for operations. The group operates with a network of compromised servers, often leveraging anonymizing technologies like Tor or VPNs to mask their true origin. This decentralized infrastructure makes it harder for law enforcement and cybersecurity professionals to trace and shut down Worry’s activities. By utilizing multiple layers of obfuscation and encryption, the group minimizes the risk of detection, making it a persistent and elusive threat.
Ultimately, Worry’s technical operations reflect a broader shift in cybercrime tactics. The group’s combination of advanced targeting, exploitation of both active and archived data, and the commodification of stolen information serves as a model for other cybercriminal organizations. As cyber threats continue to evolve in complexity and sophistication, businesses must be proactive in securing all data, not just the data that is actively in use. The threat posed by actors like Worry demonstrates the growing need for comprehensive cybersecurity measures that can detect and prevent not only current threats but also the exploitation of historical vulnerabilities.