The rise of AI has increased the sophistication and threat vectors of potential cyberattacks with ransomware becoming a service for cybercriminals and emerging threats to iOS with Operation Triangulation in 2024.
5 August 2024
The cybersecurity threat landscape is constantly evolving as new threat actors, technologies and threats emerge, creating an uncertain world for organisations and the public alike with potential pitfalls in even opening an email. Cybersecurity professionals must stay vigilant and ahead of rapidly evolving schemes, threats and strategies by cybercriminals who are leveraging open source technologies and are becoming increasingly sophisticated.
A Broad Overview of the Threat Landscape
Based on the findings from the Kaspersky Incident Response Analyst Report 2023, the present scale of cyberthreats saw that 75% of cyberattack attempts exploited Microsoft Office. In terms of infection vectors, 42.3% of successful attempts used publicly available applications with 20.3% using compromised accounts while just 8.5% used brute force credentials.
When it comes to infection vectors, most incursions were on attackers using stolen or purchased credentials before committing a remote desktop protocol (RDP) attack, phishing emails loaded with malicious attachments and links and malicious files on public resources imitating document templates. As a silver lining, attack attempts dropped by 36% in Q1 of 2023 compared to the same period in 2022.
After incurring a cyberattack, the aftermath resulted in 33.3% of organisations getting their data encrypted, 21.1% incurring data theft and 12.2% encountered compromised active directories.
Based on a prior Kaspersky survey conducted in 2022, the biggest looming cyberthreat risk is ransomware (66%) along with data theft (also 66%), followed closely by cybersabotage (62%), supply chain attacks (60%) and DDos attacks (also 60%), cyberespionage (59%), advanced persistent threats [APT] (57%) and cryptomining (56%). For 2024, currently trending cyberthreats are primarily supply chain attacks (6.8%) and targeted phishing attempts (5.1%) which remain a clear and present threat for businesses.
Based on the same 2023 statistics, the most prolific target by threat actors was governments (27.9%), financial institutions (12.2%), manufacturing (17%) and IT companies (8.8%). In terms of targeted regions, Asia and CIS saw the most cybersecurity incidents at 47.3% followed by the Americas (21.8%), the Middle East (10.9%) and Europe (9.1%). “Governments were the most prolific target by threat actors followed distantly by manufacturing and financial institutions with the largest cyberthreat risk being ransomware and cybersabotage,” said Igor Kuznetsov, Director, Global Research & Analysis Team (GReAT) at Kaspersky.
Based on statistics from Kaspersky’s security solutions employed by clients, over 220,000 businesses were protected around the world with 6.1 billion attacks prevented with Kaspersky security solutions along with 437 million internet-borne threats detected and stopped. In addition, over 325,000 users were saved from financial loss after banking trojans were detected and thwarted.
To achieve this, Kaspersky security services detected over 411,000 unique malware samples daily in 2024 which is an increase over 403,000 daily in 2023. In terms of cybersecurity incidents, over 99% were detected by automatic systems. 2023 also saw 106 million unique malicious URLs detected and 200 advanced persistent threat (APTs) groups that are currently active.
Ransomware as a service (RaaS) coming to the fore
The prevailing trend is that cybercrime is often run as a business with the majority of detected cybersecurity incidents (71%) being financially driven. There was a marked rise in ransomware incidents that saw the percentage of users affected by targeted ransomware almost doubling in 2021-2022. This was borne with a survey that saw 68% of business owners surveyed believing that IT security risks keep rising.
“There are three popular myths in regards to ransomware,” said Igor,” the first being that cybercriminals are just criminals with an IT education, that the targets of ransomware are set before an attack and that ransomware gangs are acting along.” Contrary to popular opinion, most cyber incidents are opportunistic attacks while many ransomware gangs actually work with affiliates much like a business, performing ransomware as a service (RaaS).
RaaS operates as a sophisticated process, initially involving a ransomware developer and a packer developer to create the malware itself, which is then marketed to other cybercriminals. Various specialised threat actors contribute to the ransomware ecosystem:
- Access resellers offer entry to protected systems as a service, often selling their wares on specialised underground marketplaces.
- Rogue analysts identify the true value of targets and make strategic suggestions to professional negotiators. Once a malware payload has been delivered, these specialised negotiators come into play to ensure the ransom is paid using their social engineering skills. After payment, they facilitate the laundering of funds before the cycle repeats.
- State-sponsored Advanced Persistent Threat (APT) actors may exploit cybercriminals as convenient entry points into targets of interest, using these connections to conduct espionage or inflict damage on victims.
In some cases, these operations may include infiltration tactics (similar to red team exercises) to deploy ransomware effectively. This collaborative approach allows cybercriminals to pool their expertise, making ransomware attacks more sophisticated and challenging to defend against, while also ensuring the entire process from initial breach to fund laundering is handled by specialists at each stage.
To optimise the chances of success, cybercriminals may afford purchasing 0-day exploits from other criminals which was a luxury previously accessible only to state-sponsored actors but which is now up for the highest bidder. Crossplatform cryptors are also becoming more creative and adaptive and have enacted self-defense mechanisms to their malware to make them more difficult to decrypt.
These various specialised cybercriminals all play their part and once a malware payload has been delivered, specialised threat actors who act as professional negotiators come into play to get the ransom paid and after the ransom is paid, to then get the funds laundered before the cycle repeats itself.
“Ultimately, affected organisations must not pay a ransom which will perpetuate and enable more cybercrime,” said Igor. He warned that even if a ransom is paid, the data may have already been stolen and could be leaked later or used for further extortion attempts. Instead, Igor highlighted alternative solutions: “Victims can often recover their data without paying. Kaspersky maintains a vault of keys and tools to decrypt data locked by various ransomware families. Since 2018, over 1.5 million users worldwide have successfully recovered their data using these resources.”
Operation Triangulation
One of the biggest potential threat vectors that was discovered by Kaspersky was Operation Triangulation that targeted iOS devices with unknown malware and which exploited a hardware vulnerability inside Apple CPUs and employed four 0-day vulnerabilities to infect a target devices which would cost more than US$1 million in the black market to obtain.
When an iOS device is targeted, it will get an invisible iMessage with a malicious attachment with a non-interaction exploit from the message initiating code execution. Once the code is deployed, it connects to a service and then starts a multi-stage execution of the malware payload. Once this is completed, an attacker will gain full control over the compromised iOS device and all traces and logs are then wiped to eliminate any trace of the attack.
These vulnerabilities have already been patched by Apple but to prevent possible future cyberattacks, users of iOS devices need to regularly update their firmware, conduct regular reboots and disable iMessage to prevent it as a possible malware pathway.
Containerised Systems – Implementing Rules To Mitigate Risk
Supply chain attacks, closely tied to containerised systems running on open-source software, present another significant threat vector for 2024. These cloud-hosted systems enable services to operate independently from the host operating system, allowing execution in diverse environments. Containerisation facilitates lightweight, efficient applications that can run on various devices and in clusters, managing demanding workloads at scale. This versatility underpins many modern applications and systems, including open-source platforms like Kubernetes.
“Containerised systems often rely on numerous third-party dependencies, introducing significant supply chain risks from both malicious intent and unintentional flaws,” explains Igor. He cites two recent examples: “The Crowdstrike event caused an outage on millions of devices, demonstrating how a faulty update can have widespread impact. Additionally, a less publicised attack on XZ Linux utilities could have compromised millions of SSH-enabled devices, highlighting the potential for malicious exploitation in the supply chain.”
At present, hundreds of millions of open source packages are accessible to developers at popular sites like GitHub with over 100 million developers using the site. On average, 670 malicious open source packages are discovered every month and to date, over 12,000 vulnerable open source packages have been known and identified.
Proper security policies need to be enacted for containerised systems with close scrutiny to images to ensure no vulnerable or untrusted content, ensuring the image registry does not contain outdated or misconfigured settings, that the orchestrator has robust access and network control policies free of configuration and authentication errors, that containers have safe configurations and ensuring that host OS systems ensure shared kernels are managed responsibly while minimising potential attack surfaces.
More robust rules for containerised systems need to be implemented and a system such as Kaspersky Security Container that protects at multiple levels needs to be integrated into systems along with a comprehensive security policy.
Best cybersecurity practices for 2024
To avoid falling victim to a targeted attack by a known or unknown threat actor, organisations need to create and maintain a mature security posture through a combination of effective strategy, proper employee education on cybersecurity, updated threat intelligence from trusted cybersecurity providers and a proper application of technology. While no system is infallible or invulnerable, Kaspersky researchers recommend implementing the following security measures to maximise protection:
- Update your operating system, applications, and antivirus software regularly to patch any known vulnerabilities.
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- Investigate alerts and threats identified by security controls with Kaspersky’s Incident Response and Digital Forensics services to gain deeper insights.
More information can be found at Kaspersky