Trellix 2024 Threat Predictions
November 2023 by Trellix
Ransomware, nation states, social media, and a shifting reliance on a remote workforce made headlines in 2021, proving that bad actors only continue to rise to the challenge. Defiantly, they thwart solution stacks and gain momentum each time they succeed, with this confidence driving them to be bolder and even more prolific.
We’ve seen the impact of their determination and how it is empowering them to inflict more damage. The average ransomware request grew from $5,000 in 2018 to around $200,000 in 2020. This whopping 3900% increase in just two years proves the power that comes each time a bad actor is successful. It makes sense, after all, to want to keep reaping the fruits that determination and willpower can create.
This success has been achieved through adaptability: if at first you do not succeed, try again. They act as a living, breathing entity with this steadfastness, knowing organizations are between a rock and a hard place to maintain business as usual.
“Over this past year, we have seen cybercriminals get smarter and quicker at retooling their tactics to follow new bad actor schemes – from ransomware to nation states – and we don’t anticipate that changing in 2022,” said Raj Samani, fellow and chief scientist at Trellix. “With the evolving threat landscape and continued impact of the global pandemic, it is crucial that enterprises stay aware of cybersecurity trends so that they can be proactive and actionable in protecting their information.”
To outwit and outpace bad actors and stop the year-over-year trend of increasing attacks and breaches, security must adopt their tactics by being always-on and adaptable to stay one step ahead. Below, skilled engineers and security architects from Trellix outline just how crucial this shift in mindset and approach is as we head into 2022.
• The Threat of Artificial Intelligence
o The Resurrection of Script Kiddies
o Underground Development of Malicious LLMs
o AI-generated Voice Scams for Social Engineering
• Shifting Trends in Threat Actor Behavior
o Supply Chain Attacks Against Managed File Transfers (MFT) Solutions
o Malware Threats are Becoming Polyglot
o Even More Layers of Ransomware Extortion
o Election Security Must Start with Protecting the Human-in-the-Loop
• Emerging Threats and Attack Methods
o The Growing Battle of the (QR) Codes
o The Stealthy Assault on Edge Devices
o Unmasking The Silent Surge in Insider Threats
o Python in Excel Creates a Potential New Vector for Attacks
o LOL Drivers Are Becoming a Game Changer
The Threat of Artificial Intelligence
The Resurrection of Script Kiddies
Author: Ajeeth S
The availability of free and open source software is what originally led to the rise of those known as “Script Kiddies,” individuals with little to no technical expertise using pre-existing automated tools or scripts to launch attacks on computer systems or networks. Though they are sometimes dismissed as unskilled amateurs or Blackhat wannabes, the growing availability of advanced generative AI tools, and their potential for malicious use, means Script Kiddies pose a significant and growing threat to the market.
The internet is now filled with tools that use AI to make people’s lives easier: creating presentations, generating voice notes, writing argumentative papers, and much more. Many of the best-known tools like ChatGPT, Bard, or Perplexity AI come with security mechanisms to prevent the chatbot from writing malicious code. This is not the case for all AI tools available in the market, especially the ones being developed on the dark web.
It is only a matter of time until cybercriminals have access to an unrestricted generative AI which can write malicious code, create deepfake videos, assist with social engineering schemes and more. This will make it easier than ever for unskilled actors to execute sophisticated attacks at scale. Furthermore, widespread leveraging of such tools to exploit vulnerabilities will also make root cause analysis of attacks more challenging for defenders. We consider this to be an area to monitor carefully in 2024.
Underground Development of Malicious LLMs
Author: Shyava Tripathi
Recent advancements in AI have given rise to large language models (LLMs) capable of generating human-like text. While LLMs exhibit remarkable technological potential for positive applications, their dual-use nature also makes them vulnerable to malicious exploitation. One significant security concern associated with LLMs lies in their potential misuse by cybercriminals for large-scale attacks.
Leading LLMs like GPT-3.5, GPT-4, Claude and PaLM2 have achieved unparalleled capabilities in generating coherent text, answering intricate queries, problem-solving, and coding, among various other natural language tasks. The availability and ease of use of these advanced LLMs, particularly models like GPT-4 introduced in late 2022, have opened a new era for cybercriminals. Unlike earlier, less sophisticated AI systems, today’s LLMs offer a potent and cost-effective tool for hackers, eliminating the need for extensive expertise, time, and resources.
Setting up the infrastructure for large-scale phishing campaigns has become cheaper and more accessible, even for individuals with limited technical skills. Tools like FraudGPT and WormGPT are already prominent in cybercriminal networks. Popular darknet forums today already serve thousands of users as platforms for the development of phishing emails and counterfeit webpages, as well as the creation of malware and exploits designed to evade detection. It’s clear that these LLM applications can assist in mitigating considerable challenges encountered by cybercriminals, and we expect malicious usage of these tools to accelerate in 2024.
AI-generated Voice Scams for Social Engineering
Author: Rafael Pena
The rise of scams involving AI-generated voices is a concerning trend that is set to grow in the coming years, driven by various factors that pose significant risks to individuals and organizations. These scams often involve social engineering tactics, where scammers use psychological manipulation techniques to deceive individuals into taking specific actions, such as disclosing personal information or executing financial transactions. AI-generated voices play a crucial role in this, as they can instill trust or urgency in victims, making them more susceptible to manipulation.
Recent advancements in artificial intelligence have greatly improved the quality of AI-generated voices. They now closely mimic human speech patterns and nuances, making it increasingly difficult to differentiate between real and fake voices. Furthermore, the accessibility and affordability of AI voice generation tools have democratized their use. Even individuals without technical expertise can easily employ these tools to create convincing artificial voices, empowering scammers.
Scalability is another key factor. Scammers can leverage AI-generated voices to automate and amplify their fraudulent activities. They can target numerous potential victims simultaneously with personalized voice messages or calls, increasing their reach and effectiveness. Detecting AI-generated voices in real-time is a significant challenge, particularly for individuals who are not familiar with AI technology. The increasing authenticity of AI voices makes it difficult for victims to distinguish between genuine and fraudulent communications. Additionally, these scams are not limited by language barriers. AI-generated voices can be programmed to speak multiple languages, allowing scammers to target victims across diverse geographic regions and linguistic backgrounds.
Phishing and vishing attacks are both on the rise. It’s only a logical next step that as the technology for AI-generated voices improves, threat actors will leverage these applications with victims on live phone calls – impersonating legitimate entities and amplifying the effectiveness of their scams.
Shifting Trends in Threat Actor Behavior
Supply Chain Attacks Against Managed File Transfers (MFT) Solutions
Author: John Fokker
Managed file transfer solutions, designed to securely exchange sensitive data between entities, inherently hold a treasure trove of confidential information. This ranges from intellectual property, customer data, financial records, and much more. MFT solutions play a critical role in modern business operations, with organizations relying heavily on them to facilitate seamless data sharing both internally and externally. Any disruption or compromise of these systems can lead to significant operational downtime, tarnished reputations, and financial losses. This makes them highly attractive targets for cybercriminals who are aware of how the potential impact enhances the potency of their extortion demands.
Furthermore, the complexity of MFT systems and their integration into the internal business network often creates security weaknesses and vulnerabilities that can be exploited by cybercriminals. Just in the last month, we saw the Cl0P group exploiting the GoAnywhere MFT solution and the MOVEit breach, turning one successful exploit into a major global software supply chain breach. In the next year, we expect these types of attacks only to increase, with participation from numerous threat actors. Organizations are strongly advised to thoroughly review their managed file transfer solution, implement DLP solutions and encrypt sensitive data at rest to protect themselves.
Malware Threats are Becoming Polyglot
Author: Ernesto Fernández Provecho
In recent years, there has been a noticeable rise in the utilization of programming languages like Golang, Nim, and Rust for the development of malicious software. While their volume is still low compared to other languages like C or C++, that is something we expect to change in the future.
Go’s simplicity and concurrency capabilities have made it a favorite for crafting lightweight and speedy malware. Nim’s focus on performance and expressiveness has rendered it useful for creating intricate malware. Meanwhile, Rust’s memory management features have attracted threat actors, especially ransomware groups concerned about the encryption efficiency of their samples.
What adds to the complexity is the lack of comprehensive analysis tools for these languages. The relative newness of Nim and Rust means that established security tooling is less abundant compared to languages like C or Python. This scarcity of analysis tools poses a significant challenge for cybersecurity experts aiming to dissect and counteract malware written in these languages.
We’re already starting to observe an increase in Golang-based malware in recent months, and thus predict that 2024 will see a notable surge in malware from these languages.
Even More Layers of Ransomware Extortion
Author: Bevan Read
As ransomware groups are primarily financially-driven, it’s unsurprising to see them find new ways to extort their victims for more money and pressure them to pay the ransom. We are starting to see ransomware groups contact the clients of their victims as a new way to apply pressure and combat recent ransomware mitigations. This allows them to ransom the stolen data not only with the direct victim of their attack, but also any clients of the victim who may be impacted by the stolen data.
Ransomware groups finding ways to leverage the media and public pressure onto their victims isn’t new. Back in 2022, one of Australia’s most significant health insurance companies suffered from a data breach. In tandem with their ransom to the insurance company, the threat actors publicized much of the medical data – leading to pressure from the public and officials to pay the ransomware actors to take down the medical information. But in 2023, observing a similar event, a ransomware group instead threatened to contact the clients of companies they had compromised – offering those clients the option to pay to remove their personal data from the exposed data.
As this additional form of extortion grows in popularity, adding a 5th avenue for these attackers to ransom affected organizations, it’s expected that we will see a shift in the landscape where ransomware groups more often look to target entities that handle sensitive personal information, communications and storage. It would not be surprising for the healthcare, education, and SaaS industries to come further under fire in 2024 from these groups.
Election Security Must Start with Protecting the Human-in-the-Loop
Author: Patrick Flynn
A critical threat to election security remains in the basics, and often starts with emails or SMS messages where “bad actors” actively target election officials through creative phishing schemes to compromise credentials. We only need to look back three years to when this was prominently used to focus on key officials in 4 battleground states. It will be no different this election cycle unless the individuals involved at the city, county, state and federal level, ranging from city and county election officials to volunteers, are protected.
Cyber-attacks, such as spear phishing and sophisticated impersonation, continue to use email as the main entry point because it can be highly customized and focuses on increased levels of successful exploitation. As we inch closer to the 2024 election cycle, everyone involved in elections must continue examining emails closely and not trust unrecognizable hyperlinks. They should be extra wary of highly targeted and sophisticated impersonation and business email compromise (BEC) attacks and spear-phishing campaigns, and consider leveraging solutions to detect and stop advanced malicious files and URLs.
Playing a role in elections empowers all individuals, but these roles also come with a critical responsibility, and everyone must be aware of those who seek to influence the electoral process through illicit means.
Emerging Threats and Attack Methods
The Growing Battle of the (QR) Codes
Author: Raghav Kapoor, Shyava Tripathi
The rise of QR code-based phishing campaigns represents a significant and alarming trend. As our daily lives become increasingly reliant on digital interactions, attackers are adapting their tactics to exploit new vulnerabilities. QR codes, originally designed for their convenience and efficiency, have become an enticing attack vector for cybercriminals.
One of the primary reasons behind the expected increase in QR code-focused phishing campaigns is their inherent trustworthiness. QR codes have become essential in various aspects of daily life, from contactless payments to restaurant menus during the COVID-19 pandemic. As a result, people have grown accustomed to scanning QR codes without much thought, assuming they are safe. This sense of trust can be exploited by cybercriminals who embed malicious links or redirect victims to fake websites. We expect that QR codes will also be used to distribute widely recognized malware families.
The ease of QR code creation and distribution has lowered the barrier for entry into the world of phishing and malware distribution. Anyone can generate a QR code and embed malicious links within, making it a cost-effective and accessible method for cybercriminals to target victims. Moreover, QR codes offer a discreet way for hackers to deliver their payloads. Users may not even realize they have fallen victim to a phishing attack until it’s too late, making detection and prevention more challenging.
To combat the growing threat of QR code-focused phishing, users must exercise caution when scanning codes, especially from unknown or suspicious sources. Traditional email products fail to detect these attacks which makes them an attractive option for cybercriminals today. As attackers continue to refine their tactics and craft convincing phishing lures, the potential for success in these campaigns will be on the rise.
The Stealthy Assault on Edge Devices
Author: Pham Duy Phuc
There is a significant and somewhat stealthy shift in the threat landscape underway, centering on the often-overlooked realm of edge devices. These unassuming components, including firewalls, routers, VPNs, switches, multiplexers, and gateways are becoming the new frontier for threat actors, particularly Advanced Persistent Threat (APT) groups. What sets this apart from normal is the subtlety of the threat; it’s not about the easily foreseen IoT vulnerabilities, but rather the less conspicuous challenges posed by edge devices themselves.
Edge devices have their unique complexities. However, the issue lies in their inherent inability to detect intrusions. Unlike traditional network components, it’s not as simple as bolting on another IDS or IPS. The gateways to our digital world are, by design, the first and last line of defense. This makes them both the target and the blind spot. The evolving tactics of APT groups, combined with the multiplicity of edge device architectures, present a formidable challenge. For example, solutions for platforms like MIPS or ARM are still in their infancy when it comes to robust intrusion detection. In essence, in the constant game of cat and mouse that is the threat landscape, this is an area where the mice are becoming increasingly elusive.
As we continue to move into the digital age, with more connected devices and services constantly proliferating through our lives, the cyber battleground isn’t always where we expect it to be. The year 2024 brings with it a new reality: the under-explored vulnerabilities in our gateways, routers, and VPNs are being scrutinized and exploited with finesse. To safeguard our digital realms, we must adapt and fortify our defenses against these subtle yet determined adversaries.
Unmasking The Silent Surge in Insider Threats
Author: Manoj Reddy M.V
In recent years, insider threats have posed a multifaceted and evolving risk that affects both public and private organizations globally. An insider threat refers to any person who had or currently has access to critical organizational assets, including facilities, information, networks and systems, and who is an employee, contractor, partner, or someone with rogue access. Based on recent industry analysis, insider threats have increased by 47% over the last two years, incurring a loss of $15.38 million for the containment of the incident, and 70% of the attacks are not reported externally.
This threat undermines the confidentiality, integrity and availability of the organization while aiding adversaries in gathering intelligence, carrying out sabotage operations, and using subterfuge methods to achieve their nefarious objectives. As connected devices continue to proliferate and hybrid and remote workforces persist, insider threats will only continue to grow. The rapidly growing nature of insider threats presents a formidable challenge to people, processes and technology, and organizations must prioritize security measures to retain stakeholder confidence. It is essential for organizations to identify, evaluate, detect, and manage these insider threats in today’s threat landscape.
Python in Excel Creates a Potential New Vector for Attacks
Author: Max Kersten
With Microsoft implementing default defensive measures to block internet macros in Excel, macro usage by threat actors has seen an expected drop. Instead, they are exploring alternative attack vectors for their latest attacks, including lesser known or utilised ones such as OneNote documents. With the recent creation and release of Python in Excel, we expect this to be a potential new vector for cybercriminals. As both attackers and defenders continue to explore the functionality of Python in Excel, it is guaranteed that attacks will start to leverage this new technology as part of cyberattacks.
As the Python code is executed in containers on Azure, it can access local files with the help of Power Query. Now, Microsoft did keep security in mind with the creation and release of Python in Excel, and as such states there is no possible connection between Python code and Visual Basic for Applications (VBA) macros. Additionally, it provides very limited access to the local machine and the internet while only utilising a subset of the Anaconda Distribution for Python.
However, there is potential this could still be abused via a vulnerability and/or misconfiguration, if found by an actor. Microsoft’s limitations narrow the playing field, but don’t change the fact that there still is a field for threat actors to play on.
LOL Drivers Are Becoming a Game Changer
Author: Adithya Chandra
Many recent security incidents have shown that vulnerable drivers pose a significant threat. Signed vulnerable drivers are stealing the show, as they can be used for stealthy persistence and to disable security solutions in the very early stage of attack. In such attacks, malicious actors drop legitimate drivers signed with a valid certificate and capable of running with kernel privileges on the victims’ devices. Successful exploitation allows attackers to achieve kernel-level privilege escalation, which grants them the highest level of access and control over system resources on a target.
The ZeroMemoryEx Blackout project, the Terminator tool by Spyboy and the AuKill tool are some of the examples that recently hit the headlines for using the vulnerable driver technique to bypass security controls and execute malicious code. There are some features and initiatives to protect against this attack, such as the Vulnerable Driver Blocklist by Microsoft and the LOL Drivers project. However, it doesn’t change the fact that these attacks are easier to execute, with a lower cost, increased likelihood of successful infections, and greater accessibility of vulnerable drivers. For these reasons, we anticipate seeing more such vulnerable driver-based exploits, which have a wide impact, in 2024.
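A defender-side posture check for the mitigations named above, added here as an example and not part of the Trellix report: it reads the Microsoft Vulnerable Driver Blocklist setting, checks whether HVCI is running, and hashes the currently running kernel drivers so they can be compared against an operator-supplied list of known-vulnerable driver hashes. The hash list in the script is a constructed placeholder; populate it from a vetted source such as the LOL Drivers project feed.

```powershell
# Added example (not from the Trellix report): posture check for the Microsoft
# Vulnerable Driver Blocklist plus an inventory of running kernel drivers.
# Run in an elevated PowerShell session on Windows 10/11.

# 1. Is the Microsoft Vulnerable Driver Blocklist enforced?
#    VulnerableDriverBlocklistEnable under CI\Config is the documented switch.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
              -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) {
    Write-Host 'Vulnerable Driver Blocklist: enabled'
} else {
    Write-Warning 'Vulnerable Driver Blocklist: not explicitly enabled (value missing or 0)'
}

# 2. Is Hypervisor-protected Code Integrity (HVCI) running?
#    SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 2)) {
    Write-Host 'HVCI: running'
} else {
    Write-Warning 'HVCI: not running'
}

# 3. Inventory running kernel drivers: path, signer, SHA-256, and whether the
#    hash appears on the operator's list of known-vulnerable drivers.
#    $knownVulnerable is a CONSTRUCTED placeholder, not a real driver hash.
$knownVulnerable = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

$inventory = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName may carry a \??\ or \SystemRoot\ prefix; normalise to a file path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (Test-Path -LiteralPath $path) {
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SigStatus = $sig.Status
                SHA256    = $hash
                Flagged   = $knownVulnerable -contains $hash
            }
        }
    }

# A flagged driver with SigStatus 'Valid' is exactly the case described above:
# a legitimately signed driver that is nonetheless known to be vulnerable.
$inventory | Where-Object Flagged | Format-Table Name, Signer, SigStatus, SHA256 -AutoSize
$inventory | Export-Csv -Path "$env:TEMP\driver-inventory.csv" -NoTypeInformation
```

The exported CSV gives a baseline of loaded drivers that can be diffed over time; a newly appearing signed driver that is absent from the baseline is worth investigating even when it is not yet on any public blocklist.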