Cybersecurity threat landscape: Emerging threats and mitigating risks in 2024 


The cybersecurity threat landscape is constantly evolving as new threat actors, technologies and threats emerge, creating an uncertain world for organisations and the public alike, in which even opening an email carries potential pitfalls. Cybersecurity professionals must stay vigilant and ahead of the rapidly evolving schemes, threats and strategies of cybercriminals, who are leveraging open source technologies and becoming increasingly sophisticated.

A broad overview of the threat landscape 

Based on the findings of the Kaspersky Incident Response Analyst Report 2023, 75% of cyberattack attempts exploited Microsoft Office. In terms of initial access vectors, 42.3% of successful intrusions exploited publicly available applications, 20.3% used compromised accounts, and just 8.5% relied on brute-forcing credentials.

As for how those intrusions unfolded, most began with attackers using stolen or purchased credentials to log in over Remote Desktop Protocol (RDP), with phishing emails carrying malicious attachments and links, and malicious files hosted on public resources while imitating document templates, making up most of the rest. As a silver lining, attack attempts dropped by 36% in Q1 2023 compared to the same period in 2022.

In the aftermath of a successful attack, 33.3% of organisations had their data encrypted, 21.1% suffered data theft and 12.2% had their Active Directory compromised.

Based on a prior Kaspersky survey conducted in 2022, the biggest looming cyberthreat risks are ransomware (66%) and data theft (also 66%), followed closely by cybersabotage (62%), supply chain attacks (60%) and DDoS attacks (also 60%), cyberespionage (59%), advanced persistent threats (APTs) (57%) and cryptomining (56%). For 2024, the currently trending cyberthreats are primarily supply chain attacks (6.8%) and targeted phishing attempts (5.1%), which remain a clear and present threat for businesses.

Based on the same 2023 statistics, the most targeted sectors were government (27.9%), manufacturing (17%), financial institutions (12.2%) and IT companies (8.8%). In terms of targeted regions, Asia and the CIS saw the most cybersecurity incidents at 47.3%, followed by the Americas (21.8%), the Middle East (10.9%) and Europe (9.1%). “Governments were the most prolific target by threat actors, followed distantly by manufacturing and financial institutions, with the largest cyberthreat risk being ransomware and cybersabotage,” said Igor Kuznetsov, Director, Global Research & Analysis Team (GReAT) at Kaspersky.

Based on telemetry from Kaspersky security solutions deployed by its clients, over 220,000 businesses were protected around the world, with 6.1 billion attacks prevented and 437 million internet-borne threats detected and stopped. In addition, over 325,000 users were saved from financial loss after banking trojans were detected and thwarted.

Kaspersky security services detected over 411,000 unique malware samples daily in 2024, up from 403,000 daily in 2023; over 99% of those detections were made by automated systems. 2023 also saw 106 million unique malicious URLs detected, and 200 advanced persistent threat (APT) groups are currently active.

Ransomware as a service (RaaS) coming to the fore 

The prevailing trend is that cybercrime is run as a business, with the majority of detected cybersecurity incidents (71%) being financially motivated. There was a marked rise in ransomware incidents, with the percentage of users affected by targeted ransomware almost doubling between 2021 and 2022. This is borne out by a survey in which 68% of business owners said they believe IT security risks keep rising.

“There are three popular myths in regards to ransomware,” said Igor, “the first being that cybercriminals are just criminals with an IT education, that the targets of ransomware are set before an attack, and that ransomware gangs are acting alone.” Contrary to popular opinion, most cyber incidents are opportunistic attacks, and many ransomware gangs actually work with affiliates much like a business, offering ransomware as a service (RaaS).

RaaS operates as a sophisticated process, initially involving a ransomware developer and a packer developer to create the malware itself, which is then marketed to other cybercriminals. Various specialised threat actors contribute to the ransomware ecosystem:

  1. Access resellers offer entry to protected systems as a service, often selling their wares on specialised underground marketplaces.
  2. Rogue analysts identify the true value of targets and make strategic suggestions to professional negotiators. Once a malware payload has been delivered, these specialised negotiators come into play to ensure the ransom is paid, using their social engineering skills. After payment, they facilitate the laundering of funds before the cycle repeats.
  3. State-sponsored Advanced Persistent Threat (APT) actors may exploit cybercriminals as convenient entry points into targets of interest, using these connections to conduct espionage or inflict damage on victims.

In some cases, these operations may include infiltration tactics (similar to red team exercises) to deploy ransomware effectively. This collaborative approach allows cybercriminals to pool their expertise, making ransomware attacks more sophisticated and challenging to defend against, while also ensuring the entire process from initial breach to fund laundering is handled by specialists at each stage.

To optimise their chances of success, cybercriminals can now afford to purchase 0-day exploits from other criminals, a luxury previously accessible only to state-sponsored actors but which is now available to the highest bidder. Cross-platform cryptors are also becoming more creative and adaptive, adding self-defence mechanisms so that the packed malware is harder to decrypt and analyse.

Each of these specialised cybercriminals plays their part: once a payload has been delivered, the professional negotiators step in to get the ransom paid and the funds laundered, and the cycle then repeats.

“Ultimately, affected organisations must not pay a ransom, which will perpetuate and enable more cybercrime,” said Igor. He warned that even if a ransom is paid, the data may have already been stolen and could be leaked later or used for further extortion attempts. Instead, Igor highlighted alternative solutions: “Victims can often recover their data without paying. Kaspersky maintains a vault of keys and tools to decrypt data locked by various ransomware families. Since 2018, over 1.5 million users worldwide have successfully recovered their data using these resources.”

Operation Triangulation

One of the biggest threats discovered by Kaspersky was Operation Triangulation, which targeted iOS devices with previously unknown malware. The attack exploited a hardware vulnerability inside Apple CPUs and chained four 0-day vulnerabilities to infect a target device, an exploit chain that would cost more than US$1 million to obtain on the black market.

A targeted iOS device receives an invisible iMessage with a malicious attachment; the exploit is zero-click, so code execution starts from the message itself without any user interaction. Once running, the code connects to a command-and-control service and begins a multi-stage execution of the malware payload. When this is complete, the attacker has full control over the compromised iOS device, and all traces and logs are wiped to eliminate evidence of the attack.

These vulnerabilities have already been patched by Apple, but to reduce exposure to similar attacks in future, iOS users should update their devices promptly, reboot them regularly (the implant did not survive a reboot) and disable iMessage to close it off as a malware delivery pathway.

Containerised systems – Implementing rules to mitigate risk 

Supply chain attacks, closely tied to containerised systems running on open-source software, present another significant threat vector for 2024. Containers let services run in isolation from the host operating system, so the same workload can execute in diverse environments. Containerisation yields lightweight, efficient applications that can run on a wide range of hosts and in clusters, handling demanding workloads at scale. This versatility underpins many modern applications and systems, including open-source orchestration platforms like Kubernetes.

“Containerised systems often rely on numerous third-party dependencies, introducing significant supply chain risks from both malicious intent and unintentional flaws,” explains Igor. He cites two recent examples: “The CrowdStrike event caused an outage on millions of devices, demonstrating how a faulty update can have widespread impact. Additionally, a less publicised attack on XZ Linux utilities could have compromised millions of SSH-enabled devices, highlighting the potential for malicious exploitation in the supply chain.”

At present, hundreds of millions of open source packages are accessible to developers on popular sites like GitHub, which has over 100 million developers. On average, 670 malicious open source packages are discovered every month, and to date over 12,000 vulnerable open source packages have been identified.

Proper security policies need to be enacted for containerised systems, covering every layer of the stack:

  • Images: scrutinise them closely to ensure they contain no vulnerable or untrusted content.
  • Image registry: ensure it does not hold outdated images or carry misconfigured settings.
  • Orchestrator: enforce robust access control and network policies, free of configuration and authentication errors.
  • Containers: run them with safe configurations.
  • Host OS: manage the shared kernel responsibly and minimise the potential attack surface.
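To make the container-level and image-level rules above concrete, here is an added example (not code from the article or from Kaspersky) that audits a Kubernetes Pod manifest against a minimal hardening policy: the image must be pinned by digest rather than a mutable tag, the container must not be privileged or share host namespaces, privilege escalation must be disabled, the root filesystem read-only, all capabilities dropped, a seccomp profile set, and the service account token not auto-mounted. The two manifests are constructed samples; the registry name is hypothetical. The weak pod is the kind of "works on my cluster" configuration the policy is meant to catch, and the hardened pod is the same workload with the settings corrected.

```python
"""Audit a Kubernetes Pod manifest against a minimal hardening policy.

Added example; not from the original article. The manifests below are
constructed samples and the registry hostname is a placeholder.
"""
import json
import re

# Weak configuration: mutable image tag, privileged, shares host PID namespace.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "billing-api"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "api",
            "image": "registry.example.com/billing-api:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Same workload with the settings the policy requires.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "billing-api"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "api",
            # Pinned by content digest, so the registry cannot silently swap it.
            "image": "registry.example.com/billing-api@sha256:" + "a" * 64,
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# An image reference pinned by digest ends in "@sha256:<64 hex chars>".
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def audit_pod(pod: dict) -> list[str]:
    """Return a list of policy findings; an empty list means the pod passes."""
    findings: list[str] = []
    spec = pod.get("spec", {})

    # Pod-level checks: host namespaces, hostPath mounts, service account token.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is enabled (shares a host namespace)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod: volume '{vol.get('name')}' mounts a hostPath")
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: service account token is auto-mounted")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        image = c.get("image", "")
        if not DIGEST_RE.search(image):
            findings.append(f"{name}: image '{image}' is not pinned by digest")
        # Container securityContext fields override pod-level ones.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(f"{name}: runs privileged")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot is not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: does not drop ALL capabilities")
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile set")
    return findings


def audit_manifest(text: str) -> list[str]:
    """Audit a JSON manifest, e.g. the output of `kubectl get pod NAME -o json`."""
    return audit_pod(json.loads(text))


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} finding(s)")
        for line in audit_pod(pod):
            print("  -", line)
```

The merge of pod-level and container-level `securityContext` mirrors how Kubernetes resolves them (container settings win), so a `runAsNonRoot` set once on the pod satisfies the check for every container. In practice the same rules are better enforced at admission time, for example with the built-in Pod Security Admission `restricted` profile, but running a script like this over `kubectl get pod -o json` output is a quick way to find existing workloads that predate such a policy.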

More robust rules for containerised systems need to be implemented, and a system such as Kaspersky Container Security, which protects at multiple levels, needs to be integrated alongside a comprehensive security policy.

Best cybersecurity practices for 2024 

To avoid falling victim to a targeted attack by a known or unknown threat actor, organisations need to create and maintain a mature security posture through a combination of effective strategy, proper employee education on cybersecurity, up-to-date threat intelligence from trusted cybersecurity providers and the proper application of technology. While no system is infallible or invulnerable, Kaspersky researchers recommend implementing the following security measures to maximise protection:

  • Update your operating system, applications and antivirus software regularly to patch known vulnerabilities.
  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company's TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
  • For endpoint-level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • Investigate alerts and threats identified by security controls with Kaspersky's Incident Response and Digital Forensics services to gain deeper insights.
