Over the past 12 months, ATS has analysed and codified over 1,900 emerging threats, encompassing more than 56,000 TTPs and IoCs. Our efforts in investigating over 780 potential threats and addressing over 117 significant threat incidents have been crucial in maintaining the security posture of our client base during this period. The operational efficiency achieved by the ATS team has led to an estimated average of 324 hours saved per month this year, demonstrating both proactivity and effectiveness.
- Emerging and Evolving Threats: Cyberattackers are increasingly exploiting vulnerabilities in widely-used technologies, such as Ivanti Connect Secure VPN and GlobalProtect VPN (CVE-2024-3400). Attackers are also evolving tactics, as evidenced by LockBit ransomware’s use of new encryptors and sophisticated phishing attacks by groups like TA4903 targeting the US government and small businesses.
- Targeted Campaigns and Nation-State Actors: Chinese state-sponsored hackers continue to target defense and government entities, using ScreenConnect and F5 bugs to gain unauthorised access. New advanced persistent threat (APT) groups like Actor240524 have emerged, focusing on healthcare and financial sectors. Additionally, the DEEP#GOSU and PHANTOM#SPIKE campaigns are increasingly aimed at high-value organisations for espionage.
- Cloud and Malware Techniques: Cybercriminals are exploiting cloud services for malware distribution, utilising Unicode tricks to deceive users and evade security filters. Meanwhile, new techniques like DLL sideloading are being employed to inject malicious code into legitimate software, making detection and mitigation harder.
- Advanced Backdoors and Malware: New threats like the SUBTLE-PAWS PowerShell backdoor in Ukraine and the EDRKillShifter malware are advancing in complexity. These tools disable security mechanisms like endpoint detection and response (EDR) and antivirus, giving attackers undetected access to networks.
- Disruptions and Vulnerabilities in Critical Infrastructure: Notable disruptions, such as the CrowdStrike outage, highlight the vulnerabilities in cloud-based security solutions. Additionally, vulnerabilities like the FortiJump bug and the SLOW#TEMPEST campaign (DLL path traversal vulnerability) underscore ongoing risks in critical infrastructure sectors, especially in telecommunications and defense.
Securonix Threat Research 2024
The year 2024 saw a diverse range of cyberattack campaigns and vulnerabilities, highlighting an ongoing evolution of attack techniques, threat actor sophistication, and the targeted sectors. Key trends included advanced phishing campaigns, PowerShell and VBScript-based malware, as well as the exploitation of vulnerabilities in widely used platforms. Threat groups employed obfuscation, social engineering, and novel tools to bypass detection and gain persistent access to compromised systems. For a summarised overview of the notable campaigns and tactics identified by Securonix Threat Research.
Notable events such as the LockBit ransomware resurgence, the Snowflake breach, and the CrowdStrike crash underscore the vulnerability of even well-established cybersecurity infrastructures. Additionally, the exploitation of critical vulnerabilities in widely used platforms like Ivanti Connect Secure, Palo Alto Networks PAN-OS, and VMware further emphasised the importance of timely patching and vulnerability management.
APT groups, particularly from North Korea and newly emerging actors like Actor240524, have intensified their operations, employing highly targeted spear-phishing, credential theft, and malware campaigns to steal sensitive information, disrupt organisations, and achieve geopolitical or financial objectives.
- Timely Patching and Vulnerability Management: Ensure that all critical systems and software, such as Ivanti Connect Secure, Palo Alto Networks PAN-OS, and VMware, are promptly patched to mitigate exploitation risks. Apply patches as soon as they are released and continuously monitor for new vulnerabilities.
- Multi-Factor Authentication (MFA): Enforce MFA across all systems, especially for remote access and high-value accounts, to significantly reduce the impact of stolen credentials, as seen in the Snowflake breach.
- Advanced Threat Detection Tools: Implement advanced endpoint detection and response (EDR) solutions that can identify and block sophisticated attacks like DLL sideloading, PowerShell-based malware, and obfuscated payloads. Regularly update and fine-tune these tools to keep pace with evolving attack techniques.
- Employee Training and Awareness: Regularly educate employees on the dangers of phishing, social engineering, and malicious attachments. Encourage vigilance when interacting with unsolicited emails or unfamiliar links, especially those disguised as official communications.
