Connect with us

Hi, what are you looking for?


Threat Intelligence

Threat Detection Report: Cloud Attacks Soar, Mac Threats and Malvertising Escalate

Red Canary’s 2024 Threat Detection Report is based on analysis of almost 60,000 threats across 216 petabytes of telemetry from over 1,000 customers’ endpoints.

2024 Threat Report

Cloud account attacks, increasing Mac malware, malvertising morphing from the distribution of adware to more dangerous malware, and more, are all discussed by Red Canary in its 2024 Threat Detection Report.

Released this week, the Report (PDF) is based on the analysis of almost 60,000 threats drawn from 216 petabytes of telemetry from more than 1,000 customers’ endpoints, identities, clouds, and SaaS applications throughout 2023.

The analysis tracks the most-used MITRE ATT&CK techniques used by adversaries through the year.  Notably, but perhaps unsurprisingly given the continuing migration to cloud first or hybrid infrastructures, cloud account attacks have increased dramatically. One indication is the steep increase in abuse of the email forwarding rule (T1114.003). Adversaries create email forwarding rules in compromised email accounts to collect sensitive information while hiding suspicious email activity from legitimate users.

This threat was detected in 6.2% of Red Canary’s customers and is ranked as the #4 threat of 2023 – an increase of almost 600% over 2022. Another cloud-centric attack technique detected was MITRE’s T1078.004 – detections increased 16x over the previous year. An important element of this growth of cloud attacks is the increasing use and abuse of web APIs.

Humans remain a primary threat vector – despite the growth in CVEs, humans and their identities remain the primary threat. The report calls out Scattered Spider as “exceptional at social engineering users, help desk or IT support technicians, and mobile service providers to gain access to identity management platforms by whatever means necessary.” 

{ Learn More at the Threat Detection & Incident Response Online Summit

It adds, “Organizations must harden identities with extensive security controls and have a comprehensive identity risk management plan that takes into account identity providers, IT support staff, and even mobile service carriers.”

The use of adversarial and defensive AI (specifically gen-AI) is growing, but so far, the defenders are prevailing. The report notes that while AI might increase the scale and sophistication of attacks, “they won’t require a fundamental reassessment of how we do security… We believe the benefits of AI will substantially outweigh the modest increases in risk from adversaries also using it.” 

Advertisement. Scroll to continue reading.

Threats to Mac devices are increasing, with greater stealer activity, reflective code loading and AppleScript abuse. Reflective code loading seeks to execute malware payloads in memory rather than from disk, thus avoiding detection and response from EDR tools. commercial antivirus (AV) products, and Apple’s own baked-in XProtect AV. The payloads are executed within the memory space of a host process (specifically Mach-O files) or through the compilation of a new host process to avoid Apple’s Hardened Runtime.

Malvertising is no longer just about adware, but is also used to deliver additional malware. The biggest standout threat detected in 2023 is the grouping known to Red Canary as Charcoal Stork. This threat only emerged in 2023, but by the end of the year it was the firm’s most detected, being found in almost 15% of all customers. It is malvertising, but spreads more than just adware.

Notably, it can lead to the delivery of ChromeLoader and SmashJacker (browser hijackers, with both appearing within Red Canary’s top ten most detected threats of 2023). ChromeLoader has already been implicated in the later delivery of ransomware, and it seems as if Charcoal Stork is successfully using malvertising to promote its role as an initial access broker for various nefarious malware.

Red Canary specializes in early detection and rapid response to attacks in progress. This skews its telemetry more heavily toward early stage threats rather than the later stage threats encountered by incident responders reacting to exfiltration and/or encryption detections.

An example can be found in its ransomware statistics. Since the firm is predicated on early detection, its success in detecting ransomware ‘precursors’ prevented any one ransomware group making it into the top twenty threats for 2023. This could, but does not, imply a lull in ransomware. 

Despite the lack of ransomware groups in the top twenty threats, half of Red Canary’s 2023 top twenty detected threats were ransomware precursors. The primary precursors are Impacket (#2), Mimikatz (3), SocGholish (#5), Qbot (#8), and Raspberry Robin (#9).

A screenshot of a computer screen

Description automatically generated

Red Canary also notes the increasing use of RaaS affiliates, and the extra layer of difficulty this brings to attribution. For example, while Mandiant attributed Veritas backup related intrusions to Alphv, its own analysis of one such intrusion provided similarities but insufficient confidence for a similar conclusion.

Related: Mac Malware ‘XCSSET’ Adapted for Devices With M1 Chips

Related: Ransomware, Malware-as-a-Service Dominate Threat Landscape

Related: ‘Raspberry Robin’ Windows Worm Abuses QNAP Devices

Related: Red Canary Raises $81 Million to Grow Security Operations Business

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...


The top five categories of Bad Bot attacks are fake account creation, account takeovers, scraping, account management, and in-product abuse.


Deepfakes, left unchecked, are set to become the cybercriminals’ next big weapon

Threat Intelligence

A new research report discusses the five most exploited vulnerabilities of 2022, and the five key risks that security teams should consider.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...