Threat Intelligence

Threat Detection Report: Cloud Attacks Soar, Mac Threats and Malvertising Escalate

Red Canary’s 2024 Threat Detection Report is based on analysis of almost 60,000 threats across 216 petabytes of telemetry from over 1,000 customers’ endpoints.

Cloud account attacks, increasing Mac malware, malvertising morphing from the distribution of adware to more dangerous malware, and more, are all discussed by Red Canary in its 2024 Threat Detection Report.

Released this week, the Report (PDF) is based on the analysis of almost 60,000 threats drawn from 216 petabytes of telemetry from more than 1,000 customers’ endpoints, identities, clouds, and SaaS applications throughout 2023.

The analysis tracks the MITRE ATT&CK techniques most used by adversaries through the year. Notably, but perhaps unsurprisingly given the continuing migration to cloud-first or hybrid infrastructures, cloud account attacks have increased dramatically. One indication is the steep increase in abuse of email forwarding rules (ATT&CK T1114.003). Adversaries create forwarding rules in compromised email accounts to collect sensitive information while hiding the resulting email activity from the legitimate user.

This technique was detected in 6.2% of Red Canary’s customers and is ranked as the #4 threat of 2023, an increase of almost 600% over 2022. Another cloud-centric technique, T1078.004 (Valid Accounts: Cloud Accounts), saw detections increase 16x over the previous year. An important element of this growth in cloud attacks is the increasing use and abuse of web APIs.
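The forwarding-rule abuse described above is usually first visible in the mail platform's admin audit log, where the rule-creating cmdlet and its parameters are recorded. The following is an added example, not Red Canary's detection logic and not code from the report: it scans constructed records shaped like Microsoft 365 Unified Audit Log AuditData entries (the Workload, Operation, UserId, ObjectId and Parameters fields exist in real exports, but the sample records, the INTERNAL_DOMAINS set and the severity scoring are assumptions made here) and flags rules that forward mail outside the tenant, escalating when the rule also deletes or marks-as-read the forwarded message, which is what hides the activity from the mailbox owner.

```python
"""Flag mailbox forwarding rules that send mail outside the tenant
(ATT&CK T1114.003) in Microsoft 365 Unified Audit Log style records.

Added example; not Red Canary's detection logic. Sample records are
constructed, and INTERNAL_DOMAINS and the severity rules are assumptions.
"""
import json

# Domains this tenant owns; anything else is treated as external (assumption).
INTERNAL_DOMAINS = {"example.com"}

# Exchange Online cmdlets that create or modify forwarding.
FORWARDING_CMDLETS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters that carry a forwarding target.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters commonly set alongside forwarding to hide it from the mailbox owner.
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}


def external_recipients(value):
    """Split a forwarding parameter value into addresses outside INTERNAL_DOMAINS.

    Exchange renders recipients as 'smtp:user@domain' and may join several
    with ';'; display-name forms like 'Bob <bob@x>' are handled by taking the
    text after '<' and stripping the trailing '>'.
    """
    found = []
    for token in value.replace(";", ",").split(","):
        addr = token.strip().strip('"')
        if addr.lower().startswith("smtp:"):
            addr = addr[5:]
        if "@" not in addr:
            continue
        addr = addr.split("<")[-1].rstrip(">").strip()
        domain = addr.rsplit("@", 1)[1].lower()
        if domain not in INTERNAL_DOMAINS:
            found.append(addr)
    return found


def analyze_record(rec):
    """Return a finding dict for one audit record, or None if it is not in scope."""
    if rec.get("Workload") != "Exchange" or rec.get("Operation") not in FORWARDING_CMDLETS:
        return None
    params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
    externals = []
    for name in sorted(FORWARDING_PARAMS & set(params)):
        externals.extend(external_recipients(params[name]))
    if not externals:
        return None  # forwarding stays inside the tenant: not this detection's concern
    hiding = [n for n in sorted(HIDING_PARAMS & set(params))
              if params[n].lower() not in ("", "false")]
    return {
        "time": rec.get("CreationTime"),
        "actor": rec.get("UserId"),
        "mailbox": rec.get("ObjectId"),
        "operation": rec["Operation"],
        "external_recipients": externals,
        "hiding": hiding,
        # External forwarding plus delete/mark-as-read is the classic BEC pattern.
        "severity": "high" if hiding else "medium",
    }


def scan(lines):
    """Run analyze_record over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = analyze_record(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry), shaped like AuditData entries.
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2023-09-14T06:12:41", "Workload": "Exchange",
                "Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ObjectId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                               {"Name": "ForwardTo", "Value": "smtp:drop@mail-relay.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2023-09-14T08:03:10", "Workload": "Exchange",
                "Operation": "New-InboxRule", "UserId": "bob@example.com",
                "ObjectId": "bob@example.com",
                "Parameters": [{"Name": "Name", "Value": "Team alerts"},
                               {"Name": "ForwardTo", "Value": "smtp:team@example.com"}]}),
    json.dumps({"CreationTime": "2023-09-14T09:47:55", "Workload": "Exchange",
                "Operation": "Set-Mailbox", "UserId": "alice@example.com",
                "ObjectId": "alice@example.com",
                "Parameters": [{"Name": "Identity", "Value": "alice@example.com"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:alice.home@webmail.example"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2023-09-14T09:50:02", "Workload": "AzureActiveDirectory",
                "Operation": "UserLoggedIn", "UserId": "alice@example.com"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LINES):
        hide = f" (hiding: {', '.join(f['hiding'])})" if f["hiding"] else ""
        print(f"[{f['severity'].upper()}] {f['time']} {f['actor']} {f['operation']} "
              f"-> {', '.join(f['external_recipients'])}{hide}")
```

Two of the four constructed records trigger: the inbox rule that forwards invoice-related mail externally and deletes it (high), and the mailbox-level SMTP forward to a personal address (medium). The internal team rule and the sign-in event are ignored. In production, the list of internal domains should come from the tenant's accepted domains, and mailbox-level forwarding set via Set-Mailbox is worth alerting on even without a hiding parameter, since the owner never sees it in their rules list.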

Humans remain the primary threat vector. Despite the growth in CVEs, people and their identities, rather than software flaws, remain the primary target. The report calls out Scattered Spider as “exceptional at social engineering users, help desk or IT support technicians, and mobile service providers to gain access to identity management platforms by whatever means necessary.”

It adds, “Organizations must harden identities with extensive security controls and have a comprehensive identity risk management plan that takes into account identity providers, IT support staff, and even mobile service carriers.”

The use of adversarial and defensive AI (specifically gen-AI) is growing, but so far, the defenders are prevailing. The report notes that while AI might increase the scale and sophistication of attacks, “they won’t require a fundamental reassessment of how we do security… We believe the benefits of AI will substantially outweigh the modest increases in risk from adversaries also using it.” 

Threats to Mac devices are increasing, with greater stealer activity, reflective code loading and AppleScript abuse. Reflective code loading executes malware payloads in memory rather than from disk, thus avoiding detection and response from EDR tools, commercial antivirus (AV) products, and Apple’s own built-in XProtect. The payloads (typically Mach-O binaries) are executed within the memory space of an existing host process, or a new host process is compiled at runtime to avoid the restrictions of Apple’s Hardened Runtime.

Malvertising is no longer just about adware, but is also used to deliver additional malware. The biggest standout threat detected in 2023 is the grouping known to Red Canary as Charcoal Stork. This threat only emerged in 2023, but by the end of the year it was the firm’s most detected, being found in almost 15% of all customers. It is malvertising, but spreads more than just adware.

Notably, it can lead to the delivery of ChromeLoader and SmashJacker (browser hijackers, with both appearing within Red Canary’s top ten most detected threats of 2023). ChromeLoader has already been implicated in the later delivery of ransomware, and it seems as if Charcoal Stork is successfully using malvertising to promote its role as an initial access broker for various nefarious malware.

Red Canary specializes in early detection and rapid response to attacks in progress. This skews its telemetry more heavily toward early stage threats rather than the later stage threats encountered by incident responders reacting to exfiltration and/or encryption detections.

An example can be found in its ransomware statistics. Since the firm is predicated on early detection, its success in detecting ransomware ‘precursors’ prevented any single ransomware group from making it into the top twenty threats for 2023. This could be mistaken for a lull in ransomware, but it is not one.

Despite the lack of ransomware groups in the top twenty threats, half of Red Canary’s 2023 top twenty detected threats were ransomware precursors. The primary precursors are Impacket (#2), Mimikatz (#3), SocGholish (#5), Qbot (#8), and Raspberry Robin (#9).

Red Canary also notes the increasing use of RaaS affiliates, and the extra layer of difficulty this brings to attribution. For example, while Mandiant attributed Veritas Backup-related intrusions to Alphv, Red Canary’s own analysis of one such intrusion found similarities but insufficient confidence to reach the same conclusion.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.