Bryley Partner Huntress Releases its 2024 Threat Report
Its main findings involve ransomware changes and the abuse of remote access software
Last year the FBI announced a major, international disruption to a ransomware-delivering botnet (botnets are networked, task-executing computers). While to be celebrated, from the new data it doesn’t look like ransomware criminals have given up – they have found other ways of stealing and causing havoc.
According to Huntress’ researchers ransomware continues to be a significant and growing threat that affects businesses of all sizes. Over the past year cybercriminals have ramped up their efforts to exfiltrate sensitive data so they can extort large sums of money. And in 2023 until now Huntress’ data scientists have seen a shift in adversarial tactics, with threat actors using trusted tools – like remote access software – to exploit vulnerabilities.
Leveraging data collected from millions of endpoints and user entities under Huntress’ protection, their security experts have analyzed emerging trends, attack patterns and tactics. These insights are compiled in Huntress’ comprehensive 2024 Cyber Threat Report (registration required).
The criminals scattered and doubled-down
Qakbot (pronounced like quack-bot) was written more than fifteen years ago to steal banking login credentials, but later was used as a delivery mechanism for other types of malware1. It’s this use as a delivery mechanism, or backdoor, for criminals that makes infection on a computer especially dangerous – it can install ransomware, keyloggers (to capture typed credentials), software to steal intellectual property and Remote Access Trojans that let a remote attacker see and do what they want on an infected machine.
In its report, Huntress finds that dismantling Qakbot created a power vacuum, and from August to September 2023, there were large increases in malware including DarkGate, Akira ransomware and Lockbit ransomware … followed by the reemergence of Qakbot.
Off-the-shelf remote management software abuse
Another notable trend, Huntress reports, is the weaponization of legitimate tools to hide in plain sight, particularly remote monitoring and management (RMM) tools. Using off-the-shelf versions of these tools attackers can accomplish their goals without having to develop new malware. This, therefore, lowers their bar of entry and [allows] them to blend in with the target’s environment. Many RMMs do not even require any authentication of the person downloading and using the software’s trial version; there’s an apparent missed opportunity on behalf of the software providers to help thwart would-be attackers by locking down random trials.
The US Cybersecurity and Infrastructure Security Administration (CISA) has a public bulletin with real-life examples of this type of legitimate software abuse. CISA gives example that came via phone and email with each directing users to a malware-laden website. The recipient visiting the first-stage malicious domain triggers the download of an executable. The executable then connects to a “second-stage” malicious domain, from which it downloads additional RMM software.2
Where do we go from here?
Huntress explains that over its ten year history it has seen that its dataset – derived from protecting small- to medium-sized businesses – is predictive of emerging criminal trends. Businesses that fall below the line of large enterprises serve as a testbed for attackers to try out new techniques and tactics, as well as establish initial footholds.
This means a layered security approach is important for small- to medium-sized businesses. Layering means that you have the tools in place like anti-malware, XDR and machine-learning-enabled email protection and also a continual, drip-drip program of Security Awareness Training, so your first line of defense, your people, is as strong as you can have it.
Bryley is available to advise regarding your organization’s cyber-defenses – since 1987 Bryley has helped organizations build networks and manage threats. To speak to Roy Pacitto, please complete the form, below, call 978.562.6077 x217 or email RPacitto@Bryley.com or schedule a 15-minute call via Roy’s Calendly.
1 https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/qakbot-malware/
2 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
Lawrence writes about networking and security. He’s written for Bryley since 2015.