Secureworks has unveiled its 2024 State of the Threat Report, revealing a concerning 30% increase in active ransomware groups compared to the previous year. In total, 31 new groups have emerged in the ransomware landscape over the last 12 months, diverging from a previously limited number of dominant players. The report examines various aspects of the cybersecurity environment from June 2023 through July 2024, highlighting the shift towards a diverse set of ransomware tactics that businesses must now contend with.
Cybersecurity experts note that the growing number of ransomware groups has made their operations less consistent. Organisations now face a wider variety of tactics as these smaller groups establish themselves. This year's median dwell time—the period that attackers remain within a compromised network—was recorded at 28 hours. The wide variation around that median is largely attributed to how differently these new groups and their affiliates operate: some execute rapid "smash-and-grab" attacks completed within hours, while others persist in networks for hundreds of days.
A focus of the report is the rise of adversary-in-the-middle (AiTM) phishing attacks, which lead to account takeover. These techniques involve criminals stealing credentials and session cookies, which undermines the effectiveness of Multi-Factor Authentication (MFA) measures. Such attacks have been facilitated by automated phishing kits sold on underground marketplaces and Telegram channels, with popular examples including Evilginx2, EvilProxy, and Tycoon2FA.
The report further elaborates on the growing threat associated with artificial intelligence. Since mid-February 2023, Secureworks CTU researchers have observed an uptick in discussions on underground forums regarding the use of AI tools such as OpenAI's ChatGPT for cybercriminal activities. The conversations tend to revolve around low-level operations, including phishing schemes and basic script creation aimed at simplifying the execution of attacks.
Additionally, the report provides an overview of state-sponsored cyber activities involving several nations, notably China, Russia, Iran, and North Korea. A significant mention is made of threats from Hamas, which increased notably in the wake of the Israel-Hamas war that erupted in October 2023.
Chinese cyber activities have persisted in alignment with previous trends, primarily targeting sectors that support the high-level goals outlined in the Chinese Communist Party's Five Year Plan. In October 2023, a coalition of security agencies from the U.S., U.K., Australia, Canada, and New Zealand issued a warning about the extensive scale of Chinese espionage. These state-sponsored efforts face legal scrutiny, exemplified by a March 2024 indictment of seven individuals connected to the BRONZE VINEWOOD threat group, detailing over a decade of intrusions connected to their operations. The UK government has also pointed to China as behind malicious acts against the UK Electoral Commission in 2021 and 2022.
In the case of Iran, the report outlines a cyber strategy highly influenced by the nation’s political objectives, primarily focusing on adversaries such as Israel and certain Gulf states. Alongside this, Iranian cyber operators have frequently leveraged fake hacktivist identities to obfuscate their real motives while conducting these operations.
North Korean cyber activity remains oriented towards financial gains, particularly through cryptocurrency theft and fraudulent employment tactics. This year, the country has placed increased emphasis on targeting sectors within the U.S., South Korea, and Japan, coinciding with a burgeoning collaboration with Russia and Iran under the geopolitical tensions stemming from international sanctions.
The report identifies three threat groups affiliated with Hamas—ALUMINUM SHADYSIDE, ALUMINUM SARATOGA, and ALUMINUM THORN—as cyber activity surged following the Israel-Hamas conflict. Although much of this activity is attributed to hacktivist personas that appear Palestinian in origin, there is a suggestion that these could be linked more closely to Iranian or Russian operatives.
Lastly, Russian state-sponsored cyber operations remain heavily influenced by the ongoing conflict in Ukraine. Elements associated with various Russian intelligence agencies have consistently engaged in actions that focus on critical infrastructure within Ukraine. One noted instance involves cyber espionage operations by the group IRON VIKING targeting battlefield control systems deployed by Ukrainian defence forces.
As the cybersecurity landscape continues to evolve, organisations are advised to remain vigilant, adapting to the rapid changes and emerging threats posed by both diverse ransomware groups and state-sponsored cyber campaigns.
Source: Noah Wire Services