“2024 H1: Trends in Malware and Vulnerabilities Report”

Short Summary

The “H1 2024 Malware and Vulnerability Trends Report” highlights the evolving tactics of threat actors, particularly in exploiting zero-day vulnerabilities and the rise of infostealer malware. Key trends include a significant increase in Magecart attacks and the evolution of ransomware tactics, emphasizing the need for organizations to strengthen their cybersecurity measures.

Key Points

  • Zero-day Vulnerabilities: Attackers exploited vulnerabilities in remote access software despite available patches.
  • Infostealer Malware: Infostealers like LummaC2 became prevalent, targeting sensitive personal information.
  • Ransomware Evolution: Ransomware groups adopted new tactics, including password validation to evade detection.
  • Magecart Attacks: A 103% increase in Magecart attacks targeting e-commerce platforms was observed.
  • Protection Strategies: Organizations are encouraged to improve patch management, implement advanced detection systems, educate employees, and strengthen e-commerce security.

MITRE ATT&CK TTPs – created by AI

  • Credential Dumping (T1003)
    • Procedure: Infostealers harvest credentials and sensitive information for financial gain.
  • Exploitation of Remote Services (T1210)
    • Procedure: Attackers exploit vulnerabilities in remote access software like Ivanti Secure Connect and PAN-OS.
  • Data Encrypted for Impact (T1486)
    • Procedure: Ransomware groups encrypt data to demand ransom, using techniques to hinder analysis.
  • Web Shell (T1100)
    • Procedure: Magecart attacks inject malicious code into e-commerce sites to steal customer data.


Summary:

The "H1 2024 Malware and Vulnerability Trends Report" shares how threat actors refined their tactics and exploited zero-day vulnerabilities, leaving organizations increasingly vulnerable. Key trends include the rise of infostealer malware, which dominated the threat landscape, and a significant 103% surge in Magecart attacks targeting e-commerce platforms. Ransomware groups have also evolved, adopting new techniques such as requiring a password to validate payload execution, which prevents analysis of the sample without it. The exploitation of widely used remote access software like Ivanti Secure Connect, PAN-OS, and Microsoft SmartScreen was a focal point for cybercriminals and state-sponsored actors.

The first half of 2024 witnessed an escalation in sophisticated cyberattacks, with threat actors sharpening their techniques to exploit newly disclosed vulnerabilities, evade detection, and cause greater damage. In this report, we delve into the key trends shaping the cybersecurity landscape and what organizations can do to protect themselves.

Zero-day Vulnerabilities

Zero-day vulnerabilities, particularly those affecting remote access and security solutions, became prime targets for cybercriminals and state-sponsored groups. Despite the availability of patches, attackers continued exploiting these vulnerabilities, which later became known as n-days. The ease of exploitation, combined with proof-of-concept (PoC) exploit code circulating online, made these vulnerabilities attractive to less-sophisticated hackers. The top vulnerabilities exploited in H1 2024 included flaws in Ivanti Secure Connect, PAN-OS, and Microsoft Windows SmartScreen.

Infostealers Dominate the Malware Landscape

Infostealers dominated the malware landscape as the most prevalent malware category in the first half of 2024. LummaC2, a stealthy malware designed to harvest sensitive information, became the most active, replacing other well-known infostealers like RedLine. These types of malware steal personal information, such as credit card details and login credentials, which are then sold on underground forums. The financial motivation behind these attacks has driven an increase in infostealer activity, posing a severe risk to businesses and individuals alike.

Ransomware Groups Evolve Their Tactics

Ransomware continued to be a significant threat, with groups like Fog, RansomHub, and 3AM adopting tactics to hinder analysis and evade detection. Notably, these ransomware operators began using passwords to validate the execution of their payloads, a technique that prevents security tools from automatically analyzing the malicious code. Additionally, we saw ransomware paired with malware loaders like GuLoader and Remcos, creating attack chains that were more difficult to detect and block.

Magecart Attacks Surge

Magecart, a form of cyberattack that targets e-commerce platforms by injecting malicious code to steal customer data, saw a staggering 103% increase in H1 2024. This surge was likely driven by vulnerabilities in widely used platforms like Adobe Commerce and by the appearance of new e-skimming tools, such as "Sniffer by Fleras." As online retail continues to grow, these attacks present a significant risk to businesses and their customers, highlighting the need for stronger security measures on e-commerce sites.

How to Protect Your Organization

To mitigate the risks posed by these evolving threats, organizations must adopt a layered defense strategy that includes proactive monitoring, patch management, and employee education. Here are key steps to take:

  1. Improve Patch Management: Ensure that vulnerabilities, especially in remote access software, are patched promptly. Automating patch management can help reduce the window of opportunity for attackers.
  2. Implement Heuristic and Behavior-Based Detection: Deploy advanced threat detection systems that can identify suspicious behaviors, such as process hollowing or the use of less-common programming languages, like Lua or Nim.
  3. Educate Employees: Social engineering remains a key entry point for malware. Continuous education on phishing tactics and malware distribution methods is critical to reducing human error.
  4. Strengthen E-commerce Security: Businesses that rely on e-commerce must prioritize security by regularly auditing third-party integrations, implementing strict content security policies (CSPs), and conducting frequent vulnerability scans.
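Step 4 calls for strict content security policies on e-commerce sites. The script below is an added example, not part of the report, showing what "strict" means for a checkout page: it parses a Content-Security-Policy header the way a browser does (first directive wins, fetch directives fall back to default-src, form-action does not) and flags the weaknesses that would let an injected skimmer both run and send captured card data out. The two policies and all host names (payment-provider.example) are constructed placeholders; the nonce value is a stand-in for a per-response random token.

```python
"""Audit a Content-Security-Policy header for the weaknesses that matter against
client-side skimming on a checkout page.

Added example, not from the report. Policies and hosts below are constructed.
"""
from __future__ import annotations

# Constructed: a permissive policy that is present but offers no real protection.
WEAK_CSP = (
    "default-src * 'unsafe-inline' 'unsafe-eval'; "
    "script-src * 'unsafe-inline'; "
    "img-src * data:"
)

# Constructed: a hardened policy for the same page. Script origins are
# enumerated, inline scripts need a nonce, and connect-src/img-src/form-action
# limit where a script could send form data. 'nonce-r4nd0m' is a placeholder
# for a value generated freshly for every response.
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0m' https://js.payment-provider.example; "
    "connect-src 'self' https://api.payment-provider.example; "
    "form-action 'self' https://checkout.payment-provider.example; "
    "img-src 'self' data:; "
    "object-src 'none'; "
    "base-uri 'none'; "
    "frame-ancestors 'none'"
)

# Directives that control the two things a skimmer needs: a way to execute
# (script-src, object-src) and a way to exfiltrate (connect-src, img-src,
# form-action).
CHECKED_DIRECTIVES = ("script-src", "connect-src", "img-src", "form-action", "object-src")

# Directives that do NOT inherit from default-src when absent.
NO_FALLBACK = {"form-action", "base-uri", "frame-ancestors"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source tokens]}.

    Browsers ignore a repeated directive, so the first occurrence wins here too.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in policy:
            policy[name] = sources
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources governing `directive`, applying default-src fallback as browsers do.

    Returns None when nothing constrains the directive (i.e. it is unrestricted).
    """
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def audit_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means no weakness detected."""
    findings: list[str] = []
    policy = parse_csp(header)
    for directive in CHECKED_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: not set (unrestricted)")
            continue
        # '*' or a bare scheme such as 'https:' allows any host, including an
        # attacker-controlled one.
        if any(s in ("*", "https:", "http:") for s in sources):
            findings.append(f"{directive}: wildcard source allows any host")
        if directive == "script-src":
            has_nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
            )
            # With a nonce or hash present, CSP-2 browsers ignore 'unsafe-inline'.
            if "'unsafe-inline'" in sources and not has_nonce_or_hash:
                findings.append("script-src: 'unsafe-inline' without nonce/hash allows injected inline scripts")
            if "'unsafe-eval'" in sources:
                findings.append("script-src: 'unsafe-eval' allows string-to-code execution")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"[{label}]")
        for finding in audit_csp(header) or ["no findings"]:
            print("  -", finding)
```

Run against the weak policy the audit reports six findings (wildcard script, image and object sources inherited from `default-src *`, inline scripts without a nonce, an unrestricted `connect-src`, and no `form-action`), while the hardened policy produces none. The checker is deliberately conservative: it reasons only about what the header permits, not about whether the allow-listed third-party origins themselves are trustworthy, which is what the third-party integration audits in step 4 are for.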

Looking Ahead: What to Expect for the Rest of 2024

The remainder of 2024 will likely see an increase in the exploitation of newly discovered vulnerabilities in widely used enterprise software. Remote access tools and next-generation firewalls are expected to remain key targets due to their widespread use. Additionally, the trend of infostealers dominating the malware landscape will continue as demand for stolen credentials on underground markets persists. Magecart attacks are also expected to remain a serious threat, with attackers continuing to experiment with new e-skimming techniques.


Source: Original Post