Secureworks annual State of the Threat Report outlines cybercriminals' response as law enforcement operations successfully cause widespread disruption to ransomware operations
ATLANTA, Oct. 8, 2024 /PRNewswire/ --
Secureworks® (NASDAQ: SCWX) 2024 State of the Threat Report has revealed a 30% year-over-year rise in active ransomware groups, which demonstrates fragmentation of an established criminal ecosystem. 31 new groups entered the ransomware ecosystem during the last 12 months, and based on the number of victims listed, the three most active groups are:
- LockBit: The long-established 'top dog' of ransomware groups accounted for 17% of listings, down 8% from last year, further showing how the takedown has impacted its operations.
- PLAY: The second most active group, PLAY doubled its victim count year-over-year.
- RansomHub: A new group that emerged only a week after the LockBit takedown is already the third most active group, with 7% of the share of victims listed.
A landscape previously dominated by a few is now home to a broader set of emerging ransomware players. As smaller groups look to become established, there is less repeatability and structure in how they operate, and organizations need to remain alert to a wider variety of tactics. This year's median dwell time of 28 hours reflects the newness of these partnerships. While some clusters of groups execute fast 'smash-and-grab' attacks within hours, others spend hundreds of days in networks in the most extreme cases. As the new ecosystem continues to take shape, we can expect further variation and shifts in dwell times and methodology.
The annual State of the Threat Report examines the cybersecurity landscape from June 2023 to July 2024. Additional key findings include:
- Law enforcement activity targeting GOLD MYSTIC (LockBit) and GOLD BLAZER (BlackCat/ALPHV) caused significant disruption to the status quo of the ransomware operating landscape.
- The number of active ransomware groups using "name and shame" leak sites grew 30% year-over-year.
- Despite this growth in ransomware groups, victim numbers did not rise at the same pace, showing a significantly more fragmented landscape and posing the question of how successful these new groups might be.
- Scan-and-exploit and stolen credentials remain the two largest initial access vectors (IAV) observed in ransomware engagements, based on our observations.
- An observed increase in adversary-in-the-middle (AiTM) attacks is a notable and concerning trend for cyber defenders.
- AI is growing in use and in variation among cybercriminals, expanding the scale and credibility of existing scams like CEO fraud or "obituary pirates."
Shifting Sands of Ransomware
"Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime. Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration," said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit™ (CTU™). "As the ecosystem evolves, we have entropy in threat groups, but also unpredictability in playbooks, adding significant complexity for network defenders."
AiTM and AI as Growing Threats
In the past year, threat actors have increasingly stolen credentials and session cookies to gain access using AiTM attacks. Because a stolen session cookie already carries a completed authentication, this potentially reduces the effectiveness of some types of MFA, a worrying trend for network defenders. These attacks are facilitated and automated by phishing kits available for hire on underground marketplaces and Telegram. Popular kits include Evilginx2, EvilProxy and Tycoon2FA.
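One observable defenders can look for after an AiTM phishing session is a freshly MFA-authenticated session cookie being presented from a different source IP shortly after the login. The following detection heuristic is an added example, not Secureworks code or report content; the event format, field names and 30-minute window are assumptions, and the sign-in records are constructed.

```python
"""Flag session-cookie reuse consistent with AiTM proxy theft.

Added example (not from the report). Each record is one sign-in or
token-use event from a constructed identity-provider log; field names
and the time window are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice completes MFA from one IP, then her session
# cookie is used from a different IP four minutes later (AiTM pattern).
# bob's session is reused only from the IP that performed the login.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T09:00:00", "user": "alice", "session": "s-1",
     "ip": "203.0.113.10", "mfa": True, "kind": "login"},
    {"ts": "2024-06-01T09:04:00", "user": "alice", "session": "s-1",
     "ip": "198.51.100.7", "mfa": False, "kind": "token_use"},
    {"ts": "2024-06-01T10:00:00", "user": "bob", "session": "s-2",
     "ip": "203.0.113.20", "mfa": True, "kind": "login"},
    {"ts": "2024-06-01T10:30:00", "user": "bob", "session": "s-2",
     "ip": "203.0.113.20", "mfa": False, "kind": "token_use"},
]


def find_aitm_candidates(events, window=timedelta(minutes=30)):
    """Return (user, session, login_ip, reuse_ip) tuples for sessions whose
    cookie is presented from a new IP within `window` of the MFA login."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    hits = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        logins = [e for e in evs if e["kind"] == "login" and e["mfa"]]
        if not logins:
            continue  # no MFA-backed session to hijack
        login = logins[0]
        t0 = datetime.fromisoformat(login["ts"])
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            in_window = t0 <= t <= t0 + window
            if e["kind"] == "token_use" and e["ip"] != login["ip"] and in_window:
                hits.append((e["user"], sid, login["ip"], e["ip"]))
                break  # one alert per session is enough
    return hits
```

Real deployments would compare ASN or device fingerprint rather than raw IP to reduce false positives from mobile networks and VPNs.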
As AI tools have become widespread and readily available, it was inevitable that cybercriminals would take note as they look to scale. Since mid-February 2023, Secureworks CTU researchers have observed an increase in posts on underground forums about OpenAI ChatGPT and how it can be employed for nefarious purposes. Much of the discussion relates to relatively low-level activity, including phishing attacks and basic script creation.
"The cybercrime landscape continues to evolve, sometimes minor, occasionally more significant. The growing use of AI lends scale to threat actors, however the increase of AiTM attacks presents a more immediate problem for enterprises, reinforcing that identity is the perimeter and should cause enterprises to take stock and reflect on their defensive posture," continued Smith.
One novel example of AI being used by threat actors, as observed by Secureworks researchers, was its role in a fraud perpetrated by so-called obituary pirates. Threat actors monitored Google Trends following a death to identify interest in obituaries, then used generative AI to create lengthy tributes on sites that were pushed to the top of Google search results by SEO poisoning. Those sites then directed users to other sites pushing adware or potentially unwanted programs.
State-Sponsored Threat Activity – A Summary
The report also examines the significant activities and trends in the behavior of state-sponsored threat groups belonging to China, Russia, Iran, and North Korea. This year, we are also including threat group activity from Hamas, which has seen a notable increase since the outbreak of the Israel-Hamas war and is now spilling over into the public domain and our aperture. The primary drivers for these countries are geopolitical.
China:
Chinese cyber activity has continued to track with previous Secureworks observations. Its aims are broadly focused on information theft for political, economic, and military gain. Much of this activity was targeted at industrial sectors that align with the high-level objectives of the Chinese Communist Party's (CCP) Five Year Plan. In October 2023, the heads of the US, UK, Australian, Canadian, and New Zealand security agencies warned of the "epic scale" of Chinese espionage. State-sponsored threat actors were not immune to the law enforcement activity. In March 2024, the US State Department unsealed indictments against seven named individuals, all part of the BRONZE VINEWOOD threat group. The indictments contain details of an extensive campaign of intrusions committed by the group over more than a decade of malicious activity. In the same month, the UK government stated that China was responsible for two malicious campaigns against the UK Electoral Commission between 2021 and 2022. However, no information was released about the group responsible.
Iran:
Iranian internal and external cyber activity remained driven by its political imperatives. Internationally, Iran primarily focuses on Israel, regional adversaries including Saudi Arabia, the United Arab Emirates and Kuwait, and the US. Iran makes regular use of fake hacktivist personas to target enemies, giving itself plausible deniability. There are two primary Iranian sponsors of cyber activity: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).
North Korea:
North Korean threat actors continued their pursuit of revenue generation via cryptocurrency theft and sophisticated fraudulent employment schemes to gain access to Western jobs. They were persistent in targeting the IT sector and weaknesses in the supply chain. There was a major focus on entities in the US, South Korea, and Japan. These activities were set within the geopolitical context of an increased willingness on the part of North Korea to work with Russia and Iran, with the intent to foster relations with countries prepared to confront shared, perceived enemies despite international sanctions.
Hamas:
Secureworks tracks three threat groups considered to be aligned with Hamas, the militant group that governs the Gaza Strip: ALUMINUM SHADYSIDE, ALUMINUM SARATOGA and ALUMINUM THORN. The outbreak of the Israel-Hamas war in October 2023 led to an uptick in cyber activity targeting Israel and countries perceived to be aligned with it. However, much of that activity is thought to have been the work of hacktivist groups and personas masquerading as Palestinian but more likely linked to Iran or Russia.
Russia:
The war in Ukraine continues to drive Russian state-sponsored cyber activity, both in Ukraine and abroad. Groups associated with all three of Russia's intelligence agencies were active throughout the past year. CTU researchers assess that Russia's most aggressive use of cyber capabilities in sabotage operations will remain focused on critical infrastructure targets within Ukraine. One notable example of this kind of activity this year was IRON VIKING's cyber espionage attacks against battlefield control systems used by Ukrainian defense forces.
State of the Threat Report 2024
This 8th edition of the Secureworks State of the Threat Report provides a concise analysis of how the global cybersecurity threat landscape has evolved over the last 12 months. The information in the report is drawn from Secureworks CTU firsthand observations of threat actor tooling and behaviors and includes actual incidents. Our annual threat analysis provides deep-dive insight into the threats our team has observed on the front line of cybersecurity.
The Secureworks State of the Threat Report can be read in full here: https://www.secureworks.com/resources/rp-state-of-the-threat-2024
About Secureworks
Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that secures human progress with Secureworks® Taegis™, a SaaS-based, open XDR platform built on 20+ years of real-world detection data, security operations expertise, and threat intelligence and research. Taegis is embedded in the security operations of thousands of organizations around the world, who use its advanced, AI-driven capabilities to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.
Connect with Secureworks via LinkedIn and Facebook, or read the Secureworks Blog.