Professional Documents
Culture Documents
Report 2024
An In-Depth Analysis of
the Cyber Threat Landscape
Ransomware Attacks per Year One reason could be that larger organizations
have become better at enforcing MFA, which
makes using stolen credentials as an initial
attack vector more difficult. Another reason
could be an influx of new cybercriminals that
can only conduct simple ransomware attacks
against smaller targets.
2022 2023
BEC Contained
It’s also evident that while the number of Data Theft Other
Vulnerability
A likely reason is that many large enterprises Distribution of Ransomware Attacks Against Different Sizes
of Organizations
are now aware of the need for cybersecurity
and also have the resources to invest in
proper cybersecurity. They’ve improved their
defenses and acquired effective managed
detection and response capabilities. This
makes them more difficult targets to breach,
so cybercriminals move on to easier victims.
Organized crime, protection fees, and similar The typical access broker will be opportunistic
extortion are so much a part of Russian in their approach to access gathering, often
business culture that it may have been using a combination of phishing and brute-
normalized in the eyes of the criminals. If you force password spraying to gain access
have poor cybersecurity, you’ll pay the price. to vulnerable networks. They then conduct
That’s the rule from their perspective. quick online checks for the annual turnover
of the company they have access to and
Ransomware operators are not hackers try to sell the credentials to ransomware
searching for thrills or fame. They’re criminals. This will, on average, cost between
motivated purely by financial gain. 1,000 and 10,000 euros per access, depending
Understanding these criminals’ business on the company’s size. This cost represents
models can help you guide your cyber a freelancing ransomware criminal’s
defenses, as not all ransomware investment for every attack.
groups target the same victims. Some
cybercriminals use simple, inexpensive The top-tier ransomware groups operate
methods. As in many other forms of business, large teams of cybercriminals working
it takes money to make money. together to breach networks and deploy
ransomware. These cybercrime syndicates
Novice cybercriminals don’t have the represent the most advanced and diverse
resources to buy expensive tools or access. threat to organizations. They continually invest
They buy inexpensive, primitive ransomware in developing custom tools, infrastructure, and
and use simple methods like password salaries for their employees. They prefer to
spraying or publicly available exploits to select relatively large companies as targets
vulnerabilities that have been known for for their attacks, as they want a return on
a long time. They mainly target smaller their investment in the form of a multimillion-
enterprises that can’t afford professional dollar ransom to make the attack worth their
incident response teams, as cheap investment in time and money, something only
ransomware often has flaws that can be more prominent victims can afford.
https://www.truesec.com/hub/blog/what-
is-anonymous-sudan
This year, we must begin by stating that all the challenges we presented in the 2023
Threat Intelligence Report are still valid concerns, as they illustrate techniques still used
by cybercriminals. Rather than restate the same challenges, we’ll focus on four emerging
challenges. This report is intended to be an update to last year’s report, not a replacement.
Each chapter details a particular challenge and provides advice on solutions. In addition, we
have exemplified many of the challenges with a real-world incident story that illustrates the
challenge we explain.
1.
Automation and AI in
Cyber Attacks
Challenge: When the AI
Becomes a Criminal
2.
Efficient Cybersecurity
Challenge: Cybercrime Is
Just Business
3.
New Laws and Regulations
Challenge: Knowing All New
Legal Responsibilities
4.
Protecting Your Digital Assets
Challenge: When the Threat
Actor Is Already Inside
Automation and AI in
Cyber Attacks
Challenge: When the AI
Becomes a Criminal
In recent years, Truesec has observed breaching networks. It’s still too early to say
increased automation in cyber attacks. how quickly this trend will develop or how
Malware developers are increasingly much it will affect the cybercrime scene,
providing criminals with complete attack but the likely outcome will be an increase in
frameworks with easy-to-understand GUIs the threat of cybercrime in the coming year
that make cyber attacks easier to conduct as more and more cybercriminals learn to
for novices. adopt these tools.
The hope that responsible guards in AI- At the same time, it’s important not to
powered chatbots would limit their use overstate the effect of cybercriminals using
for cybercrime appears to have been AI in their attacks. The likeliest outcome if
dashed. AI researchers have now begun to cybercriminals begin to adopt AI to assist
release AI-powered chatbots that are in their attacks is not that cybercriminals’
trained on the dark web and developed attacks will be technically more proficient or
specifically to help cybercriminals. The aim advanced but that experienced hackers, in
is to create malicious AI bots capable of some cases, will be faster and more effective
creating sophisticated phishing campaigns, in conducting their current attacks. AI
executing social engineering campaigns, chatbots will not replace criminals any more
exploiting vulnerabilities, and creating than they will replace developers.
and distributing malware.
AI chatbots can assist in social engineering
So far, a few malicious chatbots are now attacks, but using such tools to translate
available for use by cybercriminals, including text is usually not more revolutionary than
one trained to assist in solving scripting and using them to assist in coding. They can
coding problems and one that can assist help someone proficient in a language
cybercriminals in crafting better phishing to translate faster, but if used just as an
mail and social engineering attacks. advanced Google Translate, it will still mostly
yield unimpressive results.
Cybercriminals will use these tools to improve
their attacks and become more efficient in
Rightly used, AI can also help bolster our developments but also discern which
defenses, and cybersecurity companies technology tools will best meet their needs.
like Truesec are also investing in AI research
to offer even better protection in the future. An AI trained by senior analysts can assist a
Today, AI is far from capable of effectively junior analyst in a SOC, helping them learn
being used alone for cyber attacks or defense. about investigation, reverse engineering, or
threat hunting without any other resources,
It’s important to understand that AI will not just learning with the tool. To some extent,
remove the need for human operators. It will this can address the shortage of competent
instead empower them with new tools that let personnel within the cybersecurity field.
them do their job more efficiently. The key is
for security teams to consider how AI and ML In conclusion, rightly used AI can also help
models are trained with relevant data to not bolster our defenses, and cybersecurity
only provide correct information but also not companies like Truesec are also investing in
disclose sensitive or regulated data. If the AI AI research to offer even better protection
model lacks enough information, the answers in the future. Today, AI is far from capable of
delivered can often be biased, leading to effectively being used alone for cyber attacks
mistakes and security risks in cybersecurity. or defense. But when used intelligently, it can
bolster the capacity of human operators on
A strong Blue team of cybersecurity the defense, too.
defenders should consist of skilled security
specialists manning a SOC 24/7, empowered
by modern security tools that utilize AI and ML
to allow the security resources in your team
to become as effective as possible.
Cybercrime, in all its forms, is about exploitation of a known vulnerability, but the
cybercriminals exploiting weaknesses to decision to spend time to exploit an initial
make money. Cybercriminals make decisions breach and expand it until the environment
based on business calculations. Your risk is is completely taken over, is motivated by
thus directly proportional to your potential the perceived value of the target. Most
value to the attacker. ransomware criminals evaluate their victims
based on financial data, like annual turnover,
Cybercriminals evaluate their potential cyber insurance, etc. Espionage groups base
targets based on two criteria: how much their efforts on stolen information’s political
effort it takes to compromise them and how and economic value.
much value they represent if the attack
succeeds. The wealthier the target, the more A typical successful ransomware heist can
effort a cybercriminal may be willing to net the criminals 2% of the victim’s annual
spend to compromise it. turnover in profit for a couple of weeks’ work.
If we can’t make that unprofitable for the
A bulk of automated attacks can be criminals by lowering their success rate, you
blocked by taking basic precautions; novice can be sure the ransomware business will
cybercriminals don’t have the resources continue to grow.
to buy expensive tools or access. Simply
enabling MFA will be enough to stop many
of these attacks. As these criminals rely on
quantity to make a profit, the sophistication
of each attack, time spent to scout the target,
choice of specialized tools, social engineering,
and even man hours tend to be limited.
Below are some statistics for all serious exploitation of known vulnerabilities.
intrusion attempts our SOC has prevented Many large ransomware campaigns today
in the last three years. These numbers are begin with a threat actor that has written
normalized to how many endpoints we an exploit that allows them to compromise
defend, so changes reflect real changes in all unpatched machines with a particular
the cyber threat landscape. We can observe software. They use online scanning databases
how the number of intrusion attempts have to identify all vulnerable machines on the
increased to almost double the previous years. internet and run automated attacks to install
backdoors on vulnerable systems. Then, they
Intrustion Attempts Disarmed per Monitored Endpoints begin to pick them off, one by one.
Compared to 2021
Being a leader – a CEO, senior management (including privacy) have seen – and are
member, board member, etc. – is risky business. seeing – rapid change. With these changes,
And with ambitious threat actors hunting the responsibilities placed on organizations
for your organization’s data – hungering for and their leadership teams are also changing.
its money – and with legal responsibilities A shared theme across all changes is that
widening their scope, deepening their responsibilities are growing larger and
complexity, and placing liabilities on leaders more complex.
personally, it’s an ever-riskier business.
There is a shift of paradigms from “Comply or
For example, legislators and regulators require explain,” where legislation allows organizations
organizations to keep track of their data and its some leeway in how to fulfill the purpose of the
inherent sensitivity; of processing-of-personal- legislation, via “Explain to comply,” introduced
data activities, including categories of data, with the GDPR, demanding organizations to
data subjects, and potential risks; and of what document how they comply with the stipulated
technical, operational, and organizational requirements to be deemed fully compliant;
measures are appropriate and proportionate to “Prove to comply” introduced with NIS2,
to their determined aggregated risk exposure. demanding compliance, documentation, and
These requirements are not, in and of the ability to produce actual proof of how the
themselves, new or, to be fair, unwarranted. organization complies with the legislation in its
However, they do require organizations to everyday business to be deemed compliant.
allocate resources from revenue-generating
activities to “other” activities, or that’s at least This shift to “Prove to comply” amplifies the
the sentiment in many organizations. They onus that is put on senior management
don’t feel they have the legal maturity or and leadership to ensure not only that their
the necessary resources to carry the costs organizations comply with the legislative
related to cybersecurity compliance and data requirements but also to provide tangible
protection regulations. evidence of such compliance. Another notable
shift is the ever-extending downstream scope
At the same time, the laws and regulations of responsibility in ensuring your organization’s
related to cybersecurity and data protection supply chains’ level of compliance and
Having good cybersecurity has always been • How do we transfer the meaning of our
good business. The impact of a ransomware policies to our suppliers?
attack can cripple an enterprise both
financially and reputationally. The only • What if we don’t do this work? How will
difference is that now it can also be against the future of our organization look?
the law not to have proper cybersecurity
when handling customers’ data. If you don’t have the cyber legal knowledge
within your organization, you need to acquire
To understand if you comply with data it. You can’t always trust that the organization
protection laws and regulations, it’s not you outsource your IT to will act in your
enough to have proper policies in place. You best interests.
also must ask yourself these questions:
When your business is hit with a ransomware In recent years, threat actors that steal
attack, and your digital assets are held for information have become more and more
ransom, there’s no avoiding the fact that your refined, and we can rewind to February 2021,
IT environment is, in fact, unavailable. You’re and the Exchange Server exploit attributed
left with no choice: the glove is thrown, and to the Chinese threat actor known as “Silk
you must act immediately. Protecting your Typhoon.” Truesec investigated a set of
digital assets is about getting them back breaches where the threat actor gained
again. Your business is at a standstill until you access but wanted to stay undisturbed on
regain control of your network. the servers. To prevent other competitive
threat actors from gaining access, the first
The focus on ransomware and uptime threat actor updated the exchange server to
sometimes steals the attention from other, prevent further breaches. By doing this, they
more insidious threats. Many threat actors could work undisturbed and move much
want long-term network access and do slower, take a several months long pause in
everything to stay undetected. They abuse some cases, stay in the target environment,
their access to stealthily hijack information and figure out how to utilize the asset they
and abuse digital assets for their own now had at their disposal.
purposes. These digital parasites can remain
for years in your network, slowly feeding off In 2023, the Truesec Incident Response Team
your organization’s hard work. has seen this taken to the next level, where
the threat actor has not only gained access
The theft of intellectual property is a well- to a target environment but also established
known form of data theft. Despite how much access of such sort that they now are a
has been written about cyber espionage, distributor of digital services (SaaS), from
most organizations still don’t understand how the target’s environment, but through
widespread the theft of intellectual property black market sales channels. The target
and information about tenders is. When a environment gives information backend
Chinese competitor wins a tender with an functionality, and the threat actor lives as a
almost identical product, it’s considered a parasite of the “host body.”
business problem, not a cybersecurity problem.
there’s no clear breaking point. The threat long period of historical events.
actor is not interested in creating havoc or
chaos that would alert the victim to their •
Prepare containment strategies in
presence. Everything is working, with the advance and ensure you can
small caveat that a threat actor is now rapidly contain systems, applications,
robbing the customer. and network segments.
During a routine cybersecurity health check espionage campaign. It had all the markings
of a European manufacturing corporation, it of a broad cyber espionage campaign, like the
was discovered that a threat actor was inside Chinese Cloud Hopper attack.
the network. The response team assumed that
they had discovered a ransomware attack in When we delved into the threat actors’ goals,
progress. As the investigation continued, it was we observed that the main focus of the threat
soon discovered that this threat actor had actor’s efforts appeared to be the software
actually been inside the network for far longer used in products made by the manufacturer.
than is typical for a ransomware attack – the Like many manufacturers of advanced
earliest evidence of the threat actor being machines, their products included special
active in the environment dated almost two industrial software. The threat actor’s main
years back. focus appeared to be to continually exfiltrate
the latest updated version of this software.
The forensic team decided that it was likely
that the threat actor was not a cybercriminal There is a market for such software. China is
but a state-sponsored espionage group. The full of bootleg Western machinery. Sanctions
skill and evasion technique used by the threat against Russia mean that manufacturers won’t
actor supported this theory. The threat actor allow updates to industrial software in Russia.
relied entirely on living off-the-land binaries Bootleg copies of the same software stolen by
and techniques (LOLBins). this threat actor are also for sale on the dark web.
The threat actor managed to obtain full Truesec can’t definitively prove that the threat
access to the directory, and persistence was actor was a state-sponsored threat actor or
ensured by cloning machines joined to the AD for what nation they would have acted, but
that were not in use. The threat actor had the it’s clear that proprietary software for popular
AD under constant scrutiny and shifted clients modern industrial products is desirable
it cloned as the need arose. enough to make an advanced threat actor
go to great lengths to steal it. Like a parasite,
Evidence suggests the initial breach was they lodged themselves in the network to
the IT provider’s jump server. This, in turn, continually have access to the latest version
indicates the attack was part of a much larger of the software.
As the newer ransomware actors get absorbed into Even here in the Nordics, some organized crime
the established ransomware ecosystem, it’s also groups have begun to move part of their business into
likely that their skills will mature, as will their respect cyberspace, selling drugs on darknet marketplaces.
for the ecosystem’s internal rules. Just as traditional Some of the organized crime groups in the Nordics are
organized crime is moving into cyberspace to also capable of considerable violence. As organized
conduct fraud or sell drugs, organized cybercrime crime increasingly moves into the darknet, they can
will continue to adopt organizational structures establish more ties with cybercrime. Cybercriminals
reminiscent of real-world organized crime. could, in the future, pay other criminals to make good
on physical threats against victims who don’t pay their
No Longer Looking for Malware ransom or even blackmail victims to give them
The most effective ransomware groups are now access to networks.
capable of obtaining and using zero-days, which are
exploitable flaws in software that are, by definition, In the future, identity management will likely be even
initially unknown to the rest of the world. When a more critical than it is now. Whoever has admin access
threat actor has access to a zero-day that allows to the entire corporate environment could, in the future,
remote code execution, there’s only so much be a question of who needs physical protection.
www.truesec.com