Introduction
This last year we have seen upheaval across the cybersecurity landscape. The need for effective, worldwide threat intelligence continues to grow as geopolitical and economic developments create an increasingly complicated and uncertain world for both businesses and consumers. Threat actors continue to evolve with new players and threats emerging globally — in addition to novel ways of leveraging or executing older tactics and approaches. Security experts should assume that no organization or individual is truly safe from a cyber threat and that there is an increasing urgency to monitor and research threats resurging and evolving at a rapid pace and scale.
Ransomware remains an ever-present plague for many organizations worldwide as these families increase in scale and sophistication, including coordinating and partnering with other threat actors through underground forums. Socially engineered ploys to trick and deceive individuals into compromising their devices or personal information are becoming more cunning and targeted, and simultaneously harder for both victims and security tools to catch and identify. Furthermore, the trend continues of cyberattacks being used in the service of political, economic, and territorial ambitions through nation-states executing espionage, warfare and disinformation, as observed through threat activity in Ukraine, Taiwan, Israel and other regions.
“The cyber landscape today is more complex than ever before. Cybercriminals from ransomware families to nation-state actors are getting smarter, quicker, and more coordinated in retooling their tactics to follow new schemes — and we don’t anticipate that changing in 2024,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “In order to break away from escalating attacks and start outsmarting and outmaneuvering threat actors, all industries need to embrace a cyber strategy that is constantly vigilant, actionably comprehensible, and adaptable to new threats. That is how we can ensure a one-step lead over cybercriminals in the coming year.”
Below, the cybersecurity experts and threat researchers from the Trellix Advanced Research Center team have compiled their predictions for trends, tactics, and threats that organizations should keep top of mind as we approach 2024. We invite you to read through our forewarnings for the coming year, and see what we will be keeping a keen eye on moving forward.
- The Threat of Artificial Intelligence
- Underground Development of Malicious LLMs
- The Resurrection of Script Kiddies
- AI-generated Voice Scams for Social Engineering
- Shifting Trends in Threat Actor Behavior
- Supply Chain Attacks Against Managed File Transfers Solutions
- Malware Threats are Becoming Polyglot
- Even More Layers of Ransomware Extortion
- Election Security Must Start with Protecting the Human-in-the-Loop
- Emerging Threats and Attack Methods
- Unmasking The Silent Surge in Insider Threats
- The Growing Battle of the (QR) Codes
- The Stealthy Assault on Edge Devices
- Python in Excel Creates a Potential New Vector for Attacks
- LOL Drivers Are Becoming a Game Changer
The Threat of Artificial Intelligence
Underground Development of Malicious LLMs
Author: Shyava Tripathi
Recent advancements in AI have given rise to large language models (LLMs) capable of generating human-like text. While LLMs exhibit remarkable technological potential for positive applications, their dual-use nature also makes them vulnerable to malicious exploitation. One significant security concern associated with LLMs lies in their potential misuse by cybercriminals for large-scale attacks.
Leading LLMs like GPT-4, Claude, and PaLM2 have achieved unparalleled capabilities in generating coherent text, answering intricate queries, problem-solving, coding, and numerous other natural language tasks. The availability and ease of use of these advanced LLMs have opened a new era for cybercriminals. Unlike earlier, less sophisticated AI systems, today’s LLMs offer a potent and cost-effective tool for hackers, eliminating the need for extensive expertise, time, and resources. And this value has not been lost on the cybercriminal underground.
Setting up the infrastructure for large-scale phishing campaigns has become cheaper and more accessible, even for individuals with limited technical skills. Tools like FraudGPT and WormGPT are already prominent in cybercriminal networks. Popular darknet forums, which already serve thousands of users, often act as platforms for the coordinated development of phishing emails and counterfeit webpages, as well as malware and vulnerabilities designed to evade detection. These LLM applications help cybercriminals overcome considerable technical challenges, and we expect the development and malicious usage of these tools to accelerate in 2024.
The Resurrection of Script Kiddies
Author: Ajeeth S.
The availability of free and open-source software is what originally led to the rise of those known as “Script Kiddies,” individuals with little to no technical expertise who use pre-existing automated tools or scripts to launch cyberattacks. Though they are sometimes dismissed as unskilled amateurs or Blackhat wannabes, the growing availability of advanced generative AI tools, and their potential for malicious use, means Script Kiddies pose a significant and growing threat.
The internet is now filled with tools that use AI to make people’s lives easier, from creating presentations, generating voice notes, writing argumentative papers, and much more. Many of the best-known tools like ChatGPT, Bard, or Perplexity AI come with security mechanisms to prevent them from writing malicious code. This is not the case for all AI tools on the market, however, especially those being developed on the dark web.
It is only a matter of time until cybercriminals have access to an unrestricted generative AI that can write malicious code, create deepfake videos, assist with social engineering schemes and more. This will make it easier than ever for unskilled actors to execute sophisticated attacks at scale. Furthermore, widespread leveraging of such tools to exploit vulnerabilities will make root cause analysis of attacks more challenging for defenders. We consider this to be an area to monitor carefully in 2024.
AI-generated Voice Scams for Social Engineering
Author: Rafael Pena
The rise of scams involving AI-generated voices is a concerning trend that is set to grow in the coming year, posing significant risks to individuals and organizations. These scams often involve social engineering tactics, where scammers use psychological manipulation techniques to deceive individuals into taking specific actions, such as disclosing personal information or executing financial transactions. AI-generated voices play a crucial role in this, as they can instill trust and urgency in victims, making them more susceptible to manipulation.
Recent advancements in artificial intelligence have greatly improved the quality of AI-generated voices. They can now closely mimic human speech patterns and nuances, making it increasingly difficult to differentiate between real and fake voices. Furthermore, the accessibility and affordability of AI-voice generation tools have democratized their use. Even individuals without technical expertise can easily employ these tools to create convincing artificial voices, empowering scammers.
Scalability is another key factor. Scammers can leverage AI-generated voices to automate and amplify their fraudulent activities. They can target numerous potential victims simultaneously with personalized voice messages or calls, increasing their reach and effectiveness. Detecting AI-generated voices in real-time is a significant challenge, particularly for individuals who are not familiar with the technology. The increasing authenticity of AI voices makes it difficult for victims to distinguish between genuine and fraudulent communications. Additionally, these scams are not limited by language barriers, allowing scammers to target victims across diverse geographic regions and linguistic backgrounds.
Phishing and vishing attacks are both on the rise. It’s only a logical next step that as the technology for AI-generated voices improves, threat actors will leverage these applications with victims on live phone calls — impersonating legitimate entities to amplify the effectiveness of their scams.
Shifting Trends in Threat Actor Behavior
Supply Chain Attacks Against Managed File Transfers Solutions
Author: John Fokker
Managed file transfer (MFT) solutions, designed to securely exchange sensitive data between entities, inherently hold a treasure trove of confidential information. This ranges from intellectual property, customer data, financial records, and much more. MFT solutions play a critical role in modern business operations, with organizations relying heavily on them to facilitate seamless data sharing both internally and externally. Any disruption or compromise of these systems can lead to significant operational downtime, tarnished reputations, and financial losses. This makes them highly attractive targets for ransomware actors who are aware of how the potential impact enhances the potency of their extortion demands.
Furthermore, the complexity of MFT systems and their integration into the internal business network often creates security weaknesses and vulnerabilities that can be exploited by cybercriminals. Just in the last month, we saw the Cl0P group exploiting the GoAnywhere MFT solution and then MOVEit, turning one successful exploit into a major global software supply chain breach. In the next year, we expect these types of attacks only to increase, with participation from numerous threat actors. Organizations are strongly advised to thoroughly review their managed file transfer solution, implement DLP solutions and encrypt sensitive data to protect themselves.
Malware Threats are Becoming Polyglot
Author: Ernesto Fernández Provecho
In recent years, there has been a noticeable rise in the utilization of programming languages like Golang, Nim, and Rust for the development of malicious software. While the volume is still low compared to other languages like C or C++, that is something we expect to change in the future.
Go’s simplicity and concurrency capabilities have made it a favorite for crafting lightweight and speedy malware. Nim’s focus on performance and expressiveness has rendered it useful for creating intricate malware. Meanwhile, Rust’s memory management features are attractive to ransomware groups and other threat actors concerned about the encryption efficiency of malware samples.
What adds to the complexity of this burgeoning space is the lack of comprehensive analysis tools for these languages. The relative newness of Nim and Rust means that established security tooling is less abundant compared to languages like C or Python. This scarcity of analysis tools poses a significant challenge for cybersecurity experts aiming to dissect and counteract malware written in these languages.
We’re already starting to observe an increase in Golang-based malware in recent months, and thus, predict that 2024 will see a notable surge in malware from these languages.
Even More Layers of Ransomware Extortion
Author: Bevan Read
As ransomware groups are primarily financially driven, it’s unsurprising to see them find new ways to extort their victims for more money and pressure them to pay the ransom. We are starting to see ransomware groups contact the clients of their victims as a new way to apply pressure and combat recent ransomware mitigations. This allows them to ransom the stolen data not only with the direct victim of their attack, but also any clients of the victim who may be impacted by the stolen data.
Ransomware groups finding ways to leverage the media and public pressure onto their victims isn’t new. Back in 2022, one of Australia’s most significant health insurance companies suffered from a data breach. In tandem with their ransom to the insurance company, the threat actors publicized much of the medical data — leading to pressure from the public and officials to pay the ransomware actors to take down the medical information. In addition, due to the tremendously private nature of data being released, clients walked into the insurance company’s shopfronts and offered to pay for their own details to be removed. In 2023, observing a similar event, a ransomware group threatened to contact the clients of companies they had compromised, offering them the option to pay to remove their personal and private details from the exposed data.
As this additional form of extortion grows in popularity, it adds a 5th avenue for these attackers to ransom those affected. We expect to see a shift in the landscape where ransomware groups more often look to target entities that handle not only sensitive personal information, but intimate details that can be used to extort clients. It would not be surprising for the healthcare, social media, education, and SaaS industries to come further under fire in 2024 from these groups.
Election Security Must Start with Protecting the Human-in-the-Loop
Author: Patrick Flynn
A critical threat to election security remains in the basics, and often starts with emails or SMS messages in which “bad actors” actively target election officials through creative phishing schemes to compromise credentials. We only need to look back three years to when this was prominently used against key officials in four battleground states. It will be no different this coming election cycle unless the individuals involved at every level — ranging from city and county election officials to volunteers — are protected.
Cyber-attacks such as spear phishing and sophisticated impersonation continue to use email as the main entry point because it can be highly customized, which increases the rate of successful exploitation. As we inch closer to the 2024 election cycle, everyone involved in elections must continue examining emails closely and not trust unrecognizable hyperlinks. They should be extra wary of highly targeted and sophisticated impersonation and business email compromise (BEC) attacks and spear-phishing campaigns, and consider leveraging solutions to detect and stop advanced malicious files and URLs.
Playing a role in elections empowers all individuals, but these roles also come with a critical responsibility. Every participant must be aware of and prepared for those who seek to influence the electoral process through illicit means.
Emerging Threats and Attack Methods
Unmasking The Silent Surge in Insider Threats
Author: Manoj Reddy M.V.
In recent years, insider threats have posed a multifaceted risk that affects both public and private organizations globally. An insider threat refers to any person, whether an employee, contractor, partner, or someone with rogue access, who had or currently has access to critical organizational assets, including facilities, information, networks, and systems. Based on recent industry analysis, insider threats have increased by 47% over the last two years, incurring a total cost of $15.38 million for the containment of these incidents.
This threat undermines the confidentiality and integrity of the organization while aiding adversaries in gathering intelligence, carrying out sabotage operations, and using subterfuge methods to achieve their nefarious objectives. As connected devices continue to proliferate, and hybrid and remote workforces persist, insider threats will only continue to grow. The rapidly growing nature of insider threats presents a formidable challenge to people, processes, and technology. It is essential for organizations to identify, evaluate, detect, and manage these insider threats in today’s threat landscape to retain stakeholder confidence.
The Growing Battle of the (QR) Codes
Authors: Raghav Kapoor & Shyava Tripathi
The rise of QR code-based phishing campaigns represents an alarming trend. As our daily lives become increasingly reliant on digital interactions, attackers are adapting their tactics to exploit new vulnerabilities. QR codes, originally designed for their convenience and efficiency, have become an enticing tool for cybercriminals to use as an attack vector.
One of the primary reasons behind the expected increase in QR code-focused phishing campaigns is their inherent trustworthiness. QR codes became essential in various aspects of daily life during the COVID-19 pandemic, from contactless payments to restaurant menus. As a result, people have grown accustomed to scanning QR codes without much thought, assuming they are safe. This sense of trust can be exploited by cybercriminals who embed malicious links or redirect victims to fake websites. We expect that QR codes will also be used to distribute widely recognized malware families.
The ease of QR code creation and distribution has lowered the barrier for entry into the world of phishing and malware distribution. Anyone can generate a QR code and embed malicious links within, making it a cost-effective and accessible method for cybercriminals to target victims. Moreover, QR codes offer a discreet way for hackers to deliver their payloads. Users may not even realize they have fallen victim to a phishing attack until it’s too late, making detection and prevention more challenging.
Traditional email products often fail to detect these attacks, which makes them an attractive option for cybercriminals today. As attackers continue to refine their tactics and craft convincing phishing lures, the potential for success in these campaigns will be on the rise. To combat the growing threat of QR code-focused phishing, users must exercise caution when scanning codes, especially from unknown or suspicious sources.
The Stealthy Assault on Edge Devices
Author: Pham Duy Phuc
There is a somewhat stealthy shift in the threat landscape underway, centering on the often-overlooked realm of edge devices. These unassuming components, including firewalls, routers, VPNs, switches, multiplexers, and gateways are becoming the new frontier for Advanced Persistent Threat (APT) groups. What sets this apart from normal is the subtlety of the threat; it’s not about the easily foreseen IoT vulnerabilities, but rather the less conspicuous challenges posed by edge devices themselves.
Edge devices have their unique complexities. However, the issue lies in their inherent inability to detect intrusions. Unlike traditional network components, it’s not as simple as bolting on another IDS or IPS. The gateways to our digital world are, by design, the first and last line of defense. This makes them both the target and the blind spot. The evolving tactics of APT groups, combined with the multiplicity of edge device architectures, present a formidable challenge. Solutions for platforms like MIPS or ARM are still in their infancy when it comes to robust intrusion detection. In a threat landscape that is a constant game of cat and mouse, this is an area where the mice are incredibly elusive.
As we continue to move into the digital age, with more connected devices and services constantly proliferating through our lives, the cyber battleground isn’t always where we expect it to be. The year 2024 brings with it a new reality: the under-explored vulnerabilities in our gateways, routers, and VPNs are being scrutinized and exploited with finesse. To safeguard our digital devices, we must adapt and fortify our defenses against subtle yet determined adversaries.
Python in Excel Creates a Potential New Vector for Attacks
Author: Max Kersten
With Microsoft implementing default defensive measures to block macros in Excel files from the internet, macro usage by threat actors has seen an expected drop. Instead, they are exploring alternative attack vectors for their latest attacks, including lesser known or underutilized ones such as OneNote documents. However, with the recent creation and release of Python in Excel, we expect this to be a potential new vector for cybercriminals.
As both attackers and defenders continue to explore the functionality of Python in Excel, it is guaranteed that bad actors will start to leverage this new technology as part of cyberattacks. As the Python code is executed in containers on Azure, it can access local files with the help of Power Query. Now, Microsoft did keep security in mind with the creation and release of Python in Excel and claims that there is no possible connection between Python code and Visual Basic for Applications (VBA) macros. Additionally, it provides very limited access to the local machine and the internet while only utilizing a subset of the Anaconda Distribution for Python.
However, there is potential this could still be abused via a vulnerability or misconfiguration if found by a threat actor. Microsoft’s limitations narrow the playing field, but don’t change the fact that this new functionality creates a new field for threat actors to play on.
LOL Drivers Are Becoming a Game Changer
Author: Adithya Chandra
Many recent security incidents have shown that vulnerable drivers pose a significant threat. Signed vulnerable drivers are stealing the show, as they can be used for stealthy persistence and to disable security solutions in the very early stages of attack. In such attacks, malicious actors drop legitimate drivers signed with a valid certificate and capable of running with kernel privileges on the victims’ devices. Successful exploitation allows attackers to achieve kernel-level privilege escalation, which grants them the highest level of access and control over system resources on a target.
The ZeroMemoryEx Blackout project, the Terminator tool by Spyboy, and the AuKill tool are all recent headline examples of vulnerable driver techniques used to bypass security controls and execute malicious code. There are some features and initiatives to protect against this attack, such as Microsoft’s Vulnerable Driver Blocklist and the LOL Drivers project. However, that doesn’t change the fact that these attacks are easy and simple to execute, with an increased likelihood of successful infections and greater accessibility of vulnerable drivers. For these reasons, we anticipate seeing more such vulnerable driver-based exploits, which will have a wide impact in 2024.
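The blocklist initiatives mentioned above can be turned into an endpoint check. The following PowerShell script is an added example, not Trellix tooling: it enumerates running kernel drivers, hashes each driver image, checks its Authenticode signature, and flags any whose SHA256 appears in a locally maintained blocklist. The blocklist path and its one-hash-per-line format are assumptions; populate the file from the Microsoft Vulnerable Driver Blocklist or the LOL Drivers project data.

```powershell
# Added example (not from the Trellix report): flag running kernel drivers that
# are on a vulnerable-driver blocklist or lack a valid Authenticode signature.
# A valid signature alone is NOT a clean bill of health: the drivers abused in
# these attacks are legitimately signed, which is why the hash check comes first.

# Assumed location and format: one SHA256 hex digest per line, '#' comments allowed.
$BlocklistPath = 'C:\SecOps\vulnerable-driver-sha256.txt'

function Import-DriverBlocklist {
    param([string]$Path)
    $set = @{}
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Blocklist not found at $Path; only signature status will be reported."
        return $set
    }
    foreach ($line in Get-Content -LiteralPath $Path) {
        $h = ($line -replace '#.*$', '').Trim().ToUpperInvariant()
        if ($h -match '^[0-9A-F]{64}$') { $set[$h] = $true }
    }
    return $set
}

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName may be a plain path, '\??\C:\...' or
    # '\SystemRoot\...'; normalise all three to a filesystem path.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    return $p
}

function Get-SuspiciousDrivers {
    param([hashtable]$Blocklist)
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name        = $_.Name
                Path        = $path
                SHA256      = $hash
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                SigStatus   = $sig.Status
                Blocklisted = $Blocklist.ContainsKey($hash)
            }
        } |
        # Report blocklisted drivers first; unsigned or invalidly signed ones are
        # worth a look too, but a clean signature never clears a blocklisted hash.
        Where-Object { $_.Blocklisted -or $_.SigStatus -ne 'Valid' }
}

$blocklist = Import-DriverBlocklist -Path $BlocklistPath
Get-SuspiciousDrivers -Blocklist $blocklist | Format-Table -AutoSize
```

Run from an elevated prompt so every driver image is readable; a non-empty result is a lead for investigation, not proof of compromise, since some legitimate third-party drivers also ship with expired or unusual signatures.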