Kaspersky’s new report gives the corporate’s view on the superior persistent threats panorama for 2024. Existing APT methods will maintain getting used, and new ones will possible emerge, equivalent to the rise in AI utilization, hacktivism and concentrating on of good house tech. New botnets and rootkits can even possible seem, and hacker-for-hire companies would possibly improve, as will provide chain assaults, which could be supplied as a service on cybercriminals’ underground boards.
Jump to:
More exploitation of cellular units and good house tech
Operation Triangulation, as uncovered prior to now yr, revealed a really refined cyberespionage marketing campaign principally operated by concentrating on iOS units and leveraging 5 vulnerabilities — together with 4 zero-day vulnerabilities.
Must-read safety protection
A exceptional attribute of these exploits is that they didn’t simply goal Apple smartphones, but additionally tablets, laptops, wearable units, Apple TV and Apple Watch units and could be used for eavesdropping.
Igor Kuznetsov, director, Global Research and Analysis Team at Kaspersky, instructed TechRepublic in a written interview: “Malware can indeed be used for eavesdropping. A recent example is the microphone-recording module in Operation Triangulation. Its features do not confine to the expected ones, such as how long to record for; it includes sophisticated functions like stopping recording when the device screen activates or stopping recording when system logs are captured.”
According to Kaspersky, APT attackers would possibly increase their surveillance efforts to incorporate extra good house know-how units, equivalent to good house cameras and related automobile programs. This is especially attention-grabbing for attackers as a result of these units are sometimes uncontrolled, not up to date or patched and topic to misconfigurations. This can be a priority as a result of extra individuals earn a living from home these days, and their firms could possibly be focused through weak factors within the house employee units.
New botnets will emerge
Botnets are usually extra prevalent in cybercrime actions in comparison with APT, but Kaspersky expects the latter to start out utilizing them extra.
The first cause is to deliver extra confusion for the protection. Attacks leveraging botnets would possibly “obscure the targeted nature of the attack behind seemingly widespread assaults,” in line with the researchers. In that case, defenders would possibly discover it more difficult to attribute the assault to a menace actor and would possibly consider they face a generic widespread assault.
The second cause is to masks the attackers’ infrastructure. The botnet can act as a community of proxies, but additionally as intermediate command and management servers.
Kaspersky mentions the ZuoRAT case that exploited small workplace / house workplace routers to contaminate the units with malware and expects to see new assaults of this type in 2024.
More kernel-level code shall be deployed
Microsoft elevated the Windows protections towards rootkits, these malicious items of code working code on the kernel-level, with plenty of safety measures equivalent to Kernel Mode Code Signing or the Secure Kernel structure, to call a number of.
From the attacker’s viewpoint, it grew to become tougher to run code at kernel-level however remained doable. Kaspersky has seen quite a few APT and cybercrime menace actors execute code within the kernel-mode of focused programs, regardless of all the brand new safety measures from Microsoft. Recent examples embrace the Netfilter rootkit, the FiveSys rootkit and the POORTRY malware.
Kaspersky believes three elements will empower menace actors with the potential of working kernel-level code inside Windows working programs:
Extended validation certificates and stolen code-signing certificates shall be more and more unfold/bought on underground markets.
More abuse of developer accounts to get malicious code signed by means of Microsoft code-signing companies equivalent to Windows Hardware Compatibility Program.
An improve in BYOVD (Bring Your Own Vulnerable Driver) assaults in menace actors’ arsenals
More hacktivism tied to APTs
Kaspersky states that “it is hard to imagine any future conflict without hacktivist involvement,” which could be achieved in a number of methods. Running Distributed Denial of Service assaults has change into more and more widespread, together with false hack claims that result in pointless investigations for cybersecurity researchers and incident handlers.
Deepfakes and impersonation/disinformation instruments are additionally more and more utilized by menace actors.
In addition, damaging and disruptive operations could be achieved. The use of wipers in a number of present political conflicts or the disruption of energy in Ukraine are good examples of each sorts of operations.
Supply chain assaults as a service
Small and medium-sized companies usually lack strong safety towards APT assaults and are used as gateways for hackers to entry the info and infrastructure of their actual targets.
As a hanging instance, the info breach of Okta, an id administration firm, in 2022 and 2023, affected greater than 18,000 clients worldwide, who might doubtlessly be compromised later.
Kaspersky believes the availability chain assault pattern would possibly evolve in varied methods. For starters, open supply software program could possibly be compromised by goal organizations. Then, underground marketplaces would possibly introduce new choices equivalent to full entry packages offering entry to varied software program distributors or IT service suppliers, providing actual provide chain assaults as a service.
More teams within the hack-for-hire enterprise
Kaspersky expects to see extra teams working the identical method as DeathStalker, an notorious menace actor who targets legislation corporations and monetary firms, offering hacking companies and appearing as an info dealer moderately than working as a conventional APT menace actor, in line with the researchers.
Some APT teams are anticipated to leverage hack-for-hire companies and increase their actions to promote such companies as a result of it could be a approach to generate earnings to maintain all their cyberespionage actions.
Kuznetsov instructed TechRepublic that, “We’ve seen APT actors target developers, for example, during the Winnti attacks on gaming companies. This hacking group is notorious for precise attacks on global private companies, particularly in gaming. Their main objective is to steal source codes for online gaming projects and digital certificates of legitimate software vendors. While it’s speculative at this point, there should not be any hinders for such threat actors from expanding their services if there is a market demand.”
Increase in AI use for spearphishing
The international improve in utilizing chatbots and generative AI instruments has been helpful in lots of sectors during the last yr. Cybercriminals and APT menace actors have began utilizing generative AI of their actions, with massive language fashions explicitly designed for malicious functions. These generative AI instruments lack the moral constraints and content material restrictions inherent in genuine AI implementations.
Cybercriminals discovered that such instruments facilitate the mass manufacturing of spearphishing e-mail content material, which is usually used because the preliminary vector of an infection when concentrating on organizations. The messages written by the instruments are extra persuasive and well-written when in comparison with those written by cybercriminals. It may additionally mimic the writing model of particular people.
Kaspersky expects attackers to develop new strategies for automating cyberespionage. One technique could possibly be to automate the gathering of data associated to victims in each side of their on-line presence: social media, web sites and extra, so long as it pertains to the victims’ id.
MFT programs concentrating on will develop
Managed File Transfer programs have change into necessary for a lot of organizations to securely switch information, together with mental property or monetary information.
In 2023, assaults on MOVEit and GoAnywhere revealed that ransomware actors have been significantly serious about concentrating on these programs, however different menace actors could be as serious about compromising MFTs.
As talked about by Kaspersky, “the intricate architecture of MFT systems, coupled with their integration into broader business networks, potentially harbors security weaknesses that are ripe for exploitation. As cyber-adversaries continue to hone their skills, the exploitation of vulnerabilities within MFT systems is anticipated to become a more pronounced threat vector.”
How to guard from these APT threats
To defend towards APT assaults, it’s crucial to guard private and company units and programs.
In a company atmosphere, utilizing options equivalent to prolonged detection and response, safety info and occasion administration and cellular system administration programs tremendously helps detect threats, centralize information, speed up evaluation and correlate safety occasions from varied sources.
Implementing strict entry controls is extremely advisable. The precept of least privilege ought to all the time be in use for any useful resource. Multifactor authentication must be deployed wherever doable.
Network segmentation would possibly restrict an attacker’s exploration of compromised networks. Critical programs specifically must be completely remoted from the remainder of the company community.
Organizations ought to have an updated incident response plan that can assist in case of an APT assault. The plan ought to include steps to take, in addition to a listing of individuals and companies to succeed in in case of emergency. This plan must be recurrently examined by conducting assault simulations.
DOWNLOAD this Incident Response Policy from TechRepublic Premium
Regular audits and assessments should be performed to determine potential vulnerabilities and weaknesses within the company infrastructure. Unnecessary or unknown units discovered inside the infrastructure must be disabled to cut back the assault floor.
IT groups ought to have entry to Cyber Threat Intelligence feeds that include the newest APT ways, methods and procedures but additionally the newest Indicators of Compromise. Those must be run towards the company atmosphere to continually examine that there is no such thing as a signal of compromise from an APT menace actor.
Collaboration with business friends can be advisable to reinforce collective protection towards APTs and trade greatest practices and ideas.
All programs and units should be updated and patched to keep away from being compromised by a typical vulnerability.
Users should be educated to detect cyberattacks, significantly spearphishing. They additionally want a straightforward approach to report suspected fraud to the IT division, equivalent to a clickable button of their e-mail consumer or of their browser.
Disclosure: I work for Trend Micro, however the views expressed on this article are mine.