Key Points
- Phishing was observed in 37% of customer incidents in the reporting period from May 1 to July 31, 2024, demonstrating threat actors’ desire to gain access to organizations’ networks.
- Used to support initial access efforts, exposed credentials pose a significant threat to businesses, accounting for 88.75% of customer alerts during the reporting period.
- The “SocGholish” remote access trojan (RAT) was the most prevalent malware in critical customer incidents, appearing in 23.4% of those incidents in the reporting period.
- By implementing relevant ReliaQuest Automated Respond Plays (ARPs), organizations can improve their Mean Time to Contain (MTTC) for the threats outlined in this report.
Between May 1 and July 31, 2024 (“the reporting period”), ReliaQuest analyzed customer incident data and insights posted on cybercriminal forums to determine the most common MITRE ATT&CK tactics, techniques, and procedures (TTPs) and to collect additional intelligence and context. We also explored the most observed malware and indicators of compromise (IOCs) in those incidents, the most prevalent GreyMatter Digital Risk Protection (GMDRP) alerts, and trends discussed on the dark web.
The cyber threats highlighted in this report can affect any organization, regardless of sector or region. However, the final section focuses on sectors and regions that have been disproportionately targeted by ransomware campaigns. By proactively implementing the practical recommendations provided, including pertinent ReliaQuest detection rules and ARPs, organizations can stay ahead of the described threats.
Top MITRE ATT&CK Techniques
Below, we analyze verified true-positive customer incidents using the MITRE ATT&CK framework to identify common adversary techniques and understand the current cyber threat landscape.
Top Techniques
Initial access methods—attempts by adversaries to gain a foothold in an organization’s network—were the most observed techniques in the reporting period. Combined, the techniques phishing (T1566) and phishing for information (T1598), which featured both malicious links and attachments, appeared in 37% of true-positive customer incidents in the reporting period. This marked a slight decrease from the same period in 2023; however, this is probably a natural deviation rather than indicative of an overall decline in phishing activity. The enduring dominance of phishing as an initial access technique underscores its effectiveness and persistence in the face of cybersecurity advancements and more sophisticated methodologies. Its success lies in its simplicity and its ability to exploit the weakest link in security systems: humans. Employees across many organizations are likely still failing to recognize phishing emails, allowing attackers to progress their attacks in this way.
Despite phishing’s simplicity, there are many ways for threat actors to streamline and tailor their phishing attacks for ultimate effectiveness. One method adversaries use to increase their chances of a successful attack is internal spearphishing (T1534) (appearing in 7.5% of customer incidents). Internal spearphishing was the most observed lateral movement technique in the reporting period, but its use declined marginally from the same period in 2023. As before, the decline is more likely a result of natural variation rather than a true decrease in phishing activity. In internal spearphishing, which occurs after gaining access to a compromised legitimate user account, attackers use an internal, trusted email account to send emails with malicious links or attachments or to spread malicious content over internal chat applications, like Microsoft Teams or Slack.
An email originating from an internal account is less likely to be caught by email filtering rules than those coming from impersonating domains. Other users within the network are also more likely to interact with an email sent by an internal user account than those coming from external parties, something attackers conducting business email compromise (BEC) capitalize on. Both factors increase the attacker’s chances of successfully compromising more accounts across the network. Internal spearphishing attacks also often target users with high privilege levels, allowing attackers to escalate their privileges and gain greater control over a network to action their objectives.
Top Sub-Techniques
Only two of the top ten sub-techniques we observed did not relate to initial access: Malicious File (T1204.002) and Email Hiding Rules (T1564.008). However, these were both intrinsically linked with phishing campaigns. It is realistically possible that our data is biased towards initial access techniques as we can detect and stop customer incidents early in the kill chain by using GreyMatter Detect and ARPs.
We observed adversaries creating rules that hide or delete inbound emails in a compromised user’s mailbox. This prevents the mailbox owner from seeing replies to emails they did not send and keeps security products from flagging the suspicious activity, enabling an attacker to remain undetected in the network for longer.
Figure 1: Top MITRE sub-techniques in true-positive incidents, shown as a percentage of overall incident count, May 1–July 31, 2024
The top execution sub-technique observed in the reporting period was the introduction of malicious files to a target network. Malicious files are often deployed immediately after initial access, and adversaries rely on users opening these files to execute malicious code. Once the malicious code is executed on the compromised device, attackers can deploy additional payloads to control or encrypt the network and/or exfiltrate sensitive data.
- Case Study: In July 2024, the “Malicious Email Outlook Rule Created via API/Portal” detection rule fired in a ReliaQuest customer’s environment. An Outlook rule had been created on a user’s account to move all content to a folder named RSS Feeds, which was likely created to obfuscate an outbound phishing campaign and avoid detection. The threat actor created a OneNote document containing malicious domains hosting credential harvesters and enumerated the user’s SharePoint, likely in search of sensitive data. Probably with the aim of exfiltrating stolen data and credentials, the threat actor then altered the OneNote document to provide external access. By running the GreyMatter Respond Plays “Terminate Active Sessions” and “Reset Passwords,” ReliaQuest quickly restored the user’s account, preventing further data exfiltration. We also recommended blocking all domains contained within the OneNote document. Without the quick action taken, the attacker could have stolen more information from the customer and compromised more accounts on the network.
Successful phishing campaigns have far-reaching consequences for businesses. Phishing emails often serve as a delivery mechanism for malware and ransomware, or they can convince employees to transfer funds illicitly, both of which can result in financial losses for businesses. Access stemming from phishing often results in threat actors accessing sensitive information, and such public breaches can result in hefty fines from regulatory bodies and a reduction in consumer trust. If phishing leads to the compromise or takeover of critical systems or highly privileged accounts, this can lead to operational downtime, which in turn has financial implications and therefore requires a rapid response.
Recommendations
Preventing phishing emails from reaching a user’s inbox and empowering employees to spot and report phishing emails is key to avoiding the consequences listed above. To defend against internal spearphishing, businesses should monitor user behavior and set up automated alerts for activity that is unusual for that user, such as new email rules and logins from unfamiliar locations or at irregular times. Knowing a user’s standard behavior makes identifying suspicious activity easier, thereby preventing attackers persisting within a network and conducting malicious activity.
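The monitoring described above, alerting on newly created email rules that hide mail, can be scripted against the Exchange Online audit trail. The following is an added example and not ReliaQuest code or a GreyMatter detection rule: it scores `New-InboxRule`/`Set-InboxRule` audit records by hiding actions (delete, mark as read, move to a rarely read folder such as the RSS Feeds folder from the case study), by suspicious keyword conditions, and by the absence of any condition. The records are constructed to resemble Unified Audit Log entries; their values, the folder list, the keyword list and the threshold are assumptions to be tuned per environment.

```python
"""Flag suspicious Outlook inbox rules in Microsoft 365 audit records (added example)."""
import json

# Folders that rarely receive mail legitimately but are popular hiding places (assumed list).
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                      "junk email", "deleted items", "archive"}
# Rule actions that hide a message from the mailbox owner.
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead", "MoveToFolder",
                  "SoftDeleteMessage", "StopProcessingRules"}
# Words in rule conditions that suggest the attacker is hiding replies or warnings (assumed list).
SUSPICIOUS_KEYWORDS = {"phish", "hack", "suspicious", "password", "invoice", "security", "fraud"}
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords", "From")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Constructed sample records laid out like Unified Audit Log entries (values are invented).
SAMPLE_RECORDS = json.loads("""[
 {"UserId": "alice@example.com", "Operation": "New-InboxRule", "Parameters": [
   {"Name": "Name", "Value": "."}, {"Name": "MoveToFolder", "Value": "RSS Feeds"},
   {"Name": "MarkAsRead", "Value": "True"}]},
 {"UserId": "bob@example.com", "Operation": "New-InboxRule", "Parameters": [
   {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"},
   {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}]},
 {"UserId": "carol@example.com", "Operation": "Set-InboxRule", "Parameters": [
   {"Name": "Name", "Value": "Cleanup"}, {"Name": "DeleteMessage", "Value": "True"},
   {"Name": "SubjectOrBodyContainsWords", "Value": "password reset;suspicious sign-in"}]},
 {"UserId": "dave@example.com", "Operation": "MailItemsAccessed", "Parameters": []}
]""")


def _params(record):
    """Turn the audit record's Parameters list into a {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def score_rule(record):
    """Return (score, reasons) for one audit record; score 0 means not a rule change."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    params = _params(record)
    score, reasons = 0, []
    for action in sorted(HIDING_ACTIONS):
        # Boolean parameters arrive as the string "True"; MoveToFolder carries the folder name.
        if action in params and (action == "MoveToFolder" or str(params[action]).lower() == "true"):
            score += 2
            reasons.append(f"hiding action {action}")
    if str(params.get("MoveToFolder", "")).lower() in SUSPICIOUS_FOLDERS:
        score += 3
        reasons.append(f"moves mail to '{params['MoveToFolder']}'")
    conditions = " ".join(str(params.get(k, "")) for k in CONDITION_PARAMS).lower()
    hits = sorted(w for w in SUSPICIOUS_KEYWORDS if w in conditions)
    if hits:
        score += 2
        reasons.append("keyword condition: " + ", ".join(hits))
    if not any(k in params for k in CONDITION_PARAMS):
        # A rule with no condition at all acts on every inbound message.
        score += 1
        reasons.append("no condition (applies to all mail)")
    return score, reasons


def find_suspicious_rules(records, threshold=4):
    """Return [(user, rule name, score, reasons)] for records scoring at or above threshold."""
    findings = []
    for rec in records:
        score, reasons = score_rule(rec)
        if score >= threshold:
            findings.append((rec.get("UserId"), _params(rec).get("Name"), score, reasons))
    return findings


if __name__ == "__main__":
    for user, name, score, reasons in find_suspicious_rules(SAMPLE_RECORDS):
        print(f"{user}: rule '{name}' score {score}: {'; '.join(reasons)}")
```

The scoring is deliberately additive so that a single benign move-to-folder rule (the newsletter rule above) stays below the threshold, while the case-study pattern of an unconditional rule moving everything to RSS Feeds scores well above it. A finding on a user account is a natural trigger point for the session-termination and password-reset plays discussed in the Recommendations.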
For the fastest remediation, GreyMatter ARPs can be enabled to contain threats automatically. Enabling ARPs will significantly improve your MTTC, ensuring threats are remediated promptly, and the potential for damage and ongoing compromise is limited. Enabling the automated “Terminate Active Sessions” and “Reset Password” plays will ensure that any sessions hijacked by an attacker will be terminated and any compromised user credentials will be rotated to prevent further compromise. These respond plays were two of the most used ARPs within our customer base during the reporting period, demonstrating their effectiveness in preventing phishing attackers from progressing within a network. Organizations can also consider automating the “Disable User” respond play, provided critical business processes will not be affected, to stop re-compromise if credentials cannot be rotated. By enabling ARPs, phishing threats can be contained quicker than when a manual response is employed.
Top Malware
To identify the top malware variants affecting our customer base, we analyzed a select group of true-positive customer incidents that had the potential to result in data breaches or theft (e.g., incidents that involved extortion, espionage, custom malware, hands-on-keyboard operations, or commodity threat), categorized as “critical security incidents.”
Figure 2: Top malware observed in critical security incidents, May 1–July 31, 2024
SocGholish
SocGholish (aka “FakeUpdates”) is a RAT that disguises itself as a fake browser update, deceiving users into downloading and executing the update. Adversaries target high-ranking websites to inject SocGholish, making these infected sites appear trustworthy in search results. As a result, users are less likely to suspect malicious intent when prompted with the fake update. SocGholish has been the most frequently observed malware in critical customer incidents throughout 2023 and remains the most prevalent into 2024. The malware held the top spot within the reporting period and was observed in 74% of all incidents involving malware loaders in the first half of 2024. It poses a significant risk if it infiltrates an organization’s network, potentially leading to data breaches and operational disruptions. SocGholish is operated by the initial access broker (IAB) “Mustard Tempest” (aka “DEV-0206” and “Purple Vallhund”). Once the malware successfully compromises a host, Mustard Tempest is known to sell this access to other threat actors, who conduct high-impact follow-on attacks, such as deploying ransomware to conduct extortion.
SocGholish primarily targets North America and Europe, predominantly the US, Canada, France, Spain, and the UK. It also primarily targets the government, healthcare, education, and financial services sectors; however, SocGholish should be considered a significant threat by all businesses globally. To protect against SocGholish, we recommend that organizations implement a group policy to force JavaScript files to open in Notepad, which will prevent the execution of SocGholish when distributed as a .js file. Organizations can also apply application control to restrict the tools SocGholish needs to execute and establish persistence, such as PowerShell and Python.
- Case Study: In July 2024, we responded to a customer incident involving the delivery of a suspicious email using a lure based on the upcoming US election. The email originated from a legitimate domain, which redirected to another legitimate, but compromised, domain. The second domain was known for dropping SocGholish after pretending to be a fake update for Chrome. The customer in this incident did not have Respond Plays enabled; as such, we could only make recommendations to contain the activity. Since malware was suspected, we recommended running the ARPs “Isolate Host” and “Block IOCs,” as well as running “Terminate Active Sessions” and “Reset Password” as a precaution. The compromised domain seen in this incident was also featured in 15 more true-positive customer incidents in July 2024, demonstrating the ubiquity of active campaigns that deploy SocGholish.
To best defend against the methods SocGholish uses, ReliaQuest offers its customers detection rules. Implementing these rules will allow defenders to identify suspicious activity and unauthorized software that violate policy obligations. These rules need to be calibrated to each organization’s environment to attain a higher level of fidelity and reduce false positives. In addition, we provide containment and respond plays for each detection rule. These automated or customer-triggered plays can be executed to mitigate threats when they are enabled.
Top GMDRP Alerts
Figure 3: Top GMDRP alerts for customers, represented as a percentage of all GMDRP alerts, May 1–July 31, 2024
ReliaQuest’s GMDRP capability continually monitors open-, deep-, and dark-web sources to generate alerts about external threats. The alerts are divided into risk types and are presented alongside accompanying content and intelligence. This information allows security operations teams to make informed decisions about threats to their environments.
There has been a marked increase in “Credential Exposure” GMDRP alerts since the same period in 2023 (88.75% in 2024 vs. 59.91% in 2023, of all GMDRP alerts). This alert type refers to email and password pairs that are often leaked as part of publicly exposed data leaks or advertised for sale on cybercriminal platforms. Sensitive credentials can also be leaked accidentally through misconfigured files and storage systems. The second-most observed GMDRP alert type, “Impersonating Domain,” appears in significantly fewer customer alerts in the reporting period, which highlights the significant dominance of credential exposure as a threat to businesses.
Exposed credentials present a significant security risk to all businesses, regardless of sector, region, or technology. Leaked credentials are often used in credential-stuffing attacks, where attackers use automated tools to gain access to personal and corporate accounts of employees by using stolen credentials. This technique is prevalent and often proves effective in securing initial access.
Threat actors can misuse leaked credentials to access internal systems, databases, and customer accounts, leading to information theft, fraudulent account transactions, or manipulation of records. An attack using exposed credentials can ultimately result in financial losses, operational disruptions, and loss of consumer trust for all organizations. To mitigate the damage caused by exposed credentials, organizations should enable multifactor authentication (MFA) for all accounts, enforce conditional access policies, and activate the “Reset Password” ARP, compelling users to change their passwords upon next login.
Dark Web Insights
Throughout the reporting period, the topics discussed by threat actors on online cybercriminal forums lacked novelty yet highlighted their persistent drive to discover new methods to address enduring challenges. Cybercriminals most actively discussed leaked databases, exposed credentials, and information stealer logs, which are troves of stolen data. Often, cybercriminals will offer leaked data or stolen credentials for free to increase their reputation on the forum. These threat actors habitually collate data from previous breaches to make new data sets; the prevalence of unique, new data sets is low when compared to the activity levels in these subforums. For businesses, this means that old, leaked credentials still pose a threat if passwords are not changed, as cybercriminals are likely to recycle such details in new campaigns.
In the reporting period, multiple forum users advertised subscription services for information stealer logs, which demonstrates a business-like approach, guaranteeing new logs from regions like the US and European Union, and a minimum number of logs per month. These logs are typically shared via Telegram, reflecting a shift to this platform away from traditional criminal marketplaces. We also observed a forum user sharing an article describing how to abuse Microsoft’s WebView2 to steal credentials and cookies (see Figure 4); the method captures keystrokes and bypasses two-factor authentication by extracting cookies. This is one instance of a broader trend: threat actors are increasingly abusing legitimate tools to evade detection.
Figure 4: An XSS user shares an article titled “Attack using WebView2 application”
The popularity of these topics underscores the threat that exposed credentials and data pose to organizations. Criminals actively seek this data to support their initial access attempts or to use in future fraud activity. The use of a legitimate application, such as WebView2, to steal credentials heightens the risk further. This is particularly apparent for organizations that store vast amounts of customer credentials, such as retail or financial services entities, whose loss would substantially affect their reputations. By abusing legitimate tools, threat actors can hide their activity for longer, meaning more time in a network to steal or encrypt sensitive data without intervention. It is important for businesses to baseline the usual activity in their systems so that any unusual activity conducted by legitimate applications can be identified and remediated swiftly.
Vulnerabilities are also often discussed on cybercriminal forums, typically regarding how to exploit them. The active interest in vulnerabilities from forum users demonstrates that exploiting unpatched flaws remains a key initial access method for many cybercriminals. In the reporting period, forum users spent much time discussing CVE-2024-26229, a heap buffer overflow vulnerability in Windows CSC Service. Exploitation of this vulnerability could afford an attacker full system privileges. Many users reported receiving error codes when trying to exploit this flaw and engaged in conversations centered on sharing tips to bypass the errors. Forum users have also continued to discuss CVE-2024-21762 (an out-of-bounds write vulnerability in certain versions of Fortinet FortiOS), even though proof-of-concept (PoC) exploits were initially shared in March 2024. Additionally, users have expressed difficulty applying the exploits or building their own.
Many forum users are more interested in older, tried-and-tested vulnerabilities that are seemingly easier for them to exploit. However, some users still express difficulty exploiting these flaws. One user posted that they “decided to try to exploit vulnerability CVE-2020-9484” (see Figure 5, translated from Russian). CVE-2020-9484 is a remote code execution vulnerability in Apache Tomcat, for which PoCs have been released. The user goes on to say, “Tell me, if you know something/can help. Right now I’m just learning.” These discussions serve as an important reminder for businesses that patching older and easy-to-exploit vulnerabilities is just as important as, if not more important than, patching new flaws to prevent attackers from gaining access to networks in this way.
Figure 5: An XSS user seeks help exploiting a 2020 vulnerability
Forum users also widely discuss how to conduct successful heap-spraying attacks. These attacks involve an attacker sending malicious code to multiple public-facing hosts that are vulnerable to a code execution flaw, specifically targeting the heap, a section of memory that stores a program’s data. By “spraying” malicious code across multiple hosts, the attacker increases the chances of successfully exploiting the vulnerability, which would grant them remote access for further malicious actions. Most hosts would not be impacted by heap-spraying attacks because many security tools protect against them. However, initial access listings on cybercriminal forums suggest that most users target, or attempt to target, small businesses based on the likely lack of security controls on their public assets, and heap-spraying attacks are most likely to be successful against such entities.
It is realistically possible that the discussions we observed about vulnerabilities and heap-spraying attacks demonstrate a lack of sophistication when it comes to exploiting vulnerabilities for many cybercriminal forum users. Most of the discussions centered around users looking for help on how to execute attacks or exploit vulnerabilities, suggesting a lack of knowledge or technical capability amongst forum users. We often expect mass exploitation of new vulnerabilities to occur when new PoCs are published, since exploitation should be easier; however, based on the apparent lack of technical expertise demonstrated by these threat actors, it is likely that only more sophisticated threat actors—such as ransomware groups or nation-state-associated actors—have the capability to successfully exploit many flaws. Despite this, businesses should ensure that systems are kept up to date, giving particular attention to old and easy-to-exploit flaws, and that public-facing assets have security controls in place to prevent heap-spraying attacks.
Trending IOCs
Throughout the reporting period, we observed thousands of IOCs in our customer true-positive incidents. We excluded those relating to our customers’ networks, leaving us to analyze those that seemingly related to attacker infrastructure. By tracking attacker IOCs, ReliaQuest GreyMatter can use threat intelligence and our Artificial Intelligence model to provide recommendations on alerts triggered by malicious IOCs and take containment action on behalf of our customers, significantly improving their MTTC.
Domains
Threat actors frequently set up new infrastructure to use in attacks because it is cheap and easy. New infrastructure is also more likely to bypass threat detection tools as it won’t be linked to previous attack campaigns, posing a threat to businesses that rely on blocking based on reputation scores. Likewise, because new infrastructure is not linked to previous campaigns, it confounds attribution efforts, making it hard for businesses to track attackers via infrastructure alone. We recommend using behavior-based detections or running hunt packages to help detect attacks where IOCs are not linked to known threats.
Newly created domains accounted for 40% of all true-positive customer incidents in the reporting period, while older domains accounted for 60%.
The older domains used in the attacks we analyzed were typically compromised domains. Since they are legitimate infrastructure, they are likely to bypass threat detection tools, making this option attractive to attackers. Old domains were also used for software hosting services. Obscure software hosting sites are common places for attackers to hide malware, in the hope users will visit the site and download malicious content. It is recommended that businesses monitor traffic to such sites, focusing on keywords such as freeware or shareware.
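The two recommendations above, behavior-based detection for infrastructure that has no reputation history and monitoring traffic to software-hosting sites, can both be applied to proxy logs. The following added example (not ReliaQuest code) triages each destination by registrable domain age and by the keywords the report names. The proxy lines, the WHOIS creation dates and the 30-day "new domain" cutoff are constructed assumptions; in a real deployment the creation date would come from a locally cached WHOIS/RDAP lookup and the registrable domain from the Public Suffix List rather than the simple two-label rule used here.

```python
"""Triage proxy-log destinations by domain age and software-hosting keywords (added example)."""
import re
from datetime import date
from urllib.parse import urlparse

# Keywords from the report's recommendation; extend per environment.
SOFTWARE_HOSTING_KEYWORDS = ("freeware", "shareware")

# Constructed proxy lines (format and values invented for this example).
SAMPLE_LINES = [
    "2024-07-31T09:14:03Z user=jdoe src=10.1.2.3 url=https://corp-portal.example/login",
    "2024-07-31T09:20:41Z user=jdoe src=10.1.2.3 url=http://invoice-review-2024.example/doc.pdf",
    "2024-07-31T10:02:17Z user=asmith src=10.1.2.9 url=http://best-freeware-downloads.example/pdfmaker/setup.exe",
    "2024-07-31T10:05:55Z user=asmith src=10.1.2.9 url=http://cdn.updates-cdn.example/update.js",
    "this line is malformed and is skipped",
]
# Constructed WHOIS cache: registrable domain -> creation date (no entry means lookup failed).
WHOIS_CACHE = {
    "corp-portal.example": date(2019, 3, 4),
    "invoice-review-2024.example": date(2024, 7, 20),
    "best-freeware-downloads.example": date(2016, 5, 1),
}
TODAY = date(2024, 7, 31)

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) url=(?P<url>\S+)")


def registrable_domain(host):
    """Reduce a hostname to its last two labels (assumption: no multi-label public suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_line(line, whois_cache, today, new_days=30):
    """Return a finding dict for one proxy line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = urlparse(m["url"]).hostname or ""
    domain = registrable_domain(host)
    created = whois_cache.get(domain)
    age = (today - created).days if created else None
    flags = []
    if age is None:
        # Unknown age is itself worth a look: reputation-based tools have nothing to go on.
        flags.append("age-unknown")
    elif age <= new_days:
        flags.append(f"new-domain({age}d)")
    keywords = [k for k in SOFTWARE_HOSTING_KEYWORDS if k in m["url"].lower()]
    if keywords:
        flags.append("software-hosting:" + ",".join(keywords))
    return {"user": m["user"], "domain": domain, "age_days": age, "flags": flags}


def triage(lines, whois_cache, today, new_days=30):
    """Return only the findings that carry at least one flag."""
    results = (triage_line(line, whois_cache, today, new_days) for line in lines)
    return [r for r in results if r and r["flags"]]


def new_vs_old_share(lines, whois_cache, today, new_days=30):
    """Return (new, old) counts over destinations whose age is known."""
    new = old = 0
    for line in lines:
        r = triage_line(line, whois_cache, today, new_days)
        if r is None or r["age_days"] is None:
            continue
        if r["age_days"] <= new_days:
            new += 1
        else:
            old += 1
    return new, old


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES, WHOIS_CACHE, TODAY):
        print(f"{finding['user']} -> {finding['domain']}: {', '.join(finding['flags'])}")
    print("new vs old:", new_vs_old_share(SAMPLE_LINES, WHOIS_CACHE, TODAY))
```

Destinations with no flags (the corporate portal) drop out of the output, a failed WHOIS lookup is surfaced rather than silently treated as old, and the same pass yields the new-versus-old split the report quotes so the ratio can be tracked over time for a given environment.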
Malicious Files
Often, end-user phishing training focuses on emails that contain malicious links or attachments, so users are likely to spot those. However, in the customer true-positive incidents that we analyzed, the malicious files that attackers were attempting to deploy on customer networks were consistently disguised as PDF documents or online PDF generator tools. While malicious attachments can be blocked or quarantined by security tools to prevent execution within a network, these approaches do not address the risk of installing unverified tools, such as those used to create PDF files, on a device. Users should also be educated that installing such tools can lead to malware execution, which can have harmful effects for businesses, such as data theft, encryption, or account takeovers.
Additionally, most malicious files we observed during the reporting period did not have valid signatures. Organizations should consider implementing application control policies that only allow files with valid signatures to run, preventing unsigned files from executing on the network and conducting malicious activity.
IP Addresses
We observed two IP addresses in a total of 423 customer incidents during the reporting period: 185.195.232[.]153 and 185.248.85[.]51. Both resolve to European data centers that have likely been used by multiple attackers to hide their true origins. We also found that attacker-controlled IP addresses were mostly hosted in the US (28%), Russia (24%), and the Netherlands (12%). The Netherlands, in particular, is known for having many large data centers that can be abused by threat actors for malicious activity. Since the data centers are large, it is harder for those operating them to pinpoint and stop malicious activity.
We found that IP addresses that provide reconnaissance or brute-forcing functions do so exclusively. This means that businesses can confidently block traffic originating from such infrastructure, safe in the knowledge that business operations will not be affected. In terms of C2 servers connecting to customer networks, we most frequently observed infrastructure associated with the legitimate, but often abused, penetration-testing tool Cobalt Strike (50% of all customer true-positive incidents) and the Sliver C2 framework (25%). Both tools combine advanced capabilities with flexibility, making them powerful tools in a threat actor’s arsenal. Their effectiveness at evading detection and maintaining control over compromised systems is why we see these tools favored by adversaries in their attacks.
To remediate malicious IP addresses, it is recommended that ReliaQuest customers run the “Block IP” respond play. This ARP allows customers to automatically block an IP address across all their networks in response to a positive detection. The ARP can also be used to automatically block requests originating from hosts on IP addresses that have previously been associated with malicious activity. By blocking a malicious IP address, threat actors will be unable to connect to a targeted network, preventing malicious activity occurring or developing. The “Block IP” respond play was the top ARP run by ReliaQuest customers in the reporting period, demonstrating the effectiveness of the respond play in handling malicious threats. We have observed the implementation of ARPs considerably boosts customer MTTCs, ensuring quick threat resolution and reducing the potential for extended damage and continued compromise.
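The observation above that reconnaissance and brute-forcing sources can be blocked with confidence, together with the earlier point that leaked credentials are replayed in credential-stuffing attacks, suggests a simple source-classification step before a block action. The following added example (not ReliaQuest code or the "Block IP" play itself) reads authentication log lines, separates brute force (many failures against one account from one source) from credential stuffing (one or two attempts each against many accounts from one source), and returns both a block list and the accounts that succeeded from a classified source, which are the accounts to reset. The log format, the 10-minute window, the threshold of 5 and the success/failure mix are constructed assumptions; the two source addresses are the ones named in the report.

```python
"""Classify authentication sources as brute force or credential stuffing (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

AUTH_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _constructed_log():
    """Build sample log lines (constructed for this example, not real customer data)."""
    base = datetime(2024, 6, 3, 2, 11, 0)
    lines = []
    # Eight failures against one service account in four minutes: brute force.
    for i in range(8):
        lines.append(f"{base + timedelta(seconds=30 * i):{TS_FMT}} ip=185.195.232.153 user=svc-backup result=FAIL")
    # One attempt each against six accounts; the sixth leaked pair still works: credential stuffing.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        result = "OK" if user == "frank" else "FAIL"
        lines.append(f"{base + timedelta(seconds=20 * i):{TS_FMT}} ip=185.248.85.51 user={user} result={result}")
    # An internal user mistyping a password twice, then logging in: normal.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{base + timedelta(seconds=60 * i):{TS_FMT}} ip=10.0.0.25 user=alice result={result}")
    return lines


SAMPLE_AUTH_LOG = _constructed_log()


def parse(lines):
    """Return (timestamp, ip, user, result) tuples sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"], m["result"]))
    return sorted(events)


def classify_sources(lines, window=timedelta(minutes=10), threshold=5):
    """Return {ip: {verdict, failures, distinct_users, compromised}} for every source IP."""
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        peak_users = peak_single_user = 0
        for i, (ts, _, _, _) in enumerate(fails):
            # Sliding window ending at this failure.
            recent = [e for e in fails[: i + 1] if ts - e[0] <= window]
            per_user = Counter(e[2] for e in recent)
            peak_users = max(peak_users, len(per_user))
            peak_single_user = max(peak_single_user, max(per_user.values()))
        if peak_single_user >= threshold:
            verdict = "brute-force"
        elif peak_users >= threshold:
            verdict = "credential-stuffing"
        else:
            verdict = "normal"
        # A success from a classified source means a working credential: reset that account.
        compromised = sorted({e[2] for e in evs if e[3] == "OK"}) if verdict != "normal" else []
        report[ip] = {"verdict": verdict, "failures": len(fails),
                      "distinct_users": len({e[2] for e in fails}), "compromised": compromised}
    return report


def block_list(report):
    """Source IPs whose verdict is anything other than normal."""
    return sorted(ip for ip, r in report.items() if r["verdict"] != "normal")


if __name__ == "__main__":
    rep = classify_sources(SAMPLE_AUTH_LOG)
    for ip, r in rep.items():
        print(ip, r)
    print("block:", block_list(rep))
```

The stuffing case is the one a per-account lockout policy misses: each account sees a single failure, so nothing trips, yet one source has touched six accounts in two minutes and has a working password for one of them. Feeding the block list to an IP-blocking play and the compromised list to a password-reset play covers both halves of the response the report describes.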
Ransomware Targeting Patterns
Although we recently reported a decline in ransomware activity in Q2 2024, likely due to an “ALPHV” exit scam and law enforcement’s takedown of “LockBit,” ransomware remains a global threat. The US is consistently the most targeted region, accounting for 48.6% of all businesses named to ransomware data-leak sites (slightly down from the 50.7% observed 12 months ago). Ransomware groups favor targeting US-based organizations due to their perceived ability to pay ransoms.
Figure 6: Number of organizations listed on ransomware data-leak sites, by sector, May 1–July 31, 2024 vs May 1–July 31, 2023
Ransomware groups disproportionately target the manufacturing and professional, scientific, and technical services (PSTS) sectors. To keep production running, many manufacturing organizations rely on outdated operational technology (OT) systems that were historically isolated from the internet and not systematically patched like IT systems are. As OT systems become increasingly interconnected with IT systems, they are vulnerable to exploitation by initial access brokers and ransomware groups. Ransomware groups view the manufacturing sector as more likely to pay a ransom because financial and reputation costs associated with disruptions to production and operational downtime could amount to more than the ransom amount.
The critical nature of data held by organizations in the PSTS sector makes it an attractive target for many threat actors, including ransomware groups. Such organizations often manage highly sensitive data, including proprietary research, patents, technical designs, and client information. Ransomware groups will likely leverage this knowledge to elicit ransoms from the PSTS sector so organizations can avoid data loss and unavailability, which can have severe operational and financial repercussions.
Mitigations
Top mitigations for ransomware include hardening remote desktop protocol (RDP) settings, restricting and monitoring PowerShell execution policies and usage, and regularly patching systems with a focus on addressing vulnerabilities. Additionally, applying a defense-in-depth strategy, with a focus on tracking threat actor TTPs, ensuring visibility across the environment, and implementing multiple security controls can help detect and prevent ransomware activity. By implementing appropriate security measures and ensuring comprehensive monitoring, organizations can detect and thwart the TTPs used by many ransomware groups. By implementing the ARPs mentioned in this report, such as “Isolate Host,” “Reset Password,” and “Disable User,” organizations can minimize or even prevent the impact of ransomware attacks, improving MTTC and safeguarding businesses from significant harm.