
Threats are always changing and growing as attackers attempt to launch more sophisticated and successful attacks, forcing cybersecurity professionals to constantly adapt and evolve to defend against these attacks. Security service provider Ontinue’s 2H 2024 Threat Intelligence Report shows a number of disturbing recent trends in emerging and developing attack vectors and tactics, from vishing to zero-day exploitation. Organizations must keep up with threat trends and evolve their cybersecurity posture to protect against the most pressing risks as the threat landscape shifts.
Ransomware's Rising Threat Despite Decreasing Payouts
Recent ransomware trends outlined in the report should raise concerns for many organizations. Ransom payments have dropped by 35%, indicating that more businesses are following the advice of industry leaders and experts on responding to ransomware, but ransomware attacks have gone up 132% in spite of this. The industry sectors most impacted by this surge in ransomware incidents include manufacturing, services, and healthcare. Taken together, these trends indicate a shift in tactics: cybercriminals are no longer launching these attacks simply to collect the ransom payment, and are instead focusing on double extortion, data destruction, and operational disruption.
As cybercriminals launch more complex ransomware attacks with impacts far beyond direct financial and data losses, it is crucial for organizations to update their ransomware prevention strategies. “Ultimately, this trend underscores the need for a multi-pronged approach to ransomware. It's not just about making it harder for attackers to succeed; it's about making the entire ecosystem less profitable for them,” says Casey Ellis, Founder at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity. Protecting against ransomware in this evolving landscape requires “better defenses, smarter incident response, and continued collaboration between governments, law enforcement, and the private sector.”
The Vishing Phenomenon: AI-Powered Social Engineering
The report shows that there has also been a dramatic 1633% increase in incidents of video phishing, or vishing, as technological advances make these attacks more convincing and easier to launch. These attacks are commonly staged through other techniques first. Ontinue cites the notable prominence of email bombing, where attackers overwhelm their targets with junk email to make their inboxes unusable, and then impersonate help desk personnel offering to fix the problem in order to gain remote access to systems. Vishing is also often preceded by malvertising, where targets are redirected from malicious ads to deceptive sites claiming that their devices are compromised.
Notable examples of vishing attacks include the 2020 attack, where bad actors deceived Twitter employees into providing them access to a number of high-profile Twitter accounts, and the 2024 near-miss deepfake attack against Ferrari. Both of these incidents demonstrate that in order to protect against vishing, employee security awareness and vigilance is of the utmost importance. Vishing, like any other kind of phishing or social engineering, relies on the attacker’s ability to exploit the human element.
“Organizations must have clear instructions on how information can be passed on and what information can and cannot be given over the phone or in other forms of communication,” according to Boris Cipot, Senior Security Engineer at Black Duck, a Burlington, Massachusetts-based provider of application security solutions. “Once this is established and understood within an organization, attackers are much less likely to pressure their target into giving them sensitive information based on a sense of urgency or the threat of being penalized.”
Increasing Exploitation of IoT and OT Systems
Another major part of the Ontinue report explores the fact that Internet of Things (IoT) and Operational Technology (OT) threats are on the rise. These environments are less monitored and protected than IT networks, and the increasing prevalence of shadow IT, remote and hybrid working, and bring-your-own-device (BYOD) arrangements introduces vulnerable technology that security teams often cannot monitor or defend. Common abuses of IoT and OT systems involve techniques such as command injection, remote code execution, and privilege escalation, used in attacks including distributed denial-of-service (DDoS) and unauthorized system manipulation.
Recent IoT and OT attacks in the news, such as the Matrix threat actor’s double-pronged attacks on cloud services and IoT devices, DDoS attacks leveraging old Mirai malware, and the recent resurgence of the threat group Volt Typhoon exploiting unpatchable vulnerabilities in end-of-life devices, have highlighted the need to protect these devices and systems. Best practices for securing them include achieving full visibility and maintaining an inventory of all IoT and OT assets, ensuring network segmentation, enforcing least privilege access, and implementing solutions to monitor for anomalous behavior and respond to potential incidents.
Adversary-in-the-Middle (AitM) Attacks and Authentication Vulnerabilities
AitM attacks enable threat actors to intercept communications between the target and a legitimate service, stealing data and impersonating each side of the interaction to the other. These attacks are becoming more sophisticated, with attackers continuously evolving their tactics in an effort to evade security measures. Some attackers have been seen abusing trusted Microsoft services like Quick Assist and Windows Hello in order to establish access and carry out AitM attacks without detection.
Enhancing authentication security can go a long way in defending against AitM attacks. This includes monitoring and auditing device registrations, enforcing strict access policies like multi-factor authentication and zero-trust principles, and revoking and removing compromised credentials and devices. Organizations are also encouraged to invest in applications and services with built-in security against these attacks and deploy tools that analyze traffic for anomalous activity that may indicate attackers impersonating legitimate services.
Malware Delivery via Browser Extensions and Malvertising
Malware trends noted in the report show an increase in threat actors exploiting browser extensions to stealthily reinfect targets with information-stealing malware upon importing browser profiles. Malware attackers have also used malicious ads to convince users to execute commands on their systems, often by deceiving them into believing that the action is a form of CAPTCHA verification or a necessary step to be rid of a purported threat detected on the device.
Protecting against malware delivery via these methods requires a robust combination of employee awareness and preventative measures to address both the underlying causes and the direct errors that enable these attacks. Employees should be taught threat indicators and best practices to avoid executing commands without question or unknowingly reimporting malicious code from browser data, and organizations should also implement solutions for detecting and blocking malicious code in advertisements or extensions.
Addressing the Zero-Day Exploitation Surge
There has also been a notable increase in threat activity exploiting zero-day vulnerabilities, especially in internet-facing services and edge network devices, as bad actors take advantage of new and unpatched flaws. Zero-day exploitation helps attackers evade traditional security measures, which are designed to close known security gaps and to detect and block known threats. The surge in exploitation of zero-day vulnerabilities highlights the importance of rapidly patching software as soon as security flaws are found and fixed.
Resilient cybersecurity infrastructure is necessary to avoid falling victim to an attack leveraging zero-day vulnerabilities. Security teams should establish strong patching procedures to quickly catch and fix zero-day vulnerabilities before threat actors can exploit them. It is also important to monitor traffic for anomalous activity, maintain visibility and documentation of all IT infrastructure, and create thorough incident response plans.
Conclusion
Proactive cybersecurity strategies are crucial for protecting against emerging and evolving threats. Traditional security solutions are not designed with the capability to respond to modern attack tactics and tools or the rapid evolution of the technology and threat landscapes. Recommendations for the current and ongoing security of organizations include maintaining strict access controls, ensuring employee security awareness, and deploying advanced tools for the detection and prevention of threats. As cybercriminals continue to adapt and evolve their methods for increased efficacy and efficiency of their attacks, it is vital for organizations to do the same with their defenses.