Red Canary
Founded Year: 2013
Stage: Option/Warrant - II | Alive
Total Raised: $129.92M
Last Raised: $7.43M | 9 mos ago
Mosaic Score
The Mosaic Score is an algorithm that measures the overall financial health and market potential of private companies.
-71 points in the past 30 days
About Red Canary
Red Canary focuses on cybersecurity, operating within the information technology and services industry. The company offers detection and response services, providing security for endpoints, cloud workloads, networks, identities, and SaaS applications. Its primary customers are organizations across various sectors that require robust cybersecurity solutions. It was founded in 2013 and is based in Denver, Colorado.
Research containing Red Canary
Get data-driven expert analysis from the CB Insights Intelligence Unit.
CB Insights Intelligence Analysts have mentioned Red Canary in 3 CB Insights research briefs, most recently on Mar 7, 2022.
Expert Collections containing Red Canary
Expert Collections are analyst-curated lists that highlight the companies you need to know in the most important technology spaces.
Red Canary is included in 1 Expert Collection, including Cybersecurity.
Cybersecurity
9,492 items
These companies protect organizations from digital threats.
Latest Red Canary News
Sep 20, 2024
20 September 2024, 12.36pm
Red Canary’s mid-year Threat Detection Report unveils shifts in top cyber-threats for 2024, with identity-based and web-native attacks leading the charge.
Cybersecurity firm Red Canary today released a major mid-year update to its annual Threat Detection Report, providing insight into how cybersecurity trends, threats, and adversary techniques evolved during the first six months of the year. The report confirms the central role of compromised identities in the attacker playbook, while underscoring the need for an operational approach to security to minimise exposure, detect threats faster, and reduce risk.
While most of the threats and techniques identified in the 2024 report remain consistent with the mid-year update, some notable shifts were revealed. Email Hiding Rule – a technique in which adversaries use a compromised account to set up rules to block, redirect, or mark certain emails as spam to cover their tracks – was a new entrant to the list. Notably, combined with Cloud Accounts and Email Forwarding Rule, this meant three of the top ten techniques related directly to identity and cloud-native attacks.
There were three notable shifts in the top ten threats in the past six months:
Atomic Stealer – an infostealer that targets credentials, payment card data, keychain details, and cryptocurrency wallet information on macOS devices – made a surprise entrance at number nine of the top ten threats.
Scarlet Goldfinch – an ‘activity cluster’ that uses fake browser updates to trick users into downloading a legitimate remote management and monitoring tool that can be abused to deploy malicious software – was another new entrant at number seven.
ChromeLoader – a malicious browser extension that reads and hijacks browser traffic to redirect it to specific sites, likely to conduct pay-per-click advertising fraud – rose from sixth place in 2023 to the number one slot.
Within the top ten threats, there was a continued trend away from email toward web-based delivery mechanisms, which accounted for six of those on the list. This indicates that efforts to lock down emails and make it more difficult for adversaries to insert malicious payloads into documents are continuing to pay off.
“While there are similarities with our previous list, it’s interesting to see ChromeLoader moving up the charts so dramatically, although this rise is due in part to improved detection capabilities for the threat.
“It might seem innocuous, but its broad ability to steal browser data and the potential for bad actors to re-task it for more malicious purposes make it particularly concerning,” said Brian Donohue, principal security specialist, Red Canary.
He added: “The fact that Atomic Stealer is in our top ten is also remarkable given the relatively low percentage of our sample formed by macOS devices. We’d strongly urge organisations with a significant macOS footprint to double down on user education around downloading software from untrusted sources.”
User identities are still the weak link in the chain
The report also provides analysis of emergent or otherwise interesting threats and techniques that security professionals should take note of, such as:
Adversary in the Middle (AitM) attacks: Adversaries frequently use AitM attacks to bypass multi-factor authentication (MFA). They create seemingly legitimate login pages to lure users into entering credentials and MFA codes, relaying the details in real time to gain access.
Token theft: There is a growing trend of adversaries stealing session tokens to access identities, after compromising a cloud service or account. This technique is of especially high risk in AWS environments, where adversaries extract security tokens that ultimately allow them to perform actions within the cloud tenant.
Permission sprawl: Organisations also need to be wary of permission sprawl, ensuring they maintain tight control of user privileges across different tools and systems. With thousands of users to manage, it is very easy to grant over-privileged access roles.
Application consent phishing: Adversaries often register malicious applications then trick users into granting them permissions that allow the bad actor to access other systems and data via the cloud.
“While identity compromise has always been a significant threat, our midyear update highlights it is becoming even more prevalent,” concludes Keith McCammon, chief security officer, Red Canary. “There are solutions that can fortify defenses against these threats, notably phishing-resistant multi-factor authentication, passwordless authentication, conditional access, and monitoring of behaviors and APIs. However, while some of these controls are broadly attainable, others can be expensive and operationally complex.
“This is why it’s essential to seek out not only technical solutions, but to build teams and seek out partners who can maximize their effectiveness, and deliver around-the-clock operational capabilities.”
Red Canary Frequently Asked Questions (FAQ)
When was Red Canary founded?
Red Canary was founded in 2013.
Where is Red Canary's headquarters?
Red Canary's headquarters is located at 1601 19th Street, Denver.
What is Red Canary's latest funding round?
Red Canary's latest funding round is Option/Warrant - II.
How much did Red Canary raise?
Red Canary raised a total of $129.92M.
Who are the investors of Red Canary?
Investors of Red Canary include Noro-Moseley Partners, Access Venture Partners, Summit Partners, Kyrus Tech and Service Provider Capital.
Who are Red Canary's competitors?
Competitors of Red Canary include Recorded Future, UnderDefense, BlueVoyant, Cyngular Security, Arctic Wolf Networks and 7 more.
Compare Red Canary to Competitors
Arctic Wolf Networks focuses on cybersecurity. The company offers a range of services including detection and response to advanced threats, risk management, cloud security posture management, and incident response. These services aim to protect against digital risks, harden environments against vulnerabilities, and enable quick recovery from cyber attacks. It was founded in 2012 and is based in Eden Prairie, Minnesota.
Cybereason specializes in cybersecurity solutions. It facilitates threat detection and response, ransomware protection, and proactive threat hunting, all designed to provide comprehensive protection against cyber attacks. Its primary customers are businesses and organizations across various sectors that require robust cybersecurity measures. It was founded in 2012 and is based in Boston, Massachusetts.
Vectra is a cybersecurity company specializing in AI-driven threat detection and response across hybrid and multi-cloud enterprise environments. The company offers a platform that provides integrated signals for extended detection and response (XDR), equipping security operations centers (SOCs) with real-time Attack Signal Intelligence to prioritize and respond to threats. Vectra's solutions cater to a diverse range of sectors including finance, healthcare, government, and more, with a focus on protecting critical infrastructure and managing risks associated with remote workforces and operational technology environments. Vectra was formerly known as TraceVector. It was founded in 2011 and is based in San Jose, California.
Expel operates as a security operations company and specializes in managed detection and response (MDR) within the cybersecurity industry. The company offers various services such as 24/7 monitoring, threat detection, incident response, and security infrastructure optimization. Expel was formerly known as The Concern. It was founded in 2016 and is based in Herndon, Virginia.
eSentire focuses on managed detection and response services in the cybersecurity industry. The company offers a range of services including exposure management services, managed detection and response, and digital forensics and incident response, all aimed at identifying security gaps, improving threat detection, and providing rapid response to cyber threats. It primarily serves various sectors including the insurance, construction, finance, legal, manufacturing, private equity, healthcare, and retail industries. It was founded in 2001 and is based in Waterloo, Canada.
Cyngular Security provides a threat-hunting, investigation, and response platform. The company's platform helps organizations actively prepare for and respond to cybersecurity incidents, ensuring cyber protection to minimize downtime. It provides users with insights about concrete threats to their cloud environment. The company was founded in 2021 and is based in Tel Aviv, Israel.