Written by John Fokker, Ernesto Fernández Provecho & Bevan Read at the Trellix Advanced Research Center
The region’s CISOs may feel like they have little to celebrate this New Year’s Eve. A burgeoning threat landscape; fewer technological and human resources; sprawling, unknowable infrastructure; and more sophisticated threats. Let’s take a closer look at the last challenge on that list. Attackers are agile and flexible. They have to be. When one avenue of infiltration is closed off, they pivot to another. This is the same in the longer term. New methods have arisen, sometimes because of the advent of some new technology, and other times because threat actors have figured out how to leverage an existing vector differently.
It is hard to keep track. There are a lot of sources CISOs must consult to keep abreast of dangerous developments. So, as we roll from 2023 into 2024, consider the following our New Year’s gift to you. Our experts have gathered three major developments in attack behaviour into a single spot in the hope this gives you an edge in the battles ahead.
Supply Chain Attacks Against Managed File Transfer Solutions
Managed file transfer (MFT) solutions, designed to securely exchange sensitive data between entities, inherently hold a treasure trove of confidential information. This ranges from intellectual property, customer data, financial records, and much more. MFT solutions play a critical role in modern business operations, with organizations relying heavily on them to facilitate seamless data sharing both internally and externally. Any disruption or compromise of these systems can lead to significant operational downtime, tarnished reputations, and financial losses. This makes them highly attractive targets for ransomware actors who are aware of how the potential impact enhances the potency of their extortion demands.
Furthermore, the complexity of MFT systems and their integration into the internal business network often creates security weaknesses and vulnerabilities that can be exploited by cybercriminals. Just in the last month, we saw the Cl0P group exploiting the GoAnywhere MFT solution and the MOVEit breach, turning one successful exploit into a major global software supply chain breach. In the next year, we expect these types of attacks only to increase, with participation from numerous threat actors. Organizations are strongly advised to thoroughly review their managed file transfer solution, implement DLP solutions and encrypt sensitive data to protect themselves.
Malware Threats are Becoming Polyglot
In recent years, there has been a noticeable rise in the utilization of programming languages like Golang, Nim, and Rust for the development of malicious software. While the volume is still low compared to other languages like C or C++, that is something we expect to change in the future.
Go’s simplicity and concurrency capabilities have made it a favourite for crafting lightweight and speedy malware. Nim’s focus on performance and expressiveness has rendered it useful for creating intricate malware. Meanwhile, Rust’s memory management features are attractive to ransomware groups and other threat actors concerned about the encryption efficiency of malware samples.
What adds to the complexity of this burgeoning space is the lack of comprehensive analysis tools for these languages. The relative newness of Nim and Rust means that established security tooling is less abundant compared to languages like C or Python. This scarcity of analysis tools poses a significant challenge for cybersecurity experts aiming to dissect and counteract malware written in these languages.
We’re already starting to observe an increase in Golang-based malware in recent months, and thus, predict that 2024 will see a notable surge in malware from these languages.
Even More Layers of Ransomware Extortion
As ransomware groups are primarily financially driven, it’s unsurprising to see them find new ways to extort their victims for more money and pressure them to pay the ransom. We are starting to see ransomware groups contact the clients of their victims as a new way to apply pressure and combat recent ransomware mitigations. This allows them to use the stolen data to extort not only the direct victim of their attack but also any clients of the victim whose information is contained in it.
Ransomware groups finding ways to leverage the media and public pressure onto their victims isn’t new. Back in 2022, one of Australia’s most significant health insurance companies suffered a data breach. In tandem with their ransom to the insurance company, the threat actors publicized much of the medical data — leading to pressure from the public and officials to pay the ransomware actors to take down the medical information. In addition, due to the tremendously private nature of the data being released, clients walked into the insurance company’s shopfronts and offered to pay for their details to be removed. In 2023, we observed a similar event: a ransomware group threatened to contact the clients of companies they had compromised, offering them the option to pay to remove their personal and private details from the exposed data.
As this additional form of extortion grows in popularity, it adds a 5th avenue for these attackers to ransom those affected. We expect to see a shift in the landscape where ransomware groups more often look to target entities that handle not only sensitive personal information, but intimate details that can be used to extort clients. It would not be surprising for the healthcare, social media, education, and SaaS industries to come further under fire in 2024 from these groups.
Ready Your Sword
Take heart. The road ahead is filled with peril, but knowledge is your sword. With it, you can sustain your SOC team and let them know what to look out for. Attackers should not be the only ones who adapt. We must do the same. Have a safe 2024.