Microsoft’s Digital Defense Report traces threat research across Microsoft’s software and intelligence ecosystem, providing in-depth reporting on one of the top technology providers in the world. The 2024 edition covers July of 2023 to June of 2024. Ascent’s Threat Intelligence Manager, Brandon Parsons, identifies three callouts for security teams:
- The 2.75 times increase in human operated ransomware
- Social engineering and identity compromise
- Exploiting public-facing applications or unpatched operating systems
1: 2.75x Increase in Human-Operated Ransomware-Linked Encounters
Although international law enforcement successfully disrupted LockBit’s Ransomware as a Service (RaaS) infrastructure and reputation, most of LockBit’s affiliates joined other ransomware groups and continue to conduct business as usual. The same could be said of several of BlackCat/ALPHV’s affiliates following that group’s exit scam.
Even though it’s not listed as a top 5 ransomware family in the MDDR 24 due to the covered time period, RansomHub RaaS is a group every organization should monitor closely. RansomHub RaaS attracted many former affiliates from both LockBit and BlackCat/ALPHV, and it has formed an alliance with Scattered Spider (aka “The Com,” Octo Tempest, Muddled Libra, UNC3944).
In just a short amount of time (February 24 to present), RansomHub RaaS rose to prominence across the ransomware underground and listed nearly 250 victims on its leak page. Ascent’s Cyber Threat Intelligence team has extensively recorded and tracked RansomHub’s activities since the group’s inception earlier this year.
2: The Most Prevalent Initial Access Techniques: Social Engineering & Identity Compromise
“The most prevalent initial access techniques continue to be social engineering—specifically email phishing, SMS phishing, and voice phishing—identity compromise, and exploiting vulnerabilities in public facing applications or unpatched operating systems (p. 27).”
Microsoft’s analysis is also consistent with nearly every security vendor who has published quarterly, mid-year, or annual reports throughout 2024. But what aren’t we seeing? I don’t think we connect the dots between alerts and eventual compromise.
Social engineering and identity compromise fuel the ransomware underground. In fact, threat actors have built an entire economy around selling compromised identities on the Dark Web. For example, imagine a scenario where compromised login credentials take a month to sell on the Dark Web. Once sold, the next attack could start with Valid Accounts (T1078) and end with the deployment of ransomware (T1486). This is exactly why Ascent’s cyber threat intelligence team is watching attack chains involving deployment of an information stealer (infostealer) of some sort—lately the Lumma InfoStealer. Safeguarding your user identities is essential, and it’s crucial to understand the consequences of failing to do so.
3: The Most Prevalent Initial Access Techniques: Exploiting Public Facing Applications or Unpatched Operating Systems
“Threat Actors continue to take advantage of newly identified common vulnerabilities and exposures (CVE) with Common Vulnerability Scoring System (CVSS) scores above 8 (p. 27).”
In 2023, threat actors frequently exploited vulnerabilities in public-facing applications (T1190) or external remote services (T1133) as initial access vectors. Almost all ransomware groups we monitor have demonstrated this capability, with some acting more swiftly than others. Nevertheless, specific criteria must be satisfied before raising the panic alarm.
At Ascent, our Security Operations Center (SOC) and Cyber Threat Intelligence teams evaluate new CVEs by applying the formula Asset X Vulnerability X Threat = Risk irrespective of its CVSS score. Products with a long history of exploitation also contribute to our considerations.
This is why it’s absolutely crucial for the security team to have an accurate and up-to-date understanding of their asset inventory. When we notice new vulnerabilities, we consider whether similar vulnerabilities—sometimes regardless of vendor—have been targeted, by which threat actors, and how. The latest example of the efficacy behind our formula was the recently disclosed Veeam Backup and Replication vulnerability tracked as CVE-2024-40711 (CVSS v3.1 9.8 / 10).
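The Asset X Vulnerability X Threat = Risk triage above, written out as an added example (not Ascent’s own tooling). The weights, the inventory, the second CVE and the placeholder CVE are constructed for illustration; only CVE-2024-40711 and its 9.8 score come from this post.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    product: str
    internet_facing: bool
    criticality: int  # 1 (low) .. 3 (high), taken from the asset inventory

@dataclass
class Vuln:
    cve: str
    product: str
    cvss: float
    poc_public: bool               # third-party technical PoC published
    exploited_in_wild: bool        # vendor / incident reports of exploitation
    product_exploit_history: bool  # product line has a track record of abuse

def asset_factor(inventory, vuln):
    """Exposure of affected assets; 0 when the product is not deployed at all."""
    affected = [a for a in inventory if a.product == vuln.product]
    if not affected:
        return 0
    return max(a.criticality + (2 if a.internet_facing else 0) for a in affected)

def vuln_factor(vuln):
    """CVSS is only one bucketed input, not the ranking by itself."""
    return 3 if vuln.cvss >= 9.0 else 2 if vuln.cvss >= 7.0 else 1

def threat_factor(vuln):
    """Evidence that threat actors are using, or are about to use, the bug."""
    return 1 + vuln.product_exploit_history + vuln.poc_public + 2 * vuln.exploited_in_wild

def risk(inventory, vuln):
    return asset_factor(inventory, vuln) * vuln_factor(vuln) * threat_factor(vuln)

def triage(inventory, vulns):
    """Patch order: highest risk first."""
    return [v.cve for v in sorted(vulns, key=lambda v: risk(inventory, v), reverse=True)]

# Constructed inventory and CVE records (assumed values, not real findings).
INVENTORY = [
    Asset("bkp01", "Veeam Backup and Replication", internet_facing=False, criticality=3),
    Asset("www01", "ExampleWeb", internet_facing=True, criticality=2),
]
VEEAM = Vuln("CVE-2024-40711", "Veeam Backup and Replication", 9.8, True, True, True)
WEBAPP = Vuln("CVE-0000-0002 (constructed)", "ExampleWeb", 7.5, False, True, False)
NOT_DEPLOYED = Vuln("CVE-0000-0001 (placeholder)", "NotDeployed", 10.0, True, True, True)

if __name__ == "__main__":
    print(triage(INVENTORY, [NOT_DEPLOYED, WEBAPP, VEEAM]))
```

A CVSS 10.0 bug in a product that is not in the inventory scores zero, while the 7.5 on the internet-facing host outranks it; that is the point of keeping the inventory accurate.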
Following its disclosure, our team issued an intelligence bulletin detailing this vulnerability alongside others contained in the security update. We also included analysis of how similar vulnerabilities have been exploited by threat actors and advised our customers to promptly apply the relevant security patch.
Not even a week after disclosure, WatchTowr Labs published a video detailing how they were able to attain remote code execution, but withheld the complete technical proof-of-concept (PoC), to demonstrate the severity of CVE-2024-40711. Soon after, Sophos highlighted threat actors leveraging compromised credentials and a known vulnerability in Veeam (CVE-2024-40711) to create an account and attempt to deploy ransomware.
Organizations must stay alert for technical proofs of concept detailing third-party exploitation. If the organization has to assume risk and apply patching at a later date, stay vigilant for both proof-of-concept publications and reports of exploitation. Threat actors watch for new vulnerabilities just like you do (or should be doing).
Ascent Cyber Threat Intelligence as a Service (CTIaaS)
Building a resilient organization requires reactive and proactive cybersecurity measures. Ascent’s Cyber Threat Intelligence as a Service provides customers with actionable, time-sensitive reporting on the threats most relevant to your business. Reach out to info@meetascent.com to meet with one of our experts today.