Kaspersky’s new report provides the company’s view on the advanced persistent threats landscape for 2024. Existing APT techniques will keep being used, and new ones will likely emerge, such as the increase in AI usage, hacktivism and targeting of smart home tech. New botnets and rootkits will also likely appear, and hacker-for-hire services might increase, as will supply chain attacks, which might be provided as a service on cybercriminals’ underground forums.
More exploitation of mobile devices and smart home tech
Operation Triangulation, exposed in the past year, revealed a very sophisticated cyberespionage campaign that mostly targeted iOS devices and leveraged five vulnerabilities — including four zero-day vulnerabilities.
A remarkable characteristic of those exploits is that they did not target only Apple smartphones: tablets, laptops, Apple TV and Apple Watch devices were also affected, and the implants could be used for eavesdropping.
Igor Kuznetsov, director, Global Research and Analysis Team at Kaspersky, told TechRepublic in a written interview: “Malware can indeed be used for eavesdropping. A recent example is the microphone-recording module in Operation Triangulation. Its features are not confined to the expected ones, such as how long to record for; it includes sophisticated functions like stopping recording when the device screen activates or stopping recording when system logs are captured.”
According to Kaspersky, APT attackers might expand their surveillance efforts to include more smart home technology, such as smart home cameras and connected car systems. Those devices are particularly interesting for attackers because they are often unmanaged, not updated or patched, and subject to misconfigurations. This is also a concern because more people work from home nowadays, and their companies could be targeted via weak points in home workers’ devices.
New botnets will emerge
Botnets are typically more prevalent in cybercrime activities compared to APT, yet Kaspersky expects the latter to start using them more.
The first reason is to bring more confusion for the defense. Attacks leveraging botnets might “obscure the targeted nature of the attack behind seemingly widespread assaults,” according to the researchers. In that case, defenders might find it more challenging to attribute the attack to a threat actor and might believe they face a generic widespread attack.
The second reason is to mask the attackers’ infrastructure. The botnet can act as a network of proxies, but also as intermediate command and control servers.
Kaspersky mentions the ZuoRAT case, in which small office/home office routers were exploited and infected with malware, and expects to see new attacks of this kind in 2024.
More kernel-level code will be deployed
Microsoft has increased Windows protections against rootkits, malicious code that runs at the kernel level, with a number of security measures such as Kernel Mode Code Signing and the Secure Kernel architecture, to name a few.
From the attacker’s point of view, running code at the kernel level became harder but remained possible. Kaspersky has seen numerous APT and cybercrime threat actors execute code in kernel mode on targeted systems despite all the new security measures from Microsoft. Recent examples include the Netfilter rootkit, the FiveSys rootkit and the POORTRY malware.
Kaspersky believes three factors will empower threat actors with the capability of running kernel-level code within Windows operating systems:
- Extended validation certificates and stolen code-signing certificates will be increasingly spread/sold on underground markets.
- More abuse of developer accounts to get malicious code signed through Microsoft code-signing services such as Windows Hardware Compatibility Program.
- An increase in BYOVD (Bring Your Own Vulnerable Driver) attacks in threat actors’ arsenals.
More hacktivism tied to APTs
Kaspersky states that “it is hard to imagine any future conflict without hacktivist involvement,” which can be done in several ways. Running Distributed Denial of Service attacks has become increasingly common, along with false hack claims that lead to unnecessary investigations for cybersecurity researchers and incident handlers.
Deepfakes and impersonation/disinformation tools are also increasingly used by threat actors.
In addition, destructive and disruptive operations can be carried out. The use of wipers in several current political conflicts and the disruption of power in Ukraine are good examples of each type of operation.
Supply chain attacks as a service
Small and medium-sized businesses often lack robust security against APT attacks and are used as gateways for hackers to access the data and infrastructure of their real targets.
As a striking example, the data breach of Okta, an identity management company, in 2022 and 2023, affected more than 18,000 customers worldwide, who could potentially be compromised later.
Kaspersky believes the supply chain attack trend might evolve in various ways. For starters, open source software used by target organizations could be compromised. Then, underground marketplaces might introduce new offerings such as full access packages providing access to various software vendors or IT service suppliers, offering real supply chain attacks as a service.
More groups in the hack-for-hire business
Kaspersky expects to see more groups working the same way as DeathStalker, an infamous threat actor who targets law firms and financial companies, providing hacking services and acting as an information broker rather than operating as a traditional APT threat actor, according to the researchers.
Some APT groups are expected to leverage hack-for-hire services and expand their activities to sell such services because it might be a way to generate income to sustain all their cyberespionage activities.
Kuznetsov told TechRepublic that, “We’ve seen APT actors target developers, for example, during the Winnti attacks on gaming companies. This hacking group is notorious for precise attacks on global private companies, particularly in gaming. Their main objective is to steal source code for online gaming projects and digital certificates of legitimate software vendors. While it’s speculative at this point, there should not be any hindrance to such threat actors expanding their services if there is a market demand.”
Increase in AI use for spearphishing
The global increase in using chatbots and generative AI tools has been beneficial in many sectors over the last year. Cybercriminals and APT threat actors have started using generative AI in their activities, with large language models explicitly designed for malicious purposes. These generative AI tools lack the ethical constraints and content restrictions inherent in authentic AI implementations.
Cybercriminals found out that such tools facilitate the mass production of spearphishing email content, which is often used as the initial infection vector when targeting organizations. The messages written by the tools are more persuasive and better written than the ones written by cybercriminals themselves. They might also mimic the writing style of specific individuals.
Kaspersky expects attackers to develop new methods for automating cyberespionage. One method could be to automate the collection of information related to victims in every aspect of their online presence: social media, websites and more, as long as it relates to the victims’ identity.
MFT systems targeting will grow
Managed File Transfer systems have become mandatory for many organizations to safely transfer data, including intellectual property or financial records.
As mentioned by Kaspersky, “the intricate architecture of MFT systems, coupled with their integration into broader business networks, potentially harbors security weaknesses that are ripe for exploitation. As cyber-adversaries continue to hone their skills, the exploitation of vulnerabilities within MFT systems is anticipated to become a more pronounced threat vector.”
How to protect against these APT threats
To protect against APT attacks, it is necessary to protect personal and corporate devices and systems.
In a corporate environment, using solutions such as extended detection and response, security information and event management and mobile device management systems greatly helps detect threats, centralize data, accelerate analysis and correlate security events from various sources.
Implementing strict access controls is highly recommended. The principle of least privilege should always be in use for any resource. Multifactor authentication should be deployed wherever possible.
Network segmentation might limit an attacker’s exploration of compromised networks. Critical systems in particular should be totally isolated from the rest of the corporate network.
Organizations should have an up to date incident response plan that will help in case of an APT attack. The plan should contain steps to take, as well as a list of people and services to reach in case of emergency. This plan should be regularly tested by conducting attack simulations.
Regular audits and assessments must be conducted to identify potential vulnerabilities and weaknesses in the corporate infrastructure. Unnecessary or unknown devices found within the infrastructure should be disabled to reduce the attack surface.
IT teams should have access to Cyber Threat Intelligence feeds that contain the latest APT tactics, techniques and procedures as well as the latest Indicators of Compromise. Those indicators should be run against the corporate environment continuously to check that there is no sign of compromise by an APT threat actor.
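As an added illustration of running an IoC feed against the environment (example code written for this article, not from Kaspersky or TechRepublic), the script below parses a small constructed feed of domains, IP ranges and SHA-256 hashes and sweeps constructed log lines for matches; all indicator values and log lines are hypothetical.

```python
import ipaddress
import re

# Constructed IoC feed in a simple "type,value,comment" CSV shape (hypothetical values).
IOC_FEED = "\n".join([
    "# type,value,comment",
    "domain,beacon.example-bad.test,C2 domain (constructed)",
    "ipv4,203.0.113.0/24,botnet proxy range (constructed)",
    "sha256," + "DEADBEEF" * 8 + ",dropper (constructed)",
])

# Constructed log lines in a generic "timestamp source key=value" shape.
SAMPLE_LOGS = [
    "2024-01-15T10:01:02Z dns client=10.0.0.8 query=telemetry.beacon.example-bad.test",
    "2024-01-15T10:01:05Z proxy client=10.0.0.8 dst=203.0.113.45:443 bytes=1204",
    "2024-01-15T10:02:00Z edr host=ws-12 file=svc.exe sha256=" + "deadbeef" * 8,
    "2024-01-15T10:03:00Z dns client=10.0.0.9 query=www.example.com",
]

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def load_feed(text):
    """Parse the feed into per-type lookup structures (CIDR ranges for IPv4)."""
    feed = {"domain": set(), "ipv4": [], "sha256": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, *_ = line.split(",")
        if kind == "domain":
            feed["domain"].add(value.lower().rstrip("."))
        elif kind == "ipv4":
            feed["ipv4"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "sha256":
            feed["sha256"].add(value.lower())
    return feed


def domain_hit(host, domains):
    """True if the host or any parent domain (but not a bare TLD) is in the feed."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def scan(lines, feed):
    """Return (line_number, ioc_type, matched_value) for every indicator seen."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            if h.lower() in feed["sha256"]:
                hits.append((n, "sha256", h.lower()))
        for ip in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 matched the loose regex
                continue
            if any(addr in net for net in feed["ipv4"]):
                hits.append((n, "ipv4", ip))
        for host in HOST_RE.findall(line):
            if domain_hit(host, feed["domain"]):
                hits.append((n, "domain", host.lower()))
    return hits
```

Subdomains of a listed domain and addresses inside a listed CIDR range are matched, which a plain string comparison against the feed would miss.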
Collaboration with industry peers is also recommended to enhance collective defense against APTs and exchange best practices and thoughts.
All systems and devices must be up to date and patched to avoid being compromised by a common vulnerability.
Users must be trained to detect cyberattacks, particularly spearphishing. They also need an easy way to report suspected fraud to the IT department, such as a clickable button in their email client or in their browser.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.