In Q1 2024, the number of incidents increased by 7% compared to the previous quarter. One of the most common consequences of successful cyberattacks was again the leak of confidential information—72% for individuals and 54% for organizations. Attackers more frequently used malware against individuals: the share of such incidents increased by 9% compared to the previous quarter, reaching 68%. In successful attacks on organizations, we see a reduction of 11% in the use of ransomware compared to the previous quarter (from 54% to 43%). Meanwhile, there was an increase in the use of remote access tools by attackers in attacks on both organizations (32%) and individuals (37%): an increase of 10% and 27% respectively compared to the previous quarter. Social engineering remains the most dangerous threat for individuals, accounting for 85% of such incidents, and one of the most popular attack vectors on organizations, accounting for 52%. There were again major leaks of personal user data, as well as mass attacks by groups exploiting vulnerabilities with the ultimate aim of delivering malware. To deliver malware to victims' devices, criminals also used legitimate IT project collaboration services and open repositories of software development packages.

High-profile vulnerabilities: zero-day attacks abound

In one third (34%) of successful attacks on organizations, attackers exploited vulnerabilities. According to data from Coalition, the number of CVEs in various software products could increase by 25% in 2024, reaching approximately 2,900 new vulnerabilities each month. Attackers actively exploited flaws in Ivanti Connect Secure (a solution providing employees, partners, and clients with access to corporate data and applications) and Ivanti Policy Secure products (a network access control solution). Specifically, there were two vulnerabilities: CVE-2023-46805 (high severity) and CVE-2024-21887 (critical severity). The first vulnerability allows attackers to bypass the authentication protocol, while the second allows the execution of arbitrary commands. Experts first recorded the use of these vulnerabilities in December 2023 and linked them to the UNC5221 group. After the public disclosure of these flaws, others joined this group in exploiting these vulnerabilities. This was noted by Ivanti, who reported a sharp increase in threat actor activity starting January 11, 2024. Analysts at Censys found 412 nodes (as of January 22) that were still compromised. The infected devices have a wide geographical spread: the USA, Germany, South Korea, China, and Japan. Given the widespread nature of the exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive in January, requiring all federal civilian executive branch (FCEB) agencies to address these vulnerabilities in Ivanti products. Interestingly, in February, the systems of this very agency were compromised due to the exploitation of these vulnerabilities.

The beginning of Q1 2024 was marked by a flood of zero-day vulnerabilities. There was widespread exploitation of vulnerabilities in the servers of ScreenConnect—software for remote management of computers and other devices. The vulnerabilities disclosed in February were assigned identifiers CVE-2024-1709 and CVE-2024-1708, and were rated 10 (critical) and 8.4 (high) on the CVSS scale, respectively. The first vulnerability allows attackers to remotely execute code on the system, while the second allows them to create an administrator account and subsequently gain access to internal company resources. The CISA has added CVE-2024-1709 to its catalog of known exploited vulnerabilities and ordered U.S. federal agencies to secure their servers by February 29. Ransomware operators quickly took note of the discovered ScreenConnect vulnerabilities. Sophos X-Ops analysts reported that attackers actively exploited these vulnerabilities, deploying ransomware created from the LockBit source code leaked in 2022. Исследователи Trend Micro researchers also reported that, following the disclosure, the known groups Black Basta and Bl00dy began actively exploiting the ScreenConnect vulnerabilities in their attacks. Alongside these groups, Trend Micro noted attackers using the modular malware XWorm, which possesses remote access capabilities and ransomware functions. The ScreenConnect vulnerabilities also caught the attention of APT groups. According to Kroll analysts, the Kimsuky group (also known as APT43) used CVE-2024-1709 and CVE-2024-1708 to subsequently infect target systems with a new malware variant called ToddlerShark.

In addition to the flaws in Ivanti and ScreenConnect solutions described above, here are some other vulnerabilities relevant for the first quarter of 2024:

• CVE-2023-48022. According to an Oligo report, attackers are exploiting a vulnerability in the popular open-source framework Ray, used for machine learning, scientific computing, and data processing. Researchers found that hundreds of publicly accessible Ray servers were compromised using CVE-2023-48022, allowing attackers to access sensitive information, including AI model source code, database credentials, and cloud environment access tokens.
• CVE-2023-48788.This widely exploited vulnerability is an SQL injection in FortiClient EMS software which allows the execution of arbitrary code or commands through specially crafted queries, thus providing initial access to an organization's corporate networks.
• CVE-2024-21893. This actively exploited vulnerability was disclosed on January 31st. It allows attackers to bypass authentication and access Ivanti gateways. Researchers from Orange Cyberdefense report that the vulnerability has been successfully exploited for subsequent deployment of the DSLog backdoor.
• CVE-2024-27198. This vulnerability, scoring 9.8 (critical) on the CVSS scale, affects multiple versions of TeamCity, allowing attackers to gain control of a vulnerable server with administrative rights. Trend Micro experts note, that after successful exploitation, attackers installed various malware: BianLian and Jasmin ransomware, the XMRig miner, and the SparkRAT remote access tool.

An extended list of the most popular vulnerabilities can be found in the monthly digest on our website.

Using products containing vulnerabilities can jeopardize any company. Companies should take responsibility for their security, closing vulnerabilities and promptly installing the latest updates. Attackers waste no time in taking advantage of flaws in popular solutions, especially if exploits are widely available. Such trending vulnerabilities are the most dangerous and require immediate fixing. We recommend establishing a vulnerability management process to promptly identify and address weaknesses in your organization's infrastructure.

Hidden threats in open source code

In Q1 2024, attackers again used open libraries and package managers to distribute malicious payloads.

Infected repository

According to an Apiiro study, starting in May 2023, over 100,000 fake repositories masquerading as popular projects were found the vast plains of GitHub. To carry out such an attack, attackers first clone a popular repository and then add malicious code, after which the repository is published on the platform. This results in thousands of projects with the same name as the original, but containing additional obfuscated (Obfuscation involves changing program code so that it becomes difficult to understand, while the program retains its functions) malicious code . GitHub automatically monitors and blocks suspicious repositories, but because there are so many of them, some infected copies manage to remain. A particularity of Github is that it allows multiple repositories with the same name. This enables attackers to promote their version of a popular project to unsuspecting developers on various forums and communities.

Malware in package managers

Attackers not only fork existing repositories but also create their own malicious libraries and publish them in package managers. Using PyPI (Python Package Index) and npm packages, criminals inject various malicious programs into their victims' devices. For example, in January, a malicious npm package was discovered that delivered remote access malware targeting Windows users. The ZIP file included AnyDesk remote desktop software along with a remote access trojan capable of collecting confidential information from the compromised device. In the same month, FortiGuard Labs reported malicious packages on PyPI from an author with the username WS, with uploads dating back to September 2023. The analyzed files were found to contain the WhiteSnake (The malware is distributed as malware-as-a-service and is aimed at stealing data from the browsers Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, and CentBrowser. It also collects data from Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!, CoreFTP, WinSCP, AzireVPN, WindscribeVPN, and various cryptocurrency wallets) info-stealer trojan targeting Windows users and a Python script designed to steal information from Linux devices. Attackers use this vector to deliver various types of malware: RATs, stealers, and even miners. The ultimate goal is to collect confidential information (such as credentials or payment card data) and take control of computer resources for cryptocurrency mining.

Since PyPI lacks strict controls, even a low-skilled attacker can upload and publish malicious code. Responsibility for the safety of packages lies with the users who download them. However, such a volume of incidents does not go unnoticed. For instance, PyPI restricted the registration of new users after a large-scale malicious campaign was identified by Checkmarx security researchers.

To avoid infection, we recommend developers use various package and source code analyzers, such as PT PyAnalysis.

Typosquatting

Typosquatting is an attack in which a malicious package mimics the name of a legitimate one, a sophisticated cybercriminal tactic. Typically, open-source ecosystems use unique project names, meaning attackers have to rely on developers and ordinary users making typos. Attackers create malicious versions of popular libraries with names similar to the originals. Imagine you want to install the Python library Colorama, which allows you to change text colors and styles in the terminal. However, due to a typo, you install not the original package but a malicious version, and instead of making cosmetic changes in the terminal, you infect your computer. Threat researchers at Imperva discovered just such a malicious package being distributed under the guise of a popular library. Over the past year, there have been several attempts to disguise the Colorama package using names like colarama, colourama, and colorama-api. End-user devices get infected with the Fade Stealer spyware. This malware targets Windows systems and is designed to steal confidential information from various web resources, including social networks and gaming sites. Stolen data may also include keystroke sequences, screenshots, and microphone recordings.

Such attacks remind us of the security threats lurking in open-source package repositories. This is exacerbated by the fact that legitimate services are used as a channel for malware distribution. The compromise of developers' devices can have serious consequences. For example, leaks of confidential data. Organizations should implement software supply chain security practices—a set of measures to ensure the security and integrity of all stages of product development.

AI in the arsenal of attackers: to believe or not to believe—that is the question

In Q3 2023, we observed a trend in the use of neural networks for malicious purposes. In Q1 2024, we are witnessing the continuation of this trend.

Fake leaks

In January, a user with the nickname Lean posted on a shadow forum claiming to have data on 48 million Europcar customers. However, the company itself stated that the information could have been generated. Based on the attached screenshots of the allegedly stolen data, KasadaIQ's threat analysis service determined that the attackers probably used a Python library called Faker, designed to generate test data.

Use of AI tools for mass attacks

Cybersecurity researchers at Secureworks have noticed an increase in the number of domains registered with keywords related to obituaries. To attract the attention of potential victims, scammers use AI-generated obituaries. The attackers aim to compromise site visitors' personal data, steal money under the guise of donations for non-existent causes, and infect devices with malware.

Deepfake faces

At the end of 2023 we noted the active use of deepfakes. Attackers used the technology not only to steal money and data but also as a propaganda tool amidst the complex geopolitical situation.

We also saw high-profile attacks in Q1 2024. In Hong Kong, criminals stole $25 million using deepfakes. Scammers sent an email to an employee inviting him to a video meeting with the CFO and other employees—but they were all fakes. During the meeting, the employee made transfers amounting to 200 million Hong Kong dollars. The victim reported the incident only a week later.

Such incidents remind us that neural networks, while bringing obvious benefits, can become a powerful weapon in the hands of attackers. To recognize a deepfake, pay attention to changes in the manner and sound of speech, and any strange or unnatural body and facial movements. If in doubt, contact the person through a different verified communication channel. This method is effective for both individuals and organizations.

Spies, move aside — RAT is coming

Spyware was a trend not only in Q4 but also in 2022–2023 in general. Since the beginning of 2024, the malware in criminals' arsenal has changed: attackers are increasingly using remote access tools (RATs) in their attacks. In Q1 2024, the share of incidents involving this type of malware increased compared to the previous quarter, both in successful attacks on organizations (32%) and on individuals (37%). At the same time, we note a 4% decrease in the use of spyware in attacks on organizations (down to 21%), as well as an 11% decrease in the use of banking trojans in attacks on individuals (down to 11%).

According to the ANY.RUN service, the number of detected RATs doubled compared to Q3 2023. RATs allow attackers to gain full control over a compromised system. Such malware can steal various types of confidential information and track victims' actions, such as keystrokes and screen activity. Additionally, RATs can serve as loaders to deliver additional malware to the compromised device.

The increased attacker interest in RATs can be explained by the fact that many of today's malware are modular, enabling them to combine the functions of spyware, downloaders, and even ransomware. Speaking of modularity, it's worth noting the Silver RAT malware, released by the Anonymous Arabic group. According to a report from Cyfirma, the program is written in C# and boasts a wide range of features, including keystroke logging, system restore point destruction, and even data encryption.

According to our data, in Q1 2024, the most popular RAT tools were Remcos, used in every fifth RAT attack (19%), Agent Tesla, which also has spyware functions, and Venom RAT (also known as AsyncRAT).

Agent Tesla is usually sent by attackers in phishing messages. In March of this year, the Trustwave SpiderLabs team reported the discovery of a phishing email disguised as a notification of bank payment. The archive contained a loader for subsequent deployment of Agent Tesla. In another attack, according to Forcepoint researchers, attackers disguised themselves as Booking.com, the accommodation booking service. The email asked the recipient to check the attached PDF file for a card statement. As soon as the user opened the link from the PDF file, the URL loaded obfuscated JavaScript code, calling a PowerShell script. The ultimate goal of the attack was to deploy Agent Tesla on the target system.

Specialists from the Positive Technologies Expert Security Center (PT ESC) also identified attacks by the TA558 group using a variety of malware, including Remcos and Agent Tesla. Notably, the attackers actively used the steganography technique — a method of hiding malicious code in an innocuous-looking file or image.

Additionally, RATs were widely spread in attacks on various organizations. For example, the Blind Eagle group used Ande Loader to subsequently deploy Remcos and njRAT. According to eSentire, phishing email attacks targeted Spanish-speaking users in the North American manufacturing industry. In another attack the companies received emails supposedly reporting a new order and containing a ZIP archive. When opened, a malicious file masquerading as a command list was launched. Ultimately, the Remcos RAT was deployed on the system.

The use of RATs is growing, but spyware shouldn't be dismissed either. Thus, experts from PT Expert Security Center discovered a series of attacks by the Lazy Koala group targeting government agencies in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. The main goal of the attacks was to steal credentials from various services on the computers of government employees.

Android devices in the crosshairs

Comparing Q1 2024 with Q4 2023, we note an 8% increase in the use of RATs for Android devices. Typically, attackers targeted mobile devices.

Thus, according to a Check Point study for February, Anubis and AhMyth take first and second place in popularity among malware targeting mobile devices. Anubis is a banking Trojan, but it has received some updates since its initial discovery, including RAT, keylogging, and audio capture capabilities. It was found in hundreds of different applications available on the Google Store. AhMyth is primarily a RAT, but it's also capable of collecting confidential information from the infected device. It has a graphic user interface, making it one of the easiest to use for attackers. AhMyth is an open-source application, so attackers can adapt the tool for their specific goals. It was used by the UNC1530 group to attack mobile devices in Israel for intelligence data collection.

Other RATs targeting Android mobile devices were noted in the first quarter. Thus, according to Zscaler, in one attack, the attacker spread a RAT targeting Android and Windows devices using an online meeting as bait. The cybercriminal created several fake sites imitating popular solutions like Skype, Google Meet, and Zoom to deliver the SpyNote RAT targeting Android, as well as njRAT and DCRat targeting Windows.

Many RAT samples are modular: such solutions can function as a loader, banking trojan, spyware, and even ransomware. We assume that soon we will see even more RATs with new modules. To avoid malware infection, use antivirus protection as well as sandboxes—specialized tools for analyzing file behavior.

The dark side of the force

The Q1 2024 will be remembered for the operation in February named Cronos, during which the LockBit infrastructure was captured and two members of the well-known ransomware group were arrested. According to a press release from the UK's National Crime Agency, over 200 cryptocurrency accounts belonging to the attackers were frozen. However, there is every reason to believe that the ransomware group will be able to restore its position in the cybercrime world: as specialists from Trend Micro discovered, the developers are creating a new version of their malware, which will likely become LockBit 4.0.

It's worth mentioning the major marketplace for selling illegal goods and services, Nemesis. Among other things, ransomware and phishing tools are sold, and DDoS attack services are offered. In a joint effort of law enforcement agencies from Germany, the US, and Lithuania, the dark marketplace was successfully shut down. The press release states that the investigation began in October 2022, but it wasn't until March 2024 that the final curtain fell: the cybersleuths captured the server infrastructure and shut down the marketplace.

Deception everywhere

On the dark web, nothing is so simple. In February, a new ransomware group called Mogilevich appeared. According to the criminals, they hacked and stole data from at least four organizations, including Epic Games. However, the Epic Games claimed there was no evidence of a cyberattack or data theft.

A distinctive feature of the Mogilevich ransomware group is that they didn't share any fragments of the stolen information. Many researchers concluded that the group's statements had no basis in reality, and the criminals simply wanted to deceive buyers. And in the end, they turned out to be right: it was just a big scam for easy money. A group representative stated the following: "We used big names to gain recognition as quickly as possible." By making big hacking claims, the cybercriminal group wanted to gain the trust of other criminals in order to sell them non-existent data and ransomware. The group managed to sell their software to eight novice hackers, as well as a non-existent database for $85,000.

Pig in a poke

In March, the BlackCat (ALPHV) group announced the closure of their project on one of the shadow forums. The ransomware gang claimed that the FBI had gained access to their infrastructure, forcing them to shut down the project, but law enforcement denied this statement. It is believed that the group organized a large-scale scam and then quit the business, taking their affiliates' money with them. Later, a post appeared on the Tox platform, selling the malware source code for $5 million. One of the reasons for BlackCat leaving the ransomware market is probably decreased trust among partners after the group allegedly refused to pay one partner a percentage of the ransom ($22) for their attack on Change Healthcare.

Cyberattacks in Q1 2024 led to various consequences: criminals successfully attacked both small enterprises and industry giants, sometimes causing city-wide disruptions. Criminals were mainly focused on obtaining confidential information (accounting for 54% of attacks) and disrupting the core activities of organizations (33%). Despite the trend towards using RATs, we shouldn't forget ransomware, which can lead to the execution of non-tolerable events. For example, the incident in February with Lurie Children's Hospital in Chicago. This attack affected the hospital's internet, email, telephone communication, and access to the MyChart platform. Local media reported that planned procedures were postponed, ultrasound and CT scan results were unavailable, and doctors had to write prescriptions manually. The Rhysida extortion group claimed responsibility for the attack: claiming to have stolen 600 GB of hospital data, the criminals demanded a ransom of 60 BTC (about $4 million).

Here is a list of attacks in the first quarter that had a negative impact and wide repercussions:

• In February, attackers managed to infiltrate the systems of the German battery manufacturer Varta. As a result of the attack, the company halted production at five plants. The announcement of the shutdown did not go unnoticed, and the company's shares fell by 4.75%.
• In January, Tietoevry faced an attack by the Akira ransomware. The attack affected a data center, consequently impacting the company's clients. Among them was Sweden's largest cinema chain: due to the attack, people were unable to buy tickets online. The building materials supplier Moelven also suffered, and the agricultural products supplier Grangården had to close its stores during the recovery period.
• On February 21, the BlackCat (ALPHV) ransomware gang attacked the medical technology services company Optum. As a result, the Change Healthcare platform crashed. It's the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system. Due to the incident, doctors and pharmacies had to find alternative ways to submit insurance claims. According to First Health Advisory, a digital health risk assurance firm, the failure cost providers approximately $100 million per day.

In successful attacks on organizations resulting in the leak of confidential information, attackers most often aimed to steal personal data (37% of stolen information) and credentials (17%), as well as trade secrets (22%). Attacks on individuals largely aimed at stealing their credentials (39%) and personal data (25%).

In Q1, we noted that, among information stolen from organizations, the share of credentials increased by 7% compared to the previous quarter. Reasons for this growth include the widespread distribution of malware by attackers and numerous phishing campaigns. Throughout March, PT Expert Security Center experts recorded phishing messages disguised as Microsoft mailings. Attached to the emails were PDF documents containing a fake DocuSign and a QR code. The QR code took the user to a phishing page disguised as the Microsoft login page, where only the victim’s password needed to be entered.

A similar phishing campaign targeting bank employees was recorded by PT ESC experts in January. The emails contained a link to a phishing page imitating the bank's website. The campaign also aimed to steal credentials.

The most notable data breaches in Q1:

• In January, researchers discovered a database containing 26 billion records with data from users of popular foreign and Russian social networks and resources such as LinkedIn, Twitter, Snapchat, Adobe, Tencent, and others. The found database was named "mother of all breaches."
• At the end of January, Viamedis suffered a major data breach from a cyberattack. The breach affected 33 million people. The company stated that the information included names, dates of birth, insurer data, social security numbers, marital status, citizenship status, and guarantees available for payment by third-parties.
• As a result of a security breach at a French employment agency, information on 43 million people was compromised. The stolen data includes names, dates and places of birth, social security numbers, France Travail IDs, email addresses, postal addresses, and phone numbers.
• Hyundai Motor Europe suffered a Black Basta ransomware attack, resulting in the theft of 3 terabytes of corporate data. The specific data stolen was not disclosed, but it is known to relate to various departments of the company, including legal, sales, human resources, accounting, IT, and management.

To protect against cyberattacks, we recommend following our general guidelines on personal and corporate cybersecurity.

In view of the events in Q1, we strongly recommend remaining vigilant online, and refraining from opening suspicious links or opening email attachments from unverified sources. Given the large number of attacks distributing malware through legitimate services, developers should pay close attention to the repositories and package managers used in their projects, implement software supply chain security practices, and deploy application security tools.

Organizations should develop vulnerability management processes and participate in bug bounty programs. First and foremost, fix vulnerabilities that attackers are already known to exploit and for which publicly available exploits exist.

We also recommend using web application firewalls to harden the network perimeter. To protect devices against malware, use sandboxes to analyze file behavior in a virtualized environment, detect malicious activity, and act in time to prevent damage to your company.

To protect your organization from potential breaches, it is important to pay attention to the protection of data. We recommend conducting regular inventory and classification of assets, establishing data access control policies, monitoring access to sensitive information, and using specialized solutions that apply the "data-centric security" concept.

22% of attacks targeted individuals

This report contains information on current global information security threats based on Positive Technologies' own expertise, investigations, and reputable sources.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. Our research seeks to draw the attention of companies and ordinary individuals who care about information security to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.

This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one separate attack, not several. For explanations of terms used in this report, please refer to the glossary on the Positive Technologies website.