Key figures and trends
In Q2 2024, the number of incidents increased by 4% compared to the previous quarter. Malware remained a primary method in attacks on organizations: it was employed in 64% of successful attacks. The use of remote access trojans (RATs) in attacks continued to rise, targeting both organizations (41%: an increase of 9 percentage points compared to Q1) and individuals (42%: an increase of 5 percentage points). Social engineering remained the main method of successful attacks on individuals (92%) and a significant attack vector against organizations (51%). We witnessed numerous major cases of trade secret theft and significant leaks of biometric data. Q2 also saw attacks on AI research organizations, aimed primarily at stealing valuable data. Ransomware attacks employed various tactics such as email spam flooding. We also observed modified malware with significant improvements: for instance, spyware tools enhanced with AI modules.
Last quarter's trends reinforced: RAT attacks and software developers as targets
In Q2 2024, the use of RATs grew in attacks on organizations (41%) and individuals (42%), which continued the trend of the previous quarter.
Threat actors continued distributing various RATs, including free versions. For instance, a major compilation of remote access trojans was published in a dedicated Telegram channel. The RAT package included some tools which were widespread in the first half of the year: Remcos RAT, NanoCore RAT, and njRAT.
The rise in RAT attacks, along with multiple leaks of RAT packages, indicates a significant interest in these types of malware among cybercriminals. According to ANY.RUN, RATs were the most widespread malware in Q2 2024. Cybercriminals use RATs because this malware provides persistent access to compromised systems, enabling long-term espionage.
Compared to Q1, we also observed a 15% increase in malware delivery through package managers, such as npm and PyPI. This malware delivery method, which we covered in a previous report, is of great interest to attackers. Criminals relied on typosquatting: publishing a malicious package whose name mimics that of a legitimate one. The attack exploits a user's lack of attention when downloading files and installing software; once the misspelled package is installed, it infects the device with malware. In this way, criminals deceived victims into installing malicious packages, which led to the compromise of the victims' devices and subsequent deployment of malware, such as miners and RATs. Notably, such attacks targeted both individuals and organizations, with software developers from IT companies becoming a primary attack target in the first half of the year. A successful attack of this type can result in the theft of credentials and their subsequent sale on darknet marketplaces, or progress to a supply chain attack.
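One defensive check that follows from the typosquatting pattern described above is to compare every dependency name in a manifest against a list of packages the team has actually vetted and flag near-misses (one edit away, look-alike digits, or a vetted name wrapped in an extra token). The script below is an added example, not Positive Technologies' tooling; the allowlist and the sample manifests are constructed for illustration.

```python
"""Flag dependency names that look like typosquats of vetted packages.

Added example for the typosquatting discussion in this report; it is not
Positive Technologies' tooling. The allowlist below and the manifests in
__main__ are constructed for the example, not taken from any real project.
"""
import json
import re

# Constructed allowlist of vetted package names per ecosystem. In a real
# pipeline this comes from a reviewed lockfile or an internal registry mirror.
TRUSTED = {
    "pypi": {"requests", "numpy", "pandas", "cryptography", "urllib3"},
    "npm": {"lodash", "express", "react", "axios", "chalk"},
}

# Digits commonly swapped in for look-alike letters; folded before comparison.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Leading package name in a requirements.txt line ('Requests[socks]==2.31.0').
PIP_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """Lower-case and collapse '-', '_' and '.' into '-' (PEP 503 style)."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def damerau_distance(a: str, b: str) -> int:
    """Edit distance where an adjacent transposition ('reqeusts') costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(name: str, ecosystem: str):
    """Return (verdict, closest vetted name).

    'trusted'   exact match with the allowlist
    'typosquat' one edit or one look-alike character away from a vetted name
    'review'    a vetted name plus an extra token ('python-requests', 'requests2024')
    'unknown'   nothing to compare against; the package needs its own vetting
    """
    n = normalize(name)
    trusted = sorted(normalize(t) for t in TRUSTED[ecosystem])
    if n in trusted:
        return "trusted", n
    for t in trusted:
        if n.translate(CONFUSABLES) == t.translate(CONFUSABLES) or damerau_distance(n, t) == 1:
            return "typosquat", t
    for t in trusted:
        if n.startswith(t + "-") or n.endswith("-" + t) or re.fullmatch(re.escape(t) + r"\d+", n):
            return "review", t
    return "unknown", None


def scan_requirements(text: str):
    """Classify every package named in requirements.txt content."""
    results = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options (-r, -e, ...)
            continue
        m = PIP_NAME.match(line)
        if m:
            results[m.group(1)] = classify(m.group(1), "pypi")
    return results


def scan_package_json(text: str):
    """Classify dependencies and devDependencies from package.json content."""
    manifest = json.loads(text)
    results = {}
    for section in ("dependencies", "devDependencies"):
        for pkg in manifest.get(section, {}):
            results[pkg] = classify(pkg, "npm")
    return results


if __name__ == "__main__":
    # Constructed manifest: a genuine dependency, two near-misses and one unknown name.
    sample = "requests==2.31.0\nreqeusts\nurl1ib3>=2  # look-alike digit\nsomething-else\n"
    for pkg, (verdict, match) in scan_requirements(sample).items():
        print(f"{pkg:16} {verdict:10} {match or ''}")
```

Anything other than 'trusted' should block the build or go to a human: 'review' is deliberately noisy, because legitimate add-on packages share a prefix with the package they extend and the allowlist, not the heuristic, decides.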
There are also other ways of compromising the software supply chain. For example, attackers may use an exploit that allows them to hijack npm accounts and inject malicious code into trusted packages, leading to the compromise of devices that use the modified module. In early July, a darknet forum post advertised selling an exploit for a vulnerability in the npm package manager. According to the post, exploitation of the vulnerability gives the attacker several opportunities. First of all, it enables the attacker to steal npm accounts of software developers or companies and then inject backdoors into software distribution packages.
If using open-source libraries for malware distribution continues to grow in popularity, cybercriminals may increasingly focus on finding vulnerabilities in version control solutions and package managers. This could jeopardize a vast number of tech companies that rely on these tools. Organizations should regularly update their source-code management tools and storage solutions, as well as ensure security and integrity throughout the entire software development life cycle.
Social engineering: there's no limit to perfection
Social engineering continued to be one of the most frequently used methods in attacks on organizations (51%). As for attacks on individuals, social engineering remained the absolute leader (92%). Most often, cybercriminals used emails in attacks on organizations (83%) and phishing websites in attacks on individuals (62%). They tried to diversify their tactics by employing new phishing tools to steal credentials and switching to different file types to deliver malware.
"Hello, this is your IT support speaking"
According to Rapid7, threat actors started employing a new social engineering tactic. Here's how it works: the attackers flood the victim's mailbox with spam and then call the user, impersonating the IT support department and offering assistance. They ask the victim to launch a remote administration tool such as AnyDesk or Quick Assist (a Microsoft Windows utility for remote assistance). Once the remote connection is established, attackers download malicious software that collects credentials and establishes long-term access to the compromised system. In one of the attacks, researchers observed the attacker deploying Cobalt Strike beacons. Although Rapid7 did not detect any ransomware deployment in any of the cases, they found signs of compromise that were previously associated with Black Basta ransomware operators.
We've spoken before, so you can trust me
In May, experts from the Threat Intelligence Department at Positive Technologies Expert Security Center (PT ESC) observed yet another phishing campaign by the financially motivated group Hive0117. An employee of a holding company received a phishing email. Attached was a password-protected archive with an executable file, which was a DarkWatchman backdoor. The attackers used an unusual approach to crafting the email. It masqueraded as a reply to an earlier message to evoke the recipient's trust. The urgency of the message was not explicitly stated but implied: there was supposedly a tax audit being done on a customer. Under this pretext, the recipient was asked to forward the email to the accountant. That's also a smart move, because messages received from coworkers generally inspire more trust than emails from external senders.
In May, PT ESC detected a phishing campaign targeting a bank. The email included an archive with an executable file, which, when opened, deployed Agent Tesla. Interestingly, the email was sent from a legitimate address, indicating that it had been compromised earlier.
Another phishing campaign targeted commercial companies. Throughout June, PT ESC detected email campaigns originating from legitimate addresses. The email itself was quite typical (containing a link to a reconciliation statement and a claim), but the malware delivery method was uncommon: the text included a link to an external resource (GitHub), from which the user was supposed to download and execute the malicious payload.
To counter phishing, always scrutinize messages, even if the sender appears familiar. Don't rush to open password-protected archives. We recommend contacting the sender via a different and trusted communication channel first. This won't take much time, and it'll help your company avoid unpleasant consequences.
Evolution of quishing
Quishing is a form of phishing carried out with the help of QR codes. When scanning such a QR code, users are redirected to a malicious website that either contains links to download malware to user devices or requests credit card details or login credentials, supposedly in order to access the system. We noted a trend toward the use of quishing by attackers way back in Q1 2023. In June 2024, cybersecurity researchers at Cyble reported that attackers were actively using Word documents with embedded QR codes in phishing attacks.
This was also mentioned by other researchers. In June, for example, Check Point reported an increase in quishing cases, as well as a new way of exploiting this technique.
The Check Point researchers detected a campaign where the QR code was not inserted as an image, but created with HTML code and ASCII characters. The attackers essentially embedded small blocks into the HTML file, making them appear as a QR code in an email. Like in many other quishing attacks, this email pretended to be a reauthentication request. And since the QR code was created with ASCII characters, security tools often didn't recognize the malicious link.
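Because the code in the campaign above is text rather than an image, a mail filter that only scans attachments and inline pictures never sees it. The following heuristic is an added example (not Check Point's or Positive Technologies' code) of the complementary check: flatten the HTML, look for a run of rows consisting only of block characters and spaces, and treat a grid of QR-like size and roughly even dark/light balance as a candidate for quarantine. The sample message and the thresholds are constructed assumptions; the script handles the block-character variant only, not grids built from coloured table cells.

```python
"""Heuristic detector for QR codes drawn with block characters inside HTML mail.

Added example for the quishing variant in which the code is built from HTML
and text blocks rather than an image; not Check Point's or Positive
Technologies' code. The sample message is constructed and the thresholds
are tuning assumptions, not values from the report.
"""
import html
import re

BLOCK_CHARS = set("\u2588\u2580\u2584\u258c\u2590\u2591\u2592\u2593\u25a0")  # block elements used as QR modules
MIN_ROWS = 11            # a version-1 QR code is 21 modules tall; half-block rendering packs two per text row
MIN_COLS = 21            # ... and 21 modules wide
DENSITY = (0.25, 0.75)   # share of dark modules; genuine codes sit near 50%, a solid bar does not

ROW_BREAK = re.compile(r"<\s*(br|/tr|/div|/p)\b[^>]*>", re.I)
ANY_TAG = re.compile(r"<[^>]+>")


def text_rows(body: str):
    """Flatten HTML to text, keeping one line per visual row."""
    body = ROW_BREAK.sub("\n", body)
    body = ANY_TAG.sub("", body)
    body = html.unescape(body).replace("\xa0", " ")  # decodes &#9608; and friends
    return [row.rstrip() for row in body.splitlines()]


def is_module_row(row: str) -> bool:
    """A row made only of block characters and spaces, with at least one block."""
    return bool(row) and all(c in BLOCK_CHARS or c == " " for c in row) and any(c in BLOCK_CHARS for c in row)


def find_text_qr(body: str):
    """Return (rows, cols) of a block-character grid that looks like a QR code, or None."""
    run = []
    for row in text_rows(body) + [""]:  # the sentinel closes a run at the end of the body
        if is_module_row(row):
            run.append(row)
            continue
        if len(run) >= MIN_ROWS:
            width = max(len(r) for r in run)
            dark = sum(1 for r in run for c in r if c in BLOCK_CHARS)
            density = dark / (len(run) * width)
            if width >= MIN_COLS and DENSITY[0] <= density <= DENSITY[1]:
                return len(run), width
        run = []
    return None


def constructed_qr_like_html(size: int = 21) -> str:
    """Constructed sample: a 21x21 grid with QR-style finder patterns in three corners,
    one <div> of block characters per row, preceded by a typical re-authentication lure."""
    grid = [[" "] * size for _ in range(size)]
    finder_cells = set()
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for r in range(7):
            for c in range(7):
                finder_cells.add((r0 + r, c0 + c))
                ring = max(abs(r - 3), abs(c - 3))
                if ring == 3 or ring <= 1:  # dark border and 3x3 centre, light ring between
                    grid[r0 + r][c0 + c] = "\u2588"
    for r in range(size):  # deterministic pseudo-data fill outside the finders
        for c in range(size):
            if (r, c) not in finder_cells and (2 * r + 3 * c) % 5 < 2:
                grid[r][c] = "\u2588"
    rows = "".join(
        f'<div style="font-family:monospace;line-height:1">{"".join(row)}</div>' for row in grid
    )
    return f"<html><body><p>Your session has expired. Scan the code to re-authenticate.</p>{rows}</body></html>"


if __name__ == "__main__":
    print(find_text_qr(constructed_qr_like_html()))                # (21, 21)
    print(find_text_qr("<p>Hi team, see the attached PDF.</p>"))   # None
```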
Levers of pressure: GDPR blackmail and threatening calls
In May, the auction house Christie's confirmed a cyberincident after the extortion group RansomHub claimed responsibility for the attack. RansomHub had added Christie's to their extortion page, claiming they had stolen confidential client data: full names, physical address details, and identity documents of around half a million people.
Interestingly, the extortion gang threatened to inform the regulator about the data breach, which would result in substantial fines for the auction house under GDPR (General Data Protection Regulation). Given that a GDPR violation can result in a fine of €20,000,000 or 4% of annual turnover, such amounts can be critical for an organization. Attackers understand the implications of non-compliance with GDPR and incentivize the victim to pay the ransom by setting the ransom amount lower than the anticipated fines.
Another interesting case was brought to light by cybersecurity researchers at Halcyon. They identified a new ransomware operator called Volcano Demon. The group successfully attacked several companies using the LukaLocker ransomware. Notably, the attackers deviated from the standard playbook of ransomware operations. Instead of using data leak websites, they resorted to frequent threatening calls, increasing the pressure on their victims.
Gamers in the crosshairs
A new stealer emerged in the world of cybercrime, targeting the gaming community. Security researchers at G DATA analyzed Sharp Stealer, which is a type of malware that targets system information, passwords and login cookies for websites, card details from browsers, cryptowallets, and gaming accounts at Epic Games, Steam, Roblox, Ubisoft, VimeWorld, and Minecraft. This new malware family that includes Sharpil RAT and Sharp Stealer was initially reported by threat researcher Yogesh Londhe on a social media platform.
The choice of gaming platforms and related software deserves special attention. Gaming accounts often hold significant value in the form of in-game items and associated personal data. Selling compromised gaming accounts is a lucrative cybercriminal business, which makes these accounts a prime target for stealers like Sharp Stealer.
Play fair
McAfee reported a new malware tool similar to Redline Stealer (Redline Stealer is spyware that steals confidential data and downloads further malware to the victim's device). The malware disguises itself as demo versions of Cheat Lab and Cheater Pro (tools that offer players ways to cheat in various games, such as unlocking new weapons or levels that would be inaccessible through fair play) and uses URLs associated with Microsoft's GitHub repository. To spread the malware, users are offered a free full version of the software if they convince their friends to install the infected demo version.
Such an attack shows that even installing software from seemingly reliable sources can lead to your system being infected with malware.
Be cautious when downloading executable files from untrusted websites. We also advise you to use caution when downloading files even from reliable and legitimate services, such as GitHub, because attackers can exploit these channels to distribute malware.
Interest in AI research on the rise
We observed an increase in the use of remote access trojans by cybercriminals in Q1 2024. Now, attackers are using RATs to target AI research companies. In May, Proofpoint uncovered a new campaign targeting artificial intelligence research organizations. The threat actor used a RAT called SugarGh0st to obtain confidential information about the generative AI research. The trojan was delivered via phishing emails.
According to Proofpoint, the campaign targeted fewer than ten individuals, all of whom were directly connected to a leading AI research organization in the U.S., which indicates a targeted attack and the attackers' keen interest in AI.
AI-enhanced malware
Attackers are constantly improving malware. For example, AhnLab SEcurity intelligence Center (ASEC) discovered a new feature in ViperSoftX, a malware strain that controls infected systems and steals information. Attackers enhanced this malware with Tesseract, an open-source OCR engine that uses neural networks to detect and recognize text in images. This novel feature allows ViperSoftX to extract text from images and scan strings for phrases related to passwords or cryptocurrency wallet addresses, which marks a leap in attack methodology.
Biometric data theft for creating deepfakes
In February, cybersecurity experts published a report on the GoldPickaxe malware, which targets Android and iOS devices. GoldPickaxe collects biometric data and other confidential information (such as identity documents and intercepted SMS messages). After gaining access to facial scans, cybercriminals used AI to create realistic digital models. Combined with stolen scans of identity documents and the ability to intercept SMS messages, this allowed the attackers to access the victims' bank accounts.
With the growing interest in AI technologies, active research in this field, and multiple leaks of biometric data, it is safe to assume that threat actors are also striving to create their own AI-based malicious tools. If they succeed, they might be able to create very convincing phishing messages, websites, and scripts, as well as fully automate some attack phases. Paired with continuous collection of biometric data in bulk, this could also make attacks more effective with the help of deepfakes. For instance, cybercriminals could use fake identities to get hired at tech companies for subsequent espionage.
Proliferation of skimmers for stealing bank card data
In Q2 2024, the share of payment card data among all data types stolen in attacks on individuals rose from 13% to 22%. This can be attributed to the proliferation of spyware and RATs that are capable of stealing payment card data, as well as to several campaigns that utilized web skimmers.
For instance, Sucuri identified a new web skimmer called Caesar Cipher, targeting content management systems (CMS) such as WordPress, Magento, and OpenCart. This malware was embedded in the order-processing PHP file of the WooCommerce plugin, an open-source e-commerce plugin for WordPress.
Another method of stealing payment card data involved the pkfacebook plugin, designed for the PrestaShop e-commerce platform. The attackers exploited the CVE-2024-36680 vulnerability to deploy card skimmers on websites. This vulnerability has a CVSS score of 7.5 (high severity) and involves SQL code injection. Security researchers at Friends-of-Presta published a proof-of-concept exploit for CVE-2024-36680 and warned of active exploitation of the vulnerability in attacks that utilized web skimmers to steal credit card data at scale.
The payment card data obtained during attacks can be sold on darknet platforms and used in subsequent attacks. To avoid that, organizations should regularly update their CMS and plugins, as well as use strong passwords and multifactor authentication. This is particularly important because attackers typically exploit weak passwords and plugin vulnerabilities to gain extended access to websites and advance their attacks.
Evolution of malware
Android devices under threat
In late June, researchers reported a new attack vector on Android applications, which exploits a security feature to bypass security tools. In particular, Promon analyzed a piece of malware tracked as Snowblind, which exploits a Linux security feature known as seccomp. The seccomp feature allows Android to isolate applications and restrict the system calls they execute. Snowblind repackages a target application in such a way that the application cannot detect the abuse of accessibility services, which allows malware to capture user input (for example, credentials) or gain remote access to perform malicious actions. It is still unknown how many applications have actually been attacked, but other threat actors are very likely to also adopt this method. BleepingComputer reached out to Google for comments on the active abuse of seccomp. According to Google, no apps containing malicious code similar to Snowblind were found in Google Play.
Critical update: how RATs bypass the perimeter defenses
A new version of CraxsRAT malware was released, sounding the alarm for Android device security. In May, the malware gained the ability to bypass Google Play Protect, an application that scans devices for malicious apps, including those installed from third-party sources. According to the report, the new version of CraxsRAT supports multiple languages and features, such as injection of malicious payloads into APK files.
A new file type and an unfixed vulnerability
Threat actors are constantly seeking new infection methods to gain access to systems and bypass security tools. Recently, they started exploiting the Windows MSC file type. MSC files are used in the Microsoft Management Console (MMC) to configure components of the operating system or to create custom views of frequently used tools. Elastic Security researchers uncovered a new method of distributing such files in conjunction with exploitation of an old, unfixed XSS vulnerability in Windows that allows deployment of Cobalt Strike. Security researchers also identified a fresh sample uploaded to VirusTotal on June 6, 2024, which proves its active use in attacks. At the time when the Elastic Security team published their article, no antivirus software recognized the file as malicious. Later, at the time of writing this report, 31 out of 63 antivirus vendors on VirusTotal flagged the file as malicious.
Well-known threat actors also make use of MSC files. For example, the Kimsuky APT group used fake accounts on a social network to spread malicious OneDrive links that delivered malicious MSC files. Additionally, cybersecurity researchers at NTT identified the use of MSC files in attacks by the DarkPeony group. The attack chain begins with a malicious MSC file, which subsequently delivers the PlugX RAT.
These attacks demonstrate how threat actors adapt their malware delivery methods to remain undetected. We anticipate a more widespread use of malicious MSC files in the future. To protect themselves from advanced malware, organizations should use sandboxes that allow programs to be opened and run in an isolated virtualized environment to detect malicious activity.
The wingless Pegasus
In the previous quarter, we wrote about darknet fraud, mentioning the major scam by the Mogilevich group and the deception of affiliates by the BlackCat group. In Q2, CloudSEK researchers identified a widespread trend of fraud involving the Pegasus spyware (Pegasus is spyware developed by NSO Group for law enforcement and intelligence agencies). The software was offered for hundreds of thousands of dollars. However, it turned out that almost all samples were fraudulent and ineffective. These tools and scripts were developed by fraudsters and distributed under the name Pegasus to financially benefit from the real malware's high visibility. For example, in one of the posts, permanent access was being sold for USD 1.5 million. There were also posts making Pegasus samples publicly available for free.
Trending vulnerabilities
Vulnerability exploitation remained one of the leading methods (35%) of successful attacks on organizations. Here are the trending vulnerabilities of Q2 2024:
- CVE-2024-3400. A critical vulnerability with a CVSS score of 10, published on April 12. It affects versions of PAN-OS by Palo Alto Networks, allowing unauthenticated attackers to execute commands with administrative privileges on the firewall. Researchers shared technical details and a proof-of-concept exploit for CVE-2024-3400, demonstrating how easily attackers can execute commands with root privileges. The public availability of the exploit enabled numerous criminals to conduct their attacks. System administrators were advised by Palo Alto to urgently install the latest PAN-OS update to fix the vulnerability.
- CVE-2024-5806. This highly exploited vulnerability with a CVSS score of 9.1 (critical severity) allows attackers to bypass authentication mechanisms in the MOVEit Transfer SFTP service. This could lead to unauthorized access to and potential leakage of confidential data stored on the MOVEit Transfer server. Threat monitoring platform Shadowserver Foundation reported a sharp increase in exploitation attempts following the disclosure of the vulnerability on June 25.
- CVE-2024-26169. This vulnerability allows attackers to gain system administrator privileges and has a CVSS score of 7.8 (high severity). Symantec's Threat Hunter Team found evidence that the attackers exploiting the zero-day vulnerability were likely linked to the Black Basta ransomware operator. Interestingly, one version of the exploit tool had a compilation timestamp dated February 27, 2024. This means that Black Basta operators had a functional exploitation tool long before Microsoft eventually released a patch.
- CVE-2023-7028. In early May, CISA added a critical GitLab vulnerability to its catalog of known exploitable vulnerabilities, with a CVSS score of 10.0 (critical severity). Exploitation of CVE-2023-7028 allows attackers to gain unauthorized access to private projects and confidential data, including credentials, as well as to inject malicious code into source code repositories.
An extended list of the most popular vulnerabilities can be found in the monthly digest on our website.
Attack consequences
Successful cyberattacks in Q2 led to a variety of consequences. Similar to Q1, the most common consequence was the leakage of confidential information (55% for organizations and 82% for individuals). For organizations, disruption of core operations ranked second (27%), but its share had decreased by 6 percentage points compared to Q1 due to attackers shifting their focus towards stealing confidential information. One of the most serious data breach incidents involved Snowflake, a data cloud company. Many Snowflake customers confirmed the data leaks. According to a Mandiant report, attackers used stolen customer credentials to hijack accounts that were not protected with multifactor authentication. During investigations related to Snowflake, Mandiant observed that in some cases, attackers gained initial access through contractors. However, according to one of the attackers, access to Snowflake accounts was obtained by infecting an EPAM Systems employee's computer with malware.
The Snowflake corporate environment itself was not breached. Mandiant and Snowflake notified approximately 165 potentially vulnerable organizations about the incident. Among the companies confirming data breaches are Ticketmaster, Santander Bank, Advance Auto Parts, Pure Storage, Los Angeles Unified, Neiman Marcus, and AT&T.
The top five attacks in Q2 that had negative impacts and generated a lot of publicity:
- On May 6th, one of the largest printed circuit board manufacturers, Keytronic, fell victim to a cyberattack and had to halt production for two weeks. The attack also restricted access to business applications that support the company's operations. In addition, personal data was stolen during the attack. The Black Basta ransomware gang claimed responsibility for the attack and for stealing HR-related, financial, engineering, and corporate data. Keytronic said it incurred approximately USD 600,000 in expenses related to attack remediation and recovery, as well as hiring external cybersecurity experts.
- In early June, industrial equipment and forklift manufacturer Crown Equipment suffered a cyberattack that disrupted production at its factories. Employees were unable to clock in their working hours, access service manuals, and deliver machinery in some cases.
- The Qilin ransomware group attacked Synnovis, a company providing pathology services to hospitals and clinics in London, in early June. The attack caused significant disruptions in procedures and operations (including blood transfusions and blood testing) in multiple London hospitals, forcing the NHS to declare a regional incident. Over 800 scheduled operations and 700 outpatient appointments had to be postponed. The National Health Service Blood and Transplant (NHSBT) also issued a warning about a blood shortage in London hospitals.
- On April 24, Dropbox discovered that malicious actors had gained access to the Dropbox Sign production environment. Criminals gained access to a Dropbox Sign automated system configuration tool, which is part of the platform's backend services. The attackers then used this access to obtain authentication tokens, MFA keys, hashed passwords, and customer information.
- In late May, the logistics company CDEK experienced a cyberattack, which resulted in significant disruptions to their services and business processes: the CDEK website and app became unavailable, and the operations of pickup points were halted. Experts estimate that the resulting damage could range from RUB 300 million to 1 billion.
In data breach attacks on organizations, attackers mostly aimed to steal trade secrets (26%), personal data (25%), and credentials (23%). In data breach attacks on individuals, attackers focused on stealing credentials (37%) and payment card details (22%).
In addition to data breaches related to Snowflake, Q2 saw other major data leaks:
- A notorious hacker claimed responsibility for breaching Apple and stealing source code of three internally used tools (AppleConnect-SSO, AppleMacroPlugin, and Apple-HWE-Confluence-Advanced). According to the hacker's post, the company was compromised in June.
- In late June, several database tables belonging to the online store of the Magnolia supermarket chain were leaked online. Security researchers noted that the text files contained the following information: full names of customers, delivery addresses, email addresses (245,931 unique addresses), phone numbers (252,209 unique numbers), hashed passwords, order details, order amounts, order dates, and discount coupons.
- A cybercriminal posted a message about selling data obtained from the AMD breach in June 2024. The data for sale reportedly includes a wide range of sensitive data, from source code and information about upcoming products to employee and customer databases.
- In May, a threat actor claimed to have breached the computer hardware manufacturer Cooler Master and stolen 103 GB of data. The data leak resulted from a hack of one of the company's websites. The stolen data included corporate information, supplier details, sales figures, warranty data, inventory information, as well as personal data of over 500,000 Fanzone members (Cooler Master's Fanzone site is used for product warranty registration, return requests, and refunds).
- On May 6, the Cybernews research team discovered a dataset focused solely on Chinese citizens. The dataset, 100 GB in volume, contained over 1.2 billion records (the population of China is roughly 1.4 billion people). The collection primarily included phone numbers, but also some personal data such as identity card numbers, home addresses, and bank card numbers.
- Around May, cybersecurity researcher Jeremiah Fowler discovered a database with documents belonging to two separate Indian entities, ThoughtGreen Technologies and Timing Technologies. Both companies offer application development services and biometric verification solutions. The 1,661,593 files with a total size of 496.4 GB contained confidential biometric data, such as scanned facial images, fingerprints, signatures, and identification marks of police officers, military personnel, teachers, and even railway workers. The data might have been put up for sale on a darknet-related Telegram channel.
- According to Resecurity, a threat actor leaked 144 GB of Salvadoran citizens' data on a darknet forum. The database contained over 5 million high-definition photos, each tagged with the corresponding ID number (DUI), as well as first and last names, dates of birth, phone numbers, email addresses, and residential addresses. This particular breach marks one of the first instances in history where almost the entire population of El Salvador was affected by a compromise of biometric data.
- On July 6, a database table fragment was leaked online, presumably related to customers of the Vinlab store chain. The leak fragment contained over 408,000 lines with the following data: full names, phone numbers, email addresses, hashed passwords, and loyalty card numbers.
To protect against cyberattacks, we recommend following our general guidelines on personal and corporate cybersecurity. Given the specifics of the Q2 threatscape, we strongly advise users to be careful when entering their credentials on unfamiliar websites, downloading email attachments, and following links from messaging apps, social media, and emails. An objective and critical assessment of the situation will help safeguard your data and money.
Due to the large number of attacks with malware delivered through legitimate services, software developers should pay close attention to the repositories and package managers used in their projects, implement software supply chain security practices, and deploy application security tools. We also recommend using package and source code analyzers, such as PT PyAnalysis.
To protect your organization from potential data breaches, implement data protection measures. We recommend conducting regular inventory and classification of assets, establishing data access control policies, and monitoring access to sensitive information.
We also recommend using web application firewalls (WAFs) to harden the network perimeter. To protect devices against advanced malware, use sandboxes to analyze file behavior in a virtualized environment, detect malicious activity, and prevent damage to your company. Organizations should establish vulnerability management processes and participate in bug bounty programs.
Statistics
19% of successful attacks targeted individuals
About this report
This report contains information on current global cybersecurity threats based on the expertise of Positive Technologies Expert Security Center (PT ESC), investigations, and reputable sources.
We assume that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. Our report seeks to draw the attention of companies and individuals to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.
This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one attack, not several. Definitions of terms used in this report are available in the glossary on the Positive Technologies website.