Cybersecurity threatscape: Q3 2024

This report contains information on current global cybersecurity threats based on Positive Technologies own expertise (from PT Expert Security Center), investigations, and reputable sources. 

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. Our report seeks to draw the attention of companies and individuals to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.

This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one attack, not several. Definitions of terms used in this report are available in the glossary on the Positive Technologies website.

In Q3 2024, the number of incidents increased by 15% compared to Q3 2023 and slightly decreased (by 4%) compared to the previous quarter. Malware remains the primary tool for attackers, used in 65% and 72% of successful attacks on organizations and individuals, respectively. Against organizations, remote control malware (44%) and ransomware (44%) were most commonly used, while individuals were most frequently targeted by spyware (47%, up by 6 p.p.). Social engineering remains a major threat to individuals (92%) and is involved in half (50%) of all attacks on organizations. Data breaches occurred in 52% and 77% of successful attacks on organizations and individuals, respectively. Disruption of core activities rose by 5%, reflecting the increased activity of ransomware groups. 

Targeting IT specialists

In Q3 2024, IT specialists were among the most targeted individuals (13%). In Russia alone, there is a shortage of as much as 500–700 thousand people in the IT field, with a 7% rise in the number of specialists posting resumes. This shortage has provided fertile ground for attackers who increasingly use fake interviews as a tactic. Since December 2022, researchers at Palo Alto Networks have tracked a campaign called Contagious Interview. Cybercriminals conduct fake interviews in which the developer ends up downloading malware. Methods of influencing the victim in these campaigns vary. In one campaign interviewees were asked to solve a problem, which required them to download malicious code. Notably, even APT groups have adopted this tactic. For instance, the Lazarus APT group spread a fake video conferencing app, supposedly for interviews. The MalwareHunterTeam found similar software for macOS that, interestingly, none of the antivirus engines on VirusTotal detected as malware.

Since the first half of 2024, the trend of using package managers and public repositories to infect victims with malware has continued. For example, the security research group Checkmarx discovered npm packages which targeted Roblox developers, distributing the Quasar RAT. Attackers used typosquatting¹ to make these packages appear legitimate. Meanwhile, the security group JFrog found a technique called Revival Hijack based on the PyPI package removal policy, which threatened about 22,000 existing packages. Once a package is deleted, its name becomes available for re-registration. However, users are not notified, so they may end up updating the previously safe packages, not realizing that they are now under the control of attackers. 

IT specialists have also become targets of malicious ads. The group Hunters International created sites mimicking Angry IP Scanner, a popular network scanning tool. These sites were promoted via Google Ads, appearing at the top of search results. However, it was actually the Sharp RAT malware disguised as the scanner.

The rise in attacks on IT specialists, in addition to financial gain, can be explained by the desire to move on to larger targets. It's not just IT companies that are at risk: cybercriminals can penetrate a software supply chain, causing irreparable damage to numerous organizations.

Social engineering: a constant threat

In Q3 2024, social engineering remains the most popular method for attacks on both organizations (50%) and individuals (92%). For organizations, email remains the main channel for social engineering (88%), while for individuals, it's websites (73%). Attackers are also increasingly exploiting the popularity of social networks for attacks against individuals. Compared to the previous quarter, this method was 4% more common. Among social networks, Facebook has become the most frequently exploited by cybercriminals.

The Blue Screen of Death

On July 19, a large-scale Windows OS failure led to the infamous "blue screen of death" popping up on computers worldwide. The issue was caused by an incorrect update to CrowdStrike Falcon sensor, a cybersecurity agent designed to protect devices from various threats. According to Microsoft, the incident affected 8.5 million Windows devices across various sectors, including airlines, healthcare facilities, and banks. Of course, this news didn't fail to attract the attention of attackers. 

Cybercriminals used the problem as an opportunity for social engineering attacks. Just a few days after the incident, BleepingComputer discovered phishing emails disguised as recovery guidance from Microsoft. The attached document contained instructions for a tool which supposedly removed the problematic CrowdStrike driver from Windows devices. But running the tool simply installed the Daolpu stealer on the victim's device. CYFIRMA researchers also observed a significant number of newly registered domains related to this incident, some of which spread malware.

Do not follow the link 

According to a Unit 42 study, attackers have begun using a new phishing method that leverages HTTP headers. Cybercriminals embed malicious links in the Refresh header of HTTP responses. This refreshes the page, redirecting the user to external websites without requiring the user's interaction. These links often use legitimate or compromised domains, making it difficult to spot malicious indicators in the URL. The goal of these attacks is typically to steal user credentials. 

PHaaS: phishing threats reach record levels

In Q3 2024, use of phishing sites grew in attacks against both organizations (28%, up by 6 p.p.) and individuals (73%, up by 11 p.p.) compared to the previous quarter. Previously, phishing attacks required hackers to expend considerable effort in creating malicious sites and applications, and sometimes interacting with the victims over long periods. This presented an entry barrier for attackers. However, with the advent of PHaaS (phishing-as-a-service) platforms, carrying out such attacks is becoming much easier. These platforms allow attackers to purchase phishing kits containing ready-made templates for quickly creating many phishing pages. Recently, Palo Alto Networks reported on the Sniper Dz platform, which offers free phishing kits to users. The platform allows users to create phishing pages hosted either on Sniper Dz servers or in their own infrastructure. In 2024, approximately 140,000 phishing sites were created using this platform. However, there's no such thing as a free lunch: any data stolen by the attackers gets scooped up by Sniper Dz, too. 

Previously established phishing tools continue to be used, with their functionality regularly updated. For example, ANY.RUN reported on campaigns carried out in August this year using an updated version of Tycoon 2FA, which now uses fake error messages to trick users into disclosing their credentials.
 

RATs and ransomware wreak havoc on organizations, spyware targets individual users

The trend of using RATs in attacks on organizations continued in Q3 2024 (44%). RATs allow attackers to maintain persistent access to compromised devices, enabling them to conduct long-term reconnaissance, gather data, and monitor user actions. According to our data, popular tools among cybercriminals include AsyncRAT, XWorm, and SparkRAT. For example, PT Expert Security Center (PT ESC) team reported on phishing campaigns which targeted industrial enterprises, banks, healthcare providers and software developers in Russia, ultimately leading to XWorm infections. Similar phishing emails were used by the OldGremlin group.

We also noted a 6% increase in ransomware attacks compared to the previous quarter. Attackers frequently employed the ransomware programs LockBit 3.0 and Play. A Linux version of the Play ransomware has also emerged, specifically targeting VMware ESXi environments.

Trends in attacks on individuals are changing, with an increase in spyware use (47%). Lumma Stealer and FormBook occupy leading positions in hackers' arsenal. They both target a wide range of information, including browser data, various files, and credentials. Lumma Stealer is particularly attractive to attackers as it enables the theft of data from cryptocurrency wallets. 

Two birds with one stone: hybrid malware

Cybercriminals are continually enhancing the tools in their arsenal, adding new features. For example, Netskope Threat Labs researchers discovered an updated version of XWorm RAT that can now take screenshots, modify hosts files², carry out DDoS attacks, and more. Hackers are also adding plugins to RATs for stealing sensitive information from browsers and cryptocurrency wallets, as was the case with the use of a modified AsyncRAT in phishing attacks studied by eSentire researchers.

This trend is also seen for ransomware. Using hybrid tools, criminals can solve two problems at once, encrypting and stealing confidential data at the same time. This guarantees profits for the attackers: even if the ransom isn't paid, they can still sell the stolen data. In August 2024, Outpost24 discovered the latest version of Crystal Rans0m with such capabilities. A similar ransomware program, Luxy, was analyzed by K7 Security Labs.

Small driver, big problems

In Q3, ransomware groups frequently used the "bring your own vulnerable driver" (BYOVD) technique. This method involves hackers installing on the victim's device a driver with a known vulnerability, which they then exploit. Trend Micro tracked a chain of infections linked to EDRKillShifter—a dropper that lets hackers use this technique to disable EDR solutions. Malwarebytes researchers observed that the RansomHub group used the legitimate TDSSKiller tool for this same purpose. This tool was initially designed to remove rootkits. The DragonForce ransomware group also actively uses this method in its attacks. 

Security tool becomes a weapon

Proofpoint researchers discovered a campaign where Cloudflare Tunnels were used to spread malware. Attackers employed the TryCloudflare function, which allows you to create a one-time tunnel without registration. Each tunnel generates a temporary random subdomain under trycloudflare.com, which is used to route traffic through Cloudflare's network to a local server. Criminals hosted malicious files on these subdomains and sent victims links to them. Seeing a legitimate Cloudflare link, the user would click and become infected with remote access malware. Other researchers reported similar findings: Forcepoint X-Labs observed AsyncRAT infections using TryCloudflare in July 2024. 

Hand in hand: malvertising and stealers

This quarter saw cases of spyware distribution through malvertising: attackers used services like Google Ads to promote malicious sites to the top of search results. These sites often look legitimate, raising no suspicion from users. Malwarebytes described such a campaign, the end goal of which was to deliver the DeerStealer spyware. In similar attacks, hackers spread Atomic Stealer and Poseidon Stealer. 

Malicious ads have also been noted on social media, promoting Lumma Stealer and SYS01, which are designed for stealing passwords. 
 

Supply chain attacks

Supply chain attacks are a cyberthreat in which an attacker introduces a malicious component into software that is subsequently downloaded by the victim. Cyble researchers report that in 2024, such attacks occurred at least once every two days. We previously mentioned that a software developer can often become the starting point for a supply chain attack on organizations. However, attackers sometimes use other methods. One of the most notable recent incidents was a supply chain attack on Polyfill.io, affecting over 100,000 sites. Polyfill.io is a popular service that automatically loads polyfills³ necessary for browsers to render pages. A Chinese company called Funnull acquired the polyfill.io domain, service, and associated GitHub account. Afterward, the service began redirecting users to malicious sites and deploying sophisticated malware. According to Censys, although Namecheap suspended the malicious domain polyfill.io on June 27, as of July 2, 384,773 nodes were found still containing links to the infected domain in their source code.
 

RDGA: strength in numbers

The Random Domain Generation Algorithm (RDGA) is a method used by attackers to automatically create large numbers of domain names for connecting malware with command-and-control servers. Even if some domains are blocked by security systems, the malware can generate more, making detection and blocking challenging. RDGA is based on pseudo-random or random sequences, making it difficult to detect using standard algorithms that rely on lists of known domains. The Revolver Rabbit attacker uses this technology to spread XLoader malware. He was able to generate 500,000 domains under the .bond TLD (top-level domain). The Play ransomware group also employs this algorithm. 

AI in attacks

In Q1 and Q2 of 2024, we noted an increased use of AI in attacks. In this quarter, too, this trend continues. Symantec observed two campaigns in which large language model (LLM) technology was used to write malicious code. In one case, AI generated a PowerShell script that downloaded the Rhadamanthys spyware and the CleanUpLoader backdoor. In another, an LLM was used to generate JavaScript for loading and executing additional payloads, such as Dunihi. It's worth emphasizing that AI-generated code tends to have similar characteristics: functions and variables are formatted with one-line comments that use precise terms to explain their purpose.

The trend of integrating AI modules into malware persists as well. Insikt Group discovered a new version of the Rhadamanthys stealer that uses AI for optical character recognition (OCR). This enables Rhadamanthys to extract cryptocurrency wallet seed phrases⁴ from images.

The dark side of pentesting tools

Pentesting tools remain popular among attackers. Cobalt Strike continues to be a favorite, though some have shifted to its open-source alternative, the Sliver framework. Threat actors such as MimiStick, CRYSTALRAY, and Onyx Sleet used Sliver in their attacks. 

According to BI.Zone, 12% of attacks use tools originally designed for penetration testing. The post-exploitation framework Havoc is also gaining popularity. We have also observed it in various attacks. Specifically, the PT ESC Threat Intelligence team discovered a phishing email allegedly from the Russian Federal Security Service (FSB), threatening the victim and requesting a list of documents specified in an attached archive. When the user clicks the archive, instead of downloading it as expected, they are redirected to a site where a payload has been embedded using HTML smuggling⁵. This payload deploys the Havoc Demon dropper on the device.

Trending vulnerabilities 

Exploiting vulnerabilities remains one of the most effective attack methods, accounting for 33% of attacks. Here are some of the most notable vulnerabilities actively exploited in Q3:

• CVE-2024-36401. This frequently exploited vulnerability with a CVSS score of 9.8 allows remote code execution. FortiGuard Labs researchers noted it being used to spread backdoors and botnets. In addition, Trend Micro reported that the Earth Baxia group used it in attacks on Taiwanese government organizations. 
• СVE-2024-23897. A vulnerability that allows reading of arbitrary files through the built-in command-line interface (Jenkins CLI), rated 9.8 on the CVSS scale. IntelBroker used it to gain initial access during an attack on the IT service provider BORN Group. The hackers managed to obtain hardcoded keys from the source code, later using them to infiltrate other systems. This vulnerability was also used in an attack on Brontoo Technology, paralyzing the operations of over 300 banks in India. 
• CVE-2024-39717. A vulnerability in the Versa Director platform, published in August 2024 with a CVSS score of 7.2. It allows loading of malicious files disguised as PNG images to let attackers into corporate networks. The Chinese APT group Volt Typhoon reportedly exploited this zero-day vulnerability for initial access. 
• CVE-2024-34102. A critical vulnerability in Adobe Commerce, rated 9.8 on the CVSS scale. This vulnerability's widespread exploitation led to attacks on 4,275 online stores, including major brands like Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway. The flaw allowed attackers to implant skimmers on store payment pages, putting users' payment data at risk.
• CVE-2024-7971. A severe vulnerability in the Chrome browser, with a CVSS score of 8.8. It's a type confusion error in the V8 engine, which handles JavaScript and WebAssembly execution. Google issued an update on August 21, and on August 26, reports emerged of the vulnerability being exploited. All Chromium-based browsers are also affected by this vulnerability. 

Successful cyberattacks in Q3 had various consequences, impacting individual users, organizations, and even entire regions. As in previous quarters, criminals focused on stealing confidential information (52% and 77% of successful attacks on organizations and individuals, respectively). Disruption of core operations affected 32% of organizations, a 5% increase from the previous quarter due to heightened ransomware activity. For example, an INC Ransom attack in August on McLaren Health Care caused significant disruptions. Access to patient databases may have been lost, forcing staff to transfer records manually. Dates for some appointments and non-urgent procedures also had to be adjusted. 

In Q3, the following attacks had dire consequences and wide repercussions:

• In August, Iran's banking sector experienced a major cyberattack. Sources report that the government negotiated with the criminals, paying at least $3 million in ransom to prevent the leakage of personal data from more than 20 banks. While Iranian authorities denied the incident, it was reported that ATMs across the country were temporarily disabled. The IRLeaks group, previously involved in similar cyberattacks, claimed responsibility. 
• Cryptocurrency-related attacks have earned criminals more than $750 million. One of the biggest losses was suffered by the Indian cryptocurrency exchange WazirX, which lost $230 million. The stolen assets accounted for 45% of the exchange's total reserves. Its competitor CoinSwitch has filed a lawsuit against WazirX to recover the frozen funds. Another high-profile incident involved the theft of $243 million from a cryptocurrency holder. Criminals used social engineering tactics, posing as support from Google and Gemini, to reset two-factor authentication and transfer funds to a compromised wallet. 
• An email scam led to theft of over $60 million from Orion, a leading supplier of carbon products. The attackers deceived an Orion employee into making multiple bank transfers. The theft is currently under investigation. A similar scam tricked an employee at a Singaporean commodity company, resulting in a $42.3 million loss. However, unlike Orion, the Singaporean company was lucky enough to be able to recover the stolen funds. 
• In August 2024, the Seattle-Tacoma International Airport was attacked by the Rhysida ransomware group. Some critical systems had to be isolated to contain the damage. This caused disruptions to reservation and check-in systems and resulted in flight delays. 

In successful attacks on organizations resulting in confidential information breaches, criminals most often targeted credentials (23%), personal data (23%), and trade secrets (24%). As for attacks on individuals, attackers focused on credentials (29%), payment card data (24%), and personal data (21%). 
 

The most notable Q3 leaks:

• On July 4, 2024, a file named rockyou2024.txt containing nearly 10 billion unique passwords was posted on a darknet forum. This leak was significantly larger than previous ones, like RockYou2021, which contained 8.4 billion passwords. The scale of the leak allows hackers to efficiently conduct brute-force attacks, using real passwords instead of random characters, which increases the likelihood of successful compromise. A further risk arises from the fact that users often reuse credentials across multiple services, meaning that if one account is compromised, others may be as well. 
• In April 2024, a hacker forum listed a database allegedly stolen from the National Public Data company, being sold for $3.5 million. The data was disclosed in July. The breach involved the personal information of up to 2.9 billion residents in the U.S., Canada, and the U.K., including names, social security numbers (SSN), addresses, phone numbers, and emails. A resident of California has since filed a lawsuit, accusing the company of negligence, unjust enrichment, and breach of fiduciary duty.
• The hacktivist group NullBulge claimed responsibility for leaking around 1.1 TB of data from Disney's internal Slack communications. The confidential data included unreleased projects, raw images, system login credentials, and Disney employees' personal data, such as phone numbers and email addresses. The group reported that an insider granted them access. Though Disney declined to comment on the breach, the company decided to stop using Slack. 
• India's Star Health and Allied Insurance became victim to a major data breach affecting 31 million clients. The stolen information included medical documents, personal identification numbers, tax data, and more. The attacker distributed free samples of the data via Telegram and sold it on BreachForums. 
• According to TAdviser, attackers publicly released a backup database from the 1C system of one fitness club network. The breach exposed data of around 2.2 million clients (both individuals and legal entities) and 10,100 employees.

To protect against cyberattacks, we recommend following our general guidelines on personal and corporate cybersecurity. In view of the events in Q3, we strongly recommend remaining vigilant online, and refraining from opening suspicious links or downloading attachments from unverified sources. Be critical of unusually advantageous offers or urgent demands—this will help protect your data and finances.
Given the large number of attacks distributing malware through legitimate services, developers should pay close attention to the repositories and package managers used in their projects, implement software supply chain security practices, and deploy application security tools. 
Considering the growing number of attacks utilizing social engineering, we recommend training employees in cybersecurity fundamentals. 
We also recommend using web application firewalls (WAFs) to harden the network perimeter. To protect devices against the latest malware, use sandboxes to analyze file behavior in a virtualized environment, detect malicious activity, and act in time to prevent damage to your company. To assess the effectiveness of your existing email protection tools, specialized services are available. Ransomware remains a significant cyberthreat, so remember the importance of regular backups. 
Organizations need to develop vulnerability management processes, conduct regular penetration testing (including automated options), and participate in bug bounty programs. Special attention should be paid to fixing vulnerabilities that attackers are already known to widely exploit and for which publicly available exploits exist.
To prevent potential leaks of corporate data, it's crucial to focus on organizational data protection. We recommend conducting regular inventory and classification of assets, establishing data access control policies, and monitoring access to sensitive information.