Cyberthreats in 2024: Forecasts for the coming year from Group-IB experts

Group-IB OSINT TEAM
Published Mar 18, 2024

Once a year, Group-IB experts from various teams come together to write a detailed annual report that sums up the key findings of the past year. Our researchers revisit the incidents they analyzed and responded to and highlight the main trends in cybercrime, the top threat groups, and the techniques used most often. Alongside the trends, we offer forecasts for the coming year that our customers (and any other readers) can use to stay protected. In this blog post, Dmitry Shestakov, Head of Group-IB’s Threat Intelligence Unit, summarizes the highlights of our High-Tech Crime Trends report.

Escalating zero-day threats

A clear trend we observe is that nation-state groups and other threat actors continue to use zero-day exploits on a regular basis. In 2023, Group-IB’s Threat Intelligence team recorded a 70% increase, compared to 2022, in the number of public posts offering zero-day exploits for sale in cybercriminal communities. The spike reflects both the larger scale of attacks and the high demand for such vulnerabilities among threat groups.

One of our key discoveries in 2023 that confirmed this trend was the detection of a zero-day vulnerability in WinRAR (CVE-2023-38831, fixed in WinRAR 6.23). Threat actors used it to target members of trading forums: they distributed their malware in weaponized ZIP archives that appeared to contain a harmless document. Once a victim opened the archive and clicked the document, the malware ran instead, infected the trader’s device, and was used to withdraw funds from broker accounts.
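The archive layout behind that WinRAR zero-day is simple enough to check for mechanically. The script below is an added example, not Group-IB’s code: it looks for a top-level file (the decoy, e.g. "report.pdf") next to a directory whose name is the same plus a trailing space ("report.pdf ") and which holds a script such as "report.pdf .cmd"; that is the structure CVE-2023-38831 abused, and the sample archive is constructed in memory for the demonstration. The list of script extensions is an assumption; extend it to match your own policy.

```python
# Added example (not Group-IB's code): check a ZIP archive for the decoy
# layout abused by the 2023 WinRAR zero-day, CVE-2023-38831. A weaponized
# archive held a benign-looking file ("report.pdf") next to a directory
# named the same plus a trailing space ("report.pdf "), which in turn held
# a script such as "report.pdf .cmd". Double-clicking the decoy in a
# vulnerable WinRAR ran the script. The sample archive is built in memory;
# nothing is written to disk.
import io
import zipfile

# Assumption: extensions that count as "executable" for this check.
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".hta", ".lnk")


def suspicious_entries(archive_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, script_entry) pairs that match the decoy layout.

    Only top-level files are considered decoys, because those are what the
    user sees and clicks in the archive listing. An empty list means the
    layout is absent.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()

    decoys = [n for n in names if "/" not in n]  # top-level files only
    hits = []
    for decoy in decoys:
        for entry in names:
            if "/" not in entry:
                continue
            top, inner = entry.split("/", 1)
            # A directory that equals the decoy name once trailing whitespace
            # is stripped, but is not literally the same name, is the tell.
            if top == decoy or top.rstrip() != decoy:
                continue
            if inner.lower().endswith(SCRIPT_EXTENSIONS):
                hits.append((decoy, entry))
    return hits


def build_sample(weaponized: bool) -> bytes:
    """Construct a small archive in memory, with or without the decoy layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed decoy, not a real document\n")
        if weaponized:
            # Note the trailing space in the directory component.
            zf.writestr("report.pdf /report.pdf .cmd",
                        b"@echo off\r\nrem constructed placeholder, no payload\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_sample(False)), ("weaponized", build_sample(True))):
        print(label, suspicious_entries(data) or "no decoy layout found")
```

Any archive in which a top-level name collides with a directory name that differs only by trailing whitespace deserves quarantine regardless of what the inner file is called: there is no legitimate reason for that layout. Patching WinRAR remains the real fix; the check only helps at mail gateways and upload points where archives from outside are accepted.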

Criminals will increasingly leverage unpatched software flaws in targeted attacks and cyberespionage campaigns against both the government and private sectors. For defenders, the practical consequence is that exploitation often precedes the vendor patch, so detection has to cover what happens after the exploit (the dropped payload and its behavior on the host), not only the exploit itself.

Supply chain attacks: The threat intensifies

Attacks on third parties as a way of reaching the end target are expected to become even more devious. In 2023, we witnessed the first ever double supply chain attack, in which the compromise of one software vendor was used to compromise a second one (the 3CX incident, where the attackers’ initial foothold came through a trojanized installer from another vendor, Trading Technologies). The approach is likely to be borrowed by other cybercriminals. Another type of threat is related to open-source platforms such as public package registries: attackers upload malicious packages, often under names that mimic legitimate ones, which are then pulled into the builds of the platform’s users.

Ransomware still on top

Digital extortion isn’t going anywhere. Why would cybercriminals abandon it when organizations still rely on basic security tools? Gaining initial access is relatively simple thanks to widely distributed stolen credentials, and such attacks have proved highly profitable. Ransomware groups will continue to recruit accomplices through dark web forums and run ransomware-as-a-service (RaaS) programs that operate like organized crime enterprises. RaaS operators will focus on developing the ransomware, building and optimizing control panels, and laundering the proceeds, while outsourcing all attack-related activity to affiliates.

AI is the new oil of cybercrime

Organizations are integrating AI into their daily routines more and more to improve and even secure their workflows, but it is also a blessing for threat actors, who are always looking for new infection vectors. Cybercriminals are expected to exploit AI-based technology in many ways. They will keep jailbreaking existing platforms. Cutting-edge AI-based tools such as ChatGPT will be used to (a) develop malware without the technical skills that were previously required, (b) learn about necessary techniques, (c) role-play attacks to better understand how victims might behave, and (d) improve existing tools.

In addition to using jailbroken language models, threat actors will develop their own GPT-style tools designed to help them fine-tune their phishing and social engineering attacks. For instance, AI is expected to be used more and more to improve the quality of deepfake audio and video for phishing attacks (e.g., voice-cloned scam calls).

Furthermore, AI-based systems will become attractive targets for threat actors because they are new and most organizations have little experience securing them. Many companies opt for publicly available AI models rather than developing their own. Users of AI frequently paste in various types of data, including confidential information such as internal source code, financial details, and trade secrets, as well as credentials used for authentication in internal systems. Threat actors will aim to acquire such data by various means, including the most straightforward one: searching for AI service accounts in the logs of information-stealing malware, or simply phishing for them.

Clouds of logs: An infection vector at no cost

Cybercriminals know that compromising a single host belonging to one employee can serve as a blueprint for executing a large-scale attack on a whole organization. Services called Underground Clouds of Logs (UCLs), which resell the raw logs harvested by information stealers (browser-saved passwords, session cookies, and autofill data), have been gaining momentum. For a relatively small fee, or even free of charge, UCL services give less-skilled threat actors access to this data without their having to use more demanding techniques such as phishing or exploitation of public-facing applications. Instead, UCL services let cybercriminals focus on searching the logs for valid accounts for internal services, or for legitimate credentials for external remote services, depending on the organization they want to target.

Given that the number of offers of access to compromised hosts on UCLs is growing each year (by 30% in 2023 compared to 2022), it is likely that threat actors will use this low-cost or no-cost approach to gain access to companies more and more often.
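Attackers search stealer logs for accounts on the domains they want; defenders can run the same search for the domains they own and for the SaaS and AI services their staff use (the exposure described in the AI section above). The script below is an added example, not Group-IB’s code. The blank-line separated URL/USER/PASS block layout mirrors the "Passwords.txt" files most infostealer families emit, but the labels vary by family, so the parser accepts a few common variants; the log, the domains, and every user and password in it are constructed for the demonstration.

```python
# Added example (not Group-IB's code): search a stealer-log credential dump
# for accounts on the domains you are responsible for, and spot password
# reuse across services. The block layout (URL / USER / PASS separated by
# blank lines) follows the common infostealer "Passwords.txt" format, with
# a few label variants accepted. The log and every domain, user and
# password in it are constructed for this example.
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE_LOG = """\
URL: https://sso.example-corp.test/adfs/ls/
USER: j.doe@example-corp.test
PASS: Winter2023!

Host: https://vpn.example-corp.test/remote/login
Username: jdoe
Password: Winter2023!

URL: https://ai.example-saas.test/auth/login
USER: j.doe@example-corp.test
PASS: Winter2023!

URL: https://shop.unrelated.test/account
USER: jdoe88
PASS: qwerty
"""

# Label spellings seen across stealer families (assumption; extend as needed).
FIELD_LABELS = {
    "url": ("url", "host", "hostname", "site"),
    "user": ("user", "username", "login", "email"),
    "password": ("pass", "password", "pwd"),
}


@dataclass(frozen=True)
class Credential:
    host: str
    user: str
    password: str


def parse_stealer_log(text: str) -> list[Credential]:
    """Parse blank-line separated label: value blocks into Credential records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            label, sep, value = line.partition(":")  # first colon only; URLs keep theirs
            if not sep:
                continue
            key = label.strip().lower()
            for canonical, aliases in FIELD_LABELS.items():
                if key in aliases:
                    fields[canonical] = value.strip()
        if {"url", "user", "password"} <= fields.keys():
            host = urlsplit(fields["url"]).hostname or fields["url"]
            records.append(Credential(host.lower(), fields["user"], fields["password"]))
    return records


def in_scope(host: str, domains: set[str]) -> bool:
    """True if host is a watched domain or a subdomain of one (not a look-alike)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def exposed_accounts(records: list[Credential], domains: set[str]) -> list[tuple[str, str]]:
    """(host, user) pairs on watched domains. Passwords are deliberately omitted
    so the result can go straight into a ticket."""
    return [(r.host, r.user) for r in records if in_scope(r.host, domains)]


def reused_passwords(records: list[Credential]) -> dict[str, list[str]]:
    """Map a fingerprint of each password seen on more than one host to those hosts.

    Reuse means resetting the one corporate account is not enough: every
    listed service needs attention. Only a hash prefix is returned, never
    the password itself.
    """
    hosts_by_password = defaultdict(set)
    for r in records:
        hosts_by_password[r.password].add(r.host)
    return {
        hashlib.sha256(pw.encode()).hexdigest()[:12]: sorted(hosts)
        for pw, hosts in hosts_by_password.items()
        if len(hosts) > 1
    }


if __name__ == "__main__":
    recs = parse_stealer_log(SAMPLE_LOG)
    watched = {"example-corp.test", "ai.example-saas.test"}
    for host, user in exposed_accounts(recs, watched):
        print(f"exposed: {user} on {host}")
    for fingerprint, hosts in reused_passwords(recs).items():
        print(f"password {fingerprint} reused on: {', '.join(hosts)}")
```

Two details matter in practice: the domain match must be a suffix match on a dot boundary, otherwise look-alike hosts (a phishing domain containing your name) show up as your assets, and the output should never carry the plaintext password, since the report will be forwarded far more widely than the log itself.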

Apple threats on the rise

A clear trend in 2023 was a shift from the traditional targets (Windows and Android) to Apple platforms. This follows Apple’s growing market share, and iOS and macOS devices are also more and more often adopted in the corporate world.

Apple is now officially allowing third-party app stores to distribute iOS apps in Europe. The change is due to Apple being designated a “gatekeeper” under the EU’s Digital Markets Act (DMA). Threat actors are likely to use this development to their advantage.

Threat actors are also expected to continue adapting schemes typically used against Android to iOS. A prime example is a recently discovered iOS Trojan that Group-IB named GoldPickaxe, a modified version of the Android Trojan GoldDigger with new capabilities. Its functions include stealing facial recognition data, photos of ID documents, and SMS messages. More details can be found in our blog post.

The trend is also not limited to iOS – we have noticed an increase in discussions on underground forums regarding the development and sale of various types of macOS malware. When we compare the sales figures for macOS stealers in 2022 and 2023 on prominent underground forums specializing in malicious software sales, we can see a fivefold increase.

All this indicates that 2024 will see a rise in threats targeting Apple devices.

Nation-state actors, hacktivists, and global conflicts: No part of the world is immune

When the world is in flames, nation-state actors and hacktivists are on fire. The year 2023 was no exception, and 2024 is unlikely to give us a break, either.

The main targets of nation-state actors are expected to be government and military bodies, with the aim of collecting strategically important information and weakening government entities. Sectors such as financial services, telecommunications, and manufacturing could also be affected. Countries involved in the ongoing political and military conflicts will be at the forefront of attacks by nation-state threat actors. Meanwhile, phishing will remain the most common way of initiating attacks.

Nation-state actors are usually highly skilled and dangerous. Hacktivists, on the other hand, are typically less skilled and resort to simpler methods such as DDoS attacks, defacement, and data leaks, which are easier to protect against. However, a growing number of IT professionals are joining their ranks, and their sheer numbers alone are enough to make them a significant threat to businesses and organizations.

Use of legitimate tools: A new angle

More and more threat actors are exploiting legitimate services to control malware and facilitate data exfiltration. Although the technique is not new, the trend has intensified noticeably since 2023, across various threat actor groups. The trend does not necessarily mean that legitimate services are not secure. Rather, it highlights how adaptable threat actors are in exploiting such platforms.

Previously, threat actors used legitimate services mainly to distribute malware (e.g., through cloud storage) or to obtain additional commands or backup command-and-control (C2) addresses (e.g., from posts on X, formerly known as Twitter, or on GitHub). Now they are also leveraging legitimate platforms such as Telegram to store exfiltrated data. The trend towards convenience in orchestrating attacks has led many APT groups to adopt Telegram or the webhooks of legitimate applications. Telegram is used not only for storing data but also for controlling infected devices directly, by sending commands through Telegram itself, a departure from dedicated C2 infrastructure.

Techniques that were once exclusive to APTs are becoming common among less specialized threat actors. Many stealer families and phishing kits already use Telegram as the exfiltration point for compromised data, and RATs and even post-exploitation frameworks traded on underground forums or published openly now offer control through legitimate services out of the box.
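Because these services cannot simply be blocked, the useful signal is how a host talks to them. The script below is an added example, not Group-IB’s code: it scans proxy-log lines for the two URL shapes that automated tooling uses, the Telegram Bot API (https://api.telegram.org/bot<bot id>:<secret>/<method>) and Discord webhooks (https://discord.com/api/webhooks/<id>/<token>), both as documented publicly by those services. Ordinary Telegram clients speak MTProto and do not call the Bot API, so a workstation doing so is worth a look. The log lines are constructed, and their layout (timestamp, client IP, HTTP verb, URL, status, size) is an assumption to adapt to your proxy’s format.

```python
# Added example (not Group-IB's code): flag proxy-log requests in which a
# host uses a messaging service the way malware does, i.e. through the
# Telegram Bot API or a Discord webhook, rather than as a normal user.
# URL shapes per the services' public API docs; log lines are constructed
# and their column layout (ts client verb url status size) is an assumption.
import re
from collections import Counter
from dataclasses import dataclass

TELEGRAM_BOT_API = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<ident>\d+):(?P<token>[A-Za-z0-9_-]{30,})/(?P<method>\w+)"
)
DISCORD_WEBHOOK = re.compile(
    r"^https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(?P<ident>\d+)/(?P<token>[A-Za-z0-9_-]+)"
)

SAMPLE_LOG = """\
1710000001.123 10.0.0.15 POST https://api.telegram.org/bot123456789:AAEconstructedExampleTokenValue0123456/sendDocument 200 48210
1710000002.456 10.0.0.15 GET https://api.telegram.org/bot123456789:AAEconstructedExampleTokenValue0123456/getUpdates 200 512
1710000003.789 10.0.0.22 POST https://discord.com/api/webhooks/1122334455/abcDEF_ghi-JKLconstructed 204 9001
1710000004.000 10.0.0.30 GET https://web.telegram.org/a/ 200 1200
1710000005.000 10.0.0.30 GET https://example.test/index.html 200 700
"""


@dataclass(frozen=True)
class Hit:
    client: str
    service: str
    ident: str           # bot id or webhook id: safe to share, pivots to the actor's channel
    redacted_token: str  # never keep the full token; it grants access to the channel
    method: str          # Bot API method, or the HTTP verb for webhooks
    size: int            # request size column from the (assumed) log layout


def redact(token: str) -> str:
    """Keep a short prefix so analysts can correlate, drop the secret part."""
    return token[:4] + "***"


def flag_suspicious(log_text: str) -> list[Hit]:
    """Return one Hit per log line that calls the Bot API or a Discord webhook."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        _ts, client, verb, url, _status, size = parts[:6]
        if m := TELEGRAM_BOT_API.match(url):
            hits.append(Hit(client, "telegram", m["ident"], redact(m["token"]), m["method"], int(size)))
        elif m := DISCORD_WEBHOOK.match(url):
            hits.append(Hit(client, "discord", m["ident"], redact(m["token"]), verb, int(size)))
    return hits


def per_client_summary(hits: list[Hit]) -> dict[str, tuple[int, int]]:
    """client -> (request count, total size). Uploads via sendDocument plus
    steady getUpdates polling from one host is the C2-over-Telegram pattern."""
    counts: Counter = Counter()
    volume: Counter = Counter()
    for h in hits:
        counts[h.client] += 1
        volume[h.client] += h.size
    return {c: (counts[c], volume[c]) for c in counts}


if __name__ == "__main__":
    found = flag_suspicious(SAMPLE_LOG)
    for h in found:
        print(f"{h.client} -> {h.service} id={h.ident} token={h.redacted_token} {h.method} {h.size}B")
    print(per_client_summary(found))
```

The bot or webhook identifier is worth recording in full: it is not a secret, and it lets you tie separate infections to the same operator channel. The token is the opposite, since anyone holding it can read or post to that channel, so the detection should store only a prefix.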

Threat actors are using legitimate services and infrastructure to conceal their activity, which makes such threats harder to detect and fight. Blocking the services outright is rarely an option, so detection has to key on how a host uses them (which API endpoints it calls, how regularly, and how much data it sends) rather than on the destination alone. In the future, these techniques are likely to be refined further, and new exploitation and malware management methods are likely to emerge alongside them.

Conclusion

Our highlights are just the tip of the iceberg. We recommend reading the full report, which offers a comprehensive description of region-specific and global threats. It’s important to be aware of all the various types of cybercrime, including those that stay out of the spotlight. Such threats prosper, and the number of criminals involved in them keeps growing. Our report will help you keep up with emerging criminal strategies such as unusual malware communication patterns, which is crucial if you want to adapt to the ever-evolving cybercrime scene and protect your digital and financial assets.


Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime