DENVER, September 19, 2024 – Red Canary today released a major midyear update to its annual Threat Detection Report, providing insight into how cybersecurity trends, threats, and adversary techniques evolved during the first six months of the year. The report confirms the central role of compromised identities in the attacker playbook, while underscoring the need for an operational approach to security to minimize exposure, detect threats faster, and reduce risk.
Most of the threats and techniques identified in the 2024 report still appear in the midyear update, but some notable shifts emerged. Looking at the top ten MITRE ATT&CK® techniques, Email Hiding Rule – whereby adversaries use a compromised account to create rules that delete, redirect, or mark certain emails as read or as spam to cover their tracks – was a new entrant to the list. Notably, combined with Cloud Accounts and Email Forwarding Rule, this meant three of the top ten techniques related directly to identity and cloud-native attacks.
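As an added example (not Red Canary's code or the report's own detection logic), the following Python detector applies the Email Hiding Rule and Email Forwarding Rule descriptions above to Microsoft 365 unified audit log records for the Exchange cmdlets New-InboxRule and Set-InboxRule. The cmdlet and parameter names (DeleteMessage, MarkAsRead, MoveToFolder, ForwardTo, RedirectTo, ForwardAsAttachmentTo, SubjectContainsWords and so on) are the real Exchange ones; the surrounding event layout, the tenant domain and every sample event are constructed for the demo and are assumptions, not telemetry.

```python
"""Detector for inbox rules that hide or forward mail (the behaviour the report
groups under Email Hiding Rule and Email Forwarding Rule).

Added example; not Red Canary's code. Records are constructed to resemble
Microsoft 365 unified audit log entries for New-InboxRule / Set-InboxRule.
"""
import re

INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Folders attackers route mail into because users rarely look there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history", "notes"}
# Terms attackers filter on to suppress replies, finance threads or alerts.
SUSPICIOUS_TERMS = {"invoice", "payment", "wire", "password", "hacked",
                    "phish", "suspicious", "security alert"}
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
MATCH_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords", "FromAddressContainsWords")
SEVERITY_RANK = {"low": 1, "high": 2}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(event):
    """Flatten the audit log's [{Name, Value}, ...] parameter list."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def evaluate_rule(event, org_domains):
    """Return a finding dict for a suspicious inbox rule, else None."""
    if event.get("Operation") not in INBOX_RULE_OPS:
        return None
    p = _params(event)
    name = p.get("Name", "")
    hiding, keywords, forwarding, odd_name = [], [], [], []

    # Attackers often name rules ".", ",", "a" or a single space.
    if len(name.strip(" .,-_")) <= 1:
        odd_name.append(f"minimal rule name {name!r}")
    if p.get("DeleteMessage", "").lower() == "true":
        hiding.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        hiding.append("marks matching mail as read")
    folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1]
    if folder.lower() in HIDING_FOLDERS:
        hiding.append(f"moves matching mail to {folder!r}")
    for param in MATCH_PARAMS:
        value = p.get(param, "").lower()
        hits = sorted(t for t in SUSPICIOUS_TERMS if t in value)
        if hits:
            keywords.append(f"{param} filters on {hits}")
    for param in FORWARD_PARAMS:
        for addr in EMAIL_RE.findall(p.get(param, "")):
            if addr.rsplit("@", 1)[1].lower() not in org_domains:
                forwarding.append(f"{param} sends mail to external {addr}")

    if forwarding or (hiding and (keywords or odd_name)):
        severity = "high"
    elif hiding or keywords:
        severity = "low"
    else:
        return None
    return {"user": event.get("UserId"), "client_ip": event.get("ClientIP"),
            "rule": name, "severity": severity,
            "reasons": hiding + keywords + forwarding + odd_name}


def scan(events, org_domains, min_severity="high"):
    """Evaluate every event and keep findings at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    findings = (evaluate_rule(e, org_domains) for e in events)
    return [f for f in findings if f and SEVERITY_RANK[f["severity"]] >= threshold]


ORG_DOMAINS = {"contoso.com"}  # constructed tenant domain (assumption)


def _rule(user, ip, op, **params):
    return {"Operation": op, "UserId": user, "ClientIP": ip,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Classic hiding rule: one-character name, finance keywords, RSS folder.
    _rule("alice@contoso.com", "198.51.100.23", "New-InboxRule", Name=".",
          SubjectContainsWords="invoice;payment", MarkAsRead="True",
          MoveToFolder="alice@contoso.com:\\RSS Subscriptions"),
    # Forwarding rule to an external mailbox.
    _rule("bob@contoso.com", "198.51.100.23", "New-InboxRule",
          Name="Forward to personal", ForwardTo='"Bob" [SMTP:bob.home@gmail.com]'),
    # Benign: user filing a newsletter into a normal folder.
    _rule("carol@contoso.com", "203.0.113.5", "New-InboxRule", Name="Newsletters",
          FromAddressContainsWords="news@vendor.example",
          MoveToFolder="carol@contoso.com:\\Newsletters"),
    # Low confidence: marks a team thread read, nothing else.
    _rule("dave@contoso.com", "203.0.113.9", "Set-InboxRule", Name="Team updates",
          SubjectContainsWords="standup", MarkAsRead="True"),
    # Unrelated operation, ignored.
    {"Operation": "MailItemsAccessed", "UserId": "erin@contoso.com"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, ORG_DOMAINS, min_severity="low"):
        print(f["severity"].upper(), f["user"], f["rule"], f["reasons"])
```

Run against the constructed events, alice's and bob's rules come back as high-severity findings, dave's as low, and carol's newsletter filter is not reported. In practice the same logic should also be fed the ClientIP of the rule creation, since a rule created from an IP that never appears in the user's sign-in history is the strongest corroborating signal of a compromised account.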
There were three notable shifts in the top ten threats in the past six months:
- Atomic Stealer – an infostealer that targets credentials, payment card data, keychain details, and cryptocurrency wallet information on macOS devices – made a surprise entrance at number nine of the top ten threats.
- Scarlet Goldfinch – an ‘activity cluster’ that uses fake browser updates to trick users into downloading a legitimate remote management and monitoring tool that can be abused to deploy malicious software – was another new entrant at number seven.
- ChromeLoader – a malicious browser extension that reads and hijacks browser traffic to redirect it to specific sites, likely to conduct pay-per-click advertising fraud – rose from sixth place in 2023 to the number one slot.
Within the top ten threats, there was a continued trend away from email toward web-based delivery mechanisms, which accounted for six of the threats on the list. This indicates that efforts to lock down email and make it harder for adversaries to embed malicious payloads in documents are continuing to pay off.
“While there are similarities with our previous list, it’s interesting to see ChromeLoader moving up the charts so dramatically, although this rise is due in part to improved detection capabilities for the threat. It might seem innocuous, but its broad ability to steal browser data and the potential for bad actors to re-task it for more malicious purposes make it particularly concerning,” said Brian Donohue, Principal Security Specialist, Red Canary. “The fact that Atomic Stealer is in our top ten is also remarkable given the relatively low percentage of our sample formed by macOS devices. We’d strongly urge organizations with a significant macOS footprint to double down on user education around downloading software from untrusted sources. More widely, organizations can defend against web-based delivery with measures like ad-blocking solutions, browser extension allow/blocklists, and GPOs that open potentially dangerous attachments in Notepad by default.”
User identities are still the weak link in the chain
The report also provides analysis of emergent or otherwise interesting threats and techniques that security professionals should take note of, such as:
- Adversary in the Middle (AitM) attacks: Adversaries frequently use AitM attacks to bypass multi-factor authentication (MFA). They create seemingly legitimate login pages to lure users into entering credentials and MFA codes, relaying the details in real time to gain access.
- Token theft: There is a growing trend of adversaries stealing session tokens after compromising a cloud service or account, then replaying them to act as the associated identity without re-authenticating. This technique is of especially high risk in AWS environments, where adversaries extract security tokens that ultimately allow them to perform actions within the cloud tenant.
- Permission sprawl: Organizations also need to be wary of permission sprawl, ensuring they maintain tight control of user privileges across different tools and systems. With thousands of users to manage, it is very easy to grant over-privileged access roles.
- Application consent phishing: Adversaries often register malicious applications then trick users into granting them permissions that allow the bad actor to access other systems and data via the cloud.
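The token theft item above is the one on this list that leaves a clean, queryable trace: a stolen AWS session token is the same access key ID as the victim's, so the key shows up in CloudTrail from two networks at once. As an added example (not Red Canary's code), the following Python detector groups CloudTrail-style events by access key and flags any key that is also used from an IP outside a trusted range, labelling STS temporary keys (ASIA prefix) separately from long-term IAM keys (AKIA prefix) and listing the reconnaissance and persistence calls made from the foreign address. The field names eventTime, eventName, sourceIPAddress, userAgent and userIdentity.accessKeyId are real CloudTrail fields; the trusted network range, account ID, key IDs and every event are constructed for the demo and are assumptions.

```python
"""Spot an AWS credential (especially an STS temporary key, prefix ASIA) being
used from more than one network: the trace left when a session token is stolen
and replayed from attacker infrastructure.

Added example; not Red Canary's code. Events are constructed to look like
CloudTrail records; the trusted range and all values are made up.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Calls an intruder typically makes to orient and entrench after replaying a token.
SENSITIVE_CALLS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "CreateAccessKey",
                   "CreateUser", "AttachUserPolicy", "PutUserPolicy", "AssumeRole"}
# Assumed corporate egress range; activity from here is never "foreign".
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _is_trusted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_reused_credentials(events, trusted_networks=TRUSTED_NETWORKS):
    """Group events by access key; flag keys also used from an untrusted IP."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        first_seen = {}  # source IP -> first time this key was used from it
        for ev in evs:
            first_seen.setdefault(ev["sourceIPAddress"], _ts(ev["eventTime"]))
        home_ip, home_time = next(iter(first_seen.items()))
        foreign = {ip: t for ip, t in first_seen.items()
                   if ip != home_ip and not _is_trusted(ip, trusted_networks)}
        if not foreign:
            continue  # one network, or only movement inside trusted ranges
        sensitive = [(ev["eventName"], ev["sourceIPAddress"]) for ev in evs
                     if ev["sourceIPAddress"] in foreign and ev["eventName"] in SENSITIVE_CALLS]
        findings.append({
            "access_key_id": key,
            "credential_type": "temporary" if key.startswith("ASIA") else "long-term",
            "principal": evs[0]["userIdentity"].get("arn"),
            "home_ip": home_ip,
            "foreign_ips": sorted(foreign),
            "minutes_until_reuse": int((min(foreign.values()) - home_time).total_seconds() // 60),
            "sensitive_calls_from_foreign_ip": sensitive,
        })
    return findings


def _ev(time, key, arn, ip, name, agent):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent, "userIdentity": {"accessKeyId": key, "arn": arn}}


# Constructed identities and clients (assumptions).
DEV_ROLE_ALICE = "arn:aws:sts::123456789012:assumed-role/DevRole/alice"
DEV_ROLE_BOB = "arn:aws:sts::123456789012:assumed-role/DevRole/bob"
CI_USER = "arn:aws:iam::123456789012:user/ci-deploy"
CLI = "aws-cli/2.15.0"
BOTO = "Boto3/1.34.0 Python/3.11"

# Constructed sample CloudTrail-style events, not real telemetry.
SAMPLE_EVENTS = [
    # Long-term key used from the office, then hours later from an unknown VPS.
    _ev("2024-05-14T09:00:00Z", "AKIAEXAMPLE333", CI_USER, "203.0.113.10", "DescribeInstances", CLI),
    # Alice's role session from the office...
    _ev("2024-05-14T10:00:00Z", "ASIAEXAMPLE111", DEV_ROLE_ALICE, "203.0.113.10", "DescribeInstances", CLI),
    _ev("2024-05-14T10:04:00Z", "ASIAEXAMPLE111", DEV_ROLE_ALICE, "203.0.113.10", "GetObject", CLI),
    # ...replayed twelve minutes later from an unknown host with a different client.
    _ev("2024-05-14T10:12:00Z", "ASIAEXAMPLE111", DEV_ROLE_ALICE, "198.51.100.77", "GetCallerIdentity", BOTO),
    _ev("2024-05-14T10:13:00Z", "ASIAEXAMPLE111", DEV_ROLE_ALICE, "198.51.100.77", "ListBuckets", BOTO),
    _ev("2024-05-14T10:15:00Z", "ASIAEXAMPLE111", DEV_ROLE_ALICE, "198.51.100.77", "CreateAccessKey", BOTO),
    # Bob's session moves between two trusted office egress IPs: benign.
    _ev("2024-05-14T10:00:00Z", "ASIAEXAMPLE222", DEV_ROLE_BOB, "203.0.113.11", "ListBuckets", CLI),
    _ev("2024-05-14T10:20:00Z", "ASIAEXAMPLE222", DEV_ROLE_BOB, "203.0.113.12", "GetObject", CLI),
    _ev("2024-05-14T11:00:00Z", "AKIAEXAMPLE333", CI_USER, "192.0.2.50", "DescribeInstances", CLI),
]

if __name__ == "__main__":
    for f in find_reused_credentials(SAMPLE_EVENTS):
        print(f)
```

On the constructed events the detector reports alice's temporary key (replayed from 198.51.100.77 twelve minutes after its last office use, followed by GetCallerIdentity, ListBuckets and CreateAccessKey) and the long-term ci-deploy key, while bob's move between two trusted office addresses is ignored. The trusted-range allowlist is what keeps the rule usable: without it, every laptop that roams between networks during a role session would fire, so the list should cover VPN and office egress, and the user agent change (aws-cli to Boto3 here) is worth surfacing as a second signal.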
“While identity compromise has always been a significant threat, our midyear update highlights it is becoming even more prevalent,” concludes Keith McCammon, Chief Security Officer, Red Canary. “There are solutions that can fortify defenses against these threats, notably phishing-resistant multi-factor authentication, passwordless authentication, conditional access, and monitoring of behaviors and APIs. However, while some of these controls are broadly attainable, others can be expensive and operationally complex. This is why it’s essential to seek out not only technical solutions, but to build teams and seek out partners who can maximize their effectiveness, and deliver around-the-clock operational capabilities.”
About the report
The midyear update to the 2024 Threat Detection Report provides in-depth analysis of the confirmed threats detected from the petabytes of telemetry collected from Red Canary customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications in the first six months of 2024.
The Threat Detection Report sets itself apart from other annual reports with its unique data and insights derived from a combination of expansive detection coverage and expert, human-led investigation, and confirmation of threats.
About Red Canary
Red Canary is a leader in managed detection and response (MDR). We serve companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact. As the cornerstone security operations partner for nearly 1,000 organizations, we provide MDR with industry-leading threat accuracy and a world-class customer experience across identities, endpoints, and cloud. For more information about Red Canary, visit: https://redcanary.com/.
###
Media contact:
Faith Wenger
press@redcanary.com