Red Canary Detects Spike in Cloud Account Compromises and Email Forwarding Rule Abuse

DENVER, March 13, 2024 – Red Canary today unveiled its sixth annual Threat Detection Report, examining the trends, threats, and adversary techniques that organizations ought to prioritize in the coming months and years. The report tracks MITRE ATT&CK® techniques that adversaries abuse most frequently throughout the year, and two new and notable entries soared to the top 10 in 2023: Email Forwarding Rule and Cloud Accounts. 

Red Canary’s latest report provides in-depth analysis of nearly 60,000 threats detected with the more than 216 petabytes of telemetry collected from customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications in 2023. The report sets itself apart from other annual reports with its unique data and insights derived from a combination of expansive detection coverage and expert, human-led investigation and confirmation of threats. 

The research shows that while the threat landscape continues to shift and evolve, attackers’ motivations do not. The classic tools and techniques adversaries deploy remain consistent–with some notable exceptions. Key findings include: 

• Cloud Accounts was the fourth most prevalent MITRE ATT&CK technique Red Canary detected in 2023, rising from 46th in 2022, increasing 16x in detection volume and affecting three times as many customers in 2023 than in 2022.
• Detections for malicious email forwarding rules rose by nearly 600 percent, as adversaries compromised email accounts, redirected sensitive communications to archive folders and other places users are unlikely to look, and attempted to modify payroll or wire transfer destinations, rerouting money into the criminal’s account.
• Half of the threats in top 10 leveraged malvertising and/or SEO poisoning, occasionally leading to more serious payloads like ransomware precursors.
• Half of the top threats are ransomware precursors that could lead to a ransomware infection if left unchecked, with ransomware continuing to have a major impact on businesses. 
• Despite a wave of new software vulnerabilities, humans remained the primary vulnerability that adversaries took advantage of in 2023, compromising identities to access cloud service APIs, execute payroll fraud with email forwarding rules, launch ransomware attacks, and more.
• Uptick in macOS threats–in 2023 Red Canary detected more stealer activity in macOS environments than ever before, along with instances of reflective code loading and AppleScript abuse.

Red Canary noted several broader trends impacting the threat landscape, such as the emergence of generative AI, the continued prominence of remote monitoring and management (RMM) tool abuse, the prevalence of web-based payload delivery like SEO poisoning and malvertising, the increasing necessity of multi-factor authentication (MFA) evasion techniques, and the dominance of brazen but highly effective social engineering schemes such as help desk phishing. 

“The top 10 threats and techniques change minimally year over year, so the drift that we’re seeing in the 2024 report is significant. The rise of cloud account compromises from 46 to number 4 is unprecedented in our dataset–and it’s a similar story with email forwarding rules,” said Keith McCammon, Chief Security Officer, Red Canary. “The golden thread connecting these modes of attack is identity. To access cloud accounts and SaaS applications, adversaries must compromise some form of identity or credential, and one that is highly privileged can grant an adversary untold access to valuable accounts, underscoring the critical importance of securing corporate identities and identity providers.” 

Emerging techniques for macOS, Microsoft, and Linux users to watch out for 

The techniques section within the report highlights the most prevalent and impactful techniques observed in confirmed threats across the Red Canary customer base in 2023. While many techniques like PowerShell and Windows Command Shell persist, there were some interesting variations, including:

• Adversaries compiled malicious installers with Microsoft’s new MSIX packaging tool–typically used to update existing desktop applications or install new ones–to trick victims into running malicious scripts under the guise of downloading legitimate software. 
• Container escapes–where adversaries exploit vulnerabilities or misconfigurations in container kernels and runtime environments to “escape” the container and infect the host system.
• Reflective code loading is allowing adversaries to evade macOS security controls and run malicious code on otherwise hardened Apple endpoints.

Attackers don’t target verticals; they target systems  

The data shows that adversaries reliably leverage the same small set of 10-20 ATT&CK techniques against organizations, regardless of the victim’s sector or industry. However, adversaries do favor certain tools and techniques that may target systems and workflows that are common in specific sectors:

• Healthcare: Visual Basic and Unix Shell were more prevalent likely due to the different machinery and systems used within that industry. 
• Education: Email forwarding and hiding rules were more common, likely due to a heavy reliance on email.
• Manufacturing: Replication through removable media, such as USBs, was more common—likely due to a reliance on air-gapped or pseudo air-gapped physical infrastructure and legacy systems.
• Financial services and insurance: Less “obvious” techniques, such as HTML smuggling and Distributed Component Object Model were more common, likely due to greater investments in controls and testing.

Recommended actions:

• Validate your defenses. Look at the top threats and techniques and ask: ‘am I confident in my ability to defend each of these?’ Red Canary’s open source test library Atomic Red Team is free and easy to adopt. 
• Patching vulnerabilities is key. It remains tried and true as one of the best ways to insulate yourself from risk.
• Become a cloud expert–ensure your permissions and configurations are properly set up, and know how everyone in your organization is using cloud infrastructure, as the difference between suspicious and legitimate activity is nuanced in the cloud and requires a deep understanding of what is normal in your environment.

Learn more

• Read the full interactive report or the condensed executive summary
• Register and join the Unveiling the 2024 Threat Detection Report webinar, Today at 2:00pm ET

About the Threat Detection Report

The full report is intended as a reference library for security practitioners to improve their ability to prevent, mitigate, detect, and emulate cyber threats. It offers detailed guidance on data sources that log relevant evidence of adversary behaviors, tools that collect from those data sources, how security teams can use this visibility to develop detection coverage, and much more deeply actionable information.

The Threat Detection Report sets itself apart from other annual reports by offering unique data and insights, accompanied by recommended actions derived from a combination of expansive visibility and expert, human-led investigation and confirmation of threats.

Each of the nearly 60,000 threats Red Canary detected in 2023 were not prevented by the customers’ other expansive security controls. They are the product of a breadth and depth that Red Canary leverages to detect the threats that would otherwise go undetected.

About Red Canary

Red Canary is a leader in managed detection and response (MDR). We serve companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact. As the security ally for nearly 1,000 organizations, we provide MDR across our customers’ cloud workloads, identities, SaaS applications, networks, and endpoints. For more information about Red Canary, visit: https://www.redcanary.com.

###

Media contact:

Faith Wenger

press@redcanary.com