Off-the-shelf offensive security tools and poorly configured cloud environments create openings in the attack surface, according to Elastic.
Adversaries are utilizing off-the-shelf tools
Offensive security tools (OSTs), including Cobalt Strike and Metasploit, made up ~54% of observed malware alerts. The most prevalent malware family observed this year was Cobalt Strike, accounting for 27.02% of infections.
Cobalt Strike is a very mature commercial post-exploitation framework with an experienced research and development team. It is so effective that threat actors frequently steal and weaponize this product to further their malicious objectives, rather than the benign purpose it was intended for.
Malware families such as Gafgyt (3.12%), Mirai (2.09%), and Bedevil (1.84%) appeared less often than in prior years, which may be a reflection of attempts to neutralize botnets from propagating. These malware families are typically distributed to Internet of Things (IoT) devices like residential broadband routers using hardcoded credentials or unpatched vulnerabilities, and are used to launch distributed DDoS attacks and to hijack advertising or DNS networks.
Enterprises are misconfiguring cloud environments
47% of Microsoft Azure failures were tied to storage account misconfigurations, while 44% of Google Cloud users failed checks related to BigQuery, specifically due to a lack of customer-managed encryption. S3 checks accounted for 30% of Amazon Web Services (AWS) failures — specifically a lack of MFA being implemented by security teams.
Credential access accounted for ~23% of all cloud behaviors, primarily in Microsoft Azure environments. There was a 12% increase in brute force techniques — making up nearly 35% of all techniques in Microsoft Azure.
While endpoint behaviors accounted for ~3% of the total behaviors in Linux, 89% of them involved brute-force attacks. There has been a 6% decrease in defense evasion behaviors over the last year.
“The discoveries in the 2024 Elastic Global Threat Report reinforce the behavior we continue to witness: defender technologies are working. Our research shows a 6% decrease in defense evasion from last year,” said Jake King, head of threat and security intelligence at Elastic. “Adversaries are more focused on abusing security tools and investing in legitimate credential gathering to act on their objectives, which reinforces the need for organizations to have well-tuned security capabilities and policies. “
The malware-as-a-service model will become more popular
In particular, changes in the cybercriminal ecosystem have motivated threat groups to abstract themselves from intrusions and the government interest this produces. As a result, there’s been an explosion of no- to low-experience threats running tools and playbooks as proxies.
This lowers the barrier to entry to a degree, though enterprises should consider that proxies without the skills and adaptability of mature threats may be easier to impact than those they are representing. However, it should also be noted that this dramatically interferes with attribution — and focusing the powers-that-be on crime-busting coalitions.
From authenticating reproduction works of art to analyzing the malicious properties of a ZIP archive, GenAI technologies are likely to have an
enduring impact in how businesses operate. However, vulnerabilities in how these models are implemented may lead to data exposure or system exploitation, or poisoning — especially in ways that may be challenging to discover.
Adversaries might discover a new way to extract privileged medical information from a healthcare prompt, or instruct a hosted model to take a disruptive action, and are likely researching methods to do so.
Although it doesn’t always feel like it, security efforts are making a difference. The tremendous attention paid to threats is proof enough that challenges are mounting for adversaries, and that’s not a coincidence.
However, mature threat actors are learning how to overcome obstacles — like leveraging inherent vulnerabilities in privileged device drivers for Windows to disable EDR sensors, injecting into privileged processes to delete critical security logs, or unloading security components to prevent security ingest from occurring.
Enterprises need to work harder to constrain public- facing systems, enforce MFA, minimize their attack surface, and protect data needed to detect threats.