Incident Response Report - 2024
Discover the latest threat actor tactics and get real-world insights and expert recommendations to better safeguard your organization.
Discover the latest threat actor tactics and get real-world insights and expert recommendations to better safeguard your organization.
As the leader of Unit 42® by Palo Alto Networks®, I have the opportunity to work closely with our clients and my team on some of the largest and most complicated cybersecurity incidents.
In the past year, we have seen threat actors making larger and faster moves that damage their targets. The Unit 42 Incident Response and Threat Intelligence teams helped hundreds of organizations assess, respond, and recover from cyberattacks. We helped reduce operational downtime and got them back to business quicker.
Along the way, we collected data about the incidents.
In this report, we bring you the insights from that data. It’s part of how we empower organizations to proactively navigate cyber risks, strengthen security approaches, and respond to incidents with unmatched efficiency.
That’s the mission that drives Unit 42: protect the digital world from cyberattacks.
Here are the top areas of focus I’d like you to take away.
The time between initial compromise and data exfiltration is decreasing. Attackers are sometimes beginning to exfiltrate data in hours, not days. Defenders need to speed up as well.
They were behind the largest-scale attack campaigns in 2023. They lead the list of ways attackers get in. Measure your threat surface, then fix it quickly and comprehensively.
They’re more organized, with specialized teams for different parts of the attack. They’re more knowledgeable and able to use IT, cloud, and security tools as weapons of offense. And they’re more efficient, using processes and playbooks to achieve their goals more quickly.
And this is all happening at the same time as artificial intelligence (AI) is a top concern. While attackers may benefit from new AI capabilities, defenders already do. And we’re actively working on even more AI-driven abilities.
That’s why we’re here. Unit 42 helps you stay ahead of the adversaries. We help you prepare for, contain, remediate, and eradicate the threat. We think security should be intelligence driven and response ready. Every day should be safer than the last.
And in June 2024, Unit 42 was named a Leader in The Forrester Wave™: Cybersecurity Incident Response Services, Q2 2024. We see this achievement as a testament to our unwavering commitment to our clients’ security needs and the proven effectiveness of our incident response approach.
Contact us directly if you’d like to know more about what Unit 42 can do with you. We’re here to help.
Senior Vice President, Unit 42
New headlines covering nation-state threat actors come out every day–not to mention news of the latest vulnerabilities and security risks. Your time is more valuable than ever, and sorting out which threats really matter is a difficult task.
This report helps because it gathers real-world information from organizations like yours, so you can learn which threats really affect your peers–and how you can face them. Read on to find out how threat actors gain access to organizations, what they do once they get in, and how our incident responders’ top recommendations help you stop them.
Cybersecurity can often feel like an endless battle between attackers and defenders. At Unit 42, we believe intelligence, insight, and preparation still gives defenders the edge. We think the story of cybersecurity can be hopeful, with a strategic understanding of the threats we face today.
As an executive responsible for safeguarding your organization, you’ll find analysis and insights to help you make strategic decisions about how best to invest time, resources, and money. Every day, Unit 42 sees world events turning into specific impacts on organizations.
Guiding an organization through a high-profile breach is not easy. Leaders in the current landscape face supply chain attacks and breaches at partners or suppliers that suddenly unleash security risks from unexpected directions.
The key to surviving major incidents is to:
A deep understanding of today’s threat landscape can help you lead your people and your organization to a strong and resilient security posture.
Perhaps you’re the head of your organization’s security operations center
(SOC).
We’ll show you the Unit 42 take on key aspects of today’s threat
landscape. And, this report offers detailed information such as MITRE
ATT&CK® techniques and specific recommendations that will support
you in making the tactical decisions needed to protect your organization’s
way of life.
We also offer information that will help you support your personal everyday way of life. We hear all the time that one of the greatest risks for defenders of organizations is burnout–and running a SOC 24/7 can’t become something that consumes every minute of your life. Watch for recommendations about automation, AI, and other technologies that can help you focus your limited human resources where they most need to be.
By learning what other organizations are facing, you can increase your own resilience–without having to learn lessons the hard way.
Even if you’re not directly responsible for protecting your organization from cyberattacks, cybersecurity considerations touch all of us.
Communications professionals may need to prepare for public disclosures. Legal departments may benefit from understanding how sensitive data can be put at risk. And human resources departments may need to consider how to protect employees from threat actor harassment.
No matter your role, understanding today’s threat landscape will deepen your ability to meet today’s challenges.
We talk more about these findings, our recommendations, and what they mean for defenders, on Episode 16 of the Unit 42 Threat Vector podcast.
If you find yourself wanting an experienced guide through that landscape–whether you’re faced with an incident or considering how to prepare for or prevent one–Unit 42 is always glad to help. Please contact us.
As the global head of operations at Unit 42, I oversee our incident response engagements around the world. They’re severe incidents that have escalated beyond what the target organizations could manage on their own.
From this unique vantage point, I’ve seen some common themes emerge. Not just in the defensive mistakes, but also the strategies threat actors used to succeed.
This report distills these observations. Here are some of the top takeaways.
In 2023, by far the most damaging threat actor was a group we call Muddled Libra. They’re a criminal group focused on financial gain. They are also one of the most aggressive threat actors in the landscape today. Countering their attacks is a challenge for defenders of small and large organizations alike. This report has a special section on them, including an analysis of what they do and how you can defend against them.
Of course, they weren’t the only group in the mix. We also responded to compromises from other criminal groups, state-aligned actors, and some groups that we don’t know enough about yet to characterize.
Answering this question of “who” is one of the things that Unit 42 Threat Intelligence is great at. We’ll keep researching and uncovering attackers wherever they try to hide.
In the past year, attackers’ initial access most often started with a software vulnerability. The largest attack campaigns began with successful exploitation of internet-facing systems. From there, the stories varied.
Naturally, we also saw other techniques, from attackers using previously stolen credentials, phishing (both in email and chat), and more.
But don’t be misled–though phishing lost the top spot and dropped to number three, it’s still a serious threat. Attackers leverage phishing attacks for access, credentials, and tokens, rather than trying to drop malware.
The top six industries in our casework stayed the same this year, and they accounted for 63% of our cases:
Professional and legal services
Healthcare
High technology
Finance
Manufacturing
Wholesale and retail
Although their relative positions within the six have changed a little from year to year, the total number of cases for these industries is consistent.
The upshot is that cyberattacks continue to be a problem faced by organizations in all industries. And while certain attackers have turned their focus to a particular vertical from time to time, ultimately, every organization needs to be response ready.
I hope you enjoy reading about some of the investigations, research, and intelligence my team developed for this report. More importantly, I hope you’ll use it to make your organization more secure, your infrastructure more resilient, and every day safer than the one before. Reach out to me to explore ways we could help you do so.
Vice President, Global Head of Operations, Unit 42
There were three security weaknesses that weren’t themselves the cause of incidents, but made attackers’ lives easier. Address these, and you’ll be helping yourself and hurting them.
It's only a matter of time. Unpatched vulnerabilities on internet-facing systems will be exploited. Measure and reduce your attack surface, and you’ll improve this.
Our incident responders found that organizations with partial or incomplete deployment of security controls (especially endpoint detection and response tools) allowed attackers to operate from parts of the network that weren’t defended. Deploy your defenses everywhere, and you’ll deny them this advantage.
More attackers are stealing and using the identity of authorized personnel to access and move around networks. Make that harder and embark on or continue a journey toward Zero Trust networking, and you’ll pressure attackers into making mistakes you can see.
Unit 42 has worked on over a dozen intrusion cases that involved an adversary we call Muddled Libra, including several very large and visible incidents.
Muddled Libra is a sophisticated, tenacious, and damaging adversary. We don’t believe they are state-sponsored, but they are as aggressive and as skilled at attack operations as some advanced, persistent threat (APT) groups.
The group includes people with strong English language skills, which they use in written and spoken communications. It’s possible they speak English as a first language, and it’s possible they are located in North America, or even the United States.
Their ransom demands are very large, often in the tens of millions of USD. And of course, they demand payment in cryptocurrency.
Once inside an environment, they actively monitor defenders’ internal communications to understand when and how they have been detected, to improve their ability and speed of data theft. They also determine how to remain in the environment even during and after eradication attempts.
This group’s technical competence is higher than usual. They can select members from a large group of criminals with diverse skill sets. Within a certain subset of the criminal community, being a part of Muddled Libra carries cachet – and can be lucrative.
Defending against this attack group is difficult. It requires sustained effort, potentially multiple times. You’ll need to defend across the entire spectrum of your organization, from premises to cloud to remote workers and software-as-a-service (SaaS) tools. And when you do, they will fight back at the same time to maintain their access.
Muddled Libra has undergone some changes in the months leading up to summer 2024. This group evolves and changes its targets and tactics more often than other threat actors.
We have seen a downtick in activity related to this threat actor since late 2023. That may be an organizational regrouping, a change in our visibility, or related to law enforcement activity against the group. However, the reduction in case numbers doesn't equal a reduction in risk. The group is still active and the consequences of its attacks are serious.
Perhaps the most notable changes are the group’s resilience against defense. They have successfully adapted to defenders' mitigations, and the game of cat-and-mouse continues.
For example, early incidents from this group leveraged SMS “smishing” lures. As organizations remove SMS as a second factor – a move we encourage – the threat actor adapted, choosing methods to also compromise push-based second factor and other mitigations. When defenders began implementing network-level blocking of known VPN providers, the attackers began using access through residential proxies. Attacker sessions from these proxies appear to originate from the same kinds of Internet connections in the same locations that employees regularly use.
Similarly, the threat group adapted in later stages of the incident. They gave up remote management tools that were easily detected by defenders, and moved instead to legitimate system management tools that the defenders themselves were using.
The threat actor is targeting cloud assets more heavily. Sometimes, they will pass up on-premise infrastructure and concentrate their efforts on accessing and stealing data from SaaS and cloud service provider (CSP) environments instead. They are skilled at CSP compromise and move easily through infrastructure providers.
We even see them using legitimate scalability and native CSP functionality to help themselves more easily steal and exfiltrate data. While all CSPs have terms of service policies that explicitly prohibit this kind of activity, that doesn’t seem to matter to this threat group.
In 2023, Muddled Libra joined the ALPHV/Blackcat ransomware-as-a-service affiliate program. But, after the U.S. Justice Department interrupted ALPHV's operations, Muddled Libra attacks shifted to simpler (and quieter) data theft followed by extortion. Nevertheless, we have also seen this group experimenting with wiper malware.
Unit 42 has published a detailed blog post on changes in the exploits, reconnaissance and exfiltration techniques of this group. We maintain a threat group assessment as well, with details about the group’s activities at various stages of the attack chain. And we published a case study of Unit 42 helping a client defend successfully against this threat actor.
This threat group tends to focus its attacks on a few verticals at a time, conducting activity against several to many members of the vertical, before winding down activity and changing focus to another industry.
Early attacks from this group focused on telecom providers and business process outsourcing (BPO) organizations. These incidents appeared to be supply-chain attacks, in which the threat actor tried to compromise organizations and systems that would give them access to cryptocurrency assets.
For example, many online systems use SMS as a second factor of authentication. By compromising a telecom provider, Muddled Libra gained access to SIM-swap or port-out telephone numbers. Together with compromised first-factor credentials, the threat actor could steal cryptocurrency from a target and leave little recourse.
In the latter half of 2023, along with joining the BlackCat/AlphV ransomware group as an affiliate, Muddled Libra shifted or added to its targeting to include larger organizations that are particularly sensitive to service interruptions. Incidents at several large hospitality providers were publicly reported, but that was not nearly all the activity.
In recent months, the group’s attention has turned to financial services. We have seen increasing numbers of incidents in that vertical through the first half of 2024.
Muddled Libra uses several methods to gain access to an environment such as:
Social engineering both IT helpdesk and end users
Buying access from a broker
Stealing credentials from user endpoints
Reusing compromised infrastructure or re-exploiting unfixed vulnerabilities used by a previous attacker
Perhaps the highest-impact access method is scamming the target’s IT help desk. A threat actor will call the target’s IT help desk and impersonate a valid user. They will ask for help with resetting the user’s password, changing the mobile phone number associated with the account, or otherwise adding a multifactor authentication (MFA) device. Often, the request comes with a “sob story”...or other tactic intended to manipulate the emotions of the helpdesk worker. This attack only takes a few minutes.
Muddled Libra is unusually comfortable with engaging over the telephone, with both helpdesk and other employees. They are more successful in persuading people to engage in unsafe actions as a result.
Often, they will acquire initial access by taking over a less-privileged legitimate user account. Then, they identify the more highly privileged accounts that will help them achieve their objectives and call back to take over those accounts.
In one case that Unit 42 worked, the attackers successfully hoodwinked the help desk three separate times.
Muddled Libra also buys stolen credentials from initial access brokers. The threat group has been very open about their desire to buy access to certain targets, especially in the segments they have chosen.
And if these social engineering access methods don’t work, Muddled Libra also has technical tactics to use as well.
While malware is not their first choice tool, this threat actor has used Racoon Stealer to access credentials stored in applications. They appear to focus on stealing session tokens and saved credentials. They have also been seen misusing legitimate forensics tools to search for credentials in live memory. This can be a vector if organizational credentials are stored in unmanaged systems.
And of course, given Muddled Libra’s history with supply chain compromise, it should be no surprise that they can bypass SMS-based MFA. Their main tactic is SIM swapping, moving the second factor to a device under their control. They also perform “MFA fatigue attacks,” a tactic to defeat push-based second factors.
In this tactic, the attacker uses compromised credentials to satisfy the first factor and then repeatedly solicits a second-factor push from the authorized account holder. Eventually, after many push notifications, or from a lack of caution, the authorized account holder will approve the second factor push.
In short, Muddled Libra is often as skilled and familiar with a target’s IT infrastructure as the people who manage it. And they are not constrained by change control, compliance, or corporate policy.
Muddled Libra has advanced skills and understanding of modern IT operations, compared to other threat actors.
Unlike other threat actors who typically only perform light (if any) reconnaissance on their target, Muddled Libra performs extensive research both before and during the compromise.
They have been observed accessing a target’s own technical documentation, reading incident response standard operating procedures and playbooks, “how to” documentation, and otherwise furthering their understanding of the target’s environment. Then they use this knowledge to understand where to place implants and what defenders are likely to do in response.
Muddled Libra creates multiple backdoors into environments, installing rootkits, remote management tools, and outbound tunnels that they can use for later access even if their primary access is discovered and removed. We have seen them install a half dozen or more of these utilities.
They create new accounts for themselves whose names mimic existing privileged accounts. Sometimes they reactivate existing but previously disabled accounts and use those. This tactic avoids a “new account creation” alert.
Rather than attack from obvious locations such as commercial hosting and server farms, Muddled Libra has moved to using residential proxy services such as NSOCKS and Truesocks. This makes it so that their connections appear to originate from the correct geographic location and from a plausible network provider.
Muddled Libra even attempts to access and use existing endpoint and systems management tools (such as EDR/XDR consoles, patch management, and the like) for reconnaissance, data theft, and malware deployment. And naturally, they use credential stealing tools such as Mimikatz to help them move laterally and escalate privileges.
This threat group is also adept at using current IT and cloud management tools. They’ll use the remote-management tools that are legitimately present in a target environment and also add their own. They’ll search GitHub for code and keys, and they’ll steal both.
Cloud infrastructure is just as much at risk as classic IT infrastructure. Muddled Libra can use misconfigured cloud environments from Amazon Web Services, Google Cloud Platform, and Microsoft Azure, creating service accounts and additional access keys even in the very early stages of an attack. Some organizations have thought they evicted the threat actor from their premises, only to have them come back through access from the cloud.
Virtualized environments are also at risk. If a client does not contain a compromised virtual system quickly enough, this threat actor can reverse the containment, take over the host or hypervisor and lock the target out of their own infrastructure.
And even classic on-premises infrastructure can be attacked using remote infrastructure management tools (many of which have attracted patches in the last few years) at the system and the hardware level.
They are also familiar with secure email gateways and email storage systems. They’ll change rules to redirect or intercept notifications and recovery-related email to avert detection and response. In some cases they have created rules to redirect messages from specific security vendors to the threat actors. This tactic allows them to monitor the investigation as it proceeds.
Muddled Libra has exfiltrated data to commercial file-hosting services. They have also staged their tools in these services. Network traffic monitoring often doesn’t alert on known file hosting services.
They also create and use external VPN services to create outbound tunnels for exfiltration, obscuring their traffic from inspection devices.
Defending against Muddled Libra requires sustained effort before, during, and after a compromise. Focus your energy on detecting their tactics rather than their tools. Tools can change rapidly, but tactics take longer.
Training end-users not to approve MFA requests they didn’t solicit is important. You can further reduce the human-error burden by requiring number matching as well.
Sudden high volumes of MFA requests are a bright red, waving flag, especially if they go unacknowledged or are aimed at high-privileged accounts. Have a tool and process to rapidly identify and investigate this activity. Give the analyst performing the investigation the information to go out of band quickly.
Watch for velocity changes in MFA enrollment. Most people don’t lose their phones often. Put additional scrutiny on changes to high-privileged accounts. Consider a policy that requires live visual and audible verification with a third party, such as the requestor’s direct supervisor. (And read our Spotlight on AI section about deepfakes, too.) These policies do slow down legitimate requests as well. But having a well-known policy requiring verification resists attacker attempts to pressure junior personnel into making unauthorized changes.
Guard against SIM swapping. Educate users that if their phone suddenly loses service, they should treat that as a potential security problem as well as an availability problem. Require that devices being used for corporate authentication (even personally owned devices) be locked with a PIN against port-out and SIM changes in the mobile carrier’s systems. If you don’t already use these mitigations, consider measuring the effort necessary to deploy them vs. the effort necessary to move to a more secure MFA factor such as FIDO authentication.
Watch account creation and reactivation. Alert on new account creation that doesn’t quite fit naming conventions. Alert and escalate on old or intentionally disabled privileged accounts being reactivated. AI-enabled tooling could be useful here.
Log and analyze the usage patterns of your key security tools (“Quis custodiet ipsos custodes?”) Personnel accessing an XDR platform outside their usual work hours might just be industrious, or their account might be under a threat actor’s control. Many organizations collect these kinds of audit logs but don’t ever analyze them for outliers. Do so regularly.
Watch for changes in your cloud infrastructure. Monitor both your IT infrastructure cloud (such as directory services and cloud storage) as well as service infrastructure, continuous integration and continuous delivery (CI/CD) and similar environments. Look for changes to logging settings and privileges.
Check your code repositories. Ensure you’re not inadvertently exposing secrets, of course. But also look for new connections to third-party infrastructure and unusual patterns of access.
And watch the behavior of your virtual desktop systems. Check for outlier access patterns (though this attacker’s use of residential proxies will make that more difficult.) Look for unusual process trees. (A good endpoint protection tool should catch this itself, but you should still ensure you’re running down investigative leads from time to time rather than just closing everything as a false positive to keep the metrics good.) And try to alert on unusual storage usage, to catch staging for exfiltration.
If you see red-teaming tools in your environment, make sure there is an authorized red-team engagement underway. One SOC we worked with had a company logo sticker on the wall for each red team they’d caught.
Watch which remote management tools are being used in your organization. If you see new tools you don’t normally use, or different versions of the ones you do, dig at that. And try to identify unusual usage of the tools as well. For example, if your remote tools are normally used by IT staff, but suddenly one person in finance is using them, find out why.
Endpoint management and inventory tools can help here, too. Use them to scan the fleet and identify new or low-prevalence tools and executables. Then, train your analysts and models “what good looks like” (and doesn’t.)
Be suspicious of connections to your network from commercial VPN providers. While many people use such services, especially on their personal devices, discourage them. Commercial VPN providers add little if any security to a well-defended network, especially one built on Zero Trust principles.
Hold privileged users to a higher standard. Collect and monitor the patterns of where they access their accounts from and ask about outliers. If you use a corporate messaging platform that indicates a user’s time and location (e.g., “It’s 9:43 a.m. for Alice”), that can be a quick validator for SOC personnel wondering if Alice is really logging in from Aruba.
Watch outbound access, too. Monitor for connections that look like encrypted tunnels, particularly from new or unmanaged systems. If you can interdict connections at the network level (with technology and policy) use that capability judiciously.
And watch for commercial file hosting providers. If you can restrict access to just the ones you have organizational agreements with, do that. If not, monitor connections to the ones you’re not intending to use widely and watch for high data counts in short amounts of time. We have seen terabytes of data exfiltrated in a couple of hours.
Muddled Libra is a methodical, evolving adversary that poses a substantial threat to many organizations. They’re proficient with security tooling and are able to execute rapidly and effectively even in relatively secure environments. They evolve and change tactics constantly. It’s important to stay informed about their latest techniques.
Defenders need to combine strong technology and security practices with diligent monitoring to detect and interdict this group’s activity. Because of their speed, early detection and interruption of the attack chain is even more important. You may have only a couple hours between compromise and exfiltration.
The good news? The threat raised by this adversary creates an opportunity to take a critical look at what an advanced attacker could do in your environment–and prepare improvements to frustrate them.
Unit 42 Threat Intelligence publishes and updates assessments of this threat group. And as our security consultants face Muddled Libra during incident response, we collect more information firsthand and flow that threat intelligence throughout the Palo Alto Networks platform.
Everyone wants to know how the bad guy got in, in the first place. We reviewed the data from our casework over the last several years. A few trends emerged: some changed, some stayed the same.
There were certainly a lot of security incidents in 2023, and there were definitely some times when it felt like defenders couldn’t get a break from all the exploited vulnerabilities and campaigns that occurred.
But, some key incident metrics improved.
The first question we ask in a security incident is, how was it discovered?
In Figure 1, we show the proportion of Internal, External, and Partner sources of incidents. Internal means the client discovered the incident. External means a party other than the client did. Partner, in our casework, is usually a service provider to the target–something like a managed service, managed security service, or a managed detection and response.
One data caveat here, though. Sometimes, those partner organizations appear to us to be an internal source, so there may be a little fuzziness on the Partner-Internal line. (For example, sometimes a client says they discovered an incident, but it was actually identified by their managed security services provider. For our purposes as responders, those don’t change how we conduct the investigation.)
So what does this incident discovery data mean, overall? We think it’s mostly good news. Discovering four out of five incidents internally is pretty good.
Together with the reduction in median dwell time that we (and others) have observed, this could mean that detection efforts are paying off. Compromised organizations are discovering sooner that they need to address a problem, rather than being surprised by an external party turning up with a folder full of IP addresses and bad news.
However, we wouldn’t be engineers and consultants if we didn’t ask, “How can this be improved?” It’s worth thinking about this statistic in the context of your strategic plans. How will you find incidents in the information available to you? What will you do when you find it? Can you improve on both answers? What resources do you need to be–as Daft Punk so insightfully suggested–“harder, better, faster, stronger”?
The second question in any incident response is similarly meaningful. Is this actually a security incident, or just a false alarm? Figure 2 shows that most of the time, the potential incident is confirmed.
In figure 2,“Confirmed” means what it says; this is genuinely a problem. “Suspected” means we think it was an incident, but we can’t be sure, due to some limitation. Often this was a lack of available logs or a limited scope of investigation. A “False Positive” means the alert that kicked off the investigation was a true alert, but after investigation no other impact was found. And a “Near Miss” is the lucky ticket where some unauthorized activity occurred, but no asset or information was compromised (e.g., a vulnerability was exploited successfully, but there was no further unauthorized access).
Confirmed incidents held relatively steady at around three-quarters of all incidents. The changes in Suspected (which decreased), Near Miss, and False Positive are heartening. We think it means that more organizations are willing to investigate potential incidents. That’s good for defenders. It indicates growing maturity, willingness to engage help, and improved operational ability.
Again, a caveat: This data is drawn from incidents we worked on, which by definition means someone reached out for help. So there is a set of incidents that we don’t know about and aren’t represented in this data, and it might be a large set.
At the beginning of an incident investigation, after the discovery and confirmation are known, the next questions typically ask, how did this start?
We divide our case data by type of investigation.
This data is useful to understand the large macro trends, but it shouldn’t be misinterpreted as the likelihood of getting hit by one or another type of attack. That probability is much more influenced by who you are, what data you have, and which threat actors are best matched to your threat profile.
Figure 3 shows the top five investigation types for the last several years.
These data points are a little more difficult to interpret. First, let’s clarify the terms.
We divide Extortion into two subcategories: with or without encryption. Business email compromise (BEC) means an investigation centered on unauthorized takeover of email accounts. Network Intrusion is related to unauthorized access to a network environment–accessing a system or database without authorization, for example. And Web App Compromise means unauthorized access to, and/or taking advantage of a vulnerability in, a browser-based application.
While the top five investigation types are reasonably static, making sense of them is a little tricky. (Other is also in this data series, but since it’s not meaningful in this context, we left it out)
We’ll start with a caution. One trend that looks valid in the data–but might not be in real life–is the apparent decline in extortion with encryption. Those investigations are a decreasing fraction of our casework. However, there are a couple of confounding factors.
So there may be a dataset bias at work here. The same confounding factors may be at play for BEC.
Now, with that said, there are a few things that seem reasonable on their face.
The increase in network intrusions is sensible in light of large campaigns involving software vulnerabilities (including MOVEit, Citrix Bleed, and Microsoft Exchange RCE). Likewise for Web App Compromise, which was the engine behind some truly massive campaigns in 2023, such as the SugarCRM CVE-2023-22952 authentication bypass and remote code execution vulnerability.
We refer to these as large campaigns because the vulnerability is visible from the internet. Threat actors exploited the vulnerabilities at a large scale by scanning large portions of address space looking for vulnerable systems. In the largest cases, they developed software that automated the scanning as well as the exploitation. Then, some groups automated the data theft. We’ll go into more detail about that later.
The small but present growth of extortion without encryption also fits the anecdotal evidence. Some threat actors have found that the threat of publishing non-public data is more powerful than holding it hostage, and they’re capitalizing on that.
For each incident in the set, we assigned an initial access vector: the technique that gave an attacker their first access to the compromised environment. In 2023, exploitation of internet-facing vulnerabilities shot to the top spot, displacing the previously perennial favorite, phishing.
The increases in software vulnerabilities exploitation and previously compromised credentials stand out, as does the decrease in phishing attacks.
These changes are consistent with the higher-impact threat actors’ behavior we’ve seen. As we talk about later in this report, one of the major threat groups changed during 2023. They began the year focused on phishing and social engineering the end users themselves. As time went on, they moved toward taking over their accounts by social engineering the IT helpdesk or by abusing self-service password reset procedures.
The growth of previously compromised credentials as an intrusion vector is also notable; a five-times difference in just two years. This underscores the importance of encouraging people to use a different password (or passwordless authentication) for every site. The marketplace for these credentials is vibrant and does not appear to be fading.
And a large incident at a SaaS data analysis provider in the first half of 2024 emphasized the importance of credential management and monitoring. The provider reported that some customer accounts did not require multifactor authentication, and those accounts were compromised by a threat actor using credentials stolen from elsewhere.
Coordinated takedown efforts between law enforcement and private industry effectively shut down individual marketplace sites, but replacements spring up quickly. Defenders will be fighting this problem unless and until passwordless authentication becomes the norm.
The one-year jump in software vulnerability exploitation is probably related to the several large automated intrusion campaigns that swept across the internet in 2023.
And what were those threat actors exploiting? The top exploited vulnerabilities in our 2023 dataset were:
These initial access vectors will continue to change as threat actors adapt their tactics to the ones that work at a point in time. Most threat actors are in business, after all, so they need to optimize their effort just like defenders.
In early 2024, we said,
We will have to see if [the jump in vulnerability exploitation] continues, while we hope it doesn’t.
Well… it did.
The last few months have seen continued large-scale exploitation of vulnerabilities in widely deployed internet-facing systems. Attackers remain interested in finding and using those opportunities for access to large numbers of targets in a short time. And our observations show that trend across both targeted and opportunistic threat actors.
So, what's a defender to do with this information? We think there are a few meaningful bits.
Exploiting web applications and internet-facing software as a means of initial access came roaring back in 2023. It was the engine behind some of the largest-scale, most automated intrusions.
This means that patch hygiene, along with attack surface reduction, is still relevant, still important, and still hard to achieve comprehensively in large organizations. And you need to do it quickly. We have more recommendations for mitigations later in this report.
Social engineering fell behind software vulnerabilities for the number-one spot, but it’s still a problem.
People are wired to help each other. Social engineering works in many cases because the attacker persuades someone to act against their own best interest, and a request for help does the trick.
Moreover, helping each other is one of the key goals of high-performing organizations. So, we are working against our own goals when we ask people not to trust each other or not to help someone who’s asking for assistance.
Technology can help here, but process, education, and critical thinking are just as important.
Multi-layered defense is one of the core best practices in incident resilience. All the statistics in this section are focused around initial access and the first steps of an investigation. They’re all opportunities for defenders to place a mitigation, a control, or an alerting mechanism that will block, slow, or reveal an attacker’s activity.
But none of these defenses succeeds alone. Almost any security control can be overcome by a sufficiently motivated, skilled, and resourced attacker.
The most mature organizations protect everything with multiple layers, knowing that attackers will identify and evade some controls, but they’ll also make mistakes. A perfectly executed intrusion is almost as rare as a perfect game in baseball. It only takes one hit–for the offense, or the defense.
Ransomware attacks have increasingly become a sophisticated form of cybercrime that can jeopardize large companies, government agencies and critical infrastructure. Educational institutions have shut down or failed due to ransomware attacks, and attack groups such as Muddled Libra use ransomware-as-a-service software as part of their repertoire. Real-world implications abound such as disruptions in supply chains or hospitals, or taking critical gas pipelines offline.
Extortion groups have increasingly sought to gain leverage wherever possible, particularly through multi-extortion tactics. This means that, in addition to encrypting data and holding business operations hostage until a ransom is paid, attackers often pile on additional nasty inducements to push their victims to pay. This may include stealing data and offering it for sale to the highest bidder–often publicly, through dark web leak sites.
In other cases, Unit 42 incident responders have encountered groups that harass an organization’s employees or customers.
In our observations of dark web leak sites, we saw a 49% increase in posting alleged victims when comparing similar periods in 2022 and 2023. There is much more extortion activity than what can be observed through public postings.
And multi-extortion tactics seem to be effective for attackers. As shown in tables 1 and 2, when we consider all cases involving extortion, we see various tactics used at a relatively steady rate from 2021-2023.
However, when we consider cases where payment was made, a different pattern emerges. The use of harassment in those cases has grown from less than 1% to 27% in just two years. Data theft has more than doubled in prevalence, from 40% in 2021 to 82% of cases in 2023.
In general, it is best not to pay a ransom demand. Paying enriches criminals, further encourages threat actors to continue attacking organizations, and robs victims of their funds and other resources.
With that said, there are extenuating circumstances where organizations can be left with little choice but to pay. In these cases, work with incident response experts to negotiate demands if needed. These experts can also help avoid missteps, and offer advice on technical and other potential challenges.
Extortion Tactic | 2021 | 2022 | 2023 |
---|---|---|---|
Encryption | 96% | 89.9% | 89.2% |
Data Theft | 52.8% | 59.4% | 53.3% |
Harassment | 5.1% | 8.6% | 8.3% |
Table 1: Attackers’ tactics have stayed relatively steady over the past few years when all cases are considered.
Extortion Tactic | 2021 | 2022 | 2023 |
---|---|---|---|
Data Theft | 40% | 70% | 82% |
Harassment | <1% | 20% | 27% |
Table 2: For cases involving extortion where payment was made, we saw a dramatic increase in the use of additional extortion tactics since 2021. This shows the efficacy of those tactics for attackers.
Figure 5: While in general it is best not to make payments in response to extortion, in cases where payment was made, we observed that attackers kept their promises more often than not.
When organizations decide to pay a ransom, we recommend working with a payment vendor rather than arranging direct payment. These vendors provide a number of helpful services, including due diligence checks related to potential sanctions against certain threat actor groups. Without this type of check, paying a threat actor could introduce additional legal trouble for an organization, on top of the disruption of the ransomware attack.
Ransom demands are typically payable in some form of cryptocurrency, and the associated blockchain transactions are publicly visible to an extent. If you use your own cryptocurrency wallet, you might not adequately hide the flow of currency.
For example, we’ve seen cases where organizations paid directly, allowing the threat actors to garner clues about additional funds present. Sometimes, a threat actor may use this information to demand to be paid even more than was agreed—even up to the remaining balance in the cryptocurrency wallet!
A trick like this goes hand in hand with ransomware actors’ moves toward multi-extortion. In general, they’re looking for any way they can find to make more money or push an organization to pay.
The industry has even recently seen reports of threat actors taking advantage of the US Securities and Exchange Commission (SEC) disclosure rules to open a new avenue of extortion. In mid-November, news broke of threat actors reporting their victim to the SEC, and this could be a tactic we see more in the future. By using the threat of SEC enforcement, threat actors could threaten your time–whether or not your organization has actually been breached.
Tactics like this underscore the need for broad and deep defenses. While we saw above that backups can help an organization buy time and reduce damage, they’re not enough on their own.
We recommend organizations focus on the following actions to increase their cyber resilience:
To prepare for and respond to cyber incidents, including emerging ransomware tactics like extortion, multi-extortion and harassment. Organizations that continuously review, update, and test their incident response plans– ideally with input from cybersecurity experts–are much more likely to effectively respond to and contain an active attack.
75% of ransomware attacks and breaches fielded by Unit 42’s Incident Response Team result from a common culprit–internet-facing attack surface exposure. Deploying solutions that provide centralized, near real-time visibility can help organizations identify and mitigate vulnerabilities before they can be exploited.
To modernize security operations and reduce the burden on overworked analysts. The latest technology can help organizations drive down cybersecurity metrics, like mean time to detect (MTTD) and mean time to respond (MTTR), denying attackers the time they need to compromise an organization’s systems or exfiltrate its data. Additionally, technique-based protections mapped to the MITRE ATT&CK framework can help defenses nimbly evolve in response to adversarial tactics.
This is a fundamental security principle that assumes the network is already compromised and implements processes that continuously validate the user, device, application, and data in a controlled manner. Zero Trust network architecture creates layers of security that prevent or limit an attacker from successfully moving laterally around the network. This provides victims with more time to detect, properly contain and remediate the threat.
With cloud migration accelerating, threat actors will continue to develop tactics, techniques, and procedures (TTPs) designed to target and compromise cloud workloads. Organizations leveraging cloud infrastructure should implement a cloud security program and platform that offers comprehensive cloud-native security.
It’s also important to maintain relationships that you can access quickly for help. This may include local and regional law enforcement, outside and inside counsel, and incident response assistance.
While there is no silver bullet in cybersecurity, prioritizing these recommendations will materially reduce the risk of falling victim to an attack. It also allows you to more effectively contain an attack if one does occur and help increase resilience for the entire cybersecurity ecosystem.
The AI hype machine continues to accelerate - it’s everywhere. But is AI everywhere, or just the hype?
From Unit 42's point of view, while attackers are already using and experimenting with AI, they haven't yet found "threat-market fit." We haven't seen attackers getting a big impact from AI enablement. We think that effect is still a year or two out.
AI is helping defenders, already. Co-pilots in security tools help defenders make decisions that would otherwise need escalation to a more senior team member. That increased confidence leads to faster, better decisions countering attackers.
So, defenders currently appear to have a bit of a lead.
Generative AI refers to types of artificial intelligence that can generate content, such as text, images, audio and other media.
Unit 42 researchers have seen attackers using generative AI in several ways. We’ll outline three of them: bypassing identity verification, creating fake media that mimics real individuals, and malicious use of large language models (LLMs).
Threat actors often need to bypass safeguards intended to deter fraud, corruption and other criminal acts. Most of the time, those safeguards include identity verification, face matching, and sometimes “liveness” checks. Frequently, these are used in organizations that handle money – so the criminal threat actor needs to evade them.
Unit 42 researchers found threat actors offering to buy and sell those evasions. And, these techniques were more than simple faked identity documents. They included facial recognition bypass techniques, including camera-injection and “face swapping” technology for video.
One such tool was offered for about US$500, and another, more advanced tool, for about US$5,000. The creator of that more advanced tool claimed “You will also be able to make real live video calls and spoof your identity.”
These evasions are often in connection with “Know Your Customer” (KYC) verification processes, commonly used in financial contexts. Criminals aim to circumvent these controls to open accounts, launder money, commit fraud and steal funds. So, the risk is on both the consumer and the provider sides of those businesses.
Most often, the threat actor seeks to create a fictitious person. And that leads to the second activity we’ve seen.
Deepfake attacks involve using AI to create fake media that mimic real individuals, typically with malicious intent. It’s often realistic enough that discriminating between genuine and generated content becomes difficult.
Like identity-bypass services, Unit 42 researchers have found threat actor communities that sell access to deepfake-generated videos. The prices vary, averaging between US$60 and US$500, roughly aligned with the quality of the output. And, of course, a multi-tier subscription revenue model is available.
Here, too, face swapping is prevalent. The difference, though, is that the generated media mimics a real individual.
And that difference allows the deepfake-using threat actor to leverage any trust afforded the real individual who they’re simulating.
In April 2024, LastPass reported an attempted communication from a threat actor impersonating its CEO. While that attack was unsuccessful – the recipient employee was skeptical, ignored the attempt and reported it to the security team; gold star – it illustrates that deepfake technology is no longer just the stuff of intelligence agencies and high-grossing action movies.
That attempt was five years after a previous, audio-only attempt, in which an executive was misled into approving a money transfer, thinking he was speaking with his boss. The Wall Street Journal reported this story in 2019.
And what application of AI technology could enable attacks at a larger, faster scale? Let’s turn our attention to malicious large language models (LLMs.)
LLMs have emerged as one of the most prominent topics of discussion, prediction and action by threat actors. But, what makes a model “malicious”?
Malicious LLMs refer to large language models that are created or manipulated to circumvent guardrails or ethical boundaries. They may be custom-created models, or just wrappers to a more public model. Using those wrappers is referred to as “jailbreaking” the LLM.
Attackers have employed both malicious and conventional LLMs for purposes both malicious and benign. They’ve created more convincing spear phishing messages, conducted open-source research, asked for assistance writing and debugging code, and more.
For example, in mid-2023 a malicious LLM named WormGPT was advertised by its creator as a “ChatGPT alternative for blackhat.” The creator claimed to have trained the model themselves, making it an example of a malicious, uniquely developed model.
Similarly, a wrapper named BLACKHATGPT sent jailbroken commands to the ChatGPT API. Like other attacker tools, it carried a subscription price and helped generate code, craft social engineering text and otherwise enhance attacker capabilities.
Unit 42 has observed a trend of threat actors starting with jailbroken, wrapped public models; then, training existing models on attacker-supplied data; then, building and training their own.
While these malicious LLMs demonstrated they could be useful assistants to criminals, they were evolutionary, not revolutionary. We have not yet seen a model that significantly changes the threat landscape.
Unit 42’s Kyle Wilhoit wrote in more detail about these issues in a Prisma Cloud blog post. Unit 42 will have more to say about malicious LLMs in upcoming research.
Looking ahead, aside from AI’s potential for speed, it also has potential for patience. An AI could theoretically engage in a long, slow-burn operation aimed at eventually finding a way into an organization–perhaps over a time period that a human would be unlikely to sustain.
There’s also the possibility that attackers could compromise generative AI tools and large language models themselves. This could lead to data leakage, or perhaps poisoned results from impacted tools.
Despite that list of how attackers can benefit from AI, it’s important not to fear AI. Embracing the technology for defense opens possibilities for defenders to anticipate, track, and thwart cyberattacks to an unprecedented degree.
Anyone familiar with the work of the cybersecurity industry knows how often we face information overload. Mountains of security alerts come through every hour, of varying importance. Too often, defenders have to piece together data from disparate sources, while also trying to determine which of it really matters. According to industry research, more than 90% of SOCs are still dependent on manual processes.
AI offers a way out of that Sisyphean struggle. AI is particularly effective at pattern recognition, so cybersecurity threats that follow repetitive attack chains (such as ransomware) could be stopped earlier. While attackers may use AI to creatively identify new tactics, techniques, and procedures (TTPs) to obfuscate these chains, defenders could still leverage AI to detect and stop anomalous behavior.
This strength in pattern recognition extends to anomaly detection as well. Large amounts of data can hide relationships that human analysis won’t ever find, but that supervised learning models can bring up for attention.
The experience of Palo Alto Networks in our own SOC gives reason to hope.
On average, we ingest 36 billion events daily. Our AI-driven security operations platform reduces that number to just eight events requiring manual analysis. Through this process, we have reduced our mean time to detect (MTTD) to just 10 seconds. Our mean time to respond (MTTR) sits at just one minute for high priority alerts.
Security operations metrics like this will be key to understanding the efficacy of an AI-powered security tool. Defenders should pay attention to not only MTTD and MTTR, but also to incident closure rates, as well as false positive rates and the false negative rates. Effective tools should show clear benefits to the organization by improving these metrics.
Those developing AI models can take steps to prevent threat actors from misusing their creations. By controlling access to the models, threat actors can be prevented from co-opting them freely for nefarious purposes. There is also the perpetual need to recognize confidential or sensitive information and build in ways to safeguard it. When a model detects this type of information, it may choose to block further queries or activity.
Designers should also be aware of the potential to jailbreak large language models (LLMs) by convincing them to answer questions that could contribute to bad behavior. Those creating AI models should consider that attackers will ask things like, “How do I increase the impact of an attack on a vulnerable Apache web server?” AI models should be hardened against lines of questioning like this.
Organizations should also make an effort to secure users accessing AI tools, ensuring visibility and control over how these services are being used within an enterprise environment. It’s important to set clear policies for the type of data users can feed into AI services, protecting proprietary or sensitive information from exposure to third parties.
We believe the real risk of AI would be not recognizing it as the force multiplier it is, and missing the opportunity to use it to meaningfully improve the situation of defenders. This technology can both make us more effective at protecting our organizations and offer hope for work-life balance in a field that too often feels always-on. AI can help make security data actionable, giving real-time visibility and the ability to prevent, detect, and respond to cyberattacks quickly.
Defenders have a responsibility to use AI as the resource it is.
Once inside an organization, attackers have many options to achieve their objectives. They may execute the tools they need to use, install mechanisms to maintain access to the target environment, and try to remain unnoticed by the defenders.
Attackers may also need to identify where they are and what they can access, move around in the target environment, and create or use credentials to access data. Ultimately, they can collect and exfiltrate data, adversely impacting the organization. They may also (or instead) choose to make the data and systems unavailable.
These are areas of constant innovation and attacker creativity. And this year, the game of cat and mouse took a couple of wild turns. Here are some of the more interesting trends and techniques we observed, along with a few thoughts on which ones are likely to grow.
Threat actors often bring malware to a target environment. In 2023, about 56% of the matters we investigated involved malware in one way or another. That was consistent with its prevalence in the prior few years.
But while malware continues to be a problem, threat actors are increasingly “living off the land,” using and misusing the tools and code that a target already has in their environment.
How do those two statements (i.e., “consistent with prior years” and “increasingly living off the land”) go together? The answer lies in the attackers’ mix of tools. As they find system tools that can substitute for malware functions, they’ll adopt the system tools. Many intrusions still use malware at some point. More and more are using living-off-the-land techniques along with the malware.
of incidents investigated in 2023 involved malware
Endpoint protection platforms continue to be a great way to detect attacker activity of this kind. Even if the code isn’t malware per se, some platforms can discriminate between use and misuse by employing user and entity behavior analytics. Defenders who use this capability to identify investigative leads through alerting and/or hunting enhance their visibility.
For example, a common certificate utility on Windows called certutil can also be used to download files, decode Base64-encoded software, and more. And it’s a signed binary from the Windows installation, not malware. Can you tell when a threat actor is misusing it?
Some endpoint protection platforms can detect and alert on this activity. Detection might be based on the following:
Now, let’s return to malware for a moment.
Probably the most visible type of malware is ransomware: when you’ve been hit with it, attackers want you to know. Over the past year, 33% of the matters where malware was used involved ransomware. That was down slightly from last year, where it was 38%. However, we’re not saying “ransomware is down!” The changes are small, and the overall fraction of cases involving extortion with encryption was about the same in both years.
Another high-impact malware capability is data destruction. It also creates widespread, visible effects. In 2023 cases involving malware, it was used to destroy data 4.1% of the time. While that may not seem like a lot, it’s five times the rate from the year before. Together with its operational impact, we think protecting against wipers and destroyers is critically important. And that’s especially true if you know you face threat actors who have used wipers in the past.
Time-based observations show that attackers are speeding up. Encryption and data destruction have dramatic and visible effects. Thus, it’s wise to put effort into preventing attackers from gaining execution in the first place and exploiting it when they do.
We think attackers will continue to innovate tools and techniques here.
of malware attacks in the past year were ransomware
Attackers have to keep a foothold in the environment if they expect to continue operations. In 2023, about 42% of our hacking-related investigations involved a backdoor, and 32% of malware-related matters had some kind of interactive command and control (C2) software.
But as we noted in our sidebar on Muddled Libra, some attackers are moving back toward reverse tunnels. These tunnels are connections out of the target environment that terminate on a system under the attacker’s control in their infrastructure. These tunnels allow the attacker a great degree of freedom and often don’t require malware on the compromised system.
To wit, tunneling tools are now built into most current operating systems. In the past, attackers had to bring their own remote-access methods, often in the form of C2 tooling. They still do–commonly, a post-exploitation framework such as Cobalt Strike or an RMM tool–but they aren’t forced to. The operating system has built-in support for encrypted tunnels that may work just fine to evade notice by defenders.
Remote access tools are even less complicated to use. Microsoft Remote Desktop offers a GUI interface to a networked system, and organizations are still leaving it open. The 2023 Unit 42 Attack Surface Threat Report found 85% of organizations analyzed in the report had at least one internet-accessible Remote Desktop Protocol (RDP) instance online.
Another classic technique we continue to see is the use of web shells, which allows an attacker to use a compromised server as a beachhead into an environment. Placing a web shell on a system allows an attacker to continue to return over the long term. In 2023, we observed and reported on a series of APT intrusions in Southeast Asia that used web shells. We also observed web shells used as an attack vector in about 12% of hacking-related cases in 2023.
Attackers often use multiple persistence mechanisms. For example, in the attack against the Southeast Asian country, the threat actors:
In 2023, evading the defenders was where some of the most interesting advances in attacker conduct occurred.
Certain attack groups, especially the most damaging ones, are less willing to give up and go home. Instead, they research, anticipate, and respond to incident response actions.
Our Muddled Libra threat assessment explores several examples. As we said there:
“Muddled Libra has been methodical in pursuing their goals and highly flexible with their attack strategies. When an attack path is blocked, they have either rapidly pivoted to another vector or modified the environment to allow their favored path."
“The Muddled Libra threat group also repeatedly demonstrated a strong understanding of the modern incident response (IR) framework. This knowledge allows them to continue progressing toward their goals even as incident responders attempt to expel them from an environment.”
Said another way, this threat actor puts up a fight. They try to steal files that will tell them how their target is going to react once the victim identifies compromise activity. Then, they use that knowledge to install additional means of access that anticipate the response.
We expect to see more of this kind of behavior in the future.
Perhaps most interestingly, we’ve seen a trend of attackers connecting their own infrastructure to a target’s environment. More than just living off the land, they’re actively installing and configuring new systems in the target’s environment that are controlled by the attacker, not the defender.
Unit 42 observed and captured a novel BlackCat ransomware tactic in October 2023. This ransomware-as-a-service threat actor provides comparatively advanced tool sets to its affiliates.
One advance we noticed was a tool named Munchkin. Munchkin provides a Linux-based virtual machine that the ransomware operator installs and runs on a compromised system, circumventing host-based security controls in many cases.
BlackCat is no longer alone in using this tactic. The Ragnar Locker group has also been reported to use it. We expect to see this tactic more often.
Another tactic we’ve seen used to great effect is Okta cross-tenant impersonation (discussed publicly in Okta’s blog post from August 2023). In this tactic, a threat actor uses highly privileged accounts to add a second, attacker-controlled identity provider (IdP). Then, the attacker federates their IdP to the target’s true IdP. At that point, the attacker can sign on to applications at the target as any user. This is misuse of a legitimate function, so preventing it requires vigilance and tight permission management.
A third tactic we’ve observed is attackers standing up their own cloud workloads in the target’s cloud infrastructure. Why not? It's incredibly fast and easy, and the target will pay the bill! This approach also blends in with normal IT or DevOps operations. It’s not at all unusual, and most SOC teams will breeze right past it.
We expect attackers will continue to add infrastructure under their control. Defending against it means creating and maintaining a comprehensive understanding of the contents of your environment, one of the hardest maintenance tasks a security team faces.
Ironically, this may be one area where the cloud is easier to manage. If you have access to cloud discovery and security posture management tools, you may find ways you could detect unmanaged systems and accounts that have skirted your security controls. It may only require a friendly relationship with the people who run the cloud infrastructure management plane!
Finally, a few classic tactics remain in the mix. Over the course of many investigations, we have seen threat actors take actions to try to avoid detection. Here are a few examples.
The first tactic is to try to appear normal. Unit 42 researchers identified a Chinese APT group that was doing this in several ways. (We haven’t connected this activity to a named group yet.)
The threat actors had created C2 infrastructure hosted on a half dozen internet-facing systems, with domain names that suggest they’re cloud storage services. A security analyst could easily wave away large data transfers to a cloud provider. It’s pretty normal. However, further analysis revealed that the same SSL certificate was being used on all the servers, which is inconsistent with their disparate network locations and hostnames.
This actor also appeared to install honeypot software on the C2 servers. This too could persuade a hurried analyst to dismiss the suspect connections as benign, seeing known security testing tools.
A different threat actor, Stately Taurus, took an even simpler approach. Their C2 connections used HTTP POST methods that set the host field to a Microsoft domain name, despite the traffic being directed to an IP address in Malaysia with no relation to any legitimate Microsoft service.
The second tactic is related: a threat actor disguising themselves by changing their behavior, depending on who’s asking.
The unnamed APT group’s C2 servers seemed to change during the course of a day. They only accepted C2 connections during the threat actor’s activity times and were closed at other times. While this may have helped the threat actor defend against casual observation, it looks unusual to the non-casual observer. Systems that change behavior based on time of day are uncommon.
And finally, the threat actor seemed to be filtering connections to the C2 infrastructure. They blocked connections from known Palo Alto Networks IP ranges, as well as some other cybersecurity companies and hosting providers.
These measures are an attempt to minimize the risk of being profiled by IP scanners. But they raise interesting investigative questions once they’re observed in a potential attack context.
And the third tactic was host-based, rather than network-based. An Iran-based actor we call Agonizing Serpens tried to evade endpoint detection and response (EDR) solutions on the systems they had compromised. While most of the techniques they tried were well-known already, this threat actor hadn’t previously been reported to use them.
The threat actor attempted at least three EDR bypass techniques. In this specific case, the target was using Palo Alto Networks Cortex XDR–and the techniques did not succeed. But these offensive tactics could be applied to many defensive security tools.
Those techniques were:
The Unit 42 blog post has more analysis of the technique. The key takeaway, though, was that the group’s use of evasive tactics and tools seems to indicate an upgraded capability compared to their past activity.
The big news in lateral movement this year was turnabout. We found attackers using security tools offensively.
Many security tools need elevated privileges. It’s wise to minimize those privileges, but some tools must run with the privileges attackers seek. For example, endpoint detection and response tools usually can access and change any data on a system. That’s the nature of the beast.
This year, attackers took that beast by the horns. We saw them compromise accounts belonging to security personnel with high privileges. Then, they used those accounts to access security tools that gave the attackers access to every system across the organization. And they used that access to move about and achieve their objectives.
Other tactics, techniques, and procedures of discovery and lateral movement remained familiar from prior years. Threat actors tend to use a variety of system administration tools at this phase, most of which are not malicious code and are frequently used by authorized personnel. Infostealers remain a common discovery (and sometimes initial access) vector for attackers.
Nonetheless, there are detection opportunities.
Internal port scanning is a quick way for a newly arrived threat actor to get the lay of the land. It’s also noticeable. Watching for these actions with endpoint and network-based detection is wise.
Threat actors often use RDP connections to move laterally within a target environment, even if it is not accessible externally. RDP offers many user-friendly conveniences for interactive access and can leave a light evidence footprint. Logging RDP use generates a lot of data, but it is a great detective control. This is probably one of those areas where AI can be helpful to sift through masses of data.
Threat actors also frequently use Server Message Block (SMB) protocol for lateral movement since they know defenders will often assume this is standard file sharing activity.
Access logs for security tools (and IT tools that run with elevated security privileges) can reveal unusual access patterns. See our Recommendations For Defenders for more on this.
See our Recommendations for Defenders for more on this.
Threat actors also frequently use Server Message Block (SMB) protocol for lateral movement since they know defenders will often assume this is standard file sharing activity.
We continue to see threat actors using credential-dumping tools such as Mimikatz and MiniDump to extract user account credentials and password hashes. They also use tools targeting Active Directory domain controllers themselves. Endpoint detections are the best way to find these. Investigate them promptly when they occur.
And watch for customized versions that will evade hash-based detection. We observed a threat actor using their own version of Mimikatz, requiring a password on the command line and omitting some of the usual features. Detect these tools by their behavior–attempting to steal information from memory–rather than just their hash, filename, or other easily changed attributes.
More importantly, attackers are shifting more focus to stealing sessions, not just credentials. We have seen a variety of actors using “stealer” tools to extract saved passwords, session tokens, and other artifacts from browser and application caches on endpoints.
Session tokens in particular can pose a significant risk if they are long-lived and the system they’re presented to has weak anomaly detection. With those tokens in hand, the threat actor assumes the identity and privileges of an authenticated user. They can perform all the same actions, use all the same authorizations. Would your tools notice if a session token was suddenly used in a different location than its owner?
Over the past year, we saw vulnerabilities weaponized and exploited more rapidly and on a larger scale than in prior years. We have observed a trend toward the automation of campaigns–similar to the “scaling up” process seen in manufacturing–from prototype to mass production.
The first attempts at exploitation are conducted interactively, by hand. Then, there’s a progression of automation from tools to assist human operators to machine-driven exploitation of the weaknesses.
Threat actors are also automating post-exploitation activity. In particular, the size of the MOVEit Transfer published victim list is consistent with automation not just of the exploit, but also the collection and exfiltration of the data.
With MOVEit compromises, automation of collection and exfiltration was relatively straightforward because the stolen data itself was resident on the compromised, internet-facing server.
The threat actor associated with the MOVEit compromises (CL0P) was faced with a different problem.
But then, the threat actor, (CL0P) was faced with a different problem. Having stolen all that data, to effectively extort the targets, the threat actor had to publish some of it.
Unfortunately for the threat actor, the usual methods of extortion weren’t able to handle the sheer volume of data they had stolen. Download speeds over Tor were too slow. They had to resort to publishing by torrent, which opened them up to further investigation by responders and researchers.
Look for more from Unit 42 on this case in the future.
In the last year, clients felt more impact than previously, from lost confidentiality through lost revenue.
The effects of an incident last a lot longer than the attack and investigation itself. While reputation and share prices usually recover to their pre-incident levels, there are always soft and hard economic costs.
One of the first questions a target asks after discovering a potential security incident is whether non-public information was disclosed, exposed, or compromised. Figure 7 shows that while we are able to answer that question most of the time, the answer continues to trend toward a more costly response.
Over 80% of the time, we can answer this question with a “yes,” “no,” or “maybe.” Within that set, the “maybes” are eating away at the “nos,” and the “yesses” are growing too. These changes aren’t large, and they may just be sample variations from year to year. But the fact remains; almost half the time (49%) in 2023, a target knew or had to assume their information had been compromised.
The second question a target asks is often whether the stolen data was targeted, or taken indiscriminately. Figure 8 shows that the answer here has a pronounced trend toward indiscriminate exfiltration.
We say the data was targeted if the threat actor selected what data they were after. For example, they may have performed keyword searches, applied criteria, or filtered their file collection patterns. Filtering by extension, size, date range, or pattern matching–all of these are targeting actions.
Looking at 2023 in isolation, it’s tempting to point at the large sweep-the-internet compromise campaigns and say that’s why the not-targeted number is so high this year. But there seems to be a pronounced growth in the tactic of attackers just collecting it all and sorting it out later. Attackers are also moving to exfiltrate much sooner than in the past, which aligns with this grab-and-go strategy.
So the large volume of exfiltrated data is a bit of a double-edged sword. On the one hand, it’s easier to detect large volumes of exfiltration than smaller, targeted transfers. On the other hand, when the stolen data is so big, the task of impact analysis and notification also gets a lot bigger. On the third hand, you’d need to detect that big exfiltration a lot earlier in the incident lifecycle. It might even be the first sign you notice that something is afoot, and you’ll need to act on it fast.
Defenders should look at this trend as an encouragement to buy or build capabilities to detect attacker activity sooner, to accelerate response actions to interrupt the attack.
As we said earlier, when you’ve been hit with a destructive or extortion-encryption tool, you know it. And in 2023, more of our clients experienced a business disruption of that type.
Figure 9 shows that in 2023, we worked more than twice as many cases where business disruption was one of the effects our clients experienced. Almost 35% of that casework involved business disruption of some kind. Usually, it was due to the effects of ransomware or data destruction malware.
And, increasingly, this disruption is publicly visible. There’s a clear trend of greater public awareness of large-scale cybersecurity incidents. Certain threat actors take advantage of this publicity to pressure their victims.
Several other major effects occurred less frequently, such as legal and regulatory consequences, as well as other (non-incident response consulting) response and recovery costs. But brand damage was up, almost double. And, it’s possible that the decreased frequency of legal and recovery effects is an artifact of our clients choosing to restrict the need-to-know.
While we aren’t in a position to characterize the total dollar losses due to incident response, we do keep track of what types of costs our clients experience. For this section, we’re talking about prevalence–how many of our clients experienced that type of cost–rather than dollar losses.
What part of the business does an incident response affect? It’s not just in the IT department. And the cost of response isn’t only the consulting fees. (By definition, if Unit 42 was involved in a case, there was almost always our cost of consulting, so we’ve left that out.)
For our clients, legal and regulatory losses led the list along with other costs of response and recovery. In the last two-and-a-half years, over 86% of our clients had some kind of legal or regulatory cost. And over 78% of them had recovery costs.
While it can be easier to prepare for losses that you expect, it’s always harder to prepare for losses that you don’t yet understand or can’t predict.
In our experience, the best way to address that discrepancy happens when you can identify all the parties who would be involved in a large-scale incident response. Then, invite them all to participate in a Tabletop Exercise exploring two scenarios:
Practicing a what-if scenario is a much lower-impact way of discovering holes in your capabilities and processes than letting a threat actor show them to you. Particularly, it lets defenders engage and prepare other stakeholders in their business, who might not be participating in the day-to-day cybersecurity work, but who will find themselves on the incident conference bridge.
In 2023, Unit 42 responded to multiple cases where threat actors used a SugarCRM vulnerability (CVE-2023-22952) to gain access to cloud accounts. This shows us two things: threat actors are well aware of the value of cloud accounts in a distributed work environment, and they’re willing to take roundabout ways to get access.
As the author of our article on these incidents described it, “When a threat actor understands the underlying technology used by cloud service providers, they can accomplish a great deal if they can gain access to credentials that have the right permissions.” They can take advantage of vulnerabilities in a wide variety of cloud services to get that initial access to find the credentials they need.
Many organizations believe that choosing cloud services obviates the need for them to think about security. And in fairness, many cloud service providers sell their products as if they’ve taken care of all that dirty work. But identity and access management (IAM) is always the responsibility of the organization rather than the cloud service provider, and misconfigurations can undo even the most secure products.
According to our latest Cloud Report , at least three-quarters (76%) of organizations don’t enforce MFA for console users, and 58% of organizations don’t enforce MFA for root or admin users.
While every organization has a small set of risky behaviors that are repeatedly observed in their cloud workloads, that also means that a few changes will make a big difference to your overall security. In most organizations’ cloud environments, 5% of security rules trigger 80% of alerts.
While the rapid increase in remote work due to the pandemic caused a huge growth in cloud adoption, there is still more cloud coverage in our immediate forecast. Threat actors know this and are adapting their techniques to take advantage of this change in infrastructure.
Figure 10 shows that we’ve seen an increase in incident responses involving cloud cases, from 6% in 2021 to 16.6% in 2023. This matches an overall trend in organizations’ environments relying more heavily on cloud infrastructure.
increased incident response from
6% to 16.6%
This increase of interest in cloud adoption for both organizations and threat actors gives us some unique opportunities. Cloud computing is not going away anytime soon, as it offers a lot of productivity (and even security) benefits for organizations that adopt it. For those who move quickly to improve their security, they have a rare chance to get ahead of threat actor activity.
There are several things you can focus on to make a big difference in your cloud security:
Enforce MFA. Having proper authentication on cloud service accounts is a way to make things harder for threat actors to access your environment.
Protect your data. Sensitive data is at risk from both insider and external attacks. According to our last Cloud Threat Report, personally identifiable information (PII), financial records, or intellectual property, are found in 66% of storage buckets and 63% of publicly exposed storage buckets
Monitor abnormal activity. If services within your cloud account are accessing or being accessed by new and unusual IP addresses or over unusual ports, make sure your monitoring is configured to alert on this activity.
React quickly. Moving quickly to address security alerts can significantly limit damage. Security teams take on average about 6 days to resolve a security alert. Over 60% of organizations take longer than four days to resolve security issues.
Implement the principle of least privilege. Granting least-privilege permissions is the most effective way to minimize the impact of security incidents. In our previous Cloud Threat Report , we found that 99% of the cloud users, roles, services, and resources were granted excessive permissions.
When a threat actor understands the underlying technology used by cloud service providers, they can accomplish a great deal if they can gain access to credentials that have the right permissions
Because the leading source of initial attacker access was internet-connected devices, we decided to investigate that attack surface further. Throughout the course of about a year, we used Cortex Xpanse to explore the attack surface of over 250 global organizations.
An average organization in our data set had more than 300 new internet-exposed services each month. And when we considered the seriousness of the exposures, they accounted for about one-third of the new “critical” or “high” severity exposures.
Together, these two statistics imply that this change in attack surface isn’t benign – it’s introducing new vulnerabilities that need to be found, fixed and avoided in the future.
We also looked at what kind of services appeared vulnerable in the data. Almost half of them were IT and security infrastructure or remote access services. This finding is consistent with our incident response history, where we often find attackers exploiting under-secured, misconfigured or unpatched systems. (For example, remote access services were once the favorite entry point for many ransomware groups, and they remain a widely used point of entry.)
Protecting against attack surface vulnerabilities is important, but doing so comprehensively can be tedious. Here are some recommendations we share with our clients.
Identifying and responding to attack surface risks starts with continuous, comprehensive scans of your organization's ports, services and devices. Then, prioritize and schedule the necessary fixes and changes. Just like shampoo: lather, rinse, repeat.
Regularly check perimeter resources to discriminate between expected assets and unknown or out-of-scope ones. Ensure all resources comply with your security baselines. Deviations from these baselines are often the most vulnerable to compromise, making them prime targets for attackers.
Detection is only half of the battle. It is crucial to have processes and technology to assist security teams in identifying, communicating, tracking and automating remediation where possible. Pair them with processes to ensure that new deployments meet secure baseline expectations, and you will continuously improve.
The full 2024 Unit 42 Attack Surface Threat Report has more global attack surface insights, trends and recommendations for best practices.
If ASM is new to your organization, or you’d like help with improving your program, Cortex Xpanse and Unit 42 Attack Surface Assessment can jump-start your journey. This assessment service gives you better visibility into your on-premises and cloud-based internet-connected assets and recommendations on prioritized actions to help you defend your organization.
And, adding the ASM Module to your XSIAM deployment provides context on internet-exposed assets to enhance threat prevention, detection and response with AI and machine intelligence.
Like the rest of us, attackers are taking advantage of automation to do more, in less time. The 2023 Unit 42 Attack Surface Threat Report highlighted the speed at which attackers can scan the entire IPv4 address space looking for vulnerable targets. It also investigated how quickly high-profile common vulnerabilities and exposures (CVEs) are found being exploited after public disclosure. In some cases, it was within hours.
And, speeding up isn’t just about finding vulnerabilities to exploit. In Unit 42 Incident Response cases, we’ve noticed that attackers are exfiltrating data faster as well.
Just two years ago, the median time between compromise and exfiltration was nine days. By 2023, it was two days–a full week less.
Especially striking is how often attackers move quickly. In almost 45% of our cases this year, attackers exfiltrated data in less than a day after compromise. This means that almost half the time, organizations must respond within hours to stop them.
Latest Attacks Happening in Hours – Time to Exfiltration is Often Less Than One Day
of incidents took attackers less than a day after compromise to exfiltrate data
In certain kinds of cases, exfiltration happens even faster. While we expected that extortion cases would be the fastest to exfiltration, that wasn’t the case. In matters that don’t involve extortion, attackers are working within hours more often than not. In 2022 and 2023, the median time to exfiltration for non-extortion matters has been less than one day.
While we can’t say for sure why this is, it may be because in some cases data exfiltration is the attacker’s main goal. Attacker speed may be related to their focus–the faster the threat actors complete their mission, the more money they make. And the faster they work, the less time defenders have to get in their way.
The bottom line is that, for many organizations, exfiltration may be underway before Incident Response and Legal have even assembled a response team and plan. It might even be complete.
In one case involving Black Basta ransomware, it took attackers less than 14 hours to accomplish extensive compromise. Starting with a simple phishing email, the threat group gained initial entry to the organization a mere half hour later. From there, they explored the network, escalated privileges, and began communicating with their C2 server.
Most of this took place while the organization’s security team was home, asleep and unaware. By the time the team began to realize something was wrong, the attack was well underway. The attackers were exfiltrating terabytes of data. They had created multiple custom versions of ransomware. And those tools were staged on a server inside the target’s environment, ready to encrypt nearly 10,000 endpoints.
On the other side of the conflict, data from our incidents suggests defenders have not yet caught up to attacker speed.
Like most other incident response firms, we measure dwell time as the number of days an attacker is present in a victim environment before being detected. For this report, we measured the time between the first detection of the attacker and the earliest evidence of the attacker’s presence.
The good news is that we see dwell time decreasing since 2021.
On the flip side, even this decrease may not be enough. For example, in the US, the Securities and Exchange Commission (SEC) adopted a rule requiring that material cybersecurity incidents be disclosed within four days. Given the time frames we observe, this could put organizations in the position of having to go public while still trying to figure out what happened–and what to say to customers, regulators, and the market.
This is even more of a concern when one considers that simply containing an attack may not be the same as fully remediating it. For example, an organization might contain an attack simply by deactivating compromised systems–a far cry from taking stock of the impact of the activity and fully restoring normal operations.
Clearly, defenders need to speed up as much as possible. We’ll give more recommendations for how to do that later in this report, but for the moment, there are a few key principles to keep in mind:
...an organization might contain an attack simply by deactivating compromised systems–a far cry from taking stock of the impact of the activity and fully restoring normal operations.
Preparation. One of the best ways to get ahead of attackers is to truly get ahead.
Through proactive preparation, organizations can get ready to respond within hours to compromises, stopping attackers before they have a chance to execute their plans.
Automation. As we mentioned in the Black Basta example above, human security teams need to sleep, and they’re also typically pulled in many directions.
Automation–especially when powered by machine learning and artificial intelligence–can help defenders sift through alerts and surface the ones that truly need attention.
Zero Trust. powerful way to limit the damage an attacker can do after
compromise is to limit their movement and activity.
When organizations design their security posture in accordance with a Zero Trust philosophy, attackers become less powerful when they gain initial access, because initial access means much less. It’s the difference between a thief getting into an entryway and being able to move through the entire building, and a thief getting into the lobby only to encounter another locked door.
Defense in depth. A security program designed with overlapping defenses
and controls gives attackers more opportunity to alert you to their
presence.
Especially combined with limited privileges in a Zero Trust philosophy, you can raise the signal-to-noise ratio of meaningful alerts that will let you focus on attacker activity earlier in the attack lifecycle.
While reviewing 2023's incidents, we kept in mind two topics close to defenders’ hearts; factors that contributed to attackers’ success, and mitigations defenders can use to frustrate attackers.
This section distills the most critical lessons into actionable recommendations for defenders. These are pragmatic, effective approaches to counter emerging and evolving cyberthreats.
Common contributing factors are the systemic issues or mistakes that contributed to attackers' success. Fixing these issues proactively lowers the chances or impact of a cyberattack.
You can't protect what you can't see. Organizations chronically lack comprehensive visibility across their network, cloud, and endpoints. This shortfall led to critical unmonitored areas, delaying the detection of and response to active threats.
Lack of visibility also led to uncontrolled and unmanaged vulnerabilities. In 11.5% of the incidents, insufficient patch management was a contributing factor.
of incidents had insufficient patch management as a contributing factor
Visibility gaps also led to unnecessary resource exposure, such as internet-exposed remote desktops or inadequately secured cloud workloads. These exposures contributed to 9.6% of cases.
Finally, insufficient coverage with endpoint protection technology was a contributing factor in 13.6% of the IR engagements we responded to.
These unmonitored areas provided attackers with opportunities and time to exploit weaknesses. Not having a comprehensive view across the attack surface–crucial for managing it effectively–significantly contributed to incident severity and frequency.
In our post-breach investigations, we often find forensic evidence of what happened in the logs and digital artifacts. But this data is often spread across many different security point products, buried in millions of uncorrelated alerts, or structured in disparate formats. That distribution discourages automated prevention, detection, or real time response by security analysts.
This data issue gets worse when teams struggle to maintain expertise in the myriad of tools they’ve adopted for security operations. As a result, even when the early signs of an attack exist, the signal is lost in the complexity of the IT landscape.
Defenders miss critical attack indicators when they’re overwhelmed by the sheer volume of information and operational demands. They can’t see the forest for the trees.
Allocating excess privileges to accounts is a too-common contributing factor in cybersecurity breaches. Over-privileged accounts give attackers the means to move laterally across an environment, accessing sensitive information and assets. Attackers particularly target administrative accounts because they can be used to gain access to other systems and accounts. Using those privileges amplifies the breach's impact.
This issue is especially acute in cloud environments, where Unit 42 research has discovered that 99% of accounts are over-permissioned. Extensive cloud privileges exacerbate the risk and potential damage of attacks.
Finally, the lack of MFA remains significant. In 2023, the absence of MFA was a contributing factor in over a third of incidents.
You may have heard us advise that you should “never let a good incident go to waste.” While Winston Churchill didn’t say that–Rahm Emanuel did,in 2008–it’s as applicable to cybersecurity incidents as political ones.
In this section, we make recommendations refined from hundreds of cybersecurity incidents in 2023. These guidelines can be a blueprint to bolster your defenses and avoid severe incidents like those chronicled in this report.
Remember, never let a good incident go to waste!
Criminals have more surface to attack than ever before. The continued adoption of bring-your-own-device practices, internet of things, and cloud-native applications and architectures continues to add vulnerabilities and misconfigurations.
In the cloud, hard-coded credentials, weak authentication, and inefficient alert handling lead to increased breach risk.
To make matters worse, the modern attack surface is in constant flux: on average, 20% of an organization's cloud attack surface is replaced each month with new or updated services, contributing to nearly half of new critical exposures.
Additionally, over 85% of organizations expose RDP to the internet for a significant part of each month. Doing so increases the risk of ransomware attacks and unauthorized access.
Get ahead of this now by establishing tools and processes that allow you to get your arms around your internal and external attack surface, including cloud, network, and endpoints.
To manage your external attack surface, including cloud and internet-facing assets, first identify and control what you have. Use advanced scanning tools and services that specialize in discovering and cataloging external-facing assets, such as web applications, cloud storage, APIs, and any services exposed to the internet.
Then, protect that external access with MFA. Don’t allow remote access (especially RDP) with just a username and password. Require a second factor of authentication, either behind a virtual private network (VPN) or natively in the solution. If you do nothing else, do this.
Next, continuously assess these assets for vulnerabilities and misconfigurations using active ASM applications and a cloud-native application protection platform (CNAPP).
Implement a rigorous process to remediate identified vulnerabilities and misconfigurations quickly. Order the list by risk and prioritize critical exposures that could lead to significant breaches. Regularly update and patch systems, apply necessary configuration changes, and ensure that security settings in cloud environments adhere to best practices.
Internal ASM means gaining visibility into the network and endpoints within your organization. Deploy tools for network discovery and asset inventory management. Identify and categorize everything you find, including servers, workstations, and network devices.
Implement endpoint detection and response (EDR or XDR) solutions to monitor and analyze endpoint activities, identifying potential threats or anomalies.
Conduct regular internal vulnerability assessments and configuration audits to identify weaknesses within the internal network. Scan for unpatched software, insecure network configurations, and unnecessary open ports or services.
Remediate swiftly. Focus on patch management, secure configuration, and network segmentation to reduce the internal attack surface.
For both kinds of ASM, the key outcome is enabling a proactive, continuous cycle of identification, assessment, remediation, and improvement. This dynamic approach allows you to adapt rapidly to new threats and changes within the IT environment, ensuring that the organization’s attack surface remains resilient against evolving cyberthreats.
Mixing weak authentication controls, over-privileged accounts, and improperly secured applications and information assets leads to critical breaches. This dangerous combination creates a straightforward pathway for attackers, with an easy route in, unfettered access to sensitive data, and an unobstructed route for data exfiltration or other disruptive impacts.
Zero Trust is designed to protect against exactly this.
Zero Trust is a cybersecurity strategy that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Rooted in the principle of “never trust, always verify,” Zero Trust principles protect modern environments by:
Adopting Zero Trust is a journey. Here are the first steps and tactical recommendations we routinely advise clients to take.
Multifactor authentication: Implement MFA everywhere you can. Prioritize methods like app-based or hardware tokens. Avoid SMS second factor if you can. It is vulnerable to SIM-swapping attacks that threat actors regularly perform.
Passwordless solutions. Where feasible, employ passwordless authentication methods such as biometric verification or FIDO2 security keys. These methods eliminate common attack vectors associated with passwords.
Single sign-on (SSO). Use SSO to reduce password fatigue and streamline user access, while maintaining stringent security checks.
Regular auditing and updating. Conduct frequent audits of authentication protocols. Ensure all methods are up to date and comply with the latest security standards. Find outliers and “temporary” exceptions that outlived their usefulness.
User education. Continuously educate users about safe authentication practices, including the importance of securing their authentication tools and recognizing phishing attempts.
Session management. Implement strict session management policies, including automatic logout after periods of inactivity and reauthentication for sensitive actions.
User and system accounts accumulate excessive privileges with evolving technology, workforce changes, and organizational growth. This accumulation magnifies organizational risk and eases attackers' efforts to move within your organization and access sensitive data.
Audit identity and access management comprehensively. Implement rigorous need-to-know access controls. Pay special attention to cached credentials on endpoints, as attackers such as Muddled Libra exploit them, even from accounts protected by a privileged access management application. Minimize privileges for each credential, segregate them effectively, and continuously monitor how they’re being used. Look for anomalies.
Ensure credentials expire when their owner no longer needs them. Grant access only when needed. Audit and monitor the use of long-lived, highly privileged credentials, restricting their scope to only essential roles and individuals.
Privileged users should have dedicated accounts for critical functions, like domain controllers or Microsoft Active Directory management. Separate these accounts from their regular user accounts. Doing so reduces the “blast radius” of a compromise. Over-privileged accounts can dramatically increase the impact of a breach, so minimizing privileges is key to containment.
Finally, segregate service accounts so that each has only one elevated privilege. This one-to-one approach eases anomaly detection and enables more precise response actions, allowing for targeted network shutdowns without widespread disruption.
The Zero Trust model is equally vital to managing system accounts and applications. Central to Zero Trust is the assumption that applications inherently cannot be trusted, needing continuous runtime monitoring to validate how the applications are behaving and being used.
Eliminate implicit trust between different components of applications during their interactions.
Control which applications are used in your environment, especially those that threat actors use to “live off the land.” For example, restrict access to remote management applications and non-sanctioned file-hosting services. Or, at least, monitor and alert on them.
Network segmentation is a key tactic to apply Zero Trust principles to network architecture and infrastructure. This strategy effectively impedes the lateral movement of threats and confines breaches to isolated zones, significantly reducing the breach's impact.
Zero Trust network access (ZTNA) plays a critical role in this context. ZTNA verifies users and grants them access to specific applications based on identity and context policies. It eliminates implicit trust and restricts network movement to decrease attack surfaces.
Regardless of their location, no users or devices trying to gain access to a network are trusted until they’ve been fully verified based on identity and access control policies. This approach contrasts with traditional VPNs, which often grant complete access to an internal network. ZTNA solutions, on the other hand, default to deny and allow access only to services explicitly granted to the user.
With attackers moving from intrusion to exfiltration in hours, detecting and responding to threats in near real time is crucial.
But, manually handling a barrage of alerts and data from disparate cybersecurity products is a labor-intensive and inefficient approach to threat management. Doing so misses critical alerts and leaves vulnerabilities exposed. Over 90% of SOCs still rely on these manual processes, giving adversaries an unnecessary advantage.
Collecting logs from security point products across your network, endpoints, and cloud can generate billions of events every day. Generating the telemetry is a great first step. The next one is to make sure this data is correlated, stitched together, and analyzed in a way that your defenders can take action on.
Consolidate your security tools and use extended detection and response (XDR) and/or extended security intelligence and automation management (XSIAM). They provide a unified platform that captures security telemetry from endpoints, networks, and cloud environments. Then, they give you a more streamlined and effective approach to threat detection and response.
These tools harness the power of machine learning and analytics to act as a force multiplier for the SOC analyst. This technology reduces detection and response times, shifting the advantage back to the defenders.
In our own networks, we have put this into practice:
And these results aren’t unique to us. Our customers have reported a sixfold rise in the volume of security data they ingest and analyze each day. They also see a fivefold increase in incident closure rates.
By integrating these tools with AI and automation, organizations can transform their security operations, enhancing their ability to detect and respond to threats in real time.
Even with tool consolidation and automation, a strong security operation team is still critical. If you staff a twenty-four seven in-house security operations center, great. If not, consider the benefits and specialized expertise of managed detection and response. We have worked hundreds of incidents where the attack could have been stopped earlier, but critical alerts weren’t reviewed soon enough, and the threat actor outran the defense.
Continuous monitoring is crucial. Based on the incidents we responded to over the past year, here are some of the key items to watch for.
Create rules to identify impossible logon scenarios such as geographic anomalies. Regularly audit MFA enrollment to ensure comprehensive implementation and identify gaps in logging. This thorough approach is critical for detecting and alerting on outliers and unusual usage, not just failed logins. Set up alerts for repeated authentication failures or unanswered attempts, which could indicate an attacker's efforts to overwhelm or misdirect authentication requests.
Given the risks associated with RDP abuse, it's crucial to restrict and closely monitor remote access. Assess and minimize the list of authorized remote management tools. Unauthorized tools should be blocked and monitored for, increasing the chances of detecting attacker activity. Clearly define and enforce which remote management tools are approved for business use.
While it may be challenging for larger organizations to track all privilege changes, focusing on high-privilege accounts is essential. Log these changes and, if possible, correlate them with change control processes. Use identity threat detection and response tools to spot abnormal behaviors and collaborate across departments for workflow and communication improvements.
Set up alerts for known defense evasion tactics like disabling host-based firewalls or antivirus programs. Quick investigation and response to these alerts are key. For businesses where the risk is acceptable, consider automatic containment measures.=
Be aware that skilled threat actors, like Muddled Libra, may attempt to exploit your security tools against you. This includes using endpoint protection for unauthorized commands or data loss protection tools to locate and exfiltrate sensitive information. Strictly monitor access to these tools, investigate any anomalies, and consider separate authentication infrastructure for critical security applications.
Unusual spikes in data transfer or accessing sensitive data repositories outside normal patterns should trigger alerts. Implementing network analysis tools can help in detecting and preventing data exfiltration attempts.
In an incident response, the difference between those organizations that have tested and prepared and those making plans for the first time is night and day. Take time now to prepare, practice, and test your readiness to respond.
Practice is critical in developing a robust response framework. These exercises provide an opportunity to refine and test your incident response plan in a controlled environment.
By simulating realistic scenarios, teams can identify gaps in their response strategies and improve coordination among internal and external stakeholders. The key is to establish a well-structured response plan in advance, rather than improvising during an actual crisis. Regular practice through mock scenarios ensures that when a real incident occurs, the response is swift, coordinated, and effective.
Experience is an invaluable tool to assess the strength of your security defenses. These tests involve simulated attacks on your systems to identify vulnerabilities and test the effectiveness of current security measures.
Regular security audits and penetration tests reveal potential weaknesses before attackers can exploit them. By understanding and addressing these vulnerabilities, organizations can significantly enhance their security posture.
A strong security culture is fundamental to effective cybersecurity. Maintaining one involves regular training and awareness programs. Ensure everyone is vigilant and understands their role in maintaining cybersecurity.
Muddled Libra attacks, for example, emphasize the importance of training beyond just email phishing. Personnel should be trained to recognize and respond to suspicious activities across various communication channels, including phone and SMS. Helpdesk staff, in particular, should be empowered and supported in pausing tickets for security verification without fear of repercussions.
This proactive approach is crucial in disrupting the initial stages of a potential attack. Spreading awareness across the entire organization is essential. Employees should be encouraged to support additional security measures, understanding their critical role in the broader context of organizational security.
The value of effective incident response is being able to recover quickly. Doing so hinges on the preparedness and resilience of systems and backups, coupled with specialized expertise. Reflecting on the incidents we've encountered over the past year, several key lessons emerge.
Diverse challenges require diverse skill sets. Recognize your team's strengths and identify areas where external expertise would augment your own.
Specialized knowledge in breach-related legal issues, crisis communication, forensic analysis, threat hunting, negotiation with threat actors, emergency remediation, and threat intelligence are often crucial. Establish relationships with trusted partners in these areas beforehand. Standing retainers or contractual agreements ensure the immediate availability of these resources during a crisis.
Ransomware attackers target backups, so it's imperative to protect them through segmentation, whether that means storing them offline or using other access controls. Regularly test and confirm the effectiveness of your backups. Assess how swiftly you can restore critical components, like domain controllers or essential production systems, from these backups.
Be prepared for a scenario where a complete credential reset is the only viable option. This process–often disruptive–can involve resetting passwords, unenrolling MFA devices, rotating API keys, or renewing Kerberos tickets. Mitigate the impact by planning this process meticulously before you need to do it. Document the reset protocol and store it securely offline to prevent unauthorized access by attackers.
A well-documented incident response plan outlines roles, procedures, and timelines. The plan should detail the steps for a rapid and comprehensive reset to minimize disruption. Store this plan securely and ensure it's accessible offline–an essential consideration if your network is compromised and online resources are unavailable.
Anticipate that attackers might be privy to your response strategies. Establish an out-of-band communication system for incident response, separate from your primary network.
This system should have its own identity and access management, ideally hosted on an entirely different platform. Secure it with hardware-based MFA to prevent unauthorized access. And practice using it.
Recommended Unit 42 Services:
There’s a lot of talk in the industry about security people burning out. And with seemingly endless creativity and effort from attackers, some days it does feel like our efforts are endless. Where do you even start?
Any consultant will tell you–and you can probably see this coming–“it depends.” But good consultants will tell you what it depends on and help you create a plan to go forward from there.
We often work with clients on that transformation; during an incident, yes, but also beforehand.
Being part of Palo Alto Networks gives Unit 42 access to a comprehensive platform of technology. In this section, we’ll provide some examples of how we use them.
The Unit 42 Incident Response team is available twenty-four seven, year-round. If you have cyber insurance, you can request Unit 42 by name. You can also prepare for the future (and the present) by requesting any of our cyber risk management services. Many of our clients keep Unit 42 on retainer so we are available to them at a moment’s notice.
Unit 42 has years of experience protecting organizations around the globe. Our Managed Services team can monitor, hunt and respond to suspicious activity twenty-four seven. We’re ready to help you scale fast and focus your internal team on more strategic tasks.
Unit 42 Managed Detection and Response provides world-class analysts, threat hunters, and researchers who investigate and respond to attacks.
Unit 42 Managed Threat Hunting proactively hunts for advanced threats and creates detailed reporting on its findings to help you defend and keep peace of mind.
Insufficient patch management and unnecessary resource exposure were contributing factors in dozens of cases. And our Unit 42 Attack Surface Threat Report researchers found about a 20% per month rate of change in cloud-based IT infrastructure. It’s important to minimize the risk here.
The first step is keeping an up-to-date inventory of your internet-connected assets, from the perspective of an attacker; from the outside-in.
The next step is doing that continuously and comprehensively. With that high rate of change, point-in-time audits are out of date as soon as they’re complete. Instead, automate.
Cortex Xpanse is an active ASM solution that helps actively discover, learn about, and respond to risks in exposed systems and services.
Reactively, we use Cortex Xpanse during incident response to find a client’s entire
attack surface. Several times, it’s shown us an attacker’s entry point that the client didn’t even know they had.
Proactively, ASM is part of our Unit 42 Attack Surface Assessment service. It boosts your visibility into internet-connected assets, and we recommend actions you can take to better defend your organization.
Lack of centrally managed endpoint protection was a significant contributing factor in 2023 incidents. Attackers are great at finding the unprotected sections of the infrastructure.
Naturally, we recommend Cortex XDR as our first choice. It’s an extended detection and response platform that integrates data from the endpoint as well as other sources. We particularly like how it can stitch together endpoint, network, cloud, and identity data. That helps with attack detection, and it also simplifies our investigations by putting all the data together for us. It can do the same for you.
Cortex XDR also uses AI-driven technology for analytics, threat insights, file and incident analysis. That’s in line with our goal to use automation-first processes that scale, because attackers are scaling, too.
During a live incident response, we often also need endpoint controls for capabilities like endpoint isolation, exploit and execution prevention. Cortex XDR does that for us as well.
Unit 42 conducts Compromise Assessment engagements using Cortex XDR. These assessments answer the key question: “Am I compromised?” We use extensive telemetry data from your environment together with data from Palo Alto Networks customers worldwide and Unit 42 threat intelligence to identify threats and vulnerabilities in your organization.
We prioritize our recommendations and align them with your security strategy. (We can help you develop that strategy, too.) Then you can move forward with implementation more confident that you’re strengthening your defenses.
Threat actors are creating larger and faster effects, consistent with their use of playbooks and automation. Defenders should automate as well.
In our own Palo Alto Networks SOC, we use Cortex XSOAR®. We’ve measured its performance in our environment, and it does the work of 16 full-time employees, saving our analysts an average of 2,600 hours per month. If you have invested in creating playbooks and processes but struggle to get them automated, XSOAR is a great place to start.
Unit 42 Incident Response offers several proactive assessments that relate to automation. If you’ve built or are thinking about building a next-generation SOC, our SOC Assessment can help you design and build that capability. If you already have processes in place, consider our Ransomware Readiness Assessment or BEC Readiness Assessment to evaluate them.
Many of the incidents we worked on could have been smaller or prevented entirely. The framework we recommend to clients is ZTNA 2.0, integrating authentication with fine grained least-privileged access. Access to organization resources should be minimal, continuously evaluated and comprehensive.
Palo Alto Networks Prisma Access is purpose-built, cloud-delivered and reduces risk. It delivers many networking and security services, from firewalls-as-a-service through SDWAN and malware blocking. The feature list is long.
Cortex XSIAM has Identity Threat Detection and Response that combines behavior analytics with identity threat detection to respond to threats like insider, data exfiltration, lateral movement, and other actions.
And because identity authentication is a key part of ZTNA 2.0, we recommend phishingresistant second factor authentication, such as FIDO2 keys. Move on this as quickly as you can.
Unit 42 Incident Response offers several engagements around ZTNA 2.0. Our Cyber Risk Assessment and Security Program Design, for example, helps you define a defense-indepth strategy that can align with this framework.
Many organizations can’t answer the question, “Which remote management tools are approved for business use?” Define and enforce an answer.
Cortex XSIAM has embedded ASM capabilities that let you find outliers to the answer.
To minimize the risk of data exfiltration to unapproved locations, you’ll need more than just packet filters. SaaS Security has continuous discovery, categorization and control using our App-ID™ technology.
Define and practice your incident response process. The most effective incident responses are executed from a thoughtful structure that was designed ahead of time.
Unit 42 can help you exercise those processes in Tabletop Exercises. You’ll simulate your response to a severe incident. We’ll base the scenario on real-world breaches and industry-specific threats.
For a stress test, consider a Penetration Test by the Unit 42 red team. We’ll apply the tactics, techniques and procedures used by threat actors, and you’ll get to defend against them. For even more benefit, consider a Purple Teaming Exercise, where our defenders collaborate with yours against the red team.
Palo Alto Networks, with Unit 42, has a broad offering of products and services. We would love to help you identify which ones would be valuable to your organization.
of organizations expose RDP to the internet for a significant part of each month
...good consultants will tell you what it depends on and help you create a plan to go forward from there.
If you talk to a lot of incident responders, one aspect of the work will keep coming up. Most of us enjoy problem-solving. Even when you encounter the same threat actor across several incidents, the differences are the fun part. What will the threat actor do differently this time? What will be different about the target environment? What one weird thing will happen and make the incident response totally different?
That’s the joy of the future tense. The past informs us. We look around in the present. And we find out in the future.
Here are the topics we think are important this year… and what they look like as of July, 2024.
In February 2024, we said…
Artificial intelligence (AI) has dominated technology news and development in the last two years. AI has technological benefits for both attackers and defenders, principally around scale. We think attackers will leverage those benefits with greater sophistication and scale, specifically around social engineering.
We expect to see attackers using AI tools with greater sophistication and scale than today. We expect they will target voters, seeking to create friction within and among political groups.
And we expect to see this activity play out within organizations, as well. Generative AI will enable attackers to operate at greater scale, creating more (though not necessarily better) social engineering content. This AI-generated content will become harder to discriminate from “authentic” content. Organizations will become increasingly reliant on advanced detection capabilities to bridge the resulting detection gap. Now is the time to stimulate awareness of and preparation for handling inauthentic AI-enabled information.
AI continues to dominate the conversation. But so far, we haven’t yet seen a dramatic shift in the threat landscape due to AI – it’s an incremental one.
We are seeing attackers experiment with jailbreaking models, such as WormGPT and FraudGPT. And while they have seen some success with rudimentary code generation and social engineering text, we aren’t yet seeing generative AI capable of directly generating malicious code at scale.
So-called “deepfake” technology using generative AI has been increasing. There are several public reports, including an April blog post from LastPass mentioning an (unsuccessful) attempt to voice-phish an employee. And in May, a British engineering company confirmed it had been the target of a deepfaked video call that led to it paying a fraudster US$25 million. And there have been numerous reports of AI-faked robocalls using inauthentic celebrity and political voices.
Kyle Wilhoit, director of threat research at Unit 42, talks more about these cases in episode 13 of the Threat Vector podcast.
We expect this trend to continue, and we’re sticking with our recommendation to stimulate awareness of and preparation for inauthentic AI-enabled information.
Previously…
DevOps (and SecDevOps, and any number of other mashed-together words to describe IT) has enabled defenders to scale technology operations to better operate and secure their organizations.
We expect attackers will demonstrate their skills and expertise in DevOps, IT, and security as well. They will use their target’s existing IT and security tools to meet their own malicious needs. We expect to see attackers manipulate and subvert security controls to evade detection and persist within the target environment – without needing malware.
This trend continues. As we note in our updated section on Muddled Libra, attackers continue evolving their skills. We see them improving their skills compromising cloud infrastructure. They’re even starting to make extended use of defender tools (which we also noted earlier.)
Our guidance remains: organizations should assess the security of their security. Review the authentication and authorization controls around DevOps and security tools, and then establish compensating controls and procedures to protect your protections.
Earlier, we cautioned…
Large language models (LLMs) have rapidly become the go-to tools for anyone who needs to create large volumes of text. LLMs are good at creating plausible text, even if it’s not always grounded in reality.
We expect attackers will look for opportunities to seed disinformation at the source. They will manipulate the sources and data that underpin these LLMs to influence the models’ output for the attackers’ own purposes.
Organizations should maintain a healthy distrust of LLM-generated material. Grounding decisions on verified data–not conjecture or hallucination–will remain the best way to operate in an increasingly untrustworthy information environment.
Organizations are continuing to invest in LLM and other technologies. We remain bullish on their ability to assist defenders, when used judiciously and correctly. For our own part, Palo Alto Networks is investing in Precision AI to help defenders with data they can trust. A lot more work remains to be done in this area.
Every incident response and threat report is a product of the authors’ point of view and casework. This one is ours. While statistics are useful, the real value of a report is its perspective on those numbers. That perspective arises from helping some of the world’s largest organizations through encounters with the most determined, skilled threat actors out there.
As well as that hands-on experience, Unit 42 has access to comprehensive cyberthreat data from a broad portfolio of Palo Alto Networks security products, including:
Our Cortex XSIAM SOC transformation platform
Our ability to monitor attack surfaces at scale with Cortex Xpanse
Observations of attack traffic from our Next-Generation Firewall
Behavioral insights from Cortex XDR monitoring across endpoint, network and cloud
This data underpins our threat intelligence and informs our incident responders. Here’s our methodology.
Data from incident response cases forms the backbone of this report. To assemble the information here, we reviewed the findings from more than 1,200 cases over the last 2.5 years.
This dataset includes anonymized data from several incidents that made headlines as well as many that didn’t but were no less impactful. These cases involved BEC, ransomware, insider threat, nation-state espionage, network intrusions, and inadvertent disclosures. Our clients range from small organizations with fewer than 50 personnel to Fortune 500 and Global 2000 companies and government organizations with more than 100,000 employees.
While most of the targeted assets in these cases were located in the US, the threat actors conducting the attacks were located worldwide, and they targeted businesses, organizations, and IT infrastructure around the globe.
We supplemented the case data with in-depth interviews with experienced security consultants to gather anecdotal and narrative insights from their work with clients in specific areas of expertise. Our recommendations and observations are based on areas where threat actors were largely successful. As such, the lessons themselves have broad applicability.
In February 2024, we said…
No changes here. We continue to see attackers harvesting data at large scale, presumably for later use.
Organizations should take stock of the encrypted data under their control, noting what has been stolen in the past that could become unprotected in the future. Organizations should also understand and increase their resistance to quantum threats as part of system design and operation.