Warning: don't fall victim to malicious emails forwarded by colleagues, Positive Technologies says

According to the Q2 2024 threatscape, social engineering remains one of the most frequently used methods in attacks on organizations, with 83% of cases involving emails

Positive Technologies detected complex phishing schemes in Q2 2024: attackers sent emails to employees of target companies with a request to forward them to coworkers. The quarter also saw continued growth in attacks on organizations using remote access trojans (RATs), as well as massive use of skimmers[1].

Social engineering was employed in every second successful attack on companies (51%). In May, the Positive Technologies Expert Security Center (PT ESC) detected an unusual phishing campaign conducted by the cybercriminal group Hive0117. An employee of a holding company received a phishing email. The email had an attachment that was a password-protected archive containing an executable file: a DarkWatchman backdoor[2]. To gain the recipient's trust, the attackers disguised the email as a reply to an earlier message, created a sense of urgency by mentioning a supposed tax audit, and requested that the information be forwarded to the accountant. Such attacks have a high chance of success because coworkers are generally perceived as trusted individuals.

Malware remains the most common method used in cyberattacks on companies (64%). For the second consecutive quarter, experts note the growing use of RATs in attacks on both organizations (41%) and individuals (42%). Compared to Q1 2024, these figures increased by 9% and 5%, respectively. Cybercriminals use RATs because this malware provides persistent access to compromised systems, enabling long-term espionage.

"To spread RAT tools, attackers often use various package managers and repositories, such as npm and PyPI, and mimic the names of legitimate files. The popularity of this attack method has increased by 15% compared to the previous quarter, making software developers a popular target in the first half of 2024," says Dmitry Streltsov, Threat Analyst at Positive Technologies. "Attackers are continuously refining RATs and the methods of spreading them to remain undetected. For example, the new version of CraxsRAT can evade Google Play Protect, the built-in antivirus software on Android devices. It also allows malicious payloads to be injected into APK files[3]. This is a concern for the security of Android smartphones."
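The name-mimicking distribution method described above can be checked for on the defender's side by comparing each requested dependency name against a list of well-known packages and flagging names that differ by only one or two edits. The following is an added example written for this page; it is not Positive Technologies' code and is not PT PyAnalysis. KNOWN_PACKAGES and SAMPLE_REQUIREMENTS are constructed samples, the threshold of 2 edits is an assumption, and the check goes slightly beyond the quote by scanning a whole requirements-style manifest rather than a single name.

```python
"""Typosquat check for dependency names ("mimic the names of legitimate
files" on npm and PyPI). Added example; not Positive Technologies' code
and not PT PyAnalysis. KNOWN_PACKAGES and SAMPLE_REQUIREMENTS are
constructed samples; MAX_DISTANCE is an assumed threshold."""
import re

# Constructed sample of well-known names. In practice you would load the
# registry's most-downloaded packages yourself (assumption: that list is
# maintained locally; nothing is fetched here).
KNOWN_PACKAGES = [
    "requests", "urllib3", "numpy", "django", "flask",
    "cryptography", "lodash", "express",
]
MAX_DISTANCE = 2  # assumed threshold: one or two edits is the typical look-alike

# Constructed requirements.txt-style manifest with two look-alike names.
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
requests==2.32.3
reqeusts==1.0.0
djangoo>=4
pandas~=2.2
"""


def normalize(name):
    """PEP 503-style normalization: lowercase, runs of . _ - become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_name(requested, known=KNOWN_PACKAGES, max_distance=MAX_DISTANCE):
    """Classify one requested package name.

    Returns (verdict, closest_known_name, distance) where verdict is:
      'known'      exact match after normalization
      'suspicious' within max_distance edits of a known name but not equal
      'unknown'    no near match (nothing to say either way)
    """
    req = normalize(requested)
    by_norm = {normalize(k): k for k in known}
    if req in by_norm:
        return ("known", by_norm[req], 0)
    distance, closest = min((levenshtein(req, n), k) for n, k in by_norm.items())
    if distance <= max_distance:
        return ("suspicious", closest, distance)
    return ("unknown", None, distance)


def scan_requirements(text):
    """Return [(requested_name, closest_known, distance)] for suspicious entries."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not m:
            continue
        verdict, closest, distance = check_name(m.group(1))
        if verdict == "suspicious":
            findings.append((m.group(1), closest, distance))
    return findings


if __name__ == "__main__":
    for name, closest, dist in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name!r} resembles {closest!r} (edit distance {dist}); verify before installing")
```

A name that is exactly a well-known package passes, a name that is close but not equal is reported for human review, and anything else is simply unknown; the check says nothing about the package contents, so it complements rather than replaces scanning the installation package itself.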

In Q2, the percentage of payment card data among stolen information in attacks on individuals increased by 9%, reaching 22%. Experts attribute this to the widespread use of skimmers. For instance, Sucuri identified a new web skimmer dubbed Caesar Cipher that targets content management systems (CMS) such as WordPress, Magento, and OpenCart. Stolen data is then used by cybercriminals in subsequent attacks or sold on the dark web. 

With the Q2 threatscape in mind, Positive Technologies offers the following advice:

  • For individuals. Carefully read emails, even if they come from someone you know. Avoid immediately opening password-protected archives. Verify the authenticity of a suspicious message by contacting the sender via other channels. Examine unfamiliar web resources carefully before entering your personal data. 
  • For software developers. Regularly update your source code management tools and check installation packages, for example, using PT PyAnalysis. Implement supply chain security practices and use application security tools such as PT Application Inspector, an application source code analysis system, and PT BlackBox, a dynamic application security testing tool.
  • For organizations. Regularly conduct an inventory of your IT assets and categorize them by criticality. Implement data access control policies and monitor access to sensitive information. To protect the network perimeter, use web application firewalls (such as PT Application Firewall) and establish vulnerability management processes (using MaxPatrol VM). To detect the latest malware before it does any harm, implement advanced sandboxes (PT Sandbox). To evaluate the effectiveness of your defenses, participate in bug bounty programs (for example, Standoff 365 Bug Bounty).

[1] Malware for reading bank card data.
[2] A remote access trojan written in JavaScript. It allows attackers to connect to the infected computer and download other malware, gather valuable corporate information, or move laterally in the network.
[3] Files that are used to install applications on Android devices.