Use of AI by cyber criminals continues to gain ground

Trend Micro, one of the providers of cyber security solutions, summarizes the most important IT security trends in the first half of 2024 in its latest status report. Despite some successful operations by law enforcement agencies against ransomware and phishing, the threat level remains high.

The five most important ransomware families for the first half of 2024, measured by the number of files detected. (Image: www.trendmicro.com)

In the first half of 2024, cybercriminals continued to prioritize fast, inconspicuous yet sophisticated threats and campaigns. The Japanese cybersecurity specialist observed attackers targeting misconfigured and unprotected assets in order to penetrate systems unnoticed and steal sensitive data. Overall, access to vulnerable cloud applications topped the list of risk events in the first half of 2024, and in many cases a lack of endpoint protection on unmanaged devices also exposed companies to unnecessary risk.

Threat situation remains complex despite law enforcement successes

The ransomware family with the most file detections in the first half of 2024 was LockBit, although the detection figures fell massively as a result of the "Operation Cronos" police operation. Financial institutions were the most affected by ransomware attacks, closely followed by companies in the technology sector.

Despite the successful law enforcement measures in the first half of 2024, the threat situation remains complex:

  • LockBit: Despite considerable disruption and sanctions, LockBit is trying to maintain its position. Trend Micro analyzed a new version, LockBit-NG-Dev, which is written in .NET and could be platform-independent.

  • Dropper malware networks: Even after the takedown of botnets such as IcedID and Trickbot, ransomware groups continue to find vulnerabilities, abuse remote monitoring and management (RMM) tools, carry out bring-your-own-vulnerable-driver (BYOVD) attacks, and use custom shell scripts.

  • New tools and tactics: Both state-sponsored actors and cybercriminals use compromised routers as an anonymization layer. While groups such as Sandworm operate their own proxy botnets, others such as APT29 use commercial proxy networks. In one campaign investigated, the APT group Earth Lusca used the tense relations between China and Taiwan as social engineering bait to infect targeted victims.

Threat actors continue to push the limits of AI

Trend Micro observed that threat actors are hiding malware in legitimate AI software, running criminal LLMs (large language models) and even selling jailbreak-as-a-service offerings. The latter allow cybercriminals to trick generative AI bots into answering questions that violate the bots' own policies, in particular to develop malware and social engineering lures. Actors have also refined deepfake offerings to carry out virtual kidnappings, commit targeted fraud in the form of BEC (business email compromise) and bypass KYC (know-your-customer) controls. For the latter, malware that intercepts biometric data has also been developed.

"Cybersecurity has evolved in recent years to cope with increasingly complex and targeted attacks," explains Udo Schneider, Governance, Risk & Compliance Lead Europe at Trend Micro. "In the coming years, it will become essential for the security industry to be proactive. Business leaders and security teams must manage the ever-changing threats and risks with a resilience-oriented, data-driven approach and a comprehensive (cyber) risk management strategy."

Source: www.trendmicro.com
