IT Brief New Zealand - Technology news for CIOs & IT decision-makers
New Zealand
Guides
#
artificial intelligence
#
digital transformation
#
disaster recovery
#
internet of things
#
work from home
Search
Story image
#
Cybersecurity
#
Malware
#
Ransomware
New threat report reveals true dominance of ransomware
Fri, 20th Oct 2023
Author image
By Shannon Williams, Journalist
Follow us

Elastic has announced its second Elastic Global Threat Report, issued by Elastic Security Labs. Based on observations from more than 1 billion data points over the last 12 months, the report reveals ransomware is expanding and diversifying; more than half of all observed malware infections were on Linux systems; and credential access techniques have become an essential part of the cloud intrusion process.

Malware Trends

The majority of malware observed was composed of a small number of highly prevalent ransomware families and commercial off-the-shelf (COTS) tools. As financially motivated threat communities adopt or offer malware-as-a-service (MaaS) capabilities, enterprises should heavily invest in developing security functions with broad visibility of low-level behaviours to expose previously undiscovered threats. 

BlackCat, Conti, Hive, Sodinokibi and Stop are the most prevalent ransomware families we identify through signatures, amounting to about 81% of all ransomware activity.

COTS malware capabilities like Metasploit and Cobalt Strike represented 5.7% of all signature events. On Windows, these families amounted to about 68% of all infection attempts.

Around 91% of malware signature events came from Linux endpoints, while Windows endpoints accounted for only about 6%.

Endpoint Behaviour Trends

The most sophisticated threat groups evade security by withdrawing to edge devices, appliances, and other platforms where visibility is at its lowest. As never before, the report highlights the need for enterprises to evaluate the tamper-resistant nature of their endpoint security sensors and consider monitoring projects to track vulnerable device drivers used to disable security technologies. In addition, organisations with large Windows environments should track vulnerable device drivers to disable these essential technologies.

When looked at together, Execution and Defence Evasion make up more than 70% of all endpoint alerts.

Elastic observed the most discreet techniques on Windows endpoints, being the top target by adversaries with 94% of all endpoint behaviour alerts, followed by macOS at 3%.

macOS-specific credential dumping was responsible for an astounding 79% of all credentials access techniques by adversaries, an increase of approximately 9% since last year. Of these attempts, we observed that Windows environments where ProcessDump.exe, WriteMiniDump.exe, and RUNDLL32.exe were used more than 78% of the time.

Cloud Security Trends

As enterprises increasingly migrate on-premises resources to hybrid or entirely cloud-based environments, threat actors are taking advantage of misconfigurations, lax access controls, unsecured credentials, and no functional principle of least privilege (PoLP) models. Organisations can dramatically reduce the risk of compromise by implementing the security features that their cloud providers already support and monitoring for common credential abuse attempts.

For Amazon Web Services, Elastic observed defence evasion (38%), credential access (37%), and execution (21%) as the most common tactics mapped to threat detection signals. 

53% of credential access events were tied to compromised legitimate Microsoft Azure accounts, while Microsoft 365 experienced a high rate of credential access signals, accounting for 86%, and 85% of Google Cloud threat detection signals were related to defence evasion.

Discovery accounted for approximately 61% of all Kubernetes-specific signals, predominantly related to unexpected service account requests that were denied.

"Today's threat landscape is truly borderless, as adversaries morph into criminal enterprises focused on monetising their attack strategies," says Jake King, head of security intelligence and director of engineering at Elastic. 

"Open source, commodity malware, and the use of AI have lowered the barrier to entry for attackers, but were also seeing the rise of automated detection and response systems that enable all engineers to better defend their infrastructures," he says.

"It is a cat-and-mouse game, and our strongest weapons are vigilance and the continued investment in new defence technologies and strategies."

Related stories
GitHub's 2FA initiative helps secure software supply chain
AI tools linked to data exposure in 1 in 5 UK organisations
Gen AI optimism high in ANZ but cybersecurity concerns loom
NetApp 2024 report uncovers 'disrupt or die' era powered by AI
ANZ senior leaders caution over cybersecurity, global figures differ
Top stories
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity
Dropbox unveils new features for remote work, enhances Microsoft integration