“New year, clean slate” may be the resolution for many people eager to leave 2023 behind. But it’s not so simple for cybersecurity defenders as we enter 2024; last year left a lingering impact from several disruptive cyber-threat events. Optimism isn’t a bad approach, but renewed vigilance is a better one.
Let’s review the leftovers we’ll continue to observe in 2024 (they’re not all bad!): novel ransomware extortion techniques, the use of artificial intelligence (AI) to automate attacks, and disruptions of major cybercriminal marketplaces and malware networks. What can we do better to address these in the context of a new year?
Dark-Web Networks Dismantled
From a law-enforcement perspective, 2023 was a bountiful year. In the first half, law-enforcement agencies took down several established and well-known English-language cybercriminal platforms, including Genesis Market and BreachForums. The operations drove many English-speaking users to Russian-language forums, such as XSS.
New forums—Exposed, KKKSec, PwnedForums—quickly mushroomed to fill the gap. But instead, many cybercriminals came to see these platforms as either operationally negligent or honeypots (sites set up to entrap users who intend to engage in illicit behavior). Even Exposed—purportedly a new BreachForums, launched in June 2023—prompted one user of a Russian-language forum to say they were “highly confident” that the site was an FBI honeypot.
Authorities also dismantled the “Hive” and “ALPHV” (aka BlackCat) ransomware groups, seizing control of their servers and websites, and issuing a decryption tool for 500-plus organizations compromised by ALPHV to recover their systems and files. The Hive operation seemingly spelled the group’s demise: They haven’t been seen since. But ALPHV has shown resilience, naming several newly compromised entities on a new data leak site.
To round it off, the FBI also led a multinational operation that successfully disabled the “QakBot” (aka QBot) malware loader. Prior to the takedown, ReliaQuest had identified QakBot as the most used malware loader, accounting for more than one third of all such activity.
2024 Context
In the murky world of the dark web, trust has proven the hardest commodity to acquire. The takedowns of 2023 were highly effective in disrupting cybercriminal transactions and dialogue, and the deep reluctance to adopt new platforms will probably stick.
On the flip side, new threat actors will flock to established forums, such as XSS and Exploit. This will potentially create an even more concentrated pool of discussions about malicious cyber activity, and could foster closer collaborations.
Ransomware: Ever-New Extortion Tactics
Ransomware attacks continued to wreak the most financial and reputational damage throughout 2023; but it was the “Clop” ransomware group’s MOVEit campaign that caught the public eye, for its scale and extortion method. By exploiting a zero-day vulnerability (CVE-2023-34362) in the MOVEit managed file transfer software, more than 2,600 organizations were reportedly affected. ReliaQuest provided real-time updates on the campaign while it unfolded.
Likely because such a large number of organizations were breached, Clop told affected entities they would need to confirm their compromise and initiate negotiations for ransom—while they sat back and awaited the rewards. This move garnered significant publicity, bolstered Clop’s notoriety, and probably put them in a better place to collect payments in future activity.
ALPHV also took extortion to the “nth” degree by having the audacity to file a US Securities and Exchange Commission (SEC) complaint against one of the organizations named on its data-leak site (i.e., an entity it had compromised). ALPHV pointed out to the SEC that the breached company hadn’t complied with new cyber-attack disclosure regulations This hallmark event marked the first public confirmation of a ransomware group reporting an organization to the SEC to pressure them into making payment.
2024 Context
These and other bold tactics (see our deep dive covering 2023 ransomware and extortion trends) showcase the continuing innovation at play in the ransomware scene. There’s only one aim: squeezing payments out of compromised organizations. And, as companies become more vocal in their refusals to pay ransoms (in some countries, they’re legally forbidden to do so), ransomware groups will resort to even more extreme and unusual ways to extort money. In 2024, we’ll undoubtedly see other inventive methods.
Faster Attacks: Automating with AI
In 2023, the chatter about using AI to speed up cyber attacks grew much louder. Threat actors increasingly referred to the generative AI bot ChatGPT on dark-web forums, expressing interest in bypassing its security controls.
Where there’s demand, there’s supply. Perpetrators started offering proofs of concept (PoC) to bypass ChatGPT’s filters: “WormGPT” and “FraudGPT,” which are allegedly both ChatGPT black-hat (malicious tools used to gain unauthorized access to computer networks and systems) equivalents Their prices are relatively affordable—around $1,000 a year gets you a subscription. They promise highly enticing possibilities: develop malware, create hacking tools, produce grammatically impeccable emails to conduct business email compromise (BEC), and more.
Security researchers are going head-to-head with cybercriminals, trying to stay ahead of the game by anticipating how AI can progress the nature of cyber attacks. In March 2023, researchers released a PoC, named Black Mamba, which demonstrated how AI can be used to generate polymorphic malware. That’s a type of malware that can repeatedly cause mutation of its appearance or signature files, via new decryption routines.
Black Mamba exploits a large language model to synthesize polymorphic keylogging functions. It dynamically alters code at runtime, without connecting to a command-and-control server to deliver or verify the keylogger. Although it’s still in early development stages, Black Mamba demonstrates how LLMs can be abused to combine common malicious actions in unusual ways. The desired end result for threat actors would be better evasion from detection from security systems trained to recognize certain behavioral patterns.
2024 Context
Whether or not these tools can deliver all they promise remains uncertain. What’s undisputable is that AI will increasingly grease the wheels for highly efficient and targeted cyber attacks in 2024. We’ll see more instances of AI powering flawless phishing campaigns (see our insights on detecting phishing and BEC here). Also, look for it to act as a coding assistant to malware developers, scan for vulnerabilities at speed, and devise crafty defense-evasion techniques based on lessons learned in previous intrusions.
ReliaQuest in Your Court for 2024
Just as threat actors are looking to capitalize on lessons from past attacks, we’re ingesting new data all the time and refining our insights to ensure security teams are always pointed in the right direction. As 2024 unfolds, are you looking to accelerate proactive security operations? Achieving this in months, instead of years, is possible with ReliaQuest GreyMatter. Request a demo.