Red Canary report unveils 2023's top cybersecurity threats
Red Canary, a cybersecurity company, recently released its 6th annual Threat Detection Report, offering an in-depth analysis of cybersecurity trends and techniques that organisations need to prioritise. According to the report, 2023 saw a significant increase in Cloud Accounts compromises and the abuse of Email Forwarding Rules, two threats that emerged swiftly into the top 10 rankings. The analysis is based on more than 216 petabytes of telemetry collected throughout 2023, helping to examine nearly 60,000 threats and provide valuable insights.
The report reveals that while the threat landscape is evolving, attackers' motivations remain consistent. Their classic techniques are still commonly deployed, with exceptions. Specific findings indicated that Cloud Accounts was the fourth most common technique detected, rising from ranking 46th in 2022. It showed a 16-fold increase in detection volume and impacted three times more customers in 2023 than in the previous year. Detections for malicious Email Forwarding Rules soared by nearly 600%, leading to compromises on email accounts and attempts to redirect financial transactions towards criminals.
Among the top 10 threats, half utilised malvertising and/or SEO poisoning, sometimes leading to the deployment of sever payloads like ransomware precursors, and half of the top threats were identified as ransomware precursors, which might result in further ransomware infection if not addressed. Humans - the primary vulnerability for adversaries in 2023 - were often targeted to access cloud service APIs, execute payroll fraud with email forwarding rules, launch ransomware attacks, and more, despite new software vulnerabilities.
Red Canary's Keith McCammon asserted, "The top 10 threats and techniques change minimally year over year, so the drift that we're seeing in the 2024 report is significant. The rise of cloud account compromises from 46 to number 4 is unprecedented in our dataset and it's a similar story with email forwarding rules. The golden thread connecting these modes of attack is identity. To access cloud accounts and SaaS applications, adversaries must compromise some form of identity or credential, and one that is highly privileged can grant an adversary untold access to valuable accounts, underscoring the critical importance of securing corporate identities and identity providers."
While traditional techniques persist, interesting variations were noticed, such as adversaries compiling malicious installers with MSIX, a new packaging tool by Microsoft. Container escapes and reflective code loading in macOS were also prevalent, allowing adversaries to evade macOS security controls and run malicious code on Apple endpoints. Furthermore, pressures on different sectors saw varied threat patterns- healthcare saw a prevalence of Visual Basic and Unix Shell, education had an increase in email forwarding and hiding rules, manufacturing experienced replication through removable media like USBs, while financial services and insurance encountered less obvious techniques such as HTML smuggling and Distributed Component Object Model.
For ensuring cybersecurity, Red Canary recommends validating defenses against top threats and techniques, patching vulnerabilities, and gaining an expert understanding of cloud infrastructure usage within an organisation.