Cybersecurity firm Red Canary has released its sixth annual Threat Detection Report, examining the trends, threats and adversary techniques that organizations should prioritize in the coming months and years.
The report tracks the MITRE ATT&CK techniques most commonly abused by attackers throughout the year, with two notable new entries surging into the top 10 in 2023: email forwarding rules and cloud accounts.
Red Canary’s latest report provides an in-depth analysis of nearly 60,000 threats detected in 2023 from more than 216 petabytes of telemetry collected from client endpoints, networks, cloud infrastructure, identities and SaaS applications. The report stands apart from other annual reports with its unique data and insights derived from extensive detection and expert, human-led threat investigation and confirmation.
The data shows that while the threat landscape continues to change and evolve, attacker motivations do not. The classic tools and techniques deployed by adversaries remain consistent, with some notable exceptions. Key findings include:
- Cloud Accounts (ATT&CK T1078.004) was the fourth most prevalent MITRE ATT&CK technique detected by Red Canary in 2023, up from 46th in 2022, with a 16-fold increase in detections and three times as many customers affected in 2023 as in 2022.
- Detections of malicious email forwarding rules (ATT&CK T1114.003) increased nearly 600% as adversaries compromise email accounts, redirect sensitive communications to archive folders and other places users are unlikely to look, and attempt to modify payroll or wire-transfer destinations to divert funds to accounts they control.
- Half of the top 10 threats leverage malvertising and/or SEO poisoning, sometimes leading to more severe payloads such as ransomware precursors.
- Half of the top threats are ransomware precursors, which, if left unchecked, can lead to ransomware infections. Ransomware continues to have a significant impact on businesses.
- Despite a wave of new software vulnerabilities, humans remained the primary vulnerability exploited by adversaries in 2023, whether through identity-based access to cloud service APIs, email forwarding rules used for payroll fraud, or ransomware attacks.
- macOS threats are on the rise. In 2023, Red Canary detected more stealer (information-stealing malware) activity in macOS environments than ever before, along with instances of reflective code loading and AppleScript abuse.
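The email forwarding rule finding above is the one most directly testable from mailbox audit logs, and the same pattern reappears later in the report's Education sector notes. The following is an added example, not code from Red Canary or from the report: it scores inbox-rule creation events for the behaviours the finding describes (forwarding to an external domain, moving mail to a folder the user rarely opens, deleting matching messages, matching finance-related subjects). The records are constructed for this example and only loosely modelled on Exchange Online audit entries for New-InboxRule; field names such as Operation, UserId and Parameters, and the example.com / attacker.example domains, are assumptions.

```python
"""Flag suspicious inbox-rule creation in constructed mailbox audit records."""
import json

# Folders a user rarely opens; adversaries park redirected mail there so the
# victim never notices the conversation they are hijacking.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                  "conversation history", "junk email", "deleted items", "notes"}

# Subject keywords that suggest a rule is hunting for finance or credential traffic.
FINANCE_KEYWORDS = {"invoice", "payroll", "wire", "payment", "password",
                    "mfa", "bank", "remittance"}

# Assumption: the organisation's own mail domains (anything else is "external").
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample records (not real telemetry), loosely modelled on
# Exchange Online audit entries for New-InboxRule. Field names are assumptions.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com",
                "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "hr@example.com",
                "ClientIP": "198.51.100.23",
                "Parameters": [{"Name": "Name", "Value": "fwd"},
                               {"Name": "ForwardTo", "Value": "payroll.updates@attacker.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "192.0.2.10",
                "Parameters": [{"Name": "Name", "Value": "Team newsletter"},
                               {"Name": "From", "Value": "newsletter@example.com"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]


def _params(record):
    """Flatten the Parameters list into a {name: value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _external(addresses):
    """True if any ';'-separated address is outside INTERNAL_DOMAINS."""
    for addr in addresses.split(";"):
        addr = addr.strip().lower()
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            return True
    return False


def score_rule(record):
    """Return the list of reasons a rule looks malicious; empty means benign."""
    reasons = []
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return reasons
    p = _params(record)
    # Exfiltration: mail copied or redirected to an address the org does not own.
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in p and _external(p[key]):
            reasons.append(f"{key} to external address {p[key]}")
    # Hiding: matching mail moved somewhere the user will not see it, or deleted.
    if p.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    # Marking as read is only noteworthy alongside forwarding or hiding.
    if p.get("MarkAsRead", "").lower() == "true" and reasons:
        reasons.append("marks matching messages as read")
    # Targeting: rule keyed on invoice / payroll / wire style subjects.
    subject = p.get("SubjectContainsWords", "").lower()
    hits = sorted(k for k in FINANCE_KEYWORDS if k in subject)
    if hits:
        reasons.append(f"matches finance/credential keywords {hits}")
    # Attackers often give rules a name of one or two characters or just punctuation.
    name = p.get("Name", "").strip()
    if len(name) <= 3 or not any(c.isalnum() for c in name):
        reasons.append(f"short or non-descriptive rule name '{name}'")
    return reasons


def triage(lines):
    """Parse JSON audit lines and return {UserId: reasons} for suspicious rules."""
    findings = {}
    for line in lines:
        rec = json.loads(line)
        reasons = score_rule(rec)
        if reasons:
            findings[rec["UserId"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_RECORDS).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Against the constructed records, the CFO's rule is flagged for hiding invoice and wire mail in the RSS Feeds folder under a one-character name, and the HR rule for forwarding to an external domain while deleting the originals; the newsletter rule produces no findings. In a real tenant the same logic would run over exported audit records, and the folder and keyword lists would be tuned to what is normal for that organisation.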
Red Canary points to several broader trends affecting the threat landscape, such as the emergence of generative artificial intelligence, the continued prominence of remote monitoring and management (RMM) tool abuse, the prevalence of web-based payload delivery such as SEO poisoning and malvertising, the growing need for adversaries to evade MFA, and the dominance of brazen but highly effective social engineering schemes such as help desk phishing.
“The top 10 threats and techniques change very little year over year, so the changes we see in the 2024 report are significant. Cloud account compromises rose from 46th to 4th, which is unprecedented in our data set. It’s a similar story with email forwarding rules,” said Keith McCammon, chief security officer at Red Canary. “The golden thread connecting these attack patterns is identity. In order to access cloud accounts and SaaS applications, an adversary must compromise some form of identity or credentials, and a highly privileged person can grant an adversary countless access rights to valuable accounts. This highlights the critical importance of protecting corporate identities and identity providers.”
Emerging techniques for macOS, Windows and Linux users to watch out for
The techniques section of the report highlights the most prevalent and impactful techniques observed among confirmed threats to Red Canary’s customer base in 2023. While perennial techniques like PowerShell and Windows Command Shell remain, there are some interesting changes, including:
- Attackers use Microsoft’s newer MSIX packaging format (commonly used to update existing desktop applications or install new ones) to build malicious installers that trick victims into running malicious scripts under the guise of downloading legitimate software.
- Container escape: attackers exploit vulnerabilities or misconfigurations in the container runtime, the underlying kernel or the container’s own configuration to “escape” the container and compromise the host system.
- Reflective code loading allows attackers to evade macOS security controls and execute malicious code in memory on otherwise hardened Apple endpoints.
Attackers don’t target verticals; they target systems
The data shows that adversaries can reliably leverage the same small set of 10-20 ATT&CK techniques to attack organizations, regardless of the victim’s sector or industry. However, adversaries do favor certain tools and techniques that target systems and workflows common to specific sectors:
- Healthcare: Visual Basic and Unix Shell are more prevalent, likely because of the variety of devices and systems in use in this industry.
- Education: Email forwarding and hiding rules are more common, likely due to heavy reliance on email.
- Manufacturing: Copying via removable media (e.g. USB) is more common, likely due to reliance on air-gapped or pseudo-air-gapped physical infrastructure and legacy systems.
- Financial Services and Insurance: Less common techniques such as HTML smuggling and Distributed Component Object Model (DCOM) abuse are more prevalent, possibly because greater investment in controls and testing pushes adversaries toward less obvious methods.
Recommended actions:
- Validate your defenses. Take a look at the top threats and techniques and ask yourself, “Am I confident in my ability to protect against them?” Red Canary’s open source testing library, Atomic Red Team, is free and easy to adopt.
- Patching vulnerabilities is key. It remains tried and true as one of the best ways to avoid risk.
- Become a cloud expert. Make sure your permissions and configurations are set correctly and understand how everyone in your organization is using the cloud infrastructure: the difference between suspicious and legitimate activity is subtle in the cloud and requires a deep understanding of what is normal in your environment.