Welcome to our 2024 Cybersecurity Forecast Series! This is the third of our four expert blogs where we unveil key predictions for attack surface challenges, navigate the geopolitical landscape, discuss AI advancements, and dive into ransomware trends in the year ahead. You can also watch our exclusive webinar that covers these insights and answers your burning questions about what 2024 holds for cybersecurity.
In our final blog post of the 2024 predictions series, let's explore a common theme from our past predictions about AI and ransomware: the reduction of the initial access barrier for attackers. This will result in a rise in compromised endpoints, and we'll talk about the implications from an attack surface perspective.
The Continuing Evolution of Endpoint Threats
Endpoints remain one of the most prominent objectives for threat actors in a cyberattack. Endpoints serve as the most common initial vector of entry for cybercriminals, and are generally where much of the valuable data threat actors are after resides. As a result, attacks targeting the endpoint will intensify, and there are several key areas where this will manifest:
- Living Off The Land: Threat actors are keen to avoid detection once they’ve compromised a system. One of the ways they perpetuate their attacks without raising too many alarms is by employing living off the land techniques, using so-called LOLBins (living-off-the-land binaries). This attack type uses existing binaries – programs and software that are already installed on a system – to carry out an attack, instead of relying on running separate malicious software, which can be easily identified by even legacy security software. We have mostly seen this type of abuse on Windows devices, where the attacker utilizes PowerShell, WMI, Task Scheduler and other services built into the operating system to run or trigger malicious scripts on the endpoint, but increasingly, threat actors are abusing native binaries on Linux and macOS devices as well, such as bash. These attack tactics have proven to be effective and successful, and we will continue to see an increase of attacks utilizing these tactics in 2024. This underlines the critical importance of employing EDR/XDR technology and MDR services that can correlate events across the network and can help identify behavior associated with a security incident that may involve LOLBins.
- Bring Your Own Vulnerable Driver (BYOVD): The elevated access granted to drivers in a system makes them an alluring target for cybercriminals. Threat actors are increasingly exploiting vulnerable drivers to gain privileged access into systems, where they then can use that access to bypass security solutions on endpoints, plant and trigger ransomware, move laterally across an organization’s network, and exfiltrate valuable data. Much like LOLBins, exploiting signed drivers that are already present on (or can legitimately be loaded onto) a system helps the attacker evade traditional security solutions and often bypass Microsoft’s digital signature protection. We saw, for example, the North Korea-based hacking group Lazarus exploit drivers belonging to authentication software to compromise the security of an organization they were targeting. 2024 should see an upturn of attacks utilizing driver vulnerabilities to compromise endpoints.
- Heterogeneity in Windows: Microsoft introduced the Windows Subsystem for Android to insiders in October 2021, and allowed Python scripting in Microsoft Office in 2023. These new features allow Windows to run non-native applications. By themselves, these additions introduce a whole new set of code and potential vulnerabilities into Windows. Every new piece of software increases the attack surface, which is the total number of points or "attack vectors" a threat actor can try to exploit. With both Windows and Android systems to target, there are more opportunities for attackers to find weaknesses. To compound the problem, utilization of the Android subsystem on Windows often involves the sideloading of apps. As we’ve previously reported, cybercriminals love to infest third-party APKs (Android app packages) with malware. The included support of Python scripts opens the doors for additional attacks to target users running Microsoft Office. We’ve already begun to see some malicious software packages exploiting the Python Package Index (PyPI). To protect against these threats, users should refrain from sideloading applications on Android systems, and install only software that’s available through the Google Play Store or Company Portal.
- EDR Bypass: Endpoint detection and response (EDR) solutions gained increased popularity in 2023, providing organizations with valuable insight into security threats targeting their endpoints. To counter the growing likelihood of EDR detection, threat actors developed an array of bypass techniques: modifying code in memory, incapacitating user-mode hooks, disabling the Antimalware Scan Interface (AMSI) altogether (AMSI allows security solutions to scan code that is executed on Windows systems for threats), utilizing kernel exploits, manipulating the audit logs EDR solutions rely on, and more. As EDR adoption grows in popularity, so will the adoption of EDR bypass techniques by threat actors. Organizations should implement defense-in-depth technology that uses multiple security layers that complement and overlap each other. This includes process protection capabilities that fortify the endpoint against DLL tampering, and that combine user-mode and kernel-mode security with heuristics to identify and impede EDR bypass techniques.
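As an added illustration of the kind of event correlation the LOLBin and EDR bypass sections call for (example code written for this post, not Bitdefender's own detection logic): a few constructed Sysmon-style process-creation events are scored against rules for Office applications spawning script hosts, WMI-triggered execution, encoded PowerShell command lines, and scheduled tasks that point at user-writable paths. The event fields, rule names and sample values are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c schtasks /create /sc minute /mo 5 /tn upd /tr C:\\Users\\Public\\u.vbs"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WMI_HOST = "wmiprvse.exe"                      # WMI provider host: parent of WMI-triggered processes
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata|temp|public)\\")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match the common short forms.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)(\s|$)")
TASK_CREATE = re.compile(r"(?i)\bschtasks\b.*/create\b")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(ev):
    """Return the names of the rules that fire on one process-creation event."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    flags = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        flags.append("office_spawns_script_host")
    if parent == WMI_HOST and image in SCRIPT_HOSTS:
        flags.append("wmi_triggered_execution")
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_FLAG.search(cmd):
        flags.append("powershell_encoded_command")
    if TASK_CREATE.search(cmd) and USER_WRITABLE.search(cmd):
        flags.append("scheduled_task_from_user_writable_path")
    return flags


def triage(events):
    """Map event index to fired rules; events with no hits are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := analyze_event(ev))}
```

Each rule alone is noisy on a real estate; the value comes from the parent/child pairing and from combining hits across events, which is the correlation an EDR/XDR backend performs.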
Growing Cloud Threats
Cloud workloads and infrastructure have become pivotal to the operational backbone of organizations worldwide. With this critical reliance on cloud environments comes a heightened risk profile, as emerging threats loom over these cloud ecosystems. 2023 saw a rise in cyberattacks targeting cloud-native architectures such as container orchestration platforms like Kubernetes. Threat actors continued to exploit vulnerabilities in widely used services, and increasingly abused misconfigurations in cloud workloads. Understanding these emerging threats is crucial for organizations to fortify their defenses, ensuring that their cloud journey in 2024 remains secure and resilient.
- Azure and Azure AD Under Siege: Last year saw an upsurge in the availability of open-source tools that are particularly useful for managing, monitoring, and securing public cloud workloads, particularly for Microsoft Azure®. These tools offer a range of functionalities, from infrastructure automation to performance monitoring. We anticipate threat actors will be looking to hijack many of these tools to gain unauthorized access into cloud workloads. By “hooking” into the application programming interfaces (APIs) used by these tools, or exploiting vulnerable drivers, cybercriminals will be able to undermine the security of the cloud environments these tools interface with. With that foothold, threat actors will be able to access Azure AD and create accounts with elevated access that will allow them to weaken defenses in the organization (e.g. disabling multi-factor authentication) or manipulate existing administration infrastructure like Intune™ to run malware on hosts. Extended detection and response (XDR) solutions that offer protection for cloud workloads and identity platforms can help uncover behavior associated with misuse of these tools.
- The Rise of Cloud-Native Worms: The increased adoption of DevOps in the cloud, and the expanding popularity of container platforms like Kubernetes, Docker, OpenShift and others, has expanded the potential attack surface area for cybercriminals. Threat actors will continue to exploit misconfigurations in these cloud environments to gain access to organizations. We expect to see a rise in cloud-native worms that proliferate malware across entire cloud environments. Exploiting the very nature of these interwoven platforms, these worms have the potential to cause a lot of damage in a very short amount of time. We saw the emergence of a self-replicating variety of these worms used for crypto-mining schemes, and copycats are sure to follow. Organizations with a presence in the cloud should commission professional Cloud Security Posture Management services to identify and resolve the cloud misconfigurations that can leave businesses exposed to these novel cloud threats.
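As an added example of the misconfiguration checks a Cloud Security Posture Management service performs (written for this post, not code from Bitdefender or any CSPM vendor): a constructed Kubernetes pod manifest is audited for the settings that let one compromised container reach the node or its neighbours, which is the path a cloud-native worm spreads along, and a hardened copy is produced. The manifest, the checked fields and the list of sensitive host paths are assumptions.

```python
import copy

# Constructed pod manifest as a dict (what a CSPM check parses from YAML); not from any real cluster.
RISKY_POD = {"kind": "Pod", "metadata": {"name": "worker"}, "spec": {
    "hostPID": True, "hostNetwork": True, "automountServiceAccountToken": True,
    "volumes": [{"name": "dsock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "app", "image": "registry.example/app:1.0",
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "dsock", "mountPath": "/var/run/docker.sock"}]}]}}

# Host paths whose mount hands a container control of the node or its other workloads (assumed list).
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/run/containerd/containerd.sock", "/etc", "/proc")


def audit_pod(pod):
    """Return the settings that let a compromised container escape to the node or reach neighbours."""
    spec, findings = pod.get("spec", {}), []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"{key}: pod shares a host namespace with the node")
    if spec.get("automountServiceAccountToken", True):        # Kubernetes default is True
        findings.append("service account token auto-mounted into every container")
    host_paths = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{c['name']}: runAsNonRoot not enforced")
        if sc.get("allowPrivilegeEscalation", True):          # default permits setuid/capability gain
            findings.append(f"{c['name']}: allowPrivilegeEscalation not disabled")
        for m in c.get("volumeMounts", []):
            p = host_paths.get(m["name"])
            if p and (p in SENSITIVE_HOST_PATHS or p.startswith(("/etc/", "/proc/"))):
                findings.append(f"{c['name']}: mounts sensitive host path {p}")
    return findings


def hardened_copy(pod):
    """Return a copy with each audited setting corrected; the original dict is left untouched."""
    p = copy.deepcopy(pod)
    spec = p["spec"]
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        spec.pop(key, None)
    spec["automountServiceAccountToken"] = False
    dropped = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    spec["volumes"] = [v for v in spec.get("volumes", []) if v["name"] not in dropped]
    for c in spec.get("containers", []):
        c["securityContext"] = {"privileged": False, "runAsNonRoot": True,
                                "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}
        c["volumeMounts"] = [m for m in c.get("volumeMounts", []) if m["name"] not in dropped]
    return p
```

Dropping the host-path volumes removes the node-level access outright; a workload that genuinely needs it should get a narrowly scoped alternative rather than the blanket mount.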
Emerging Attack Surfaces: The New Frontiers
Endpoints and cloud workloads will continue to be the prime targets for cyberattacks in 2024, however, we can expect to see threat actors expand how they target these assets.
- Targeting Communication Apps: 2024 will see the rise of attacks utilizing communication apps like Slack® and Teams™, turning these platforms into battlegrounds much like contested territories in new lands. Their casual, often unchecked nature makes them prime targets for infiltration. 2023 saw reports of a Teams™ vulnerability that allowed threat actors to send malicious files to unsuspecting victims over the platform. There was a significant spike in the propagation of the DarkGate malware over Skype® and Teams™. Due to the nature of the tools involved, they will continue to serve as a fertile attack vector for cybercrime. Organizations should employ multi-layered security on their endpoints that includes effective network protection that can intercept the transfer of malicious files over these platforms.
- Shifting User Interactions and Unmanaged Devices: As employees settle into hybrid work practices, threat actors aim to shift user interactions to less controlled environments using different devices and platforms. 70% of the incidents the Bitdefender MDR team investigated in 2023 originated from unmanaged devices, making the effectiveness of targeting this equipment clear. How these devices are being targeted will continue to evolve in 2024. Enterprises must remain vigilant against phishing attacks employing QR codes, or those involving the threat actor using phone numbers or hijacked accounts to initiate chats that lead to exposure of sensitive user data. Organizations must employ strict bring-your-own-device (BYOD) policies to help prevent threats that originate from the use of unmanaged devices, and employees should be encouraged to install robust mobile security on their devices with the capacity to detect malicious messages.
- Increased Usage of Platform-Agnostic Programming Languages & Frameworks by Cybercriminals: Threat actors like to cast as wide a net as possible when developing their attacks. In 2023 we saw an intensification of attacks written in platform-agnostic programming languages like Rust, Go, and Swift. Rust emerged as a popular choice among threat actors due to its security, reliability, and speed. In conjunction with utilizing these platform-agnostic languages, we have also seen an increased usage of open-source frameworks such as Havoc and Sliver, employed for command-and-control connections by cybercriminal groups. The benefit for attackers consists of being able to compromise any and all operating systems with a single toolset.
- Exploiting Vulnerabilities in CPUs: 2023 saw the discovery of several important vulnerabilities in CPUs such as Intel’s Redundant Prefix Issue (CVE-2023-23583) and Gather Data Sampling (CVE-2022-40982), and AMD’s Inception (CVE-2023-20569) and ZenBleed (CVE-2023-20593). These vulnerabilities can enable threat actors to leak sensitive information across privilege boundaries, or even to carry out DoS attacks on compromised systems. Due to their nature, these bugs are difficult to resolve, and often require an operating system or microcode update. Many may require complete recompilation of applications. Although we have yet to see attackers exploit these bugs in the wild, it’s possible we will see cybercriminal groups targeting these vulnerabilities in 2024.
- Global Conflicts Leading To Increased Hacktivism: With the development of conflicts around the world, we can expect an upsurge in cybercrime either directly supported or tacitly endorsed by state-sponsored actors, or carried out by unaffiliated groups with nationalist interests. Cyber warfare continues to be an effective tool to achieve political, social, or national objectives. The goals can consist of disrupting critical infrastructure, stealing sensitive data, or influencing public opinion. The past couple of years have seen a significant increase in attacks against critical infrastructure perpetrated by suspected state-sponsored groups, and given current conflicts in the Middle East, the Baltics, and other territories, these types of incidents will only escalate in frequency and scope in 2024. Given the passion behind many of these types of attacks, we can expect a level of unpredictability in their execution.
Conclusion
Forging ahead into 2024, the landscape of cyberwarfare is undergoing a seismic shift, driven by the accelerating integration of Artificial Intelligence (AI) tools, increased focus on Cloud environments, and an expanding attack surface area brought on by heterogeneous platforms and work practices. It's clear that while the challenges are formidable, there is also substantial reason for optimism. The same advances in technology that have emboldened cyber attackers are also empowering defenders with more robust and sophisticated tools. Governments, organizations, and cybersecurity experts are increasingly collaborating, sharing knowledge and resources to stay ahead of threats. This collective effort is a testament to the resilience and adaptability of the cybersecurity community.
Organizations that focus on preparedness are the ones most likely to navigate these turbulent times with success. Moving into 2024, organizations should adopt a blueprint that includes effective prevention, protection, detection, and response capabilities to form not just components of a healthy cybersecurity strategy, but the very pillars upon which their resilience is built.
Dive deeper into 2024 cyber threats! Our on-demand webinar, Predictions 2024: Ransomware Evolution, AI Realities, and the Globalization of Cybercrime, goes beyond the blog, featuring live discussions on ransomware, AI/LLM, and emerging threats. Ask questions, get answers, and stay ahead.