Increases in ransomware attacks, commercialized malware, and cloud security breaches were among the major trends in one firm’s protection ecosystem data.

Based on voluntarily submitted telemetry from its own customer protections, together with public and third-party data (about 1bn data points over 12 months in total), a cybersecurity firm has released a snapshot of the cyber threat landscape it encountered over the past year.

In the malware scene, the majority of malware observed was composed of a small number of highly prevalent ransomware families and commercial off-the-shelf (COTS) tools. BlackCat, Conti, Hive, Sodinokibi and Stop were the most prevalent ransomware families identified through signatures, amounting to about 81% of all ransomware activity in the firm’s data.

COTS malware capabilities like Metasploit and Cobalt Strike represented 5.7% of all signature events. On the Windows platform, these families amounted to about 68% of all infection attempts in the data. Finally, around 91% of malware signature events came from Linux endpoints, while Windows endpoints accounted for only about 6% in the data analyzed.

Other findings

In terms of trends in endpoint behavior, the most sophisticated threat groups evaded security by withdrawing to edge devices, appliances, and other platforms where visibility is at its lowest:

    • Enterprises are advised to evaluate the level of tamper-resistance of their endpoint security sensors, and consider monitoring projects to track vulnerable device drivers used to disable security technologies.
    • Organizations with large Windows environments should track vulnerable device drivers that can be abused to disable these essential technologies.
    • Execution and Defense Evasion made up more than 70% of all endpoint alerts in the data analyzed.
    • The most discreet techniques were observed on Windows endpoints (Windows being the top target for adversaries, with 94% of all endpoint behavior alerts).
    • MacOS-specific credential dumping was responsible for 79% of all credential-access techniques used by adversaries, an increase of approximately 9% since a similar analysis by the firm. Of these attempts, in Windows environments, ProcessDump.exe, WriteMiniDump.exe, and RUNDLL32.exe were used more than 78% of the time.

In terms of cloud security trends: threat actors were taking advantage of misconfigurations, lax access controls, unsecured credentials, and the absence of functional principle of least privilege (PoLP) models. The data points to a need for organizations to enable the security features their cloud providers already support and to monitor for common credential abuse attempts. Also:

    • For Amazon Web Services, defense evasion (38%), credential access (37%), and execution (21%) were the most common tactics mapped to threat detection signals.
    • 53% of credential access events in the data analyzed were tied to compromised legitimate Microsoft Azure accounts.
    • Microsoft 365 experienced a high rate of credential access signals, accounting for 86% in the data.
    • 85% of Google Cloud threat detection signals were related to defense evasion.
    • Discovery accounted for approximately 61% of all Kubernetes-specific signals, predominantly related to unexpected service account requests that were denied.
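The Kubernetes finding above (denied discovery requests from service accounts) is the kind of signal a defender can pull straight out of the API server audit log. The following is an added example, not code from the report or its publisher: it assumes audit events in the standard `audit.k8s.io` JSON-lines shape, and the sample events, the threshold and the list of "sensitive" resource types are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed Kubernetes audit events (JSON lines) in the audit.k8s.io Event
# shape; these are illustrative, not telemetry from the report.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"verb":"get","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"configmaps","namespace":"web"},"responseStatus":{"code":200}}',
    '{"verb":"list","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403}}',
    '{"verb":"list","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":403}}',
    '{"verb":"list","user":{"username":"system:serviceaccount:web:frontend"},"objectRef":{"resource":"serviceaccounts","namespace":"default"},"responseStatus":{"code":403}}',
    '{"verb":"list","user":{"username":"system:serviceaccount:monitoring:prom"},"objectRef":{"resource":"nodes"},"responseStatus":{"code":403}}',
    '{"verb":"create","user":{"username":"admin@example.com"},"objectRef":{"resource":"deployments","namespace":"web"},"responseStatus":{"code":403}}',
])

DISCOVERY_VERBS = {"get", "list", "watch"}          # read-only enumeration verbs
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts",  # assumed high-value types
                       "clusterroles", "clusterrolebindings"}
SA_PREFIX = "system:serviceaccount:"                 # how k8s names service accounts

def parse_events(text):
    """Yield parsed audit events; a malformed line is skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def denied_sa_discovery(text, threshold=3):
    """Map service account -> finding for accounts whose get/list/watch calls
    were denied (403) across >= threshold distinct namespace/resource pairs,
    or that probed a sensitive resource type. Human users are ignored."""
    probes = defaultdict(set)
    for ev in parse_events(text):
        user = ev.get("user", {}).get("username", "")
        if not user.startswith(SA_PREFIX) or ev.get("verb") not in DISCOVERY_VERBS:
            continue
        if ev.get("responseStatus", {}).get("code") != 403:
            continue
        ref = ev.get("objectRef", {})
        # cluster-scoped resources (e.g. nodes) carry no namespace
        probes[user].add((ref.get("namespace", "<cluster>"), ref.get("resource", "?")))
    findings = {}
    for sa, pairs in probes.items():
        sensitive = sorted(r for _, r in pairs if r in SENSITIVE_RESOURCES)
        if len(pairs) >= threshold or sensitive:
            findings[sa] = {"denied_probes": len(pairs), "sensitive": sensitive}
    return findings

if __name__ == "__main__":
    for sa, finding in denied_sa_discovery(SAMPLE_AUDIT_LOG).items():
        print(sa, finding)
```

Grouping by distinct namespace/resource pairs rather than raw event count keeps a single retried request from tripping the threshold, while the sensitive-resource check catches a lone probe of secrets that a count alone would miss.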

According to Jake King, Head of Security Intelligence and Director of Engineering, Elastic, which released the threat report: “Today’s threat landscape is truly borderless, as adversaries morph into criminal enterprises focused on monetizing their attack strategies. Open source, commodity malware, and the use of AI have lowered the barrier to entry for attackers, but we’re also seeing the rise of automated detection and response systems that enable all engineers to better defend their infrastructures. It’s a cat-and-mouse game, and our strongest weapons are vigilance and the continued investment in new defense technologies and strategies.”