Cyber Threat Predictions for 2024: An Annual Perspective

By Derek Manky, Global VP Threat Intelligence Fortinet

Adversaries always discover new ways to compromise networks, yet executing successful attacks hasn’t always been straightforward or quick. But today, thanks to the growth of the Cybercrime-as-a-Service (CaaS) market and the rise of generative AI, cybercriminals have more “easy” buttons than ever. The result? Attackers will expand their “work smarter, not harder” approach to cybercrime by relying heavily on the new capabilities in their respective toolboxes.

This year’s threat predictions report examines a new era of advanced persistent cybercrime, discusses how AI is changing the attack game, shares fresh trends to watch for in 2024, and more. Here’s a look at how we expect the threat landscape to evolve and our best tips for protecting your organization.


The Evolution of Old Favorites in Cyber Threat

There are numerous attack trends we’ve been discussing for years—including in our 2023 threat predictions report—noting how we expect these fan-favorite tactics to evolve in the days ahead. For example, we’ve witnessed advanced persistent cybercrime become more sophisticated and targeted, the rise of more intense “turf wars” occurring between cybercrime groups, and a shift in how AI is used to support attacks. Below is a look back at some key 2023 predictions, along with our thoughts regarding how these longstanding trends across the threat landscape will change in 2024 and beyond.

A new era of advanced persistent cybercrime

For the past several years, we’ve predicted that the growth of new vulnerabilities combined with more pre-attack activity among adversaries would pave the way for the expansion of the CaaS market. Today, as cybercriminals and Advanced Persistent Threat (APT) groups continue working together, there are more CaaS offerings on the dark web than ever—making it safe to say our prediction came true.

Unfortunately for security practitioners, it’s only the tip of the iceberg. APT activity is on the rise. In the first half of 2023, we witnessed significant activity among APT groups, with 41 (about 30%) of the 138 groups that MITRE tracks being active during this time. Of those, Turla, StrongPity, Winnti, OceanLotus, and WildNeutron were the most active, according to our FortiGuard Labs malware detections. 

Looking ahead, we predict that even more of these APT groups will “wake up” and become more active—even beyond the 138 identified by MITRE and those that CISA outlines with active cycles—likely engaging in dual cybercrime and cyber espionage activities. We also expect to see a trend in which more APT groups will transition to employing even more stealthy, innovative methods to initiate attacks. Techniques such as HTML smuggling are gaining popularity, and we foresee additional novel methods emerging in the coming year. Their tactics, techniques, and procedures (TTPs) continue to evolve, evading security products with outdated analytics. Alongside what’s sure to be a banner year for new CVEs, we should expect the growth of TTPs and therefore the MITRE ATT&CK framework.

In addition to the evolution of APT operations, we predict that cybercrime groups will continue diversifying their targets, looking for hidden (and highly lucrative) gems among a long list of already-compromised organizations. For example, in the operational technology (OT) space, the manufacturing industry has historically been the top target among cybercriminals. Going forward, we expect OT attacks to increasingly reach beyond manufacturing, with malicious actors setting their sights on industries such as healthcare, utilities, finance, oil and gas, and transportation. These attacks will also move beyond data encryption and focus primarily on the extortion of their targets. They’ll also continue embracing supply chain attacks, working to disrupt critical services and organizations.

In our 2023 threat predictions report, we also said that edge attacks would go mainstream, and we expect to see even more of this activity in the future. Not only did this happen, but we anticipate that attackers will work to diversify their targets beyond what we typically think of as an edge device. With Flipper Zero and other such tools at their fingertips, money or device mules could hack IoT devices in person by cloning RFID cards or hotel key cards and then running arbitrary commands on devices such as phones and laptops. Recently, Flipper Zero made it possible for attackers to avoid plugging in USB devices in a BadUSB attack. It only takes one employee to connect via Bluetooth before malicious commands get executed. With a zero-day exploit, user interaction may not even be required.

The bottom line: The sheer breadth of potential targets and more pre-attack (left-hand) activity in the attack chain ensures a constant stream of victims and profitable payouts for cybercriminals.

“Get off my lawn”: The cybercrime turf wars intensify

We predicted several years ago that we’d see turf wars emerge between cybercrime groups, with multiple adversaries homing in on the same targets. 

Today, we’re seeing just that, as multiple cybercrime groups try to infiltrate the same target in a short period—sometimes in a matter of 24 hours or less—deploying ransomware variants of AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal in different combinations. Many organizations that experienced this had similar attacks made against them within days, all led by various adversaries. We can assume other cybercriminals are closely monitoring communications on the dark web, and then running the same attack or piggybacking off attacks initially executed by rival threat actors. The growth of this emerging trend prompted the FBI to issue a warning to organizations in September of this year, urging security leaders to review and enhance their defenses to guard against ransomware incidents.

We saw that roughly two-thirds of all categorized MITRE ATT&CK techniques were actively being used in attacks in the first half of this year, with defense evasion being the top tactic and process injection being used across the board for evasion on compromised systems. Stolen credentials are like an all-access pass for bad actors, enabling them to infiltrate your network to launch ransomware and other attacks. Given how valuable stolen credentials are to threat actors, we predict that the emerging trend of Credential and Initial Access Brokerage service offerings will grow in the future, making it easier for cybercriminals to procure the credentials they need to execute successful attacks (sometimes against the same target). This type of service will likely mature and evolve in the same way that RaaS was developed to meet a gap in the market, becoming more “commercially” available as opposed to being available only on the dark web.

Money laundering services get hung out to dry

We previously predicted that cybercriminals would use laundering-as-a-service to “wash” their ill-gotten funds. As expected, many adversaries used these services to obfuscate ownership of illegal monies, with ChipMixer as an example of a laundering service that was heavily used but then shut down by authorities in March 2023. There are more crypto ‘mixers’ and ‘tumblers’ that have come on the scene since. The Killnet threat group, known for their pro-Russia hacktivist activity, also started a crypto exchange and offers mixer services. 

However, there also seems to be an active attempt to take down many Bitcoin mixers, and their popularity appears to be declining in tandem. As a result, most Telegram groups run by hackers are encouraging the use of traditional money laundering schemes instead of tumblers.

Grabbing the (AI) chains to support all attack stages 

The weaponization of AI is adding fuel to an already raging threat landscape—it’s enabling attackers to enhance every stage of an attack and to do so better and faster than before. As predicted, we’re seeing cybercriminals increasingly use AI to support a multitude of malicious activities, ranging from thwarting the algorithms that detect social engineering to mimicking human behavior through activities such as AI audio spoofing and creating other deepfakes.  

But adversaries aren’t stopping there. We anticipate that cybercriminals will take advantage of AI in additional ways that we haven’t seen yet:

  • Attackers will use AI to conduct “generative profiling”—scraping social profiles and other public websites for personally identifiable information—which could easily be turned into an “as-a-service” offering. This is yet another way for malicious actors to have research done for them to execute an attack.
  • We’ll see more AI-chained attacks emerge, with cybercriminals using actionable models to make their attack chains more modular. For example, an attacker might use ML during the reconnaissance phase, chain it to an AI-driven weaponized payload, and chain that to the deployment of the weaponized payload. This federated AI approach reduces their time to compromise.
  • Cybercriminals will use AI to “power up” password spraying. Password brute forcing, stuffing, and spraying are popular ways for attackers to identify, steal, and sell credentials. Using AI to identify patterns and themes in passwords will increase this possibility and shorten the time required for attackers to be successful.
  • AI poisoning attacks—instances where cybercriminals intentionally tamper with AI model training data and systems themselves—will become common, with malicious actors likely using automated toolkits to execute these hacks. Security teams will need to start protecting against these attacks, relying on an intrusion prevention service and application control to protect an organization’s AI assets.
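The password-spraying point above has a direct defensive counterpart: spraying tries a small number of passwords against many accounts, so the signal is one source producing failed logins across many distinct usernames in a short window while staying under any per-account lockout threshold. The following detector is an added example written for this article, not code from Fortinet or the report; the log format and the log lines are constructed, and the window and thresholds are illustrative assumptions a team would tune to its own environment.

```python
"""Detect password-spraying patterns in authentication logs.

Added example (not from the original article). Spraying keeps the failure
count per account low, so per-account lockout rules miss it; the tell is
one source IP failing against many *different* accounts inside a short
window. The log format and sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,source_ip,username,result"
SAMPLE_LOG = """\
2024-01-15T09:00:01,198.51.100.7,alice,FAIL
2024-01-15T09:00:03,198.51.100.7,bob,FAIL
2024-01-15T09:00:05,198.51.100.7,carol,FAIL
2024-01-15T09:00:07,198.51.100.7,dave,FAIL
2024-01-15T09:00:09,198.51.100.7,erin,FAIL
2024-01-15T09:00:11,198.51.100.7,frank,FAIL
2024-01-15T09:00:13,198.51.100.7,grace,SUCCESS
2024-01-15T09:01:00,203.0.113.9,alice,FAIL
2024-01-15T09:01:20,203.0.113.9,alice,FAIL
2024-01-15T09:01:40,203.0.113.9,alice,SUCCESS
2024-01-15T11:30:00,192.0.2.44,heidi,FAIL
"""


def parse_log(text):
    """Parse the constructed CSV-style log into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def per_account_lockout(events, threshold=5):
    """Classic control: accounts whose total failures reach the lockout threshold.
    Included to show what a spray looks like to this rule (usually: nothing)."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failed logins hit >= min_users distinct accounts
    inside `window`, with no single account failing more than max_per_user
    times (the low-and-slow per-account profile that evades lockout).

    Returns {ip: {"distinct_users": n, "first_seen": ts, "successes": [users]}},
    where "successes" lists accounts that later logged in from the spraying IP;
    those are the likely compromised accounts to reset first.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until fails[start:end+1] fit in `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, u in fails[start:end + 1]:
                counts[u] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                first = fails[start][0]
                prev = alerts.get(ip)
                if prev is None or len(counts) > prev["distinct_users"]:
                    successes = sorted({u for ts, u, r in evs
                                        if r == "SUCCESS" and ts >= first})
                    alerts[ip] = {"distinct_users": len(counts),
                                  "first_seen": first,
                                  "successes": successes}
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked by per-account rule:", per_account_lockout(evs))
    for ip, info in detect_spraying(evs).items():
        print(f"spray from {ip}: {info['distinct_users']} accounts since "
              f"{info['first_seen']}, later successes: {info['successes']}")
```

On the constructed sample, the per-account lockout rule locks nobody, while the source-based check flags 198.51.100.7 for touching six accounts in ten seconds and reports that `grace` subsequently authenticated from that address; the two-failure burst against `alice` from 203.0.113.9 is a single-account brute force and is correctly left to the lockout rule. In production the same logic should key on source ASN or device fingerprint as well as IP, since sprayers rotate addresses.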
