{"id":24135,"date":"2024-03-12T03:20:57","date_gmt":"2024-03-12T11:20:57","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/03\/12\/news-17865\/"},"modified":"2024-03-12T03:20:57","modified_gmt":"2024-03-12T11:20:57","slug":"news-17865","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/03\/12\/news-17865\/","title":{"rendered":"The 2024 Sophos Threat Report: Cybercrime on Main Street"},"content":{"rendered":"<p><strong>Credit to Author: gallagherseanm | Date: Tue, 12 Mar 2024 10:00:28 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Cybercrime affects people from all walks of life, but it hits small businesses the hardest. While cyberattacks on large companies and government agencies get a majority of the news coverage, small businesses (broadly speaking, organizations <a href=\"https:\/\/www.ecfr.gov\/current\/title-13\/chapter-I\/part-121#121.201\">with fewer than 500 employees<\/a>) are generally more vulnerable to cybercriminals and suffer proportionally more from the results of cyberattacks. A lack of experienced security operations staff, underinvestment in cybersecurity, and smaller information technology budgets overall are contributing factors to this level of vulnerability. And when they are hit by cyberattacks, the expense of recovery may even force many small businesses to close.<\/p>\n<p>Small businesses are not a small matter. According to the <a href=\"https:\/\/www.worldbank.org\/en\/topic\/smefinance\">World Bank<\/a>, more than 90% of the world\u2019s businesses are small- and medium-sized organizations, and they account for more than 50% of employment worldwide. In the United States, small and medium businesses account for over 40% of overall economic activity. 
(In this report, we will use the terms small- and medium-sized businesses or organizations interchangeably, reflecting their similarity in our data.)<\/p>\n<p>In 2023, over 75% of customer incident response cases handled by Sophos\u2019 X-Ops Incident Response service were for small businesses. Data collected from these cases, in addition to telemetry collected from customers of our small- and medium-sized business protection software, gives us further unique insight into the threats that are targeting these organizations daily.<\/p>\n<p>Based on that data and Sophos threat research, we see that ransomware continues to have the greatest impact on smaller organizations. But other threats also pose an existential threat to small businesses:<\/p>\n<ul>\n<li>Data theft is the focus of most malware targeting small and medium businesses\u2014password stealers, keyboard loggers, and other spyware made up nearly half of malware detections. Credential theft through phishing and malware can expose small businesses\u2019 data on cloud platforms and service providers, and network breaches can be used to target their customers as well.<\/li>\n<li>Attackers have stepped up the use of web-based malware distribution\u2014through <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/07\/20\/bad-ad-fad-leads-to-icedid-gozi-infections\/\">malvertising<\/a> or malicious search engine optimization (\u201cSEO poisoning\u201d)\u2014to overcome difficulties created by the <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/12\/are-threat-actors-turning-to-archives-and-disk-images-as-macro-usage-dwindles\/\">blocking of malicious macros in documents<\/a>, in addition to using disk images to overwhelm malware detection tools.<\/li>\n<li>Unprotected devices connected to organizations\u2019 networks\u2014including unmanaged computers without security software installed, improperly configured computers, and systems running software that has fallen out of manufacturer support\u2014are a primary point of 
entry for all types of cybercrime attacks on small businesses.<\/li>\n<li>Attackers have turned increasingly to abuse of drivers\u2014either <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/04\/blackbyte-ransomware-returns\/\">vulnerable drivers from legitimate companies<\/a> or malicious drivers that have been <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/13\/signed-driver-malware-moves-up-the-software-trust-chain\/\">signed with stolen or fraudulently obtained certificates<\/a>\u2014to evade and disable malware defenses on managed systems.<\/li>\n<li>Email attacks have begun to move away from simple social engineering toward more active engagement with targets over email, using a thread of emails and responses to make their lures more convincing.<\/li>\n<li>Attacks on mobile device users, including social engineering-based scams tied to the abuse of third-party services and social media platforms, have grown exponentially, affecting individuals and small businesses. These range from business email and cloud service compromise to <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/shazhupan\/\">pig butchering (sh\u0101 zh\u016b p\u00e1n (\u6bba\u8c6c\u76e4)) scams<\/a>.<\/li>\n<\/ul>\n<h2>A word about our data<\/h2>\n<p>The data used in our analysis comes from the following sources:<\/p>\n<ul>\n<li>Customer reports\u2014detection telemetry from Sophos protection software running on customers\u2019 networks, which gives a broad view of threats encountered and is analyzed within SophosLabs (in this report, referred to as the Labs dataset);<\/li>\n<li>Managed Detection and Response (MDR) incident data, gathered in the course of escalations driven by detection of malicious activity on MDR customers\u2019 networks (in this report, referred to as the MDR dataset);<\/li>\n<li>Incident Response team data, drawn from incidents on customer networks for businesses of 500 employees or fewer where there was little or no managed detection and response protection in place (in 
this report, referred to as the IR dataset).<\/li>\n<\/ul>\n<p>For a deeper look at data drawn strictly from the cases handled by our external-facing IR team (including cases involving customers with more than 500 employees), please see our sister publication, the <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/active-adversary-report\/\">Active Adversary Report<\/a> (AAR). The conclusions in this report are based, unless otherwise stated, on the combined datasets with appropriate normalization.<\/p>\n<h2>Data is the prime target<\/h2>\n<p>The greatest cybersecurity challenge facing small businesses\u2014and organizations of all sizes\u2014is data protection. More than 90% of attacks reported by our customers involve data or credential theft in one way or another, whether the method is a ransomware attack, data extortion, unauthorized remote access, or simply data theft.<\/p>\n<p>Business email compromise (BEC), in which email accounts are taken over by a cybercriminal for the purpose of fraud or other malicious purposes, is a substantial problem in the small-to-medium business set. We do not currently cover BEC in our sister publication, the Active Adversary Report, but the authors of the AAR estimate that in 2023, business email compromises were identified by our Incident Response team more often than any other type of incident, save ransomware.<\/p>\n<p>Stolen credentials, including browser cookies, can be used for business email compromise, access to third-party services such as cloud-based finance systems, and access to internal resources that can be exploited for fraud or other monetary gain. 
They can also be sold by \u201caccess brokers\u201d to anyone who cares to exploit them; Sophos has tracked offers on underground forums claiming to provide access to a number of small and medium businesses\u2019 networks.<\/p>\n<figure id=\"attachment_953929\" aria-describedby=\"caption-attachment-953929\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953929 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum1.png\" alt=\"Figure 1: A forum post advertising access to a small US accounting firm\" width=\"640\" height=\"104\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum1.png 1476w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum1.png?resize=300,49 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum1.png?resize=768,125 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum1.png?resize=1024,167 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953929\" class=\"wp-caption-text\">Figure 1: A forum post advertising access to a small US accounting firm<\/figcaption><\/figure>\n<figure id=\"attachment_953928\" aria-describedby=\"caption-attachment-953928\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953928 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum2.png\" alt=\"Figure 2: A forum post advertising access to a small business in Belgium\" width=\"640\" height=\"460\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum2.png 1040w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum2.png?resize=300,216 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum2.png?resize=768,552 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum2.png?resize=1024,736 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953928\" class=\"wp-caption-text\">Figure 2: A forum post advertising access to a small business in Belgium<\/figcaption><\/figure>\n<figure id=\"attachment_953927\" aria-describedby=\"caption-attachment-953927\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953927 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum3.png\" alt=\"Figure 3: A cybercriminal offering to purchase access to small companies\" width=\"640\" height=\"221\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum3.png 1474w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum3.png?resize=300,104 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum3.png?resize=768,266 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/atrforum3.png?resize=1024,354 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953927\" class=\"wp-caption-text\">Figure 3: A cybercriminal offering to purchase access to small companies<\/figcaption><\/figure>\n<figure id=\"attachment_953926\" aria-describedby=\"caption-attachment-953926\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum-4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953926 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum-4.png\" alt=\"Figure 4: Access to a small business in Italy being offered for sale on a criminal forum\" width=\"640\" height=\"238\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum-4.png 1266w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum-4.png?resize=300,111 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum-4.png?resize=768,285 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/ATRforum-4.png?resize=1024,380 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953926\" class=\"wp-caption-text\">Figure 4: Access to a small business in Italy being offered for sale on a criminal forum<\/figcaption><\/figure>\n<p>By category, nearly half of malware detected in 2023 targeted the data of its intended victims. The majority of that is malware we\u2019ve classified specifically as \u201cstealers\u201d\u2014malware that grabs credentials, browser cookies, keystrokes, and other data that can either be sold as access for cash or used for further exploitation.<\/p>\n<p>Because of the modular nature of malware, however, it\u2019s difficult to completely categorize malware by functionality\u2014nearly all malware has the ability to steal some form of data from targeted systems. These detections also don\u2019t include other credential theft methods, such as phishing via email, text message, and other social engineering attacks. 
And then there are other targets, such as macOS and mobile devices, where malware, potentially unwanted applications, and social engineering attacks target users\u2019 data\u2014especially of the financial kind.<\/p>\n<figure id=\"attachment_953938\" aria-describedby=\"caption-attachment-953938\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953938 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide1.png\" alt=\"Figure 5: Malware detections by type for 2023, as seen in our Labs dataset\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide1.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide1.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide1.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide1.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953938\" class=\"wp-caption-text\">Figure 5: Malware detections by type for 2023, as seen in our Labs dataset<\/figcaption><\/figure>\n<p>Nearly 10% of malware detected falls outside of the four major categories shown above. This \u201cother\u201d category includes malware that targets browsers to inject advertisements, redirect search results to earn cash for clicks, or otherwise modifies or collects data for the profit of the malware developer, among other things.<\/p>\n<p>Some stealers are very specific in their targeting. Discord \u201ctoken\u201d stealers, intended to steal Discord messaging service credentials, are often leveraged to deliver other malware through chat servers or via Discord\u2019s content delivery network. 
But other leading stealers\u2014Strela, Raccoon Stealer, and the venerable RedLine stealer family\u2014are much more aggressive in their targeting, collecting password stores from the operating system and applications as well as browser cookies and other credential data. Raccoon Stealer has also deployed cryptocurrency \u201cclippers\u201d which swap crypto wallet addresses copied to the clipboard with a wallet address controlled by the malware operator.<\/p>\n<figure id=\"attachment_953932\" aria-describedby=\"caption-attachment-953932\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953932 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide7.png\" alt=\"Figure 6: Information stealer malware detections in 2023, drawn from Sophos customer telemetry in the SophosLabs dataset\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide7.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide7.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide7.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide7.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953932\" class=\"wp-caption-text\">Figure 6: Information stealer malware detections in 2023, drawn from Sophos customer telemetry in the SophosLabs dataset<\/figcaption><\/figure>\n<p>Sophos has seen an increase in the number of information-stealing malware targeting macOS, and we believe that trend will continue. 
These stealers\u2014some of which are sold in underground forums and Telegram channels for up to $3,000\u2014can collect system data, browser data, and cryptocurrency wallets.<\/p>\n<h2>Ransomware remains a top threat for small businesses<\/h2>\n<p>While ransomware makes up a relatively small percentage of overall malware detections, it still packs the biggest punch in terms of impact. Ransomware affects all sizes of businesses across all sectors, but we have seen it hit small- and medium-sized enterprises the most frequently. In 2021, the Institute for Security and Technology\u2019s Ransomware Task Force found that 70% of ransomware attacks targeted small businesses. While the overall number of ransomware attacks has varied year over year, that percentage is borne out by our own metrics.<\/p>\n<p>LockBit ransomware was the top threat in small business security cases taken on by Sophos Incident Response in 2023. LockBit is a ransomware-as-a-service, delivered by a number of affiliates, and was the most deployed ransomware of 2022 according to Figure 7.<\/p>\n<figure id=\"attachment_953937\" aria-describedby=\"caption-attachment-953937\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953937 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide2.png\" alt=\"Figure 7: A breakdown of ransomware actors behind the small business incidents Sophos Incident Response investigated in 2023; these numbers reflect the dataset of hands-on IR engagements at customers that generally did not have previous Sophos protections in place. 
Lockbit accounted for the largest number of incidents.\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide2.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide2.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide2.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide2.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953937\" class=\"wp-caption-text\">Figure 7: A breakdown of ransomware actors behind the small business incidents Sophos Incident Response investigated in 2023; these numbers reflect the dataset of hands-on IR engagements at customers that generally did not have previous Sophos protections in place<\/figcaption><\/figure>\n<figure id=\"attachment_953936\" aria-describedby=\"caption-attachment-953936\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953936 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide3.png\" alt=\"Figure 8: The top attempted ransomware deployments detected by Sophos endpoint protection software and present in our Labs dataset across all customers in 2023, as a percentage of all detected ransomware; \u201cGeneric\u201d represents multiple types of ransomware detected with a catch-all signature that were not detected under another definition. 
Lockbit represented over 6 percent of detections, followed by &quot;generic&quot; detections and BlackCat\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide3.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide3.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide3.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide3.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953936\" class=\"wp-caption-text\">Figure 8: The top attempted ransomware deployments detected by Sophos endpoint protection software and present in our Labs dataset across all customers in 2023, as a percentage of all detected ransomware; \u201cGeneric\u201d represents multiple types of ransomware detected with a catch-all signature that were not detected under another definition<\/figcaption><\/figure>\n<p>LockBit was the malware observed the most by Sophos\u2019 Managed Detection and Response (MDR) group (which includes the Incident Response team and its data)\u2014with nearly three times the number of incidents in which ransomware deployment was attempted than its nearest peer, Akira.<\/p>\n<figure id=\"attachment_953933\" aria-describedby=\"caption-attachment-953933\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953933 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide6.png\" alt=\"Figure 9: The most-often observed malware in incidents taken on by Sophos Managed Detection and Response in 2023, as seen in the MDR dataset. 
Note the differences between this chart and the one in Figure 8; aside from the 2023 dominance of LockBit, we see that though there is a wide array of ransomware families that attempt to infect systems, only a subset of those progress to a stage that requires hands-on MDR assistance. Note that these are non-exclusive; that is, more than one detection may occur in a single incident. Lockbit was the most common, ahead of QakBot and ChromeLoader\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide6.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide6.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide6.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide6.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953933\" class=\"wp-caption-text\">Figure 9: The most-often observed malware in incidents taken on by Sophos Managed Detection and Response in 2023, as seen in the MDR dataset. Note the differences between this chart and the one in Figure 8; aside from the 2023 dominance of LockBit, we see that though there is a wide array of ransomware families that attempt to infect systems, only a subset of those progress to a stage that requires hands-on MDR assistance. 
Note that these are non-exclusive; that is, more than one detection may occur in a single incident<\/figcaption><\/figure>\n<p>As 2023 progressed, we saw an increase in the use of remote execution of ransomware\u2014using an unmanaged device on organizations\u2019 networks to attempt to encrypt files on other systems through network file access.<\/p>\n<figure id=\"attachment_953935\" aria-describedby=\"caption-attachment-953935\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953935 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide4.png\" alt=\"Figure 10: The last two years\u2019 worth of data from customer telemetry gathered by Sophos shows an overall increase in the proportion of attempted ransomware attacks involving remote ransomware \u2013 an ongoing problem that\u2019s taken on new life, especially in the latter half of 2023, in which remote ransomware attacks doubled from their levels in 2022.\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide4.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide4.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide4.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide4.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953935\" class=\"wp-caption-text\">Figure 10: The last two years\u2019 worth of data from customer telemetry gathered by Sophos shows an overall increase in the proportion of attempted ransomware attacks involving remote ransomware \u2013 an ongoing problem that\u2019s taken on new life, especially in the latter half of 2023<\/figcaption><\/figure>\n<p>These types of attacks are able to gain footholds by exploitation of 
unprotected servers, personal devices, and network appliances that connect to organizations\u2019 Windows-based networks. Defense in depth can prevent these attacks from taking entire organizations offline, but they can still leave organizations vulnerable to data loss and theft.<\/p>\n<p>Windows systems aren\u2019t the only ones targeted by ransomware. Increasingly, ransomware and other malware developers are using cross-platform languages to build versions for macOS and Linux operating systems and supported hardware platforms. In February of 2023, a Linux variant of Cl0p ransomware was discovered to have been used in a December 2022 attack; since then, Sophos has observed leaked versions of LockBit ransomware targeting macOS on Apple\u2019s own processor and Linux on multiple hardware platforms.<\/p>\n<h2>Cybercrime as a service<\/h2>\n<p>The malware world continues to be dominated by what we\u2019ve referred to as \u201cMalware as a Service\u201d (MaaS)\u2014the use of malware delivery frameworks provided by cybercriminals through underground marketplaces to other cybercriminals. But a combination of improvements in platform security and takedown operations by industry and law enforcement have had some impact on the shape of the MaaS landscape.<\/p>\n<p>After a decade of dominance in the malware delivery business, Emotet has receded since being taken down by Europol and Eurojust in January 2021. So, to a lesser degree, have Qakbot and Trickbot, after being <a href=\"https:\/\/www.justice.gov\/usao-cdca\/pr\/qakbot-malware-disrupted-international-cyber-takedown\">disrupted by law enforcement <\/a>in August 2023. 
While Qakbot has returned in some limited <a href=\"https:\/\/infosec.exchange\/@SophosXOps\/111925140107889131\">form<\/a>, it has been largely supplanted by its would-be successors, Pikabot and DarkGate.<\/p>\n<p>None of this has impacted the venerable remote access trojan <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/02\/02\/agent-tesla-amps-up-information-stealing-attacks\/\">AgentTesla<\/a>, which has moved to the top of the MaaS market. It was the malware most often detected by endpoint protection in 2023 overall (aside from generic malicious .LNK files and obfuscated malware), and made up 51% of the malware delivery framework detections in our telemetry last year.<\/p>\n<figure id=\"attachment_953931\" aria-describedby=\"caption-attachment-953931\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953931 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide8.png\" alt=\"Figure 11: A breakdown of the common frameworks used to deliver malware by attackers, based on the number of endpoint detections from Sophos-protected customer networks; Qakbot numbers represent detections prior to the August 2023 international law enforcement action against its infrastructure; AgentTesla led the pack, with QakBot still running second despite the takedown.\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide8.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide8.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide8.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide8.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953931\" class=\"wp-caption-text\">Figure 11: A breakdown of the 
common frameworks used to deliver malware by attackers, based on the number of endpoint detections from Sophos-protected customer networks; Qakbot numbers represent detections prior to the August 2023 international law enforcement action against its infrastructure<\/figcaption><\/figure>\n<h2>Finding a different delivery route<\/h2>\n<p>Malware attacks require some form of initial access. Typically, that involves one of the following:<\/p>\n<ul>\n<li>Phishing emails<\/li>\n<li>Malicious email attachments<\/li>\n<li>Exploits of vulnerabilities in operating systems and applications<\/li>\n<li>Fake software updates<\/li>\n<li>Exploitation and abuse of Remote Desktop Protocol<\/li>\n<li>Credential theft<\/li>\n<\/ul>\n<p>MaaS operators have in the past been largely reliant on malicious email attachments for that initial foothold. But changes to the default security of the Microsoft Office platform have had an impact on the MaaS market. As Microsoft has rolled out changes to Office applications that block by default Visual Basic for Applications (VBA) macros in documents downloaded from the Internet, it has become more difficult for MaaS operators to use their favored method of spreading malware.<\/p>\n<p>That has led to some changes in the types of file attachments attackers use\u2014attackers have moved to PDF file attachments almost exclusively. However, there have been some notable exceptions. 
In early 2023, Qakbot <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/02\/06\/qakbot-onenote-attacks\/\">operators turned to using malicious OneNote documents<\/a> to get around changes being pushed out to Excel and Word, concealing within the document links to script files that were activated when the target clicked on a button within the OneNote notebook file.<\/p>\n<p>In 2021, we noted that \u201cmalware-as-a-service\u201d offerings such as the RaccoonStealer backdoor had begun to <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/09\/01\/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service\/\">rely heavily on web delivery<\/a>, often using search engine optimization (SEO) tricks to fool targets into downloading their malware. In 2022, we saw \u201cSEO poisoning\u201d used as part of a <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/02\/01\/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence\/\">SolarMarker information stealer campaign<\/a>. These methods are on the rise again, and the actors behind them have grown more sophisticated.<\/p>\n<p>We saw several notable campaigns using malicious web advertising and SEO poisoning to target victims. One of these was by <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/07\/26\/into-the-tank-with-nitrogen\/\">an activity group using malware we dubbed \u201cNitrogen\u201d<\/a>; the group used Google and Bing advertisements tied to specific keywords to lure targets into downloading a software installer from a fake website, using a legitimate software developer\u2019s brand identity. 
The same malvertising technique <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/07\/20\/bad-ad-fad-leads-to-icedid-gozi-infections\/\">has been used in connection with a number of other initial access malware<\/a>, including the Pikabot botnet agent, IcedID information stealer, and Gozi backdoor malware families.<\/p>\n<p>In the case of Nitrogen, the ads targeted IT generalists, offering downloads including well-known remote desktop software for end-user support and secure file transfer utilities. The installers carried what was advertised, but they also delivered a malicious Python payload that, when launched by the installer, pulled down a Meterpreter remote shell and Cobalt Strike beacons. Based on other researchers\u2019 findings, this was likely the first step in a BlackCat ransomware attack.<\/p>\n<h2>\u201cDual use\u201d tools<\/h2>\n<p>Cobalt Strike, the well-worn \u201cadversary simulation and red team operations\u201d software kit, continues to be used by actual adversaries as well as legitimate security testing organizations. 
But it is by no means the only commercially developed software used by attackers\u2014and it is no longer the most common.<\/p>\n<p>Remote desktop tools, file compression tools, common file transfer software, other utilities, and open-source security testing tools are commonly used by attackers for the same reason that they\u2019re used by small and medium enterprises\u2014to make their jobs easier.<\/p>\n<p>Sophos MDR has observed these utilities, which we refer to as \u201cdual-use tools\u201d, abused as part of the post-exploitation process by attackers:<\/p>\n<ul>\n<li><u>Discovery<\/u>: Advanced IP Scanner, NetScan, PCHunter, HRSword<\/li>\n<li><u>Persistence<\/u>: AnyDesk, ScreenConnect, DWAgent<\/li>\n<li><u>Credential Access<\/u>: Mimikatz, Veeam Credential Dumper, LaZagne<\/li>\n<li><u>Lateral Movement<\/u>: PsExec, Impacket, PuTTY<\/li>\n<li><u>Data Collection &amp; Exfil<\/u>: FileZilla, WinSCP, MEGAsync, Rclone, WinRAR, 7-Zip<\/li>\n<\/ul>\n<p>AnyDesk and PsExec were both seen in more incidents by Sophos MDR than was Cobalt Strike, as seen below:<\/p>\n<figure id=\"attachment_953934\" aria-describedby=\"caption-attachment-953934\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953934 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide5.png\" alt=\"Figure 12: The most-frequently encountered \u201cdual use\u201d tools in cybersecurity incidents, based on the number of cases where each was seen in the Sophos MDR dataset\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide5.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide5.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide5.png?resize=768,432 768w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Slide5.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953934\" class=\"wp-caption-text\">Figure 12: The most-frequently encountered \u201cdual use\u201d tools in cybersecurity incidents, based on the number of cases where each was seen in the Sophos MDR dataset<\/figcaption><\/figure>\n<h2>Zero-day attacks and nonzero-day attacks<\/h2>\n<p>In May 2023, Progress Software <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/06\/05\/information-on-moveit-transfer-and-moveit-cloud-vulnerability-cve-2023-34362\/\">reported vulnerabilities<\/a> in the company\u2019s widely used secure managed file transfer platform, MOVEit\u2014including one that had been exploited by at least one set of malicious actors. Subsequently, the company would reveal multiple additional vulnerabilities and issue multiple patches to fix them.<\/p>\n<p>The attacks were attributed to actors associated with the Cl0p ransomware ring. The attackers used the vulnerability to deploy web shells on the public-facing web interfaces to MOVEit Transfer servers\u2014web shells that in some cases persisted after the vulnerabilities were patched by Progress customers.<\/p>\n<p>MOVEit was just one of a number of \u201czero day\u201d vulnerabilities that challenged defenders in 2023. GoAnywhere, another managed file transfer system, disclosed a vulnerability in February that another Cl0p-affiliated group attempted to exploit. And a remote code execution vulnerability in the <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-131a\">PaperCut MF and NG print server software products<\/a> was exploited by the Bl00dy ransomware gang in March and April after being reported to the developers in January.<\/p>\n<p>In some cases, these vulnerabilities simply can\u2019t be patched. 
For example, a vulnerability in Barracuda Email Security Gateway appliances, found in June, was so severe that it could not be patched and <a href=\"https:\/\/www.barracuda.com\/company\/legal\/esg-vulnerability\">required complete replacement of physical or virtual appliances<\/a>. A Chinese threat group continued to exploit the vulnerable appliances throughout the rest of 2023.<\/p>\n<p>Vulnerabilities in software and devices don\u2019t have to be new to be leveraged by attackers. Threat actors frequently seek out software that has fallen out of support, such as older network firewalls and web server software, to target\u2014knowing that no patch will be coming.<\/p>\n<h2>Supply chain attacks and digitally signed malware<\/h2>\n<p>Small businesses also have to be concerned about the security of the services they depend upon to manage their business\u2014and their IT infrastructure. Supply chain attacks are not just for nation-state actors; we\u2019ve seen attacks against managed service providers become an enduring part of the ransomware playbook.<\/p>\n<p>In 2023, Sophos MDR responded to five cases in which small business customers were attacked through an exploit of a service provider\u2019s remote monitoring and management (RMM) software. The attackers used the NetSolutions RMM agent running on the targeted organizations\u2019 computers to create new administrative accounts on the targeted networks, and then deployed commercial remote desktop, network exploration and software deployment tools. In two of the cases, the attackers successfully deployed LockBit ransomware.<\/p>\n<p>It&#8217;s hard to defend against attacks that leverage trusted software, especially when that software gives attackers the ability to disable endpoint protection. 
Small businesses and the service providers who support them need to be vigilant to alerts that endpoint protection has been turned off on systems on their networks, because this may be a sign that an attacker has gained privileged access through a supply chain vulnerability\u2014or through other software that at first glance may seem legitimate.<\/p>\n<p>For example, in 2023, we saw a number of instances of attackers using vulnerable kernel drivers from <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/19\/aukill-edr-killer-malware-abuses-process-explorer-driver\/\">older software that still had valid digital signatures<\/a>, and of intentionally created malicious software that used <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/07\/11\/microsoft-revokes-malicious-drivers-in-patch-tuesday-culling\/\">fraudulently obtained digital signatures<\/a>\u2014including <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/13\/signed-driver-malware-moves-up-the-software-trust-chain\/\">malicious kernel drivers<\/a> digitally signed through Microsoft\u2019s Windows Hardware Compatibility Publisher (WHCP) program\u2014to evade detection by security tools and run code that disables malware protection.<\/p>\n<p>Kernel drivers operate at a very low level within the operating system, and are typically loaded before other software during the operating system\u2019s start-up. That means that they execute in many cases before security software can start up. 
Digital signatures act as a license to drive, so to speak\u2014in all versions of Windows since Windows 10 version 1607, kernel drivers need to have a valid digital signature or Windows operating systems with Secure Boot enabled won\u2019t load them.<\/p>\n<p>In December 2022, Sophos notified Microsoft of the discovery of malicious kernel drivers that carried <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/13\/signed-driver-malware-moves-up-the-software-trust-chain\/\">Microsoft-signed certificates<\/a>. Because these drivers had Microsoft-signed certificates, they were by default accepted as benign software, allowing them to be installed\u2014and then to disable endpoint protections on the systems they were installed on. Microsoft issued <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/ADV220005\">a security advisory<\/a>, and then in July 2023 <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/07\/11\/microsoft-revokes-malicious-drivers-in-patch-tuesday-culling\/\">revoked a host of malicious drivers\u2019 certificates<\/a> that had been obtained through WHCP.<\/p>\n<p>Drivers don\u2019t have to be malicious to get exploited. We\u2019ve seen multiple cases of drivers and other libraries from older and even current versions of software products leveraged by attackers to \u201cside load\u201d malware into system memory.<\/p>\n<p>We\u2019ve also seen Microsoft\u2019s own drivers used in attacks. 
A vulnerable version of a driver for Microsoft\u2019s Process Explorer utility has been used multiple times by ransomware operators in efforts to disable endpoint protection products; in April 2023, we reported on <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/19\/aukill-edr-killer-malware-abuses-process-explorer-driver\/\">a tool dubbed \u201cAuKill\u201d<\/a> that used this driver in multiple attacks in attempts to deploy Medusa Locker and LockBit ransomware.<\/p>\n<p>Sometimes we get lucky and catch vulnerable drivers before they can be exploited. In July, Sophos behavioral rules were <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/01\/25\/multiple-vulnerabilities-discovered-in-widely-used-security-driver\/\">triggered by activity from a driver for another company\u2019s security product<\/a>. The alert was triggered by a customer\u2019s own attacker simulation test, but our investigation of the event uncovered three vulnerabilities that we reported to the software vendor and that were subsequently <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/01\/25\/multiple-vulnerabilities-discovered-in-widely-used-security-driver\/\">patched<\/a>.<\/p>\n<h2>Spammers push social engineering boundaries<\/h2>\n<p>Email may seem like an old-school communication method in an era of encrypted end-to-end mobile chats, but spammers didn&#8217;t seem to notice (or care) about that. While the traditional business email compromise (BEC) method of simply posing as an employee and asking another employee to send gift cards persists, spammers have gotten far more creative.<\/p>\n<p>In the past year, Sophos&#8217; messaging security team came across a slew of new social engineering tricks and techniques designed to evade conventional email controls. 
Messages in which the attacker emails an attachment or link out of the blue are now pass\u00e9: The more effective spammers are more likely to strike up a conversation first, then move in for the kill in follow-up emails.<\/p>\n<figure id=\"attachment_953944\" aria-describedby=\"caption-attachment-953944\" style=\"width: 636px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953944 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam1.png\" alt=\"A screenshot of an email to a hotel by a malicious actor posing as a customer.\" width=\"636\" height=\"259\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam1.png 636w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam1.png?resize=300,122 300w\" sizes=\"auto, (max-width: 636px) 100vw, 636px\" \/><\/a><figcaption id=\"caption-attachment-953944\" class=\"wp-caption-text\">Figure 13: Only after receiving a reply from the target, the spammer sends the target an email with a link to a malicious file inside a password-protected Zip archive<\/figcaption><\/figure>\n<p>We observed this methodology in attacks in which spammers posing as delivery service workers called enterprise customers on the phone and asked them to open a weaponized email. We also saw spammers initially email a solicitation for business or a complaint, in attacks targeting a variety of industries in 2023, followed by a link to download a disguised, weaponized file after the business responded to the first email.<\/p>\n<p>Conventional spam prevention involves processes inspecting message content and making decisions based on that content. 
Spammers experimented with a variety of methods of replacing any text content in their messages with embedded images: Sometimes the pictures appeared to be a written message, while others experimented with the use of QR codes or images that appear to be invoices (with telephone numbers the attackers prompt victims to call) as a way to evade detection.<\/p>\n<figure id=\"attachment_953942\" aria-describedby=\"caption-attachment-953942\" style=\"width: 547px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953942 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam2.png\" alt=\"A PDF attachment from a spam message embeds a blurry, unreadable thumbnail of a billing invoice and a link to a website hosting a malicious payload\" width=\"547\" height=\"307\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam2.png 547w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam2.png?resize=300,168 300w\" sizes=\"auto, (max-width: 547px) 100vw, 547px\" \/><\/a><figcaption id=\"caption-attachment-953942\" class=\"wp-caption-text\">Figure 14: A PDF attachment from a spam message embeds a blurry, unreadable thumbnail of a billing invoice and a link to a website hosting a malicious payload<\/figcaption><\/figure>\n<p>Malicious attachments even pushed boundaries, with weaponized PDFs making something of a comeback, linking to malicious scripts or sites, sometimes using embedded QR codes. The Qakbot malware family expansively <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/02\/06\/qakbot-onenote-attacks\/\">abused Microsoft&#8217;s OneNote document format<\/a>, the notebook (or .one file), to deliver payloads before being shut down later in the year in a coordinated takedown. 
Attackers also latched onto the MSIX file format \u2013 a type of archive file format used by Microsoft to distribute apps through the Windows App Store \u2013 as a way of bypassing detection.<\/p>\n<figure id=\"attachment_953941\" aria-describedby=\"caption-attachment-953941\" style=\"width: 471px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953941 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam3.png\" alt=\"Screenshot: A malicious PDF attachment, emailed to Sophos employees, embeds a QR code image that leads to a phishing page\" width=\"471\" height=\"550\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam3.png 471w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/spam3.png?resize=257,300 257w\" sizes=\"auto, (max-width: 471px) 100vw, 471px\" \/><\/a><figcaption id=\"caption-attachment-953941\" class=\"wp-caption-text\">Figure 15: A malicious PDF attachment, emailed to Sophos employees, embeds a QR code image that leads to a phishing page<\/figcaption><\/figure>\n<p>And attackers abused Microsoft\u2019s services as well: By the year&#8217;s end, about 15% of the total spam Sophos blocked had been sent using email accounts created in Microsoft&#8217;s business-oriented onmicrosoft.com messaging system.<\/p>\n<h2>Mobile malware and social engineering threats<\/h2>\n<p>Small businesses depend heavily on mobile devices as part of either approved or ad-hoc information systems. Text messages, messaging and communications applications, and apps connecting to cloud services\u2014including mobile point of sale applications\u2014are mission-critical systems for distributed small enterprises. 
Cybercriminals know that, and continue to find ways to target mobile device users to gain access to data or to defraud.<\/p>\n<p>Spyware and \u201cbankers\u201d are two categories of Android malware of particular concern, which we believe will continue to be a threat. Spyware harvests data on the phone\u2014and sometimes even subscribes the device\u2019s user to premium-rate services for direct monetary gain. It collects personal data, including SMS messages and call logs, from the affected device; that data is then sold to fraudsters, used for blackmail, or both. There have been several cases where victims <a href=\"https:\/\/abcnews.go.com\/US\/parents-teenager-died-by-suicide-after-sextortion-scam-urge\/story?id=99047305\">have taken their own lives<\/a> as a result of threats from spyware operators.<\/p>\n<p>These malicious mobile applications are distributed in a number of ways. They may masquerade as legitimate applications on the Google Play app store or third-party app store sites\u2014often as <a href=\"https:\/\/www.virusbulletin.com\/conference\/vb2023\/abstracts\/megalo-414e-don-uncovering-data-espionage-blackmailing-and-shell-companies-mobile-lending-apps\/\">mobile lending applications<\/a>. They are also spread through links sent via text messages.<\/p>\n<p>Bankers are malware that target financial applications, including cryptocurrency wallets, to harvest account data and gain access to funds\u2014using accessibility permissions to reach sensitive data on the phone.<\/p>\n<p>Then there\u2019s the phenomenon of \u201cpig butchering,\u201d or sha zhu pan. 
We began tracking fake applications on both the iOS and Android platforms tied to a form of scam we first referred to as \u201cCryptoRom\u201d <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/05\/12\/fake-android-and-ios-apps-disguise-as-trading-and-cryptocurrency-apps\/\">in early 2021<\/a>; since then, the scams have become increasingly sophisticated.<\/p>\n<p>The crime rings that operate these scams\u2014frequently operated out of scamming compounds staffed with people who have essentially been kidnapped by organized crime\u2014have taken billions of dollars from victims worldwide, and often focus on people tied to small businesses. In 2023, <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2023-09-27\/crypto-scam-led-to-demise-of-heartland-tri-state-bank\">a small bank in Kansas failed<\/a> and was seized by the FDIC after the bank CEO sent over $12 million from deposits to scammers in an effort to recover funds he had reportedly lost in one of these scams. This tragic example shows how a scam usually associated with an individual\u2019s personal life can have ramifications and impact on small businesses.<\/p>\n<p>Sha zhu pan scammers lure victims through social media sites, dating apps, other apps and community platforms, and even \u201cinadvertent\u201d SMS messages. They tend to target individuals who are looking for a romantic connection or friendship. After moving the target to a secure messaging app such as WhatsApp or Telegram, they gain their trust and introduce a money-making idea that they claim to have inside knowledge about\u2014and that usually involves cryptocurrency.<\/p>\n<p>Over the past year, we\u2019ve seen the fake applications used by these scams making their way into the Google Play and iOS App stores. They evade store security review by presenting as a benign app until the review process is over, and then change remote content to turn it into a fake crypto trading app. 
Any crypto deposited through these apps is immediately pocketed by the scammers.<\/p>\n<p>Recently, we\u2019ve also seen these scams adopt a tactic from another type of crypto scam that requires no fake apps\u2014instead, they use the \u201cWeb3\u201d functionality of mobile crypto wallet apps to directly tap into wallets created by the victims. We have identified hundreds of domains associated with these \u201cDeFi (Decentralized Finance) mining\u201d variants of sha zhu pan, and as with the fake apps we identify, we continue to report them and work to get them taken down.<\/p>\n<h2>Conclusions<\/h2>\n<p>Small businesses face no shortage of threats, and the sophistication of those threats is often on par with those used to attack large enterprises and governments. While the amount of money that can be stolen is less than what is available from a larger organization, the criminals are happy to steal what you have and make up for it in volume.<\/p>\n<p>Criminal syndicates are counting on smaller companies to be less well-defended and to not have deployed modern, sophisticated tools to protect their users and assets. The key to successfully defending against these threats is to prove their assumptions wrong: Educate your staff, deploy multifactor authentication on all externally facing assets, patch servers and network appliances with the utmost priority, and consider migrating difficult-to-manage assets like Microsoft Exchange servers to SaaS email platforms.<\/p>\n<p>The primary difference in our experience between the companies that were impacted the most by cyberattacks and those who suffered the least is time to respond. Having security experts to monitor and respond 24\/7 is table stakes for an effective defense in 2024. 
Staying safe isn\u2019t impossible; it just takes comprehensive planning and layered defenses to buy you time to respond and minimize damages.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/12\/2024-sophos-threat-report\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/shutterstock_242229001.jpg\"\/><\/p>\n<p><strong>Credit to Author: gallagherseanm| Date: Tue, 12 Mar 2024 10:00:28 +0000<\/strong><\/p>\n<p>Ransomware remains the biggest existential cyber threat to small businesses, but others are growing.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[31045,129,11096,27030,16771],"class_list":["post-24135","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-2024-threat-report","tag-featured","tag-small-business","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24135"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24135\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=2413
5"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24135"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}