In a world where the digital shadows grow longer and cyberthreats continue to evolve with alarming sophistication, Bridewell’s 2024 CyberScape Briefing shines a light on the cybersecurity trends and threats facing critical national infrastructure (CNI) this year.
The comprehensive data and analysis, gathered over the course of 2023 by the Bridewell Security Operations Centre (SOC), expose the undercurrents shaping our cyber reality as seen by those on the front lines: intricate C2 frameworks, stealthy infostealers and deceptive fake updates.
C2 frameworks: The Cobalt Strike phenomenon
Cobalt Strike has become the most prevalent type of C2 framework deployed by the cyber underworld. Originally designed as a commercial penetration testing tool, it makes up 22% of the global cyberthreat infrastructure that Bridewell’s professionals have been covertly tracking.
Between January and December 2023, the use of Cobalt Strike skyrocketed by 27%. Cyber professionals scanned the globe for the source of these deployments and discovered that China accounted for 37% of the total number.
The hotspot for this activity? Shenzhen Tencent Computer Systems Company Limited (AS45090) was the top ASN from which Cobalt Strike-related infrastructure was observed being deployed and operated in 2023. Bridewell’s analysts encountered Cobalt Strike in 22% of Bridewell’s clients in 2023, and the latest data suggests that the trend will continue in 2024.
Infostealers: The shifting shadows
Raccoon Stealer variants, the digital pickpockets of the cyber world, were rife around the globe in 2023, but their popularity declined throughout the year. As servers hosting these variants saw a 42% decrease in use by threat actors, Bridewell’s team observed Ficker Stealer and WhiteSnake Stealer emerging as new vectors in Q4.
Russia (31%), hosting Shelter LLC (AS211409) and AEZA INTERNATIONAL LTD (AS210644, AS204603), proved to be the primary source of information stealer infrastructure deployments; the ownership of this infrastructure and its ASNs traced back to Russia and, surprisingly, the UK. The Netherlands (25%), the US (14%) and Germany (13%) were the other locations playing host to stealthy infostealers.
Over 38% of Bridewell clients in 2023 saw information stealer attempts. The latest intel from Bridewell’s experts, with exclusive data from its managed detection and response (MDR) service, suggests this trend will also continue in 2024.
Fake updates: The new disguise for malware
Phishing and malspam campaigns are making way for Search Engine Optimisation (SEO) poisoning, including fake update campaigns. The nefarious individuals behind these campaigns use cunning tricks to make users believe they are downloading legitimate updates, only to unleash malicious code instead. This code infects the victim’s device and provides access to systems, services and information.
Bridewell’s SOC found that 33% of customers were affected by fake update campaigns, with SocGholish being the most common type of malware dropped in these infections.
“Our 2024 CyberScape Briefing reveals a world where the lines between legitimate tools and malicious intent are increasingly blurred,” said Martin Riley, Director of Managed Security Services at Bridewell. “Where threats like C2 frameworks, infostealers and fake updates are evolving in sophistication and impact, it’s necessary for organisations to stay ahead of the curve.
“Our intelligence experts have meticulously analysed the trends and patterns, providing invaluable insights that empower CNI organisations to fortify their defences against these insidious threats. Vigilance and comprehensive cybersecurity strategies will prove key to navigating this landscape in 2024.”