Key MITRE ATT&CK techniques used by cyber attackers


While the threat landscape continues to shift and evolve, attackers' motivations do not, according to a Red Canary report. The classic tools and techniques adversaries deploy remain consistent, with some notable exceptions.

ATT&CK techniques

The report tracked the MITRE ATT&CK techniques that adversaries abuse most frequently throughout the year, and two new and notable entries soared into the top 10 in 2023: email forwarding rules and cloud accounts.

Why do adversaries abuse cloud accounts?

Cloud account compromises are growing in prevalence as organizations embrace software-as-a-service (SaaS) for critical productivity applications like email, file storage, and messaging, resulting in a substantial amount of data now being stored in the cloud. This shift is mirrored by adversaries too, who are finding just as much value in compromising cloud identities as they have historically found in traditional endpoints.

Cloud accounts was the fourth most prevalent MITRE ATT&CK technique researchers detected in 2023, rising from 46th in 2022, increasing 16x in detection volume and affecting three times as many customers in 2023 as in 2022.
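A compromised cloud account is, by definition, a valid identity signing in from somewhere its owner is not. One of the simplest detections defenders run over identity-provider sign-in logs is an "impossible travel" check: two successful sign-ins for the same account far enough apart that no traveller could have covered the distance in the elapsed time. The example below is added here and is not Red Canary's code or tooling; the sign-in records are constructed, their field names (`user`, `time`, `ip`, `lat`, `lon`, `result`) are an assumption rather than any provider's schema, and the 900 km/h threshold is an assumed tuning value.

```python
"""Impossible-travel check over cloud sign-in events (added example).

Two successful sign-ins for one account whose distance apart implies a
speed no traveller reaches are reported as a likely account compromise.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumption: anything faster than a long-haul airliner is not a person moving.
MAX_PLAUSIBLE_KMH = 900.0
# Assumption: moves shorter than this are NAT churn or one metro area; ignore.
MIN_DISTANCE_KM = 50.0

# Constructed sample sign-in events. Field names are an assumption, not a
# specific identity provider's schema; coordinates are rough city centres
# and the IP addresses come from documentation ranges.
SAMPLE_SIGNINS = [
    {"user": "cfo@example.com", "time": "2023-09-04T08:00:00Z",
     "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278, "result": "success"},
    {"user": "cfo@example.com", "time": "2023-09-04T08:45:00Z",
     "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060, "result": "success"},
    {"user": "analyst@example.com", "time": "2023-09-04T09:00:00Z",
     "ip": "203.0.113.22", "lat": 51.5074, "lon": -0.1278, "result": "success"},
    {"user": "analyst@example.com", "time": "2023-09-04T12:00:00Z",
     "ip": "203.0.113.40", "lat": 53.4808, "lon": -2.2426, "result": "success"},
    # a failed attempt from far away is noise for this check, not travel
    {"user": "analyst@example.com", "time": "2023-09-04T12:05:00Z",
     "ip": "192.0.2.9", "lat": 40.7128, "lon": -74.0060, "result": "failure"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive pair of successful sign-ins for the
    same account whose implied speed exceeds max_kmh."""
    by_user = {}
    for event in events:
        if event["result"] != "success":   # only sessions that actually opened
            continue
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(user_events, user_events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "km": round(km), "minutes": round(hours * 60), "kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print(f"{alert['user']}: {alert['from_ip']} -> {alert['to_ip']} "
              f"{alert['km']} km in {alert['minutes']} min ({alert['kmh']} km/h)")
```

On the constructed data only the finance account trips the check (London to New York in 45 minutes); the analyst's London to Manchester move over three hours is well under the threshold, and the failed attempt is excluded because a refused login is not evidence of where the account holder is. In production the same logic is usually paired with an allow-list for known VPN and cloud-proxy egress, whose geolocation jumps are legitimate.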

Detections for malicious email forwarding rules rose by nearly 600%, as adversaries compromised email accounts, redirected sensitive communications to archive folders and other places users are unlikely to look, and attempted to modify payroll or wire transfer destinations, rerouting money into the criminal's account.
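The forwarding-rule tradecraft just described leaves a clear trace in mailbox audit logs: a rule that forwards or redirects mail to an outside address, parks matching messages in a folder the owner rarely opens, deletes them, or filters on payment-related words. The triage routine below is an added example, not code from Red Canary or the report. Its records are constructed and only loosely shaped like Exchange Online audit entries for `New-InboxRule` / `Set-InboxRule` (an `Operation`, a `UserId`, and a `Parameters` list of `Name`/`Value` pairs); treat that shape, the `ORG_DOMAINS` set, the hiding-folder list and the keyword list as assumptions to adapt to your own tenant.

```python
"""Triage mailbox inbox rules for account-takeover tradecraft (added example):
external forwarding, hiding mail in rarely viewed folders, deletion, and
filtering on payroll or wire-transfer keywords."""
import re

# Assumption: the organisation's own mail domains; anything else is external.
ORG_DOMAINS = {"example.com"}

# Folders adversaries use to park redirected mail where owners seldom look
# (constructed list based on the behaviour described in the article).
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "junk email",
                  "deleted items", "conversation history"}

# Words suggesting a rule is aimed at payroll or wire-transfer traffic.
FINANCE_WORDS = {"invoice", "payroll", "wire", "payment", "bank", "iban", "routing"}

# Rule actions that send a copy of mail somewhere else.
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
CONDITION_KEYS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords")

# Constructed sample records; the field shape is an assumption, not an export.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},                       # near-empty name
        {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
        {"Name": "ForwardTo", "Value": "finance-review@external-mail.example"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "Parameters": [
        {"Name": "Name", "Value": "Cleanup"},
        {"Name": "FromAddressContainsWords", "Value": "bank"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "analyst@example.com", "Parameters": [
        {"Name": "Name", "Value": "Team newsletter"},         # benign sorting rule
        {"Name": "FromAddressContainsWords", "Value": "newsletter@example.com"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def rule_parameters(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_domains(value):
    """Mail domains mentioned in a parameter value that are not ours."""
    return sorted({d.lower() for d in EMAIL_RE.findall(value)
                   if d.lower() not in ORG_DOMAINS})


def assess_rule(record):
    """Return the reasons a rule looks malicious; an empty list means clean."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = rule_parameters(record)
    reasons = []
    for action in FORWARD_ACTIONS:
        outside = external_domains(p.get(action, ""))
        if outside:
            reasons.append(f"{action} sends mail outside the organisation: " + ", ".join(outside))
    folder = p.get("MoveToFolder", "").strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    # The remaining signals are weak on their own, so only add them to a rule
    # that already has a strong exfiltration or hiding indicator.
    if reasons and p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    conditions = " ".join(p.get(k, "") for k in CONDITION_KEYS).lower()
    hits = sorted(w for w in FINANCE_WORDS if w in conditions)
    if reasons and hits:
        reasons.append("filters on payment-related words: " + ", ".join(hits))
    name = p.get("Name")
    if reasons and name is not None and not name.strip(" .,-_"):
        reasons.append(f"evasive rule name {name!r}")
    return reasons


def triage(records):
    """Map each user with a suspicious rule to its reasons, for an analyst queue."""
    return {r["UserId"]: assess_rule(r) for r in records if assess_rule(r)}


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_RECORDS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

The external-forwarding and hiding-folder checks are the strong signals; the keyword, mark-as-read and empty-name checks are deliberately only appended to a rule that already tripped one of them, so that an ordinary "file the newsletter" rule never reaches the queue. Tenant-level controls (blocking automatic external forwarding, alerting on rule creation) reduce the volume this routine has to score, but do not replace it, since moving mail into an RSS or archive folder needs no forwarding at all.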

In 2023 we saw continued use of perennial favorite techniques. Phishing remains an evergreen issue, and this year adversaries continued to leverage a variety of file types in their phishing emails to deliver malicious payloads. SEO poisoning and malvertising continued to be popular, with new threats taking inspiration from established malware families. We saw a steady stream of new vulnerabilities exploited by adversaries from ransomware operators to state-sponsored threats, emphasizing the need to maintain patch levels both internally and within the supply chain.

Identity attacks

Half of the top threats are ransomware precursors that could lead to a ransomware infection if left unchecked, with ransomware continuing to have a major impact on businesses.

Despite a wave of new software vulnerabilities, humans remained the primary vulnerability that adversaries took advantage of in 2023, compromising identities to access cloud service APIs, execute payroll fraud with email forwarding rules, launch ransomware attacks, and more.

As organizations migrate to the cloud and rely on a growing array of SaaS applications to manage and access sensitive information, identities are the ties that bind all these systems together. Adversaries have quickly learned that these systems house the information they want, and that valid and authorized identities are the most expedient and reliable way into those systems.

Researchers noted several broader trends impacting the threat landscape, such as the emergence of generative AI, the continued prominence of remote monitoring and management (RMM) tool abuse, the prevalence of web-based payload delivery like SEO poisoning and malvertising, the increasing necessity of MFA evasion techniques, and the dominance of brazen but highly effective social engineering schemes such as help desk phishing.

"The top 10 threats and techniques change minimally year over year, so the drift that we're seeing in the 2024 report is significant. The rise of cloud account compromises from 46 to number 4 is unprecedented in our dataset, and it's a similar story with email forwarding rules," said Keith McCammon, Chief Security Officer, Red Canary.

"The golden thread connecting these modes of attack is identity. To access cloud accounts and SaaS applications, adversaries must compromise some form of identity or credential, and one that is highly privileged can grant an adversary untold access to valuable accounts, underscoring the critical importance of securing corporate identities and identity providers," McCammon continued.

Emerging techniques for macOS, Microsoft, and Linux users to watch out for

In 2023 researchers detected more stealer activity in macOS environments than ever before, including instances of reflective code loading and AppleScript abuse.

While many techniques like PowerShell and Windows Command Shell persist, there were some interesting variations, including:

  • Adversaries compiled malicious installers with Microsoft's new MSIX packaging tool, typically used to update existing desktop applications or install new ones, to trick victims into running malicious scripts under the guise of downloading legitimate software.
  • Container escapes, where adversaries exploit vulnerabilities or misconfigurations in container kernels and runtime environments to "escape" the container and infect the host system.
  • Reflective code loading is allowing adversaries to evade macOS security controls and run malicious code on otherwise hardened Apple endpoints.

Adversaries don't target verticals; they target systems

The data shows that adversaries reliably leverage the same small set of 10-20 ATT&CK techniques against organizations, regardless of the victim's sector or industry. However, adversaries do favor certain tools and techniques that may target systems and workflows that are common in specific sectors:

  • Healthcare: Visual Basic and Unix Shell were more prevalent, likely due to the different equipment and systems used within that industry.
  • Education: Email forwarding and hiding rules were more common, likely due to a heavy reliance on email.
  • Manufacturing: Replication through removable media, such as USBs, was more common, likely due to a reliance on air-gapped or pseudo air-gapped physical infrastructure and legacy systems.
  • Financial services and insurance: Less "obvious" techniques, such as HTML smuggling and Distributed Component Object Model, were more common, likely due to greater investments in controls and testing.
