Palo Alto Unit 42 Response Report to Cyber Security Threats

The group stated there were indications that “threat actors are finding leak site extortion less effective in compelling payments… threat actors are piling on additional tactics to ensure they get their payments.”

In 2024, 86% of the incidents to which Unit 42 responded involved losses damaging to reputation or business processes. Attackers began with encryption and data theft, moved on to locking users out of collectively managed files, and in some cases deleted VMware virtual machines and corrupted data entries through tampering or deletion.

A popular tactic was to target “deep partner networks”, which required a costly and time-consuming containment operation and, once the patch had been applied, re-authentication of the partner connections.

Clients operating in industries such as healthcare, hospitality, manufacturing and critical infrastructure have had to “grapple with extended downtime, strain on partner and customer relationships and bottom-line inputs”. The median extortion demand increased nearly 80% to $1.25mn in 2024 from $695,001 in 2023.

However, in cases where a payment was negotiated with the attackers, Palo Alto found that the median ransom payment rose by just $30,000 to $267,500 in 2024, a decline of more than 50% from the initial demand.

The median initial demand in 2024 was 2% of an organisation’s perceived annual revenue, with over half of ransom demands falling between 0.5% and 5% of the victim’s perceived revenue, although there were outliers in which more than half of annual turnover was demanded.

In terms of the nature of attacks, just over one-third of incidents involved cloud-based data, with dangling logins left behind as SaaS-based virtual infrastructure was exploited through connection re-routing. A lack of multi-factor authentication featured in just 1/4 of reported attacks, versus 1/3 in 2023.

On numerous occasions, Unit 42 reported threat actors as having used “leaked API/access keys for initial access. This often gives threat actors leverage for further compromise…

In 45% of cases when we observed exfiltration, attackers sent the data to cloud storage… a technique that can mask the attacker’s activity within legitimate organisational traffic.”

Inactive personal accounts can be leveraged to launch internal attacks against an organisation’s software configurations (T1484 – Domain or Tenant Policy Modification); scraping for privileged account logins can be masked as the attacker “abuses admin-level access”; and attackers can cloak their plugin’s activity by hijacking cloud resources, taking snapshots of storage parameters to identify the data the organisation considers valuable.

Palo Alto said that although attackers have the capacity to disable or modify security tools, the system firewall and Windows Event logging, even while exploiting a bottlenecked workflow pipeline for privilege escalation, it is worth noting that in 75% of the incidents investigated, “critical evidence of the initial intrusion was present in the logs. Yet, due to complex, disjointed systems, that information wasn’t readily accessible or effectively operationalised.”

The group suggests applying a “zero-trust” policy that can pivot quickly around a breach to contain it, and prioritising the security of valuable data by accurately monitoring access levels and data flows, to “stop unauthorised transfers, shielding your authorisation from IP theft, compliance violations and financial repercussions.”

An emerging threat is the proliferation of AI-assisted attacks, against which it recommends the following precautions:

  • Deploy AI-driven detection to spot malicious patterns at machine speed, correlating data from multiple sources.
  • Train staff to recognise AI-generated phishing, deepfakes and social engineering attempts.
  • Incorporate adversarial simulation exercises in tabletop exercises to prepare for rapid, large-scale attacks.
  • Develop automated workflows so your SOC can contain threats before they pivot or exfiltrate data.
