11 January 2024
KELA Cyber Intelligence Center
While some cybercriminals are on their holiday vacations (yes, we observed zero new ransomware victims on New Year’s Eve), the lull won’t last long. Ahead of the new battles of 2024, KELA elaborates on the most expected trends in cybercrime for this year.
Hacktivists will become more mature and could be nation-state coverups
As we’re entering 2024 with two wars that have been marked by significant involvement of hacktivists, these types of actors aren’t going to rest. With their quick adoption of Telegram as one of the main ways to self-organize, attract attention, and announce attacks, hacktivists have learned to create noise around their activities. A possible evolution of such groups will be related to forming alliances and possibly trying to fund themselves through financially motivated cyber activities. Overall, the groups should now be entering a more “established” state. With the Russia-Ukraine war, the main players seem to have been set (such as Killnet, NoName, Anonymous Sudan, etc.), though with the Israel-Hamas war the landscape can still change.
As for the type of attacks, DDoS and defacement, with occasional data-theft attacks, are expected to persist as the main tactics of hacktivists in 2024. Potentially, following the alleged state-sponsored attack on Kyivstar, which was claimed through the hacktivist group Solntsepyok, more nation-state actors will use hacktivists as their cover, resulting in more destructive and sophisticated attacks.
Ransomware and extortion actors to focus on supply-chain attacks
Stealing data in addition to encrypting it is an old, well-known trick. As a next big tactic, some prominent actors have already tried attacking third parties, resulting in massive data breaches, such as the MOVEit vulnerability exploitation by Clop and the attack on Mercury IT by LockBit. From sophisticated cybercriminals to beginners, threat actors seem to have realized the potential of such a compromise. It has resulted in an increased supply of initial access to third parties through the cybercrime ecosystem, with threat actors, for example, adding notes such as, “This is a great investment opportunity for deploying ransomware or supply chain attacks!”
Based on the recent notable incidents, data-transfer solutions and managed service providers will be an attractive target for ransomware and extortion actors in 2024, giving enterprise defenders a strong incentive to closely examine their supply chain and minimize the attack surface.
Infostealers: an initial access vector everyone can afford
Speaking of initial access, the market for compromised credentials acquired through information-stealing malware will only thrive in 2024. Smarter attackers have understood for a long time that a single employee credential they can obtain for $10 can result in a high-profile compromise, such as the Uber or T-Mobile attacks. Based on demand, the cybercrime ecosystem adapts, providing innovative ways of obtaining such credentials, including subscription-based “clouds of logs” and dedicated services that aim to filter valid VPN credentials out of the overall volume. The success of battling this threat will depend on enterprise defenders’ early access to this data through cyber threat intelligence solutions, enabling them to discover compromised corporate credentials before sophisticated threat actors acquire them.
Those who rush into implementing AI will be targeted
While cybersecurity companies have been adapting AI for defense, threat actors have been poking around for different ways to leverage AI in their attacks. Though attackers have tried to automate the identification of vulnerabilities, optimize phishing attacks or malware development, and so on, the process has been mostly inconsistent and will most likely stay the same in 2024. However, threat actors will definitely focus on and become better at attacking organizations that have adopted AI but haven’t yet managed to properly secure it. With a lack of legislation and an absence of best practices established over the years, the cost of implementing AI without effective protection measures can be too high.
Takedowns: battles with hydra continue
Takedowns orchestrated by law-enforcement agencies have been instrumental in disrupting various cybercriminal activities. However, looking ahead to 2024, it’s crucial to acknowledge the resilience of threat actors, such as the QakBot botnet surviving the takedown or the Alphv ransomware gang getting past the seizure of its blog. Historically, after law-enforcement actions, threat actors tend to regroup, rebrand, or resurface under new aliases, and it’s anticipated that threat actors will continue to evolve their tactics. As the cyber battlefield evolves, it’s crucial to maintain a diverse approach that will not only disrupt the operations of sophisticated actors, but also complicate their use of the cybercrime ecosystem and their supply chains.