10 Types of Cyberattacks Targeting Organizations Now
The threat landscape is perpetually in flux. Some attack vectors persist, others become less popular over time, and new ones constantly emerge to replace them. In this dynamic space, it’s essential for organizations to keep ahead of new and breaking threats.
According to the June 2024 BlackBerry® Global Threat Intelligence Report, BlackBerry® cybersecurity solutions prevented over 3.1 million attacks in the first quarter of 2024, equating to about 37,000 attacks per day. The BlackBerry Threat Research and Intelligence Team explains who the main targets are.
“Most of these attacks happened against critical infrastructure,” says Ismael Valenzuela, Vice President of Threat Research and Intelligence at BlackBerry. “CISA’s definition of critical infrastructure includes 16 different sectors, such as healthcare, government, energy, agriculture, finance, defense, and defense contractors.”
In this blog, we look at the latest top ten threats to these types of organizations, according to the MITRE ATT&CK® framework.
High-Value Targets
There’s a reason why critical infrastructure is one of the main cyberattack targets. Valenzuela explains: “Attackers are going after these organizations for the value of the data they have, for espionage purposes to exfiltrate data, or because they know that they support CISA’s critical infrastructure. By impacting these organizations, they know they're going to create chaos and they're going to probably trigger the payment of a ransom or some other financial gain.”
BlackBerry threat researchers found that 60% of the attacks from January to March 2024 targeted critical infrastructure, and 36% targeted commercial enterprises.
Says Valenzuela, “Commercial enterprises are usually also the target for these attackers. Half of these attacks against critical infrastructure happened in the finance sector.”
The increasing digitization of these sectors means their assets are more vulnerable to cybercriminals, and the increased use of connected devices and cloud computing has provided additional opportunities to breach their systems.
The Top Ten MITRE ATT&CK Techniques
Understanding threat groups’ high-level techniques can aid in deciding which detection techniques should be prioritized. “MITRE is the framework through which we can understand how the chain is being built among the whole attack,” explains Natalia Ciapponi, Threat Emulation Lead, BlackBerry. “These are the top 10 MITRE ATT&CK Techniques used by threat actors in this reporting period.”
Now let’s take a closer look at each type of MITRE ATT&CK Technique in our top 10 list.
Process Injection: This is where adversaries inject code into processes to evade process-based defenses and elevate privileges. This method executes arbitrary code in the address space of a separate live process, which may allow access to the process's memory, system/network resources, and elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
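Defenders usually catch this technique at the moment one process opens a handle to another with the rights an injector needs. The following is an added example, not BlackBerry's code or anything from the report: it scans constructed records shaped like Sysmon Event ID 10 (ProcessAccess) and flags a cross-process handle that carries the full set of rights needed to write memory and start a thread, unless the requesting program is on a local allowlist. The field names mirror Sysmon's; the allowlist and the sample events are made up for illustration.

```python
# Added example, not BlackBerry's code: flag cross-process handle requests that
# carry the rights an injector needs, using constructed records shaped like
# Sysmon Event ID 10 (ProcessAccess). Field names mirror Sysmon's; the sample
# events and the allowlist are made up for illustration.

# Access-right bits from the documented Windows PROCESS_* access mask.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Writing code into another process and starting a thread there needs all three.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Hypothetical allowlist: programs that legitimately open other processes with
# write rights on this estate (debuggers, endpoint agents, and so on).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_suspicious_access(event):
    """True when a non-allowlisted process opened a *different* process with
    every right needed to write its memory and create a thread in it."""
    granted = int(event["GrantedAccess"], 16)  # Sysmon reports a hex string
    source = event["SourceImage"].lower()
    if event["SourceProcessId"] == event["TargetProcessId"]:
        return False  # a process opening itself is not cross-process injection
    if (granted & INJECT_MASK) != INJECT_MASK:
        return False  # a right is missing, so this handle cannot be used to inject
    return source not in ALLOWED_SOURCES


def find_injection_candidates(events):
    """Return (source, target, granted access) for each event worth triage."""
    return [(e["SourceImage"], e["TargetImage"], e["GrantedAccess"])
            for e in events if is_suspicious_access(e)]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"SourceProcessId": 612, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 3100, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"SourceProcessId": 5480, "SourceImage": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetProcessId": 1240, "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1F0FFF"},
    {"SourceProcessId": 7012, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetProcessId": 6650, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1000"},  # PROCESS_QUERY_LIMITED_INFORMATION only
    {"SourceProcessId": 3100, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 3100, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for source, target, access in find_injection_candidates(SAMPLE_EVENTS):
        print(f"possible injection: {source} -> {target} ({access})")
```

The allowlist is the part that needs local care: endpoint agents, crash reporters and debuggers legitimately request these rights, so the list should be built from observed baselines rather than guessed.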
System Information Discovery: Adversaries use this technique to try and get detailed information about the intended victim’s operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information during automated discovery to shape follow-on behaviors, including whether the adversary fully infects the target or other specific actions.
DLL Side-Loading: Attackers use this approach to execute their own malicious payloads by hijacking which DLL (dynamic link library) a program loads. Rather than just planting the DLL within the search order of a program and then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting and then invoking a legitimate application that executes their payload(s). Adversaries use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.
Input Capture: Threat actors use this method to capture user input and obtain credentials or collect information. During normal system usage, users often provide credentials to various locations, such as login pages and portals or system dialog boxes. Input capture mechanisms may be transparent to the user or rely on deceiving the user into providing input into what they believe to be a genuine service.
Security Software Discovery: Adversaries use this technique to uncover the list of installed security programs, configurations, and sensors on a targeted system or cloud environment. This is key for an adversary who hopes to stay undetected. For example, if a malicious group runs a command on a victim’s system but detects that their security tools can spot malicious activity, they will often abort the operation. In other cases, more advanced and persistent groups can differentiate between security applications and find a way to work around the weaker ones. This can result in an adversary gaining control of a system or cloud environment.
Masquerading: Attackers deploy this sophisticated cyberthreat tactic to disguise their activities and evade detection. For instance, by using a false name, icon, and metadata, adversaries disguise harmful actions as standard system operations. Masquerading as a legitimate file or process can trick users and security software into opening or saving a fake file, which can lead to system penetration and data loss.
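Side-loading and masquerading share a detection angle: a file carries the name of a well-known Windows component, but its directory or signature does not match a genuine copy. The following is an added example, not BlackBerry's code, that applies that check to constructed records shaped like Sysmon Event ID 7 (ImageLoaded, for side-loaded DLLs) and Event ID 1 (ProcessCreate, for masquerading executables). Field names mirror Sysmon's; the reference table of expected locations and the sample records are constructed for illustration, and because ProcessCreate records carry no signature fields, only the location check applies to them.

```python
# Added example, not BlackBerry's code: flag an image whose file name belongs to
# a well-known Windows component but whose directory or signature state does
# not match a genuine copy. Records are shaped like Sysmon Event ID 7
# (ImageLoaded) and Event ID 1 (ProcessCreate); the reference table and the
# sample records are constructed for illustration.
import ntpath

# Hypothetical reference table: well-known names and where a genuine copy lives.
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "version.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dbghelp.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def classify_image(event):
    """Return None when the image looks genuine, otherwise a short reason."""
    directory, name = ntpath.split(event["Image"].lower())
    if name not in EXPECTED_LOCATIONS:
        return None  # not a name this table knows anything about
    reasons = []
    if directory not in EXPECTED_LOCATIONS[name]:
        reasons.append(f"{name} loaded from unexpected directory {directory}")
    signed = event.get("Signed")  # absent when the record carries no signature data
    if signed is not None and not (signed.lower() == "true"
                                   and event.get("SignatureStatus") == "Valid"):
        reasons.append(f"{name} is not validly signed")
    return "; ".join(reasons) or None


def scan_images(events):
    """Return (event id, image path, reason) for every record that needs triage."""
    hits = []
    for event in events:
        reason = classify_image(event)
        if reason:
            hits.append((event["EventID"], event["Image"], reason))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Example\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for event_id, image, reason in scan_images(SAMPLE_EVENTS):
        print(f"event {event_id}: {image}: {reason}")
```

A production version would populate the reference table from a golden image rather than by hand, and would also compare the file hash against the known-good copy, since a side-loaded DLL dropped next to a legitimate application can sit outside the system directories while still being signed by someone.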
File and Directory Discovery: Threat actors frequently utilize the reconnaissance stage to gain insight into the target environment, identify potential files for exfiltration or manipulation, and locate sensitive information. This information supports further stages of an attack chain.
Process Discovery: With this technique, adversaries attempt to get information about running processes on a system so they can understand common software and applications within the network. Gaining admin or other elevated types of access may provide better process details. Attackers use this information during automated discovery to shape follow-up behaviors.
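Each of the four discovery techniques above (system information, security software, file and directory, and process discovery) is hard to spot on its own, because administrators run the same commands. What stands out is the pattern the text describes: automated tooling runs several of them in quick succession from one parent process. The following is an added example, not BlackBerry's code, that flags any parent process whose children cover three or more distinct discovery techniques within 60 seconds. Records are shaped like Sysmon Event ID 1 (ProcessCreate); the rule table mapping commands to techniques and the sample events are constructed for illustration.

```python
# Added example, not BlackBerry's code: the discovery techniques tend to surface
# as a burst of enumeration commands launched from one parent process, so this
# flags a parent that runs commands covering three or more distinct techniques
# within 60 seconds. Records are shaped like Sysmon Event ID 1 (ProcessCreate);
# the rule table and sample events are constructed for illustration.
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical rule table: (image name, required command-line substring or
# None, technique the command serves).
DISCOVERY_RULES = [
    ("systeminfo.exe", None, "System Information Discovery"),
    ("tasklist.exe", None, "Process Discovery"),
    ("tree.exe", None, "File and Directory Discovery"),
    ("cmd.exe", " dir ", "File and Directory Discovery"),
    ("wmic.exe", "antivirusproduct", "Security Software Discovery"),
    ("netsh.exe", "advfirewall show", "Security Software Discovery"),
]


def classify_command(event):
    """Return the discovery technique a process launch matches, or None."""
    name = ntpath.basename(event["Image"].lower())
    command_line = event["CommandLine"].lower()
    for image, needle, technique in DISCOVERY_RULES:
        if name == image and (needle is None or needle in command_line):
            return technique
    return None


def parse_utc(text):
    # Sysmon UtcTime looks like "2024-06-03 10:15:02.000"
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def find_discovery_bursts(events, window_seconds=60, min_techniques=3):
    """Map parent process id -> set of techniques for each parent whose
    children cover at least min_techniques inside one window."""
    by_parent = defaultdict(list)
    for event in events:
        technique = classify_command(event)
        if technique:
            by_parent[event["ParentProcessId"]].append((parse_utc(event["UtcTime"]), technique))
    window = timedelta(seconds=window_seconds)
    bursts = {}
    for parent, hits in by_parent.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {technique for stamp, technique in hits[i:] if stamp - start <= window}
            if len(seen) >= min_techniques:
                bursts[parent] = seen
                break  # one report per parent is enough for triage
    return bursts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-06-03 10:15:02.000", "ParentProcessId": 4242,
     "Image": r"C:\Windows\System32\systeminfo.exe", "CommandLine": "systeminfo"},
    {"UtcTime": "2024-06-03 10:15:05.000", "ParentProcessId": 4242,
     "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /v"},
    {"UtcTime": "2024-06-03 10:15:09.000", "ParentProcessId": 4242,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"UtcTime": "2024-06-03 10:15:20.000", "ParentProcessId": 4242,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c dir C:\Users /s"},
    {"UtcTime": "2024-06-03 10:15:25.000", "ParentProcessId": 4242,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"UtcTime": "2024-06-03 10:30:00.000", "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist"},
    {"UtcTime": "2024-06-03 11:45:00.000", "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\systeminfo.exe", "CommandLine": "systeminfo"},
]

if __name__ == "__main__":
    for parent, techniques in find_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"parent {parent} ran discovery for: {', '.join(sorted(techniques))}")
```

Counting distinct techniques rather than raw commands is what keeps a single administrator running tasklist twice from tripping the rule; the window and threshold are starting points to tune against local baselines.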
Application Layer Protocol: This is a popular way for threat actors to conceal their actions within legitimate traffic to avoid detection. By exploiting vulnerabilities in commonly used network protocols such as HTTP, HTTPS, DNS or SMB, adversaries blend malicious activity seamlessly into routine network traffic. They use this technique to exfiltrate data, enable C2 (command and control) communication, and move laterally within compromised networks. The stealthy nature of application layer protocol manipulation poses significant challenges to detection and attribution, as many traditional security tools struggle to differentiate between normal and malicious network activity. (This is why security tools with mature AI are so critical. Read Predictive AI, What It Is and How It Works, for more information.)
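Because the traffic itself looks routine, one signal defenders lean on is timing: a C2 implant that hides in HTTP or HTTPS usually checks in on a schedule, and machine-regular intervals look different from a person browsing. The following is an added example, not BlackBerry's code, that scores client/host pairs in a web proxy log by how regular their request intervals are. The one-line-per-request log format and the sample lines are constructed for illustration, and the thresholds are starting points to tune rather than published values.

```python
# Added example, not BlackBerry's code: command-and-control traffic that hides
# inside HTTP(S) tends to check in on a timer, so this looks for client/host
# pairs whose request intervals are unusually regular. The log format
# ("<ISO time> <client> <method> <host> <path> <status>") and the sample lines
# are constructed; the thresholds are starting points to tune.
import statistics
from collections import defaultdict
from datetime import datetime


def parse_line(line):
    timestamp, client, method, host, path, status = line.split()
    return {"time": datetime.fromisoformat(timestamp), "client": client, "host": host}


def find_beacons(lines, min_requests=6, max_cv=0.15):
    """Return (client, host, mean gap in seconds, coefficient of variation) for
    every pair with at least min_requests requests whose gaps vary by no more
    than max_cv of the mean. A low coefficient of variation means the timing
    is machine-regular rather than human-irregular."""
    times = defaultdict(list)
    for line in lines:
        record = parse_line(line)
        times[(record["client"], record["host"])].append(record["time"])
    beacons = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few samples to say anything about regularity
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # identical timestamps are a burst, a different pattern
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((client, host, round(mean, 1), round(cv, 3)))
    return beacons


# Constructed proxy log (not real traffic): one host is polled about once a
# minute with small jitter, the other is ordinary browsing.
SAMPLE_LOG = """\
2024-06-03T09:00:00 10.0.0.5 GET updates.example-cdn.test /ping 200
2024-06-03T09:00:10 10.0.0.5 GET news.example.test / 200
2024-06-03T09:00:12 10.0.0.5 GET news.example.test /style.css 200
2024-06-03T09:00:40 10.0.0.5 GET news.example.test /article/1 200
2024-06-03T09:01:01 10.0.0.5 GET updates.example-cdn.test /ping 200
2024-06-03T09:01:59 10.0.0.5 GET updates.example-cdn.test /ping 200
2024-06-03T09:03:02 10.0.0.5 GET updates.example-cdn.test /ping 200
2024-06-03T09:04:00 10.0.0.5 GET updates.example-cdn.test /ping 200
2024-06-03T09:04:58 10.0.0.5 GET updates.example-cdn.test /ping 200
2024-06-03T09:05:00 10.0.0.5 GET news.example.test /article/2 200
2024-06-03T09:05:03 10.0.0.5 GET news.example.test /img.png 200
2024-06-03T09:06:01 10.0.0.5 GET updates.example-cdn.test /ping 200
2024-06-03T09:07:00 10.0.0.5 GET updates.example-cdn.test /ping 200
2024-06-03T09:20:00 10.0.0.5 GET news.example.test /article/3 200
""".splitlines()

if __name__ == "__main__":
    for client, host, mean_gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: every {mean_gap}s (cv {cv})")
```

Regular timing is a triage signal, not proof: software update checks and monitoring agents beacon too, and implants that add large random jitter will raise the coefficient of variation above a tight threshold, so this works best alongside destination reputation and the volume and direction of the bytes moved.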
Registry Run Keys / Startup Folder: Attackers often manipulate these autostart locations to establish persistence on compromised systems. By tampering with Windows Registry keys or adding malicious entries to startup folders, adversaries ensure that their malicious payloads execute automatically upon system boot-up or user login, facilitating ongoing control over compromised systems. This technique enables adversaries to deploy a wide range of malware, including backdoors, keyloggers and ransomware, thereby maintaining persistent access to compromised systems.
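Both halves of this technique leave a clear record: a registry value set under a Run or RunOnce key, or a file created in a Startup folder. The following is an added example, not BlackBerry's code, that scans constructed records shaped like Sysmon Event ID 13 (RegistryEvent, value set) and Event ID 11 (FileCreate) and raises an alert for each new autostart entry, rating it higher when the payload lives somewhere any user can write. Field names mirror Sysmon's and the key and folder names are the standard Windows ones; the list of user-writable prefixes, the sample records and the SID in them are constructed for illustration.

```python
# Added example, not BlackBerry's code: flag new autostart entries using
# constructed records shaped like Sysmon Event ID 13 (RegistryEvent, value set)
# and Event ID 11 (FileCreate). Field names mirror Sysmon's; the user-writable
# prefix list, the sample records and the SID are constructed for illustration.

# Lower-cased registry path fragments that make a value run at boot or logon.
RUN_KEY_MARKERS = (
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
    "\\policies\\explorer\\run\\",
)
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"

# Hypothetical: places an installer would not normally point an autostart
# value at, but malware routinely does because any user can write there.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
    "%appdata%", "%localappdata%", "%temp%",
)


def classify_persistence(event):
    """Return an alert dict for an autostart change, or None."""
    writer = event["Image"]
    if event["EventID"] == 13:
        key = event["TargetObject"].lower()
        if not any(marker in key for marker in RUN_KEY_MARKERS):
            return None
        # Details holds the value data; strip a leading quote so quoted paths match.
        payload = event.get("Details", "").lower().lstrip('"')
        risky = any(payload.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)
        return {"mechanism": "registry run key",
                "severity": "high" if risky else "medium",
                "writer": writer, "target": event["TargetObject"],
                "payload": event.get("Details", "")}
    if event["EventID"] == 11:
        path = event["TargetFilename"].lower()
        if STARTUP_FOLDER_MARKER not in path:
            return None
        # Anything dropped into a Startup folder runs at the next logon.
        return {"mechanism": "startup folder", "severity": "high",
                "writer": writer, "target": event["TargetFilename"],
                "payload": event["TargetFilename"]}
    return None


def scan_persistence(events):
    return [alert for alert in map(classify_persistence, events) if alert]


# Constructed sample telemetry (not real events; the SID is a placeholder).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\Example\updater.exe /background"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSync",
     "Details": r'"C:\Users\alice\AppData\Roaming\svc.exe" /silent'},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example\DisplayName",
     "Details": "Example Suite"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in scan_persistence(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['mechanism']}: {alert['writer']} "
              f"set {alert['target']} -> {alert['payload']}")
```

The medium-severity case still deserves a look: legitimate installers do add Run values, so the practical approach is to baseline those during change windows and alert on the remainder, with the user-writable check promoting the entries most likely to be malware.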
Keeping Ahead of the Threats
The dangers of not keeping up with the latest attack trends can be more than just financial. “Attackers know that they can leverage the fact that some organizations, such as those in the healthcare industries, have devices that they haven't updated in a long time,” says Valenzuela. “We have seen hospitals reverting to doing admissions with pen and paper because they couldn't use their computer networks. That means lives could be at stake.”
With such a high burden of public responsibility hanging in the balance, critical infrastructure and commercial enterprises must ensure they remain up to date with recent information on the threat landscape, and take protective measures accordingly.
For more actionable threat intelligence, read the BlackBerry Global Threat Intelligence Report, published each quarter.