Rise in phishing attacks observed from August to October 2024

ReliaQuest has released a report detailing trends in cyberattacks observed from August to October 2024, highlighting a marked rise in phishing incidents.

During the reporting period, phishing incidents accounted for 46% of all incidents affecting the company's clients, a rise attributed to high employee turnover and the accessibility of phishing kits. ReliaQuest identified "SocGholish" and "LummaC2" as the most common malware during this period.

There was a 20% increase in cloud services alerts, driven by heightened use of cloud accounts, while malicious file alerts in phishing attacks remain a significant issue, taking advantage of users' tendencies to open files.

Law enforcement actions and affiliate distrust have throttled "LockBit" ransomware activity, yet it still holds notable presence. "RansomHub", benefiting from a ransomware-as-a-service model, is on the ascent, especially targeting the US, the manufacturing sector, and the professional, scientific, and technical services sectors.

Initial Access Broker activities saw a 16% rise, scraping against US organisations, believed to be likely to pay ransoms due to perceived cyber insurance policies. There was also an increase in cybercrime guides on forums, with insider threat content rising by 7%, driven by substantial financial incentives.

The data also showed a 12% reduction in mentions of Common Vulnerabilities and Exposures, indicating a downturn in discussions on such vulnerabilities in cybercriminal fora.

The findings included a 6% increase in digital risk protection alerts related to impersonating domains, showing continued dependency on straightforward techniques to capture credentials and data.

In a notable incident in late October 2024, ReliaQuest responded to a phishing attack targeting an organisation by impersonating its CEO. Despite existing security measures, the "Allowed Phishing Email" rule in the GreyMatter platform flagged the email, which included a malicious PDF. The investigation led to refined filtering rules to better distinguish similar threats in future.

Phishing remains an enduring threat, with its success due to its uncomplicated and effective nature. The report distinguished an incline in such attacks, possibly correlating with the busy academic year's commencement and high staff turnover in sectors like hospitality and retail.

Remote service exploitation incidents jumped by 12%, linked to shifts towards remote work and VPN vulnerabilities, highlighting the need for robust security protocols, such as strong password policies and network monitoring.

The exploitation of public-facing applications declined by 45%, potentially reflecting a pivot to simpler phishing techniques, noted alongside a 12% reduction in conversation about vulnerabilities on forums.

Cloud service alerts climbed by 20%, in tandem with increased cloud usage, posing risks through compromised accounts, data thefts, and possible extortion attempts.

Malicious files in phishing attacks soared, leveraging users' habits to open files that execute harmful code, suggesting an increase in online presence and phishing due to online shopping trends.

"SocGholish" and "LummaC2" were spotlighted as prevalent malware. "SocGholish", sometimes masquerading as fake browser updates, was noted in 18% of cases. "LummaC2", an infostealer available via malware-as-a-service, increased its presence in incidents to 14%.

During this period, ReliaQuest tackled an alert involving "LummaC2", foiling its potential infiltration into a client's system through proactive defence measures.

"LummaC2" spreads across various industries and regions, often distributed through phishing emails and imitating reputable companies. The takedown of similar infostealers like "RedLine" and "Meta" could shift momentum to "LummaC2".

The report suggested measures to tackle infostealers, such as disabling password storage in browsers and restricting organisational background on personal devices.

GreyMatter DRP noted a decline in exposed credentials by 19%, potentially due to improved alert processes, while impersonating domain alerts rose by 6%. This highlights the persistence of threat actors to deceive and steal user information.

GreyMatter DRP was particularly focused on exposing credentials and impersonating domains, offering alerts for expeditious remedy and defending against digital threats.

Inside the dark web activities, ReliaQuest pointed out a 16% spike in Initial Access Broker activities, offering access to corporate networks. Access to US-based organisations constituted the majority, likely due to perceived cyber insurance capabilities.

The continued activity and advice for organisations include implementing multi-layered protection, staying abreast of changing threats, and adopting digital risk protection solutions.

The ransomware landscape persisted, albeit with a decline in activity from "LockBit" due to law enforcement interventions, while "RansomHub" accelerated its operations, buoyed by attractive affiliate program offerings.

The report concluded on a note for businesses to continuously bolster cybersecurity efforts, equipped with insights and strategies for effective threat management.