[Deloitte]: Global Cyber Threat Intelligence (CTI) - 发现报告

Global Cyber Threat Intelligence (CTI)

Information technology 2025-04-08 Deloitte x***

Table of contents

Executive overview: High-level presentation of top threat actors, threat vectors, incidents, and overall assessment
Cross-industry threat vectors: Trending and emerging high-level threat vectors
Cross-industry initial access techniques: The top four trending initial access techniques affecting multiple industry verticals
Threat vector highlights: Spotlight on the ransomware threat landscape and underground (dark web) trends
Summary of data: Summary of cybersecurity events by type, threat actor type, and targeted industry as observed by Deloitte CTI
Threat actors: High-level overview of categories, heatmap, and trending and emerging threat actors with a global impact

Executive overview | Cyberthreat trends 2024

The following report highlights overarching cyber trends and emerging issues from January 1 to December 31, 2024.

Highlights
• Ransomware continued to be the top threat vector for the year. The RaaS model facilitates the easy creation of new groups. Affiliates are not tied to one group, making attack attribution more challenging than in previous years.
• Due to its effectiveness, social engineering continued to trend as an initial access technique for cybercriminals. The exploitation of human behavior and mistakes is again rising as technical protections are increasingly effective.
• In 2024, Deloitte CTI observed a shift from brute-force attacks to using deliberately stolen username and password combinations to authenticate on corporate virtual private networks (VPNs).
• Deloitte IR teams noted on multiple occasions that threat actors used subscription-based cloud services, shifting away from the traditionally known open-source tools that offer similar capabilities.
• Malware, particularly infostealers, remained a prominent threat as many families have developed new iterations. Despite law enforcement's takedown of RedLine Stealer operations, large sample sets enable the malware to persist.

APT29 (aka Midnight Blizzard) is a suspected nation-state cyberespionage group targeting government-related organizations globally. In 2024, the group conducted a spearphishing campaign that targeted multiple sectors. [1]

RansomHub emerged in February and operates under a ransomware-as-a-service (RaaS) model. The RansomHub threat group's differentiator is its ability to seamlessly accommodate affiliates across varying skill and experience levels. [1], [2]

Assessments
• Deloitte CTI assesses with high confidence that threat actors will continue to leverage third-party integrations between vendors and clients. Third-party compromises can spread rapidly and can affect multiple organizations with ease.
• Deloitte CTI assesses with moderate to high confidence that social engineering, with the aid of AI, will become a top threat vector in 2025 and beyond. Technical measures to detect AI-generated content and interactions are lagging, increasingly exposing end users to this threat.
• Deloitte CTI assesses with high confidence that nation-state groups will continue to pose significant challenges to global cybersecurity efforts.

Deloitte's incident response (IR) teams noted that threat actors are honing their skills to exploit human behaviors as technical protections are increasingly effective. For example, threat actors are combining voice phishing (vishing) with business email compromise (BEC) attacks to steal user credentials. [1]

Threat vectors | Trends

Throughout 2024, Deloitte CTI observed several overarching, cross-industry threat vectors not specific to a threat actor type. This section illustrates the impact of ransomware, third-party compromises, malware trends, and Deloitte's internal underground findings.

Malware trends
• In 2024, security researchers observed new iterations of previously known malware, while law enforcement disrupted some prevalent malware families. In October, a global operation led to the takedown of RedLine Stealer. Although activity levels have decreased, malware activity persists because of the number of RedLine samples still available. [6]
• Lumma Stealer continued to make an impact and experienced high levels of growth during the year. [6]
• One notable development is a packer-as-a-service (PaaS) dubbed "HeartCrypt" that threat actors used to protect malware by packing malicious code into legitimate binaries. [7]

Third-party compromises
• Third-party compromises increased in 2024, partly due to the use of zero-day exploits for ransomware and extortion attacks. [5]
• Third-party compromise attacks have the potential to be widespread. Data from these compromises can be leaked on dark web forums for sale. [1]

Underground trends
• The cybercriminal underground continued its rapid transformation toward decentralized, specialized, and professionally structured operations. Due to law enforcement pressure, popular marketplaces splintered, driving activity into closed forums and encrypted channels. [1], [8], [9]
• AI became a key enabler, powering deepfake campaigns, PaaS offerings, and automated translation to target victims worldwide.

Ransomware
• Ransomware synd