Dissecting the top threats to critical infrastructure

Martin Riley, Director of Managed Security Services at Bridewell, investigates the factors of new and increasingly complex cyberthreats.

The evolving digital landscape confronts critical national infrastructure (CNI) with a complex array of cyberthreats, each posing unique challenges to its security. An attack could lead to a range of consequences from widespread power failures to the disruption of transportation and communication networks. Given these escalating risks, it’s imperative for CNI operators to proactively monitor and mitigate these threats, over the next year and beyond.

Over the last year, the team at Bridewell’s Security Operations Centre (SOC) has been meticulously gathering and analysing data on these emerging cyber-risks. These findings have been instrumental in shaping Bridewell’s 2024 CyberScape Briefing. The report spotlights three areas of concern for CNI, providing key insights which are necessary for developing proactive defences against the increasingly sophisticated cyberthreats we face today.

The Cobalt Strike phenomenon within C2 frameworks

At the forefront of these threats is still the Cobalt Strike malware framework. A powerful tool originally designed for legitimate penetration testing, it has now been widely repurposed by criminals as the preferred method for establishing command and control over compromised networks. From here, cybercriminals have opportunities to infiltrate systems, harvest credentials and exfiltrate sensitive data. Bridewell’s experts have discovered that it comprises 22% of the global cyberthreat infrastructure that the team has been covertly keeping tabs on, and it was also discovered in the same percentage of clients across the year.

Over the course of 2023, there was a startling 27% increase in Cobalt Strike attacks. Further investigation into the source of these deployments found that over a third (37%) were hosted in China. This proved to be the major hub for Cobalt Strike infrastructure last year. CNI will need to be on red alert as the use of Cobalt Strike will continue in 2024, but it wasn’t the only type of risk emerging around the globe.

The infostealer threat

Much like their nefarious mammal counterparts in the real world, Raccoon Stealer variants are adept at theft. It’s a type of malware that was leveraged widely around the world in 2023 to covertly raid data such as credit card information, passwords, browser cookies and autofill data. But as the year rolled on, its popularity started to wane, with a 42% decrease in use by threat actors.

Exclusive data from Bridewell’s managed detection and response (MDR) service shows that 38% of clients were on the receiving end of information stealer attempts, underlining how prevalent this threat is now and will remain in the future.

The deceptive disguise of fake updates

Some cybercriminals are moving away from phishing and malspam campaigns and towards search engine optimisation (SEO) poisoning, including fake update campaigns. These involve cunning tricks deployed by bad actors to make users believe they are downloading legitimate updates. Instead, malicious code is installed on the user’s device. Once a device is infected, criminals can gain access to systems, services and information.

Among existing clients, as many as a third (33%) of organisations were impacted by fake update campaigns. SocGholish is the most common type of malware deployed. This is a malware distribution network that poses a serious threat because of the speed with which it can progress an attack from initial access to ransomware.

Vigilance in the face of uncertainty

An abundantly clear trend from these insights is the increased blurring of the line between legitimate tools and malicious intent. More cybercriminals are bending commercially-available solutions to their will, and it’s essential for CNI organisations to take action to stay ahead of the curve. 

First, organisations will require comprehensive threat intelligence strategies. This enables them to develop incident response plans that are tailored to the specific threats they are likely to face. CNI entities can then share intelligence and work together to respond to evolving threats.

A next step is for organisations to achieve full visibility across their assets. Making use of threat-informed MDR and extended detection and response (XDR) services will enable CNI organisations to effectively detect, mitigate, contain and remediate threats across the entire technology stack, leaving no weak link in their portfolio of devices and systems. 

As insider knowledge from the experts lays bare the evolution of threats and growing uncertainty as the norm in the CNI sector, vigilance and comprehensive cybersecurity strategies will be essential to navigating the complex landscape in 2024.
