Elasticsearch B.V2024年全球网络风险报告 -Global Threat Report

Global

Threat

Report

2Θ24

TableofContents

2

1Introduction03

GenerativeAI04

3

Threatoverview04

Augmentingdefenders

05

MalwareDetections06

Distributionbyoperationsystem06Malwarecategories07

4EndpointBehaviors11

Distributionbyoperatingsystem11

Distributionbytactic12

5CloudSecurity36

Distributionbycloudserviceprovider37

Benchmarkingcloudsecurityposture47

6ThreatProfiles57

REF5961—BLOODALCHEMY,RUDEBIRD,EAGERBEE,DOWNTOWN58

REF8207—GHOSTPULSE61

REF4578—GHOSTENGINE64

REF7001—KANDYKORN66

REF6127—WARMCOOKIE69

8

7Respondingto2023Forecasts72

9

ForecastsandRecommendations75

Conclusion79

2024ElasticGlobalThreatReport

1

Introduction03

8

8

8

8

Introduction

Withthebesttechnologies,themost

widespreadinformationdistribution,andthegreatestpublicawarenessofthreatsallin

motion,thesecurityenvironmentisstronger

thanever.Yet,almostinspiteofthesethings,

threatecosystemsarethrivinglikeneverbefore.

Truthfully,thethreatlandscapeisdynamic

andreactive—anewtechniqueempowers

apreviouslyunknownthreatgroup,vendors

swarmtomitigatethatthreatandcreatenewtechnologiesintheprocess,operatorsonbothsidesseekoutnewtechniquesortools,andsoitgoes.Thislandscapeisshapeddailybytheeffortsofattackersanddefendersalike.This

reportisoneofthewaysthat

ElasticSecurity

Labs

holdsitselfaccountableasaforceofchangeforgoodinadynamicenvironment—bysharingwhatwe’reseeing,aswellaswhatwethinkneedsfurthervisibility.

TheintentionwithourGlobalThreatReportis

thesameasit’sbeenoverthepastcoupleyears:todemocratizeknowledge,upholdtransparent

principles,andidentifyimpacts.WeareleveragingElastic’spowerfulglobaltechnologytoprovide

uniqueinsightsthatinformourprioritiesforthe

ElasticSecuritysolutionandservethesecuritycommunityatlarge.

Thisreportwouldnotbepossiblewithoutthe

securitycommonwealth—ourobservationsarebasedonbillionsofsecurityeventsvoluntarily

sharedbyourusers,enrichedwithopensources,representingtensofthousandsofdistinct

entitiesinpracticallyeveryindustry.Thevalued

partnershipwehavewithourusersenablesusto

discoverpreviouslyunknownthreatsintheirdata

andanonymouslysharethosediscoverieswiththebroadersecurityindustry.Thiscollaborationhas

ledtohundredsofnewprotections,freelyavailabletothepublic.We’dliketoextendahugethank-

youtoourusers—thelearningssurfacedfromthisshareddatabenefitallofusthroughoutthesecuritycommunity.

Asaresearchgroup,wepowerandare

empoweredbyElastictechnologies.Inmanyways,wealsodemonstratewhatcanbeachievedwith

the

ElasticSecurity

solution.Thesamevisibility

andcapabilitiesourusershaveprovidedare

poweringtheseinsights,andwe’reexcitedtoseetheotherpositivecontributionsthatthey’llmaketothethreatlandscapeatlarge.

2024ElasticGlobalThreatReport

2

GenerativeAI04

GenerativeAI

Theriseof

generativeartificialintelligence

(generativeAI)broughttremendousexcitement,withthehopethatthistechnologywillsoon

touchalmosteveryaspectoflifeinonewayoranother.Thisexcitementalsobroughtabout

understandablehesitationalongsideadesiretounderstandthewaysthisnewtechnologycouldbeabused.

ElasticisnostrangertogenerativeAI.While

manyofourcolleaguesarebuilding

incredible

capabilities

intoourproducts,ElasticSecurity

LabsandourpartnersintheInfoSechousehavealsodevotedconsiderabletimetounderstandingthetechnologyandtheassociatedrisks.

Threatoverview

Augmentedphishingandsocialengineering

Likemany,weanticipatedthatoneofthefirstthreatusecasesforgenerativeAIwouldbe

thecreationofmoresophisticatedphishing

campaigns.Suddenly,threatactorscanscalethecreationofpersonalizeddocumentsthat

aredifficulttodistinguishfromlegitimate

communications.Whilethistechniqueisstill

maturing,examplesoftheseincidentsarealreadybeing

studied

.

Atawiderscale,deepfake-basedscamshave

interferedwithpoliticalelectionsandsome

extortioncases(

ABC

,forexample).TheuseofgenerativeAItoolstocreatedeepfakes—videooraudioofapersonthathasbeenmanipulatedtospreadmisinformation—willcontinuetobea

threatinthecomingyears.It’simportanttonote,

however,thatdeepfakeshavebeenlimitedintermsofcybersecurityincidents.

Bothofthesethreatswillcontinuetoaccelerate,

whichreaffirmstheimportanceoftrainingusersto

identifyAIcreations.Organization-widecybersecuritytrainingprogramshavebeencrucialforstopping

regularphishingattempts,soit’simportantforCISOsandothersecurityleaderstoimplementAI-focusedtrainingintotheirprogramsaswell.

Malwaredevelopment

Therehasbeen

research

highlightinghowAIhas

beenusedtocreatemoreadaptivemalware,butthistechnologyhasyettoseewideadoption.Thefull

extentofAI-drivenmalwareavailabilitycontinuesto

2024ElasticGlobalThreatReport

2

GenerativeAI05

beaconcern,andasmodelsandservicesbecomemoreaccessible,thiswillcontinuetodevelop.

Likeregularmalwaredevelopment,securityteamsshouldremainuptodateonthreatsandtrends.

Additionally,maintainingarobust

protections

library

withconsistentlyupdatedand

tunedrules

willbecrucial.

Augmentingdefenders

Likeanytechnology,generativeAIcanbeabused;however,thatdoesn’tmeanitisn’tanincrediblypowerfultoolinthehandsofdefenders.

Enhancedcybersecuritytooling

OneofthemanyexcitingprospectsofbuildinggenerativeAIcapabilitiesspecificallyfor

defenderswastheideaofadvancedthreat

detection—specificallyawaytoautomatically

synthesizealertsanddistillthemintothehighest-priorityattacks.Automatingrepetitivemanual

triagetasksempowerspractitionerstoremove

themonotonyandfocustheireffortsonstrategicinitiativesinstead.We’reexcitedthatElastichas

builtthisfunctionintoourSecuritysolution,anditexiststoaiddefendersintheirdaytodaywith

AttackDiscovery

.

Anotherexcitingusefordefendingteamscomes

intheformofautomatedsecuritytesting,

whichhasseenincreasedadoptioninrecent

years.Thishasnotreplacedtraditionaltesting

methodologiesfully—andwedon’tanticipate

themdoingso—buttheyhavebecomevaluableinmoreeffectivelyidentifyingvulnerabilitiesand

shouldcontinuetoimprove.

Goingevenfurther,generativeAIprovidesenhancedcybersecuritytrainingforInfoSecteams,withsimulationsbecomingmore

realistic.Whilethishasmuchpotential,itis

stillintheearlystagesandwillneedsome

refinementbeforeitseeswidespreadadoption.

Governanceandethics

GenerativeAIispowerful,anditwillremainanimportanttoolforSecurityteamsand

practitionersastimegoeson.Bututilizingpowerfultechnologyrequiresafirm,ethical

hand.Thankfully,organizationsandgovernmentsaroundtheworldareracingtodevelopsafety

guidelinesandresponsibleframeworks.

Someexamplesoftheseinclude:

•

NISTAIRiskManagementFramework:

FromtheNationalInstituteofStandardsandTechnology,thisframeworkisfocusedonthegovernance,riskmapping,measuring,and

managementofAI.

•

FAIR-AIR:

ThisframeworkfromtheFAIR

InstitutehelpsteamsidentifyAI-relatedlossexposureandmakeriskbaseddecisions.

•

AITRiSM:

Gartner’sframework

ensuresreliable,safe,andcompliantAI

implementationswithemphasisacrosstheentirelifecycle.

ElasticSecurityLabsisexcitedtokeepaneye

onthisemergingtechnologyandwillcontinue

toreportonitsevolution.Amorein-depthlook

atthreatsandprotectionstogenerativeAI

applications—specificallylargelanguagemodels

—canbefoundinour

LLMSafetyAssessment

.

2024ElasticGlobalThreatReport

elasticsecurtyIabs

3

MalwareDetections06

Malware

Detections

ElasticSecurityprovidesmechanismstodetectandmitigatemalwareonallmajordesktop

operatingsystems(OS).Forthesepurposes,

malwareisanysoftwaredevelopedtofacilitate

adversaryactions,disruptlegitimateactivities,orotherwisecauseharmtoacomputerornetwork.Inthissection,readerscanfinddetailsabout

thedistributionofmalwarebyOS,category,

andfamily,aswellasadedicatedbreakdownofransomwareobservations.

Thisyear,ElasticSecurityLabsreviewedmalwareandmemorythreatprotectionalertsfromElasticSecurity.Toimprovetheaccuracyofourmalwareobservations,thissubsectiononlyincludesYARAsignatureeventsfornamedmalwarefamilies.

YARAsignaturesareapowerfulcomponentof

ElasticSecurity,providingtheabilitytomitigate

malwareusingstring-orbyte-sequencesfoundin

executables.Thesesignatures,whichapplyto

bothfilesystemandmemory-residentsoftware,areavailabletothepublicthrough

Elastic’s

ProtectionsArtifactsrepository

aspartofour

ongoingcommitmenttofreeandopenprinciples.

ThematerialspresentedinthissectionoftheElasticGlobalThreatReport

includethemostsignificantthreat

capabilitiesandphenomenaobservedin

Elastic’stelemetryoverthepastyear.Elasticusersvoluntarilysharethese

alertsandotherdatawithus,providingElasticSecurityLabswithapowerful

toolfordiscovering,diminishing,

anddisruptingthreats.ThistelemetryconsistsofdatafromElasticSecurity,ElasticAgent,andadiverserangeof

third-partyinstrumentation.

Distributionbyoperatingsystem

macOS1.68%

Linux32.20%

Windows66.12%

Figure1:Malwareinfectionsbyoperatingsystem

2024ElasticGlobalThreatReport

3

MalwareDetections07

Windows

ThedistributionofYARAeventsacrosseach

OSsuggestssomedisparityintheprevalence

ofthreats.Windowshostsaccountedforthe

majorityofdetectionswith66.12%ofalldetected

cases.Thisisn’tentirelyunexpectedgiven

thewidespreaduseofWindowsinenterprise

environmentsanditssusceptibility—both

historicallyandincontemporaryterms—to

varioustechniquesemployedbymalware.WhileitwouldbedeceptivetostatethatanyoneOSis“mostlikely”tobeinfected,techniqueslike

Bring

YourOwnVulnerableDriver(BYOVD)

representarchitecturalconditionsthatthreatactors

frequentlytargettoachievetheirgoals.

Linux

Linuxhostsstillrepresentasignificantportionofinfectionsat32.20%.Thismaysuggestthatadversariesareincreasingly

targetingLinux

systems

,likelyduetotheirprevalenceinserverenvironmentsandcriticalinfrastructure.Linux

containers,whichareoftenintendedtoexist

forminutesorhoursversusweeksormonths,

maycontainunpatchedvulnerabilitiesthatevennascentthreatscanexploit.

Readersshouldnotethatlastyearwe

reported92%ofmalwareinfectionswereonLinuxendpointsdueinparttothe

inclusionofweaklyattributableevents.

Thisshifthasoccurredinpartfromthe

changesourteammadetothewayweprocessElastic’stelemetry—providingamore

accuraterepresentationofcommonendpointmalwareobservations,aswellasthe

broadercategoriesofmalwaredescribed.

macOS

macOShostsrepresentthesmallestproportionofendpointsfromwhichElasticreceivestelemetry.Withthatinmind,macOSalsorepresentsthe

fewestmalwareobservationsat1.68%.Elastic

SecurityLabsdoesnotconcludethatmacOSismoresecure,lesswidelypresentinenterprises,orlesslikelytobetargeted.Inactuality,researchthatweconductedearlierthisyeararound

piratedmacOSapplications

foundthatseveralstraightforwardmethodsofinfectingthese

systemswerewidelyused.

Malwarecategories

Malwaresubcategorizationwillbenecessarilysubjective,definedfromtheperspectiveof

eachvendororreportingentity.Thecategories

presentedherearealignedtocollectionsofYARAsignatures,andareexplainedinmoredetailbelow.

Malwarecategory

SUM

Trojan

82.03%

Generic

8.03%

Cryptominer

4.39%

Ransomware

2.10%

Backdoor

1.01%

Other

2.44%

Table1:Categoriesofmalwareobserved

2024ElasticGlobalThreatReport

elasticsecurtyIabs

3

MalwareDetections08

Trojansaccountfor82.03%ofallmalwaretypes

observed,aproportionattributedtotheuseful

natureofmasqueradingaslegitimatesoftware.

Onceexecuted,Trojansoftendeployadditional

maliciouspayloadslike

infostealers

,effectively

servingasadeliverymechanismforvarioustypesofmalware.

Lastyear,wereportedthatTrojansaccountedforaround61%ofall

malwaretypeswesaw.The21%increaseisattributedtoasmallbutbroadly-distributednumberoftrojanized

applications.Whilemanyofthe

organizationswhochosetosharedataemployapplication-levelcontrols,

fewadoptedblockorallowlistsinwaysthatconstraintheexecutionofunknownsoftware.

The“Generic”categorycomprises8.03%of

infections,representingbroadlyidentifiedthreatsthatdonotfitspecificmalwareclassificationsbut

stillposesignificantrisks.Forexample,genericmalwaremightbedevelopedbyanaspiring

malwaredevelopernewtotheecosystem.

Weobservedasignificantchangeincryptomineridentificationsthisyear,decreasingfrom

21.80%to4.39%.Cryptominingsoftwaretakes

advantageofresourcescalabilitytocalculate

cryptocurrencies,andhasplayedincreasingrolesinfinancially-motivatedscenarios;familieslike

GHOSTENGINE

,whichwasdiscoveredinMay

2024,containacryptominingapplicationthatcan

beinstalledduringintrusions.MoreinformationonGHOSTENGINEcanbefoundintheThreatProfilessectionofthisreport.

YARA-basedransomwareobservationsrepresented2.10%ofdetectionsandfurtherreinforcesthe

factthatransomwareremainsacriticalthreatdue

primarilytotheresultingimpactsofextortion,theft,andreputationalloss.YARAworksasacomplementtoransomwareandotherprotections—onewith

ashorterdistributionintervalidealfortherapidresponsetoemergingthreats.

Backdoorsaccountfor1.01%ofobservedmalwareandwillbefamiliartomanyreaders,oftenused

likeTrojanstoprovidemechanismsforintrusion.

Notallreadersmaybeawarethatremote

monitoringandmanagement(RMM)software—lessthanhalfofthe1%—isthetoolofchoiceformanyscammerswhouseurgencyalongsideothersocialengineeringapproachestoconvinceuserstoself-infect.

Malwarefamilies

WecanexaminethedistributionofYARAsignature

matchestoidentifythatasmallnumberof

malwarefamiliesmakeregularappearances:

CobaltStrike,Metasploit,Sliver,DONUTLOADER,

andMeterpreterrepresentabouttwo-thirdsof

allmalwarewesawlastyear.Reflectingonthe

distributionofmalwarebycategory(figure2),therewassignificantoverlapbetweenTrojanizedsoftwareandthepresenceofthesemalwarefamilies.

We’representingtheinformationinthisway

(excludingransomwarefamilies)becausethose

weremostcommonlyseenduringlaterstagesofintrusions,aftermanyoftheseprevalentmalwarefamilieswerealreadypresentintheenvironment.Enterprisesneedtoprioritizemalwareduringall

stagesoftheintrusionlifecycleinordertode-riskbadoutcomes.

2024ElasticGlobalThreatReport

elasticsecurtyIabs

3

MalwareDetections09

Offensivesecuritytools(OSTs)areacommontopicofheateddebaterightnow,duelargelyto

thefrequencywithwhichtheyareabusedbymaliciousactors.Themostcommonlyseenmalware

familiescorrelatedprimarilytoOSTs—asignificantincreasesincelastyear.However,itis

essentialthatreadersunderstandthattheoffensivesecuritycommunityexistsfortheirbenefit.

Metasploit

18.23%

oDonutloaderoGenericGafgyteBedevil

6.62%5.01%3.12%1.84%

Figure2:Infectionsbymalwarefamily

27.02%17.89%

Meterpreter

5.11%

Dropperl

4.35%

Sliver

8.71%

Mirai

2.09%

CobaltStrike

Other

Themostprevalentmalwarefamilyweobserved

thisyearwas

CobaltStrike

,accountingfor27.02%ofinfections.CobaltStrikeisaverymaturecommercialpost-exploitationframeworkwithanexperienced

researchanddevelopmentteam.Itissoeffective

that

threatactors

frequentlystealandweaponize

thisproducttofurthertheirmaliciousobjectives,

ratherthanthebenignpurposeitwasintendedfor.Metasploitvariantsrepresented18.2%ofYARA

matchesandareanotherexampleofOSTsabusedbythreatactors.

Meterpreter,

thereverseshell

bundledwithMetasploit,alsoappearedinthetop

10commonfamilies,accountingfor5.1%ofsignals.ElasticSecurityLabs

maintainsvisibility

ofthese

families,whichregularlyappeartogetherinthewild.

Sliver,

with8.71%ofinfections,isanOSTdesignedforadversarysimulation.Itsuseinpost-exploitationactivitiesdemonstratesthepowerofitscapabilities.

SightingsofSliverincreasedsignificantlyfrom

lastyear.

DONUTLOADER

amountedto6.62%

ofinfections,andservesasaloadertoexecute

additionalmaliciouspayloadsinmemory,avoidingdisk-baseddetectionmechanisms.

MalwarefamiliessuchasGafgyt(3.12%),Mirai(2.09%),andBedevil(1.84%)

appearedlessoftenthaninprioryears,whichmaybeareflectionofattemptstoneutralizebotnetsfrompropagating.

Thesemalwarefamiliesaretypically

distributedtoInternetofThings(IoT)

deviceslikeresidentialbroadband

routersusinghardcodedcredentialsor

unpatchedvulnerabilities,andareusedtolaunchdistributeddenial-of-service(DDoS)attacksandtohijackadvertisingorDNSnetworks.

2024ElasticGlobalThreatReport

elasticsecurtyIabs

3

MalwareDetections10

Thedistributionofmalwarefamiliesreiteratesthe

importanceofendpointinstrumentationcapableofidentifyingandmitigatingmalicioussoftware,and

enterprisesthatrelyonvisibilityovercapabilitymayexperienceworseoutcomesthanthosewhodon’t.TheuseofOSTsbythreatsisastrongindicator

thattechnicalinnovations,proceduralmaturity,

adoptionofleastprivilege,andinformationsharingisimpactingmaliciousactors.

2024ElasticGlobalThreatReport

4

EndpointBehaviors11

8

Endpoint

Behaviors

Securitypractitionersoftendefineathreatintermsoftactics,techniques,andprocedures(TTPs).

Inotherwords,whatarethegoal-alignedmethodsusedbythreats?Thissectiondescribesthemostcommonlyobservedtactics,techniques,andprocedures(TTPs)onWindows,macOS,andLinux.

Distributionbyoperatingsystem

Linux3.30%macOS3.97%

Windows92.73%

Figure3:Endpointbehavioralertsbyoperatingsystem

Windows

Themajorityofendpointbehaviorsweobserved

wereseenonWindowshosts,accountingfor

92.73%ofallsightings.Thisisamarginaldecreasefrom94.2%lastyear,areductionofabout1.5%.

Thesestatisticsreflecttheproportionsofsystemssharingtelemetrywithus,populationsthat

fluctuateregularlytosmalldegrees.

LinuxandmacOS

Linuxeventsincreasedfrom2.80%lastyearto3.30%,afluctuationofahalf-percent.At3.97%,macOSeventsincreasednotquite1%sincelastyear.TheincreaseinmacOSdetectionscanbe

2024ElasticGlobalThreatReport

4

EndpointBehaviors12

attributedtoagrowinginterestfromadversariesinexploitingmacOSvulnerabilities,ashighlightedinour

research

earlierthisyear.

Becauserelativelyrarephenomenacanbe

artificiallyamplifiedinsmallpopulationsofsystems,readersshouldbeawarethatmacOSandLinux

statisticsarenotsignificantandmaynotresemblewhatyouareseeing.Thesehavebeenincludedasdatapointsanddonotinfluencerecommendations.

Distributionbytactic

Tacticsaresometimesbetterthoughtofas

objectives,andthetechniquesorganizedwithinthemcouldbethoughtofasthemeansof

achievingthem.EachprebuiltbehaviorprotectionElasticdevelopsisalignedto

MITREATT&CK®

,themostwidely-acceptedtaxonomyofTTPs,andthissectionwillreflectthat.

Atahighlevel:

•Persistencehitsincreasedbynearly8%

•DefenseEvasioneventsdecreasedto38%,anearly6%differencefromlastyear

•Executionremainedprevalent,representingaround16%ofdetectedtactics

ThePersistence,DefenseEvasion,andExecutiontacticsarecommonlyemployedinsome

combinationbyadversariesduringintrusions.

Thesethreemakeupalmost70%ofallbehaviorsseenovertheprioryear,areductionfromlastyearwhentheyamountedtomorethan81%.

DefenseEvasionExecution

Persistence

CredentialAccess

CommandandControlInitialAccess

PrivilegeEscalationLateralMovement

DiscoveryCollectionImpact

Figure4:EDRbehavioralertsbytactic

4.88%4.18%3.75%

.1.11%

.0.73%.0.54%

15.28%

38.99%

15.61%

8.40%

6.54%

Surprisingly,weobservedanearly2%decreaseindetectionsrelatedtoPrivilegeEscalation

whencomparedtothepreviousyear—thegrowingthreatofinformationstealersandthe

widespreaddistributionofstolencredentialsmayhavereducedthenecessityofthistactic.Forinstance,therewasaslight3%increaseinCredentialAccessdetectionsas

described

inouranalysisearlierthisyear.

2024ElasticGlobalThreatReport

elasticsecurtyIabs

4

EndpointBehaviors13

DefenseEvasion

DefenseEvasionremainstheprominenttacticamongadversaries.Accountingforapproximately38%ofalldetections,thesearetechniquesusedtobypassorblindsecuritycapabilities.

Windows

Themostcommontechniquesinthiscategory—

ProcessInjection,SystemBinaryProxyExecution,andImpairDefenses—collectivelydescribeentireattackchains:athreatactorexploitsavulnerabilityinaclientapplication,injectsmaliciouscodeinto

aprivilegedprocess,andspawnsrundll32.exetoexecuteanadversary-controlleddynamiclinklibrary(DLL)thatwritesavulnerabledriverto

diskthatisusedtodisableEndpointDetection&Response(EDR)sensors.

1.61%

BITSJobs

Manipulation

1.34%

ObfuscatedFilesor

Information

Figure5:DefenseEvasionbytechniqueinWindowsendpoints

12.72%

SystemBinary

ProxyExecution

6.87%

Hijack

ExecutionFlow

53.39%

Process

Injection

1.94%

Modify

Registry

3.50%

AccessToken

MasqueradingImpair

Defenses

6.50%

8.77%

Thisyear,ProcessInjectiondetectionsincreasedbyapproximately31%,nowaccountingfor53.39%ofallDefenseEvasiondetections.Process

Injectionisacommonlyusedmethodusedto

injectmaliciouscodeintootherprocesses,making

ithardertodetectandpotentiallyallowingthemtobypasssecuritycontrols.

SystemBinaryProxyExecution,whichmadeup

nearly47%ofdetectionslastyear,hasdecreasedabout35%t