In the second quarter of 2024, Kaspersky’s Global Research and Analysis Team (GReAT) observed that, while some threat actors maintained their usual patterns, others have significantly updated their tools and broadened the scope of their activities. According to the company's telemetry, there has been a surge in sophisticated cyberespionage campaigns targeting various sectors with government, military, telecommunications and judicial systems facing the highest number of threats worldwide.
Here are the key highlights from the latest APT trends report:
- Exploitation of open-source software: One major development this quarter was the backdooring of XZ, an open-source compression utility widely used in popular Linux distributions. The attackers employed social engineering techniques to gain persistent access to the software development environment. Kaspersky’s GReAT uncovered several details explaining why this threat remained undetected for years. One key factor was that the attackers implemented an anti-replay feature to prevent capture or hijacking of backdoor communications. Additionally, they used a custom steganography technique within the x86 code to conceal the public key required for decrypting the backdoor.
- Hacktivist attacks: Hacktivist activity was a significant aspect of the threat landscape this quarter. While geopolitics often drives malicious actions, not all notable attacks were linked to active conflict zones. A prime example is the Homeland Justice group's attacks on entities in Albania. The attackers managed to exfiltrate over 100TB of data, disrupt official websites and email services and wipe database servers and backups, causing extensive damage to the targeted organisations.
- Toolset updates: Kaspersky’s GReAT highlights that the attackers took time to update their toolsets. In early 2023, the threat actor GOFFEE was discovered when it began using a modified version of Owawa, a malicious IIS module monitored by Kaspersky. Since then, GOFFEE has stopped using Owawa and the PowerShell-based RCE implant VisualTaskel. However, it has continued its intrusions by leveraging PowerTaskel, its earlier HTA-based infection chain. Additionally, GOFFEE has expanded its toolkit by introducing a new loader, disguised as a legitimate document and distributed via email, further enhancing its ability to infiltrate targets.
- Geographical spread: No single region stood out as a hotbed for APT attacks this quarter. Instead, activity was widespread, affecting all regions. This quarter, APT campaigns targeted Europe, the Americas, Asia, the Middle East and Africa, highlighting the global reach and impact of these threats.
“APTs continuously evolve, adapting their tactics and expanding their reach, making them a relentless force in the cyber landscape. To combat these ever-changing threats, it's crucial that the cyber community unites, sharing information and collaborating across borders. Only through collective vigilance and open communication can we stay one step ahead and safeguard our digital world,” said David Emm, principal security researcher at Kaspersky’s GReAT.