Pushing the Outer Limits: Trend Micro 2024 Midyear Cybersecurity Threat Report

Recently, it was reported that The New York Times suffered from a data breach when a malicious actor exploited an exposed credential to a cloud-based third-party platform. An anonymous 4chan user claimed to have access to 5,000 unencrypted GitHub repositories containing 3.6 million files, including sensitive authentication details, and even source code for the web-based game Wordle.

Earlier this year, we reported on a cryptojacking campaign that exploits exposed Docker remote API servers: Based on our analysis, malicious actors abused exposed Docker servers to deploy cryptocurrency miners via Docker images from the Commando project, an open-source GitHub project used by developers. We’ve also observed cybercriminals taking advantage of legitimate yet misconfigured tools in their attacks

In March, we talked about how developers need to secure their APISIX API gateway configurations by changing the hardcoded default master API token for accessing the administration API. We’ve seen multiple exposed instances in the wild that malicious actors could exploit to perform remote code execution (RCE).

Another API gateway we’ve focused on in the first half of 2024 was the Kong API gateway. Our report discusses the growing number of exposed Kong API gateway instances we’ve observed in the wild, which has been on an upward trend since 2021, and how such exposures can allow cybercriminals to put back-end services at risk.

In May 2024, we reported on the misconfigured deployments that we’ve found in the open-source monitoring tool Container Advisor (CAdvisor). Malicious actors could perform reconnaissance, lateral movement, privilege escalation, supplychain compromise, and vulnerability exploitation when they get ahold of unsecure CAdvisor instances that exposed sensitive environmental variables.

Compromised internet-facing routers have appealed to both nation-state threat actors and cybercriminals for their use as an anonymization layer. Whereas APT groups like Sandworm opt to use their own dedicated proxy botnets, APT29 favors commercial residential proxy networks, and Pawn Storm used the third-party proxy botnet of Ubiquiti EdgeRouter devices before the botnet was disrupted by the FBI in January 2024.

We also reported on Earth Krahang’s APT campaign and the group’s preferred tactic of leveraging compromised government infrastructure to carry out its operations. We identified connections between Earth Krahang and the China-nexus threat actor Earth Lusca through similarities in their infrastructure and backdoors used, although it’s possible that these are two intrusion sets operating independently.

Threat group Earth Lusca was also behind a new campaign featuring social engineering tactics that capitalized on China-Taiwan relations: Earth Lusca disseminated their malware using email lures that were likely based on legitimate documents stolen from geopolitical experts, just ahead of the Taiwanese national elections in early 2024.

Cyberespionage group Earth Hundun has persisted in carrying out attacks using the Waterbear backdoor, notorious for the constant updates that have given it a bevy of advanced evasion techniques. Earth Hundun has been using and further developing its most recent variant, Deuterbear, with additional features: Deuterbear has a shellcode format, is capable of anti-memory scanning, and has the same traffic key as its downloader.

In June, Microsoft delayed the release of its controversial Recall feature owing to privacy concerns over the AI tool’s tracking of user activity. Recall, which was supposed to be rolled out in Copilot+ PCs in June, takes and locally stores screenshots of users’ computer usage, potentially making it a target for malicious actors who are after user credentials and other confidential data.

During the first half of 2024, we’ve observed that cybercriminals have shifted their attentions to jailbreaking existing large language models (LLMs) instead of training their own. “Jailbreakas-a-service” offerings have been on the rise, designed to bypass LLMs’ built-in ethical safeguards through various means like prompting LLMs with hypothetical questions, roleplay scenarios, or questions in a foreign language.

AI-enabled fraud is shaping up to be a formidable threat thanks to tools like GoldPickaxe.iOS, a trojan discovered in February that’s able to collect biometric data with which to make deepfakes. These scams have also proven lucrative, as when fraudsters made a $25.6 million payday in February after impersonating London-based company Asup’s chief financial officer in a deepfaked video call.

OpenAI and Microsoft have also identified China-affiliated threat actor Earth Lusca among the threat actors that used OpenAI’s services to perform tasks like information-gathering, generating content and translations that may be used in phishing, and creating scripts likely to fine-tune their attacks. Since the release of their joint findings in February, OpenAI has disabled the accounts related to the APT actor.

Cybercriminals have capitalized on the increased interest in AI technologies around the world, as evidenced by Void Arachne: As part of its campaign targeting Chinese-speaking users, the threat group was observed bundling legitimate AI software with their malicious payload. To cast a wider net of potential victims, the group has also been proliferating malicious installer files that contain nudifiers and other deepfake-generating AI tools.