Infostealers account for surge in identity-enabled attacks


Analysis of almost 93,000 threats detected within more than 308 petabytes of security telemetry by Red Canary shows infostealer malware infections on the rise across both Windows and macOS platforms.
Used to gather identity information and other data at scale, LummaC2 was the most prevalent stealer detected in 2024. It operates under a malware-as-a-service model, selling for anywhere from $250 per month to a one-time payment of $20,000.
Adversaries commonly use LummaC2 to deliver NetSupport Manager, Red Canary's seventh most detected threat in 2024 -- giving them a gateway to deploy other malicious payloads as a follow-up to their initial attack.
"2024 marked the rise of cloud-native and identity-enabled attacks, with three of the top five techniques we detected falling into these categories. This highlights the immense value adversaries place on identities -- compromise one, and they gain access to countless systems," says Keith McCammon, chief security officer at Red Canary. "Unfortunately, the rise of identity and access management (IAM) and identity providers hasn't deterred adversaries. Instead, it has made centralized identities even more lucrative targets as once compromised, adversaries can gain access to numerous disparate systems. Organizations must recognize identities as a frontline for defense and strengthen their security posture to stay ahead of adversaries."
The use of remote monitoring and management (RMM) tools for command and control and lateral movement is growing, enabling adversaries to drop malicious payloads including ransomware. This report sees malicious use of NetSupport Manager break into the annual top 10.
Red Canary also detected 400 percent more macOS threats in 2024 than in 2023, including an exponential increase in malware driven by Atomic, Poseidon, Banshee, and Cuckoo stealers. Atomic Stealer was the most prevalent, appearing on Red Canary's monthly top 10 threat rankings five times. However, in September detections dropped off sharply after Apple patched a popular Gatekeeper bypass technique abused by numerous malware families. 95 percent of stealer infections happened before September and just five percent after, showing the dramatic impact that patching can have.
The full report is available from the Red Canary site and there'll be a webinar to discuss the findings on March 26th at 2pm ET.
Image Credit: Shmeljov/Dreamstime.com