In the latter part of 2024, cybercriminals have increasingly used legitimate Microsoft tools and browser extensions to bypass security controls and distribute malware, according to Ontinue's most recent Threat Intelligence Report.
The report reveals that threat actors are abusing native Microsoft features such as Quick Assist and Windows Hello to establish persistence and avoid detection. Quick Assist, Microsoft's built-in remote-assistance tool, is being employed in social engineering ploys in which attackers pose as tech support staff and persuade victims to hand over control of their systems. Similarly, Windows Hello, Microsoft's passwordless authentication technology, is being misused to enroll unauthorized devices and evade multi-factor authentication in improperly configured corporate environments.
Moreover, browser extensions, particularly those on Chrome, are now increasingly being leveraged to disseminate malware designed to steal information from unsuspecting users.
This tactic is particularly insidious because malicious extensions can linger even after a system is reimaged. Users often unintentionally reintroduce the threat by reimporting their browser profiles during the recovery process, allowing cybercriminals to maintain access.
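The persistence problem described above is a profile problem, not a disk problem: a rebuilt machine inherits whatever the old browser profile carried. The following script is an added example for this article, not code from Ontinue or from the report. It reads the JSON that Chrome keeps in a profile's `Secure Preferences` file (`Preferences` on older builds) and flags extensions that were sideloaded, did not come from the Chrome Web Store, or hold broad host access or sensitive APIs, so the profile can be reviewed before it is re-imported. The `LOCATION_NAMES` table is my reading of Chromium's `ManifestLocation` enum and the sample profile is constructed; both are assumptions to verify against your own browser build.

```python
"""Audit a Chrome/Chromium profile's extension settings before re-importing it.

Added example for this article; not Ontinue's code and not from the report.
Assumptions: the prefs JSON layout (extensions.settings.<id>.{from_webstore,
location, state, manifest, granted_permissions}) and the location codes below
are taken from Chromium as understood by the author of this example.
"""
import json
import sys
from pathlib import Path

# Chromium ManifestLocation values (assumption: verify against your build).
LOCATION_NAMES = {
    1: "internal (user-installed)",
    2: "external-pref",
    3: "external-registry",
    4: "unpacked (developer mode)",
    5: "component (built into the browser)",
    6: "external-pref-download",
    7: "external-policy-download",
    8: "command-line",
    9: "external-policy",
    10: "external-component",
}
SIDELOAD_LOCATIONS = {2, 3, 4, 6, 8}   # installed outside the normal Web Store flow
BUILTIN_LOCATIONS = {5, 10}             # shipped with the browser; not user-controlled
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "debugger",
                  "nativeMessaging", "proxy", "management", "clipboardRead",
                  "history", "scripting"}


def audit_extensions(prefs):
    """Return one finding dict per extension worth reviewing in a parsed prefs JSON."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, ext in settings.items():
        location = ext.get("location")
        if location in BUILTIN_LOCATIONS:
            continue
        manifest = ext.get("manifest", {})
        granted = ext.get("granted_permissions", {})
        # Host patterns and API names can appear in either the manifest or the
        # granted_permissions block; collect both before checking.
        declared = set(manifest.get("permissions", []))
        hosts = (set(granted.get("explicit_host", []))
                 | set(granted.get("scriptable_host", []))
                 | (declared & BROAD_HOSTS))
        apis = set(granted.get("api", [])) | declared
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if location in SIDELOAD_LOCATIONS:
            reasons.append(f"sideloaded via {LOCATION_NAMES.get(location, location)}")
        if hosts & BROAD_HOSTS:
            reasons.append("granted access to all sites")
        risky = sorted(apis & SENSITIVE_APIS)
        if risky:
            reasons.append("uses sensitive APIs: " + ", ".join(risky))
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<unknown>"),
                "version": manifest.get("version", "?"),
                "enabled": ext.get("state") == 1,
                "reasons": reasons,
            })
    return findings


def load_prefs(path):
    """Parse a Secure Preferences / Preferences file from a profile directory."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


# Constructed sample profile: one benign Web Store extension, one sideloaded
# extension with broad permissions, and one built-in component extension.
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "location": 1, "state": 1,
               "manifest": {"name": "Constructed Dictionary Lookup", "version": "1.2",
                            "permissions": ["storage"]},
               "granted_permissions": {"api": ["storage"], "explicit_host": []}},
    "b" * 32: {"from_webstore": False, "location": 4, "state": 1,
               "manifest": {"name": "Constructed Coupon Helper", "version": "0.9",
                            "permissions": ["cookies", "webRequest", "<all_urls>"]},
               "granted_permissions": {"api": ["cookies", "webRequest"],
                                       "explicit_host": ["<all_urls>"]}},
    "c" * 32: {"from_webstore": False, "location": 5, "state": 1,
               "manifest": {"name": "Constructed Component", "version": "1.0"}},
}}}

if __name__ == "__main__":
    prefs = load_prefs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    for f in audit_extensions(prefs):
        status = "enabled" if f["enabled"] else "disabled"
        print(f"{f['id']}  {f['name']} v{f['version']} ({status})")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against the copied profile (`python audit_extensions.py "User Data/Default/Secure Preferences"`) before that profile is restored on the rebuilt machine; with no argument it runs over the constructed sample and reports only the sideloaded "Coupon Helper". Note that the local file is not the only path back: extensions tied to a signed-in account return through browser sync as well, so the account's synced extension list needs the same review.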
The report also shines a light on the changing landscape of ransomware attacks, noting that while estimated ransom payments decreased to $813.55 million in 2024 from $1.25 billion the previous year, there has been a rise in reported breaches. This suggests that ransomware groups are conducting more attacks to compensate for lower ransom success rates.
Furthermore, ransomware operators are adjusting their strategies, placing a higher emphasis on IT skills rather than traditional programming expertise. Affiliates are now selected based on their ability to navigate complex enterprise networks, disable backups, and target key data repositories, highlighting the evolving sophistication of ransomware attacks and the critical need for robust cybersecurity measures.
The report also alerts organizations to the escalating threats targeting Internet of Things (IoT) and Operational Technology (OT) environments. These systems often lack centralized security controls, making them attractive targets for cybercriminals. Recent attacks have exposed the vulnerabilities of these systems, including the use of large-scale botnets exploiting unpatched IoT devices and sophisticated nation-state actors targeting industrial control systems.
To combat these evolving threats, organizations are advised to implement a comprehensive array of security measures. These include reinforcing defenses against ransomware, securing authentication methods, monitoring and securing built-in system tools, promptly patching vulnerabilities, enhancing incident response capabilities, and bolstering web and email security.
As the cybersecurity landscape continues to evolve, organizations must adopt a proactive stance, focusing on swift threat detection, robust authentication mechanisms, and a flexible response strategy to fortify their security posture against emerging threats.