Introduction
The Sophos 2024 Threat Report, titled “Cybercrime on Main Street,” provides a detailed analysis of the evolving cyber threat landscape, particularly focusing on small and medium-sized businesses (SMBs). With insights from Sophos X-Ops, this report highlights the increasing sophistication and impact of cyber threats on smaller organizations, which are often more vulnerable due to limited resources and underinvestment in cybersecurity.
Background
Cybercrime affects all sectors, but small businesses (broadly defined as organizations with fewer than 500 employees) are disproportionately impacted. These businesses constitute over 90% of the world’s companies and account for more than 50% of global employment. In the U.S., SMBs represent over 40% of overall economic activity. The report draws on incident response data from Sophos’ X-Ops and telemetry from SMB protection software to provide a detailed view of the threats targeting these organizations daily.
Executive Summary
The report emphasizes that ransomware remains the most significant cyber threat to SMBs, but other threats are also critical:
- Data Theft: Nearly half of malware detections targeted data, with password stealers, keyloggers, and other spyware being prevalent.
- Web-based Malware Distribution: Attackers use techniques like malvertising and SEO poisoning to distribute malware.
- Unprotected Devices: Unmanaged or improperly configured devices are primary entry points for attacks.
- Abuse of Drivers: Cybercriminals exploit vulnerable or maliciously signed drivers to evade malware defenses.
- Evolving Email Attacks: Email attacks are becoming more sophisticated, involving multiple interactions with targets.
- Mobile Threats: Mobile malware and social engineering attacks are on the rise, affecting both individuals and businesses.
Key Developments in Cybercrime
Ransomware and Extortion
- Human-Operated Ransomware: These attacks have increased by 200%, characterized by “hands-on keyboard” techniques that blend in with regular system activity. Remote encryption methods make detection challenging.
- Data Exfiltration: The doubling of data exfiltration incidents reflects the trend of double extortion tactics, where data is stolen before encryption to increase ransom pressure.
- Prevalent Ransomware Variants: Magniber, Lockbit, Hive, and BlackCat are among the top ransomware threats. LockBit, in particular, was the most deployed ransomware in 2022.
- Targeted Industries: Critical infrastructure, education, and manufacturing sectors are frequently targeted due to their essential nature and often less robust cybersecurity measures.
Phishing and Identity Attacks
- Adversary-in-the-Middle (AiTM) Phishing: These campaigns bypass MFA by stealing session cookies and credentials through malicious proxy servers. High-volume campaigns indicate their effectiveness and scale.
- Business Email Compromise (BEC): BEC attacks have surged, with over 156,000 daily attempts. Attackers hijack email conversations to deceive targets into transferring funds or divulging sensitive information.
Distributed Denial of Service (DDoS)
- Cloud Computing Exploitation: Cybercriminals leverage cloud resources to launch massive DDoS attacks. These attacks generate hundreds of millions of requests per second, overwhelming target systems.
Cryptojacking
- Cryptojacking: Unauthorized use of devices to mine cryptocurrency is increasing. This activity slows systems and consumes resources, often going undetected.
Nation-State Threats
- Russia: Utilizes cyberweapons in its conflict with Ukraine, including destructive malware and espionage.
- China: Infiltrates critical infrastructure networks using advanced techniques for long-term espionage.
- Iran: Engages in cyberweapons use against Albania and Israel for political pressure and intelligence gathering.
- North Korea: Combines cyber espionage with financial cybercrime, targeting global entities for revenue generation.
Critical Cybersecurity Challenges
IoT and OT Security
- Vulnerabilities: IoT and OT devices are highly vulnerable due to inadequate security measures. They often lack basic security features, making them easy targets.
- Supply Chain Resilience: Enhancing supply chain security is crucial to mitigate risks associated with third-party vendors and interconnected systems.
Innovations in Security and Resilience
Artificial Intelligence (AI)
- AI in Cyber Defense: AI plays a crucial role in detecting and mitigating cyber threats. Sophos’ AI systems analyze over 65 trillion signals daily, tracking more than 300 threat actors.
- Responsible AI Development: Collaboration between public and private sectors ensures ethical use of AI in cybersecurity.
Cybercrime as a Service
- Malware as a Service (MaaS): The use of malware delivery frameworks provided by cybercriminals through underground marketplaces remains dominant. AgentTesla, Qakbot, Emotet, and Pikabot are among the top malware delivery frameworks, with AgentTesla being the most detected in 2023.
- Diversified Delivery Methods: Due to changes in platform security and law enforcement actions, cybercriminals have shifted to using web delivery methods such as SEO poisoning and malicious web advertising to distribute malware.
Finding a Different Delivery Route
- Adaptation to Security Changes: With Microsoft blocking VBA macros by default in Office applications, attackers have turned to using PDF and OneNote attachments to deliver malware. These methods have been effective in circumventing traditional security measures.
“Dual Use” Tools
- Legitimate Tools Exploited: Cybercriminals increasingly use legitimate tools for malicious purposes. Tools such as AnyDesk, PsExec, Cobalt Strike, and Mimikatz are commonly abused in cyber attacks to facilitate discovery, persistence, credential access, lateral movement, and data exfiltration.
Spammers Push Social Engineering Boundaries
- Evolving Techniques: Spammers have become more sophisticated, moving beyond simple unsolicited emails to engage in more interactive social engineering tactics. This includes initiating conversations with targets before sending malicious links or attachments.
- Creative Tactics: Methods such as embedding text content in images, using QR codes, and employing password-protected attachments are used to evade conventional email security controls.
Mobile Malware and Social Engineering Threats
- Growing Mobile Threats: Small businesses heavily rely on mobile devices, making them prime targets for mobile malware and social engineering attacks. Spyware and banking Trojans are particularly concerning, as they harvest sensitive data and financial information.
- Social Engineering on Mobile: Attacks like “pig butchering” scams, where victims are lured into fraudulent investment schemes through mobile apps, have had devastating financial impacts.
Key Recommendations
- Enable Multifactor Authentication (MFA): Adds an extra layer of security, making unauthorized access significantly harder.
- Apply Zero Trust Principles: Verify users and devices continuously, use least privilege access, and assume breach. This approach minimizes the risk of lateral movement within the network.
- Use Extended Detection and Response (XDR) and Antimalware: Implement software to detect and automatically block attacks, providing comprehensive visibility and faster response.
- Keep Systems Up to Date: Regularly update and patch systems to protect against known vulnerabilities.
- Protect Data: Implement data protection strategies including encryption, access controls, and regular backups.
- Modernize Cybersecurity Skills: Invest in training to ensure the workforce is equipped with the latest skills and knowledge.
- Strengthen Supply Chain Security: Assess and improve the security posture of third-party vendors and partners.
- Engage in Public-Private Partnerships: Share intelligence, best practices, and resources to enhance collective defense capabilities.
Conclusion
The Sophos 2024 Threat Report underscores the evolving nature of cyber threats and the critical need for heightened awareness and advanced security measures. By adopting comprehensive planning and layered defenses, organizations can build stronger defenses and navigate the digital landscape securely.


