The complexity and frequency of cyber threats continue to evolve, posing significant challenges for organizations worldwide. Cisco’s latest Cyber Threat Trends Report for 2024, “From Trojan Takeovers to Ransomware Roulette,” provides an in-depth analysis of the most pressing threats identified through DNS activity. Leveraging Cisco’s unique vantage point—handling an average of 715 billion daily DNS requests—the report offers valuable insights into the current threat landscape and recommendations for enhancing cybersecurity resilience.
The Role of DNS in Cybersecurity
The Domain Name System (DNS) is fundamental to the internet, enabling connections to websites and applications. However, its ubiquity also makes it a prime target for cyberattacks. Cisco’s report highlights the critical role DNS plays in detecting and mitigating cyber threats, as the following statement from the report illustrates:
“Cisco has a unique vantage point when it comes to cybersecurity. We know that you can’t protect what you can’t see. Because we resolve an average of 715 billion daily DNS requests, we see more threats, more malware, and more attacks than any other security vendor in the world.”
Key Findings
The analysis is based on DNS activity observed by organizations using Cisco Umbrella.
Cisco Umbrella is a Cisco solution that unifies DNS-layer security, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Cloud-Delivered Firewall (CDFW), Data Loss Prevention (DLP), and Remote Browser Isolation (RBI) functionality into a single cloud service.
The report identifies the top threat categories based on DNS activity observed from August 2023 to March 2024:
- Information Stealers: 246 million average monthly blocks
- Trojans: 175 million average monthly blocks
- Ransomware: 154 million average monthly blocks
- Remote Access Trojans (RATs): 46 million average monthly blocks
- Advanced Persistent Threats (APTs): 40 million average monthly blocks
- Botnets: 31 million average monthly blocks
- Droppers: 20 million average monthly blocks
- Backdoors: 14 million average monthly blocks
Detailed Analysis of Top Threats
The Cisco Cyber Threat Trends Report for 2024 provides a detailed analysis of the most prevalent cyber threats based on DNS activity. The report highlights the significant volume and variety of threats observed, emphasizing the critical need for robust cybersecurity measures. Here are the key findings in more detail:
- Information Stealers: These malicious programs are designed to steal personal and financial information from infected systems. They capture keystrokes, extract files, and steal browser data like passwords and cookies.
  - Volume: Information stealers were the most frequently blocked threat category, with an average of 246 million monthly blocks.
  - Trends: Information stealer activity showed significant fluctuations, with periods of high activity followed by drops, possibly indicating data processing cycles by attackers.
  - Example: Redline, a prevalent information stealer, targets both macOS and Windows users, often through email and malvertising campaigns. It has been increasingly used to target the gaming community with fake Web3 gaming lures.
- Trojans: Trojans disguise themselves as legitimate software to mislead users. Once installed, they can steal data, provide backdoor access, and perform other malicious activities.
  - Volume: Trojan activity averaged 175 million monthly blocks, making it the second most common threat.
  - Trends: The highest Trojan activity was observed in August and September 2023, followed by a decline. This decline often coincides with increases in ransomware activity, suggesting a strategic shift by attackers.
  - Example: Qakbot, a sophisticated Trojan, is known for stealing banking credentials and spreading across networks through vulnerabilities and brute force attacks.
- Ransomware: Ransomware encrypts victims’ data, demanding a ransom for decryption. It often threatens permanent data loss or exposure if the ransom is not paid.
  - Volume: Ransomware threats averaged 154 million monthly blocks.
  - Trends: A significant spike in ransomware activity occurred in January, maintaining high levels thereafter. This trend closely mirrors dropper activity, suggesting a correlation between the two.
  - Example: LockBit, a major ransomware variant, accounted for a substantial portion of ransomware incidents. Despite law enforcement disruptions, LockBit quickly resumed operations, highlighting its resilience and adaptability.
- Remote Access Trojans (RATs): RATs provide attackers with remote administrative control over infected systems, enabling them to monitor user behavior, access confidential information, and distribute additional malware.
  - Volume: RAT activity averaged 46 million monthly blocks.
  - Trends: RAT activity saw a notable spike in October, aligning with a similar increase in backdoor activity. This may be linked to the release of updated versions of tools like Cobalt Strike.
  - Example: SugarGh0st, a new RAT variant, has been used in targeted attacks, including campaigns against governmental entities.
- Advanced Persistent Threats (APTs): APTs are sophisticated, long-term cyberattacks often carried out by state-sponsored groups or highly skilled cybercriminals. They aim to steal information or disrupt operations.
  - Volume: APTs averaged 40 million monthly blocks.
  - Trends: APT activity remained relatively stable throughout the observed period, indicating a consistent and ongoing threat.
  - Example: TinyTurla-NG, linked to the Russian Turla group, serves as a “last chance” backdoor used when other access mechanisms fail.
- Botnets: Botnets consist of networks of infected computers controlled by attackers to perform various malicious activities, such as DDoS attacks, spam distribution, and data theft.
  - Volume: Botnet activity averaged 31 million monthly blocks.
  - Trends: Botnet activity remained stable until a sudden spike in March, which was 174% above the average for the observed period.
  - Example: TheMoon botnet, which primarily targets IoT devices, saw significant growth in early 2024, reaching 40,000 endpoints in 88 countries.
- Droppers: Droppers are malware designed to install other malicious programs onto a target system. They typically evade detection and establish a foothold for more destructive malware.
  - Volume: Dropper activity averaged 20 million monthly blocks.
  - Trends: Dropper activity jumped in January and remained elevated, often linked to ransomware payload delivery.
  - Example: xHelper, a notorious dropper targeting Android devices, is known for its persistence and ability to reinstall itself after removal attempts.
- Backdoors: Backdoors allow unauthorized users to bypass normal authentication and gain remote access to a computer or network. They are often installed through supply chain compromises or as part of other malware.
  - Volume: Backdoor activity averaged 14 million monthly blocks.
  - Trends: A significant spike in backdoor activity was observed in October, possibly linked to the release of new versions of tools like Cobalt Strike.
  - Example: Cobalt Strike, initially a legitimate penetration testing tool, has been widely adopted by cybercriminals for its powerful capabilities in command and control, privilege escalation, and lateral movement.
Recommendations for Enhanced Cybersecurity
Cisco’s report provides several key recommendations for organizations to bolster their defenses against these threats:
- Leverage DNS Security:
  - Implement DNS filtering to block access to known malicious domains.
  - Integrate threat intelligence feeds for proactive threat identification.
  - Monitor DNS traffic for unusual patterns indicating malicious activity.
  - Secure DNS resolvers to prevent hijacking and cache poisoning.
- Protect Endpoints:
  - Segment networks to limit malware spread.
  - Deploy advanced endpoint protection solutions using behavioral analysis.
  - Implement access controls based on the principle of least privilege.
- Implement a Comprehensive Security Strategy:
  - Regularly patch and update systems to protect against known vulnerabilities.
  - Educate employees on identifying phishing and social engineering tactics.
  - Conduct regular backups and ensure quick restoration capabilities.
  - Develop and test an incident response plan for effective cybersecurity incident management.
  - Adopt a multi-layered defense strategy combining DNS security with other controls like firewalls and IDS/IPS.
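As an added illustration of the DNS-security recommendations above (example code, not from Cisco or the report), the following script applies a category-labelled blocklist to resolver log lines, tallying blocks per threat category the way the report counts them, and flags clients whose NXDOMAIN responses for high-entropy names suggest algorithmically generated domains. All domains, client IPs, log lines and thresholds are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed threat-intelligence feed: domain -> threat category.
# Hypothetical names, not indicators taken from the report.
BLOCKLIST = {
    "stealer-c2.example": "Information Stealer",
    "trojan-dl.example": "Trojan",
    "lockpay.example": "Ransomware",
    "rat-beacon.example": "RAT",
}

# Constructed resolver log: "<epoch> <client_ip> <qname> <rcode>" per line.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.org NOERROR
1700000002 10.0.0.5 stealer-c2.example NOERROR
1700000003 10.0.0.7 trojan-dl.example NOERROR
1700000004 10.0.0.7 api.stealer-c2.example NOERROR
1700000005 10.0.0.9 lockpay.example NOERROR
1700000006 10.0.0.9 qx7z9k2v4b.example NXDOMAIN
1700000007 10.0.0.9 p3w8r1t6y0.example NXDOMAIN
1700000008 10.0.0.9 m4n5b6v7c8.example NXDOMAIN
"""

def parse_log(text):
    """Yield (timestamp, client, qname, rcode) tuples from the log text."""
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname.lower().rstrip("."), rcode

def lookup_category(qname):
    """Match the query name and each parent domain against the feed."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        cat = BLOCKLIST.get(".".join(labels[i:]))
        if cat:
            return cat
    return None

def label_entropy(label):
    """Shannon entropy (bits) of a label; high values suggest DGA names."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def analyze(text, nx_threshold=3, entropy_threshold=3.0):
    """Return (blocks per category, clients with DGA-like NXDOMAIN bursts)."""
    blocks, nx_by_client = Counter(), defaultdict(int)
    for _ts, client, qname, rcode in parse_log(text):
        cat = lookup_category(qname)
        if cat:
            blocks[cat] += 1  # a real resolver would block or sinkhole here
            continue
        if rcode == "NXDOMAIN" and label_entropy(qname.split(".")[0]) >= entropy_threshold:
            nx_by_client[client] += 1
    return blocks, {c for c, n in nx_by_client.items() if n >= nx_threshold}
```

The parent-domain walk in lookup_category is what lets one feed entry cover subdomains such as api.stealer-c2.example, and the entropy check only counts unresolved names, so ordinary typos resolving to NOERROR never contribute.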
Cisco’s Cyber Threat Trends Report for 2024 underscores the dynamic and evolving nature of cyber threats. By leveraging the power of DNS activity monitoring, Cisco provides unparalleled insights into these threats and offers actionable recommendations to enhance cybersecurity resilience. Organizations must stay vigilant and proactive, continuously updating their security measures to protect against these ever-present dangers.
Cisco’s 2024 Cyber Threat Trends Report provides crucial insights into the evolving cyber threat landscape. By analyzing DNS activity, Cisco identifies and mitigates a wide range of cyber threats, helping organizations bolster their cybersecurity defenses. The detailed findings and recommendations in this report underscore the importance of proactive and comprehensive cybersecurity strategies to protect against these persistent and sophisticated threats.
For further details and insights, access the full Cisco Cyber Threat Trends Report.