Positive Technologies: Hackers Target IT Specialists as a Stepping Stone to Larger Attacks
Positive Technologies experts conducted a study1 of the Q3 2024 cybersecurity threatscape. The study revealed that IT professionals were the most frequent targets of attacks on individuals, and by targeting IT specialists, criminals were able to gain access to IT companies and launched supply chain attacks2. Hackers used malicious ads, malware, and even staged fake interviews to trick specialists into downloading malware.
In Q3, attacks against individuals and organizations increased by 15% year-on-year. IT specialists were the primary targets among individuals (13%), and one of the most common methods of such attacks (72%) was malware. Malware was spread through package managers, public repositories, malicious ads, and even fake interviews.
Valeriya Besedina, Junior Information Security Analyst at Positive Technologies, commented: “Beyond financial gain, the surge in attacks on IT specialists can be explained by the attackers’ desire to target larger entities, such as the companies the victims work for. Moreover, by using IT specialists as a point of entry, cybercriminals can infiltrate software supply chains and cause irreparable damage to numerous organizations. Cybersecurity experts note that in 2024, such attacks occurred at least once every two days.”
Q3 saw continued growth in attacks against IT specialists involving remote access trojans (RATs). RATs, which are spread through package managers, public repositories, and malicious ads, give cybercriminals constant access to compromised systems. Cybercriminals created RAT-infected websites mimicking popular network scanning software and promoted them in search engines. A technique based on the PyPI policy relating to removed packages3, dubbed Revival Hijack, was used by attackers to hijack 22,000 existing PyPI packages. Users weren’t warned about packages being removed and were updating them, unaware of the criminals’ actions.
According to the Positive Technologies study, the most common tools used in attacks on organizations were RATs (44%) and ransomware (44%). In 79% of successful attacks, computers, servers, and network equipment were compromised. The most popular tools were AsyncRAT4, XWorm5, and SparkRAT6. PT Expert Security Center experts detected phishing emails disguised as invoices used when targeting manufacturing companies, banks, the healthcare sector, and software developers in Russia, leading to infections by the XWorm trojan.
To spread spyware, cybercriminals used services that promoted malicious websites to the top of search results. In Q3, they managed to spread DeerStealer7, Atomic Stealer8, and Poseidon Stealer9 using this tactic.
Social engineering remained a major threat to individuals (92%) and was used in 50% of attacks against organizations. Social engineering attacks against organizations and individuals were mainly conducted via email (88%) and websites (73%), respectively. Cyberattacks on organizations led to breaches of confidential data (52%) and disruptions to core business operations (32%).
Positive Technologies recommends that companies build result-driven cybersecurity. Result-driven cybersecurity helps create a comprehensive automated defense system against non-tolerable events—consequences of cyberattacks that could prevent an organization from achieving its operational or strategic goals.
To protect systems against malware, Positive Technologies recommends using sandboxes to analyze file behavior in a virtualized environment, detect malicious activity, and act in time to prevent damage. The experts also recommend implementing an NTA system, such as PT Network Attack Discovery, which detects all modern cyberthreats, including the use of RATs, spyware, and ransomware. Companies should perform regular inventory and classification of assets, establishing data access control policies, and monitoring access to sensitive information.
Positive Technologies recommends using MaxPatrol SIEM for continuous monitoring of cybersecurity events and rapid detection of cyberattacks. It’s also crucial to implement vulnerability management processes using tools like MaxPatrol VM, conduct penetration tests (including automated ones), and participate in bug bounty programs.
Due to the large number of attacks with malware delivered through legitimate services, software developers should pay close attention to the repositories and package managers used in their projects and deploy application security tools, such as PT Application Inspector. It’s also recommended to use web application firewalls (WAFs), such as PT Application Firewall, to strengthen the network perimeter. To protect against data breaches, organizations should focus on data protection measures. IT specialists should remain vigilant online and avoid opening suspicious links or downloading attachments from unverified sources.
