Surge in “hunter-killer” malware poses significant challenge to security teams

Threat actors have stepped up their efforts over the last year to launch attacks aimed at disabling enterprise defenses, according to the annual Red Report released Tuesday by Picus Security. The findings demonstrate a drastic shift in adversaries’ ability to identify and neutralize advanced enterprise defenses, such as next-generation firewalls, antivirus software, and EDR solutions, the report noted. It added that there was a 333% increase over the last year in this kind of “hunter-killer” malware, which actively targets defensive systems in an attempt to disable them.

“It was a surprise for us because hunter-killer malware wasn’t even in our top 10 last year,” says Picus co-founder and Vice President Suleyman Ozarslan. “A 333% increase is the biggest jump in the history of our reports. It represents a shift toward more destructive cyber threats and poses a significant challenge for defenders. Organizations should be focused on these attacks this year.”

Cybercriminals adapt to much-improved security

According to the report, which is based on an analysis of more than 600,000 real-world malware samples, cybercriminals are changing their tactics in response to the much-improved security of the average business and the wide use of tools offering more advanced capabilities to detect threats. A year ago, the report noted, it was relatively rare for adversaries to disable security controls. Now, this behavior is seen in a quarter of malware samples and is used by virtually every ransomware and APT group.

“The rise of hunter-killer malware marks a substantial evolution in cyber threats, requiring cybersecurity industries to adopt more dynamic and proactive defense mechanisms. Traditional defense strategies might be insufficient as these new malware types aim to undermine them directly,” says Callie Guenther, cyber threat research senior manager at Critical Start, a national cybersecurity services company. “The extended dwell times enabled by disabling cyber protections pose a significant risk, as malware can remain undetected longer, increasing potential damage.”

Defenses must deal with attacks meant to disable them

To combat hunter-killer malware, the report advised organizations to embrace machine learning, protect user credentials, and consistently validate their defenses against the latest tactics and techniques used by cybercriminals. “Defenses need to be always up to deal with these types of attacks,” Ozarslan says. “We suggest doing continuous attack simulations to understand the effectiveness of defensive systems against hunter-killer cyberattacks.”

Defense schemes that use behavioral analysis are necessary because many of these adversaries are “living off the land,” Ozarslan adds, using the same tools that IT departments, and in some cases security teams, use to accomplish their objectives. “The Loki ransomware group, for example, used Kaspersky’s TDSSKiller utility to disable security defenses,” he says.
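The behavioral angle above can be made concrete: instead of blocking a legitimate utility outright, a detection can watch for that utility running from an unexpected location and for a security service stopping shortly afterwards. The following is an added illustration, not code from the Red Report or Picus; the events, the approved install path and the service names are constructed for the example.

```python
"""Correlate a legitimate security utility (TDSSKiller) with a subsequent security-service stop.
Sample events are constructed to look like Sysmon process-create and System-log service-state records."""
from datetime import datetime, timedelta

# Constructed telemetry: one suspicious sequence (download folder -> EDR service stops 3 s later),
# one benign run from the approved path, and an unrelated service stop.
SAMPLE_EVENTS = [
    {"ts": "2024-02-13T09:00:01", "type": "proc", "user": "CORP\\bob",
     "image": "C:\\Users\\bob\\Downloads\\tdsskiller.exe"},
    {"ts": "2024-02-13T09:00:04", "type": "svc", "service": "ExampleEDR", "state": "stopped"},
    {"ts": "2024-02-13T10:15:00", "type": "proc", "user": "CORP\\helpdesk",
     "image": "C:\\Program Files\\Kaspersky Lab\\tdsskiller.exe"},
    {"ts": "2024-02-13T11:00:00", "type": "svc", "service": "Spooler", "state": "stopped"},
]

KILLER_TOOLS = {"tdsskiller.exe"}                       # legitimate tools seen abused to disable defenses
APPROVED_DIRS = ("c:\\program files\\kaspersky lab\\",)  # assumed install location for this example
SECURITY_SERVICES = {"exampleedr", "windefend"}          # assumed names of defensive services
WINDOW = timedelta(minutes=5)                            # how long after the tool a stop is suspicious


def detect(events):
    """Return alert strings for two behavioral signals:
    1. a known defense-killing utility launched from outside its approved directory;
    2. a security service stopping within WINDOW after any run of such a utility."""
    alerts, tool_runs = [], []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "proc":
            image = e["image"].lower()
            if image.rsplit("\\", 1)[-1] not in KILLER_TOOLS:
                continue
            tool_runs.append(e)
            if not image.startswith(APPROVED_DIRS):
                alerts.append(f"{e['ts']} {e['user']} ran {image} from an unapproved path")
        elif e["type"] == "svc" and e["state"] == "stopped" and e["service"].lower() in SECURITY_SERVICES:
            stop_time = datetime.fromisoformat(e["ts"])
            for run in tool_runs:
                gap = stop_time - datetime.fromisoformat(run["ts"])
                if timedelta(0) <= gap <= WINDOW:
                    alerts.append(f"{e['ts']} {e['service']} stopped {int(gap.total_seconds())}s "
                                  f"after {run['image']}")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The second signal fires regardless of path, so a run from the approved directory that is followed by an EDR stop still surfaces; the Spooler stop is ignored because it is not a defensive service.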

70% of malware analyzed used stealthy techniques

The Red Report gives security teams a 12-month view of the most prevalent MITRE ATT&CK techniques exhibited by the latest malware. Other findings in this year’s report included:

  • Seventy percent of the malware samples analyzed for the report employ stealth-oriented techniques, particularly those that facilitate evading security measures and maintaining persistence in networks.
  • Use of obfuscated files or information (MITRE ATT&CK T1027) increased by 150%, highlighting a trend toward hindering the effectiveness of security solutions and obfuscating malicious activities to complicate the detection of attacks, forensic analysis, and incident response efforts.
  • Use of application layer protocols (MITRE ATT&CK T1071), which are being used for data exfiltration in sophisticated double extortion schemes, jumped 176%.
