Cybersecurity moves fast, and the latest threats to reach organizations worldwide are being built on the back of artificial intelligence (AI) models that spit out accurate code, realistic messages, and lifelike audio and video designed to fool people. But as headline-grabbing as AI-based attacks appear to be, they aren’t driving the most breaches globally. That would be BEC attacks, in which attackers leverage stolen access to a business email account to create a scam that results in financial gain.

On June 25, 2024, Progress disclosed two vulnerabilities affecting MOVEit Transfer and MOVEit Gateway: CVE-2024-5805: A critical severity authentication bypass vulnerability affecting MOVEit Gateway (SFTP module). MOVEit Gateway is a proxy for MOVEit Transfer, designed to securely handle inbound connections when deployed behind a firewall.

On June 17, 2024, VMware disclosed two critical vulnerabilities (CVE-2024-37079 & CVE-2024-37080) affecting vCenter Server and Cloud Foundation. These vulnerabilities stem from a heap-overflow issue in the implementation of the DCERPC protocol which can be exploited by remote threat actors. By sending specially crafted network packets, threat actors could exploit CVE-2024-37079 and CVE-2024-37080 to achieve Remote Code Execution (RCE) on both vCenter Server and Cloud Foundation systems.

On June 19, 2024, CDK Global notified customers that a cyber incident had led to a shutdown of its systems, significantly impacting car dealerships across the United States. CDK Global serves nearly 15,000 dealership locations, and the incident caused substantial disruption, forcing car dealerships to halt operations and revert to manual processes. Dealerships were initially notified about the incident around 2AM Eastern time on June 19, 2024, with an update at 8AM confirming the incident.

Positive security outcomes don’t happen by chance — they result from a culture in which security is ingrained and embodied within and by everyone, from the executives through the employees. This fact has led to an overdue shift in organizational thinking, with recent research revealing that 88% of global organizations currently use some form of security awareness program, with another 10% in the process of adopting such a program within the next 12 months.

In 2023, the FBI’s Internet Crime Complaint Center (IC3) received 21,489 BEC complaints with adjusted losses over $2.9 billion USD, according to their 2023 Internet Crime Report. By way of comparison, ransomware, the cyber attack that grabs all the headlines and keeps IT and security teams up at night, accounted for only 2,825 complaints, with adjusted losses of less than $60 million USD.

Since April 2024, Arctic Wolf has been tracking an ongoing campaign by Black Basta ransomware group affiliates leveraging Microsoft’s Quick Assist for initial access. The Black Basta affiliates have been conducting vishing (voice phishing) attacks by impersonating IT or help desk personnel, claiming they need to fix an issue on the victim’s device. In other instances, the threat actors leverage an email bomb attack to flood the victim’s mailbox with emails from subscription services.

On February 19, 2024, ConnectWise published a security bulletin detailing two critical vulnerabilities within their on-premises ScreenConnect software, stating that the vulnerabilities have the potential to result in remote code execution (RCE). ScreenConnect is a widely utilized Remote Monitoring and Management (RMM) tool that has been leveraged by threat actors in the past, often in connection with ransomware attacks.

Cybersecurity compliance is complicated. As industry standards change and evolve with new technology, so do compliance requirements. Depending on your organization’s operations, industry, or even location, compliance could mean adhering to multiple frameworks and reporting to multiple governing bodies. In fact, 67% of organizations surveyed by Arctic Wolf follow between one to three sets of guidelines.

When it comes to cybercrime, there are few tactics as useful and widespread as credential theft and the use of stolen credentials. In the 2023 breach of password management giant Okta, it was a set of credentials that jumpstarted the incident — threat actors hacked into an employee’s personal Google account, where they found an Okta customer service account had also been saved.

While often considered a newer threat, and rightly so given its fast-rising dominance among the cybercrime landscape, ransomware is not a recent innovation in the ongoing cyber war. It stretches back decades to the early days of the internet, email, and even floppy discs.

On May 31st, 2024, a Proof of Concept (PoC) exploit and technical analysis were published for a pre-authentication Remote Code Execution (RCE) exploit chain impacting Telerik Report Server, a product by Progress designed for streamlined report management within organizations.

On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector. We are sharing details of this emerging variant to help organizations defend against this threat.

A notable statistic has appeared in the cybersecurity research landscape: Phishing and pre-texting accounted for 73% of breaches in 2023. That’s according to the 2024 Verizon Data Breach Investigations Report, and the alarming use of humans as a vector for initial access is mirrored elsewhere.