March 12, 2024

On Tuesday Microsoft released 59 CVEs, including 41 for Windows. A remarkable 20 other product groups or tools are also affected. Of the CVEs addressed, just two are considered Critical in severity by Microsoft, both in Windows (specifically, in Hyper-V).

At patch time, none of the issues has been publicly disclosed, or is known to be under active exploit in the wild. Six of the important-severity vulnerabilities in Windows are by the company’s estimation more likely to be exploited in the next 30 days. Five of the issues addressed are amenable to detection by Sophos protections, and we include information on those in a table below.

In addition to these patches the release included advisory information on four patches related to the Edge browser; three of those CVEs were assigned by the Chrome team, not Microsoft. (More on Microsoft’s Edge patch, CVE-2024-26167, in a minute.) There is also one Important-severity issue, CVE-2023-28746, for which advisory information is given this month.

We don’t include advisories in the CVE counts and graphics below, but we provide information on all of them in an appendix at the end of the article. We are as usual including at the end of this post three other appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

By the Numbers

• Total Microsoft CVEs (excluding Edge): 59
• Total Edge / Chrome issues covered in update: 4
• Total non-Microsoft CVEs covered in update: 1
• Publicly disclosed: 0
• Exploited: 0
• Severity
  • Critical: 2
  • Important: 57
• • Elevation of Privilege: 25
  • Remote Code Execution: 18
  • Denial of Service: 6
  • Information Disclosure: 5
  • Security Feature Bypass: 2
  • Spoofing: 2
  • Tampering: 1

Figure 1: And just like that, 2024 ties 2023’s entire output of tampering CVEs… at one. More on CVE-2024-26185 in a minute

Products

• Windows: 41 (including one shared with .NET and Visual Studio)
• Azure: 4 (including one shared with Log Analytics Agent, OMI, OMS, and SCOM)
• Visual Studio: 3 (including one shared with .NET and one shared with .NET and Windows)
• .NET: 2 (including one shared with Visual Studio and one shared with Visual Studio and Windows)
• OMI (Open Management Infrastructure): 2 (including one shared with Azure, Log Analytics Agent, OMS, and SCOM; and one shared with SCOM)
• SCOM (System Center Operations Manager): 2 (including one shared with Azure, Log Analytics Agent, OMI, and OMS; and one shared with OMI
• Authenticator: 1
• Defender: 1
• Dynamics 365: 1
• Exchange: 1
• Intune: 1
• Log Analytics Agent: 1 (shared with Azure, OMI, OMS, and SCOM)
• Office (365 on-premises): 1
• OMS (Operations Management Suite Agent for Linux): 1 (shared with Azure, OMI, and SCOM)
• Outlook: 1
• SharePoint: 1
• Skype: 1
• SONiC (Software for Open Networking in the Cloud): 1
• SQL: 1
• Teams: 1

Figure 2: There’s something for everyone, as twenty tools or product groups are touched by the March Patch Tuesday angel

Notable March updates

In addition to the issues discussed above, a few specific items merit attention.

CVE-2024-26185

Windows Compressed Folder Tampering Vulnerability

One of the six issues Microsoft believes more likely to be exploited in the next 30 days, this vulnerability affects the ubiquitous 7zip. Minimal user interaction is required, most likely via email (in which the attacker sends a specially crafted file and convinces the user to open it) or via the web. This patch applies only to Win11 22H2 and Win11 23H2.

CVE-2024-21334

Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

Sporting the month’s highest CVSS score (9.8 base) and yet not likely to be exploited in the next 30 as judged by Microsoft, this RCE applies to not just OMI but to SCOM (System Center Operations Manager) 2019 and 2022 as well. If exploited, a unauthenticated remote attacker could access the OMI instance via the internet and send specially crafted requests to trigger a use-after-free vulnerability. (If patching’s not an immediate option, Linux machines that don’t need network listening can disable their incoming OMI ports by way of mitigation.)

CVE-2024-21421

Azure SDK Spoofing Vulnerability

Check the date of your last deployment: Was it prior to October 19, 2023? If so, you’ll need to manually update to Azure Core Build 1.29.5 or higher. (For convenience, Azure SDK’s GitHub is available here.) Those with deployments after that date already received the fix automatically.

CVE-2024-21448

Microsoft Teams for Android Information Disclosure

There are a number of Android-related patches this month – Intune, Outlook, the Edge patch we’ll discuss below – but only this one, an important-severity Teams issue, will require a trip to the Play Store. Exploitation would allow the attacker to read files from the private directory of the application.

CVE-2024-26167

Microsoft Edge for Android Spoofing Vulnerability

As an Edge vulnerability, this one arrives with scant information from Microsoft, which in the post-IE era mainly takes its browser updates outside the Patch Tuesday cycle. As an Android vulnerability, it may well be that Android users will take this update from other sources. What’s clear from Microsoft is that whatever it is and whoever’s patching it, the patch is not yet available, and that those concerned should keep an eye on the publicly posted CVE information for updates. Fortunately, with a 4.3 CVSS base score, this mystery may well be a tempest in a teapot.

Figure 3: March continues the trend so far in 2024 of lighter-than-usual patch loads. So far in 2024 there have been 179 patches released in the normal second-Tuesday cadence, compared with 246 in 2023, 225 in 2022, 228 in 2021, and 266 in 2020

Sophos protections

CVE	Sophos Intercept X/Endpoint IPS	Sophos XGS Firewall
CVE-2024-21433	Exp/2421433-A	Exp/2421433-A
CVE-2024-21437	Exp/2421437-A	Exp/2421437-A
CVE-2024-26160	Exp/2426160-A	Exp/2426160-A
CVE-2024-26170	Exp/2426170-A	Exp/2426170-A
CVE-2024-26182	Exp/2426182-A	Exp/2426182-A

 

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of March patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (25 CVEs)

Important severity
CVE-2024-21330	Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21390	Microsoft Authenticator Elevation of Privilege Vulnerability
CVE-2024-21400	Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
CVE-2024-21418	Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability
CVE-2024-21431	Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
CVE-2024-21432	Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-21433	Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-21434	Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability
CVE-2024-21436	Windows Installer Elevation of Privilege Vulnerability
CVE-2024-21437	Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-21439	Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2024-21442	Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21443	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-21445	Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21446	NTFS Elevation of Privilege Vulnerability
CVE-2024-26165	Visual Studio Code Elevation of Privilege Vulnerability
CVE-2024-26169	Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2024-26170	Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26173	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26176	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26178	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26182	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26199	Microsoft Office Elevation of Privilege Vulnerability
CVE-2024-26201	Microsoft Intune Linux Agent Elevation of Privilege Vulnerability
CVE-2024-26203	Azure Data Studio Elevation of Privilege Vulnerability

 

Remote Code Execution (18 CVEs)

Critical severity
CVE-2024-21407	Windows Hyper-V Remote Code Execution Vulnerability
Important severity
CVE-2024-21334	Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
CVE-2024-21411	Skype for Consumer Remote Code Execution Vulnerability
CVE-2024-21426	Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-21429	Windows USB Hub Driver Remote Code Execution Vulnerability
CVE-2024-21430	Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability
CVE-2024-21435	Windows OLE Remote Code Execution Vulnerability
CVE-2024-21440	Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-21441	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21444	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21450	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21451	Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26159	Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26161	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26162	Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26164	Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability
CVE-2024-26166	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26198	Microsoft Exchange Server Remote Code Execution Vulnerability

 

Denial of Service (6 CVEs)

Critical severity
CVE-2024-21408	Windows Hyper-V Denial of Service Vulnerability
Important severity
CVE-2024-21392	.NET and Visual Studio Denial of Service Vulnerability
CVE-2024-21438	Microsoft AllJoyn API Denial of Service Vulnerability
CVE-2024-26181	Windows Kernel Denial of Service Vulnerability
CVE-2024-26190	Microsoft QUIC Denial of Service Vulnerability
CVE-2024-26197	Windows Standards-Based Storage Management Service Denial of Service Vulnerability

 

information Disclosure (5 CVEs)

Important severity
CVE-2024-21448	Microsoft Teams for Android Information Disclosure
CVE-2024-26160	Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-26174	Windows Kernel Information Disclosure Vulnerability
CVE-2024-26177	Windows Kernel Information Disclosure Vulnerability
CVE-2024-26204	Outlook for Android Information Disclosure Vulnerability

 

Security Feature Bypass (2 CVEs)

Important severity
CVE-2024-20671	Microsoft Defender Security Feature Bypass Vulnerability
CVE-2024-21427	Windows Kerberos Security Feature Bypass Vulnerability

 

Spoofing (2 CVEs)

Important severity
CVE-2024-21419	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2024-21421	Azure SDK Spoofing Vulnerability

 

Tampering (1 CVE)

Important severity
CVE-2024-26185	Windows Compressed Folder Tampering Vulnerability

 

 

Appendix B: Exploitability

This is a list of the March CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.

Exploitation more likely within the next 30 days
CVE-2024-21433	Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-21437	Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-26160	Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-26170	Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26182	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26185	Windows Compressed Folder Tampering Vulnerability

 

 

Appendix C: Products Affected

This is a list of March’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.

Windows (41 CVEs)

Critical severity
CVE-2024-21407	Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-21408	Windows Hyper-V Denial of Service Vulnerability
Important severity
CVE-2024-21427	Windows Kerberos Security Feature Bypass Vulnerability
CVE-2024-21429	Windows USB Hub Driver Remote Code Execution Vulnerability
CVE-2024-21430	Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability
CVE-2024-21431	Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
CVE-2024-21432	Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-21433	Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-21434	Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability
CVE-2024-21435	Windows OLE Remote Code Execution Vulnerability
CVE-2024-21436	Windows Installer Elevation of Privilege Vulnerability
CVE-2024-21437	Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-21438	Microsoft AllJoyn API Denial of Service Vulnerability
CVE-2024-21439	Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2024-21440	Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-21441	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21442	Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21443	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-21444	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21445	Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21446	NTFS Elevation of Privilege Vulnerability
CVE-2024-21450	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21451	Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26159	Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26160	Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-26161	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26162	Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26166	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26169	Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2024-26170	Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26173	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26174	Windows Kernel Information Disclosure Vulnerability
CVE-2024-26176	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26177	Windows Kernel Information Disclosure Vulnerability
CVE-2024-26178	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26181	Windows Kernel Denial of Service Vulnerability
CVE-2024-26182	Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26185	Windows Compressed Folder Tampering Vulnerability
CVE-2024-26190	Microsoft QUIC Denial of Service Vulnerability
CVE-2024-26197	Windows Standards-Based Storage Management Service Denial of Service Vulnerability

 

Azure (4 CVEs)

Important severity
CVE-2024-21330	Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21400	Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
CVE-2024-21421	Azure SDK Spoofing Vulnerability
CVE-2024-26203	Azure Data Studio Elevation of Privilege Vulnerability

 

Visual Studio (3 CVEs)

Important severity
CVE-2024-21392	.NET and Visual Studio Denial of Service Vulnerability
CVE-2024-26165	Visual Studio Code Elevation of Privilege Vulnerability
CVE-2024-26190	Microsoft QUIC Denial of Service Vulnerability

 

.NET (2 CVEs)

Important severity
CVE-2024-21392	.NET and Visual Studio Denial of Service Vulnerability
CVE-2024-26190	Microsoft QUIC Denial of Service Vulnerability

 

OMI (2 CVEs)

Important severity
CVE-2024-21330	Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21334	Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

 

SCOM (2 CVEs)

Important severity
CVE-2024-21330	Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21334	Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

 

Authenticator (1 CVE)

Important severity
CVE-2024-21390	Microsoft Authenticator Elevation of Privilege Vulnerability

 

Defender (1 CVE)

Important severity
CVE-2024-20671	Microsoft Defender Security Feature Bypass Vulnerability

 

Dynamics 365 (1 CVE)

Important severity
CVE-2024-21419	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

 

Exchange (1 CVE)

Important severity
CVE-2024-26198	Microsoft Exchange Server Remote Code Execution Vulnerability

 

Intune (1 CVE)

Important severity
CVE-2024-26201	Microsoft Intune Linux Agent Elevation of Privilege Vulnerability

 

Law Analytics Agent (1 CVE)

Important severity
CVE-2024-21330	Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability

 

Office (1 CVE)

Important severity
CVE-2024-26199	Microsoft Office Elevation of Privilege Vulnerability

 

OMS (1 CVE)

Important severity
CVE-2024-21330	Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability

 

Outlook (1 CVE)

Important severity
CVE-2024-26204	Outlook for Android Information Disclosure Vulnerability

 

SharePoint (1 CVE)

Important severity
CVE-2024-21426	Microsoft SharePoint Server Remote Code Execution Vulnerability

 

Skype (1 CVE)

Important severity
CVE-2024-21411	Skype for Consumer Remote Code Execution Vulnerability

 

SONiC (1 CVE)

Important severity
CVE-2024-21418	Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability

 

SQL (1 CVE)

Important severity
CVE-2024-26164	Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability

 

Teams for Android (1 CVE)

Important severity
CVE-2024-21448	Microsoft Teams for Android Information Disclosure

 

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the March Microsoft release, sorted by product.

Relevant to Edge / Chromium (4 CVEs)

CVE-2024-2173	Chromium: CVE-2024-2173 Out of bounds memory access in V8
CVE-2024-2174	Chromium: CVE-2024-2174 Inappropriate implementation in V8
CVE-2024-2176	Chromium: CVE-2024-2176 Use after free in FedCM
CVE-2024-26167	Microsoft Edge for Android Spoofing Vulnerability

 

Relevant to Windows (non-Microsoft release) (one CVE)

CVE-2023-28746

Intel: CVE-2023-28746 Register File Data Sampling (RFDS)

 

Cybercrime affects people from all walks of life, but it hits small businesses the hardest. While cyberattacks on large companies and government agencies get a majority of the news coverage, small businesses (broadly speaking, organizations with less than 500 employees) are generally more vulnerable to cybercriminals and suffer more proportionally from the results of cyberattacks. A lack of experienced security operations staff, underinvestment in cybersecurity, and smaller information technology budgets overall are contributing factors to this level of vulnerability. And when they are hit by cyberattacks, the expense of recovery may even force many small businesses to close.

Small businesses are not a small matter. According to the World Bank, more than 90% of the world’s businesses are small- and medium-sized organizations, and they account for more than 50% of employment worldwide. In the United States, small and medium businesses account for over 40% of overall economic activity. (In this report, we will use the terms small- and medium-sized businesses or organizations interchangeably, reflecting their similarity in our data.)

In 2023, over 75% of customer incident response cases handled by Sophos’ X-Ops Incident Response service were for small businesses. Data collected from these cases, in addition to telemetry collected from customers of our small- and medium-sized business protection software, gives us further unique insight into the threats that are targeting these organizations daily.

Based on that data and Sophos threat research, we see that ransomware continues to have the greatest impact on smaller organizations. But other threats also pose an existential threat to small businesses:

• Data theft is the focus of most malware targeting small and medium businesses—password stealers, keyboard loggers, and other spyware made up nearly half of malware detections. Credential theft through phishing and malware can expose small businesses’ data on cloud platforms and service providers, and network breaches can be used to target their customers as well
• Attackers have stepped up the use of web-based malware distribution—through malvertising or malicious search engine optimization (“SEO poisoning”)—to overcome difficulties created by the blocking of malicious macros in documents, in addition to using disk images to overwhelm malware detection tools
• Unprotected devices connected to organizations’ networks—including unmanaged computers without security software installed, improperly configured computers and systems running software fallen out of support by manufacturers—are a primary point of entry for all types of cybercrime attacks on small businesses
• Attackers have turned increasingly to abuse of drivers—either vulnerable drivers from legitimate companies or malicious drivers that have been signed with stolen or fraudulently obtained certificates—to evade and disable malware defenses on managed systems
• Email attacks have begun to move away from simple social engineering toward more active engagement with targets over email, using a thread of emails and responses to make their lures more convincing
• Attacks on mobile device users, including social engineering-based scams tied to the abuse of third-party services and social media platforms, have grown exponentially, affecting individuals and small businesses. These range from business email and cloud service compromise to pig butchering (shā zhū pán (殺豬盤)) scams.

A word about our data

The data used in our analysis comes from the following sources:

• Customer reports—detection telemetry from Sophos protection software running on customers’ networks, which gives a broad view of threats encountered, and analyzed within SophosLabs (in this report, referred to as the Labs dataset);
• Managed Detection and Response (MDR) incident data, gathered in the course of escalations driven by detection of malicious activity on MDR customers’ networks (in this report, referred to as the MDR dataset);
• Incident Response team data, drawn from incidents on customer networks for business of 500 employees or fewer where there was little or no managed detection and response protection in place (in this report, referred to as the IR dataset).

For a deeper look at data drawn strictly from the cases handled by our external-facing IR team (including cases involving customers with more than 500 employees), please see our sister publication, the Active Adversary Report (AAR). The conclusions in this report are based, unless otherwise stated, on the combined datasets with appropriate normalization.

Data is the prime target

The greatest cybersecurity challenge facing small businesses—and organizations of all sizes—is data protection. More than 90% of attacks reported by our customers involve data or credential theft in one way or another, whether the method is a ransomware attack, data extortion, unauthorized remote access, or simply data theft.

Business email compromise (BEC), in which email accounts are taken over by a cybercriminal for the purpose of fraud or other malicious purposes, is a substantial problem in the small-to-medium business set. We do not currently cover BEC in our sister publication, the Active Adversary Report, but the authors of the AAR estimate that in 2023, business email compromises were identified by our Incident Response team more often than any other type of incident, save ransomware.

Stolen credentials, including browser cookies, can be used for business email compromise, access to third-party services such as cloud-based finance systems, and access to internal resources that can be exploited for fraud or other monetary gain. They can also be sold by “access brokers” to anyone who cares to exploit them; Sophos has tracked offers on underground forums claiming to provide access to a number of small and medium businesses’ networks.

 

Figure 3: A cybercriminal offering to purchase access to small companies

By category, nearly half of malware detected in 2023 targeted the data of its intended victims. The majority of that is malware we’ve classified specifically as “stealers”—malware that grabs credentials, browser cookies, keystrokes, and other data that can be either turned into cash as sold access or used for further exploitation.

Because of the modular nature of malware, however, it’s difficult to completely categorize malware by functionality—nearly all malware has the ability to steal some form of data from targeted systems.  These detections also don’t include other credential theft methods, such as phishing via email, text message, and other social engineering attacks. And then there are other targets, such as macOS and mobile devices, where malware, potentially unwanted applications, and social engineering attacks target users’ data—especially of the financial kind.

Nearly 10% of malware detected falls outside of the four major categories shown above. This “other” category includes malware that targets browsers to inject advertisements, redirect search results to earn cash for clicks, or otherwise modifies or collects data for the profit of the malware developer, among other things.

Some stealers are very specific in their targeting. Discord “token” stealers, intended to steal Discord messaging service credentials, are often leveraged to deliver other malware through chat servers or via Discord’s content delivery network. But other leading stealers—Strela, Raccoon Stealer, and the venerable RedLine stealer family—are much more aggressive in their targeting, collecting password stores from the operating system and applications as well as browser cookies and other credential data. Raccoon Stealer has also deployed cryptocurrency “clippers” which swap crypto wallet addresses copied to the clipboard with a wallet address controlled by the malware operator.

Sophos has seen an increase in the number of information-stealing malware targeting macOS, and we believe that trend will continue. These stealers—some of which are sold in underground forums and Telegram channels for up to $3,000— can collect system data, browser data, and cryptowallets.

Ransomware remains a top threat for small businesses

While ransomware makes up a relatively small percentage of overall malware detections, it still packs the biggest punch in terms of impact. Ransomware affects all sizes of businesses across all sectors, but we have seen it hit small- and medium-sized enterprises the most frequently. In 2021, the Institute for Security and Technology’s Ransomware Task Force found that 70% of ransomware attacks targeted small businesses. While the overall number of ransomware attacks has varied year over year, that percentage bears out in our own metrics.

LockBit ransomware was the top threat in small business security cases taken on by Sophos Incident Response in 2023. LockBit is a ransomware-as-a-service, delivered by a number of affiliates, and was the most deployed ransomware of 2022 according to Figure 7.

LockBit was the malware observed the most by Sophos’ Managed Detection and Response (MDR) group (which includes the Incident Response team and its data)—with nearly three times the number of incidents in which ransomware deployment was attempted than its nearest peer, Akira.

As 2023 progressed, we saw an increase in the use of remote execution of ransomware—using an unmanaged device on organizations’ networks to attempt to encrypt files on other systems through network file access.

These types of attacks are able to gain footholds by exploitation of unprotected servers, personal devices, and network appliances that connect to organizations’ Windows-based networks. Defense in depth can prevent these attacks from taking entire organizations offline, but they can still leave organizations vulnerable to data loss and theft.

Windows systems aren’t the only ones targeted by ransomware. Increasingly, ransomware and other malware developers are using cross-platform languages to build versions for macOS and Linux operating systems and supported hardware platforms. In February of 2023, a Linux variant of Cl0p ransomware was discovered to have been used in a December 2022 attack; since then, Sophos has observed leaked versions of LockBit ransomware targeting macOS on Apple’s own processor and Linux on multiple hardware platforms.

Cybercrime as a service

The malware world continues to be dominated by what we’ve referred to as “Malware as a Service” (MaaS)—the use of malware delivery frameworks provided by cybercriminals through underground marketplaces to other cybercriminals. But a combination of improvements in platform security and takedown operations by industry and law enforcement have had some impact on the shape of the MaaS landscape.

After a decade of dominance in the malware delivery business, Emotet has receded since being taken down by Europol and Eurojust in January 2021. So, to a lesser degree, have Qakbot and Trickbot, after being disrupted by law enforcement in August 2023. While Qakbot has returned in some limited form, it has been largely supplanted by its would-be successors, Pikabot and DarkGate.

None of this has impacted the venerable remote access trojan AgentTesla, which has moved to the top of the MaaS market. It was the malware most often detected by endpoint protection in 2023 overall in endpoint (aside from generic malicious .LNK files and obfuscated malware), and made up 51% of the malware delivery framework detections in our telemetry last year.

Finding a different delivery route

Malware attacks require some form of initial access. Typically, that involves one of the following:

• Phishing emails
• Malicious email attachments
• Exploits of vulnerabilities in operating systems and applications
• Fake software updates
• Exploitation and abuse of Remote Desktop Protocol
• Credential theft

MaaS operators have in the past been largely reliant on malicious email attachments for that initial foothold. But changes to the default security of the Microsoft Office platform have had an impact on the MaaS market. As Microsoft has rolled out changes to Office applications that block by default Visual Basic for Applications (VBA) macros in documents downloaded from the Internet, it has become more difficult for MaaS operators to use their favored method of spreading malware.

That has led to some changes in the types of file attachments attackers use—attackers have moved to PDF file attachments almost exclusively. However, there have been some notable exceptions. In early 2023, Qakbot operators turned to using malicious OneNote documents to get around changes being pushed out to Excel and Word, concealing within the document links to script files that were activated when the target clicked on a button within the OneNote notebook file.

In 2021, we noted that “malware-as-a-service” offerings such as the RaccoonStealer backdoor had begun to rely heavily on web delivery, often using search engine optimization (SEO) tricks to fool targets into downloading their malware. In 2022, we saw “SEO poisoning” used as part of a SolarMarker information stealer campaign. These methods are on the rise again, and the actors behind them have grown more sophisticated.

We saw several notable campaigns using malicious web advertising and SEO poisoning to target victims. One of these was by an activity group using malware we dubbed “Nitrogen”; the group used Google and Bing advertisements tied to specific keywords to lure targets into downloading a software installer from a fake website, using a legitimate software developer’s brand identity. The same malvertising technique has been used in connection with a number of other initial access malware, including the Pikabot botnet agent, IcedID information stealer, and Gozi backdoor malware families.

In the case of Nitrogen, the ads targeted IT generalists, offering downloads including well-known remote desktop software for end-user support and secure file transfer utilities. The installers carried what was advertised, but they also delivered a malicious Python payload that, when launched by the installer, pulled down a Meterpreter remote shell and Cobalt Strike beacons. Based on other researchers’ findings, this was likely the first step in a BlackCat ransomware attack.

“Dual use” tools

Cobalt Strike, the well-worn “adversary simulation and red team operations” software kit, continues to be used by actual adversaries as well as legitimate security testing organizations. But it is by no means the only commercially developed software used by attackers—and it is no longer the most common.

Remote desktop tools, file compression tools, common file transfer software, other utilities, and open-source security testing tools are commonly used by attackers for the same reason that they’re used by small and medium enterprises—to make their jobs easier.

Sophos MDR has observed these utilities, which we refer to as “dual-use tools”, abused as part of the post-exploitation process by attackers:

• Discovery: Advanced IP Scanner, NetScan, PCHunter, HRSword
• Persistence: Anydesk, ScreenConnect, DWAgent
• Credential Access: Mimikatz, Veeam Credential Dumper, LaZagne
• Lateral Movement: PsExec, Impacket, PuTTy
• Data Collection & Exfil: FileZilla, winscp, megasync, Rclone, WinRar, 7zip

AnyDesk and PsExec were both seen in more incidents by Sophos MDR than was Cobalt Strike, as seen below:

Zero-day attacks and nonzero-day attacks

In May 2023, Progress Software reported vulnerabilities in the company’s widely used secure managed file transfer platform, MOVEit—including one that had been exploited by at least one set of malicious actors. Subsequently the company would reveal multiple additional vulnerabilities and issue multiple patches to fix them.

The attacks were attributed to actors associated with the Cl0p ransomware ring. The attackers used the vulnerability to deploy web shells on the public-facing web interfaces to MOVEit Transfer servers—web shells that in some cases persisted after the vulnerabilities were patched by Progress customers.

MOVEit was just one of a number of “zero day” vulnerabilities that challenged defenders in 2023.  GoAnywhere, another managed file transfer system, disclosed a vulnerability in February that another CL0p-affiliated group attempted to exploit.  And a remote code execution vulnerability in the PaperCut MF and NG print server software products was exploited by the Bl00dy ransomware gang in March and April after being reported to the developers in January.

In some cases, these vulnerabilities simply can’t be patched. For example, a vulnerability in Barracuda Email Security Gateway appliances, found in June, was so severe that it could not be patched and required complete replacement of physical or virtual appliances. A Chinese threat group continued to exploit the vulnerable appliances throughout the rest of 2023.

Vulnerabilities in software and devices don’t have to be new to be leveraged by attackers. Threat actors frequently seek out software that has fallen out of support, such as older network firewalls and web server software, to target— knowing that no patch will be coming.

Supply chain attacks and digitally signed malware

Small businesses also have to be concerned about the security of the services they depend upon to manage their business—and their IT infrastructure.  Supply chain attacks are not just for nation-state actors; we’ve seen attacks against managed service providers become an enduring part of the ransomware playbook.

In 2023, Sophos MDR responded to five cases in which small business customers were attacked through an exploit of a service provider’s remote monitoring and management (RMM) software. The attackers used the NetSolutions RMM agent running on the targeted organizations’ computers to create new administrative accounts on the targeted networks, and then deployed commercial remote desktop, network exploration and software deployment tools. In two of the cases, the attackers successfully deployed LockBit ransomware.

It’s hard to defend against attacks that leverage trusted software, especially when that software gives attackers the ability to disable endpoint protection. Small businesses and the service providers who support them need to be vigilant to alerts that endpoint protection has been turned off on systems on their networks, because this may be a sign that an attacker has gained privileged access through a supply chain vulnerability—or through other software that at first glance may seem legitimate.

For example, in 2023, we saw a number of instances of attackers using vulnerable kernel drivers from older software that still had valid digital signatures, and of intentionally created malicious software that used fraudulently obtained digital signatures—including malicious kernel drivers digitally signed through Microsoft’s Windows Hardware Compatibility Publisher (WHCP) program—to evade detection by security tools and run code that disables malware protection.

Kernel drivers operate at a very low level within the operating system, and are typically loaded before other software during the operating system’s start-up. That means that they execute in many cases before security software can start up. Digital signatures act as a license to drive, so to speak—in all versions of Windows since Windows 10 version 1607, kernel drivers need to have a valid digital signature or Windows operating systems with Secure Boot enabled won’t load them.

In December 2022, Sophos notified Microsoft of the discovery of malicious kernel drivers that carried Microsoft-signed certificates.  Because these drivers had Microsoft-signed certificates, they were by default accepted as benign software, allowing them to be installed—and then disable endpoint protections on systems that they were installed on. Microsoft issued a security advisory, and then in July 2023 revoked a host of malicious drivers’ certificates that had been obtained through WHCP.

Drivers don’t have to be malicious to get exploited. We’ve seen multiple cases of drivers and other libraries from older and even current versions of software products leveraged by attackers to “side load” malware into system memory.

We’ve also seen Microsoft’s own drivers used in attacks. A vulnerable version of a driver for Microsoft’s Process Explorer utility has been used multiple times by ransomware operators in efforts to disable endpoint protection products; in April 2023, we reported on a tool dubbed “AuKill” that used this driver in multiple attacks in attempts to deploy Medusa Locker and LockBit ransomware.

Sometimes we get lucky and catch vulnerable drivers before they can be exploited. In July, Sophos behavioral rules were triggered by activity from a driver for another company’s security product.  The alert was triggered by a customer’s own attacker simulation test, but our investigation of the event uncovered three vulnerabilities that we reported to the software vendor and were subsequently patched.

Spammers push social engineering boundaries

Email may seem like an old-school communication method in an era of encrypted end-to-end mobile chats, but spammers didn’t seem to notice (or care) about that. While the traditional BEC method of simply posing as an employee and asking another employee to send gift cards persists, spammers have gotten far more creative.

In the past year, Sophos’ messaging security team came across a slew of new social engineering tricks and techniques designed to evade conventional email controls. Messages in which the attacker emails an attachment or link out of the blue are now passé: The more effective spammers are more likely to strike up a conversation first, then move in for the kill in follow up emails.

We observed this methodology in attacks in which spammers posing as delivery service workers called enterprise customers on the phone and asked them to open a weaponized email. We also saw spammers initially email a solicitation for business or complaint, in attacks targeting a variety of industries in 2023, followed by a link to download a disguised, weaponized file after the business responded to the first email.

Conventional spam prevention involves processes inspecting message content and making decisions based on that content. Spammers experimented with a variety of methods of replacing any text content in their messages with embedded images: Sometimes the pictures appeared to be a written message, while others experimented with the use of QR codes or images that appear to be invoices (with telephone numbers the attackers prompt victims to call) as a way to evade detection.

Malicious attachments even pushed boundaries, with weaponized PDFs making something of a comeback, linking to malicious scripts or sites, sometimes using embedded QR codes. The Qakbot malware family expansively abused Microsoft’s OneNote document format, the notebook (or .one file), to deliver payloads before being shut down later in the year in a coordinated takedown. Attackers also latched onto the MSIX file format – a type of archive file format used by Microsoft to distribute apps through the Windows App Store – as a way of bypassing detection.

And attackers abused Microsoft’s services as well: By the year’s end, about 15% of the total spam Sophos blocked had been sent using email accounts created in Microsoft’s business-oriented onmicrosoft.com messaging system.

Mobile malware and social engineering threats

Small businesses depend heavily on mobile devices as part of either approved or ad-hoc information systems. Text messages, messaging and communications applications, and apps connecting to cloud services—including mobile point of sale applications—are mission-critical systems for distributed small enterprises. Cybercriminals know that, and continue to find ways to target mobile device users to gain access to data or to defraud.

Spyware and “bankers” are a group of Android malware of particular concern, and which we believe will continue to be a threat. Spyware is used to harvest data on the phone—and sometimes will even subscribe the device’s user to premium-rate services for direct monetary gain. They harvest personal data, including SMS messages and call logs from the affected device, which is then sold to fraudsters or used for blackmail—or both. There have been several cases where victims have taken their own lives as a result of threats from spyware operators.

These malicious mobile applications are distributed in a number of ways. They may masquerade as legitimate applications on the Google Play app store or third-party app store sites—often as mobile lending applications. They are also spread through links sent via text messages.

Bankers are malware that target financial applications, including cryptocurrency wallets, to harvest account data to gain access to funds—using accessibility permissions to gain access to sensitive data on the phone.

Then there’s the phenomenon of “pig butchering,” or sha zhu pan. We began tracking fake applications on both the iOS and Android platform tied to a form of scam we first referred to as “CryptoRom” in early 2021; since then, the scams have become increasingly more sophisticated.

The crime rings that operate these scams— frequently operated out of scamming compounds staffed with people who have essentially been kidnapped by organized crime—have taken billions of dollars from victims worldwide, and often focus on people tied to small businesses. In 2023, a small bank in Kansas failed and was seized by the FDIC after the bank CEO sent over $12 million from deposits to scammers in an effort to recover funds he had lost reportedly in one of these scams. This tragic example shows how a scam usually associated with an individual’s personal life can have ramifications and impact on small businesses.

Sha zhu pan scammers lure victims through social media sites, dating apps, other apps and community platforms, and even “inadvertent” SMS messages. They tend to target individuals who are looking for a romantic connection or friendship. After moving the target to a secure messaging app such as WhatsApp or Telegram, they gain their trust and introduce a money-making idea that they claim to have inside knowledge about—and that usually involves cryptocurrency.

Over the past year, we’ve seen the fake applications used by these scams making their way into the Google Play and iOS App stores. They evade store security review by presenting as a benign app until the review process is over, and then change remote content to turn it into a fake crypto trading app. Any crypto deposited through these apps is immediately pocketed by the scammers.

Recently, we’ve also seen these scams adopt a tactic from another type of crypto scam that requires no fake apps—instead, they use the “Web3” functionality of mobile crypto wallet apps to directly tap into wallets created by the victims. We have identified hundreds of domains associated with these “DeFi (Decentralized Finance) mining” variants of sha zhu pan, and as with the fake apps we identify, we continue to report them and work to get them taken down.

Conclusions

Small businesses face no shortage of threats, and the sophistication of those threats is often on par with those used to attack large enterprises and governments. While the amount of money that can be stolen is less than available from a larger organization, the criminals are happy to steal what you have and make up for it in volume.

Criminal syndicates are counting on smaller companies to be less well-defended and to not have deployed modern, sophisticated tools to protect their users and assets. The key to successfully defending against these threats is to prove their assumptions wrong: Educate your staff, deploy multifactor authentication on all externally facing assets, patch servers and network appliances with the utmost priority and consider migrating difficult to manage assets like Microsoft Exchange servers to SaaS email platforms.

The primary difference in our experience between the companies that were impacted the most by cyberattacks and those who suffered the least is time to respond. Having security experts to monitor and respond 24/7 is table stakes for an effective defense in 2024. Staying safe isn’t impossible; it just takes comprehensive planning and layered defenses to buy you time to respond and minimize damages.