
LLMJacking Increases in Malicious Models

Infostealer sales rose across Windows and macOS platforms.


A significant rise in attacks on cloud infrastructure involving Large Language Models (LLMs) has been detected as part of an overall increase in cloud attacks.

According to the latest Threat Detection Report from Red Canary, while cloud attacks rose overall in 2024, the techniques adversaries abused have largely remained the same as in past years.

Among these, Red Canary observed adversaries attempting to impair defenses inside cloud environments by disabling or modifying firewall rules and logging. After gaining access through compromised cloud accounts or valid credentials, adversaries elevate their privileges by granting the identity additional roles.

Also, with the rise in LLM usage, cloud services such as AWS Bedrock, Azure OpenAI, and GCP Vertex AI have become prime targets for adversaries in an attack known as “LLMJacking.”

Sold Access

As part of this rise in LLMJacking, adversaries have reportedly sold access to hijacked models as part of their own SaaS ‘business’ and passed all LLM usage costs to the victim.

Keith McCammon, chief security officer at Red Canary, said: “The sheer accessibility of the tools that adversaries can use to compromise organisations has led to an explosion in attack volume, overwhelming security teams.

“AI is becoming an essential tool for helping analysts cut through the noise and focus on threats that matter. By streamlining workflows and augmenting human expertise, AI enables security teams to detect and respond to threats faster, preventing adversaries from gaining an advantage.”

Stealing Malware

The research also found that in 2024, stealer malware infections were on the rise across Windows and macOS platforms. The most prevalent stealer detected in 2024 was LummaC2, operating under a malware-as-a-service model, and selling for anywhere from $250 per month to a one-time payment of $20,000.

“Its growing popularity and expanded scope make it a major threat, exposing user credentials and enabling adversaries to gain initial access to organisations using legitimate accounts,” the report said.


“Adversaries commonly use LummaC2 to deliver NetSupport Manager, Red Canary’s seventh most detected threat detected in 2024 – giving them a gateway to deploy other malicious payloads as a follow-up to their initial attack.” 


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
