Highlights:


  • Healthcare and education sectors are prime targets for cyberattacks due to their limited budgets, outdated systems, and sensitive data. These factors create high-pressure environments that attackers exploit for quick financial gains. 
  • As large language models (LLMs) like ChatGPT continue to evolve, new vulnerabilities and AI-generated malware emerge, signaling an end to AI's initial "honeymoon phase." 
  • Sophos predicts a shift in focus towards targeting edge devices and creating proxy networks, which will expand the pool of potential victims to organizations of all sizes. 
  • Cybercriminals are also using "noise" strategies, which involve minor attacks and false incidents, to overwhelm response teams and distract them from more significant threats. 

To address these challenges, Sophos emphasizes the importance of proactive strategies, such as conducting vendor security evaluations, prioritizing patching and multi-factor authentication (MFA), and managing burnout among cybersecurity professionals



Ransomware

Ransomware Attacks Will Continue—especially Against the Healthcare and Education Sectors

Educational and healthcare institutions frequently operate on limited cybersecurity budgets and with legacy systems in place. Both sectors also handle significant amounts of sensitive personal data. Add to the fact that, in the case of healthcare, ransomware attacks disrupt essential, life-saving operations, and you have a perfect storm of pressure that helps attackers secure quick ransom payments. That means these sectors will continue to be two of the biggest targets of ransomware attacks. (Chester Wisniewski, director, global field CTO)

AI

The honeymoon ends, and reality Sets in as AI becomes a target for vulnerabilities, malware, and attacks

Every new internet technology has a honeymoon period that ends when reality sets in. That time is coming for the latest LLMs as vulnerabilities and malware emerge. Microsoft has been issuing patches for AI products over the past year, and we’re starting to see how attackers can use LLMs to deploy malware such as trojans. In the following year, a clearer picture will emerge of the risks of AI—and AI users and security professionals will need to figure out the best way to patch these vulnerabilities, safeguard against malware, and protect against the eventual attacks that inevitably follow vulnerabilities and malware. (Christopher Budd, director, Sophos X-Ops)

Generative AI is the risk that keeps on giving

Thanks to AI, certain cybercriminal activities have been democratized. Low-skilled, opportunistic attackers can now ask some AI platforms for “educational” information on how to build anything terrible, from a believable phishing lure to a sample of code from popular ransomware. While AI-generated attacks have a low success rate and often seem obvious, they contribute to a growing flood of “noise” in offensive operations, obscuring the real threats. (Aaron Bugal, field CTO)


Rather than changing the world, we’re going to see incremental changes in LLMs

Large language models (LLMs) like ChatGPT signaled a significant breakthrough in the development of AI in the past few years. Much like the prior deep learning breakthrough 12 years ago, future progress will be incremental—at least for a while. The improvement and development of AI is a slow-moving process punctuated by significant changes. We still have so many optimizations and improvements that can be made with the current iteration of LLMs, such as power and cost efficiencies. These smaller improvements will be the expected advancements in the next few years. (Ben Gelman, senior data scientist)


There will be a rise in multi-agent systems

The next evolution in utilizing LLMs will be chaining them together to create more complex tasks. So, rather than opening up ChatGPT and asking it to write a line of code, researchers and possibly cybercriminals will orchestrate multiple LLMs and other AI models to carry out more complex tasks like automated cybersecurity penetration systems, customer service, and integrated assistants. This is similar to what Sophos created in its “scampaign” — a fully automated constructor for fake, AI-generated e-commerce websites. (Ben Gelman, senior data scientist)

Nation-States

Nation-state attacks aren’t just for enterprises anymore

Nation-state groups have turned their attention to edge devices to build useful proxy networks for chaos and sabotage. These edge devices are frequently unpatched and vulnerable, especially since many companies still have end-of-life (EOL) devices deployed in the wild. With nation-state groups building proxy networks, the victim pool has broadened—and companies of all sizes may now be targeted. (Chester Wisniewski, director, global field CTO)

Attacker Tactics


Cybercriminals will bring the noise to distract targets

Throwing a smokescreen or a flash bang and causing disruption, distraction, and confusion takes the focus off the real threat – and cybercriminals know this. To evade detection, cybercriminals are using distraction tactics to pull incident responders’ attention away from their primary objective. Attackers can overwhelm response teams by creating “noise”—such as minor attacks or false incidents—allowing more significant threats to advance undetected. These distraction tactics are becoming a serious challenge, draining resources and stretching even well-equipped security teams thin, weakening defenses and making organizations vulnerable. (Aaron Bugal, field CTO)




When the security community zigs, the criminals zag

As organizations implement more advanced endpoint security tools and deploy multi-factor authentication (MFA), attackers increasingly target cloud environments. This is partly because companies are less likely to use MFA with their cloud access tokens. This also means that, where passwords used to be an attacker’s prize, they’re now looking for cloud assets and authentication tokens to gain footholds. (Chester Wisniewski, director, global field CTO)


Expect attackers to focus on the supply chain

Two of 2024’s most prominent cybersecurity events have targeted third-party software suppliers: Blue Yonder and CDK. The latter disrupted thousands of car dealerships across the United States for over a week, and the former hit major retailers during the holiday shopping week. Expect more attacks like these in the coming year. Attacks against the software supply chain have far-reaching consequences beyond the initial company targeted. Software supply chain attacks are highly effective for attackers to increase pressure on victims since affected customers often have limited options while awaiting remediation. (Chester Wisniewski, director, global field CTO)