We’re officially in the final days of 2024, a year so eventful it feels difficult to remember half of what happened. We had the Olympics in Paris, which turned the world into fans of sharpshooting, breakdancing, and the pommel horse; a solar eclipse visible in totality from the US for the first time since 1979; and a monthslong, very impassioned rap battle between Kendrick Lamar and Drake.
We also, as always, had a lot of cyber attacks. But 2024 saw attackers finding new ways to pose a threat to organizations across the world. The best way to keep up with the ever-changing landscape of risks is with threat research, which is why Sysdig’s own Threat Research Team (TRT) works to consistently and quickly put out information on the latest threats you need to know about, whether it’s the SSHD backdoor, syscall evasion, or bypasses for AWS WAF.
Now that we’ve reached the end of 2024, let’s take a look back on the biggest takeaways from TRT’s findings this past year, so you’ll know how best to protect your organization in 2025.
1. LLMjacking is the big new threat on the block
A brand-new type of attack cropped up this year: LLMjacking, first identified by the Sysdig TRT in May 2024. Large language models (LLMs) are key to AI’s new ability to understand and generate human language, and they’re increasingly important in just about every industry — but they don’t come cheap.
In an LLMjacking attack, threat actors use stolen cloud credentials to gain illicit access to an organization’s LLMs. Sometimes the motive is personal use, but increasingly the point is to sell unauthorized access to third parties, including entities who’ve been banned from a given LLM service, or are located in sanctioned countries.
Regardless of the reason, LLM use is expensive, which means the price tag for organizations targeted this way is high — and it keeps growing. When Sysdig TRT first discovered this attack, it cost victims an estimated $46,000 a day. Now, as LLMs (and their cost to run) have advanced, the cost of LLMjacking to victims has ballooned to over $100,000 daily. And with how rapidly research in LLMs is progressing, this trend is likely to continue. That means that in 2025, it will be more critical than ever to adhere to the principle of least privilege and monitor your cloud for potentially compromised credentials and unusual activity.
2. AI and automation are speeding up attacks
By now, you’ve likely heard from every source imaginable the benefits of AI in the workplace, or even experienced them for yourself: AI automates otherwise time-consuming, rote tasks, delivering tedious work in the blink of an eye so humans can focus on more creative, high-level thinking.
Unfortunately, these same benefits are just as helpful and convenient for malicious actors. This past year saw attacks continue to grow in scale and speed, fueled in large part by automation.
For an example, you need look no further than the Meson Crypto CDN attack, which took place in February of 2024. Meson Network (MSN) is a blockchain project on Web3 intended to replace traditional cloud storage. Within minutes of obtaining access to the victim’s environment, the attacker attempted to create 6,000 nodes using the compromised cloud account. Because the whole process was automated, it took roughly 20 seconds to launch each batch of 500 micro-sized EC2 instances per region. Those 6,000 nodes could cost victims up to $22,000 per day — and this all happened at what were once impossible speeds.
The Sysdig TRT has previously found that once an exploit is available, attacks take less than 10 minutes on average to execute. The growing use of automation to speed attacks up further only underscores the need for real-time threat detection and rapid response. In fact, to keep pace with threats, security teams will likely need to implement advanced AI of their own, like the AI cloud security analyst Sysdig Sage™.
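Both the monitoring advice in the LLMjacking section and the burst of instance creation in the Meson attack come down to watching the cloud audit trail for activity that does not fit a baseline. The script below is an added example, not Sysdig’s code or anything from the report: it runs two such checks over constructed CloudTrail-style records, and the approved-principal baseline, the 100-instances-per-minute threshold, the account ID and the ARNs are all assumptions.

```python
"""Added example: two detections over constructed CloudTrail-style records.
Rule 1 flags model-API calls from principals outside an approved baseline
(LLMjacking); rule 2 flags bursts of RunInstances per region (automated nodes)."""
from collections import defaultdict
from datetime import datetime, timedelta
# Assumptions, not from the article: approved LLM callers and burst thresholds.
APPROVED_LLM_PRINCIPALS = {"arn:aws:iam::111122223333:role/ml-inference"}
LLM_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream"}  # Amazon Bedrock API names
BURST_THRESHOLD = 100            # instances per (principal, region) within BURST_WINDOW
BURST_WINDOW = timedelta(seconds=60)

def ev(name, arn, ip, region, time, count=None):
    """Build a minimal constructed CloudTrail-style record (only the fields used here)."""
    e = {"eventName": name, "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
         "awsRegion": region, "eventTime": time}
    if count is not None:  # RunInstances carries the requested instance count here
        e["requestParameters"] = {"instancesSet": {"items": [{"maxCount": count}]}}
    return e

def detect_llm_abuse(events):
    """Return {(principal, source IP)} for model-API calls outside the approved baseline."""
    return {(e["userIdentity"]["arn"], e["sourceIPAddress"]) for e in events
            if e["eventName"] in LLM_EVENTS
            and e["userIdentity"]["arn"] not in APPROVED_LLM_PRINCIPALS}

def detect_launch_bursts(events):
    """Return {(principal, region): peak count} where any BURST_WINDOW exceeds BURST_THRESHOLD."""
    launches = defaultdict(list)
    for e in events:
        if e["eventName"] == "RunInstances":
            t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            n = e["requestParameters"]["instancesSet"]["items"][0]["maxCount"]
            launches[(e["userIdentity"]["arn"], e["awsRegion"])].append((t, n))
    alerts = {}
    for key, items in launches.items():
        items.sort()
        for i, (t0, _) in enumerate(items):          # sliding window starting at each launch
            total = sum(n for t, n in items[i:] if t - t0 <= BURST_WINDOW)
            if total > BURST_THRESHOLD:
                alerts[key] = max(alerts.get(key, 0), total)
    return alerts

# Constructed sample: a leaked CI key calls Bedrock, then mass-launches instances.
LEAKED = "arn:aws:iam::111122223333:user/ci-deploy"
SAMPLE_EVENTS = [
    ev("InvokeModel", "arn:aws:iam::111122223333:role/ml-inference", "10.0.1.5", "us-east-1", "2024-02-10T12:00:00Z"),
    ev("InvokeModel", LEAKED, "203.0.113.7", "us-east-1", "2024-02-10T12:00:05Z"),
    ev("RunInstances", LEAKED, "203.0.113.7", "us-east-1", "2024-02-10T12:01:00Z", 500),
    ev("RunInstances", LEAKED, "203.0.113.7", "us-east-1", "2024-02-10T12:01:20Z", 500),
    ev("RunInstances", "arn:aws:iam::111122223333:role/autoscaler", "10.0.1.9", "eu-west-1", "2024-02-10T12:01:30Z", 4),
]
```

On the sample, `detect_llm_abuse` reports only the leaked CI principal and `detect_launch_bursts` reports 1,000 instances in one region within a minute, while the baseline role and the small autoscaler launch stay silent.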
3. Threat actors are abusing open source tools
Open source tools are the backbone of the cybersecurity community, as we pool our collective knowledge and resources to keep each other safe. And even if you’re closely monitoring your users for unusual or suspicious activity, you’re hardly going to question a user downloading and using a well-known, reputable OSS tool. But attackers are realizing this can make OSS tools the perfect cover.
Malicious actors weaponized multiple open source tools in 2024, with the most notable incident coming from the CRYSTALRAY threat group. The open source penetration testing tool SSH-Snake was publicly released in January. Less than a month later, Sysdig TRT found that CRYSTALRAY was leveraging SSH-Snake, in conjunction with several other open source tools, in offensive operations that exploited Confluence vulnerabilities.
By July, CRYSTALRAY had over 1,500 victims, whose credentials it sold on the black market. The threat group seemed to shut down its operations following our July blog post, but it still stands as a noteworthy example of a troubling trend. To help safeguard against similar threats, organizations need to make sure they have tools like Falco that can detect threats at runtime. After all, detecting attacks as soon as they happen lets you speed up investigation and helps keep your exposure to a minimum.
4. Attackers are playing the long game
We tend to think of major cyber breaches as swift, massive attacks that compromise an organization in one dramatic blow. But perhaps one of the most shocking discoveries Sysdig TRT made in 2024 was that of RUBYCARP, a botnet group that had been quietly draining funds from victims undetected for a whopping ten years.
How is this even possible? RUBYCARP’s primary modus operandi was a botnet, deployed through a variety of public exploits and brute-force attacks and put to work on cryptomining, DDoS, and phishing. Rather than going for a single, huge payout, RUBYCARP regularly customized and updated the tooling in its kill chain and targeted a wide variety of vulnerabilities, all to evade detection and keep a steady stream of income flowing. And if you can stay under the radar for a long time, as RUBYCARP did, that income adds up: one member was found to have made 100,000 Romanian lei, or about $22,800, in just two years.
More attackers are aware that the longer they can hide, the more money and information they can extract, often adding up to a far greater impact in the long run. So in forming your cybersecurity strategy, it’s important not to overlook attacks traditionally considered low-impact, like DDoS. The last thing you want is a malicious actor living in your proverbial walls undetected for years.
Between LLMjacking, malicious use of automation and open source tools, and increasingly stealthy threat campaigns, tackling threats in 2025 might feel daunting. But knowing is half the battle. By staying abreast of threat research, you can plan accordingly. Keep these latest trends in mind as you build your cybersecurity resolutions for the new year, so you’re not caught unawares in 2025.
Want to learn more? Read the full 2024 global threat report here.