2023 was packed with a multitude of significant events that caused many to rethink their entire security strategies, especially their choice of vendors and the size of their teams. Unfortunately, we saw thousands of layoffs in the technology sector, including on cybersecurity teams, despite the unrelenting and omnipresent threat from an ever-growing number of cyber adversaries.
The Top 10 Cyber Threats of the year that I believe are worth focusing on in this blog revolved around several common themes: the use of zero-day exploits, supply chain attacks, the targeting of identity providers, and intentionally disruptive campaigns.
Since 2020, a professional cybercrime syndicate known as CL0P has shifted from targeted big game hunting ransomware campaigns to mass data-theft extortion attacks that skip the deployment of ransomware altogether. Around 27 May 2023, the CL0P group began exploiting a zero-day SQL injection vulnerability in Progress MOVEit Transfer, tracked as CVE-2023-34362, a managed file transfer product used by thousands of organizations. CL0P's MOVEit campaign was arguably one of the largest mass data breaches in history. Millions of people have been impacted through the compromise of third-party service providers that ran MOVEit, and it is estimated that CL0P made between $75m and $100m from the campaign, according to the incident response firm Coveware, which specialises in cyber extortion.
CL0P's focus on data exfiltration, as evidenced by its targeting of file transfer solutions, suggests that over the past few years data encryption alone has stopped being enough of an incentive for victim organizations to pay ransom demands, most likely because backups now let them recover encrypted files. Data exfiltration and the threat of publishing stolen data appear to carry far more weight with victims, and are largely what has powered double extortion and the success of many ransomware groups. Other ransomware groups, such as BianLian, have also shifted away from data encryption, and we may see more affiliates going this way and a potential decline in ransomware-as-a-service (RaaS) offerings in the future.
Ever since the 2022 Twilio phishing campaign, the ScatteredSpider group (aka Star Fraud, 0ktapus, ScatterSwine, UNC3944 or Octo Tempest) has taken the industry by storm, culminating in an incident that cost MGM Resorts an estimated $100m. This group's tradecraft differs significantly from that of many traditional organized cybercrime groups, potentially because they are English-speaking threat actors.
ScatteredSpider are infamous for their brazen social engineering attacks, using techniques such as SMS phishing (smishing), voice phishing (vishing), and SIM swapping. Once they have obtained enterprise user credentials, they have many ways to maintain access. They will install remote monitoring and management (RMM) tools, use the Bring-Your-Own-Vulnerable-Driver (BYOVD) trick to terminate security services, enrol attacker-controlled devices for MFA so that they satisfy conditional access controls, spin up virtual machines (VMs) in the victim's cloud tenant, and even abuse endpoint detection and response (EDR) tooling, such as CrowdStrike Real Time Response (RTR), to run arbitrary commands on hosts.
ScatteredSpider has a diverse set of targets, which shifted as their campaigns evolved. Initially, the group targeted mobile carriers and business process outsourcing (BPO) firms in order to carry out SIM swapping attacks, mainly to steal cryptocurrency. They then pivoted to data theft extortion against IT service providers, gaming, hospitality, retail, managed service providers (MSPs), manufacturing, and the technology sector. In mid-2023, ScatteredSpider also began working with the Russian-speaking BlackCat/ALPHV ransomware gang, notably by listing Reddit as a victim on BlackCat/ALPHV's data leak site. ScatteredSpider has also resorted to physical threats and is affiliated with English-speaking Violence-as-a-Service gangs.
The interesting thing about ScatteredSpider is that they display a level of understanding of enterprise security tooling, such as EDRs, single sign-on (SSO), Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS), that you would expect from a seasoned sysadmin or red teamer. Their knowledge is so good, in fact, that I actually suspect these operators might have worked in the cybersecurity or managed services industry at some point. Either that, or after each victim they take what they learned and put it immediately into practice.
In February 2023, it was reported that the Technion (Israel Institute of Technology), one of Israel's leading research universities, was struck by DarkBit ransomware. In April 2023, Microsoft disclosed details about the suspected Iranian state-sponsored DarkBit destructive attack. The adversary responsible is tracked as DEV-1084, which partnered with another Iranian APT actor named MERCURY (now tracked as Mango Sandstorm, also known as MuddyWater), with MERCURY providing the initial access. The APT's actions were aimed at both on-premises and cloud environments. While they initially attempted to mask their activity as a cybercriminal DarkBit ransomware campaign, their true intent was destruction and disruption. The attack resulted in significant damage, impacting server farms, virtual machines, storage accounts, and virtual networks.
Iranian destructive
cyberattacks are part of a growing trend of state-sponsored threat actors
leveraging offensive cyber destructive capabilities for strategic objectives
with significant implications for the global threat landscape. These attacks
targeted both on-premises and cloud environments, highlighting the importance
of securing hybrid infrastructures and that adversaries can traverse seamlessly between these two domains. The use of
ransomware for politically-motivated destructive attacks also underscores the
need for analysts to look beyond surface-level indicators and delve deeper into
the attackers’ motivations and techniques.
The Barracuda Email Security Gateway (ESG) appliance had a zero-day vulnerability, tracked as CVE-2023-2868, that was exploited in the wild from October 2022 but not discovered until May 2023. Mandiant reported that UNC4841, a suspected cyber-espionage actor working in support of the People's Republic of China (PRC), was responsible. After exploiting the zero-day, UNC4841 deployed three payloads, dubbed SALTWATER, SEASPY, and SEASIDE, to establish a presence on the Barracuda ESG appliances and maintain access to target networks for up to eight months.
Once embedded in target environments, UNC4841 was observed aggressively looking for specific data to exfiltrate and moving laterally within victim networks. This campaign impacted organizations worldwide, spanning both the public and private sectors. Approximately one-third of the affected entities were government agencies from at least 16 different countries. Due to the timing of the victim disclosure notification,
In an uncommon move for a cybersecurity product vendor, on 6 June 2023 Barracuda issued guidance recommending that all impacted customers immediately isolate and replace compromised appliances, regardless of whether they had been patched.
In July 2023, Microsoft and CISA disclosed a security incident impacting multiple customers of Exchange Online and Outlook. The incident stemmed from an APT actor attributed to China, tracked as Storm-0558, who acquired a Microsoft account (MSA) consumer signing key and used it to forge authentication tokens for Outlook Web Access and Outlook.com. The overall aim of the campaign was believed to be to obtain information through access to the email accounts of employees within target organizations. From around May 2023, Storm-0558 accessed Outlook accounts belonging to officials at around 25 organizations across East Asia, the Pacific, Europe, and the US, stealing tens of thousands of emails, including some 60,000 from the US Department of State alone. Affected organizations included government agencies, such as the US Department of State and US Department of Commerce.
Interestingly, Microsoft later disclosed that the consumer signing key had leaked into a Windows crash dump produced in April 2021, and that Storm-0558 obtained it after compromising the corporate account of a Microsoft engineer who had access to the debugging environment holding that dump. Wiz researchers also pointed out that, although Microsoft stated that Outlook and Exchange Online were the only applications known to have been affected, the compromised signing key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, because token validation did not properly restrict the consumer key to consumer-issued tokens. This potentially includes every application that supports personal account authentication, such as SharePoint, Teams, and OneDrive, among others.
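The Storm-0558 failure is a validation bug as much as a key leak: a signature can be perfectly valid and the token still untrustworthy if the key that produced it was never meant to sign for that issuer. The following is an added example, not Microsoft's code or anything from the original post, of a token verifier that binds each signing key to the issuers it may vouch for. Key IDs, secrets, issuer URLs and audience names are made up, and HS256 (HMAC) stands in for the RSA keys real identity platforms use so the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key material for this example (made-up key IDs and secrets).
# Each signing key is bound to the issuer(s) whose tokens it may sign. Real
# MSA and Entra ID keys are RSA pairs published via JWKS; HMAC is used here
# only to keep the example dependency-free.
KEYS = {
    "consumer-key-1": {
        "secret": b"consumer-signing-secret-example",
        "issuers": {"https://login.live.com"},
    },
    "enterprise-key-1": {
        "secret": b"enterprise-signing-secret-example",
        "issuers": {"https://login.microsoftonline.com/contoso"},
    },
}
ENTERPRISE_ISS = "https://login.microsoftonline.com/contoso"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256 JWT under key `kid`. Signing deliberately performs no
    issuer check: whoever holds the key can sign any claims, which is the
    whole problem once a key leaks."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str, now: Optional[float] = None) -> dict:
    """Validate the signature, then bind the key to the issuer: a token whose
    `iss` is outside the signing key's scope is rejected even though its
    signature is cryptographically valid. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected_sig = hmac.new(key["secret"], f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    # The check that was missing in the Storm-0558 case: a consumer-scoped key
    # must not be accepted for enterprise-issuer tokens.
    if claims.get("iss") not in key["issuers"]:
        raise ValueError(f"key {header['kid']} is not trusted for issuer {claims.get('iss')}")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


def demo(now: float = 1_700_000_000) -> dict:
    """Mint a legitimate enterprise token and a forged one signed with the
    (leaked) consumer key, and report how the verifier treats each."""
    claims = {"iss": ENTERPRISE_ISS, "aud": "exchange-online",
              "sub": "alice@contoso.example", "exp": now + 3600}
    tokens = {
        "legitimate": sign_token("enterprise-key-1", claims),
        "forged_with_consumer_key": sign_token("consumer-key-1", claims),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            verify_token(tok, "exchange-online", now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The forged token carries exactly the same claims as the legitimate one and a valid signature; only the key-to-issuer binding in verify_token tells them apart, which is why key scope has to be enforced by the verifier rather than assumed from which key happened to be published where.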
Active since January 2023, Anonymous Sudan initially portrayed itself as a hacktivist group acting on behalf of oppressed Muslims worldwide. However, numerous cybersecurity experts have linked this group's activities to Russia, while Anonymous Sudan maintain that they are politically motivated anti-Western hackers from Sudan. They have conducted distributed denial of service (DDoS) attacks against multiple organizations in Sweden and other countries, including the Netherlands, Denmark, Australia, France, Israel, Germany, the UAE, and the US. Their targets span various sectors, such as financial services, aviation, education, healthcare, software, and government entities. Perhaps most notably, in June 2023, Anonymous Sudan claimed responsibility for the Layer 7 DDoS attacks that took some of Microsoft's cloud services offline, including Outlook and Azure, which Microsoft later confirmed.
Anonymous Sudan continue to exploit ideological or regional affiliations to misdirect attention and create confusion. Their campaigns highlight that analysts need to look beyond surface claims to uncover hidden agendas. Anonymous Sudan's DDoS attacks are more effective as information operations than as a means of doing real damage to their targets. Their narratives also emphasize that Russia is a friend to the Muslim world and contrast this with perceived Western hostility to Sudan. Anonymous Sudan highlights the challenge of accurate attribution in cyberspace, where threat actors can mask their true origins and motivations. Threat intelligence analysts must consider geopolitical events, regional tensions, and historical context when assessing cyber campaigns.
In March 2023, customers using the 3CX VoIP software fell victim to a never-before-seen double supply chain attack, according to Mandiant. The attack began when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise: a tampered installer for X_TRADER, a software package provided by Trading Technologies. The malware in the X_TRADER installer allowed the adversary to gain access to 3CX's network, reach the build environment used for software development, trojanize the 3CX desktop app installers, and infect a broad array of its customers. Both attacks were carried out by an APT group known as UNC4736. Mandiant assesses with moderate confidence that UNC4736 is related to financially motivated North Korean "AppleJeus" activity as reported by CISA.
The world's first double supply chain attack highlights the intricate and interconnected nature of the global software development ecosystem: the North Korea-affiliated group used one company's compromised software to compromise another. This incident, and other North Korean-linked supply chain attacks on JumpCloud and CyberLink, should make clear to software development firms that their security posture extends beyond their immediate environment to third-party dependencies and, as in the case of 3CX and X_TRADER, even fourth-party dependencies.
Following the gruesome Hamas terrorist attack against Israeli civilians on 7 October 2023, the war between Israel and Hamas in Gaza erupted and has destabilized the region. This also led to a wave of surrounding cyber activity from all manner of threat groups, including hacktivists, cybercriminals, and APT actors. The most widely reported activity has been hacktivism, owing to the public announcements claiming responsibility for attacks on social media sites such as Telegram and Twitter. The most common types of hacktivist attacks surrounding the Israel-Hamas war have been low-skilled denial of service (DoS) attacks and website defacements. In some cases, however, the hacktivists have been able to execute disruptive attacks by abusing applications for Israeli civil services, such as the Red Alert emergency warning app, to push fake alerts.
Further, some of the Iran-aligned hacktivist activity that usually targets Israel has even spilled out of the region and led to attacks on Unitronics programmable logic controllers (PLCs) used in water and wastewater treatment plants in the US; the affected devices were exposed to the internet and, in many cases, still using the vendor's default password. The threat group that claimed responsibility for this campaign was the Iran-backed Cyber Av3ngers hacktivist group, which has a history of targeting industries using Israeli-manufactured OT and ICS equipment.
The rise of state-encouraged hacktivism as a tool of warfare remains an interesting and growing trend surrounding modern conflicts. The digital offensive on Israel by pro-Palestine hacktivists mirrored the way Russian hacktivist groups targeted Ukraine and its allies during the early days of the February 2022 invasion. Further, many of the attacks on Israel originated from outside Gaza, given the territory's low internet connectivity even before the strikes, highlighting how actors in states hostile to Israel are prepared to join in against Israel and its allies from afar.
In October 2023, Citrix disclosed a critical vulnerability, tracked as CVE-2023-4966 and dubbed Citrixbleed, affecting on-premises versions of its NetScaler ADC and NetScaler Gateway platforms. Mandiant also reported that they had evidence of zero-day exploitation beginning in late August. Citrixbleed is a sensitive information disclosure vulnerability, a memory over-read, that allows remote unauthenticated attackers to extract large amounts of data from a vulnerable device's memory, including valid session tokens.
Citrixbleed quickly became an attractive vulnerability for attackers because it requires little effort to exploit and because Citrix systems are used by large enterprises and governments for application delivery and VPN connectivity. Even if an organization patched its Citrix instances, they may have been exploited before patching, and since the patch does not invalidate existing sessions, attackers holding stolen tokens keep their access after the patch is applied. Citrix's guidance therefore paired the update with terminating all active and persistent sessions on the appliance (kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, kill aaa session -all and clear lb persistentSessions). With a valid session token, an attacker can hijack an authenticated session and move into a victim's network without a password and without ever touching multi-factor authentication.
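Because a stolen token outlives the patch, the practical post-patch question is which sessions issued before the upgrade were still being used afterwards, and whether any token was replayed from a client address its owner never used. The following is an added example of that triage logic, not code from the original post or from Citrix: the session records are constructed for the example (they are not NetScaler log output, which you would have to parse or export from your SIEM first), and the patch timestamp is an assumed value.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed session-activity records (not real NetScaler log output). Each
# row is (session_cookie, user, client_ip, time) for one authenticated request
# seen by a hypothetical gateway; on a real appliance you would derive these
# from the AAA session and Gateway access logs, or from your SIEM.
EVENTS = [
    ("sess-A1", "alice", "203.0.113.10", "2023-10-09T08:00:00Z"),
    ("sess-A1", "alice", "203.0.113.10", "2023-10-09T09:30:00Z"),
    ("sess-A1", "alice", "198.51.100.77", "2023-10-11T02:15:00Z"),  # same cookie, new IP, after patching
    ("sess-B2", "bob", "192.0.2.5", "2023-10-10T12:00:00Z"),
    ("sess-B2", "bob", "192.0.2.5", "2023-10-11T12:05:00Z"),  # one IP, but issued before the patch
    ("sess-C3", "carol", "192.0.2.9", "2023-10-11T15:00:00Z"),  # issued after the patch
]

# Assumed time the appliance was patched; in practice take it from the
# change record for the upgrade.
PATCHED_AT = "2023-10-10T18:00:00Z"


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sessions_from_multiple_ips(events) -> dict:
    """Session cookies replayed from more than one client IP, the classic
    sign of a token lifted from appliance memory and reused by an attacker.
    Returns {session: sorted list of IPs}."""
    ips = defaultdict(set)
    for session, _user, ip, _when in events:
        ips[session].add(ip)
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}


def sessions_surviving_patch(events, patched_at: str) -> dict:
    """Sessions first seen before the patch and still used afterwards. The
    patch does not invalidate them, so each should have been killed
    (kill aaa session -all and friends) and is otherwise a hijack candidate.
    Returns {session: user}."""
    cutoff = _ts(patched_at)
    first_seen, last_seen, owner = {}, {}, {}
    for session, user, _ip, when in events:
        t = _ts(when)
        first_seen[session] = min(first_seen.get(session, t), t)
        last_seen[session] = max(last_seen.get(session, t), t)
        owner[session] = user
    return {s: owner[s] for s in first_seen if first_seen[s] < cutoff < last_seen[s]}


def triage(events=EVENTS, patched_at=PATCHED_AT) -> dict:
    """Combine both signals into a per-session verdict."""
    multi = sessions_from_multiple_ips(events)
    stale = sessions_surviving_patch(events, patched_at)
    verdicts = {}
    for session in sorted({e[0] for e in events}):
        if session in multi:
            verdicts[session] = "likely hijacked: used from " + ", ".join(multi[session])
        elif session in stale:
            verdicts[session] = "pre-patch session still live: terminate and re-authenticate"
        else:
            verdicts[session] = "ok"
    return verdicts


if __name__ == "__main__":
    for session, verdict in triage().items():
        print(session, "->", verdict)
```

A session flagged as "pre-patch session still live" is not proof of compromise, but it is proof that the remediation was incomplete; the multi-IP signal is the one worth paging on, and in a real hunt it should be combined with the user's known egress ranges and geolocation rather than raw address inequality alone.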
Despite Citrix releasing patches, CISA issuing an advisory, and Mandiant warning about zero-day exploitation, many organizations failed to patch and to properly remediate systems that had already been compromised. There have already been several high-profile examples. LockBit 3.0 affiliates were observed exploiting CVE-2023-4966 to gain initial access to Boeing Distribution. It is also suspected that Toyota Financial Services, Fidelity National Financial, and the Industrial and Commercial Bank of China (ICBC) have been victims of Citrixbleed attacks as well. From my own discussions with DFIR teams, there are now at least half a dozen or more ransomware groups that have exploited Citrixbleed too.
Okta is a company that provides identity and access management (IAM) solutions to organizations. Over the years, Okta has been involved in several breaches that compromised its customer data and systems. It is a high-value target for threat actors and is bound to attract more attacks than most. In its latest incident, from 28 September to 17 October 2023, a threat actor gained unauthorized access to HTTP Archive (HAR) files containing session tokens inside Okta's customer support system. Okta initially stated that the incident only impacted 134 customers, or less than 1% of Okta customers. However, they later admitted that the actor had also downloaded a report containing the names and email addresses of all Okta customer support system users.
The adversary was able to use the session tokens stored in the HAR files, which customers had uploaded to the Salesforce-based support system while troubleshooting, to hijack the legitimate Okta admin sessions of at least five customers, three of which disclosed the intrusion publicly (1Password, BeyondTrust, and Cloudflare).
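A HAR file is just JSON, so the tokens it carries sit in predictable places: the Cookie, Set-Cookie and Authorization headers, the cookies arrays, the URL query string, and often the request and response bodies. The sanitizer below is an added example (not Okta's tooling and not from the original post) that strips those locations before a capture leaves the customer's hands. The sample capture it runs on is constructed for the example against a hypothetical tenant; the header names are standard HTTP, and the sid cookie is Okta's real session cookie name, while the list of token-like key names is a deliberately broad assumption.

```python
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names that carry credentials outright. Cookie values are always
# redacted: the Okta session cookie (sid) is what the attacker reused.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Parameter / JSON key names that usually hold tokens. Deliberately broad;
# over-redacting a support artefact is cheap, leaking a session is not.
SENSITIVE_NAMES = re.compile(r"token|session|sid|secret|password|jwt|assertion|cookie", re.IGNORECASE)
REDACTED = "[REDACTED]"

# A constructed HAR capture (not taken from any real Okta tenant) of the kind a
# customer might upload to a support case: one request/response to a
# hypothetical tenant, carrying a session cookie, an API token header, a token
# in the query string and a session token in both bodies.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "example-browser", "version": "1.0"},
        "entries": [{
            "startedDateTime": "2023-10-02T10:00:00.000Z",
            "request": {
                "method": "POST",
                "url": "https://example.okta.com/api/v1/sessions/me/lifecycle/refresh?token=abc123",
                "headers": [
                    {"name": "Cookie", "value": "sid=102xyzSESSION; DT=devtoken"},
                    {"name": "Authorization", "value": "SSWS 00Tapitoken"},
                    {"name": "Accept", "value": "application/json"},
                ],
                "queryString": [{"name": "token", "value": "abc123"}],
                "cookies": [{"name": "sid", "value": "102xyzSESSION"}],
                "postData": {"mimeType": "application/json", "text": "{\"sessionToken\": \"20111stoken\"}"},
            },
            "response": {
                "status": 200,
                "headers": [
                    {"name": "Set-Cookie", "value": "sid=102xyzSESSION; Path=/; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": "102xyzSESSION"}],
                "content": {"mimeType": "application/json", "text": "{\"id\": \"00u1\", \"sessionToken\": \"20111stoken\"}"},
            },
        }],
    }
}


def _redact_url(url: str) -> str:
    parts = urlsplit(url)
    if not parts.query:
        return url
    query = [(k, REDACTED if SENSITIVE_NAMES.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def _redact_json(obj):
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_NAMES.search(k) else _redact_json(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_json(item) for item in obj]
    return obj


def _redact_body(text: str) -> str:
    """Redact token-like keys in JSON bodies; non-JSON bodies are left as-is
    and should be reviewed by hand before upload."""
    try:
        return json.dumps(_redact_json(json.loads(text)))
    except (ValueError, TypeError):
        return text


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of `har` with credentials removed from every entry's
    headers, cookies, URL query, queryString and JSON bodies."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in message.get("cookies", []):
                cookie["value"] = REDACTED
        request = entry.get("request", {})
        if "url" in request:
            request["url"] = _redact_url(request["url"])
        for param in request.get("queryString", []):
            if SENSITIVE_NAMES.search(param.get("name", "")):
                param["value"] = REDACTED
        post = request.get("postData", {})
        if "text" in post:
            post["text"] = _redact_body(post["text"])
        content = entry.get("response", {}).get("content", {})
        if "text" in content:
            content["text"] = _redact_body(content["text"])
    return out


def residual_secrets(har: dict, known_values) -> list:
    """Belt and braces: report which of the known secret values still appear
    anywhere in the serialized HAR, to catch locations the sanitizer missed."""
    blob = json.dumps(har)
    return [value for value in known_values if value in blob]


if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

The residual_secrets check matters more than it looks: the sanitizer only knows the locations listed above, so before uploading, grep the output for the actual cookie and token values you can see in your browser's developer tools, and if any survive, the capture was carrying them somewhere unexpected. Even a clean HAR should be treated as a credential until the support case closes, because a session that is later refreshed or re-issued can still be correlated back to it.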
The adversary reportedly got access to the support system using a stolen credential for a service account, which an Okta employee had saved in a Chrome profile that was signed into their personal Google account. The compromise likely occurred through that personal Google account or a personal device being compromised. Interestingly, 1Password reported the suspicious activity on their Okta admin account to Okta support on 29 September, and BeyondTrust did likewise on 2 October. It was not until 19 October that Okta confirmed there was an incident and notified affected customers.
This latest Okta breach serves as a reminder that security vendors remain highly susceptible to breaches. The critical role of identity providers (IdPs) in securing organizations makes them a high-value target. Organizations should continually assess the security of their vendors to prevent cascading risk. Also, using Malwarebytes Free for enterprise DFIR is not recommended.
In 2023, we saw significant
and concerning trends related to the evolution of organized cybercrime.
Cybercriminals are getting better at evading enterprise defenses during target
intrusions, while others are focusing resources into zero-day development for
mass exploitation. The collaboration between English-speaking and
Russian-speaking cybercriminals to launch data extortion and ransomware
campaigns is also a notable trend to continue monitoring.
As with previous years, the
hostile state actors from China, Russia, North Korea, and Iran continue to
launch increasingly bold and advanced intrusion campaigns. The exploitation of
zero-day vulnerabilities is par for the course for state actors, but the exploitation
of systems that leads to total appliance removal and replacement is a
concerning trend to watch.
2023 also saw more state-encouraged
hacktivism blended with government offensive cyber operations surrounding
physical conflicts. This includes disruptive attacks on Ukraine from Russia and
towards the end of the year Ukrainian hacktivists were supported by the Ukrainian
defense intelligence directorate in retaliating against Russia. Israel has also been bombarded by hacktivists from Middle Eastern and North African countries, compounded by Iranian state-sponsored attacks, as well as by state actors from Palestine and Lebanon.
Lastly, there are three other trends that kept coming up in 2023 which did not make it into my Top 10 but are more than likely to continue in 2024, and which I felt were worth a brief mention.
Firstly, many of what I would consider the top-tier malware distribution teams (the ones that provide initial access for ransomware gangs) have moved away from malspam towards SEO poisoning and malicious Google Ads (malvertising). Malspam seems to be suffering from Microsoft blocking macros in files downloaded from the internet by default, while the high prevalence of email filtering tools catches many of their other attempts. Therefore, many have switched to delivery via search engine results and sponsored ads for common enterprise tools. This is a concerning initial access vector that defenders should mitigate as soon as possible.
Secondly, multiple ransomware gangs in 2023 expanded their toolkits to terminate endpoint detection and response (EDR) systems. There has been a focus on driver-based attacks, such as Bring-Your-Own-Vulnerable-Driver (BYOVD), abusing legitimate anti-rootkit tools, and using malicious drivers signed through Microsoft's developer program. The next evolution of this, potentially in 2024, is the use of Bring-Your-Own-Virtual-Machine (BYOVM) attacks, in which the ransomware payload runs inside a VM that the host's EDR cannot see into. BlackCat/ALPHV popularised BYOVM again more recently by developing their Munchkin Linux VM in late 2023. The Ragnar Locker gang, however, which was eventually taken down in 2023, had been using the BYOVM TTP since at least 2020.
Thirdly, 2023 saw the mass
adoption of artificial intelligence (AI) chatbots in the form of large language
models (LLMs) globally. Of course, we saw some cybercriminals leveraging them
to support their campaigns, but nothing earth shattering. One of the main
concerns of law enforcement is the usage of AI chatbots by cybercriminals
for fraud. I believe the bigger issue, however, is the ability to manipulate
online content and spread disinformation. I already get asked on a frequent
basis by friends and family if official news is AI generated. The ability to
undermine and erode the trust of official communication channels by hostile
state actors is a powerful tool that will continue to be abused ever more effectively.
Nevertheless, 2023 was a
year packed full of lessons that hopefully many of the victims have learned,
albeit the hard way. Critical security technologies such as identity providers (IdPs) and EDRs were certainly put to the test. The adversaries showed the world, once
again, that no matter what security tools are bought, if they are not
configured correctly (by humans!) they will inevitably be bypassed and
exploited. 2024 will be interesting, to say the least.