Top 10 Cyber Threats of 2023

Introduction

2023 was packed with a multitude of significant events that caused many to rethink their entire security strategies, especially their vendors and their team size. Unfortunately, we saw thousands of layoffs in the technology sector, including cybersecurity teams. This is despite the unrelenting and omnipresent threat of an ever growing number of cyber adversaries.

The Top 10 Cyber Threats of the year that I believe are worth focusing on in this blog revolve around several common themes, like the use of zero-day exploits, supply chain attacks, targeting identity providers, as well as intentionally disruptive campaigns.

#1 CL0P mass exploitation campaigns

Since 2020, a professional cybercrime syndicate known as CL0P shifted from targeted big game hunting ransomware campaigns to mass data-theft-extortion attacks, minus the deployment of ransomware. Around 27 May 2023, the CL0P group exploited a zero-day vulnerability in the MOVEit file transfer server, tracked as CVE-2023-34363, owned by thousands of organizations. CL0P’s MOVEit campaign was arguably one of the largest mass data breaches in history. Millions of people have been impacted by the MOVEit campaign through third-party service providers being compromised. Plus, it is estimated that CL0P has made between $75m and $100m from the MOVEit campaign, according to the incident response firm Coveware, which specialises in cyber extortion.

CL0P’s focus on data exfiltration, as evidenced in the targeting of file transfer solutions, suggests that over the past few years data encryption alone is no longer enough of an incentive for victim organizations to pay ransom demands, potentially due to the prevalence of backup software to recover files. Data exfiltration and threats to publish stolen data appear to hold much more weight with their victims and are largely what has powered double extortion and for many ransomware groups to find success. Other ransomware groups, such as BianLian, have also shifted away from data encryption, and we may see more affiliates going this way and a potential decline in RaaS services in the future.

#2 ScatteredSpider campaigns

Ever since the Twilio campaign, the ScatteredSpider group (aka Star Fraud, 0ktapus, ScatterSwine, UNC3944 or Octo Tempest) has taken the industry by storm, culminating in an incident that cost MGM Resorts an estimated $100m. This group’s tradecraft varies significantly from many traditional organized cybercrime groups, potentially because they are English-speaking threat actors.

ScatteredSpider are infamous for their brazen social engineering attacks, using techniques such as SMS phishing, voice phishing (vishing), and SIM swapping. Once they have obtained enterprise user credentials, they have many ways to maintain access. They will install remote monitoring and management (RMM) tools, use the Bring-Your-Own-Vulnerable-Driver (BYOVD) trick to terminate security services, enrol new devices to comply with controls, spin up virtual machines (VMs) using Cloud tools, and even abuse endpoint detection and response (EDR) systems, such as CrowdStrike Real Time Responder (RTR) to run arbitrary commands.

ScatteredSpider has a diverse set of targets, which shifted as their campaigns evolved. Initially, the group targeted mobile carriers providers and business process outsourcing (BPO) firms to initiate SIM swapping attacks, mainly to steal cryptocurrency. They then altered their campaign towards data theft extortion against IT service providers, gaming, hospitality, retail, managed service providers (MSPs), manufacturing, and the technology sector. In mid-2023, ScatteredSpider also began working with the Russian-speaking BlackCat/ALPHV ransomware gang, notably by listing Reddit as a victim on BlackCat/ALPHV’s data leak site. ScatteredSpider has also resorted to physical threats and are affiliated with English-speaking Violence-as-a-Service gangs.

The interesting thing about ScatteredSpider is that they display a level of understanding around enterprise security tooling like EDRs and single sign-on (SSO) or Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) that you would expect from a seasoned Sysadmin or Red Teamer. Their knowledge is so good in fact, that I actually suspect these operators might have worked in the cybersecurity or managed services industry at some point. Either that, or after each victim they take what they learned and put it immediately into practice.

#3 Iranian state-sponsored destructive attacks

In February 2023, it was reported that the Technion Israel Institute of Technology, one of Israel's leading research universities was struck by DarkBit ransomware. In April 2023, Microsoft disclosed details about the suspected Iranian state-sponsored DarkBit destructive attack. The adversary responsible is tracked as DEV-1084, which partnered with another Iranian APT actor named MERCURY (now tracked as Mango Sandstorm or MuddyWater). The APT’s actions were aimed at both on-premises and cloud environments. While they initially attempted to mask their activity as a cybercriminal DarkBit ransomware campaign, their true intent was destruction and disruption. The attack resulted in significant damage, impacting server farms, virtual machines, storage accounts, and virtual networks.

Iranian destructive cyberattacks are part of a growing trend of state-sponsored threat actors leveraging offensive cyber destructive capabilities for strategic objectives with significant implications for the global threat landscape. These attacks targeted both on-premises and cloud environments, highlighting the importance of securing hybrid infrastructures and that adversaries can traverse seamlessly between these two domains. The use of ransomware for politically-motivated destructive attacks also underscores the need for analysts to look beyond surface-level indicators and delve deeper into the attackers’ motivations and techniques.

#4 Barracuda appliances backdoored by China using a zero-day

The Barracuda Email Security Gateway (ESG) appliance had a zero-day vulnerability, tracked as CVE-2023-2868, that was exploited in-the-wild since October 2022, but not discovered until May 2023. Mandiant reported that UNC4841 was responsible, who is a suspected cyber-espionage APT actor working in support of the People’s Republic of China (PRC). After exploiting the zero-day, UNC4841 deployed three payloads, dubbed SALTWATER, SEASPY, and SEASIDE, to establish a presence on the Barracuda ESG appliances and maintain access in target networks for up to eight months.

Once embedded into target environments, UNC4841, were observed aggressively looking for specific data for exfiltration and conducted lateral movement within victim networks. This campaign impacted organizations worldwide, spanning both public and private sectors. Approximately one-third of the affected entities were government agencies from at least 16 different countries. Due to the timing of the victim disclosure notification, Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was also potentially impacted.

In an uncommon move by a cybersecurity product vendor, on 6 June 2023, Barracuda issued guidance recommending that all impacted Barracuda customers immediately isolate and replace compromised appliances.

#5 Whipping Up A Storm-0558

In July 2023, Microsoft and CISA recently disclosed a security incident impacting multiple customers of Exchange Online and Outlook. The incident reportedly stemmed from an APT actor attributed to China, tracked as Storm-0558, who acquired a Microsoft account private encryption key and used it to forge access tokens for Outlook. The overall aim of the campaign was believed to be to obtain information via acquired access to email accounts of employees within target organizations. Around May 2023, the Storm-0558 attackers stole at least 60,000 emails from Outlook accounts belonging to officials stationed across 25 organizations from East Asia, the Pacific, Europe, and the US. Affected organizations included government agencies, such as the US Department of State and US Department of Commerce.

Interestingly, Microsoft later disclosed that Storm-0558 used a consumer signing key obtained from a Windows crash dump after compromising the corporate account of a Microsoft engineer in April 2021. Wiz.io researchers also realized that even though Microsoft stated that Outlook and Exchange Online were the only applications known to have been affected, the compromised signing key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications. This potentially includes every application that supports personal account authentication, such as SharePoint, Teams, and OneDrive, among others.

#6 Anonymous Sudan

Active since January 2023, Anonymous Sudan initially portrayed itself as a hacktivist group acting on behalf of oppressed Muslims worldwide. However, numerous cybersecurity experts have linked this threat group’s activities to Russia. Anonymous Sudan, however, maintain that they are politically motivated anti-Western hackers from Sudan. They have conducted denial of service (DDoS) attacks against multiple organizations in Sweden and other countries including the Netherlands, Denmark, Australia, France, Israel, Germany, UAE, and the US. Their targets span various sectors such as financial services, aviation, education, healthcare, software, and government entities. Perhaps most notably, In June 2023, Anonymous Sudan claimed to be behind a DDoS attack that took some of Microsoft’s services cloud offline, including Outlook and Azure.

Anonymous Sudan continue to exploit ideological or regional affiliations to misdirect attention and create confusion. Their campaigns highlight that analysts need to look beyond surface claims to uncover hidden agendas. Anonymous Sudan’s DDoS attacks are more effectively information operations than actually doing damage to their targets. Their narratives also emphasize that Russia is a friend to the Muslim world and contrast it with perceived Western hostility to Sudan. Anonymous Sudan highlights the challenge of accurate attribution in cyberspace, where threat actors can mask their true origins and motivations. Threat intelligence analysts must consider geopolitical events, regional tensions, and historical context when assessing cyber campaigns.

#7 3CX Double Supply Chain Attack by North Korea

In March 2023, customers using the 3CX VoIP software were victim to a never-before-seen double supply chain attack, according to Mandiant. The attack began when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise. This earlier compromise involved a tampered installer for X_TRADER, a software package provided by Trading Technologies. The malware in the X_TRADER software allowed the adversary to gain access to 3CX's network, reach a server used for software development, corrupt a 3CX installer application, and infect a broad array of its customers. Both attacks were carried out by an APT group known as UNC4736. Mandiant assesses with moderate confidence that UNC4736 is related to financially motivated North Korean “AppleJeus” activity as reported by CISA.

The world’s first double supply chain attack highlights the intricate and interconnected nature of the global software development ecosystem. The North Korea-affiliated group successfully exploited vulnerabilities in one company’s software to compromise another. This specific incident and other North Korean-linked supply chain attacks on JumpCloud and CyberLink should highlight to software development firms that their security posture extends beyond their immediate environment and consider third-party dependencies, and in this case of 3CX and X_TRADER even fourth-party dependencies.

#8 War in Israel

Following the gruesome Hamas terrorist attack against Israeli civilians on 7 October 2023, the war between the IDF and Gaza erupted and has destabilized the region. This also led to a wave of cyber activity surrounding it from all nature of threat groups, including hacktivists, cybercriminals, and APT actors. The most widely reported type of activity has been hacktivism due to their public announcements claiming responsibility for attacks on social media sites, like Telegram and Twitter. The most common types of hacktivist attacks surrounding the Israel-Hamas war have been low-skilled denial of service (DoS) attacks and website defacements. In some cases, however, the hacktivists have been able to execute disruptive attacks by exploiting applications for Israeli civil services, such as the Red Alert emergency warning system.

Further, some of the Iran-aligned hacktivist activity that often targets Israel has even spilled out of the region and led to attacks on Unitronics Programmable Logic Controllers (PLCs) used in Water and Wastewater treatment plants in the US. The threat group that claimed responsibility for this campaign was the Iran-backed Cyber Av3ngers hacktivist group, which has a history of targeting industries using Israeli-manufactured OT and ICS equipment.

The rise of state-encouraged hacktivism as a tool of warfare remains to be an interesting growing trend surrounding modern conflicts. The digital offensive on Israel by pro-Palestine hacktivists mirrored the way Russian hacktivist groups targeted Ukraine and its allies during the early days of the February 2022 invasion. Further, many of the attacks on Israel originated from outside of Gaza, given the region’s low internet connectivity even before the strikes, highlighting how actors from states hostile to Israel are preparing to join in against Israel and its allies from afar.

#9 Citrixbleed

In October 2023, Citrix disclosed a critical vulnerability, tracked as CVE-2023-4966, affecting on-premise versions of its NetScaler ADC and NetScaler Gateway platforms, dubbed Citrixbleed. Mandiant also reported that they had evidence of zero-day exploitation beginning in August. The Citrixbleed bug is a sensitive information disclosure vulnerability that allows remote unauthenticated attackers to extract large amounts of data from a vulnerable Citrix device's memory, including sensitive session tokens.

Citrixbleed quickly became an attractive vulnerability to exploit by attackers due to it requiring little effort to leverage and that Citrix systems are used by large enterprises and governments for application delivery and VPN connectivity. Even if an organization patched its Citrix instances, they may have been exploited before patching and the attackers could still have access even after patches applied. Attackers can hijack access using legitimate session tokens to compromise a victim's network without needing a password or using two-factor authentication.

Despite Citrix releasing patches, CISA issuing an advisory, and Mandiant warning about zero-day exploitation, many organizations failed to patch and properly remediate systems that had already been compromised. There have been several high-profile examples already. LockBit 3.0 affiliates were observed exploiting CVE-2023-4966 to obtain initial access to Boeing Distribution. It is also suspected that Toyota Financial Services, Fidelity National Financial, and the Industrial and Commercial Bank of China (ICBC) have been victims of Citrixbleed attack as well. From my own discussion with DFIR teams, there are now at least half a dozen or more ransomware groups that have exploited Citrixbleed too.

#10 Okta Support System Breach

Okta is a company that provides identity and access management (IAM) solutions for various organizations. Over the years, Okta has been involved in several breaches that compromised its customer data and systems. It is a high value target for threat actors and is bound to attract more attacks than others. Its latest incident was that from 28 September to 17 October, a threat actor gained unauthorized access to HTTP Archive (HAR) files containing session tokens inside Okta’s customer support system. Okta initially stated that the incident only impacted 134 customers, or less than 1% of Okta customers. However, they later admitted that all their customers had their details exposed as well.

The adversary was able to use the session tokens stored in the HAR files uploaded by customers to the Salesforce Cloud support system to hijack the legitimate Okta sessions of at least five of customers, three of which disclosed (1Password, BeyondTrust, and Cloudflare). The way the adversary got access to the support system was reportedly via a stolen Okta employee authentication token for the service account. The compromise likely occurred due to the employee’s personal Google account or personal device being compromised. Interestingly, on 29 September, 1Password reported the suspicious activity on their Okta admin account to Okta support, which BeyondTrust also did on 2 October. It was not until 19 October that Okta confirmed there was and incident and then notified affected customers.

This latest Okta breach serves as a reminder that security vendors remain highly susceptible to breaches. The critical role of identity providers (IDPs) in securing organizations makes them a high value target. Organizations should be continually assessing the security of their vendors to prevent cascading risks. Also using Malwarebytes Free for enterprise DFIR is not recommended.

2023 Conclusion

In 2023, we saw significant and concerning trends related to the evolution of organized cybercrime. Cybercriminals are getting better at evading enterprise defenses during target intrusions, while others are focusing resources into zero-day development for mass exploitation. The collaboration between English-speaking and Russian-speaking cybercriminals to launch data extortion and ransomware campaigns is also a notable trend to continue monitoring.

As with previous years, the hostile state actors from China, Russia, North Korea, and Iran continue to launch increasingly bold and advanced intrusion campaigns. The exploitation of zero-day vulnerabilities is par for the course for state actors, but the exploitation of systems that leads to total appliance removal and replacement is a concerning trend to watch.

2023 also saw more state-encouraged hacktivism blended with government offensive cyber operations surrounding physical conflicts. This includes disruptive attacks on Ukraine from Russia and towards the end of the year Ukrainian hacktivists were supported by the Ukrainian defense intelligence directorate retaliating against Russia too. Israel has also been bombarded by hacktivists from Middle Eastern and Norther African countries, which have been compounded by Iranian state-sponsored attacks, as well as by state actors from Palestine and Lebanon.

Looking ahead

Lastly, there are two other trends that kept coming up in 2023, that did not make it to my Top 10, but are more than likely to continue in 2024, which I felt were worth a brief mention.

Firstly, many of what I would consider the top-tier malware distribution teams (the ones that provide initial access for ransomware gangs) have moved away from malspam towards SEO poisoning and Google Ads. It seems that malspam is suffering from Microsoft disabling internet macros and the high prevalence of email filtering security tools is catching their other attempts. Therefore, many have made the switch to delivery via search engine results for common enterprise tools. This is a concerning initial access vector that defenders should mitigate as soon as possible.

Secondly, multiple ransomware gangs in 2023 expanded their toolkits to terminate endpoint detection and response (EDR) systems. There has been a focus on using driver-based attacks, such as Bring-Your-Own-Vulnerable-Driver (BYOVD), leverage legitimate anti-rootkit tools, as well as malicious Microsoft developer-signed drivers. The next evolution to this, potentially in 2024 is the usage of Bring-Your-Own-Virtual-Machine (BYOVM) attacks. BlackCat/ALPHV popularised BYOVM again more recently by developing their Munchkin Linux VM in late 2023. The Ragnar Locker gang, however, who was eventually taken down in 2023, began using the TTP of BYOVM since at least 2020.

Thirdly, 2023 saw the mass adoption of artificial intelligence (AI) chatbots in the form of large language models (LLMs) globally. Of course, we saw some cybercriminals leveraging them to support their campaigns, but nothing earth shattering. One of the main concerns of law enforcement is the usage of AI chatbots by cybercriminals for fraud. I believe the bigger issue, however, is the ability to manipulate online content and spread disinformation. I already get asked on a frequent basis by friends and family if official news is AI generated. The ability to undermine and erode the trust of official communication channels by hostile state actors is a powerful tool that will continue to be abused ever effectively.

End

Nevertheless, 2023 was a year packed full of lessons that hopefully many of the victims have learned, albeit the hard way. Critical security technologies such as IDPs and EDRs were certainly put to the test. The adversaries showed the world, once again, that no matter what security tools are bought, if they are not configured correctly (by humans!) they will inevitably be bypassed and exploited. 2024 will be interesting, to say the least.

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

Tips for Investigating Cybercrime Infrastructure