If the cyber world learned anything from 2023, it is that attack vectors never simply disappear: botnets come back from the dead, ransomware actors find creative new ways to monetise theft, and threat actors that have been up to mischief for a decade reinvent themselves to stay relevant. The threat intelligence experts at Cisco Talos have analysed the key developments of 2023 and summarised them in a year-in-review report that is well worth reading.
The report, a reference work for the cybercrime year 2023, highlights the most important trends that have shaped the threat landscape over the last 12 months.
Ransomware as an attack vector
Ransomware continued to pose the greatest threat to companies in 2023. For the second year in a row, LockBit took the inglorious top position in this area. As usual, attackers focussed on organisations with limited cybersecurity resources or a low tolerance for downtime – particularly in the healthcare sector. However, 2023 was not business as usual: actors such as Clop relied on zero-day exploits, behaviour that is usually associated with the activities of APT (Advanced Persistent Threat) groups. Also new was that some ransomware actors switched to pure extortion and skipped the encryption step altogether.
“Unfortunately, in 2023, attacks with 0-days were no longer limited to attackers from the nation state sector,” says Holger Unterbrink, Technical Leader of Cisco Talos in Germany. “If the target is lucrative, crimeware gangs will also attack with 0-days again. Companies should take this into account in their security architecture and risk management.”
The telemetry data from Cisco Talos shows that commodity loaders from well-known families such as Qakbot and IcedID are still being used to spread ransomware. However, these loaders have shed all remnants of their past as banking Trojans and now present themselves as streamlined tools for delivering payloads. Their developers and operators have adapted to improved defences and found new ways to circumvent the more frequent security updates. The speed with which ransomware groups have recovered from law enforcement successes has also been surprising. For example, the takedown of the Qakbot network in August 2023 was only effective for a short time. Talos’ analysis suggests that the law enforcement actions may not have affected the Qakbot operators’ spam delivery infrastructure, but only their command-and-control (C2) servers.
Targeting network devices and legacy vulnerabilities
A new, cross-regional trend is the increase in attacks on network devices by both APTs and ransomware actors. Both groups are focussing on vulnerabilities in the devices themselves and on weak or misconfigured login credentials. This shows that network systems are extremely valuable to attackers – regardless of their specific intentions.
In the area of application vulnerability exploitation, the Talos analysis shows that attackers in 2023 were primarily targeting old vulnerabilities: flaws that have been known for ten years or more but in many cases have still not been patched. The majority of the most frequently attacked vulnerabilities are classified as critical or high severity by Cisco Kenna and the Common Vulnerability Scoring System (CVSS), and are also listed in CISA’s Known Exploited Vulnerabilities catalogue.
The use of social engineering for operations such as phishing and Business Email Compromise (BEC) also continued unabated in 2023. However, as a result of Microsoft disabling macros by default in 2022, attackers are increasingly using other file types to hide their malware. PDFs, for example, were the most frequently blocked file extension this year.
APT activities show geopolitical instability
The Cisco Talos Report 2023 devotes considerable space to analysing APT groups from China, Russia and the Middle East. The telemetry data clearly reflects an increase in suspicious data traffic in parallel with geopolitical events. The increasingly tense relations between the West and countries in the Asia-Pacific region led to an increased willingness on the part of Chinese APT groups to cause damage – especially to critical infrastructure in countries such as Taiwan. Among Russian APTs, Gamaredon and Turla targeted Ukraine, as expected. Interestingly, however, the Russian activities did not show the full range of their destructive cyber capabilities. Gamaredon primarily targeted facilities in North America and Europe, with a disproportionately high number of victims in Western Europe. The Iranian state-sponsored APT actor MuddyWater remained a major threat actor from the Middle East in 2023. However, industry countermeasures have impacted the group’s ability to use its standard tools, including the Syncro remote monitoring and management (RMM) platform. The events between Hamas and Israel in early October 2023 contributed to several politically motivated hacktivist groups launching uncoordinated and mostly unsophisticated attacks against both sides. A similar development could already be observed at the beginning of the Russia-Ukraine war. Cisco Talos assumes that the complicated and dynamic geopolitical environment in the Middle East will continue to have an impact on the cyber sector.
Other findings from the Talos Report:
- The use of valid accounts was one of the most commonly observed MITRE ATT&CK techniques, highlighting that attackers are using compromised credentials at various stages of their attacks.
- New ransomware variants utilised leaked source code from other RaaS groups, allowing less experienced actors to enter the ransomware extortion game.
- Suspicious network traffic showed a sharp increase in activity that coincided with major geopolitical events and global cyberattacks – such as the large-scale DDoS attack on Microsoft Outlook.
Download the report: https://blog.talosintelligence.com/cisco-talos-2023-year-in-review/
Summary of the monthly cyber events of 2023: https://blog.talosintelligence.com/year-in-malware-2023-timeline/