In 2023, botnets returned from the dead, ransomware actors found creative ways to make money from theft, and threat actors that had been on the loose for a decade reinvented themselves to stay relevant.
The threat intelligence experts at Cisco Talos have analyzed the key developments of 2023 and summarized them in an annual review that is worth reading. The report, a reference work for the cybercrime year 2023, highlights the most important trends that shaped the threat landscape last year.
Ransomware attack vector
The greatest threat to companies in 2023 was still ransomware. For the second year in a row, LockBit held the inglorious top position in this area. As usual, the attackers focused on organizations that have limited cybersecurity resources or can tolerate little downtime, especially in the healthcare sector. Not everything was as usual in 2023, however: actors such as Clop relied on zero-day exploits, behavior normally associated with advanced persistent threat (APT) groups. Also new was that ransomware actors switched to pure extortion and skipped the encryption step entirely.
“Unfortunately, in 2023, attacks with 0-days will no longer be limited to nation-state attackers,” says Holger Unterbrink, Technical Leader of Cisco Talos in Germany. “If the target is lucrative, crimeware gangs will attack again with 0-days. Companies should take this into account in their security architecture and risk management.”
Attackers adapt their strategies
Telemetry data from Cisco Talos shows that commodity loaders from well-known families such as Qakbot and IcedID continued to be used to spread ransomware. These loaders have, however, shed all remnants of their past as banking Trojans and now present themselves as streamlined payload-delivery tools. Their developers and operators have adapted to improved defenses and found new ways to circumvent more frequent security updates. The speed with which ransomware groups recovered from law enforcement successes was also surprising: the dismantling of the Qakbot network in August 2023 was effective only for a short time. Talos' analysis suggests that the law enforcement action may not have affected the Qakbot operators' spam-sending infrastructure, only their command and control (C2) servers.
Network devices and old vulnerabilities targeted
A new, cross-regional trend is the increase in attacks on network devices by both APTs and ransomware actors. Both groups focused on vulnerabilities in the devices and on weak or incorrect credentials. This shows that network systems are extremely valuable to attackers, regardless of their specific intentions.
When it comes to exploiting application vulnerabilities, the Talos analysis shows that attackers in 2023 primarily targeted old vulnerabilities, ones that have been known for ten or more years but in many cases have still not been patched. The majority of the most commonly attacked vulnerabilities are rated as maximum or high severity by Cisco Kenna and the Common Vulnerability Scoring System (CVSS), and are also listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
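The finding above gives defenders a simple prioritization rule: an unpatched vulnerability that is old, rated high or critical, and listed in the KEV catalog is exactly the profile attackers were exploiting. The following Python script, added here as an illustration and not code from Cisco Talos or from the report, applies that rule to a vulnerability inventory. All findings, asset names and CVE identifiers in it are constructed placeholders (the `CVE-YYYY-XXXXn` ids are deliberately not real), and the KEV set is a stand-in for the real catalog; only the CVSS v3 qualitative rating ranges are taken from the CVSS specification.

```python
"""Rank open findings so that old, KEV-listed, high/critical CVEs come first.

Constructed example data: the CVE ids, asset names and KEV entries below are
placeholders, not real catalog content.
"""
from dataclasses import dataclass
from datetime import date


def cvss_rating(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating (spec ranges)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


RATING_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}


@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder CVE id
    asset: str        # hypothetical asset name
    cvss: float       # CVSS base score, 0.0 to 10.0
    published: date   # date the CVE was published
    patched: bool     # True once the fix has been deployed


def age_years(finding: Finding, today: date) -> int:
    """Approximate age in whole years (365-day years are good enough here)."""
    return (today - finding.published).days // 365


def priority_key(finding: Finding, kev: set, today: date) -> tuple:
    """Sort key: KEV listing first, then severity rating, then age."""
    return (
        finding.cve in kev,
        RATING_RANK[cvss_rating(finding.cvss)],
        age_years(finding, today),
    )


def prioritize(findings: list, kev: set, today: date) -> list:
    """Return unpatched findings, most urgent first."""
    open_findings = [f for f in findings if not f.patched]
    return sorted(open_findings, key=lambda f: priority_key(f, kev, today), reverse=True)


def stale_kev_findings(findings: list, kev: set, today: date, min_age_years: int = 10) -> list:
    """Unpatched, KEV-listed findings at least min_age_years old: the profile
    the Talos analysis says attackers preferred in 2023."""
    return [
        f for f in prioritize(findings, kev, today)
        if f.cve in kev and age_years(f, today) >= min_age_years
    ]


# Constructed sample data (placeholder ids, documentation-style asset names).
KEV_SAMPLE = {"CVE-2012-XXXX1", "CVE-2017-XXXX2"}
FINDINGS = [
    Finding("CVE-2012-XXXX1", "vpn-gw-01", 9.8, date(2012, 3, 1), False),
    Finding("CVE-2017-XXXX2", "web-01", 8.1, date(2017, 6, 1), False),
    Finding("CVE-2023-XXXX3", "web-01", 9.1, date(2023, 2, 1), False),
    Finding("CVE-2010-XXXX4", "db-01", 5.0, date(2010, 1, 1), True),
    Finding("CVE-2014-XXXX5", "mail-01", 7.5, date(2014, 4, 1), False),
]
TODAY = date(2023, 12, 31)

if __name__ == "__main__":
    for f in prioritize(FINDINGS, KEV_SAMPLE, TODAY):
        flag = "KEV" if f.cve in KEV_SAMPLE else "   "
        print(f"{flag} {f.cve} {f.asset:10} {cvss_rating(f.cvss):8} age={age_years(f, TODAY)}y")
    print("stale KEV:", [f.cve for f in stale_kev_findings(FINDINGS, KEV_SAMPLE, TODAY)])
```

The ordering deliberately puts KEV membership above raw CVSS score: a high-rated bug that is known to be exploited in the wild outranks a critical one with no observed exploitation, which matches the report's point that age and severity alone are not what attackers select on.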
The use of social engineering for operations such as phishing and business email compromise (BEC) also continued unabated in 2023. However, as a result of Microsoft disabling macros by default in 2022, attackers are increasingly using other file types to hide their malware. PDFs were the most frequently blocked file extension this year.
APT activities demonstrate geopolitical instability
The analysis of APT groups from China, Russia and the Middle East takes up a lot of space in the Cisco Talos Report 2023. The telemetry data clearly reflects an increase in suspicious data traffic parallel to geopolitical events. The West's increasingly tense relations with countries from the Asia-Pacific region have led to an increased willingness by APT groups from China to cause damage - especially in the area of critical infrastructure in countries such as Taiwan.
As for the Russian APTs, Gamaredon and Turla targeted Ukraine, as expected. Interestingly, however, Russian activities did not demonstrate the full range of their destructive cyber capabilities. Gamaredon primarily targeted facilities in North America and Europe, with a disproportionate number of victims in Western Europe. The Iranian state-sponsored APT actor MuddyWater remained a major Middle Eastern threat actor in 2023. However, industry countermeasures have impacted the group's ability to use its standard tools, including the Syncro remote management and monitoring (RMM) platform.
The events in early October 2023 between Hamas and Israel contributed to several politically motivated hacktivist groups launching uncoordinated and mostly unsophisticated attacks against both sides. A similar development could already be observed at the beginning of the Russia-Ukraine war. Cisco Talos expects that the complicated and dynamic geopolitical environment in the Middle East will also impact the cyber domain.
Additional insights from the Talos Report:
The use of valid accounts was one of the most commonly observed MITRE ATT&CK techniques, highlighting that attackers rely on compromised credentials at various stages of their attacks.
New ransomware variants used leaked source code from other RaaS groups. This also enabled less experienced actors to get started with ransomware extortion.
Suspicious network traffic showed sharp increases coinciding with major geopolitical events and global cyberattacks, such as the large-scale DDoS attack on Microsoft Outlook.
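Because a login with a compromised but valid credential succeeds, it leaves no error to alert on; the observation above (MITRE ATT&CK Valid Accounts, T1078) is therefore usually detected from context rather than from failures. The Python script below, added here as an illustration and not code from Cisco Talos or the report, shows two such context checks over authentication log lines: a success that follows a burst of failures from the same source, and a success from a source address never seen for that account. The log format, the baseline of known sources and the log lines themselves are constructed for the example (addresses come from the RFC 5737 documentation ranges); a real deployment would read the equivalent fields from its own identity provider or VPN logs.

```python
"""Flag successful logins that look like use of a compromised valid account.

Constructed example: the log format, baseline and sample lines are invented
for this illustration, not taken from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log line layout: "<ISO timestamp> user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def detect_valid_account_abuse(lines, baseline, window=timedelta(minutes=10), burst=3):
    """Return (user, src, reasons) for each suspicious *successful* login.

    baseline maps each account to the set of source addresses it has
    historically authenticated from.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # (user, src) -> timestamps of failures
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines rather than crash the detector
        key = (ev["user"], ev["src"])
        fails = recent_failures[key]
        # Drop failures that fell out of the sliding window.
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()
        if ev["result"] == "failure":
            fails.append(ev["ts"])
            continue
        reasons = []
        if len(fails) >= burst:
            minutes = int(window.total_seconds() // 60)
            reasons.append(f"success after {len(fails)} failures within {minutes} min")
        if ev["src"] not in baseline.get(ev["user"], set()):
            reasons.append("success from source not in baseline")
        if reasons:
            alerts.append((ev["user"], ev["src"], reasons))
        fails.clear()  # a success resets the failure streak for this pair
    return alerts


# Constructed sample log and baseline (documentation address ranges).
SAMPLE_LOG = """
2023-11-02T03:14:07Z user=alice src=203.0.113.45 result=failure
2023-11-02T03:14:19Z user=alice src=203.0.113.45 result=failure
2023-11-02T03:14:31Z user=alice src=203.0.113.45 result=failure
2023-11-02T03:15:02Z user=alice src=203.0.113.45 result=success
2023-11-02T09:01:10Z user=bob src=198.51.100.7 result=success
2023-11-02T09:30:44Z user=carol src=192.0.2.99 result=success
""".strip().splitlines()

BASELINE = {
    "alice": {"10.0.0.5"},
    "bob": {"198.51.100.7"},
    "carol": {"192.0.2.10"},
}

if __name__ == "__main__":
    for user, src, reasons in detect_valid_account_abuse(SAMPLE_LOG, BASELINE):
        print(f"{user} from {src}: {'; '.join(reasons)}")
```

The baseline check is the one that catches a quietly reused credential with no failures at all, which is why it is worth maintaining per-account source history even when failed-login alerting already exists; the burst check adds the password-guessing-then-success pattern on top.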
About Cisco
Cisco is the world's leading technology company that makes the Internet possible. Cisco is opening new possibilities for applications, data security, infrastructure transformation and the empowerment of teams for a global and inclusive future.