Produced by PI Media. Hi, and welcome to CPRadio. I'm your host, Ran Levi. Once a year, Check Point Research releases a mid-year report, a summary of the first half of the calendar year in cybersecurity, including all of the major changes, trends and events that befell January through June. Obviously, a lot happens in that time, and so the reports end up rather long, which is why sometimes we'll do one of these episodes to summarize not every detail, but the biggest, most important things you should know. The interviews are hosted by Nate Nelson, the writer of our show, and feature one of Check Point Research's lead intelligence analysts. This time, a familiar face: Yoav Arad Pinkas. So sit back. Over the next twenty-five minutes or so, Nate and Yoav will give you a brief picture of the first half of the year 2023, in case you missed any of it, or maybe you just need a refresher. I'll see you at the end of it. Enjoy.

Hey Yoav, welcome back to the program. Want to let listeners know what we have in store for them in this episode?

Hi Nate, good to be here again. The last time we talked, we discussed Check Point Research's 2023 Annual Report, and this time we have the 2023 Mid-Year Report, which we published just a few weeks ago. This edition is more concise but has the same general structure as before, and it is based on the analysis of anonymized data collected from hundreds of thousands of gateways of our customers throughout the world. This data, combined with OSINT research, gives us a pretty good picture of the current trends in the cyber attack scene. So in this report, we analyze the major trends in cyber attacks and present the data concerning the major attacked industries, infection methods, top malware, and more.

Maybe you can be a little more specific about exactly what's covered in the report.

The report itself includes an analysis of the ransomware ecosystem and its developments, which we'll go into in a minute, but also reviews developments in hacktivism and the recent threats in the mobile arena. We review what is probably going to be the major theme for which 2023 will be remembered in history, the developments in AI and their implications for the cyber field, and much, much more.

Of course, we don't have nearly enough time to cover every one of these subjects, so today let's just focus on a few that we think are extra important. Firstly, what's happening with ransomware?

So ransomware is still considered the number one threat for businesses of all sizes, in the sense of the damage that it generates, in both direct and indirect damages. These are the ransom payments, but also loss of business and exposure to lawsuits, GDPR related, for both customers and employees. But not just the damages. It's also more widespread, I think, than you might think. So from analyzing the cases handled by our incident response team, we find that almost half of all the cases that they investigate are ransomware-related cases. So many of the smaller incidents we see, if they're not handled properly, could develop into full-blown ransomware attacks. Now, when we say ransomware today, we mean not that it's an attack where data is encrypted, or not just that, but rather that the motivation behind the attack is to generate financial profit through the extortion of the victims. This is now an entire ecosystem whose main actors are ransomware-as-a-service (RaaS) threat actors that operate in a double extortion model. This means that threat actors like LockBit, Clop and many others that we'll talk about are the ones that are responsible for the malware development, but the actual operation of the attack is conducted by affiliates. The affiliates pay for the use, or share part of the revenue with the ransomware-as-a-service actors, and in return they can use the ransomware encryptor and other infrastructure-related services, including the reputation of the ransomware-as-a-service actors.

Yeah, can you expand on that idea? Because I think it might be strange to those unfamiliar that ransomware groups would have anything resembling a good reputation.

Ironically, reputation is an important element in this sector of the crime industry, since victims who pay large sums in extortion money rely on the reputation of the attacker for receiving decryption keys in return for their payment. These attacks normally include two strategies of extortion, both the encryption of data in the victim's systems and stealing the data and threatening to publish it later. This is the double element in double extortion. This model of operation, which is based on outsourcing the initiative to the affiliates, has created a competition between ransomware-as-a-service actors for the attention of affiliates and how to recruit them, and this competition in turn pushes for continuous development of additional features in the ransomware malware and services.

All of this is relevant today, of course, but it's not new either. So what's changed in ransomware in 2023?

One such important ability that was pushed and added to many ransomware families this year has been ransomware versatility to additional operating systems, mostly Linux. This ability opens the potential attack surface to many more systems and possible victims. So Linux-dedicated ransomware is now offered by LockBit, by Royal, by Clop, by BianLian, by Society, and it really has become the standard for ransomware. Another aspect that ransomware has been improving in is the speed of encryption, which has long been the subject of ransomware advertisements. I remember two years ago LockBit published an advertisement with an operational analysis of all available ransomware payloads, comparing their encryption speeds and claiming to be the fastest. Why is this important? Because the faster the encryption, the less time defenders have to detect and intercept the attacks, and the more chance criminals have at encrypting valuable data. This is also why most attacks conduct this critical but noisy encryption phase at non-working hours, so the attacks are mostly during nighttime or weekends or holidays, and they try to be as quick as possible. CPR has recently published an analysis of the fastest-encrypting ransomware, which we dubbed Rorschach, which was used against an American company. The average time that attackers now spend in breached networks is also getting shorter, from weeks in the past to less than a day for actors to stay in a breached network, locate and breach backup servers or Active Directories.

So to summarize, ransomware attackers are targeting previously untouched operating systems and moving faster than ever. What else?

Another aspect that ransomware-as-a-service providers are working on improving is their evasion techniques. These are basically all the features intended to work around security mechanisms. For example, we see mechanisms like restarting in safe mode. That's when the intruding ransomware restarts the machine in safe mode to exclude most security mechanisms, so this has become another common feature, again almost as standard. Leading examples are LockBit, ALPHV, Black Basta and AvosLocker.

And where have we seen all these trends bear out? Tell me about some of the notable attacks that happened this year.

Maybe the trend of the first half of 2023 is the mega ransomware attacks, where attackers breach dozens, sometimes hundreds of companies in one go. The three largest examples of this are the LockBit exploitation of the Cloud fifty-one service provider that has led to the breach of sixty other companies, and two attacks by Clop, both targeting file transfer tools. The first attack was through a service called GoAnywhere that brought down one hundred and thirty victims, and the second by exploiting a zero-day vulnerability in the MOVEit tool, which is now confirmed to have taken down one hundred, and probably more than seven hundred, companies, including Shell, Deutsche Bank, British Airways and many, many more. This is a major change from what we've become used to in this ecosystem. Until now there's been the gradual outsourcing of various parts of the attack operation to many subcontractors. So affiliates produce the attack, but they buy infections from initial access brokers, and the initial access brokers base their activity on information and leads they buy in dark web markets, where it is sold by often less technical actors who operate infostealers. But with mega attacks, one actor utilizes an expensive zero-day vulnerability to penetrate multiple victims. This creates a substantial management challenge for the threat actor. Just imagine the management of such an operation. You need to search the networks of hundreds of companies, you need to identify important information, you need to download and store it, you conduct negotiations, you need to leak it. It's really a considerable logistical challenge, and this is probably one of the reasons why they now skip the encryption phase altogether and resort to only data extortion. That means they demand money, or else they would publish the stolen information. Interestingly, this is the main trend we recognized and outlined in the previous report in December, when we noticed that threat actors started to conduct effective data extortion without encryption. And these groups are well equipped to manage gigantic breaches of so many organizations at once. In an operation of this magnitude, there are other challenges. For example, in order to download gigabytes of data from Tor infrastructure, that could take a relatively long time and thus makes the extortion threat less effective. And that's why Clop has experimented with leaking the data not in its Onion infrastructure but rather on the clear net, and in August, just a couple of weeks ago, they transformed their entire leak infrastructure to torrents. That makes it both much faster, therefore a more substantial threat for victims, and more challenging for law enforcement to take the databases offline.

Anything else before we move on from the ransomware topic?

In this report, we also publish an analysis of data scraped from ransomware threat actors' shame sites. These are the sites where they publish the identity and leak the data of non-paying victims, so it's a partial view, but it's still insightful. So what we routinely do is we monitor more than one hundred and seventy Onion sites, which are operated by over one hundred and twenty criminal groups, and in the first half of 2023 these were used to publish the identity of more than twenty-two hundred victims by nearly fifty active groups. LockBit was the most prolific actor, accounting for more than a quarter of all victims before the count of Clop's MOVEit breach, which occurred in May but was published and added to the victim count in later months. So LockBit had the most victims, and ALPHV, also known as BlackCat, and Clop followed. ALPHV is the actor responsible for the recent breach of MGM Resorts International. In terms of geographical distribution, we see that almost half of the victims are US companies. That could explain the intensive activity of American law enforcement entities against this criminal industry. They've led operations like the Hive ransomware group takedown in January this year and lead much of the international activity.

Who, I'm curious, are the victims of these stories, whether it be industry, geography, what have you?

Most of the victims are from Western countries like the US, the UK, Canada, Italy, Germany and France, but interestingly we had some Russian victims this year. Now, normally most of these groups refrain from attacking ex-USSR countries, or just generally Russian-language systems, but we did see now a substantial number of Russian victim companies. These were almost exclusively victims of the MalasLocker threat actor. This group, which emerged earlier this year, is unique not just for the identity of its victims, but also for their extraordinary ransom demand. The group asks victims to make a donation to a charity of their choice instead of paying a ransom payment directly to the group. On something maybe similar, we've again, extraordinarily, seen some Iranian victims in August. All of them were breached by a group called Arvin Club, which is traditionally focused on Iran. Another interesting finding is the analysis of the industries affected by ransomware. So what we see is that sectors that cannot, or systematically would not, pay ransomware are less affected by it. So government and military, education and research institutes, which we find at the top of our most attacked sector index when we review general cyber attacks, are not at the top of the ransomware victim industry index. They're pushed down in the ranking of most attacked sectors by manufacturing companies and retail entities, who are more income oriented and generally more willing to negotiate and pay ransomware. By US law it's forbidden, that is, to negotiate and pay ransomware. And from this analysis we can see that as an industry this principle is actually effective, and we see less of the public sector at the top of the most attacked ransomware index.

Before we finish up here, Yoav, there is another major trend that you wanted to talk about.

Another interesting issue we highlight in this report is the re-emergence of an old infection method, that of using USB drives. This is when threat actors either distribute or send by mail USB devices that have malicious mechanisms, either automatic or user-dependent, or even infections that use occasional USB drives to transfer infections from one machine to the other. Now, already in 2022, the FBI issued a warning about a campaign aiming at US defense firms, with the attackers mailing USB drives loaded with malicious payloads. And during the past few months, CPR reviewed a couple of malware families with extensive exploitation of USB devices. The first was the Raspberry Robin worm, currently one of the most widespread multipurpose malware families, that has been recorded giving access to infections such as Clop and LockBit. So Raspberry Robin can be considered as an access broker agent in this ecosystem, and one of Raspberry Robin's infection vectors is through creating malicious LNK files on USB storage devices, which infect the next machine they're inserted into. Now, this is not a primitive malware, and it is designed with an extensive set of anti-analysis mechanisms, and it is interesting to see that it still bases much of its initial infections on USB drives, which suggests that this is still an effective attack vector. We've also seen reports of nation-state APTs like the China-related Camaro Dragon, that we published research about, and the Russian-affiliated Shuckworm, which were also reported to utilize USB drives for infections, so again, take care, beware.

At the beginning of the episode, you mentioned that the report covers shifting infection vectors. So what's going on in that realm?

We've measured a significant decline in the use of Office files for infection. This is due to Microsoft's restriction on Office macros, and we have a separate podcast chapter with Sam Handelman discussing this. But it's very clear from our current gateway data that this has changed the way threat actors act. We see a drastic drop of eighty to ninety-five percent in the malicious use of Excel files of different types, and instead we see previously seldom-used attack vectors like OneNote files, which, despite being click intensive, meaning that they require multiple activations by the user, have been used to distribute malware like Qbot, Agent Tesla, RedLine and others.

Anything else before we head off? What else?

We also see further use of various archives and container files, both password protected and not. Most popular are ZIP files, which make up almost thirty percent of email-attached archives, and RAR files, but also image and ISO files. We've also seen an increase of forty-five percent in attached LNK files, and PDF files are on the rise, so threat actors like Qbot and many others are still exploring alternative infection chains to replace the blocked ones. I think that is it for this review. There's much more in the full edition, and you're very invited to our web page.

And that's it. Thank you, and I hope to see you next time.

That's it for this episode. Thank you for listening. To find this year's full mid-year report, visit research.checkpoint.com, and if you click the CPR podcast channel in the top menu, you'll find all of our past episodes. CPRadio is produced by PI Media. Hilas Emish is our producer. See you next episode. Bye bye.
