The Year 2023 in Cybersecurity [CPRadio]

Apr 14, 2024 · 22 min

Episode description

Once every year, Check Point releases an annual report reviewing the biggest events and trends in cybersecurity. In this episode we'll break down the latest iteration, focusing on its most important parts, to catch you up on what you need to know most in 2024.

Transcript

Produced by PI Media. Hi listeners, and welcome to CP Radio. I'm Randler. It's that time of the year again. Once annually, Check Point Research publishes an annual report summarizing all of the most important industry trends and events of the year prior. It's like a cheat sheet in case you forgot anything or just didn't pay attention, like my lazy writer Nate.

Well, no, oh no, I was totally listening to you talking about, what was it, cooking tips.

These reports have to be very long and detailed to even begin to cover the vast world of cyber attacks that grows with each passing year, and so every year we do one of these episodes. Rather than sift through every little detail, Nate interviews an author of the report. Returning this time is Yoav Pinkas, threat intelligence analyst at Check Point Research. In the next twenty-five minutes, Nate and Yoav discuss what you need to know about cybersecurity from twenty twenty-three and what you might want to learn from it.

Hey Yoav, and welcome back to the show. Before we get started, maybe a little primer for the audience about what we're going to be doing here.

Hi, Nate, good to be here. Thanks for having me. We're back with the Check Point Research Annual Cybersecurity Report, in which we focus on attack trends. This is a periodic analysis, and I think we last spoke on our mid-year review in twenty twenty-three. In this publication, we review cyber attacks in twenty twenty-three, so not developments in security solutions or a survey of professional opinions and predictions, but rather data-based observations from attacks occurring throughout twenty twenty-three. In preparation for this publication, we collected and analyzed data from billions of events, hundreds of thousands of gateways, sensors, open source intelligence, and we try to identify current trends in this ecosystem. The full report is available online at research dot checkpoint dot com. The report itself has a data section where we review global malware statistics like top malware families, top malware types, and many more points that are better presented visually, so I highly recommend listeners to download and review the full PDF or interactive version. In addition to the data chapter, we choose a few subjects and address them more lengthily.

So what does the report actually cover?

In this report, we deal with ransomware and the recent increase in zero-day exploitation by ransomware threat actors. We review this year's attacks on edge devices. We have a chapter dealing with the developments in state-affiliated hacktivism, which, with the recent conflicts in Ukraine and Israel, has become a major medium in which nation states conduct hostilities with varying levels of taking responsibility for their attacks. Two more trends that we cover: the growing number of exploitations and challenges in token security, a technology crucial for remote access and authentication in cloud environments. And lastly, we discuss the rise in malicious software packages within open source repositories, a phenomenon which risks software supply chains.

Let's take it one at a time, then. Tell me what's been going on in the world of ransomware.

On our last podcast, we discussed how ransomware is considered the number one threat for businesses, and we reviewed its mechanisms of double extortion and how different actors assume different roles in the attacks, from ransomware-as-a-service providers to affiliates through to initial access brokers, all working in sync to conduct attacks. Now, we routinely monitor ransomware shame sites. These are the platforms where ransomware-as-a-service actors publish the identity and materials of their victims in order to increase their pressure for payment, and we've seen a notable increase in the number of published victims this year. Victims published on shame sites are those who do not pay the ransom demands, at least not at the time of publication. The actual number of victims is assumed to be much higher than this count. There have been more than five thousand victim companies published on ransomware shame sites in twenty twenty-three by almost seventy active ransomware groups. LockBit with twenty-one percent of all published victims, ALPHV with nine percent, and Clop have been the most active ones in this sense, publishing the most victims. This is a ninety percent increase in the number of published victims from twenty twenty-two. Law enforcement had several operations against these entities. There was a CISA-led operation against ALPHV and another recent one against LockBit, but most of the time they return to regular activity after just a few weeks. Typically, the most targeted country is the US, with forty-five percent of victims from the United States. It is followed by the UK, Canada, Germany, and Italy, western industrialized countries, all of them. We already previously reported on ransomware mega-attacks, but now with twenty twenty-three in full view, we can definitely title this a trend, both of mega-attacks in the sense of hitting a large number of victims, and also highlight the growing use of zero-day vulnerabilities exploited to achieve them.

Give me a sense for what these large-scale attacks look like.

The Clop group exploited the zero-day vulnerability in the GoAnywhere secure file transfer tool, resulting in breaches that affected over one hundred and thirty organizations. Then in early June, Clop exploited another zero-day vulnerability that enabled it to access another file transfer platform, MOVEit, which led to the compromise of more than two thousand six hundred organizations. Clop already conducted a similar attack back in twenty twenty-one, when it exploited a zero-day vulnerability in Accellion's legacy file transfer appliance. In all these cases, the targets were carefully selected because of a high volume of customers, because of data quality, and for the ability, or the probability, of spreading the attack to additional victims through them. Notably, Clop chose not to encrypt the victims' data, but threatened to expose or sell it only. This extortion strategy is effective even with victims who regularly maintain backups and employ data restoration procedures. It also decreases the chance of detection during the noisy encryption phase of an attack, and it relieves cyber criminals from the burden of managing decryption keys and the associated, quote, customer service responsibilities related to multiple file decryption.

And we kind of skipped over it. What are zero-day vulnerabilities, for those unfamiliar?

Zero-day exploits are such vulnerabilities that at the time of an attack are not known to the industry and to the producers of the attacked services. They're highly sought after and are traded in a thriving market. The price of a zero-day exploit depends on the targeted system and the nature of the vulnerabilities, and they can range from several thousand dollars to as much as two and a half million dollars. That's for zero-click full control with persistence on mobile platforms. There are legal markets for the sale and purchase of zero-days, like Zerodium, but there is also a very live underground market in which typically exploit prices are even higher. We need to understand that zero-day vulnerabilities have a limited shelf life. The more they're exploited, the higher the likelihood of detection and subsequent patching. Therefore, after an attacker starts using such an exploit, there's a time race to achieve as many victims before the producers publish a patch and the exploit becomes much less effective. Now, unlike adding features to malware, for a ransomware actor to invest in a zero-day vulnerability, the investment has to be recovered by the income generated from a relatively short-lived attack. What we can clearly understand from this is that the increase in expensive zero-day utilization for ransomware attacks indicates that, at the end of the day, these operations have very high yields.

How much yield are we talking here?

Some estimate that Clop could earn between seventy-five to one hundred million dollars from the MOVEit attack alone. Estimates of actual ransom payments can be challenging, but it is safe to assume that they more than covered the cost of zero-day purchase or development.

Okay, so back to what you're saying about these large-scale ransom attacks.

After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with Clop were observed exploiting a zero-day vulnerability in the SysAid IT support software, potentially impacting more than five thousand customers. And beyond Clop, Akira and LockBit, two of the most prolific ransomware actors, have also been exploiting a new zero-day vulnerability in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts. Other financially motivated advanced groups like DarkCasino have exploited the WinRAR vulnerability reported in twenty twenty-three to steal from online traders. Just for reference, the suggested price for a WinRAR RCE exploit on Zerodium is eighty thousand dollars. In another incident, the Nokoyawa ransomware was deployed by a financially motivated actor after exploiting a zero-day in Windows for privilege elevation. The likelihood of a growing trend in the use of costly zero-day exploits depends primarily on economic considerations. If threat actors are convinced that the potential returns outweigh the investment, we can expect an increase in these types of attacks.

Then how do we tip those scales so that the investment outweighs the return?

From a security point of view, effectively safeguarding against zero-day attacks presents a complex challenge. Patching is far from enough, and backups do not provide protection from data-publication-based extortion, and this emphasizes the importance of implementing robust measures such as endpoint anti-ransomware solutions, data loss prevention (DLP) mechanisms, and extended detection and response (XDR) products.

Fine. So that's that. As we promised earlier, though, there are other matters we still need to cover in only the short time we have here. Now, maybe something which is more to do with nation-state actors and espionage.

The next chapter deals with attacks focusing on edge devices. An edge device, just so we're clear: these are the devices that serve as the entry points into networks, so we're talking routers, switches, gateways, that kind of thing. Edge devices have been under-prioritized in security strategies for a long time. Traditionally, some edge devices and IoTs have been exploited by cyber criminals to set up botnets for DDoS attacks and to orchestrate spam campaigns. These were often disregarded, but what we've seen this year is a peak of attacks where edge devices have become the target of nation-state APTs and then sophisticated, financially motivated threat actors, who are using them either as a part of sophisticated communication infrastructure or as entry points for penetrating the broader network systems of carefully selected entities and devices. For example, a recent CPR, Check Point Research, report revealed a Chinese operation targeting TP-Link routers by a Chinese APT called Camaro Dragon. They deployed a custom backdoor we called Horse Shell to maintain persistence as well as for file transfer and network tunneling. This way, they could use a net of TP-Link routers to anonymize their communication and make their detection more difficult. Edge devices are not only targeted to be used as components of communication infrastructure, but also as initial entry points to networks. So in a sophisticated operation reported by Microsoft in May, the Chinese state-sponsored Volt Typhoon APT employed a double-use strategy. This group exploited small home or office devices and integrated them into their communication infrastructure, called the KV botnet. This botnet was then used to disguise CnC communications from other compromised edge devices within critical infrastructure organizations in the United States. Now, unlike Camaro Dragon, this case did not involve dedicated custom malware, but rather the KV botnet used end-of-life Cisco and DrayTek routers as well as Netgear firewalls, and then, separately to this assembly of hidden communication infrastructure, the attackers breached Fortinet FortiGate devices in critical US infrastructure facilities and used them as gateways for espionage and potential disruption, hiding their communication using the home-office KV botnet. Not only end-of-life, unpatched, known vulnerabilities are used to exploit edge devices. Mandiant researchers reported extensive zero-day exploitation and employment of customized malware to target edge and network devices by Chinese APTs. For example, what they call UNC4841 conducted a global espionage campaign by exploiting a zero-day vulnerability in another edge device, the Barracuda Email Security Gateway, ESG. This was one of the most aggressive campaigns reported this year. Attackers targeted public and private sector entities worldwide, with an emphasis on those in the Americas, so almost one third of the affected organizations identified were government agencies. In this specific attack, in response to the discovery and mitigation efforts by defenders, the attackers fought back and deployed additional malware designed to maintain persistence on a subset of the breached entities. This aggressive, persistent campaign has led to the exceptional supplier recommendation to replace all these physical ESG appliances. They were declared unsafe and beyond repair.

And all of the cases you just mentioned were carried out by Chinese actors, which is pretty remarkable, but I assume that they're not the only ones doing this, right?

The recent increase in targeting of edge devices is not exclusive to Chinese actors. Russia's military-intelligence-affiliated APTs extensively use this strategy against Ukrainian targets during the ongoing conflict. Since the start of the Russian-Ukrainian war, a series of cyber attacks significantly damaged Ukraine's energy, media, telecommunications and financial industries, as well as government agencies. The intensity and volume of these attacks were achieved by compromising edge devices, enabling Russian threat actors to maintain persistent access to targeted networks and conduct multiple attacks over time. The Russian APT28 group was observed deploying the Jaguar Tooth malware, which was specifically designed to exploit vulnerabilities in Cisco routers, which, despite being known since twenty seventeen, have still proven to be effective. Going beyond Ukraine, in late twenty twenty-three, the Russian Sandworm APT targeted Denmark's infrastructure and energy sectors, in what signals a significant escalation targeting entities outside of Ukraine. They executed attacks on twenty-two Danish entities, exploiting two zero-day vulnerabilities in Zyxel firewalls. This gave attackers remote code execution, RCE, capabilities on breached platforms, and as a result, several companies were forced to stop normal operations and temporarily resort to island mode. This shows Sandworm's, the Russian Sandworm's, extensive capability to exploit vulnerabilities and coordinate attacks on a wide scale. This trend has gone beyond nation-state actors, and now financially motivated threat groups are also targeting edge devices. Cactus, Akira, and LockBit all have been reported to exploit misconfigured and vulnerable Citrix and Fortinet VPN devices in their attacks. Groups like FIN8, LockBit and Medusa used critical unpatched vulnerabilities in Citrix NetScaler devices to compromise companies. These attacks progress to the deployment of persistent webshells that remain active even after patching and rebooting.

To summarize, then, we're talking about some of the world's most sophisticated actors here across major countries, from both the state and the cyber underground, all of whom are targeting these edge devices. How, then, do cyber defenders even begin to address this issue?

This trend of edge device exploitation, starting from nation-state actors and extending, as often happens, to financially motivated criminals, emphasizes the need to extend protections to what previously were overlooked appliances: VPNs, routers, and even security devices themselves.

Are there any other trends that we need to cover before hopping off here?

I think that's it for now. For more details on these subjects and on hacktivism, code repositories, access tokens, and much more, you're very welcome to the full report. Thank you for having me.

That's it for this episode. Thank you for listening. To find this year's full report, visit research dot checkpoint dot com and scroll down to roughly the middle of the page. It's right there. And if you click the CPR Podcast channel in the top menu, you'll find all of our past episodes. CP Radio is produced by PI Media. Ela Shemish is our producer. I'm Randler, see you next episode. Bye bye.

Transcript source: Provided by creator in RSS feed.