Networks Training

  • About
  • My Books
  • IP Tools
  • HOME
  • Cisco Networking
    • Cisco General
    • Cisco IOS
    • Cisco VPN
    • Cisco Wireless
  • Cisco ASA
    • Cisco ASA General
    • Cisco ASA Firewall Configuration
  • Certifications Training
    • CCNA Training
    • Cisco Certifications
    • I.T Training
  • General
    • Tech News
    • General Networking
    • IP Telephony
    • Network Security
    • Product Reviews
    • Software
  • Cisco Routers
  • Cisco Switches
You are here: Home / Network Security / Cisco Talos Year in Review – Top Cyber Security Threats in 2023 and Beyond

Cisco Talos Year in Review – Top Cyber Security Threats in 2023 and Beyond

Edited By Harris Andrea

Cisco Talos, an effective threat intelligence organization, released a report reviewing major adversaries and key cybersecurity trends for the past year and predictions for the next year.

cyber security

Dave Liebenberg, head of Strategic Analysis for Cisco Talos, emphasizes the value of retrospective analysis to contextualize changes and forecast future threats in cybersecurity.

The key takeaway from Dave Liebenberg’s interview is the analysis and prediction of cybersecurity threats and challenges for 2024 which highlights the persistence of ransomware, emerging extortion strategies without encryption, crucial initial access vectors, exploitation of old vulnerabilities, and the importance of organizational culture and preventative measures for cybersecurity.

Persistent ransomware threats, with LockBit, ALPHV, Clop, and BianLian identified as the most active groups in 2023.

A trend in ransomware included exploit of Zero Day vulnerabilities by well-resourced groups like Clop, similar to Advanced Persistent Threats (APTs).

Many established ransomware groups have shifted to pure extortion tactics, threatening to leak stolen data instead of encrypting it, which overshadowed traditional ransomware in Q2 2023.

Cybercriminals often exploited public-facing application vulnerabilities, compromised credentials, and phishing as initial access vectors.

Threat actors regularly leveraged outdated software vulnerabilities, stressing the importance of implementing effective patching programs. Adversaries prefer targeting older vulnerabilities and infrastructure, which highlights the need for network modernization and proper patching.

Workers and company culture play a vital role in cybersecurity, with emphasis on adhering to security policies, password management, remote work precautions, and guarding against social engineering attacks.

Security experts should advocate for measures like multifactor authentication, network segmentation, secure credential management, and having a solid incident response plan.

Moreover, the development of AI introduces both challenges and defenses in cybersecurity, such as aiding in social engineering attacks and detecting online disinformation.

Predictions for 2024 include the continuation of ransomware, the rise of commodity loaders like Qakbot, new commodity loaders replacing disrupted ones, and ongoing targeting of Ukraine by Russian-affiliated actors and China-affiliated actors enhancing their capabilities against critical infrastructure.

Despite challenges, there is optimism for 2024 due to industry collaboration, cyber defense advancements in 2023, and the success of initiatives like the Cyber Threat Alliance and Network Resilience Coalition.

Alongside cybersecurity discussions, Cisco announced its intent to acquire Isovalent to enhance cloud networking and security based on open-source technology.

Let’s now see some notable trends and statistics regarding Cyber Security in 2023.

Table of Contents

Toggle
  • Top Ransomware Threat in 2023
  • Top Targeted Vulnerabilities in 2023
  • Top Blocked Email Attachment Extensions
  • Network Infrastructure Attacks
  • Commodity Loaders
    • Related Posts

Top Ransomware Threat in 2023

According to Talos report, the top ransomware threat in 2023 was LockBit. LockBit was identified as the most deployed ransomware variant, causing significant impact to organizations.

The LockBit ransomware operations targeted both IT (Information Technology) networks and OT (Operational Technology) networks, impacting critical infrastructure systems.

LockBit attacks have been observed to be highly impactful and disruptive. Other prominent ransomware threats mentioned on the page include Clop, ALPHV, and BianLian.

MORE READING:  Boost Network Security with Automated CIS Compliance

Top Targeted Vulnerabilities in 2023

Based on the information provided from Talos Intelligence, the top targeted vulnerabilities in 2023 were as follows:

  1. CVE-2017-0199: A Microsoft Office and WordPad remote code execution vulnerability exploited via crafted documents, often used for phishing.
  2. CVE-2017-11882: A memory corruption vulnerability in Microsoft Office that allows code execution by running a specially crafted file.
  3. CVE-2020-1472: An elevation of privilege vulnerability known as “Zerologon” in Microsoft Netlogon, affecting domain controllers.
  4. CVE-2012-1461: A vulnerability in the Gzip file parser utility that affects multiple antivirus products.
  5. CVE-2012-0158: A Microsoft Office vulnerability exploited for remote code execution through specially crafted documents.
  6. CVE-2010-1807: A vulnerability in Apple Safari.
  7. CVE-2021-1675: A Microsoft Windows Print Spooler service vulnerability, that allows remote code execution or elevation of privileges.
  8. CVE-2015-1701: A local elevation of privilege vulnerability in Microsoft Windows kernel-mode driver.
  9. CVE-2012-0507: A Java sandbox bypass vulnerability in Oracle Java SE.
  10. CVE-2015-2426: A remote code execution vulnerability in Microsoft Windows through a specially crafted OpenType font.

These vulnerabilities were found in common applications and were selected by threat actors due to their prevalence in targets’ networks and the high impact of their exploitation.

Moreover, they were all assigned high severity scores by Cisco Kenna and/or the Common Vulnerability Scoring System (CVSS), with several receiving the maximum score of 100 from Cisco Kenna.

Furthermore, these vulnerabilities are listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog, indicating that they should be prioritized for patching due to their risk profile and known exploitation in the wild.

Top Blocked Email Attachment Extensions

As per the information from the Talos Intelligence 2023 Year in Review report, the top blocked attachment file extensions are:

1. PDF (36%)
2. HTML (14%)
3. HTM (8%)
4. DOCX (5%)
5. ZIP (5%)

Other attachments accounted for 32% of the blocks. This data is sourced from Cisco Email Security Appliance, and the percentages represent their prevalence in blocking potentially malicious email attachments.

Common image-related filetypes, like JPG, JPEG, PNG, and GIF, were excluded from this list because they appear frequently in a high volume of benign emails, such as those containing graphics in senders’ signatures or email bodies.

Network Infrastructure Attacks

In 2023, there was an observed increase in sophisticated attacks targeting network devices, largely by state-sponsored actors, especially from Russia and China, with the intent to advance espionage objectives and facilitate stealthy operations.

Malicious actors commonly exploited unpatched vulnerabilities, weak or default credentials, or insecure device configurations to gain initial access to networking devices.

Exploitation of these vulnerabilities typically remained consistent throughout the year, with occasional spikes following public disclosure, suggesting organizations were often failing to patch their devices promptly.

Once they gained initial access, threat actors leveraged various techniques and sometimes installed malware to establish footholds for further activity within networks.

MORE READING:  IBM and Cisco Quantum Computing Partnership: Analysis and Summary

This could allow for a full device takeover, providing adversaries unfettered access to core components of a target’s network and security perimeter. Actors often sought to weaken defenses and establish long-term access without raising suspicions.

The most frequently targeted vulnerabilities in network devices were critical or severe, making them highly impactful if exploited.

The Cisco Talos team was active in countering this threat through efforts like launching the Network Resilience Coalition with industry partners, focusing on increasing awareness and providing actionable recommendations for improving network security.

Additionally, Talos reported numerous vulnerabilities to device vendors and published advisories to improve users’ security posture and aid in defenses against these types of attacks.

Here are the top network device vulnerabilities exploited in 2023:

  1. CVE-2020-5902 (SID 54462): A remote code execution vulnerability in F5 BIG-IP’s Traffic Management user interface.
  2. CVE-2019-1653 (SID 48949): An information disclosure vulnerability in Cisco RV series routers.
  3. CVE-2022-40684 (SIDs 60725 and 60726): An authentication bypass vulnerability in Fortinet FortiOS, FortiProxy and FortiSwitchManager.
  4. CVE-2023-28771 (SID 61865): An unauthenticated command injection vulnerability in multiple Zyxel firewalls.
  5. CVE-2020-3452 (SID 54598): A directory traversal vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. 

Commodity Loaders

In 2023, commodity loaders like Qakbot, Ursnif, Emotet, Trickbot, and IcedID remained significant threats in the cybersecurity landscape.

These threats have evolved from their original roles as banking trojans to become versatile tools employed in various stages of attacks, including ransomware deployment. They are widely available on underground forums and due to their modularity can enable different payloads, making them attractive to a range of threat actors.

Notably, the developers updated these loaders with features more amenable to ransomware actors, such as reconnaissance capabilities and stealth enhancements that avoid antivirus detections. The rise of new IcedID and Ursnif variants and the addition of automated features in Qakbot, engineered to abet ransomware operations, exemplify this trend.

The disabling of macros by default in Microsoft Office also prompted commodity loader operators to adjust their tactics.

Throughout the year, these actors experimented with various file types and delivery methods to circumvent new security measures, such as leveraging Google Ads or OneNote files embedded with malicious content.

Despite law enforcement actions against these loaders, such as the dismantling of Qakbot’s infrastructure, developers may continue cybercriminal activities under different guises, indicating that threats from commodity loaders persist over time. Moreover, the infrastructure taken down in these operations may still facilitate residual or “zombie” activities.

The geographical impact of these loaders was global, with North America and Europe observed as the primary targets. Campaigns tended to be opportunistic, with lures sometimes tailored to regional contexts or business activities.

Finally, the long-term sustainability of such loaders’ threats was emphasized, considering that new ones could emerge to replace those disrupted, with IcedID being a potential candidate to fill any void left by loaders like Qakbot and Trickbot.

Spread the love

Related Posts

  • Boost Network Security with Automated CIS Compliance
  • IBM and Cisco Quantum Computing Partnership: Analysis and Summary
  • HPE Closes $14 Billion Acquisition of Juniper Networks, Forms AI-Centric Networking Unit
  • What is Cisco Identity Services Engine (ISE)? Use Cases, How it is Used etc
  • What is QUIC – This Modern Internet Protocol Makes Firewalls Blind

Filed Under: Network Security, Tech News

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

By subscribing to our email list you will be receiving technical tutorials and industry news from time-to-time. You can unsubscribe at any time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search this site

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Search

BLOGROLL

Tech21Century
Firewall.cx

Copyright © 2026 | Privacy Policy | Terms and Conditions | Contact | Amazon Disclaimer | Delivery Policy