Cisco Talos, a threat intelligence organization, released a report reviewing the major adversaries and key cybersecurity trends of the past year, along with predictions for the year ahead.
Dave Liebenberg, head of Strategic Analysis for Cisco Talos, emphasizes the value of retrospective analysis to contextualize changes and forecast future threats in cybersecurity.
The key takeaway from Dave Liebenberg’s interview is his analysis and prediction of cybersecurity threats and challenges for 2024, which highlights the persistence of ransomware, emerging extortion strategies that forgo encryption, the key initial access vectors, the exploitation of old vulnerabilities, and the importance of organizational culture and preventative measures for cybersecurity.
Ransomware remained a persistent threat, with LockBit, ALPHV, Clop, and BianLian identified as the most active groups in 2023.
One ransomware trend was the exploitation of zero-day vulnerabilities by well-resourced groups like Clop, behaviour more typical of Advanced Persistent Threats (APTs).
Many established ransomware groups shifted to pure extortion tactics, threatening to leak stolen data rather than encrypting it; in Q2 2023 this activity overshadowed traditional ransomware.
Cybercriminals often exploited public-facing application vulnerabilities, compromised credentials, and phishing as initial access vectors.
Threat actors regularly leveraged outdated software vulnerabilities, stressing the importance of implementing effective patching programs. Adversaries prefer targeting older vulnerabilities and infrastructure, which highlights the need for network modernization and proper patching.
Workers and company culture play a vital role in cybersecurity, with emphasis on adhering to security policies, password management, remote work precautions, and guarding against social engineering attacks.
Security experts should advocate for measures like multifactor authentication, network segmentation, secure credential management, and having a solid incident response plan.
Moreover, the development of AI introduces both challenges and defenses in cybersecurity, such as aiding in social engineering attacks and detecting online disinformation.
Predictions for 2024 include the continuation of ransomware, the rise of commodity loaders like Qakbot, new commodity loaders replacing disrupted ones, the ongoing targeting of Ukraine by Russia-affiliated actors, and China-affiliated actors enhancing their capabilities against critical infrastructure.
Despite challenges, there is optimism for 2024 due to industry collaboration, cyber defense advancements in 2023, and the success of initiatives like the Cyber Threat Alliance and Network Resilience Coalition.
Alongside cybersecurity discussions, Cisco announced its intent to acquire Isovalent to enhance cloud networking and security based on open-source technology.
Let’s now look at some notable trends and statistics regarding cybersecurity in 2023.
Top Ransomware Threat in 2023
According to the Talos report, the top ransomware threat in 2023 was LockBit, identified as the most deployed ransomware variant and one with significant impact on organizations.
The LockBit ransomware operations targeted both IT (Information Technology) networks and OT (Operational Technology) networks, impacting critical infrastructure systems.
LockBit attacks have been observed to be highly impactful and disruptive. Other prominent ransomware threats mentioned in the report include Clop, ALPHV, and BianLian.
Top Targeted Vulnerabilities in 2023
Based on the information provided by Talos Intelligence, the top targeted vulnerabilities in 2023 were as follows:
- CVE-2017-0199: A Microsoft Office and WordPad remote code execution vulnerability exploited via crafted documents, often used for phishing.
- CVE-2017-11882: A memory corruption vulnerability in Microsoft Office that allows code execution by running a specially crafted file.
- CVE-2020-1472: An elevation of privilege vulnerability known as “Zerologon” in Microsoft Netlogon, affecting domain controllers.
- CVE-2012-1461: A vulnerability in the Gzip file parser utility that affects multiple antivirus products.
- CVE-2012-0158: A Microsoft Office vulnerability exploited for remote code execution through specially crafted documents.
- CVE-2010-1807: A vulnerability in Apple Safari.
- CVE-2021-1675: A Microsoft Windows Print Spooler service vulnerability that allows remote code execution or elevation of privileges.
- CVE-2015-1701: A local elevation of privilege vulnerability in a Microsoft Windows kernel-mode driver.
- CVE-2012-0507: A Java sandbox bypass vulnerability in Oracle Java SE.
- CVE-2015-2426: A remote code execution vulnerability in Microsoft Windows through a specially crafted OpenType font.
These vulnerabilities were found in common applications and were selected by threat actors due to their prevalence in targets’ networks and the high impact of their exploitation.
Moreover, they were all assigned high severity scores by Cisco Kenna and/or the Common Vulnerability Scoring System (CVSS), with several receiving the maximum score of 100 from Cisco Kenna.
Furthermore, these vulnerabilities are listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog, indicating that they should be prioritized for patching due to their risk profile and known exploitation in the wild.
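As an added example (not code from the Talos report or from this page), the following Python script shows the prioritization step the paragraph describes: it cross-checks the CVE list above against a KEV-style catalog and orders the results by remediation urgency. The feed URL is the real location of the CISA catalog, but the catalog entries embedded below are constructed samples that reuse the feed's field names; their dates and ransomware flags are not CISA data, and the live feed should be fetched to use this for real.

```python
"""Cross-check CVEs against a CISA KEV-style catalog and rank them for patching."""
import json
from datetime import date

# Real location of the live catalog (fetch it separately; this script runs offline).
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# The ten CVEs the Talos report lists as the most targeted in 2023.
TOP_TARGETED_2023 = [
    "CVE-2017-0199", "CVE-2017-11882", "CVE-2020-1472", "CVE-2012-1461",
    "CVE-2012-0158", "CVE-2010-1807", "CVE-2021-1675", "CVE-2015-1701",
    "CVE-2012-0507", "CVE-2015-2426",
]

# CONSTRUCTED stand-in for the KEV feed. The field names match the real
# catalog, but the dates and ransomware flags are sample values, not CISA
# data. Only three of the page's CVEs are included so that the "not listed"
# path is exercised as well.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2017-0199", "vendorProject": "Microsoft",
         "product": "Office and WordPad", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft",
         "product": "Netlogon", "dateAdded": "2021-11-03",
         "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-1675", "vendorProject": "Microsoft",
         "product": "Windows Print Spooler", "dateAdded": "2021-11-03",
         "dueDate": "2021-12-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed (JSON text) by CVE identifier."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritize(cves, kev: dict, today: date) -> list:
    """Return one record per CVE, ordered by patching urgency.

    KEV-listed CVEs come first. Among them: overdue remediation deadlines
    first, then CVEs with known ransomware use, then the earliest due date.
    CVEs absent from the catalog keep their input order at the end
    (sorted() is stable); absence from KEV is not evidence of safety.
    """
    records = []
    for cve in cves:
        entry = kev.get(cve)
        if entry is None:
            records.append({"cveID": cve, "in_kev": False, "overdue": False,
                            "ransomware": False, "dueDate": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        records.append({
            "cveID": cve,
            "in_kev": True,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "dueDate": due,
        })
    return sorted(records, key=lambda r: (not r["in_kev"], not r["overdue"],
                                          not r["ransomware"],
                                          r["dueDate"] or date.max))


def ranked_ids(cves, feed_text: str, today_iso: str) -> list:
    """Convenience wrapper: CVE identifiers in priority order for a given date."""
    today = date.fromisoformat(today_iso)
    return [r["cveID"] for r in prioritize(cves, load_kev(feed_text), today)]


if __name__ == "__main__":
    for r in prioritize(TOP_TARGETED_2023, load_kev(SAMPLE_KEV_JSON), date(2023, 12, 31)):
        flags = []
        if r["in_kev"]:
            flags.append("KEV due %s" % r["dueDate"])
        if r["overdue"]:
            flags.append("OVERDUE")
        if r["ransomware"]:
            flags.append("ransomware")
        print("%-15s %s" % (r["cveID"], ", ".join(flags) or "not in sample catalog"))
```

The ordering deliberately puts an overdue non-ransomware entry ahead of a not-yet-due ransomware one: a missed KEV deadline is the stronger signal, and the ransomware flag only breaks ties within the same deadline status.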
Top Blocked Email Attachment Extensions
As per the information from the Talos Intelligence 2023 Year in Review report, the top blocked attachment file extensions are:
1. PDF (36%)
2. HTML (14%)
3. HTM (8%)
4. DOCX (5%)
5. ZIP (5%)
Other attachments accounted for the remaining 32% of blocks. This data is sourced from Cisco Email Security Appliance, and each percentage is that extension’s share of all blocked, potentially malicious email attachments.
Common image-related filetypes, like JPG, JPEG, PNG, and GIF, were excluded from this list because they appear frequently in a high volume of benign emails, such as those containing graphics in senders’ signatures or email bodies.
Network Infrastructure Attacks
In 2023, there was an observed increase in sophisticated attacks targeting network devices, largely by state-sponsored actors, especially from Russia and China, with the intent to advance espionage objectives and facilitate stealthy operations.
Malicious actors commonly exploited unpatched vulnerabilities, weak or default credentials, or insecure device configurations to gain initial access to networking devices.
Exploitation of these vulnerabilities typically remained consistent throughout the year, with occasional spikes following public disclosure, suggesting organizations were often failing to patch their devices promptly.
Once they gained initial access, threat actors leveraged various techniques and sometimes installed malware to establish footholds for further activity within networks.
This could allow for a full device takeover, providing adversaries unfettered access to core components of a target’s network and security perimeter. Actors often sought to weaken defenses and establish long-term access without raising suspicions.
The most frequently targeted vulnerabilities in network devices were critical or severe, making them highly impactful if exploited.
The Cisco Talos team was active in countering this threat through efforts like launching the Network Resilience Coalition with industry partners, focusing on increasing awareness and providing actionable recommendations for improving network security.
Additionally, Talos reported numerous vulnerabilities to device vendors and published advisories to improve users’ security posture and aid in defenses against these types of attacks.
Here are the top network device vulnerabilities exploited in 2023:
- CVE-2020-5902 (SID 54462): A remote code execution vulnerability in F5 BIG-IP’s Traffic Management user interface.
- CVE-2019-1653 (SID 48949): An information disclosure vulnerability in Cisco RV series routers.
- CVE-2022-40684 (SIDs 60725 and 60726): An authentication bypass vulnerability in Fortinet FortiOS, FortiProxy and FortiSwitchManager.
- CVE-2023-28771 (SID 61865): An unauthenticated command injection vulnerability in multiple Zyxel firewalls.
- CVE-2020-3452 (SID 54598): A directory traversal vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
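As an added example, not from Talos or from this page, here is a Python script that runs over Snort alert lines and maps the rule IDs (SIDs) listed above to the CVE each one detects, so a defender can see which of the report's network-device vulnerabilities are being probed and against which hosts. The SID-to-CVE mapping is taken from the list above; the alert lines are constructed in Snort's one-line alert_fast layout with documentation-range addresses and made-up rule messages, not captures from a real sensor.

```python
"""Map Snort alert_fast lines to the network-device CVEs listed in the Talos report."""
import re
from collections import Counter

# Snort rule IDs (generator 1) named in the report, keyed to the CVE each detects.
SID_TO_CVE = {
    54462: "CVE-2020-5902",   # F5 BIG-IP TMUI remote code execution
    48949: "CVE-2019-1653",   # Cisco RV series information disclosure
    60725: "CVE-2022-40684",  # Fortinet authentication bypass (two rules)
    60726: "CVE-2022-40684",
    61865: "CVE-2023-28771",  # Zyxel unauthenticated command injection
    54598: "CVE-2020-3452",   # Cisco ASA/FTD directory traversal
}

# Assumption: the classic one-line alert_fast layout
# "<ts> [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src -> dst".
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# CONSTRUCTED sample alerts: rule messages, addresses (RFC 5737 ranges) and
# ports are invented for the example. The last line uses a local-rule SID
# that is not in the report list, to exercise the unmapped path.
SAMPLE_ALERTS = """\
12/01-09:14:02.118823  [**] [1:54462:3] SERVER-WEBAPP F5 BIG-IP TMUI directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:443
12/01-09:14:05.402211  [**] [1:54462:3] SERVER-WEBAPP F5 BIG-IP TMUI directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51236 -> 192.0.2.10:443
12/01-10:03:44.000911  [**] [1:60726:2] SERVER-WEBAPP Fortinet FortiOS authentication bypass attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40022 -> 192.0.2.20:443
12/01-11:27:19.553100  [**] [1:61865:1] SERVER-OTHER Zyxel firewall command injection attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 198.51.100.9:500 -> 192.0.2.30:500
12/01-11:30:00.000000  [**] [1:1000001:1] LOCAL policy test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.50:22 -> 192.0.2.51:22
"""


def parse_alert(line: str):
    """Parse one alert_fast line into a dict; return None for lines that do not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    sid = int(m.group("sid"))
    return {
        "gid": int(m.group("gid")), "sid": sid, "rev": int(m.group("rev")),
        "msg": m.group("msg"), "priority": int(m.group("prio")),
        "proto": m.group("proto"), "src": m.group("src"), "dst": m.group("dst"),
        # Only generator 1 (text rules) carries the SIDs from the report.
        "cve": SID_TO_CVE.get(sid) if m.group("gid") == "1" else None,
    }


def summarize(alert_text: str) -> dict:
    """Count alerts per report CVE, collect targeted hosts, and list unmapped SIDs."""
    by_cve = Counter()
    targets = {}
    unmapped = Counter()
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["cve"] is None:
            unmapped[alert["sid"]] += 1
            continue
        by_cve[alert["cve"]] += 1
        host = alert["dst"].rsplit(":", 1)[0]  # strip the destination port
        targets.setdefault(alert["cve"], set()).add(host)
    return {
        "by_cve": dict(by_cve),
        "targets": {cve: sorted(hosts) for cve, hosts in targets.items()},
        "unmapped_sids": dict(unmapped),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for cve, count in sorted(summary["by_cve"].items(), key=lambda kv: -kv[1]):
        print(f"{cve}: {count} alert(s), targets {', '.join(summary['targets'][cve])}")
    if summary["unmapped_sids"]:
        print("alerts from rules outside the report list:", summary["unmapped_sids"])
```

Alerts on these rules are a prompt to confirm that the destination device is patched or mitigated, not proof of compromise; the per-host grouping is what makes that check quick.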
Commodity Loaders
In 2023, commodity loaders like Qakbot, Ursnif, Emotet, Trickbot, and IcedID remained significant threats in the cybersecurity landscape.
These threats have evolved from their original roles as banking trojans to become versatile tools employed in various stages of attacks, including ransomware deployment. They are widely available on underground forums and due to their modularity can enable different payloads, making them attractive to a range of threat actors.
Notably, the developers updated these loaders with features more amenable to ransomware actors, such as reconnaissance capabilities and stealth enhancements that evade antivirus detection. The rise of new IcedID and Ursnif variants and the addition of automated features in Qakbot, engineered to abet ransomware operations, exemplify this trend.
The disabling of macros by default in Microsoft Office also prompted commodity loader operators to adjust their tactics.
Throughout the year, these actors experimented with various file types and delivery methods to circumvent new security measures, such as leveraging Google Ads or OneNote files embedded with malicious content.
Despite law enforcement actions against these loaders, such as the dismantling of Qakbot’s infrastructure, developers may continue cybercriminal activities under different guises, indicating that threats from commodity loaders persist over time. Moreover, the infrastructure taken down in these operations may still facilitate residual or “zombie” activities.
The geographical impact of these loaders was global, with North America and Europe observed as the primary targets. Campaigns tended to be opportunistic, with lures sometimes tailored to regional contexts or business activities.
Finally, the report emphasized that the threat from such loaders is long-lived: new ones can emerge to replace those disrupted, with IcedID a potential candidate to fill any void left by loaders like Qakbot and Trickbot.