2023 Year-End Threat Report

The number of cybersecurity incidents and their impact continue to increase. As a result, company leaders need to be more aware of both the overall threat environment and threats specifically relevant to their organization or industry. Threat hunting, offered as part of Marcum Technology’s SOC services, can help provide this visibility in identifying potential risks to an organization. As we close out 2023, we have seen several trends and characteristics emerge in the threat landscape.

The 9-5 “Hacker”

We tend to picture threat actors as individuals or small groups, hanging out in a basement wearing black hoodies and drinking Monster energy drinks in the middle of the night, pounding away at a keyboard. They spend night after night slowly and methodically creeping through a target’s network, their eyes alight with anticipation in rounding the next corner and discovering something worth the hacking. Or at least that’s the way I used to think about them.

Now, albeit after years of evolution, it has gone from a niche pastime to full blown criminal enterprise, all within a 9-5 workweek; weekends are for overtime. Recently, tools such as BlackByte 2.0 have allowed hackers to execute the entire attack process, from initial access to significant damage, in just five days. Attackers can swiftly infiltrate systems, encrypt crucial data, and demand a ransom for its release. This condensed timeline poses a significant challenge for organizations of all sizes, but are particularly challenging for smaller businesses.

What is even more alarming is the idea that criminal organizations are offering full time jobs as ‘professional hackers’ via the Dark Web. With postings for high paying (up to $20k/month) positions, paid time off/sick leave, remote working, paid vacations, and full or part time employment. Becoming a full time ‘hacker’ is gaining appeal as a career choice. One can see the lure of these positions when compared to the average compensation and benefits of white hat jobs that may pay lower wages and are pushing back-to-office.

Of course the risks of working associated with this ‘profession’, being defrauded, framed, arrested, prosecuted, and imprisoned, are likely to limit the pool of potential applicants. However, there are those that that feel they do not have much choice, such as unemployed professionals with bills piling up or recent IT graduates that are unable to gain employment.

If You Can Dodge a Sniff Test You Can Dodge an IDS – The Continued Rise of Phishing

A not-so-careful review of the many threat hunts published this year will reveal an obvious trend: most of the attacks begin with a phishing message. All of the flair and intrigue around the archetypal “racing keyboards” style of offensive and defensive cybersecurity is really only for the movies. In fact, just about the only time anyone is face-to-face with an attacker is in the email inbox. And while the attacker remains the same malicious actor with various degrees of cunning, the defender’s position is now filled by an end user who is likely too busy to meticulously screen any email they receive for signs of malice. It is here that we find the most fatal weakness in the entirety of the cyber security defense strategy: it’s easier to fool a person than a computer, and that often gets the job done just as well.

As of this year, 74% of breaches involved “the human element.” This includes social engineering, errors, and misuse of systems. Of social engineering attacks, half involve pretexting – creating a convincing story that gets a human victim to comply and grant access or execute a payload. This highlights a grim reality in the cybersecurity landscape: advanced technical defenses and a top-tier team of cybersecurity professionals are quite easily bypassed by leveraging the end user directly.

This is done mostly with compromised credentials which, thankfully for attackers, are far too frequently reused by users (getting someone’s Twitter password might be as good as getting their admin account creds at their DoD job). This attack vector accounts for half of known breaches in 2023 according to Verizon’s 2023 Data Breach Investigations Report (DBIR). Further, nearly 1 in 5 breaches are the result of phishing while a mere 10% were due to exploiting technical vulnerabilities, believed by most to be the source of most compromises.

While the 20% data point for phishing might seem low, it must be understood that both phishing and simply buying credentials for use in an attack are very low-effort and low-skill activities that yield tremendous results if applied correctly. The reality is economies of scale are very much present and achievable now with advances in cybercrime automation, business models, the sheer number of actors engaged in cybercrime; and most importantly the amount of valuable data that any given enterprise now holds.

This low-hanging fruit bears more reward every day as even the most lowly of enterprises become treasure troves of information that can be used immediately or reused in future attacks on higher priority targets. While it could be argued that this trend is survivorship bias and that most organizations are so secure that social engineering is the only way in, it should be noted that data breaches continue to become more common.

While oft-overhyped AI and ML is mentioned anywhere the writer thinks it might generate clicks, for the purposes of both writing malicious code and writing malicious emails, we can be assured that it will have a marked impact on the threat landscape. While a footnote for now, this is just one of many increasing challenges that the end-user faces, and even now, the end-user is woefully under-equipped for this fight.

Volt Typhoon

The Chinese state-sponsored threat campaign, Volt Typhoon emerged in 2023 and had a significant impacted on the cybersecurity landscape. This campaign was the source of targeted attacks on critical infrastructure networks across the United States including those of the Air Force and FBI. Several factors contributed to its impactful presence:

• Scope of Targeting: Volt Typhoon’s deliberate focus on critical infrastructure sectors such as government, maritime, communications, manufacturing, utilities, transportation, and education posed a severe threat. Their infiltration into these vital areas heightened concerns about potential disruptions to essential services and operations.
• Sophisticated Techniques: The threat actor’s adept use of living-off-the-land techniques and tactics disguised their activities as routine Windows system operations. This strategic camouflage made it challenging for security systems to detect their presence promptly, allowing Volt Typhoon to operate stealthily within compromised networks.
• Espionage Intent: With a primary motive believed to be espionage, Volt Typhoon’s intrusion aimed at acquiring sensitive information and data from various sectors. Their access to critical infrastructure entities, including military installations such as the US Navy in Guam, raised alarms about potential breaches involving national security and strategic preparedness.
• Strategic Implications: The breaches linked to Volt Typhoon were perceived as part of China’s strategic maneuvers, potentially prepositioning for future conflicts. This strategic context heightened the significance of the threat, indicating a calculated effort to gain access and control over crucial systems ahead of any potential hostilities.
• Challenges in Detection and Mitigation: The threat posed by Volt Typhoon was further compounded by the group’s utilization of legitimate accounts and sophisticated techniques, making it arduous for cybersecurity teams to detect and counter their attacks effectively.

Overall, Volt Typhoon’s activities not only threatened the integrity and security of critical infrastructure but also underscored the escalating complexities and challenges faced by cybersecurity entities in defending against state-sponsored threat actors with advanced capabilities.

Lockbit, An Escalating Ransomware Threat

The threat of ransomware continued to increase notably in 2023. This continues a steady trend, with malware becoming more and more prevalent as we move deeper into the digital age. Of all malware variants seen in 2023, few are as prevalent as LockBit, the new favorite of pro-Russian cybercrime networks known for their RaaS (Ransomware as a Service).

In contrast to cybercriminal groups of the past, LockBit operates a robust administrative network. This structure means the group maintains individuals who manage employees, interact with clients, and handle any ransom payments. Clients engage with LockBit, and post-deployment of the ransomware, any resulting payments are divided between the developers and the threat actors responsible for the ransomware’s deployment. The average ransom for these attacks is in excess of $1 million per incident.

Since it first appeared in late 2019, LockBit has evolved significantly. There are now five variations of LockBit ransomware, including versions specifically designed to target both Windows and MacOS environments. LockBit’s malicious activities have affected numerous entities. Some its most significant victims include Boeing, Royal Mail, and even the UK Ministry of Defense. Information stolen from the Ministry of Defense includes classified details related to military intelligence sites and high-security prisons. However, it’s crucial to understand that LockBit does not solely target large corporations and governmental agencies; small to medium-sized businesses are also in its crosshairs.

Ransomware is a wicked beast to try and to address. Ultimately, the best defense is to exercise proper cybersecurity hygiene. Avoid opening suspicious emails, refrain from clicking on questionable links, and never open attachments unless their security is guaranteed. If a company does fall victim to a ransomware attack, it’s imperative to contact law enforcement immediately. It’s important to remember that LockBit is a criminal organization, and there is no honor among thieves. Just because a ransom is paid, there is no guarantee that the files or sensitive data will be returned.

As we head into 2024, it is likely that ransomware will continue to flourish as a way for criminals to make a quick buck, with LockBit at the top of the list. As always, the best defense will be a proactive, defense-in-depth approach that prioritizes user awareness to minimize human error as much as possible.

If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.