10 Emerging Cybersecurity Threats and Hacking Tactics in 2023

The cyber threat landscape continues to evolve, and attackers keep adopting new tactics in response to many factors, including the growing effectiveness of endpoint security tools.

It probably goes without saying, but 2023 has seen no shortage of alarming trends in cyber threats. The MOVEit attacks have highlighted some attackers’ shift away from encryption-based ransomware toward data theft and extortion alone. Many attackers are relying less and less on malware and more on legitimate tools such as remote monitoring and management (RMM) software, which are less likely to be flagged by endpoint security products. Identity-based attacks using compromised credentials continue to grow for similar reasons, since they can sidestep endpoint detection and response (EDR). Phishing and social engineering remain major threats to organizations of all sizes.

[Related: The 10 Biggest Data Breaches of 2023 (So Far)]

But hacking threats and tactics also continue to evolve in 2023. “We’re seeing diversification in terms of attacks,” SonicWall CEO Bob VanKirk told CRN in an earlier interview. Depending on a number of factors, “threat actors continue to pivot,” he said.

In terms of emerging threats in 2023, attacks that leverage generative AI have gained a lot of attention (and yes, GenAI is on the list below). But there’s a lot more going on this year when it comes to new hacking tactics. Security researchers have observed many emerging threat trends and new tactics in areas such as phishing and social engineering, data theft and extortion, ransomware, and software supply chain attacks.

As part of CRN’s Cybersecurity Week 2023, we’ve compiled a sampling of new hacking threats and tactics that have emerged over the past year, drawing on CRN interviews and posts from researchers and executives at Huntress, CrowdStrike, Zscaler, Mandiant, Microsoft, GuidePoint Security, and Cisco Talos, among others.

Here are 10 emerging cybersecurity threats and new hacking tactics to pay attention to in 2023.

“Next level” fraud

Accounts payable fraud, in which an attacker impersonates a vendor and sends the victim an invoice carrying the attacker’s own account number, is nothing new. However, Huntress researchers have detected a new and more devious version of the threat. In several cases, Huntress has observed attackers compromising an email account and then using creative tactics to commit “highly targeted fraud” against the account holder, Huntress co-founder and CEO Kyle Hanslovan told CRN. How it works: once in the account, the attacker sets up rules to forward incoming invoices to themselves and then delete them, preventing the victim from ever receiving the genuine invoice, he said. The attacker then modifies the invoice to include their own account number and sends it to the victim, Hanslovan said.

“It’s just upping the game,” he said. “We’ve only had telemetry on this for two quarters and we’ve already discovered several dozen incidents, so the answer is that it’s going to have to be common.”
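A defender-side check for the inbox-rule abuse Hanslovan describes, as an added example that is not from the article or from Huntress: it scans an exported list of mailbox rules (constructed sample data; the field names are assumptions, not any vendor’s export format) and flags rules that combine an invoice-themed condition, forwarding to an external domain, and deletion or hiding of the original message.

```python
# Added example, not from the article or from Huntress. Rule field names are assumed,
# not a specific vendor's export format; ORG_DOMAIN and SAMPLE_RULES are constructed.

ORG_DOMAIN = "example.com"  # the organization's own mail domain (assumed)
INVOICE_TERMS = ("invoice", "payment", "remittance", "wire", "bank details")
HIDING_FOLDERS = ("deleted items", "rss feeds", "junk email", "archive")
REQUIRED = {"invoice-themed condition", "forwards externally", "deletes or hides original"}

SAMPLE_RULES = [  # constructed sample data
    {"mailbox": "ap@example.com", "name": "..", "conditions": {"subject_contains": ["invoice"]},
     "forward_to": ["billing-review@outlook-mail.net"], "delete": True, "move_to": None},
    {"mailbox": "ap@example.com", "name": "Vendor filing", "conditions": {"subject_contains": ["invoice"]},
     "forward_to": [], "delete": False, "move_to": "Vendors"},
    {"mailbox": "ceo@example.com", "name": "Newsletter", "conditions": {"from_contains": ["news@"]},
     "forward_to": [], "delete": True, "move_to": None},
    {"mailbox": "ap@example.com", "name": "Sync", "conditions": {"body_contains": ["wire"]},
     "forward_to": ["ap@example.com"], "delete": False, "move_to": "RSS Feeds"},
]

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def mentions_invoice(conditions: dict) -> bool:
    words = [w.lower() for values in conditions.values() for w in values]
    return any(term in w for w in words for term in INVOICE_TERMS)

def hides_original(rule: dict) -> bool:
    # Deleting, or filing into a folder users rarely open, keeps the real invoice out of sight
    return bool(rule.get("delete")) or (rule.get("move_to") or "").lower() in HIDING_FOLDERS

def score_rule(rule: dict) -> list[str]:
    """Return the risk indicators a single rule triggers (empty list means nothing notable)."""
    findings = []
    if mentions_invoice(rule["conditions"]):
        findings.append("invoice-themed condition")
    if any(is_external(a) for a in rule["forward_to"]):
        findings.append("forwards externally")
    if hides_original(rule):
        findings.append("deletes or hides original")
    if not rule["name"].strip(".,- "):  # rules named "." or ".." are a common sign of tampering
        findings.append("non-descriptive rule name")
    return findings

def find_invoice_diversion(rules: list[dict]) -> list[dict]:
    """Return rules that hit all three required indicators, with everything they triggered."""
    flagged = []
    for rule in rules:
        findings = score_rule(rule)
        if REQUIRED.issubset(findings):
            flagged.append({"mailbox": rule["mailbox"], "name": rule["name"], "indicators": findings})
    return flagged
```

Only the first constructed rule trips all three required indicators; the internal forward into an “RSS Feeds” folder and the benign vendor-filing rule surface partial indicators for review without being flagged as diversion.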

Ransomware expands its reach and adds new tactics

In 2023, an emerging development in the cyber threat space is the appearance of new ransomware tools following access to leaked source code and builders, according to Cisco Talos researchers. This is notable not only because it means more actors are entering the ransomware arena, but also because it brings in new types of actors with a different focus. Some of these new malicious actors have been observed using ransomware built from leaked code “to target Americans and small businesses,” Talos researchers wrote in a recent blog.

At the same time, the FBI warned in September that two new trends had emerged among ransomware threat actors. In the first, threat groups launch “multiple ransomware attacks against the same victim in close proximity,” according to the FBI advisory. The attacks also included the deployment of two different ransomware variants “in various combinations,” the FBI said. “This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities.”

As for the second emerging trend identified by the FBI, ransomware threat actors have begun introducing new data destruction tactics, deploying wiper tools in an effort to pressure victims, the agency reported.

Low-disruption attacks

Some attackers who focus on data theft and extortion rather than encryption are turning to a new tactic: instead of maximizing disruption for victims, they are looking to minimize it, cyberthreat experts told CRN. The effort is part of an attempt by these groups to rebrand themselves as security advisers, the experts said.

Oddly enough, “we’re seeing the ransomware threat landscape shift more and more toward ‘customer service,’” said Deepen Desai, global CISO and head of security research at Zscaler. Some threat actors now aim to “provide the best experience” to victims, Desai said.

At GuidePoint Security, the incident response team has encountered several cases in which attackers told their victims, “We did you a favor by encrypting your environment,” said Mark Lance, vice president of DFIR and threat intelligence at GuidePoint.

These attackers then provide a “security audit report” outlining how to improve the security of the victim’s environment, Lance said. “They see themselves as essentially offering a security consulting service.”

New tactics for data leaks

For some malicious actors engaged in data theft and extortion, the threat of publishing stolen data on the dark web has been enough to get victims to respond to demands for payment. That was the case with the Russian-speaking cybercrime group Clop, which was behind this year’s massive MOVEit attack campaign. Or rather, it was true at first: after apparently feeling the need to increase the pressure on some of those affected, Clop “tried other tactics to spread this information,” said John Hammond, a senior security researcher at Huntress. First, Clop began creating leak sites on the clear web, that is, the open internet, but these turned out to be easy to take down. The group then began offering torrents of the stolen data, which BleepingComputer reported were harder to take down because of their decentralized distribution while also being faster to download.

Strange bedfellows

There are many disturbing elements to the recent high-profile attacks on casino operators MGM and Caesars Entertainment, including the reported use of social engineering by hackers to trick an IT help desk into granting access in the MGM breach. But among the unwelcome developments is also the collaboration believed to be behind the attack: an alliance between young English-speaking hackers from the group known as Scattered Spider and the Russian-speaking ransomware gang Alphv. According to security researchers, the teen and young adult hackers of Scattered Spider used BlackCat ransomware provided by Alphv (a gang whose members were previously affiliated with DarkSide, the group that attacked Colonial Pipeline). While ransomware-as-a-service has been a growing trend for years in Eastern Europe, the alliance between the young hackers (who, according to some reports, include members in the United States and the United Kingdom) and Russian-speaking RaaS groups is serving to broaden the threat landscape.

RaaS comes to ESXi

Speaking of ransomware-as-a-service, CrowdStrike researchers shared key findings about how it expanded this year to include RaaS targeting VMware’s widely used ESXi hypervisor. “In April 2023, for example, CrowdStrike Intelligence learned about a new RaaS program called MichaelKors, which provides its affiliates with ransomware binaries targeting Windows and ESXi/Linux systems,” the researchers wrote in a blog post. “Other RaaS platforms that can target ESXi environments have also been launched, such as the Nevada ransomware.” The RaaS platforms emerged at a time when the hypervisor remains an attractive target for cybercriminals, due to the “lack of security tools, lack of adequate network segmentation of ESXi interfaces, and [in-the-wild] vulnerabilities for the ESXi environment,” the CrowdStrike researchers wrote.

Threats powered by GenAI

With so much discussion of the topic this year, it’s almost hard to believe that generative AI-powered cyberattacks are still an entirely new threat. Among GenAI’s well-known security dangers is the boost it can give to bad actors, such as hackers who use OpenAI’s ChatGPT to craft more convincing phishing emails.

Security researchers have also learned of GenAI-powered chatbots intended specifically for use by malicious hackers and other criminals, including WormGPT, FraudGPT, and DarkGPT.

But even ChatGPT itself can provide significant help to hackers, for example by cleaning up the grammar of non-native English speakers, researchers noted. And there are no guardrails that prevent ChatGPT from producing many types of emails that could be exploited for social engineering purposes, for example an email addressed to an “uncle” the sender hasn’t spoken to in years, said Mike Parkin, senior technical marketing engineer at Vulcan Cyber.

Deepfake tools

Elsewhere among AI-related concerns, deepfakes have been seen for some time as a potential security risk and, in some reported cases, have succeeded in tricking victims into transferring funds. But a more recent development in this area is the reported availability of deepfake video creation software designed for phishing. In mid-August, Mandiant researchers said they had observed advertisements on “underground forums” for such software, which aims to make malicious operations “more inherently personal through the use of deepfake capabilities.” This is the first known case of “deepfake video technology designed and sold for phishing scams,” Bloomberg reported.

Meanwhile, audio deepfakes have had a moment in 2023, thanks in part to the growing availability of voice cloning software. Unsurprisingly, audio deepfakes are also being used in cash transfer scams. The greatest risk in this area is that attackers can now achieve “real-time” voice imitation, converting their own voice into a cloned voice with minimal latency.

Teams-driven phishing

Another phishing threat that has grown in 2023 is the use of Microsoft Teams, together with compromised Microsoft 365 accounts, to conduct phishing attacks over the collaboration app. In August, Microsoft Threat Intelligence disclosed that the group behind the widely felt SolarWinds compromise of 2020 had recently carried out a campaign of cyberattacks using Teams messages. The attackers use Teams messages “to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts,” Microsoft researchers wrote. The group, once tracked by Microsoft as Nobelium and now as Midnight Blizzard, likely pursues “specific espionage objectives” in the attacks carried out through Teams, the researchers said.

In early September, Truesec reported investigating a campaign that used Teams phishing messages to distribute attachments that would install the DarkGate Loader malware, which can be used for malicious activities including ransomware deployment.

Also in September, Microsoft researchers said a cybercriminal group tracked as Storm-0324 had been “observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats.” In contrast to the Midnight Blizzard campaign using Teams, these attacks aim to gain initial access, which can then be sold to other malicious actors who use that access for malicious activities such as deploying ransomware.

Double supply chain attack

The March compromise of 3CX, a maker of widely used communications software, was in some ways similar to the SolarWinds supply chain attack of 2020. But the 3CX attack stood out from previous software supply chain compromises in at least one key respect: according to Mandiant, the 3CX campaign was made possible by an earlier supply chain attack. In that earlier attack, attackers tampered with a software package distributed by a financial software company, Trading Technologies, Mandiant researchers disclosed. “This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” the researchers said in a post.

The 3CX attack was attributed by CrowdStrike, and later by Mandiant, to North Korea.

Nick Galea, founder and CEO of 3CX, said in a post that the company is committed to “hardening our systems” in the wake of the “first software-on-software supply chain cascading attack.” Galea had previously disclosed that it was likely thousands of customers had downloaded the malicious version of the vendor’s VoIP phone system software.

However, researchers noted that the 3CX compromise was detected in a matter of weeks rather than months, as was the case with the SolarWinds attack, which appears to have limited the impact of the breach on 3CX and its end users.
