The impact of professional cybercriminal gangs continues to propel cybersecurity — a once niche area of technology — into mainstream discussions. Attacks by ransomware and extortion groups in 2023 contributed to the disruption of ports, health care providers, cities and large businesses. The status quo has become one of headline-generating cyber incidents causing pain and disruption and exacting a toll on the information technology (IT) systems affecting our personal lives, businesses and national security.
As a result, policymakers and governments continue to create and implement strategies to address how and why this is happening. These include building cyber resilient organizations, strengthening public-private partnerships, disrupting cybercriminal ecosystems and, importantly, holding perpetrators accountable. Law enforcement agencies collaborated worldwide this year to disrupt cybercrime players including the Hive ransomware group, the Genesis access market, the Breached cybercrime forum and the Qakbot botnet. Regulators are increasingly stepping into cybersecurity, mandating faster disclosures of cyber incidents. They are also interested in whether organizations can demonstrate that they’ve structured information security programs that are commensurate with the risk. Questions have also been raised about how vendors can improve the security of products in the design phase and whether software manufacturers should be held accountable for faulty products, similar to the consumer world.
The cybercriminal underground was more active than ever in 2023. Our analysts study malware samples, data breaches, software vulnerabilities and conversations between threat actors to understand how bad actors are undermining systems. Organizations saw continued risks from persistent attack vectors including information-stealer malware distributed by initial access brokers (IABs), or those who specialize in breaking into networks and selling that access. Phishing campaigns remained a persistent method to steal credentials and sometimes session tokens that can be parlayed into access. Vulnerability exploitation also rose as one of the most popular methods to compromise organizations. While threat actors occasionally leveraged zero-day vulnerabilities, which tend to generate headlines, the truth is most organizations are caught out by n-day vulnerabilities where patches have been available for some time. This cumulatively resulted in an environment where one of the biggest risks for organizations is a ransomware or extortion attack.
These trends present challenges for defenders, but cyber threat intelligence (CTI) collected from threat actors and attack groups offers opportunities to help prevent or contain malicious activity. Over the past year, we were in some cases able to predict which vulnerabilities were likely to be exploited before exploits were even developed. Our Malware Intelligence team processed indicators drawn from malware campaigns that help with real-time defense. We collected volumes of stolen credentials from data breaches and other sources, which can provide clues if, for example, an endpoint has been infected by an information stealer. No breach happens in a vacuum — there are usually prior signs that can indicate an organization is at risk, and CTI can often help.
This post provides an overview of some of the significant trends over the last year in the criminal underground and cybersecurity with a view as to what’s ahead in 2024.
Ransomware Will Intensify
Early 2022 saw significant disruption in the ransomware landscape due to Russia’s intensified aggression against Ukraine. Some Ukrainian and Russian threat actors that had been collaborating split due to the war. Ransomware attacks slightly dipped as groups reorganized and new strains emerged. But that period ended, and the discord settled. In 2023, ransomware surged.
Attacks have been propelled by the use of zero-day and n-day vulnerabilities and threat actors buying access to hacked organizations from IABs. In the last few months, we’ve seen vigorous attack activity directed at health care organizations and financial services. This is unlikely to abate in the foreseeable future. Ransomware-as-a-service (RaaS) offerings, where subgroups of threat actors partner with malware and infrastructure providers, are fine-tuned and growing ecosystems that allow lesser-skilled actors entry into ransomware.
In 2022, we saw 48 ransomware variants circulating. This year that increased to 68 variants. Although law enforcement and intelligence agencies are highly focused on disrupting these ecosystems and have notched notable and impressive successes, this activity will need to scale to make a significant impact. Countries agreed this year at the Counter Ransomware Initiative that governments should not pay ransoms. Australia has said that banning the payment of ransoms at some point is “inevitable.” Some U.S. states have taken this step and banned their governments from paying ransoms.
We expect more countries to look at the ransom angle as one way to bring cybercrime to heel. The best defense is prevention, and most ransomware is preventable with the right intelligence. Patching vulnerabilities, particularly for internet-facing applications, is critical. Monitoring the cybercriminal underground for threat actors selling access and stolen credentials can also give a crucial heads up before ransomware is installed.
Artificial Intelligence Is a Wild Card
The rapid advances in machine learning (ML), large language models (LLMs) and artificial intelligence (AI) upended technology this year. It’s unclear if AI will prove to be the game-changer it's heralded to be or, as some worry, pose an existential threat to the human race. Nonetheless, cybercriminals are interested in how AI could be integrated into their operations. While there doesn’t appear to be a killer AI application for cybercriminals thus far, its power could be helpful for some of the mundane back-end work that cybercriminals have to perform.
The advent of cybercrime-as-a-service, which is the term for the collective goods and services that threat actors supply to each other, is marked by an emphasis on specialization, scale and efficiency. Examples of incorporating AI include actors using LLMs to sort through masses of stolen data to identify the most important details to mention when extorting a company or employing a chatbot to engage in preliminary ransom negotiations. Another hypothetical innovation could be an AI tool that can calculate the maximum ransom an organization will pay based on the data stolen.
We reported a few examples of actors implementing AI in their offers during the second quarter of 2023, which included an IAB offering free translation services using AI. In May 2023, we reported a threat actor offered a tool that allegedly could bypass ChatGPT’s restrictions, and an actor associated with email spam allegedly integrated OpenAI’s technology into software that drafts spam emails — an obvious way to apply AI.
AI and ML tools are capable of enabling impersonation via video and audio, which pose threats to identity and access management. Videos rendered using AI now are fairly detectable, but synthesized voice cloning is very much a threat to organizations that use voice biometrics as part of authentication flows. We still assess AI cannot be fully relied upon for more intricate cybercrime, and doing so in its current form likely will render flawed results. But this area is moving so swiftly that it's difficult to see what is on the horizon. The proliferation of open source LLMs and services — some of which are being built with the intention of not having safety guardrails to prevent malicious use — means this area remains very much a wild card.
Law Enforcement Will Pressure ‘The Com’
Dozens of attacks by English-speaking threat actors drew attention to a long-running threat actor group loosely known as “The Community” or “The Com.” The group and its subgroups (also referred to as Scattered Spider, Muddled Libra, Starfraud, UNC3944, Scatter Swine, Roasted 0ktapus and 0ktapus) comprise a large number of mostly mid-to-lower-skilled threat actors along with a small subset of highly technically capable actors.
These groups have been evolving and upskilling for several years. One such group was LAPSUS$. It focused on subscriber identity module (SIM) swapping, gaming hacks, swatting and cryptocurrency theft. Except for telecommunications companies affected by SIM swapping, it generally wasn't considered a threat to enterprise security. That changed in 2023 with unending attacks and intrusions. Some with links to The Com began working with the ALPHV aka BlackCat RaaS group. This marked a somewhat rare alliance, as ransomware actors — who are mostly centered in Eastern Europe — have at times said they do not want to work with English speakers. The ransomware and extortion attacks conducted against MGM Resorts and Caesars Entertainment were believed to be linked to these threat actors. The Com also has been linked to attacks against business process outsourcing (BPO) companies and identity providers, running highly effective phishing campaigns that capture login credentials. Some group members use sharp social engineering skills to manipulate help desks into resetting multifactor authentication (MFA) tokens or reassigning them to new devices.
Although these threat actors fail many times, they are extremely persistent. When they gain access, they often read internal documentation on processes and procedures and use that knowledge to achieve deeper access. They’ve even joined organizations’ incident response calls. These actors will present a continued threat through next year, although expect law enforcement to exert pressure and possibly make arrests in 2024. These prospects, however, are tempered by the belief that some threat actors are likely minors, which limits options available to courts.
Supply Chain Risks Abound
We expect to see threat actors look for opportunities to attack through supply chains. Most organizations do not work in isolation and increasingly rely on third-party partners, suppliers and vendors. Cybercriminals see opportunities in these relationships and target weaknesses to extract data. One organization may have rock solid security, but threat actors will look to its suppliers and others that have existing relationships for a side door in.
Over the last decade, some of the most prominent attacks have been classified as supply chain attacks, including NotPetya in 2017, SolarWinds in 2020 and Kaseya in 2021. We saw this manifest in 2023 as well. Okta, one of the largest providers of identity services, experienced incidents where attackers sought access to its clients. Attackers also gained access to the systems of 3CX, which develops a widely used private branch exchange (PBX) software phone system. The attackers trojanized an update for the company’s Voice over Internet Protocol (VoIP) desktop application for Windows and macOS. The app reached out to malicious infrastructure, eventually installing information-stealer malware.
Threat actors take advantage of unsecured relationships between companies and other organizations they work with, including their software vendors. Consequently, if one business maintains robust cybersecurity standards but works with a less secure vendor, that third party has the capability to provide an attacker with an avenue to breach the organization’s defenses. With a foothold in a vendor’s network, threat actors can then pivot through the supply chain to the originally more secure network using that trusted relationship. These attacks can have disastrous knock-on effects. Third-party risk cannot be completely eliminated, but there are steps that can help detect and mitigate it. These include continuously monitoring and assessing the security posture of suppliers, employing zero-trust principles and leveraging threat intelligence to stay informed of emerging threats, vulnerabilities and tactics, techniques and procedures (TTPs).
Regulators Are Losing Patience
There’s a clear trend among regulators across the world: they’ve lost patience with organizations that gloss over data breaches. As a result, data breach reporting requirements continue to tighten. The U.S. Securities and Exchange Commission (SEC) has been at the forefront of this trend. New rules in December 2023 require organizations to report “material” cybersecurity incidents. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is also drafting rules that require ransomware events specifically to be reported to the government. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 will eventually require critical infrastructure agencies to report incidents to CISA within 72 hours and require reporting of ransom payments within 24 hours. Australia also is drafting a ransomware and ransom payment reporting requirement.
Additionally, there are signs that regulatory action may become more personal against security executives. In November 2023, the SEC alleged in a civil lawsuit that SolarWinds and its Chief Information Security Officer (CISO) Timothy Brown violated securities laws by not accurately disclosing the company’s cybersecurity practices. The action comes four years after the disclosure of a supply chain attack against SolarWinds that infected 18,000 organizations, including U.S. federal government agencies. This case will have a long-term effect on CISOs. If Brown is barred from director-level positions, good CISOs may have less incentive to take the personal risk of working at companies where their skills are needed the most. It is therefore important that organizations run security programs commensurate with their risks. At the operational level, this means having agile detection capabilities and threat hunting teams that can use threat intelligence to defend before attackers progress in their intrusions.
Web-Facing Enterprise Software Is a Target
Ransomware groups quickly acted upon vulnerabilities in web-facing appliances and enterprise software this year. In May 2023, the CLOP cybercrime group exploited zero-day vulnerabilities in Progress Software’s MOVEit managed file transfer software to execute one of the largest mass data breaches of all time with more than 2,500 organizations affected. The attack did not involve file-encrypting ransomware — instead, CLOP exploited internet-facing MOVEit portals and extracted the data stored. It then held organizations for ransom. As many as half of the health care organizations paid ransoms to prevent data from being posted on CLOP’s data leak site.
In October 2023, the disclosure of a vulnerability in Citrix’s NetScaler Application Delivery Controller (ADC) and Gateway products saw ransomware actors quickly find vulnerable devices and attack. This will be a threat throughout next year as groups buy or fund research into software vulnerabilities in commonly used software. Organizations must fully account for their software assets and understand the breadth of their own attack surfaces, especially by learning what applications attackers can see through device search engines such as Shodan and Censys. Organizations also must understand the operational impact of taking those services offline if a new vulnerability is disclosed, and either configure the services more securely or replace them with more secure alternatives.
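The n-day exposure described above (patches available, appliances still unpatched and reachable from the internet) is something a defender can check mechanically once an asset inventory exists. The script below is an added example written for this post, not code from the original or from any vendor: it matches an inventory of web-facing services against vendor advisories by version range and ranks internet-facing hits first. Every host, product name, version and advisory id in it is constructed sample data (the advisory ids are placeholders, not real CVEs), and the version scheme with dots and dashes is an assumption chosen to mirror how many appliance vendors number releases.

```python
"""Added example: flag inventoried assets still on versions an advisory lists as
affected, internet-facing hosts first. All data below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder id, not a real CVE or vendor bulletin
    product: str
    affected_from: str      # lower bound of the affected branch (inclusive)
    affected_below: str     # first fixed build; versions older than this are affected


def parse_version(version: str, width: int = 4) -> tuple:
    """Split on dots and dashes ("13.1-49.15" -> (13, 1, 49, 15)) and right-pad
    with zeros so "13.1" and "13.1.0" compare equal instead of prefix-less."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version.strip())]
    parts += [0] * (width - len(parts))
    return tuple(parts)


def version_in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version < high under the component-wise ordering above."""
    return parse_version(low) <= parse_version(version) < parse_version(high)


# Constructed inventory: hostnames and products are invented for the example.
INVENTORY = [
    Asset("vpn-gw-01.example.net", "ExampleGateway", "13.1-37.0", True),
    Asset("vpn-gw-02.example.net", "ExampleGateway", "13.1-49.15", True),
    Asset("mft-01.example.net", "ExampleTransfer", "2023.0.2", True),
    Asset("mft-dev.example.net", "ExampleTransfer", "2023.0.1", False),
    Asset("pbx-01.example.net", "ExamplePBX", "18.12.4", True),
]

# Constructed advisories with placeholder ids; "affected_below" is the fixed build.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "ExampleGateway", "13.1", "13.1-49.15"),
    Advisory("ADV-PLACEHOLDER-002", "ExampleTransfer", "2023.0.0", "2023.0.3"),
]


def exposed_assets(inventory, advisories):
    """Return (host, advisory_id, exposure) tuples for every asset whose version
    falls inside an advisory's affected range, internet-facing hosts first."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)

    findings = []
    for asset in inventory:
        for adv in by_product.get(asset.product, []):
            if version_in_range(asset.version, adv.affected_from, adv.affected_below):
                findings.append((asset, adv))

    # Prioritise what an attacker can reach from the internet; tie-break on hostname.
    findings.sort(key=lambda pair: (not pair[0].internet_facing, pair[0].host))
    return [
        (asset.host, adv.advisory_id, "internet-facing" if asset.internet_facing else "internal")
        for asset, adv in findings
    ]


if __name__ == "__main__":
    for host, advisory_id, exposure in exposed_assets(INVENTORY, ADVISORIES):
        print(f"{exposure:15} {host:25} {advisory_id}")
```

The host already on the fixed build (`13.1-49.15`) is correctly excluded because the upper bound is exclusive, and the development box with no internet exposure still shows up, just lower in the list. In practice the inventory would be fed from the same external scan data (Shodan, Censys or an internal scanner) the post recommends checking, so that the "attacker's view" and the patch state are compared side by side.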
Conclusion
We hope this post has imparted some insight into the trends we have seen and expect to see in 2024. The challenges in some of these areas will play out over many years. Eliminating ransomware, fixing software supply chains and building secure-by-design software are long-term problems. Although the cybersecurity industry has a certain fatalistic gallows humor (example: it’s not a matter if an organization will be breached but when), we don’t have to accept breaches as inevitable. Defenders who have the right data and intelligence can bolster themselves against attacks, and we’ve seen this positive scenario play out. Adversaries may innovate, but it’s possible to stay ahead.