Spies never sleep
In Q4, the share of spyware attacks on organizations increased by five percentage points compared to the previous quarter. According to ANY.RUN, in Q4 2023, stealers were the most frequently used type of malware. Positive Technologies confirms that spyware was a trend not just in Q4, but throughout 2023.

Let's take a look at some of the types of spyware that the Positive Technologies Expert Security Center dealt with in Q4. The first is Agent Tesla, a well-known infostealer. Attackers sent Agent Tesla to organizations in phishing emails with fake financial documents, such as receipts, estimates, and payment notices.

In Q4, Zscaler ThreatLabz detected phishing campaigns where threat actors used Agent Tesla. In these campaigns, spyware was sent under the guise of XLSX documents. Attackers exploited CVE-2017-11882, an old vulnerability in the Microsoft Office Equation Editor. An update fixing this vulnerability was released in November 2017, but some people still use older versions. This is yet another reminder of the importance of installing updates on time, especially for popular and frequently used programs.
Besides Agent Tesla, RedLine was one of the most frequently used information stealers in Q4. RedLine can steal credentials, cookies, payment card data, cryptocurrency wallet data, and configuration information. It's distributed by subscription (malware-as-a-service) over multiple channels, which in Q4 included malvertising. Threat actors advertised a trojanized version of the CPU-Z tool hosted on a cloned copy of a popular news site; downloading this CPU-Z build resulted in infection by RedLine. The trojanized CPU-Z was also delivered in emails. In late November, PT Expert Security Center detected RedLine phishing campaigns that targeted Russian companies. The emails contained malicious attachments disguised as 1C (a Russian business software suite) documents. For the C2 infrastructure, attackers used domain names masquerading as 1C resources.

In late November, PT Expert Security Center observed a phishing campaign by cybercriminal group XDSpy. The attackers mostly targeted Russian organizations. One of the phishing emails was sent to a research institute allegedly from another research institute. The message contained a link to a file sharing site where victims downloaded the Zayavlenye.pdf file and malware. The email looked genuine: the fake institute's logo was included in the signature, and the file was a scan of a form filled out by hand.


Aside from Agent Tesla and RedLine, the FormBook, Lumma, StormKitty, and Ducktail infostealers were most frequently observed by PT Expert Security Center in Q4.
Cl0p explores new paths
In Q4, Positive Technologies noted a significant decrease in the number of attacks that exploited the CVE-2023-34362 vulnerability in the MOVEit Transfer software. This vulnerability had been a focus of the Cl0p ransomware group since April. However, in November, Cl0p switched to CVE-2023-47246, a critical vulnerability in SysAid, an IT service management software. SysAid learned of the vulnerability on November 2 and announced a security update on November 8. We expect news of successful attacks exploiting this vulnerability and targeting organizations to appear in Q1 2024.
FBI vs BlackCat
BlackCat has long been one of the most widely used malware families in ransomware campaigns. Since its inception (the first mentions on the dark web date back to Q4 2021), more than a thousand organizations have fallen victim, including utility company Empresas Públicas de Medellín, computer drive manufacturer Western Digital, IT services company HTC Global Services, and other major companies. However, the string of successful BlackCat attacks was cut short at the end of 2023. On December 19, the FBI shared details of the U.S. law enforcement disruption campaign that hit the cybercriminals hard. Federal experts developed a tool to recover the files of more than 500 affected victims and avoid ransom payments totaling approximately $68 million. In response, BlackCat stated that all other victims whose key pairs remained in the hands of the attackers would lose their data. BlackCat also threatened to remove all restrictions from its affiliates, allowing them to target any organization they wanted, including critical infrastructure.
What will come of the clash between BlackCat and the FBI has yet to be seen. We believe the group won't just disappear without a trace. It wasn't so long ago that BlackCat came to the forefront after learning from the mistakes of the notorious REvil and BlackMatter. So it's likely that BlackCat will soon recover from the FBI's interference and continue its operations.
Theft of payment card data from online stores
In Q4, the share of payment card data in the total amount of stolen information reached 5% in attacks on organizations and 16% in attacks on individuals (3% and 13% in Q3, respectively). We attribute this growth to several large campaigns in which attackers used JavaScript sniffers, or malicious scripts that intercept the payment card data of online store customers. In late December, Europol published a report on a two-month operation that helped reveal 443 online merchants infected with JavaScript sniffers.
One of the reasons why such attacks are successful is that people use outdated software. Attackers exploit vulnerabilities in outdated versions of CMS systems to inject malicious scripts into online store websites. Recently, Sucuri experts shared the details of a case where an infected online store was running OpenCart CMS version 1.5.5.1, which was released more than 10 years ago.
Attackers try to keep JavaScript sniffers invisible for as long as possible. In a recent campaign by Magecart, one of the most infamous JavaScript sniffers, criminals used a new technique to hide malicious scripts. The loader masqueraded as Meta Pixel code snippets and caused a "404 Not Found" error to execute the malicious code hidden on the error page. All requests appeared innocuous, which made it exceedingly difficult for traffic analysis tools to detect the JavaScript sniffer.
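The Magecart loader described above hides its payload in a response that traffic analysis tools usually discard. The Python below is an added defender-side check, not code from the Positive Technologies report or from any vendor it cites: it runs over constructed HTTP transaction records and flags 404 responses whose body carries an inline script or a long base64-like run, and separately flags scripts that look like Meta Pixel but are not served from connect.facebook.net (the host the genuine Pixel loads from). The record format, the size threshold and the sample data are assumptions.

```python
import re
from dataclasses import dataclass


# Constructed record: one HTTP exchange as a proxy or WAF log would expose it.
@dataclass
class Transaction:
    url: str
    status: int
    content_type: str
    body: str


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
# A run of 200+ base64 characters is unusual in a genuine "Not Found" page.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# The genuine Meta Pixel script (fbevents.js) is served from this host.
META_PIXEL_HOST = "connect.facebook.net"
# Assumed size threshold: error pages are normally small.
MAX_404_BODY = 4096


def suspicious_404(tx: Transaction) -> list[str]:
    """Return reasons a 404 response looks like it carries executable content."""
    reasons = []
    if tx.status != 404:
        return reasons
    if SCRIPT_TAG.search(tx.body):
        reasons.append("inline <script> in 404 body")
    if BASE64_RUN.search(tx.body):
        reasons.append("long base64-like run in 404 body")
    if len(tx.body) > MAX_404_BODY:
        reasons.append("404 body unusually large")
    return reasons


def fake_pixel(tx: Transaction) -> bool:
    """Flag a script that looks like Meta Pixel but is not served from Meta's host."""
    looks_like_pixel = "fbq(" in tx.body or "fbevents" in tx.url
    host = re.match(r"https?://([^/]+)/", tx.url)
    return looks_like_pixel and (host is None or host.group(1) != META_PIXEL_HOST)


def audit(transactions: list[Transaction]) -> dict[str, list[str]]:
    """Map each suspicious URL to the list of reasons it was flagged."""
    findings = {}
    for tx in transactions:
        reasons = suspicious_404(tx)
        if fake_pixel(tx):
            reasons.append("Meta Pixel look-alike served off-domain")
        if reasons:
            findings[tx.url] = reasons
    return findings


# Constructed sample: a normal 404, a genuine Pixel load, and a 404 hiding a payload.
SAMPLE = [
    Transaction("https://shop.example/static/missing.png", 404, "text/html", "<h1>Not Found</h1>"),
    Transaction("https://connect.facebook.net/en_US/fbevents.js", 200, "text/javascript", "fbq('init')"),
    Transaction("https://cdn.example/pixel/fbevents.js", 404, "text/html",
                "<h1>Not Found</h1><!-- " + "QUJD" * 60 + " -->"),
]
```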
Another way attackers can steal payment card data is by using malicious plugins for WordPress websites. In December, Sucuri experts reported an attack where criminals used a malicious plugin that created bogus administrator users and injected a JavaScript sniffer into compromised sites. According to Sucuri, the malicious plugin can be installed from the WordPress admin panel using a compromised admin account or by exploiting a vulnerability in already installed plugins.
Data obtained using JavaScript sniffers is later sold on the dark web. Criminals also sell access to sites where buyers can install JavaScript sniffers and collect payment card data on their own.


It comes as no surprise that the number of attacks aimed at stealing the payment card data of online store customers increases around the holidays. During these periods, users need to be extra careful when shopping online. Here are some basic principles to follow:
- Only shop on well-known and trusted online stores. Large vendors normally have strong security measures in place, making it difficult for cybercriminals to inject JavaScript sniffers.
- Use payment services to make purchases without entering your payment card information. This is much safer, as payment services don't share card details with online stores.
- Get a separate card for online payments and don't keep a lot of money on it. A good solution here would be a virtual card.
- Online store administrators should regularly perform security assessments of their websites, update the CMS and plugins in a timely manner, and use strong passwords and multifactor authentication.
Troubled waters: a surge in attacks on water systems
In Q4, hacktivist group Cyber Av3ngers escalated attacks against the industrial control systems of Israeli manufacturer Unitronics. In particular, the group targeted water and wastewater systems that use Unitronics Vision PLCs. The compromised devices were exposed to the internet and still used default passwords; this weakness was assigned CVE-2023-6448. As of early December, over 500 vulnerable Unitronics devices were still reachable online.
The Cyber Av3ngers claim to have hacked 10 Israeli water treatment facilities. They also hacked the Municipal Water Authority of Aliquippa in Pennsylvania. In late November, the hackers took control of a booster station, but an alarm went off and any serious consequences were avoided. A similar attack was carried out on a water scheme in the Barony of Erris, Ireland. After the incident, 180 homeowners were cut off from water for two days.

Ransomware operators also took an interest in water systems. A North Texas water utility was hit by an attack from a cybercrime gang known as Daixin Team just one day after the attack on the water authority in Pennsylvania. The phone system was affected, and the group claims to have stolen more than 33,000 files containing customer information. The Hunters International ransomware group added St. Johns River Water Management (U.S.) to its list of victims on its dark web portal.
Paris wastewater agency SIAAP and German public water supply company Hochsauerlandwasser also fell victim to cyberattacks in Q4. The details of these attacks remain unclear. In response to the spike in attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Environmental Protection Agency (EPA) issued the Incident Response Guide for water and wastewater operators.
Trending vulnerabilities
Every third (31%) successful attack on organizations involved the exploitation of vulnerabilities. Below are the most notable vulnerabilities exploited in Q4:
- CVE-2023-4966 (Citrix Bleed). On October 10, Citrix published a security bulletin disclosing a vulnerability in its NetScaler ADC and Gateway products. This critical vulnerability with a CVSS score of 9.4 allows criminals to hack accounts on vulnerable devices. The first attempts to exploit the vulnerability were registered in August. In late October, a publicly available exploit appeared, leading to widespread exploitation of Citrix Bleed by ransomware operators. The U.S. corporation Boeing, Chinese bank ICBC, international law firm Allen & Overy, and U.S. telecommunications provider Comcast Cable fell victim to ransomware attacks in Q4.
- CVE-2023-20198. This vulnerability in the Cisco IOS XE operating system with a CVSS score of 10 allows unauthenticated remote attackers to create an account with full access to a device. Cisco Talos specialists first registered the exploitation of this vulnerability on September 18. Since then, experts from various companies have reported tens of thousands of compromised Cisco IOS XE devices. The investigation of these attacks led to the discovery of another vulnerability (CVE-2023-20273) that was used in conjunction with CVE-2023-20198. Cisco published a security advisory covering these vulnerabilities on October 16 and released a patch on October 22. However, a publicly available exploit soon appeared, which led to a new wave of attacks on Cisco devices in early November, with attackers delivering the BadCandy web shell to compromised devices.
- CVE-2023-22518. This critical vulnerability in Atlassian's Confluence Data Center and Server was reported by the vendor on October 31. It's related to improper authorization and allows attackers to destroy data on vulnerable servers. In early November, an exploit for the vulnerability was published, followed by a surge in attacks on Atlassian Confluence servers available on the web. In particular, the vulnerability was exploited by operators of the Cerber ransomware. Initially, the vulnerability earned a CVSS score of 9.1, but was later increased to 10.
- CVE-2023-46604. This remote code execution vulnerability in Apache ActiveMQ with a CVSS score of 9.8 is popular among attackers. Arctic Wolf and Huntress observed attacks involving the installation of the SparkRAT malware on vulnerable ActiveMQ servers two weeks before Apache released security updates. The vulnerability was exploited by the HelloKitty and TellYouThePass ransomware operators. In addition, Trend Micro discovered that the vulnerability was exploited by operators of the Kinsing botnet to compromise Linux systems and deploy cryptocurrency miners. AhnLab identified attacks by the Andariel APT group using CVE-2023-46604 to deploy the NukeSped and TigerRAT backdoors.
To protect against cyberattacks, we recommend following our general 