Critical Start today released its biannual Cyber Intelligence Report, featuring the top threats observed in the first half of 2023 and emerging cybersecurity trends impacting the healthcare, financial services, and state and local government industries. The report also includes actionable insights to help organizations strengthen their security posture and proactively mitigate potential risk.
Key findings in the report include:
- The Critical Start Security Operations Center (SOC), which monitors millions of endpoints with more than 80,000 investigations a week, saw increases overall in the number of investigated alerts, alerts escalated to customers, and alerts that were of high or critical priority. In the first quarter of 2023, the SOC saw a 38.88% increase in the number of high or critical priority alerts escalated to customers over the previous quarter.
- Two-step phishing attacks are on the rise, with attackers using convincing emails that resemble legitimate vendor communications, often related to electronic signatures, orders, invoices, or tracking information.
- The new Beep malware is top of mind for organizations and individuals. This pervasive threat is delivered via email attachments, Discord, and OneDrive URLs.
- State-sponsored cyber espionage is becoming increasingly common, with threat actors operating out of Russia, potentially India, and the Asia-Pacific (APAC) region.
"We are continuing to observe an unyielding surge in the volume of cyberthreats, including advanced malware, botnets, ransomware, cryptojacking, and more," said Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, in a press release. "While many of these attack trends are troubling, there are a number of things organizations can do to reduce their risk, such as investing in security awareness programs, updating security protocols, working with trusted partners to address vulnerabilities, and partnering with an MDR vendor."
More from the release:
The cyber threat landscape is constantly evolving, and threat intelligence is essential for identifying and responding in real-time. Cybercrime has become the world's third-largest economy, estimated to generate $8 trillion by the end of 2023—equivalent to about $25,000 per person in the United States.
The Critical Start Cyber Threat Intelligence (CTI) team analyzed a range of intelligence sources, such as customer data, open-source intelligence, vulnerability research, social media monitoring, and Dark Web monitoring to identify the most pressing cybersecurity threats of the first half of 2023.
Some highlights from the report include the top 10 threats from the first half of 2023:
- LockBit, a Russian-based ransomware group, has recently announced the release of a new variant called LockBit Green. This variant shares similarities with the Conti ransomware, as it incorporates a large portion of Conti's leaked source code. LockBit ransomware group operates under a RaaS model leveraging double, and sometimes triple, extortion techniques. It's estimated LockBit had nearly 1,100 victims in 2022 alone.
- After a brief hiatus, Emotet threat actors resumed their operations in early March 2023. Emotet, originally a banking trojan, has transformed into a versatile piece of malware that relies on massive spam email campaigns. Using a technique called email hijacking, the attackers insert themselves into existing business conversations or initiate new email conversations to make the malicious emails appear trustworthy. They often employ urgency-inducing topics, like service invoices, to increase the chances of victims opening the emails.
- Microsoft recently disclosed a Zero-Day vulnerability in Outlook, identified as CVE-2023-23397. This elevation-of-privilege flaw allows threat actors to execute remote code and steal NTLM credentials of Outlook users.
- Two-step phishing attacks involve threat actors using compromised vendors to target potential victims by creating convincing emails that resemble legitimate vendor communications, often related to DocuSign, orders, invoices, or tracking information.
- BlackLotus is a stealthy Unified Extensible Firmware Interface (UEFI) bootkit, a type of malware that can circumvent Secure Boot defenses. It is the first known malware capable of bypassing Secure Boot on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.
- Clasiopa is a sophisticated threat actor that utilizes a distinct toolset that includes custom-developed malware and hacking tools. Clasiopa's primary malware is Backdoor.Atharvan, a remote access Trojan (RAT) designed to evade detection. They also use modified versions of Lilith RAT for remote control and Thumbsender for gathering and exfiltrating file names. A custom proxy tool helps them maintain persistence and communicate with command-and-control servers undetected.
- Beep is a newly discovered botnet implant malware that employs exhaustive anti-analysis and detection-evasion techniques. It enables attackers to remotely deploy additional malware payloads onto compromised systems. The malware consists of a dropper, an injector, and an implant payload, with the capability to gather host information and communicate with a command and control (C2) server for further instructions. Beep exhibits advanced evasion tactics and is still in the early stages of development, with potential for future functionality enhancements.
- Dark Pink is an emerging APT group that has been active since mid-2021, with their first successful attack observed in June 2022. The group operates in the APAC region and employs sophisticated techniques, including DLL side-loading and Event Triggered Execution, to launch custom malware and maintain persistence. Their attacks begin with tailored spear-phishing emails disguised as job applications, containing personalized Information Security Officer (ISO) images that include signed executables, decoy documents, and malicious DLL files. Dark Pink infects both the victim's device and any removable drives present, using the Telegram API for communication and data exfiltration.
- DarkCloud is an information stealer malware delivered through phishing emails with malicious attachments. It can extract usernames, passwords, credit card data, and sensitive information from various applications and browsers.
- Linux, known for its security advantages, was previously considered less vulnerable compared to other operating systems. However, with Linux being widely used in critical areas of businesses and cloud services, threat actors have shifted their focus and developed sophisticated malware to target Linux. Several active ransomware groups, such as LockBit, AvosLocker, and Luna, are now targeting Linux systems using vulnerabilities and penetration testing tools like Cobalt Strike and Vermilion Strike.
For more details on each, download the report (must provide contact information to receive).
Critical Start is a provider of Managed Detection and Response (MDR) cybersecurity solutions and is a supporting partner of SecureWorld events.