2023 has been the cybercriminal’s year. Connected devices in sectors like manufacturing and education, the financial industry, the gaming and gambling industry, and the cryptocurrency space were hit by DDoS, malware attacks, Kerberoasting, Access Broker advertisements, and DNS attacks. On top of this variety, cybercriminals got faster.
In August 2023, Bloomberg reported that a cyberattack on Norway’s government, which exploited a vulnerability linked to a mobile device, had lasted at least four months.
Adam Meyers, head of Counter Adversary Operations at CrowdStrike, says, “In our tracking of over 215 adversaries in the past year, we have seen a threat landscape that has grown in complexity and depth as threat actors pivot to new tactics and platforms, such as abusing valid credentials to target vulnerabilities in the cloud and in software.”
“When we talk about stopping breaches, we cannot ignore the undeniable fact that adversaries are getting faster, and they are employing tactics intentionally designed to evade traditional detection methods. Security leaders need to ask their teams if they have the solutions required to stop lateral movement from an adversary in just seven minutes.”
According to the Zscaler ThreatLabz 2023 Enterprise IoT and OT Threat Report, IoT and OT malware attacks increased 400% year-over-year, underscoring the need for better Zero Trust security to protect critical infrastructure. The manufacturing industry, which relies heavily on both IoT and OT, was the top targeted sector, bearing the brunt of blocked IoT malware attacks: it accounted for 54.5% of all attacks and averaged 6,000 weekly attacks across all monitored devices.
The education sector also experienced a substantial increase in IoT malware attacks, a 961% jump, owing to the spread of unsecured and shadow IoT devices within school networks, which give attackers easier access points. The wealth of personal data stored on their networks has made educational institutions particularly attractive targets, leaving students and administrations vulnerable.
Mexico and the US were the most targeted countries, collectively accounting for 69.3% of attacks. IoT botnet activity, a growing concern in the realm of OT, continues to dominate, with the Mirai and Gafgyt malware families accounting for 66% of attack payloads.
The financial industry saw a stunning 80% YoY increase in interactive intrusions (intrusions that involve hands-on-keyboard activity); across all sectors, interactive intrusions were up 40%.
A CrowdStrike report found an alarming nearly 6x year-over-year (YoY) spike in Kerberoasting attacks, a technique adversaries can abuse to obtain valid credentials for Microsoft Active Directory service accounts, often providing actors with higher privileges and allowing them to remain undetected in victim environments for longer periods of time.
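From the defender's side, Kerberoasting leaves a fairly recognisable trace in the domain controller's Security log: one account requesting service tickets for many service principal names in a short burst, typically with the weak RC4 encryption type (TicketEncryptionType 0x17 in event 4769), because RC4-encrypted tickets are the ones that crack cheaply offline. The following is an added example and not code from the CrowdStrike report; the event records are constructed, with made-up hostnames, users and SPNs, and the 10-minute window and 3-SPN threshold are illustrative tuning values.

```python
"""Kerberoasting indicator over Windows Security event 4769 records.

Added example (not from the cited report). Event 4769 is logged when a
Kerberos service ticket (TGS) is requested. The detector below groups
successful RC4-encrypted ticket requests per requesting account and flags an
account that obtained tickets for many distinct SPNs inside one window.
All records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP ticket encryption types

# Constructed records shaped like the relevant 4769 fields (Account Name,
# Service Name, Ticket Encryption Type, Failure Code). Real data would come
# from the event log or a SIEM.
SAMPLE_4769 = [
    # normal user: AES (0x12) tickets for two services
    {"time": "2023-11-02T09:00:01", "account": "alice@CORP.LOCAL",
     "spn": "HTTP/intranet.corp.local", "etype": "0x12", "status": "0x0"},
    {"time": "2023-11-02T09:00:05", "account": "alice@CORP.LOCAL",
     "spn": "cifs/fileserver.corp.local", "etype": "0x12", "status": "0x0"},
    # suspicious: one account pulls RC4 tickets for four SPNs within seconds
    {"time": "2023-11-02T09:10:00", "account": "bob@CORP.LOCAL",
     "spn": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17", "status": "0x0"},
    {"time": "2023-11-02T09:10:01", "account": "bob@CORP.LOCAL",
     "spn": "MSSQLSvc/db02.corp.local:1433", "etype": "0x17", "status": "0x0"},
    {"time": "2023-11-02T09:10:01", "account": "bob@CORP.LOCAL",
     "spn": "HTTP/reporting.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2023-11-02T09:10:02", "account": "bob@CORP.LOCAL",
     "spn": "svc_backup/backup01.corp.local", "etype": "0x17", "status": "0x0"},
    # a failed request (non-zero failure code) yields no ticket to crack
    {"time": "2023-11-02T09:10:03", "account": "bob@CORP.LOCAL",
     "spn": "ldap/dc01.corp.local", "etype": "0x17", "status": "0x1b"},
    # legacy application: the same single RC4 SPN, repeated -- below threshold
    {"time": "2023-11-02T09:30:00", "account": "legacyapp@CORP.LOCAL",
     "spn": "HOST/oldprinter.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2023-11-02T10:30:00", "account": "legacyapp@CORP.LOCAL",
     "spn": "HOST/oldprinter.corp.local", "etype": "0x17", "status": "0x0"},
]


def find_kerberoasting(events, window=timedelta(minutes=10), min_spns=3):
    """Return {account: sorted SPNs} for accounts that obtained successful RC4
    service tickets for at least `min_spns` distinct SPNs inside any `window`."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["etype"] not in RC4_ETYPES or ev["status"] != "0x0":
            continue
        per_account[ev["account"]].append(
            (datetime.fromisoformat(ev["time"]), ev["spn"]))

    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        best = set()
        start = 0
        # sliding window over the time-ordered requests; keep the largest SPN set
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {spn for _, spn in reqs[start:end + 1]}
            if len(spns) > len(best):
                best = spns
        if len(best) >= min_spns:
            flagged[account] = sorted(best)
    return flagged


if __name__ == "__main__":
    for account, spns in find_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} RC4 service tickets")
        for spn in spns:
            print("   ", spn)
```

The legacy application shows why a simple "RC4 ticket requested" rule is too noisy: some old services still negotiate RC4 legitimately, so the useful signal is breadth (many distinct SPNs) and speed rather than the encryption type alone. The lasting fix is to move service accounts to AES-only and long random passwords (or group managed service accounts), which removes the cheap offline crack that makes the technique worthwhile.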
Overall, 62% of all interactive intrusions involved the abuse of valid accounts, while there was a 160% increase in attempts to gather secret keys and other credentials via cloud instance metadata APIs.
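The cloud instance metadata API is the usual route by which a web-application bug such as SSRF turns into stolen cloud credentials: on AWS, a plain unauthenticated GET to the link-local metadata address returns the instance role's temporary keys unless IMDSv2 (session tokens) is enforced. The following added example, not code from the cited report, shows both sides a defender controls: a check of an instance's metadata options for the weak setting, and a scan of constructed web-server access-log lines for requests that point a URL-fetching feature at a metadata endpoint. The `MetadataOptions` field names are those the EC2 describe-instances API returns; the log lines, addresses and `/fetch` endpoint are constructed.

```python
"""Defender-side checks against cloud instance metadata (IMDS) credential theft.

Added example, not code from the cited report. Part 1 evaluates an EC2
instance's MetadataOptions block (describe-instances shape) for settings that
let an unauthenticated GET read IAM credentials. Part 2 scans web access logs
for query parameters that name a metadata endpoint, including the decimal and
hex spellings of 169.254.169.254 that URL parsers still resolve. All sample
data is constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Metadata endpoints: AWS, Azure and GCP share the link-local IPv4 address;
# AWS also exposes an IPv6 address and GCP a hostname.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal", "metadata"}
METADATA_V4 = ipaddress.ip_address("169.254.169.254")

# Constructed MetadataOptions blocks: the weak default-era setting and the hardened one.
WEAK_OPTIONS = {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}
HARDENED_OPTIONS = {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}


def imds_findings(options):
    """Return misconfiguration findings for one MetadataOptions block; [] means hardened."""
    if options.get("HttpEndpoint") == "disabled":
        return []  # no metadata service reachable, nothing to steal
    findings = []
    if options.get("HttpTokens") != "required":
        findings.append("IMDSv1 allowed: credentials are returned to an unauthenticated GET")
    if options.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append("hop limit > 1: IMDSv2 token responses may be forwarded past the host")
    return findings


def is_metadata_host(value):
    """True if value names a metadata endpoint in any spelling the URL stack resolves."""
    host = value.strip().strip("[]").lower()
    if host in METADATA_HOSTS:
        return True
    try:
        if host.startswith("0x") or host.isdigit():
            # int(x, 0) parses both "0xa9fea9fe" and "2852039166"
            return ipaddress.ip_address(int(host, 0)) == METADATA_V4
        return ipaddress.ip_address(host) == METADATA_V4
    except ValueError:
        return False


REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')


def metadata_ssrf_hits(log_lines):
    """Return (request_path, param, decoded_value) for every query parameter
    whose value is a metadata host or a URL pointing at one."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        for key, raw in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            value = unquote(raw)  # second decode catches double-encoded values
            target = urlsplit(value).hostname or value  # full URL or bare host
            if target and is_metadata_host(target):
                hits.append((path, key, value))
    return hits


# Constructed combined-format access-log lines for a /fetch endpoint that
# retrieves a caller-supplied URL (the classic SSRF shape).
SAMPLE_ACCESS_LOG = [
    '10.1.2.3 - - [02/Nov/2023:10:00:00 +0000] "GET /fetch?url=https%3A%2F%2Fcdn.example.com%2Fimg.png HTTP/1.1" 200 8120',
    '10.1.2.3 - - [02/Nov/2023:10:00:07 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 512',
    '10.1.2.3 - - [02/Nov/2023:10:00:09 +0000] "GET /fetch?url=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 310',
    '10.1.2.3 - - [02/Nov/2023:10:00:11 +0000] "GET /fetch?url=http%3A%2F%2F%5Bfd00%3Aec2%3A%3A254%5D%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 310',
    '10.9.9.9 - - [02/Nov/2023:10:01:00 +0000] "GET /healthz HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for finding in imds_findings(WEAK_OPTIONS):
        print("IMDS:", finding)
    for path, key, value in metadata_ssrf_hits(SAMPLE_ACCESS_LOG):
        print(f"metadata access attempt via {key}={value} ({path})")
```

Requiring IMDSv2 (`HttpTokens: required`) is the control that actually closes the hole, since the token must be obtained with a PUT carrying a custom header that a simple GET-based SSRF cannot send; the log scan is the compensating detection for fleets that have not finished that migration, and it should treat a 200 response on such a request as an incident, not a warning.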
Access Broker Advertisements
Access Broker advertisements increased by 147% in criminal or underground communities. Ready access to valid accounts for sale lowers the barrier to entry for eCrime actors looking to conduct criminal operations and allows established adversaries to hone their post-exploitation tradecraft and achieve their objectives more efficiently.
Initial access brokers are threat actors that sell cybercriminals access to corporate networks. They are highly skilled in their field and possess a specialized set of skills honed over a long period of black hat hacking that they utilize to access secure networks.
Linux Tool linPEAS
CrowdStrike witnessed a threefold increase in the use of the Linux tool linPEAS, which adversaries use to gain access to cloud environment metadata, network attributes, and various credentials that they can then exploit.
DDoS & DNS Attacks
For the past two quarters of 2023, the gaming and gambling industry was the most targeted industry in Asia. In Q2, however, the gaming and gambling industry dropped to second place and cryptocurrency took the lead as the most attacked industry (~50%). Substantial portions of the attack traffic originated from Asia itself (30%) and North America (30%).
According to a Cloudflare report, attacks targeting cryptocurrency companies increased by 600%, against a broader 15% increase in HTTP DDoS attacks. After crypto, gaming and gambling websites came in second place as their attack share increased by 19% QoQ. Marketing and advertising websites were not far behind in third place, with little change in their share of attacks.
The quarter also saw an increase in deliberately engineered and targeted DNS attacks, alongside a 532% surge in DDoS attacks exploiting the Mitel vulnerability (CVE-2022-26143). Over the past quarter, HTTP DDoS attacks increased by 15% quarter-over-quarter (QoQ) despite a 35% decrease year-over-year (YoY). Network-layer DDoS attacks, by contrast, decreased this quarter by approximately 14%.
Over the past quarter, the most common attack vector was DNS-based DDoS attacks — 32% of all DDoS attacks were over the DNS protocol. Amongst these, one of the more concerning attack types we’ve seen increasing is the DNS Laundering attack which can pose severe challenges to organizations that operate their own authoritative DNS servers.
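What makes DNS laundering hard for an authoritative operator is that the flood of queries for random, non-existent subdomains is relayed through many legitimate recursive resolvers, so the source addresses are ones you cannot block without breaking real resolution. The signal is in the query names rather than the senders. The following added example, not code from the Cloudflare report, runs a simple per-zone detector over constructed authoritative query-log lines: it flags a zone whose traffic is dominated by unique, high-entropy labels answered NXDOMAIN, while leaving a busy zone with normal repeated names (and the odd typo) alone. The log format, zone names, resolver addresses and thresholds are all constructed.

```python
"""Spot DNS laundering against an authoritative zone from its query log.

Added example, not code from the cited report. Per zone it measures the
share of unique query names, the share of NXDOMAIN answers, the mean Shannon
entropy of the leftmost label and the number of distinct resolvers seen. A
laundered random-subdomain flood scores high on all four. Sample log lines,
zones and resolver addresses are constructed.
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(label):
    """Bits per character of a label: 0.0 for 'www', 3.0 for eight distinct characters."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_line(line):
    """Constructed log format: '<time> <resolver-ip> <qname> <qtype> <rcode>'."""
    ts, src, qname, qtype, rcode = line.split()
    return {"ts": ts, "src": src, "qname": qname.lower().rstrip("."), "qtype": qtype, "rcode": rcode}


def zone_of(qname, zones):
    """Return the zone a query name belongs to, or None if it is not one of ours."""
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def laundering_suspects(lines, zones, min_queries=10, min_unique=0.8,
                        min_nxdomain=0.8, min_entropy=2.5):
    """Return {zone: stats} for zones whose traffic looks like a laundered flood."""
    per_zone = defaultdict(lambda: {"total": 0, "nxdomain": 0, "names": set(),
                                    "sources": set(), "entropies": []})
    for line in lines:
        q = parse_query_line(line)
        zone = zone_of(q["qname"], zones)
        if zone is None:
            continue
        st = per_zone[zone]
        st["total"] += 1
        st["nxdomain"] += q["rcode"] == "NXDOMAIN"
        st["names"].add(q["qname"])
        st["sources"].add(q["src"])
        if q["qname"] != zone:  # apex queries have no subdomain label to score
            st["entropies"].append(shannon_entropy(q["qname"].split(".")[0]))

    suspects = {}
    for zone, st in per_zone.items():
        if st["total"] < min_queries:
            continue
        unique_ratio = len(st["names"]) / st["total"]
        nx_ratio = st["nxdomain"] / st["total"]
        mean_entropy = sum(st["entropies"]) / len(st["entropies"]) if st["entropies"] else 0.0
        if unique_ratio >= min_unique and nx_ratio >= min_nxdomain and mean_entropy >= min_entropy:
            suspects[zone] = {"queries": st["total"], "unique_ratio": unique_ratio,
                              "nxdomain_ratio": nx_ratio,
                              "mean_label_entropy": round(mean_entropy, 2),
                              "distinct_sources": len(st["sources"])}
    return suspects


# Constructed query log. 198.51.100.0/24 is documentation space standing in
# for recursive resolver addresses.
SAMPLE_QUERY_LOG = [
    # normal traffic: a few names, repeated, from three resolvers, one typo
    "2023-11-02T10:00:00Z 198.51.100.1 www.shop.example A NOERROR",
    "2023-11-02T10:00:01Z 198.51.100.2 www.shop.example A NOERROR",
    "2023-11-02T10:00:01Z 198.51.100.1 api.shop.example A NOERROR",
    "2023-11-02T10:00:02Z 198.51.100.3 cdn.shop.example A NOERROR",
    "2023-11-02T10:00:02Z 198.51.100.2 www.shop.example AAAA NOERROR",
    "2023-11-02T10:00:03Z 198.51.100.1 api.shop.example A NOERROR",
    "2023-11-02T10:00:03Z 198.51.100.3 www.shop.example A NOERROR",
    "2023-11-02T10:00:04Z 198.51.100.2 cdn.shop.example A NOERROR",
    "2023-11-02T10:00:04Z 198.51.100.1 wwww.shop.example A NXDOMAIN",
    "2023-11-02T10:00:05Z 198.51.100.3 api.shop.example A NOERROR",
    # laundered flood: every query a fresh random label, every answer NXDOMAIN,
    # arriving from ten different resolvers that are themselves legitimate
    "2023-11-02T10:00:00Z 198.51.100.11 q7x2kf9a.victim.example A NXDOMAIN",
    "2023-11-02T10:00:00Z 198.51.100.12 z1m8vb3t.victim.example A NXDOMAIN",
    "2023-11-02T10:00:00Z 198.51.100.13 h4pw9kd2.victim.example A NXDOMAIN",
    "2023-11-02T10:00:01Z 198.51.100.14 r6t3yn8c.victim.example A NXDOMAIN",
    "2023-11-02T10:00:01Z 198.51.100.15 v2bq7sl5.victim.example A NXDOMAIN",
    "2023-11-02T10:00:01Z 198.51.100.16 n9fk4xa1.victim.example A NXDOMAIN",
    "2023-11-02T10:00:02Z 198.51.100.17 t5jd8rm6.victim.example A NXDOMAIN",
    "2023-11-02T10:00:02Z 198.51.100.18 w3cz6hp9.victim.example A NXDOMAIN",
    "2023-11-02T10:00:02Z 198.51.100.19 k8ly2gv4.victim.example A NXDOMAIN",
    "2023-11-02T10:00:03Z 198.51.100.20 b1sx5qt7.victim.example A NXDOMAIN",
]

if __name__ == "__main__":
    for zone, stats in laundering_suspects(SAMPLE_QUERY_LOG, ["shop.example", "victim.example"]).items():
        print(f"{zone}: likely laundered flood, {stats}")
```

The `distinct_sources` count is what tells the operator that an IP blocklist is the wrong response here: the right mitigations act on the names (response rate limiting for NXDOMAIN, dropping or tarpitting queries for labels that match the random pattern, or fronting the zone with a provider that absorbs the volume) rather than on the resolvers relaying them.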
Over a period of months, non-profits were targeted by an average of 67.7 million cyberattacks per day. Additionally, one of the largest attacks Cloudflare saw was an ACK flood DDoS attack that originated from a Mirai-variant botnet comprising approximately 11K IP addresses.
Cybercriminals have added not only variety to their attacks but also speed. The average time it takes an adversary to move laterally from the initial compromise to other hosts in the victim environment fell from the previous all-time low of 84 minutes in 2022 to a record 79 minutes in 2023. Additionally, the fastest breakout time of the year was recorded at just seven minutes.
As we go into 2024, it’s a good idea to spruce up our cybersecurity game.