From data extortion attacks to supply chain compromise, 2023 saw several high-profile cyberattacks and incidents.
I talked with Mick Baccio, security strategist with SURGe, for his take on the types of incidents we're seeing this year. "The cybersecurity incident landscape in 2023 serves as a stark reminder that both financial gain and intelligence collection objectives can result in data exfiltration." Baccio continues:
"This underscores the vulnerability of even the most secure organizations, emphasizing the importance of organizational resilience in 2023 and beyond."
With that context, let's take a look at the top five cyberattacks so far in 2023. I'll also share resources to help organizations defend against similar attacks in the future.
(Stay up to date with expert-recommended security reading, cyber podcasts & these security events.)
MOVEit Transfer breach
In late May 2023, Progress Software disclosed a SQL injection vulnerability (CVE-2023-34362) in its MOVEit Transfer managed file transfer product. The data extortion group cl0p had already begun exploiting the flaw as a zero-day over the U.S. Memorial Day weekend, days before the advisory, and within a week was exploiting it at scale against MOVEit Transfer customers. Cl0p did not encrypt victim data; it exfiltrated data from the MOVEit servers and threatened to leak it if a ransom was not paid.
New Zealand-based cybersecurity firm Emsisoft is tracking the number of impacted organizations, which continues to grow months after the attacks began, largely because many victims were hit indirectly through a vendor or service provider that ran MOVEit Transfer on their behalf. As of October 2023, more than 2,500 organizations and 66 million people are known to be impacted by the breach, according to Emsisoft's analysis.
MOVEit Transfer is the third file transfer platform cl0p has targeted in this style of data extortion campaign, after Accellion's legacy File Transfer Appliance (FTA) in late 2020 and early 2021, and Fortra's GoAnywhere MFT in early 2023. The pattern is the same each time: a pre-authentication vulnerability in an internet-facing file transfer server that holds sensitive data, exploited in bulk before most customers have patched. Organizations running such servers should treat them as high-value targets, keep them off the open internet where possible, and patch within days rather than weeks.
(Learn more about ransomware families.)
U.S. State Department emails hacked
In July 2023, Microsoft disclosed that a China-based threat actor it tracks as Storm-0558 had compromised email accounts at roughly 25 organizations, including U.S. government agencies, beginning the month prior.
The adversary obtained a Microsoft account (MSA) consumer signing key and used it to forge authentication tokens; a validation flaw in Microsoft's token handling accepted those consumer-key-signed tokens for enterprise Exchange Online mailboxes, giving the actor access to the email of State Department officials. Microsoft's follow-up investigation concluded that the key had leaked into a crash dump of a consumer signing system in 2021, that the dump had been moved from the isolated production network into Microsoft's corporate debugging environment, and that the threat actor most likely obtained it by compromising a Microsoft engineer's corporate account.
The attack was possible only because of that chain of lapses, and it was caught not by Microsoft but by the victim. Politico reports that the State Department was able to alert Microsoft to the breach thanks to a tripwire alert that an analyst had created two years earlier, which flagged unusual volumes of the MailItemsAccessed mailbox audit event. At the time that event was only available to customers paying for Microsoft's premium audit logging tier; after the incident Microsoft, working with CISA, announced it would make that logging available to customers on standard licenses. The DHS Cyber Safety Review Board announced it would review the incident with an eye to strengthening identity management and authentication in the cloud.
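Here is what such a tripwire looks like in code, as an added example that is not the State Department's rule, Microsoft's, or Splunk content. It reads Unified Audit Log records for the MailItemsAccessed operation and fires when an application that is not on the expected-client list reads more than a threshold of items from one mailbox within an hour. The sample records are constructed, the field names are a simplified version of the audit schema, and the expected application IDs and thresholds are placeholders to be tuned against a real tenant's baseline.

```python
"""Tripwire-style detection over Exchange Online MailItemsAccessed audit records.

Added example: not the State Department's rule, not Microsoft's, not Splunk
content. Field names are a simplified version of the Unified Audit Log schema
and are an assumption; the sample records below are constructed, not real.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines audit records (placeholder GUIDs and RFC 5737 test IPs).
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2023-06-15T08:01:00","Operation":"MailItemsAccessed","MailboxOwnerUPN":"alice@example.gov","AppId":"00000000-0000-0000-0000-0000000000a1","ClientIPAddress":"203.0.113.10","OperationCount":12}
{"CreationTime":"2023-06-15T09:12:00","Operation":"MailItemsAccessed","MailboxOwnerUPN":"alice@example.gov","AppId":"00000000-0000-0000-0000-0000000000a1","ClientIPAddress":"203.0.113.10","OperationCount":20}
{"CreationTime":"2023-06-15T23:40:00","Operation":"MailItemsAccessed","MailboxOwnerUPN":"alice@example.gov","AppId":"00000000-0000-0000-0000-0000000000ff","ClientIPAddress":"198.51.100.77","OperationCount":400}
{"CreationTime":"2023-06-15T23:45:00","Operation":"MailItemsAccessed","MailboxOwnerUPN":"alice@example.gov","AppId":"00000000-0000-0000-0000-0000000000ff","ClientIPAddress":"198.51.100.77","OperationCount":650}
{"CreationTime":"2023-06-16T08:05:00","Operation":"SendAs","MailboxOwnerUPN":"bob@example.gov","AppId":"00000000-0000-0000-0000-0000000000a1","ClientIPAddress":"203.0.113.11","OperationCount":1}
"""

# Application IDs the organisation expects to read mailboxes (its sanctioned mail
# clients). Placeholder value; build the real list from your tenant's baseline.
KNOWN_APP_IDS = {"00000000-0000-0000-0000-0000000000a1"}


def parse_audit_log(text):
    """Parse JSON-lines audit records; CreationTime becomes a UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def detect_mailbox_tripwire(events, known_app_ids, window_minutes=60, threshold=500):
    """Return one alert per (mailbox, AppId, client IP) where an application that
    is not an expected client reads more than `threshold` items within the window.

    A forged token still produces MailItemsAccessed records: the mailbox server
    logs the access regardless of how the token was minted.
    """
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("Operation") != "MailItemsAccessed":
            continue
        if ev["AppId"] in known_app_ids:
            continue  # sanctioned client; volume alone is not suspicious here
        key = (ev["MailboxOwnerUPN"], ev["AppId"], ev["ClientIPAddress"])
        by_actor[key].append((ev["CreationTime"], int(ev.get("OperationCount", 1))))

    alerts = []
    for (mailbox, app_id, ip), hits in by_actor.items():
        hits.sort()
        start, total = 0, 0
        for ts, count in hits:  # sliding window over chronologically sorted hits
            total += count
            while ts - hits[start][0] > window:
                total -= hits[start][1]
                start += 1
            if total > threshold:
                alerts.append({"mailbox": mailbox, "app_id": app_id, "client_ip": ip,
                               "items": total, "window_end": ts.isoformat()})
                break  # one alert per actor; later hits would only re-fire it
    return alerts


if __name__ == "__main__":
    for alert in detect_mailbox_tripwire(parse_audit_log(SAMPLE_AUDIT_LOG), KNOWN_APP_IDS):
        print(alert)
```

The threshold is the least interesting part of this rule. What made the real tripwire work is that it keyed on an audit field the attacker could not avoid generating: however the token was forged, reading a mailbox produces MailItemsAccessed records, and an unfamiliar application ID pulling items in bulk stands out against a baseline of sanctioned clients.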
(Related reading: identity management best practices; authentication vs. authorization.)
Data extortion attacks on Las Vegas resorts
September 2023: A threat group tracked as Scattered Spider (also known as UNC3944) claimed responsibility for cyberattacks on MGM Resorts and Caesars Entertainment Inc. Researchers assess that Scattered Spider operates as an affiliate of the ALPHV/BlackCat ransomware-as-a-service operation, which also claimed the MGM attack, and that it relies on social engineering for initial access: impersonating employees to convince IT helpdesks to reset passwords or enroll a new MFA device, and bombarding users with MFA push prompts until one is accepted.
The attackers gained access to MGM's Okta tenant, and from there to additional credentials. Okta's Chief Security Officer told Reuters that Scattered Spider had also broken into three other Okta customers in manufacturing, retail, and technology around the time of the MGM and Caesars breaches. For defenders, the lesson is that the identity provider is the crown jewels: helpdesk identity verification, MFA enrollment changes, and administrator sessions in Okta deserve the same monitoring rigor as domain controllers.
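The MFA push-fatigue part of that playbook is detectable in Okta's System Log. The following is an added example, not Splunk's Okta content and not Okta's own tooling: it groups push-notification events per user, finds the densest burst of pushes inside a ten-minute window, and raises the severity when a successful MFA authentication lands in the same burst, which is the signature of a user who finally tapped Approve on a prompt they did not initiate. The event type names follow Okta's System Log naming but are an assumption here, as are the sample events, which are constructed.

```python
"""Okta MFA push-fatigue ("MFA exhaustion") detection over System Log events.

Added example: not Splunk's Okta content and not Okta tooling. Event type names
follow Okta's System Log naming but are an assumption here; the events below are
constructed, not real.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PUSH_SENT = "system.push.send_factor_verify_push"    # a push was sent to the user's phone
PUSH_DENIED = "user.mfa.okta_verify.deny_push"        # the user rejected the push
MFA_SUCCESS = "user.authentication.auth_via_mfa"      # an MFA challenge succeeded


def _event(ts, event_type, user, ip, result="SUCCESS"):
    """Build one constructed System Log record as a JSON line."""
    return json.dumps({"published": ts, "eventType": event_type,
                       "actor": {"alternateId": user},
                       "client": {"ipAddress": ip},
                       "outcome": {"result": result}})


# jdoe: six pushes in five minutes, one deny, then an approval. asmith: a normal login.
SAMPLE_OKTA_LOG = "\n".join(
    [_event(f"2023-09-10T02:0{i}:00.000Z", PUSH_SENT, "jdoe@example.com", "198.51.100.5") for i in range(6)]
    + [_event("2023-09-10T02:03:30.000Z", PUSH_DENIED, "jdoe@example.com", "198.51.100.5")]
    + [_event("2023-09-10T02:06:30.000Z", MFA_SUCCESS, "jdoe@example.com", "198.51.100.5")]
    + [_event("2023-09-10T09:00:00.000Z", PUSH_SENT, "asmith@example.com", "203.0.113.9"),
       _event("2023-09-10T09:00:20.000Z", MFA_SUCCESS, "asmith@example.com", "203.0.113.9")]
)


def parse_okta_log(text):
    """Parse JSON-lines System Log records; `published` becomes a UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["published"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect_mfa_exhaustion(events, window_minutes=10, min_pushes=4):
    """Return one alert per user whose densest burst of pushes inside the window
    reaches `min_pushes`. Severity is "high" when a successful MFA authentication
    falls inside the burst or within one window after it, "medium" otherwise.
    """
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["actor"]["alternateId"]].append(ev)

    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["published"])
        pushes = [e["published"] for e in evs if e["eventType"] == PUSH_SENT]
        # Two-pointer sliding window: largest number of pushes inside any window.
        best_n, best_span, start = 0, None, 0
        for end, ts in enumerate(pushes):
            while ts - pushes[start] > window:
                start += 1
            if end - start + 1 > best_n:
                best_n, best_span = end - start + 1, (pushes[start], ts)
        if best_n < min_pushes:
            continue
        w_start, w_end = best_span[0], best_span[1] + window
        in_window = [e for e in evs if w_start <= e["published"] <= w_end]
        denies = sum(1 for e in in_window if e["eventType"] == PUSH_DENIED)
        accepted = any(e["eventType"] == MFA_SUCCESS and e["outcome"]["result"] == "SUCCESS"
                       for e in in_window)
        alerts.append({"user": user, "pushes": best_n, "denies": denies, "accepted": accepted,
                       "source_ips": sorted({e["client"]["ipAddress"] for e in in_window}),
                       "window_start": w_start.isoformat(),
                       "severity": "high" if accepted else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_exhaustion(parse_okta_log(SAMPLE_OKTA_LOG)):
        print(alert)
```

A medium-severity hit (burst of pushes, no approval) is a user being harassed and a credential that is already known to the attacker, so the password should be rotated even though MFA held. A high-severity hit means the session that followed the approval should be treated as attacker-controlled and revoked.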
(Stay ahead of attacks from these groups: Check out this curated list of security resources from the Splunk Threat Research Team.)
🚨 In light of the recent #UNC3944 adversary activities, the Splunk Threat Research Team has curated specialized security content to help you stay ahead:
🛡️ Suspicious Okta Activity: https://t.co/JCNTviPtho
🚫 Okta MFA Exhaustion: https://t.co/bw7wGf4l70
🛠️ Attacker Tools On… pic.twitter.com/TgJ9yLnJqy
— The Haag™ (@M_haggis) September 15, 2023
3CX supply chain compromise
In late March 2023, news broke of a supply chain compromise of 3CX DesktopApp, the softphone client for 3CX's VoIP phone system, which the vendor says is used by more than 600,000 organizations.
The Splunk Threat Research Team detailed the infection chain. The malware shipped inside legitimate, signed 3CX updates for both the Windows and macOS desktop apps; on Windows, the signed 3CXDesktopApp.exe side-loaded a trojanized ffmpeg.dll bundled with the installer, which then decrypted and ran the next stage. Because the installer and the loader executable carried valid 3CX signatures, code-signing checks alone did not catch it. Mandiant later traced 3CX's own compromise back to a trojanized installer for Trading Technologies' X_TRADER software on an employee's machine, making this a supply chain attack that began with another supply chain attack.
Kaspersky researchers attributed the attack with medium-to-high confidence to Lazarus Group, a North Korea-backed advanced persistent threat (APT) group. Kaspersky observed fewer than ten machines that received a second-stage backdoor, which suggests the broad compromise was a means of reaching a small set of targets; the victims that did receive the second stage appear to have been cryptocurrency firms.
Previously, Lazarus Group has carried out cryptocurrency heists, with the proceeds believed to fund North Korea’s nuclear program.
Intelligence collection in the Russia-Ukraine War
A joint Five Eyes report published in August 2023 details Android malware dubbed "Infamous Chisel," used to target devices belonging to Ukrainian service members. The malware scans for and exfiltrates files, including data from military applications, and provides persistent remote access over Tor. The report attributed the activity to the Russia-linked Sandworm APT group, with battlefield intelligence collection as the objective.
This aligns with assessments from Ukrainian officials that Russia has shifted from the disruptive cyberattacks seen at the start of the war toward more targeted intelligence collection. Sandworm operates within the GRU, Russia's military intelligence agency (it is identified with GRU Unit 74455), and is also believed to be behind the cyberattacks on Ukraine's electric grid in 2015 and 2016.
Cyberattacks can be stopped
From cryptojacking and ransomware to elaborate phishing campaigns, IT and security teams face a wide range of threats today. The good news is that effective methods exist for identifying and containing attacks, and each incident above left a trail a prepared defender could have acted on: a SQL injection against an exposed file transfer server, mailbox access from an unfamiliar application, a helpdesk password reset followed by a new MFA enrollment, a signed update whose process suddenly loads an unexpected DLL. Importantly, these approaches require planning and foresight, so that the detections and the response plan exist before the breach rather than after it.
Even better? Work with security professionals to ensure your security operations are as strong as possible.
Learn more about Splunk or get in touch with us today!
This posting does not necessarily represent Splunk's position, strategies or opinion.