2023 CYBER SECURITY TRENDS

The first half of 2023 saw significant developments in ransomware, methods of infection, hacktivism, mobile threats, and the use of AI by threat actors. This overview explores these evolving security challenges and sheds light on how they might influence the future cybersecurity landscape. In particular, we will focus on the rise of mega ransomware attacks, and the growing role of AI in enabling and accelerating cyberattacks and malicious activities. As is always the case with cybersecurity, these threats are constantly changing, which in turn demands a proactive approach to defense.

Ransomware currently poses the most significant threat to businesses, in terms of the sophistication of attacks and the damage that they cause. The damages comprise of both direct ransom payments, and indirect business costs such as recovery and remediation expenses, impact on stock market performance, as well as legal implications and brand damage.

Ransomware is constantly evolving and becoming more sophisticated with added functionality that makes attacks more targeted and successful. This is predominantly driven by escalating competition among Ransomware-as-a-Service (RaaS) groups, all seeking to recruit more partners and maximize their ‘sales’. In many cases these groups are criminal mirror-images of conventional businesses, with research and development teams, quality assurance departments, specialist negotiators, even HR staff. They may have dozens or even hundreds of employees, with revenues in the hundreds of millions of dollars. The rivalry between groups (after all, there is no honor amongst thieves) has led to quicker encryption of victim's data, innovative evasion techniques, and lower commission rates for partners. For example, leading entities like LockBit, Alphv, BlackBasta, and AvosLocker all incorporated an evasion technique that utilizes the restart-in-safe-mode function in an attempt to neutralize security services and make it more difficult to recover infected computers. Another noteworthy development is the surge in ransomware variants for different operating systems; the most dominant being for Linux and offered by RaaS groups including LockBit, Royal, CL0P, BianLian, and ViceSociety.

We found evidence of thousands of ransomware victims in the first half of 2023, totaling over 2,000 victims, with ransomware attacks by over 40 ransomware groups. We expect to see the same, if not more in the second half of 2023.

In the same way that vinyl LPs and even music cassettes have become popular again, older attack methodologies sometimes re-emerge, exemplified by the recent resurgence of USB-based cyberattacks conducted by both cybercriminals and nation-state actors. One of the oldest known attack vectors, the humble USB drive, is currently a significant conduit for contemporary malicious cyber operations. In 2022, the FBI issued a warning about a campaign aimed at US defense firms with the attackers mailing USB drives loaded with malicious payloads.

The Raspberry Robin worm stands out among such attacks. It is recognized as one of the top common malware variants on our multipurpose malware list and is distributed via infected USB drives through the exploitation of “autorun.inf” files or clickable LNK files. This worm has been linked to the FIN11 threat actor, with successful infections serving as a launchpad for subsequent attacks.

Nation state threat actors are currently leveraging USB-borne infections, even those caused by legacy malware like ANDROMEDA (which dates back to 2013) to hijack their infrastructure. Regardless of whether Turla or Tomiris is the culprit, USB infections remain a potent method for gaining initial access to systems.

State-affiliated hacktivism, first seen in 2022, was another dominant threat in the first half of 2023. Hacktivist groups select their targets based on nationalistic and political motivations. The infamous Russian-affiliated Killnet group started the year off by attacking Western healthcare organizations and later announced their intention to shift to acting as a “private military hacking company.”

Another hacktivist group, “Anonymous Sudan”, first appeared in January 2023 and has been particularly active, operating under the veil of counter-offensive cyberattacks to allegedly retaliate for anti-Muslim activities. While promoting a pro-Islamic narrative, this group has collaborated with the Pro-Russian Killnet, sparking speculation about a potential Russian affiliation. The group targets Western organizations, with Scandinavian Airlines a notable victim of a disruptive DDoS attack. The group also tried to implement an extortion strategy, most likely as part of its information operations, insisting on payment to halt their attacks. Their targets expanded to include US organizations, particularly in the healthcare sector. Recently Microsoft was victimized, resulting in substantial disruption of key Microsoft Outlook services, including email and calendar availability, as well as some disrup tion to the availability of the Microsoft Azure Portal.

Check Point Research has been monitoring various mobile cyberattack campaigns since the start of the year. For example, the FluHorse malware, designed to target East Asian victims, effectively camouflages itself as popular Android applications and aims to extract Two-Factor Authentication (2FA) codes along with other sensitive user data. In another campaign disclosed in March, attackers circulated malware known as FakeCalls, which is designed to simulate over twenty distinctive financial applications and generate fraudulent voice calls.

In the areas of sophisticated espionage operations, researchers reported a campaign called Triangulation that utilizes zero-click exploitation to take control of iOS devices, continuing a trend of large-scale exploitation of previously unknown vulnerabilities in Apple products.

A review of 2023 would be incomplete without acknowledging the significant advancements made in Artificial Intelligence. ChatGPT has brought a groundbreaking revolution in AI accessibility. The implications of AI’s capabilities have led to bold predictions ranging from significant transformations of the job market to potential existential threats to humanity. In the cyber arena, this paradigm shift has already been felt in significant ways. Last year, Check Point researchers demonstrated that criminals can harness AI to create sophisticated social engineering content. They can also craft ever more deceptive phishing emails, develop malicious VBA macros for Office documents, produce code for reverse shell operations, and more.

Since its publication in November 2022, ChatGPT has succeeded in a wide range of activities including passing MBA exams at Wharton, passing the US medical licensing exam, and has exhibited its wider production capabilities across numerous other areas. Given its potential for both good and evil, there are calls for enhanced regulation to stop misuse and the spread of misinformation. Some countries, including Italy, have opted to ban the use of generative AI altogether, while others such as the European Union are drafting a first-of-its-kind AI Act to control or restrict AI systems.