Sydney, AUS, 7 September: In a new threat briefing report, Forescout Vedere Labs looks back at the most relevant cybersecurity events and data between January 1 and July 31, 2023 (H1 2023) to emphasise the evolution of the threat landscape.
Overall, H1 2023 continued the trend of threat actors exploiting an increasingly diverse attack surface. Below, Forescout distills the key findings of the report and provides mitigation recommendations.
Key Findings:
- Building automation devices are becoming increasingly easy targets. Mirai botnet variants in 2023 have been exploiting a new vulnerability on an access control device that was already a target in the past, as well as vulnerabilities on devices used to monitor solar power generation in small facilities.
- Network infrastructure has become a favourite target for initial access and traffic proxying. Several Russian and especially Chinese state-sponsored actors have been focusing on exploiting vulnerabilities on and developing custom malware for routers and VPN devices, while cybercriminals are leveraging routers and other compromised devices for residential proxies.
- The ransomware landscape never stops changing. Ransomware groups continue to morph, appearing and disappearing quickly. Some well-known groups remain very active, such as LockBit, Cl0p and ALPHV, but others that were relevant last year have disappeared, such as Conti and Hive. Entirely new groups also figure among the most active. Overall, the ransomware landscape is more fragmented this year with 53 groups reporting attacks, 36% more than the 39 groups in the same period last year. In 2023, ransomware victims were located in more than 100 countries. Australia was the 8th most targeted country, with 60 incidents. The top affected industries in Australia were Services (25%), Healthcare (13%) and Technology (10%).
- Old vulnerabilities are continuing to be exploited. Although new vulnerabilities are dangerous because there has usually not been enough time to patch them, organisations tend to dismiss older vulnerabilities, believing that they present lower risk. CISA’s KEV catalog includes evidence of older vulnerabilities being exploited not only on IT software but also on building automation devices.
- Attackers are increasingly using open-source tools as part of their infrastructure. The trend to commoditise attack tools continues strongly. Malicious actors now have a wide choice of open-source tools, developed as legitimate applications, that they can use in campaigns, from phishing attacks to command-and-control infrastructure.
What the numbers tell us about the threat landscape in H1:
During the first six months of 2023, Forescout observed:
- 16,556 new vulnerabilities being published, an average of 78 new CVEs per day or 2,365 per month. That is 2,220 more than in the same period of last year, an increase of 15%. Of the new vulnerabilities, 17% had a critical score.
- 113 CVEs added to CISA’s KEV catalog, which brought the catalog to a total of 981 vulnerabilities (a 13% increase). An average of 16 new vulnerabilities were added per month. Most of these newly exploited vulnerabilities (52%) were not published in 2023. There was a vulnerability added from 2004 and four vulnerabilities added that affect end-of-life products.
- 182 updates about threat actors. These are mostly cybercriminals (51%), including ransomware groups, followed by state-sponsored actors (39%) and hacktivists (8%). These actors come mostly from Russia (25%), China (16%) and Iran (13%).
- 150 countries being targeted by these threat actors. The top targets were the U.S. (67% of actors), the U.K. (35%) and Germany (32%). The top targeted industries were government (53% of actors), financial services (49%) and technology (43%).
- 2,809 ransomware attacks, up from 2,526 in the same period last year (an increase of 11%). That is an average of 401 attacks per month or 13 per day.
Mitigation recommendations
Based on all the observations of this period, Forescout recommends the following concrete risk mitigation actions:
- Prioritise extending visibility, risk mitigation and network segmentation to cover the increased attack surface being exploited. That means organisations should, at a minimum:
  - Have the proper visibility into these devices in terms of their presence on the network, the software they run and who they communicate with
  - Understand their risk in terms of vulnerabilities, weak configurations, exposure and other factors
  - Segment them properly to prevent threats from moving between network segments of different criticalities
- Do not overlook older vulnerabilities and end-of-life systems. Make sure your risk assessment tool also helps prioritise which vulnerabilities to patch and which devices to replace. Pay attention to vulnerabilities that may have been forgotten in previous patching cycles but are now being leveraged by threat actors.
- Ensure that threat detection covers every device in the whole organisation. Make sure your threat detection solution covers all types of devices and multiple sources of data, including firewalls, intrusion detection systems, endpoint detection and response, and others.
- Follow the latest threat intelligence about ransomware and other actors. As threat actors continue to evolve and their targets change, organisations need to stay up-to-date by consuming the latest threat intelligence, whether that is machine-readable indicators of compromise or threat reports from leading cybersecurity researchers.
- Hunt for threats using emerging tools. Once organisations are confident they can detect threats in their environment that use traditional tools (such as Cobalt Strike), they should look to extend their capabilities to detect emerging tools, such as Sliver.
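The "do not overlook older vulnerabilities and end-of-life systems" recommendation above amounts to a scoring rule: evidence of exploitation (KEV membership) should outrank raw CVSS, age should never discount a finding, and a device that will receive no further vendor patches should be queued for replacement rather than patching. The following is an added example of such a rule, written for this page and not Forescout's or CISA's code; the inventory, the CVE identifiers (deliberately non-numeric placeholders) and the KEV membership set are constructed sample data, and a real deployment would load the CISA KEV JSON feed and an asset inventory in their place.

```python
"""Patch/replace prioritisation that does not discount old CVEs.

Added example, not Forescout's code. The inventory, CVE identifiers and
KEV membership below are CONSTRUCTED sample data, not real advisories.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed stand-in for the CISA KEV catalog. The real catalog is a JSON
# feed published by CISA; these identifiers are placeholders, not real entries.
KNOWN_EXPLOITED = {"CVE-2004-EXAMPLE1", "CVE-2019-EXAMPLE2", "CVE-2023-EXAMPLE3"}

# Reporting period end used by the briefing (H1 2023).
AS_OF = date(2023, 7, 31)


@dataclass
class Vulnerability:
    cve: str
    cvss: float          # CVSS base score, 0-10
    published: int       # year the CVE was published


@dataclass
class Device:
    name: str
    segment: str         # network segment, e.g. "BAS" for building automation
    end_of_life: bool    # vendor no longer ships patches
    vulns: list[Vulnerability] = field(default_factory=list)


def score(v: Vulnerability, d: Device, today: date) -> float:
    """Higher is more urgent.

    Exploitation evidence outranks CVSS, and age ADDS urgency rather than
    subtracting it: a long-unpatched flaw has had more time to be weaponised
    (the H1 2023 KEV additions reached back to a 2004 CVE).
    """
    s = v.cvss
    if v.cve in KNOWN_EXPLOITED:
        s += 10.0                      # known exploitation dominates the score
    age_years = max(0, today.year - v.published)
    s += min(age_years, 10) * 0.2      # 0-2 points, capped, never a discount
    if d.end_of_life:
        s += 2.0                       # no vendor patch will ever arrive
    return s


def prioritise(devices: list[Device], today: date) -> list[tuple[str, str, float, str]]:
    """Return (device, cve, score, action) sorted most urgent first.

    End-of-life devices get 'replace' because patching is not an option.
    """
    rows = []
    for d in devices:
        for v in d.vulns:
            action = "replace" if d.end_of_life else "patch"
            rows.append((d.name, v.cve, round(score(v, d, today), 1), action))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed inventory: a BAS access controller past end of life, an edge
# VPN gateway with one exploited and one unexploited critical CVE, and an IT
# file server carrying a forgotten medium-severity flaw from 2004.
INVENTORY = [
    Device("door-controller-01", "BAS", end_of_life=True,
           vulns=[Vulnerability("CVE-2019-EXAMPLE2", 7.5, 2019)]),
    Device("vpn-gw-01", "EDGE", end_of_life=False,
           vulns=[Vulnerability("CVE-2023-EXAMPLE3", 9.8, 2023),
                  Vulnerability("CVE-2023-EXAMPLE4", 9.9, 2023)]),
    Device("file-server-01", "IT", end_of_life=False,
           vulns=[Vulnerability("CVE-2004-EXAMPLE1", 5.0, 2004)]),
]

if __name__ == "__main__":
    for row in prioritise(INVENTORY, AS_OF):
        print(*row)
```

Note what the ordering shows: the highest-CVSS finding (9.9, no exploitation evidence) lands last, behind a 5.0 from 2004 that is on the exploited list, and the end-of-life access controller tops the queue with a "replace" action instead of a patch ticket. The weights are illustrative; the point is that the rule must be explicit, so that old and end-of-life findings cannot silently fall to the bottom.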
Read the full analysis of the currently exploited vulnerabilities, active threat actors and emerging malware Forescout observed to learn how organisations can protect themselves.