The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.
While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.
Review Q3’s research here.
I’m Connor Jackson, Manager of Security Research here at Cybermaxx.
Q3 of 2023 has been a big one. The MGM attack, ALPHV, the spike in threat actor activity, CLOP, DarkGate; a lot has happened this quarter.
The Recent Attacks
The recent MGM attack has been claimed by two separate threat actors. It’s still unclear if they were working together to coordinate this attack or operating individually.
CLOP are still working through the backlog of victims from the mass exploitation of Progress Software's MOVEit vulnerability, which occurred earlier this year.
The number of orgs hit has now risen to over 2,000, and approximately 62 million individuals have been affected by data leaked as a result. Ransomware attacks for Q3 (July 1st to September 30th) are now up 59% over Q2, which is double what we saw in Q1.
This brings the total number of successful attacks this quarter to 1,826, with 28% of these attacks stemming from the same group, ALPHV.
An existing malware strain has adopted a malware-as-a-service model. This has resulted in its use skyrocketing in recent weeks.
DarkGate is malware that can be used to infect a system with various utilities, info stealers, follow-on payloads, etc.
We have a Breakdown and Analysis
We have a breakdown and analysis of this strain, with the multiple ways that we've seen infections occur so far.
Also included with the ransomware report for Q3 is a series of SentinelOne and CrowdStrike EDR queries. These can be used to help detect this threat early in the attack chain, and you can use them in your own environments.
The sharp rise in activity appears to be stemming from four main groups: ALPHV, CLOP, LockBit, and 8Base.
All of these threat groups can be classified as opportunistic and have been observed rapidly weaponizing vulnerabilities to complete their objectives.
We mentioned last quarter that we expected to see 8Base continue to be a threat within the industry. Q2 saw 107 successful attacks, and in Q3 we saw 92, placing them at number four when ranked by volume of activity.
The Key Takeaways
The key takeaways this quarter are that supply chain attacks continue to be a lucrative attack vector, and they're still being used to target large organizations, as we saw with MGM.
Malware-as-a-service is continuing to rise in popularity, leading to things like DarkGate, and activity in line with this should be monitored over the coming weeks and months.
You can use our EDR queries to help detect this.