The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.
While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.
Review Q4’s research here.
2023 has been a busy year for threat actors. We have seen a sharp increase in supply chain attacks, over 4000 successful ransomware attacks, and large-scale exploitation of vulnerabilities within ever shorter windows between disclosure and attack.
Q1 saw CVE-2023-29059, the compromised 3CX desktop application. This was the first major supply chain attack of the year.
In Q2 the vulnerability in Progress Software's MOVEit Transfer application, listed as CVE-2023-34362, set the internet on fire. The Cl0p ransomware group took responsibility for the mass exploitation we observed over the initial weekend, which led to approximately 200 organizations being compromised. Today that number is over 2000, with 60 million affected users.
This led to major supply chain compromises further downstream for affected organizations and should serve as an early indicator of what to expect in 2024. Other common trends include exploitation of unpatched systems, which has been a mainstay for many years and creates easy wins for initial access teams. Organizations should make efforts this year to audit their third-party vendors to minimize their exposure and risk from supply chain attacks.
Q3 saw the major ransomware attack on the MGM group, which was curiously claimed by two separate threat actors: AlphV and the Scattered Spider group. It is unclear whether they were working together at different stages of the operation. AlphV increased its operational output by 400% during this same timeframe, which was likely the catalyst for the FBI's involvement in Q4.
In Q4 the FBI seized AlphV's PR site, which was promptly taken back by the threat group. This cycle repeated four times before concluding. During the seizures LockBit allegedly reached out to several high-ranking AlphV developers and affiliates. We will see whether LockBit's modus operandi changes in 2024 as a result of these strategic acquisitions.
The final quarter of the year saw 1218 successful ransomware attacks against organizations, compared with 1495 in Q3, a decrease of roughly 18.5% quarter over quarter. This brings the total number of ransomware incidents in 2023 to 4769, compared with 2870 in 2022. That is a 66% increase over last year, and it shows how threat actors and the ransomware industry are growing and becoming more profitable as time goes on.
In June we began monitoring a new group called NoEscape, which runs a Ransomware as a Service model, offering to split profits 90/10 with affiliates if the ransom exceeds $3M USD. NoEscape also does not target countries in the Commonwealth of Independent States, which is likely indicative of where its operations are based. On average the group conducts 17 attacks per month, and we have classified it as opportunistic because it targets organizations in various countries regardless of industry vertical.
For comparison, LockBit, the top performer again this quarter, averaged 87 attacks per month this year and carried out 263 attacks in the quarter between October 1st and December 31st.
Looking ahead into 2024
A common theme across the major incidents of this year is an assault on the supply chain, affecting customers downstream. These types of attacks are proving to be more and more lucrative for threat actors, as one successful compromise can grant them access to dozens or even hundreds of customer environments.
CISOs should be mindful of who has access to their network and ensure that their vendors' security posture meets an acceptable standard, one that aligns with the internal efforts being made to reduce the likelihood of falling victim to such attacks. Focus on network access control (NAC) and tooling, and ensure that devices joining the network meet that same standard. Work with your security partners to perform a risk assessment, and make a note of the tooling they use to help reduce the attack surface and improve your posture.
CISOs should also work to build and maintain an accurate inventory and software bill of materials (SBOM) for their environment. Knowing which technologies are active in your network helps your security team identify abnormal activity, and it gives you the means to filter incoming intelligence down to just the items that affect your teams, to coordinate patch management, and to plan any needed architectural changes.
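To make the "filter your intelligence" point concrete, here is an added example (not CyberMaxx code, not from the report) that reduces an advisory feed to the entries that match components actually listed in an SBOM. The SBOM is a constructed CycloneDX-style document, the advisories and their ADV-2023-00x identifiers are placeholders rather than real CVEs, and the component names and version ranges are invented for illustration. Matching is done on package URL (purl) base plus an introduced/fixed version range, and components with no purl are reported rather than silently dropped, since an inventory gap is itself a finding.

```python
import json

# Constructed CycloneDX-style SBOM. Component names and versions are
# illustrative only; this is not a real inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "transfer-server", "version": "14.1.3",
     "purl": "pkg:maven/org.example/transfer-server@14.1.3"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21?checksum=sha256:abc"},
    {"type": "firmware", "name": "edge-router-fw", "version": "3.2"}
  ]
}
"""

# Constructed advisory feed. The IDs are placeholders, not real CVEs.
# "fixed" is the first release containing the fix, so a component is
# affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-2023-001", "purl": "pkg:maven/org.example/transfer-server",
     "introduced": "14.0.0", "fixed": "14.1.5"},
    {"id": "ADV-2023-002", "purl": "pkg:maven/org.example/transfer-server",
     "introduced": "13.0.0", "fixed": "13.0.6"},
    {"id": "ADV-2023-003", "purl": "pkg:pypi/requests",
     "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "ADV-2023-004", "purl": "pkg:npm/underscore",
     "introduced": "1.0.0", "fixed": "1.13.6"},
]


def parse_version(version: str) -> tuple:
    """Turn "14.1.3" or "2.31.0rc1" into a comparable tuple of ints.

    Non-numeric suffixes are dropped and trailing zeros removed so that
    "2.31" and "2.31.0" compare equal. This is enough for dotted release
    numbers; it is deliberately not a full semver or PEP 440 parser.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def purl_base(purl: str) -> str:
    """Strip version, qualifiers and subpath from a package URL so that
    pkg:npm/lodash@4.17.21?checksum=... matches an advisory on pkg:npm/lodash."""
    return purl.split("#", 1)[0].split("?", 1)[0].split("@", 1)[0]


def load_components(sbom_json: str) -> tuple:
    """Return ([(purl, version), ...], [names without a purl]) from the SBOM."""
    bom = json.loads(sbom_json)
    with_purl, without_purl = [], []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # No purl means nothing to match on; surface it instead of ignoring it.
            without_purl.append(comp.get("name", "<unnamed>"))
            continue
        version = comp.get("version")
        if version is None and "@" in purl:
            version = purl.split("@", 1)[1].split("?", 1)[0].split("#", 1)[0]
        with_purl.append((purl, version))
    return with_purl, without_purl


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed for this advisory."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def relevant_findings(sbom_json: str, advisories: list) -> dict:
    """Reduce an advisory feed to the entries that hit a component in this SBOM."""
    components, unmatched = load_components(sbom_json)
    by_base = {}
    for adv in advisories:
        by_base.setdefault(adv["purl"], []).append(adv)
    findings = []
    for purl, version in components:
        for adv in by_base.get(purl_base(purl), []):
            if version is not None and is_affected(version, adv):
                findings.append({"advisory": adv["id"], "component": purl,
                                 "fixed_in": adv["fixed"]})
    return {"findings": findings, "unmatched_components": unmatched}


if __name__ == "__main__":
    print(json.dumps(relevant_findings(SBOM_JSON, ADVISORIES), indent=2))
```

Of the four constructed advisories only one survives the filter: transfer-server 14.1.3 falls inside the 14.0.0 to 14.1.5 range, while the 13.x advisory for the same package, the requests advisory (already at the fixed version) and the underscore advisory (not in the SBOM) are discarded. The firmware component with no purl is listed separately as an inventory gap to close, since nothing can be matched against it.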