Recorded Future’s 2023 Annual Report highlighted how threat actors targeted our trust in enterprise software and devices to devastating effect in 2023.
The zero-day attacks on file transfer software offerings GoAnywhere and MOVEit, which impacted thousands of corporate customers and tens of millions of downstream users, are just two notable examples.
While both of these were the work of a single threat group – Clop – the Citrix Bleed zero-day in NetScaler ADC and Gateway appliances was exploited by multiple actors, including several LockBit affiliates, with significant impact.
It is of great concern that these zero-day bugs were discoverable via simple public scans of internet-facing infrastructure. In the face of such an onslaught, organizations have to get better at identifying their digital attack surface, the risks they face, and the risk posed by the data stored on those systems.
Exploiting Legitimate Internet Services
Threat actors also took advantage of our trust in services like cloud storage platforms, messaging applications (e.g. Discord and Telegram) and GitHub to host malware and hide command-and-control (C2) communications in legitimate traffic.
Recorded Future research reveals that around a quarter of 400+ malware families currently abuse legitimate internet services in some way as part of their C2 infrastructure.
Abuse of Valid Accounts
Valid accounts were the top initial access vector for breaches in 2023, up 22% on the previous year’s figures. Once again, threat actors are abusing trust in these accounts to waltz past perimeter defenses, including even multi-factor authentication (MFA).
There was a 135% annual rise in the overall number of harvested credentials in 2023, and a 166% increase in credentials associated with cookies. Use of generative AI-based phishing will only increase the threat of account credential theft via social engineering.
Outsourcers in the Crosshairs
Business process outsourcers (BPOs) also have highly trusted relationships with their client base, which bad actors sought to capitalize on in 2023. Worse still, such organizations offered attackers the ability to compromise multiple downstream customers from a single point of compromise.
Sophisticated threat group Scattered Spider singled out telecoms operators to facilitate successful SIM swap attacks, for example.
The Outlook for 2024
The bad news for 2024 is that we’re likely to see a lot more of the same over the coming months. We anticipate another major attack on a third-party file transfer application like MOVEit and a 15%+ increase in software supply chain attacks.
Identities and credentials will continue to be targeted for initial access. And many of the vendor organizations we rely on to support hybrid working – from VPN and MFA providers to cloud storage firms – will also be targeted by financially motivated threat actors. Elsewhere, the volatile geopolitical climate will provide plenty of opportunity for hacktivist groups and state-sponsored information operations to thrive.
Migrating to stronger MFA options and improving the visibility and risk categorization of systems in your security programs are just two of many initiatives CISOs will need to consider in order to mitigate these escalating threats. Strap yourself in for a bumpy ride.