In a significant shift, cybercriminals in 2023 have become more strategic, exploiting wide-reaching software vulnerabilities to increase the efficiency of their operations.
Thomas Ricardo - Cyber Analyst Reporter
July 22, 2023

https://www.cybernewscentre.com/plus-content/content/june-2023-malware-and-vulnerability-analysis


In a significant shift, cybercriminals in 2023 have become more strategic, exploiting wide-reaching software vulnerabilities to increase the efficiency of their operations. Most notably, the Russian-affiliated ransomware group Clop demonstrated this change in approach with a large-scale attack exploiting a vulnerability in MOVEit software (CVE-2023-34362). The exploit impacted over a hundred organisations, including several US universities, and resulted in hundreds of thousands of records being accessed.

The growing trend for widespread exploitation emphasises the need for businesses to implement multi-layered cybersecurity strategies and prioritise timely software patching when vulnerabilities are disclosed.

"Web Servers Malicious URL Directory Traversal" was June's most exploited vulnerability, affecting 51% of global organisations. In close succession, "Apache Log4j Remote Code Execution" and "HTTP Headers Remote Code Execution" were the second and third most exploited vulnerabilities, impacting 46% and 44% of organisations respectively.

Top malware families

June's most prevalent malware was Qbot, impacting 7% of organisations worldwide, followed by Formbook and Emotet with respective global impacts of 4% and 3%.

  1. Qbot is a multipurpose malware designed to steal user credentials, record keystrokes, steal browser cookies, spy on banking activities, and deploy additional malware. Distributed via spam emails, Qbot employs various anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
  2. Formbook is a Windows-targeting infostealer. Sold as Malware as a Service (MaaS) on hacking forums, Formbook harvests credentials from various web browsers, collects screenshots, logs keystrokes, and downloads and executes files on instruction from its command-and-control server.
  3. Emotet is an advanced, self-propagating, and modular Trojan. Originally a banking Trojan, Emotet is now primarily used to distribute other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection.
  4. GuLoader has been a widely used downloader since December 2019. Initially used to download Parallax RAT, it now delivers various other remote access trojans and info-stealers such as Netwire, FormBook, and Agent Tesla.
  5. XMRig is open-source CPU mining software used to mine Monero cryptocurrency. Threat actors often abuse this software by integrating it into their malware to conduct illegal mining on victims' devices.
  6. AgentTesla is an advanced RAT that operates as a keylogger and information stealer. It is capable of monitoring and collecting victims' keyboard inputs, taking screenshots, and exfiltrating credentials from various software installed on a victim's machine.
  7. Remcos is a RAT that bypasses Microsoft Windows' UAC security control and executes malware with high-level privileges. It is primarily distributed through malicious Microsoft Office documents attached to spam emails.
  8. NanoCore is a Remote Access Trojan targeting Windows OS users. It includes basic plugins and functionalities such as screen capture, cryptocurrency mining, remote control of the desktop, and webcam session theft.
  9. LokiBot is a commodity infostealer that targets both Windows and Android OS, harvesting credentials from various applications, web browsers, email clients, and IT administration tools. Some Android versions of LokiBot include ransomware functionality in addition to their info stealing capabilities.
  10. NJRat is a remote access Trojan, primarily targeting government agencies and organisations in the Middle East. It captures keystrokes, accesses the victim's camera, steals credentials stored in browsers, uploads and downloads files, and views the victim's desktop.

June 2023 Vulnerability Bulletins

The US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the National Cyber Security Centre UK (NCSC UK) all issued bulletins in June 2023 highlighting specific recommendations:

  • Prioritise patching when vulnerabilities are disclosed.
  • Implement multi-layered cybersecurity strategies to protect against an evolving threat landscape.
  • Regularly backup data and ensure it is easy to recover.
  • Educate staff about the risks of opening attachments or clicking on links in unsolicited emails.
  • Keep all devices and software updated to the latest versions.

The disclosure and exploitation of the MOVEit vulnerability (CVE-2023-34362) and the subsequent large-scale ransomware campaign highlight the importance of these measures. The increase in strategic, wide-reaching cyber attacks has made the implementation of comprehensive cybersecurity strategies and timely patching crucial for organisations in 2023.


