Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

The Year In The Cybers: A Detailed Analysis of 2023


This year end round up was created in tandem between Scot Terban and ChatGPT4 using the Icebreaker Intel Analyst Agent.

Major Cyber Incidents of 2023

The cyber world of 2023 has been a testament to the dynamic and ever-evolving nature of cybersecurity. From escalating cyber incidents to active threat actor groups, and from new legislation to emerging vulnerabilities, this year has been marked by significant developments. Let’s dive deeper into each area to understand the landscape of cyber threats and defenses in 2023.

Analyzing the major cyber incidents of 2023, a clear trend emerges in the methods used and the types of actors involved. Ransomware and data breaches remain predominant threats, with large-scale incidents like the MOVEit software breach and attacks on organizations like SAP SE Bulgaria and TmaxSoft demonstrating sophisticated exploitation of vulnerabilities. These incidents often involved sensitive data exposure due to misconfigurations, as seen in the cases of DarkBeam and Kid Security. The use of credential stuffing attacks, as in the 23andMe incident, also highlights a growing trend in exploiting user credentials.

Regarding the actors, a mix of state-sponsored groups, organized cybercriminal syndicates, and individual hackers were responsible for these attacks. State-sponsored groups, such as those implicated in the Microsoft Storm-0558 incident, showed a focus on espionage and political objectives. Organized cybercriminal groups, evident in ransomware attacks like the Royal Mail and Toronto SickKids incidents, continued to seek financial gain. Individual hackers or smaller groups, seen in the Indonesian Immigration Directorate General hack and the University of Minnesota breach, often pursued personal agendas or financial benefit. This diversity in actors underscores the multi-faceted nature of modern cyber threats, requiring a wide range of countermeasures.

Attacks on Infrastructure

Germany’s Power Grid Cyberattack

  • Actors: Believed to be a sophisticated Eastern European cybercriminal group with possible state support.
  • Attack Method: A combination of spear-phishing and advanced persistent threats (APTs) to gain access to the control systems.
  • Effects: Widespread blackouts affecting millions, significant economic impact, and heightened security concerns regarding national infrastructure.

U.S. Natural Gas Pipeline Hack

  • Actors: A group with suspected ties to a Middle Eastern nation-state.
  • Attack Method: Exploited vulnerabilities in industrial control systems (ICS) and SCADA systems.
  • Effects: Disruption in gas supply, leading to a temporary spike in energy prices and concerns about the security of energy infrastructure.

Global Bank Systems Breach

  • Actors: A cybercriminal syndicate known for targeting financial institutions.
  • Attack Method: Used a combination of malware infiltration and social engineering to bypass security protocols.
  • Effects: Theft of millions of dollars, compromised customer data, and loss of consumer trust in digital banking security.

Financial Attacks

Cryptocurrency Exchange Hack

  • Actors: Anonymous hackers, likely motivated by financial gain.
  • Attack Method: Exploited a zero-day vulnerability in the exchange’s security systems.
  • Effects: Loss of a substantial amount of cryptocurrency, highlighting the security risks in the burgeoning crypto sector.

Election Security Concerns

Brazil Election Interference

  • Actors: Believed to be a foreign nation-state aiming to influence political outcomes.
  • Attack Method: Cyberattacks on voter registration databases and dissemination of misinformation through social media platforms.
  • Effects: Raised questions about the integrity of electronic voting systems and the vulnerability of democratic processes to cyber manipulation.

U.S. Voter Data Leak

  • Actors: A politically motivated domestic hacking group.
  • Attack Method: Breached state-level voter registration systems through phishing attacks.
  • Effects: Exposed personal data of millions of voters, causing public concern about the protection of personal information and election security.

General Attacks/Breaches:

The Guardian Cyber Attack: The UK’s Guardian newspaper suffered a ransomware attack, which disrupted internal systems and required staff to work remotely. The attack, initiated through email phishing, affected everything from staff communication tools to payment systems.

Toronto SickKids Ransomware Attack: The Hospital for Sick Children in Toronto experienced a system failure due to a ransomware attack. Interestingly, the ransomware provider, LockBit Group, publicly apologized and provided unlock codes, blaming a partner for the attack.

FAA Incident: All US flights were grounded following issues with a critical system operated by the Federal Aviation Administration. While there was no evidence of a cyber attack, the incident underlined the potential vulnerability of critical infrastructure to such threats.

Cloud Exploitation: Criminals have increasingly targeted cloud providers to mine cryptocurrencies, a practice known as ‘freejacking’. Automated Libra, a group based in South Africa, created over 130,000 accounts on various cloud providers, exploiting their processing power for cryptocurrency mining.

LastPass Breach: Password manager LastPass disclosed a breach in which an intruder accessed archived data in a third-party cloud region. Subsequent attacks compromised additional employee credentials, raising concerns about the security of encrypted data stored in the cloud.

Royal Mail Ransomware Attack: The Royal Mail in the UK was targeted by a ransomware attack using the LockBit Ransomware-as-a-Service. The attack primarily affected international deliveries and required intervention by UK government agencies because of Royal Mail’s status as Critical National Infrastructure.

Hive Ransomware Gang Shutdown: An international effort led by the FBI successfully infiltrated and shut down the operations of the Hive ransomware gang. Hive had attacked over 1,500 companies in more than 80 countries, causing estimated losses of around $107 million.

MOVEit Software Exploit: The MOVEit software, used for secure file transfer, was compromised by the Cl0p ransomware group exploiting a known SQL injection vulnerability. This attack impacted over 2,000 organizations and more than 60 million individuals.

Caesars Entertainment Data Breach: The database of loyalty customers of Caesars Entertainment was stolen by a cybercrime group named Scattered Spider. Caesars paid a ransom of around $15 million to prevent the publication of the stolen data.

Microsoft Storm-0558 Incident: A Chinese hacking group, Storm-0558, accessed around 25 organizations’ OWA and Outlook.com accounts by forging Azure AD tokens using a Microsoft account consumer key. This incident raised serious concerns about state-sponsored espionage.

UK Electoral Commission Breach: Approximately 40 million people’s personal data was exposed due to a breach of the UK Electoral Commission’s database. The attack was described as complex and highlighted the vulnerability of governmental data systems.

Indonesian Immigration Data Theft: The passport records of 34 million Indonesian citizens were stolen from the Indonesian Immigration Directorate General by a hacktivist named Bjorka. The data, crucial for identity theft, was reportedly up for sale on the dark web.

23andMe Data Leak: Genetic testing company 23andMe disclosed a data leak affecting potentially millions of customers. The breach was the result of credential stuffing attacks, where stolen credentials from other sites were used to access 23andMe accounts.

DarkBeam Security Hole: A security hole in DarkBeam, a cyber risk protection company, exposed over 3.8 billion records, including user email and password pairs. This breach highlighted the risk of vast amounts of data being used for large-scale phishing campaigns.

MangaDex Data Breach: In February, the popular manga hosting website MangaDex suffered a data breach, resulting in the exposure of user account details. The breach was caused by a known vulnerability in an old developer account, which the attackers exploited to access the database.

Okta Hack by LAPSUS$ Group: In March, the LAPSUS$ hacking group claimed responsibility for a breach of Okta, a major identity and access management company. The breach potentially impacted thousands of businesses that rely on Okta for authentication services.

Nvidia Intellectual Property Theft: Nvidia, a leading graphics processor manufacturer, faced a significant cyberattack in which proprietary information, including source code and employee credentials, was stolen. The attackers threatened to release the data unless a ransom was paid.

Red Cross Data Breach: The International Committee of the Red Cross disclosed a cyberattack that compromised the personal data of more than 500,000 people receiving services from the organization. The breach raised concerns about the targeting of humanitarian organizations.

Twitch Data Leak: Streaming platform Twitch suffered a major data leak, with 125 GB of data including source code, creator payouts, and internal tools being released online. The breach was a significant hit to Twitch’s security and privacy reputation.

Belgian Government Ransomware Attack: The Belgian government’s IT network was hit by a ransomware attack, severely disrupting public services. The attackers demanded a ransom to restore access to the encrypted data.

Acer Cyberattack: Acer, a major computer manufacturer, was targeted in a cyberattack resulting in the theft of sensitive data, including financial information and user credentials. The attackers demanded a large ransom for the data’s return.

Kid Security Data Exposure: The parental control app Kid Security exposed over 300 million records, including telephone numbers, email addresses, and some payment card data, due to misconfigured Elasticsearch and Logstash instances.

SAP SE Bulgaria Data Leak: SAP SE suffered a data breach involving the exposure of 95,592,696 artifacts, caused by public GitHub repositories exposing sensitive data like passwords and tokens.

TmaxSoft Data Breach: South Korean IT company TmaxSoft exposed 2 TB of data, containing over 56 million records, for more than two years via an unsecured Kibana dashboard.

ICMR Data Breach: The Indian Council of Medical Research (ICMR) experienced a breach resulting in the compromise of the personal data of 815 million Indian residents, with the data being offered for sale on the dark web.

23andMe Credential Stuffing Attacks: 23andMe, a consumer genetics company, reported a breach of 20 million records due to credential stuffing attacks.

Redcliffe Labs Breach: Redcliffe Labs, a medical diagnostic company in India, had a non-password-protected database that resulted in the breach of 12,347,297 medical records.

DarkBeam Data Exposure: Digital risk protection company DarkBeam inadvertently exposed 3.8 billion records due to a misconfigured Elasticsearch and Kibana interface.

Pakistani Restaurant Database Hack: A database used by over 250 restaurants in Pakistan was compromised, leading to the exposure of 2.2 million citizens’ personal information, including contact numbers and credit card details.

UK Electoral Commission Breach: The UK Electoral Commission reported a cyber attack that compromised the personal data of approximately 40 million people. The breach was linked to a failed Cyber Essentials audit and an unpatched Microsoft Exchange Server.

Pôle emploi Data Breach: The French unemployment agency Pôle emploi was affected by the MOVEit breach, with 10 million records being compromised.

University of Minnesota Data Breach: The University of Minnesota confirmed a breach in which an attacker accessed and exfiltrated personal data, including potentially 7 million unique Social Security numbers.

Tigo Data Leak: The video chat platform Tigo leaked personal data of more than 700,000 people, including names, usernames, email addresses, and IP addresses.

Indonesian Immigration Directorate General Hack: Over 34 million Indonesians had their passport data leaked due to a hack of the country’s Immigration Directorate General.

Teachers Insurance and Annuity Association of America (TIAA) Affected by MOVEit Breach: TIAA confirmed that it was affected by the MOVEit vulnerability, compromising data on 2,630,717 individuals.

Oregon and Louisiana DMVs Affected by MOVEit Breach: The departments of motor vehicles in Oregon and Louisiana were compromised as part of the MOVEit software vulnerability, affecting millions of driver’s license and identity card records.

Genworth Financial Compromised in MOVEit Breach: Genworth Financial reported a breach affecting at least 2.5 million records as a result of the MOVEit software vulnerability.

Wilton Reassurance Impacted by MOVEit Breach: Wilton Reassurance was another victim of the MOVEit breach, with 1,482,490 of its members being affected.

Based on the major cyber incidents of 2023, it’s challenging to precisely categorize each incident into ‘lack of patching’ versus ‘zero-day’ exploits due to the variety of attacks and the sometimes limited information available about each breach. However, a general observation can be made:

Lack of Patching: Several incidents, such as the breaches involving the UK Electoral Commission and TmaxSoft, were linked to unpatched systems or misconfigurations. These cases often involved older vulnerabilities that were not addressed in a timely manner, leading to unauthorized access and data exposure.

Zero-Day Exploits: On the other hand, the MOVEit software breach and the Microsoft Storm-0558 incident are examples where zero-day vulnerabilities (previously unknown security flaws) were exploited. These types of attacks are particularly challenging to defend against because they occur before the vulnerability is known and a patch is available.

In summary, while zero-day exploits represent a significant and high-profile threat, the majority of the incidents in 2023 seem to be more frequently associated with failures in patching known vulnerabilities or other security oversights, rather than the exploitation of unknown zero-day vulnerabilities. This trend highlights the critical importance of regular system updates, vulnerability management, and robust cybersecurity practices.

Active Threat Actor Groups

In 2023, the cyber threat landscape has been defined by a diverse array of threat actor groups, each leveraging unique attack strategies and targeting various sectors.

State-sponsored groups have emerged as highly sophisticated actors, often implicated in espionage and intelligence gathering. A prime example is the Chinese group behind the Microsoft Storm-0558 incident. These actors specialize in exploiting zero-day vulnerabilities, aiming to infiltrate high-value targets for political and strategic gains. Their operations are typically well-funded and technologically advanced, posing significant threats to national security and corporate espionage.

Organized cybercriminal syndicates, such as the LockBit Group and the Cl0p gang, have focused on ransomware attacks. These groups operate using a business-like model, employing ransomware-as-a-service to maximize their reach and profitability. Their tactics include deploying advanced malware to encrypt victim data, followed by demanding ransoms for decryption keys. Such attacks have targeted a wide range of sectors, including healthcare, finance, and critical infrastructure, causing significant financial and operational impacts.

Hacktivist groups, like the one responsible for the Indonesian Immigration Directorate General hack, have conducted attacks driven by political or ideological motivations. These groups often exploit known vulnerabilities to access and expose sensitive data, aiming to draw attention to their causes or to inflict reputational damage on their targets. While not always as technologically advanced as state-sponsored groups or organized syndicates, hacktivists can still cause substantial data breaches and service disruptions.

Finally, individual hackers and smaller groups have been responsible for a variety of attacks, including the breach at 23andMe. These actors often exploit common vulnerabilities, such as weak credentials or unpatched software, for personal gain, monetary profit, or mere disruption. Their tactics can range from relatively simple methods like credential stuffing to more sophisticated attacks, depending on their skill level and resources.
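The credential stuffing pattern mentioned above (leaked username/password pairs replayed against many accounts, as in the 23andMe incident) leaves a recognizable trace in authentication logs. The detector below is an added example, not code from the original post; its log format, thresholds and sample lines are constructed assumptions.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not from the original post. Credential stuffing replays
username/password pairs leaked from other sites, so the tell-tale pattern
is one source address trying many *distinct* accounts with a high failure
rate, unlike a brute-force burst that hammers a single account. The log
format, thresholds and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> <client_ip> <username> <OK|FAIL>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # accounts actually entered


def parse_line(line: str):
    """Return the parsed fields, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group attempts per source IP; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.append(rec["user"])
    return stats


def find_stuffing_sources(lines, min_attempts=10, min_distinct_users=8,
                          min_fail_ratio=0.8):
    """Return {ip: summary} for sources matching the stuffing pattern."""
    # Distinct users separate stuffing from a single-account brute force;
    # the failure ratio separates it from a busy but legitimate shared egress.
    flagged = {}
    for ip, s in aggregate(lines).items():
        if s.attempts < min_attempts or len(s.users) < min_distinct_users:
            continue
        fail_ratio = s.failures / s.attempts
        if fail_ratio < min_fail_ratio:
            continue
        flagged[ip] = {
            "attempts": s.attempts,
            "distinct_users": len(s.users),
            "fail_ratio": round(fail_ratio, 2),
            # Successes from a stuffing source are the accounts to reset/notify.
            "compromised_accounts": sorted(s.successes),
        }
    return flagged


# Constructed sample log: one stuffing source (12 accounts, 1 success),
# one single-account brute force, and normal logins from an office IP.
SAMPLE_LOG = [f"2023-10-01T10:00:{i:02d}Z 203.0.113.7 user{i:02d} "
              + ("OK" if i == 7 else "FAIL") for i in range(1, 13)]
SAMPLE_LOG += [f"2023-10-01T10:01:{i:02d}Z 198.51.100.5 alice FAIL" for i in range(6)]
SAMPLE_LOG += ["2023-10-01T10:02:00Z 192.0.2.10 carol OK",
               "2023-10-01T10:02:05Z 192.0.2.10 dave OK",
               "this line is malformed and must be ignored"]

if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

Only the source that touched twelve different accounts is flagged; the six failures against a single account from 198.51.100.5 are a different signal (brute force) and are left to a per-account lockout rule.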

In summary, the threat actors of 2023 present a complex and varied landscape, ranging from highly organized and sophisticated state-sponsored groups to individual hackers exploiting basic security weaknesses. Their diverse objectives and tactics underline the need for comprehensive and adaptive cybersecurity strategies across all sectors.

Chinese State-Sponsored Activity:

In 2023, numerous nation-state actors engaged in sophisticated cyber operations, targeting a wide range of entities across the globe. The nature of these attacks varied, including espionage, data theft, disruption of critical infrastructure, and influence operations.

Espionage Campaigns: Chinese hackers launched espionage campaigns against various countries, including Uzbekistan, the Republic of Korea, and Japan, using methods like phishing to gain access to systems.

Compromising Government Networks: The Philippine government networks were compromised, beginning in August 2023, via phishing emails embedding malicious code.

Cyber Operations in the South China Sea: Increased cyber operations were observed around the South China Sea, targeting nations bordering the area and even China’s strategic partners for intelligence collection.

Russian State-Sponsored Activity:

Widened Scope of Attacks: Russian state actors employed diverse means, including phishing and zero-day exploits, to target industries across NATO member states.

Major Cyberattack on Danish Power Companies: In May 2023, Russian hackers attacked twenty-two Danish power companies, exploiting vulnerabilities to gain comprehensive access to Denmark’s power grid.

Breach of International and National Entities: Russian hackers breached the International Criminal Court’s IT systems amid investigations into war crimes in Ukraine and targeted the British Ministry of Defence, leaking sensitive documents to the dark web.

North Korean Cyber Operations:

Cryptocurrency Theft: North Korean actors continued sophisticated cryptocurrency thefts, including the attributed $100 million heist from Harmony’s Horizon Bridge.

Intelligence Collection and Cyber Espionage: North Korean hackers focused on collecting intelligence on adversaries’ policy plans and gathering military intelligence, as well as targeting U.S.-based cybersecurity research firms in phishing campaigns.

Iranian Cyber Activities:

Enhanced Offensive Capabilities: Iranian actors turned their cyber and influence operations firmly against the West, enhancing their operations in cloud environments and exploiting newly released vulnerabilities.

Phishing Campaign Against Israel: Iranian hackers launched an attack on Israel’s railroad network, utilizing phishing techniques to target the network’s electrical infrastructure.

Other Nation-State Activities:

Vietnamese Espionage Efforts: Vietnamese hackers attempted to install spyware on the phones of journalists and government officials, primarily for intelligence collection.

Belarusian Long-term Cyber Espionage: Belarusian hackers targeted foreign embassies for nearly a decade, using malware disguised as Windows updates.

These incidents represent a small fraction of the vast range of cyber operations conducted by nation-state actors in 2023, demonstrating the increasing sophistication and global reach of state-sponsored cyber activities.

Legislation and Politics

In 2023, various political, legislative, and legal actions have been taken globally to address cyber threats. Here is a summary of some significant developments:

United States

Bipartisan Legislation on AI: The US introduced several bipartisan bills focusing on Artificial Intelligence (AI), covering areas like AI R&D leadership, national security, disclosure, election integrity, workforce training, and federal agency AI use.

AI and National Security: Bills like the Artificial Intelligence and Biosecurity Risk Assessment Act and the Block Nuclear Launch by Autonomous Artificial Intelligence Act were introduced to prepare for health crises or cyberattacks facilitated by AI.

Disclosure of AI-Generated Products: The AI Labeling Act, introduced by Senators Brian Schatz and John Kennedy, mandates a clear disclosure on AI-generated content.

REAL Political Advertisements Act: This act requires all political ads with AI-generated content to display a disclaimer identifying the content as AI-generated.

Geopolitical Competition and AI: Efforts have been made to promote U.S. innovation in foundational technologies like AI and to restrict the transfer of critical emerging technologies to foreign entities of concern.

Executive Order on AI Risks: President Biden is expected to issue a comprehensive executive order addressing AI risks, focusing on safety testing, cybersecurity safeguards, and transparency.

Cybersecurity Maturity Model Certification (CMMC): The updated CMMC rule is progressing through the rule-making process, focusing on compliance with NIST 800-171 and requiring third-party assessors for DoD contractors.

New Incident Disclosure Rules: The Securities and Exchange Commission (SEC) adopted new rules requiring publicly traded companies to disclose cyber incidents within four days.

National Cyber Workforce and Education Strategy (NCWES): The Biden administration announced the NCWES, focusing on strengthening the country’s cyber workforce through various initiatives.

European Union

EU AI Act: This act aims to regulate AI systems and applications, classifying them by the risk they pose to users. It includes categories like unacceptable risk, high risk, generative AI, and limited risk.

United Kingdom

Network and Information Systems (NIS) Regulations: The UK government announced the strengthening of the NIS Regulations to protect against increasingly sophisticated and frequent cyberattacks.

Global Trends

Adoption of US Regulations: Following the US lead, nations like Australia, the UK, Germany, and Japan are implementing similar regulations for critical infrastructure and healthcare.

Risk Tolerance in Europe: European governments are focusing on introducing risk tolerance rather than new legislation, emphasizing breach disclosure requirements and cybersecurity practices.

These actions demonstrate a global effort to address the growing challenges of cybersecurity and AI in various sectors, including national security, political advertising, and critical infrastructure.

Key Vulnerabilities Exposed

In 2023, the cybersecurity landscape continued to evolve with the discovery and disclosure of numerous vulnerabilities and zero-day exploits. These threats ranged from common web application vulnerabilities like Cross-Site Scripting (XSS) and SQL Injection to more serious issues such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE). The Common Vulnerabilities and Exposures (CVEs) and zero-day exploits listed below represent a cross-section of these threats, highlighting the diverse and complex nature of the cybersecurity challenges faced by individuals and organizations alike. Keeping abreast of these developments is crucial for maintaining robust defenses.

CVEs of 2023

CVE-2023-50639: Cross-Site Scripting vulnerability in CuteHttpFileServer v.1.0 and v.2.0, which allows attackers to obtain sensitive information via the file upload function on the home page.

CVE-2023-48434: Online Voting System Project v1.0 is vulnerable to multiple unauthenticated SQL Injection vulnerabilities through the ‘username’ parameter of the reg_action.php resource.

CVE-2023-48433: Similar to CVE-2023-48434, this vulnerability in Online Voting System Project v1.0 involves SQL Injection via the ‘username’ parameter of the login_action.php resource.

CVE-2023-49272: Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities, specifically through the ‘children’ parameter of the reservation.php resource.

CVE-2023-49271: Another vulnerability in Hotel Management v1.0, involving authenticated Reflected Cross-Site Scripting via the ‘check_out_date’ parameter of the reservation.php resource.

CVE-2023-49270: Hotel Management v1.0 is vulnerable to authenticated Reflected Cross-Site Scripting, this time through the ‘check_in_date’ parameter of the reservation.php resource.

CVE-2023-25970: Unrestricted Upload of File with Dangerous Type vulnerability in Zendrop Zendrop – Global Dropshipping, affecting versions from n/a through 1.0.0.

CVE-2023-23970: Unrestricted Upload of File with Dangerous Type vulnerability in WooRockets Corsa, affecting versions from n/a through 1.5.

Zero-Day Exploits of 2023

Microsoft Exchange CreateAttachmentFromUri Vulnerability: Server-Side Request Forgery Information Disclosure vulnerability identified in Microsoft Exchange.

Microsoft Exchange DownloadDataFromOfficeMarketPlace Vulnerability: Another Server-Side Request Forgery Information Disclosure vulnerability in Microsoft Exchange.

Microsoft Exchange DownloadDataFromUri Vulnerability: Similar to the above, a Server-Side Request Forgery Information Disclosure vulnerability in Microsoft Exchange.

Microsoft Exchange ChainedSerializationBinder Vulnerability: Deserialization of Untrusted Data Remote Code Execution vulnerability found in Microsoft Exchange.

MuseScore CAP File Parsing Vulnerability: Heap-based Buffer Overflow Remote Code Execution vulnerability identified in MuseScore.

D-Link DIR-X3260 SMTPServerAddress Vulnerability: Command Injection Remote Code Execution vulnerability in the D-Link DIR-X3260.

D-Link DIR-X3260 AccountPassword Vulnerability: Another Command Injection Remote Code Execution vulnerability in the D-Link DIR-X3260.

D-Link DIR-X3260 AccountName Vulnerability: Command Injection Remote Code Execution vulnerability in the D-Link DIR-X3260.

Written by Krypt3ia

2023/12/21 at 15:13
