REPORT : 2023
Table of Contents
Executive Insight
socradar.io
Executive Insight: SOCRadar 2023 Year-End Cyber Odyssey
XTI proved more than just a lone vessel; it was a naval force of advanced protection. Integrated Attack Surface Management elevated visibility in the storm with a bright spotlight on dangerous vulnerabilities lurking in the sea of cyber risks. Brand Protection created a safe harbor in the treacherous waters of the Dark Web, and Cyber Threat Intelligence proved to be a spinnaker of intelligence, propelling SOC cyber intelligence to record-breaking speeds.

LastPass, Reddit, and Dole Food aren't just names; they're chapters in the epic saga of cybersecurity sea battles. The report reads like a maritime novel, chronicling the skirmishes of the digital seas. Supply chain attacks, the submarine of cyber threats, continue to haunt unsuspecting global companies.
Our New "Dark Web Radar" in 2024: The Shadowy Opera of Data and Deals
The number of AI-based tools such as WormGPT will increase even more, and they will be especially useful in implementing convincing social engineering scenarios and developing malware easily and quickly. This will make it easier for them to convince and infect their victims.
SOCRADAR WITH NUMBERS
[Infographic: metrics shown with their 2023 figures are Domains Discovered, IP Addresses, Web Sites, Ports, Login Pages, Rogue Mobile Apps, SSL Certificates, Ransomware News, Contextualized Phishing Alarms, Malware Analyzed, Detected Impersonating Accounts, Discovered PII Exposures, Unique IOCs, Regional News shared, and Threat Actors. Figures as extracted: 1.747.580, 824, 433.977, 1.434.998, 709, 23.279, 25.702, 695.278, 4.349, 1M+, 178.063, 5.996.216; the extraction does not preserve which figure belongs to which metric.]
DARK WEB WITH NUMBERS
TOP DATA BREACHES IN 2023
This compilation highlights some of the most significant cybersecurity incidents of the year. These breaches reflect the evolving challenges and tactics in the cybersecurity landscape, underscoring the need for vigilant and advanced protective measures.
LastPass Breach: An alarming encrypted password leak occurred due to unauthorized access to archived data in a third-party cloud region.
Reddit: A cyberattack by BlackCat Ransomware resulted in the theft of 80 GB of data, including internal documents, source code, and information about employees and advertisers.
City of Oregon: The City of Oregon suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread.
Capita Cyberattack: A breach in Capita's systems impacted the personal data of pension fund members and employees from up to 90 companies.
ChatGPT Incident: A security issue exposed some ChatGPT subscribers' payment-related data.
ABB Cyberattack: The Black Basta group conducted a cyberattack on ABB, compromising company devices and private information.
TOP 9 CYBER SECURITY INCIDENTS OF 2023
The year 2023 has seen many cyber incidents, each highlighting different vulnerabilities and attack methods in our increasingly digital world. These incidents, from sophisticated ransomware attacks to vulnerabilities in major cloud services, underscore the ever-present need for robust cybersecurity measures across various sectors. This compilation presents some of the year's most notable and impactful cyber events, shedding light on the diverse nature of cyber threats and the importance of being vigilant and proactive in digital defense.
1. Originating from South Africa, this campaign created over 130,000 accounts on various cloud providers through automated techniques, including exploiting Captcha systems. The coin-mining activity via free trial accounts cost GitHub $100,000 in lost revenue per user account. The key takeaway of this incident for enterprise organizations is that threat actors will increasingly use containers for malicious infrastructure deployment in the coming years.
2. Orchestrated by STORM-0558, a China-aligned, espionage-motivated actor, these attacks exploited Microsoft permissions components, utilizing broad application scopes and a stolen signing key. The attacks impacted Exchange Online and other Azure Active Directory applications. Microsoft identified several multi-tenant applications whose users have an email address with an unverified domain owner. Exposed organisations included a "leading multi-cloud consulting provider" and a "publicly traded customer experience company." Researchers found no shortage of vulnerable organisations.
3. Royal Mail Ransomware Attack: Royal Mail fell victim to a ransomware attack by LockBit Ransomware-as-a-Service (RaaS). This attack disrupted international deliveries and compromised some employee data.
4. (SmoothOperator): North Korean actors compromised the infrastructure of the 3CX Private Automatic Branch Exchange (PABX) platform in March, affecting numerous organizations across various industries.
5. Various ransomware groups, including AvosLocker, Black Basta, and others, targeted VMware ESXi servers throughout 2023. The diminished time gaps between the development of malicious Windows-targeted payloads and Linux or ESXi payloads underscore the advantage ransomware operators are gaining by shifting to these languages.
6. data of 0.1% of customers, about 14,000 individuals. Hackers gained initial access through credential stuffing attacks. 23andMe also said that by accessing those individuals' accounts, hackers were also able to access "a significant number of files containing profile information about other users' ancestry." In total, 6.9 million people turned out to be affected by this data breach.
7. DarkBeam Security Hole: A cyber risk protection company, DarkBeam, experienced a security breach where an Elasticsearch and Kibana interface was left open, exposing billions of records, including user e-mail and password pairs.
8. Lacroix Cyberattack: In May, a cyberattack against Lacroix Group, a French electronics manufacturer, encrypted the company's virtual infrastructure and forced the closure of several global sites, significantly impacting the company's sales and operations.
9. Attack: Caesars Entertainment experienced a data breach where its database of loyalty customers was stolen, prompting immediate action and official reporting to the US Securities and Exchange Commission.
THE MOST DANGEROUS VULNERABILITIES OF 2023
In 2023, the cybersecurity landscape witnessed a series of critical vulnerabilities that posed significant threats across various platforms and technologies. From remote code execution vulnerabilities in file transfer and print management tools to authentication bypasses in well-known software like Microsoft Outlook and Android-based operating systems, these vulnerabilities highlighted the diverse and potent dangers in the digital world. This year also saw significant problems with open-source web browser engines such as Apple's WebKit. Such issues underlined the need to always be vigilant and have robust security measures to protect against similar cyber risks.
CVE-2023-34362 (MOVEit Transfer Injection Vulnerability): A SQL injection vulnerability was found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.
CVE-2023-0669 (Fortra GoAnywhere MFT Remote Code Execution): This was a critical vulnerability in Fortra's GoAnywhere Managed File Transfer tool, allowing remote code execution on unpatched versions.
CVE-2023-27350 (PaperCut NG/MF Multiple Security Vulnerabilities): This vulnerability in PaperCut print management software allows remote attackers to bypass authentication and is considered a significant risk to network security across many organizations.
CVE-2023-24880 (Windows SmartScreen Security Feature Bypass Vulnerability): This flaw allowed attackers to bypass SmartScreen and Microsoft Office's Protected View, aiding malware infection.
CVE-2023-23397 (Microsoft Outlook Elevation of Privilege Vulnerability): A flaw in Microsoft Outlook that allowed attackers to bypass authentication and access confidential data without user interaction.
CVE-2023-20963 (Android Privilege Escalation Vulnerability): This vulnerability in Android allowed malicious applications to gain elevated permissions.
CVE-2023-24489 (Citrix Content Collaboration): A vulnerability in Citrix Content Collaboration (ShareFile) related to improper access control. If exploited, it could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.
CVE-2023-20867 (VMware Tools Authentication Issue): A vulnerability in VMware Tools affecting host-to-guest operations. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.
DARK WEB RADAR THREAT INTELLIGENCE: OVERVIEW OF 2023
This section provides insights into the data gathered by SOCRadar during the first eleven months of 2023. This data was collected through the SOCRadar XTI Platform, which utilizes Machine Learning, Artificial Intelligence, and expert analysts to monitor threat actor activities across various sources, including Dark Web forums and markets, Telegram groups, and ransomware group blog pages. The total number of posts published on the platform's Dark Web News channel during this period was 13,081, with a daily average of 39.2 posts.
The graph illustrates the monthly trends in threat mentions on the Dark Web and associated sources for the first eleven months of 2023. (Source: SOCRadar XTI Platform)
Country Mentions and Uniqueness Analysis
An analysis of country mentions in global threat intelligence data highlights the total number of mentions and the uniqueness of these mentions. (Source: SOCRadar XTI Platform)
Dark Web Post Subjects Analysis
Categories shown: Selling Data, Hack Announcement, Partnership / Cooperation, Buying Data, Target Attack, Sharing Data.
Analyzes the subjects of Dark Web posts, categorizing them into different themes. (Source: SOCRadar XTI Platform)
Dark Web Post Industry Mentions Analysis
Industries shown: Information and Telecommunication; Finance, Insurance and Banking; Public Administration; E-commerce; Educational Services; Manufacturing.
Illustration of the distribution of mentioned industries within Dark Web posts, providing insights into the sectors most frequently discussed in this environment. (Source: SOCRadar XTI Platform)
RANSOMWARE CHRONICLES: UNVEILING THE DARK SIDE OF THE WEB IN 2023
The data is sourced from a comprehensive analysis conducted by SOCRadar analysts during the first eleven months of 2023. We've scoured ransomware groups' blog sites, leak sites, and Telegram channels to compile a trove of valuable information. Over this period, we've gathered a staggering total of 4,082 posts related to ransomware attacks, equating to an average of 371 posts per month or 12 posts per day.
Ransomware Group Activity Analysis
Cl0p 9.48%
Play 6.69%
8base 4.56%
BianLian 4.24%
Akira 3.38%
NoEscape 2.84%
An overview of the activities of the top 10 ransomware groups as recorded on the SOCRadar Platform, highlighting contributions from 65 different groups. (Source: SOCRadar XTI Platform)
LockBit 3.0 leads with 23.10% of the posts, followed by the Cl0p and ALPHV BlackCat groups. The graph visually represents the proportion of posts related to each group, offering a clear perspective on the dominance and prevalence of these cyber threat entities in the digital landscape.
Geographical Analysis of Ransomware-Related Organization Mentions
Countries Mentioned
Germany 3.80%
Canada 3.70%
France 3.50%
Italy 3.11%
Australia 2.16%
Spain 2.03%
Brazil 1.62%
India 1.59%
Industry-Wise Ransomware Post Analysis
Industries shown: Manufacturing, Construction, Educational Services, Retail Trade, Public Administration.
THE BEST POSTS OF DARK PEEP IN 2023
dark peep
/dɑːrk piːp/ noun
SOCRadar's blog series that blends cybersecurity with humor. Even in the Dark Web, there's room for a chuckle or two.
You should only be
SP CRYPTER sells its malware for $99 with a
Similar leak sites are on the rise!
Some ransomware groups seem so focused on their operations that they don't think about where to share their activity. On the leak page that the CryptBB group opened to share their leaks, we can see that they directly used 8Base's site source code:
Messages to ALPHV
socradar.io 28
Hacktivist Takes a Day Off
Hacktivist Aceh, the founder of a renowned hacking group, made a personal announcement to the digital realm. Despite the often depersonalized nature of cyber-activities, this message brings a touch of everyday humanity to the forefront. Citing a personal event at home, the hacktivist made a candid request for understanding, emphasizing the need for a break from their usual activities. The announcement serves as a quirky reminder that behind every digital persona lies an individual navigating the complexities of daily life. Sometimes, even the most dedicated hacktivists need a day off for family events.
Aceh's Telegram post about Aceh's day off
It is Possible to Become a Threat Actor by Participating in a Giveaway!
The threat actor Shad0de is known for distributing RDP access via Telegram, and his latest post is about RDP access to a Turkish-language operating system server with an Intel Xeon processor. Good luck to the participants of the giveaway!
Shad0de's free RDP access giveaway post on Telegram
DDoSia is going professional-ish!
In its latest Telegram post, NoName announced that the DDoSia Project is embarking on a new journey and will create an army.
US STEALER MALWARE LANDSCAPE: CORPORATE RISKS AND KEY VARIANTS
SOCRadar sampled data from 2,000 stealer victims and analyzed over 500 data records related to data leaks from 2023.
Stealer malware, notably spread through cracked software and game cheats, has a
marked presence in the U.S. This is attributed to the popularity of gaming, which
creates a fertile ground for these malware types. SOCRadar’s research shows how
users unknowingly download and install Stealer malware, highlighting the need for
greater awareness and caution in software and game downloads.
Stealer Malware Coast to Coast
Examining the regional differences among victims living in the United States in 2023, using the data we chose as a sample, California has the highest rate of stealer victimization of the 49 states at 10.42%. Users in this large state, famed for its thriving computer industry and casinos, appear to have encountered numerous stealer-related leaks.
California 10.42%
Texas 8.14%
Florida 7.77%
New York 7.39%
Ohio 7.07%
Montana 0.06%
Corporate Credentials Crisis: Stealer's Harvest in the Workplace
Equally concerning is that within the same stealer data we identified a matching number of passwords, 57,343, of which 12,342 were unique.
Based on the analysis of the data, approximately 5.20% of the passwords are eight characters or less, which can be considered weak in terms of security. The remaining 94.80% are passwords of more than eight characters, representing stronger password choices. The credentials are linked to an extensive array of 19,358 unique URL addresses. These credentials can be leveraged to compromise a wide range of online services, posing a substantial risk to individuals and organizations.
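The figures above (total versus unique passwords, the share of passwords of eight characters or fewer, the count of distinct URLs) are the kind of summary a defender derives from a stealer-log dump before deciding which corporate accounts to reset. The script below is an added example, not SOCRadar's code or method: it assumes the common one-credential-per-line URL:USER:PASS layout, uses constructed sample lines, and treats example.com as the hypothetical corporate domain. Beyond the report's counts it also flags corporate passwords that reappear on non-corporate sites, since those are the ones a credential stuffing attempt can reach first.

```python
"""Summarize a stealer-log credential dump: total versus unique passwords,
the share of passwords of eight characters or fewer, distinct URLs and
hosts, and corporate accounts whose password also appears on a
non-corporate site. Added example, not SOCRadar's code; the line layout
(URL:USER:PASS), the sample lines and the domain example.com are
constructed assumptions."""
from urllib.parse import urlsplit

# Constructed sample lines in the common URL:username:password layout.
SAMPLE_LOG = """\
https://mail.example.com/login:alice@example.com:Summer2023!
https://mail.example.com/login:bob@example.com:bob123
https://vpn.example.com/:alice@example.com:Summer2023!
https://shop.example.net/account:alice@example.com:Summer2023!
https://store.steampowered.com/login:gamer42:pass1234
https://www.game-cheats.example.org/:gamer42:pass1234
https://bank.example.net/:carol@gmail.com:Tr0ub4dor&3xtra
not a credential line
"""

WEAK_MAX_LEN = 8  # the report treats eight characters or fewer as weak


def parse_line(line):
    """Split 'URL:USER:PASS' into (url, user, password).

    The URL contains ':' itself (scheme, maybe a port), so split from the
    right: the password is everything after the last ':' and the user is
    the field before it. A ':' inside the password is ambiguous in this
    layout and is not handled. Returns None for lines that do not fit."""
    line = line.strip()
    if not line:
        return None
    url, sep, password = line.rpartition(":")
    if not sep or not password:
        return None
    url, sep, user = url.rpartition(":")
    if not sep or not user or "://" not in url:
        return None
    return url, user, password


def is_corporate(name, corporate_domains):
    """True if an e-mail domain or hostname is, or is under, a corporate domain."""
    name = (name or "").lower()
    return any(name == d or name.endswith("." + d) for d in corporate_domains)


def summarize(log_text, corporate_domains=()):
    """Return the dump's headline numbers as a dict."""
    creds = [c for c in map(parse_line, log_text.splitlines()) if c]
    passwords = [p for _, _, p in creds]
    weak = [p for p in passwords if len(p) <= WEAK_MAX_LEN]
    # Corporate accounts: the username is an e-mail address in a corporate domain.
    corp_users = {usr for _, usr, _ in creds
                  if "@" in usr and is_corporate(usr.rsplit("@", 1)[1], corporate_domains)}
    corp_passwords = {p for _, usr, p in creds if usr in corp_users}
    # A corporate password that also shows up on a non-corporate host means a
    # leak from that site is enough to try the corporate login with it.
    reused_elsewhere = {p for u, usr, p in creds
                        if p in corp_passwords
                        and not is_corporate(urlsplit(u).hostname, corporate_domains)}
    return {
        "credentials": len(creds),
        "unique_passwords": len(set(passwords)),
        "weak_share_pct": round(100 * len(weak) / len(passwords), 2) if passwords else 0.0,
        "unique_urls": len({u for u, _, _ in creds}),
        "unique_hosts": len({urlsplit(u).hostname for u, _, _ in creds}),
        "corporate_accounts": len(corp_users),
        "corporate_passwords_reused_elsewhere": len(reused_elsewhere),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, corporate_domains=("example.com",)).items():
        print(f"{key}: {value}")
```

On the constructed sample, three of seven passwords are eight characters or fewer (42.86%), only four distinct passwords cover seven logins, and one corporate password (alice's) is also used on a non-corporate shop, which is the account a defender would reset first. Real dumps vary in layout (some use a tab or a different field order), so the parser is the piece to adapt.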
The Rising Menace of Redline and Meta Stealers
Redline Stealer maintains a more prominent presence in the landscape than Meta Stealer, evidenced by its higher signature prevalence within the stealer data. This observation underscores Redline's continued status as the most favored choice among stealer operators.
[Chart: two segments, 55.5% and 44.5%, with an "Other Stealers" label; the extraction does not preserve which segment is Redline.]
MOST DANGEROUS THREAT ACTORS IN 2023
Groups profiled: Medusa Ransomware, BlackByte, LockBit, BlackCat.

BlackCat Ransomware
-Ransomware Group-
Motivation: Financial Gain

-Ransomware Group-
Attack Type: Ransomware-as-a-service (RaaS), Data Exfiltration, Double Extortion
Country of Origin: Unknown
Emerged onto the scene at the end of May 2023 with a high-profile attack against the Chilean Army. The group is known for targeting Latin American government institutions.
-TTPs-
Phishing: T1566
Data Encrypted for Impact: T1486
Exfiltration Over C2 Channel: T1041

Medusa Ransomware
-Ransomware Group-
Motivation: Financial Gain
MAKE YOUR SOC TEAM FASTER THAN THREAT ACTORS!
Dark Web Monitoring: SOCRadar's fusion of its unique Dark Web recon technology with the human analyst eye further provides in-depth insights into financially-targeted APT groups and the threat landscape.
Protecting Customers' PII: Scan millions of data points on the surface, deep and Dark Web to accurately identify the leakage of your customers' Personally Identifiable Information (PII) in compliance with regulations.
Credit Card Monitoring: Enhance your fraud detection mechanisms with automation speed by identifying stolen credit card data on popular global black markets, carding forums, social channels, and chatters.
360-Degree Visibility: Achieve digital resilience by maintaining an internet-facing digital asset inventory. Significantly accelerate this process by automated discovery, mapping, and continuous asset monitoring.
Your Eyes Beyond
Offices:
London, UK: 167 City Road Old Street, London EC1V 1AW
Dubai, UAE: 8W building 5th Floor, DAFZA, Dubai
São Paulo, Brasil: 7th & 8th Floors Torre Joao Salem, Av. Paulista 1079, São Paulo
Bangalore, India: The Estate, 8th Floor, Dickenson Road, Bangalore, Karnataka 560042