The Cisco Talos Year in Review report released Tuesday highlights new trends in the cybersecurity threat landscape.
We'll focus on three topics covered: the ransomware cybercriminal ecosystem, network infrastructure attacks and commodity loader malware.
More ransomware actors switched to extortion rather than encryption, while commodity loaders evolved to be stealthier and highly effective, although major new security improvements arrived in 2023, such as Microsoft Office disabling macros by default.
The ransomware cybercriminal ecosystem changed
Most targeted vertical
In terms of ransomware, the most targeted vertical, as observed by Cisco Talos in 2023, was the healthcare and public health sector, which is not surprising since the organizations in that sector often suffer from underfunded budgets for cybersecurity and low downtime tolerance.
Figure A. (figure: most targeted verticals)
Some ransomware groups have been changing
The most active ransomware group for the second year in a row was LockBit, followed by ALPHV and Clop.
Some ransomware groups kept changing in 2023; those structures often merged or rebranded in an attempt to confuse law enforcement and researchers tracking them.
Multiple leaks of ransomware source code and builders also affected the ransomware threat landscape because these allowed more people to start their own operations.
The Clop ransomware group in particular has been able to exploit multiple zero-day vulnerabilities, including vulnerabilities in the GoAnywhere MFT platform, MOVEit and PaperCut.
Another remarkable shift in the ransomware threat landscape is that more affiliates are now switching to a data theft extortion model rather than the usual encryption model.
The improvements in ransomware detection capabilities from Endpoint Detection and Response and Extended Detection and Response software might be one reason for switching tactics and no longer deploying ransomware on the targeted systems.
Cisco Talos also suspects the aggressive pursuits from U.S. and international law enforcement against ransomware actors might be another reason for that change.
Cisco Talos observed an increase in attacks on networking devices in 2023, particularly attacks operated by China- and Russia-based groups looking to advance espionage objectives and facilitate stealthy operations against secondary targets.
The researchers also observed such activity from other cybercriminals, including initial access brokers and ransomware threat actors.
New IcedID samples have been used by initial access brokers, who are known for commonly selling network access to ransomware groups.
The latest Ursnif variants were used by the Royal ransomware group.
Deploying new features ideally suited to help ransomware groups.
Access control mechanisms should be carefully reviewed in all corporate environments, and data segmentation should be applied for storing sensitive data because ransomware threat actors are increasingly trying to steal sensitive data rather than encrypt it.
The main families of commodity loaders have dropped their banking trojan capabilities to become lighter and stealthier, operating even without macros, often to facilitate ransomware operations.
This Cyber News was published on www.techrepublic.com. Publication date: Wed, 06 Dec 2023 15:28:05 +0000