Top cybersecurity threats for November 2023

Author: Phil Muncaster

On the third Wednesday of every month, the VTRAC holds a Monthly Intelligence Briefing (MIB) to discuss the current security threat landscape, latest cybersecurity trends, news and threat intelligence. Below is the summary of their most recent briefing and here is the November recording of the briefing.

dollar icon

1. Crypto trading platform Poloniex loses $114M to suspected North Korean attackers

Security alert

2. LockBit affiliate exploits Citrix flaw to devastating effect

laptop hackers

3. Software vendor Atlassian forced to upgrade the severity of Common Vulnerabilities and Exposures (CVE) after widespread exploitation

Top cybersecurity news

November 2023 cybersecurity and threat intelligence news you should know about.

  • A security breach at identity specialist Okta impacted all of its customers, some of which suffered follow-on session hijacking attacks
  • Verizon analysis has revealed 4,000 known ransomware victims so far this year, already 1,000+ more than 2022
  • Former Lizard Squad member "Nopaoh" was placed on the NSA's most wanted list in connection with money laundering for the 2016 Bitfinex heist
  • The New York State Department of Financial Services (NYDFS) updated its Cybersecurity Regulation applicable to covered financial institutions  to report ransom payments
  • Law enforcers delivered a blow to the Ragnar Locker ransomware group in an operation coordinated across 11 countries

Like what you're reading?

If you’d like to receive new articles, solutions briefs, whitepapers and more—just let us know.

Sign up

The information provided will be used in accordance with terms set out in our Privacy Policy.

Crypto trading platform Poloniex loses $114m to suspected North Korean attackers

Top takeaways:

  • Threat actors stole over $114m from a cryptocurrency trading platform
  • A breached hot wallet could be to blame, most likely due to a leaked private key
  • North Korean (Lazarus group) threat actors are suspected

Threat actors have stolen over $114m in digital currency from cryptocurrency trading company Poloniex. Although precise details are still unknown at the time of writing, the attackers are believed to have targeted the firm's hot wallets. That fits with Poloniex's decision to disable the wallet system "for maintenance" following the incident. A leaked private key could be to blame. Poloniex and Tron founder, Justin Sun, has claimed that a "portion" of the stolen assets have been frozen and that losses are "within manageable limits"—in other words, no customers should lose funds.

The firm is offering a 5% "white hat bounty" to its attackers in exchange for the return of the funds to the affected wallets. However, that offer has so far been ignored by the threat actors. That could be because sources suspect that the hackers could be the North Korean group Lazarus. Researchers claim to have observed similar behavior to the heist at earlier this year, with attackers saving different stolen tokens at different addresses. If true, this would be the latest in a long line of North Korean cryptocurrency thefts this year, including ($41m), CoinEx ($70m), Atomic Wallet ($35m), Alphapo ($60m) and CoinsPaid ($37m).

LockBit changes tack after affiliate exploits Citrix flaw to devastating effect

Top takeaways:

  • A LockBit affiliate has exploited a critical Citrix vulnerability to compromise several big-name firms
  • Allen & Overy, Boeing, ICBC and DP World are among the known victims
  • Over 10,000 Citrix servers are still thought to be exposed

An affiliate of the prolific ransomware-as-a-service (RaaS) outfit LockBit has been linked to a series of breaches at several major global organizations—all within the space of a few days. These include London-headquartered law firm Allen & Overy, Boeing, the U.S. arm of Chinese banking giant ICBC, and Australian port operator DP World. It's unclear what impact the compromises may have on victim organizations, although experts suggested it could be weeks before affected ports in Australia will be able to accept export cargo, as a result of the DP World breach.

The common thread appears to be the exploitation of a critical Citrix vulnerability named "Bleed" (CVE-2023-4966) for which fixes were made available more than a month ago. As the MOVEit campaign highlighted, a single flaw in a widely used product can have a devastating downstream impact on corporate customers. Researchers claimed that, as of November 14, over 10,000 Citrix servers were still vulnerable to the flaw.

Atlassian forced to upgrade severity of CVE to 10.0 after widespread exploitation

Top takeaways:

  • Atlassian reported widespread exploitation of a vulnerability in its Confluence product
  • The vendor upgraded the severity of the vulnerability to CVSS 10.0
  • Ransomware actors were quick to exploit the bug to compromise victims

Software vendor Atlassian upgraded the severity of a critical vulnerability in its Confluence product after widespread attacks exploited the bug. The firm originally posted a cybersecurity advisory about the improper authorization vulnerability on October 31. The bug (CVE-2023-22518) affects all versions of its Confluence Data Center and Server product (although not Atlassian Cloud sites accessed via It was originally given a CVSS score of 9.1. Atlassian urged sysadmins to patch, warning that organizations are "vulnerable to significant data loss if exploited by an unauthenticated attacker."

However, the firm updated its guidance on November 2, claiming that it had found "publicly posted critical information about the vulnerability which increases risk of exploitation." Just a day later, it revealed active exploitation. Three days after that, on November 6, the firm upgraded its CVSS score to the maximum, 10.0, due to the "change in the scope of the attack." Widespread exploitation was observed, including attempts to deploy the Cerber ransomware. The incident highlights the speed with which threat actors can pounce on newly published vulnerabilities/exploits, and the need for rapid incident response and risk-based patch management.

Related briefings

Learn more about the ever-evolving nature of security threats and complex risk environments.

Related Products and Resources

Verizon Business Internet Security

Qualified Verizon Business Internet customers have access to powerful internet security solutions designed to help protect your business from cyber threats.

Verizon Mobile Device Management (MDM)

MDM provides powerful resources to mitigate mobile risk and help protect against cyberattacks that target corporate, education and business data and personal information.

Mobile Threat Defense (MTD)

Safeguard the data used by your remote workforce with advanced mobile security from Verizon and our partners.

Managed Detection and Response

Take your security program to the next level by quickly identifying and responding to security incidents.

Managed Security Information and Event Management

Get a tailored operational model that integrates Verizon security and intelligence capabilities with your own SIEM solution.

Advanced Security Operations Center (SOC)

To help detect and contain sophisticated threats and help prevent them from spreading.

Rapid Response Retainer

To help accelerate response to serious attacks.

Cyber Risk Programs

Identify security risks and threats before they can seriously harm
your organization

Social Engineering Defense

Fortify your organization’s cybersecurity, end to end, with the help of Verizon’s customizable and comprehensive 5-point plan.

Verizon Data Breach Investigations Report

Keep your security plan up to date and help protect your organization—with access to in-depth analysis on recent cyber threats and data breaches.

  • Learn more

The author of this content is a paid contributor for Verizon.

Let's get started.