Top cybersecurity threats for September 2023
Author: Phil Muncaster
On the third Wednesday of every month, the Verizon Threat Research Advisory Center (VTRAC) holds a Monthly Intelligence Briefing (MIB) to discuss the current cybersecurity threat landscape. Below is a summary of the most recent briefing; a recording of the September session is also available.
September 2023 cyber threat intelligence briefing
At a glance, this MIB covered:
1. LockBit is considering changes to its ransom policy, which could have a major impact on victims
2. Apple patched two new zero-day bugs being exploited to deliver commercial spyware
3. North Korea's Lazarus Group stole tens of millions of dollars from two crypto firms
Top cybersecurity news
September 2023 cybersecurity and threat intelligence news you should know about.
- The Clop ransomware group has begun using torrents to leak stolen data
- Ransomed.vc is weaponizing the GDPR, extorting compromised victims with the threat of large regulatory fines
- BianLian ransomware affiliates have stolen 7 TB of data from noted NGO Save the Children
- The Microsoft consumer account signing key that Chinese threat actor Storm-0558 used to forge tokens and access government email was obtained from a crash dump produced when a signing system crashed in 2021, Microsoft revealed
- A new Chinese Advanced Persistent Threat (APT) actor "Carderbee" has been observed using legitimate Cobra DocGuard software to deploy backdoor malware on victim machines
LockBit is considering changes to its ransom policy, which could have a major impact on victims
- LockBit has asked affiliates to decide on a new ransom payment policy
- One affiliate has already taken a hard line, threatening data destruction if its demands aren't met
- Changes to policy could escalate the cost of ransomware breaches significantly
Prolific ransomware group LockBit was by far the most successful outfit in August, listing 126 victims on its leak site, according to Verizon intelligence. However, the group is being forced to address internal policy issues, after observing a major inconsistency in the amount of ransom demanded by different affiliates. It issued a poll to these affiliates earlier this month, which could have a significant impact on victims.
The options offered to affiliates were:
- Maintain the status quo and allow individual threat groups to decide on the ransom amount
- Set a minimum payment of 3% of victims' annual revenue with the option of a 50% discount
- A new rule where affiliates can only grant a 50% discount on the original ransom price
- No payment accepted below the limit of the victim's cyber insurance policy
- A minimum payment of 50% of the victim's cyber insurance policy limit
Already, one affiliate dubbed the National Hazard Agency has said it will not accept less than 3% of victims' annual revenue and has vowed to destroy data if negotiators try to bargain them down.
The debate highlights the struggle ransomware groups are having in monetizing their attacks but could also signal a new hard line on payments, which may harm victims financially.
Apple patched new zero-day bugs being exploited to deliver commercial spyware
- Apple has patched two zero-day vulnerabilities used to deploy spyware to victims
- The U.S. government has ordered all federal agencies to patch urgently
- The exploits work with no user interaction on the latest iPhones
Apple was forced to patch two zero-day vulnerabilities exploited in the wild to deliver Pegasus spyware from cyber mercenary firm NSO Group. Non-profit Citizen Lab said it discovered the "BlastPass" exploit chain after detecting spyware on the device of "an individual employed by a Washington, DC-based civil society organization with international offices." The chain uses two bugs: CVE-2023-41064, a buffer overflow in the ImageIO framework's handling of WebP images, and CVE-2023-41061, a validation issue in Apple Wallet that lets a maliciously crafted attachment reach the image parser. The same WebP flaw exists in Google's libwebp library, which Chrome patched as CVE-2023-4863. All three CVEs have been added to CISA's Known Exploited Vulnerabilities Catalog.
Citizen Lab reported that devices with Lockdown Mode enabled blocked the BlastPass attack. Even so, all users are urged to update, because the bugs let a threat actor silently install spyware with no interaction from the victim. NSO Group is one of many commercial spyware makers that develop such exploits for government clients.
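The practical follow-up to "all users are urged to update" is finding the devices that have not. The script below is an added example, not code from Verizon, Apple or Citizen Lab: it reads a constructed device inventory (the kind an MDM export gives you) and reports which hosts still sit below the release that fixes these bugs. The fixed versions it assumes are iOS/iPadOS 16.6.1, macOS Ventura 13.5.2 and watchOS 9.6.2 from Apple's September 2023 advisories, and libwebp 1.3.2 for CVE-2023-4863; older branches (for example macOS 12.x or iOS 15.x) received separate back-ported updates, so the script flags them for manual review rather than calling them vulnerable. The hostnames are made up.

```python
"""Patch-status triage for the September 2023 WebP/ImageIO fixes.

Added example (not Verizon's or Apple's code). Reads a constructed
inventory CSV and reports which hosts still run a release below the
one that fixes CVE-2023-41064 / CVE-2023-41061 (Apple platforms) or
CVE-2023-4863 (libwebp).
"""
import csv
import io

# Minimum fixed releases. Apple's September 2023 advisories list
# iOS/iPadOS 16.6.1, macOS Ventura 13.5.2 and watchOS 9.6.2; the
# upstream libwebp fix shipped in 1.3.2. Assumption: one fixed release
# per current major branch; older branches got their own back-ports and
# are reported as "review" rather than "vulnerable".
FIXED = {
    "ios": (16, 6, 1),
    "ipados": (16, 6, 1),
    "macos": (13, 5, 2),
    "watchos": (9, 6, 2),
    "libwebp": (1, 3, 2),
}


def parse_version(text):
    """'16.6.1' -> (16, 6, 1). Missing components are padded with zeros,
    so '16.7' becomes (16, 7, 0) and sorts above 16.6.1. A trailing build
    tag such as '16.6.1 (20G81)' is ignored."""
    token = text.strip().split()[0] if text.strip() else ""
    parts = [int(p) for p in token.split(".") if p]
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    parts = parts[:3]
    return tuple(parts) + (0,) * (3 - len(parts))


def status(platform, version):
    """Classify one host as 'patched', 'vulnerable', 'review' or 'unknown'."""
    key = platform.strip().lower()
    if key not in FIXED:
        return "unknown"
    fixed = FIXED[key]
    current = parse_version(version)
    if current[0] < fixed[0]:
        return "review"          # older branch: check its own back-port
    return "patched" if current >= fixed else "vulnerable"


def triage(inventory_csv):
    """Return {status: [hostnames]} for CSV text with columns
    hostname,platform,version (order of hosts within a status is kept)."""
    out = {"patched": [], "vulnerable": [], "review": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        out[status(row["platform"], row["version"])].append(row["hostname"])
    return out


# Constructed sample inventory; these are not real hosts.
SAMPLE = """hostname,platform,version
ceo-iphone,iOS,16.6.1
pr-ipad,iPadOS,16.5
finance-mbp,macOS,13.5.2
legacy-imac,macOS,12.6.8
dev-watch,watchOS,9.6.2
build-01,libwebp,1.3.1
build-02,libwebp,1.3.2
router-9,RouterOS,7.11
"""

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE).items():
        print(f"{state:10s} {', '.join(hosts) or '-'}")
```

Run it against a real export by replacing `SAMPLE` with the CSV text; anything in "review" or "unknown" needs a human to look up the right back-port or product advisory, and "vulnerable" hosts are the ones to patch first. Note that a version check only tells you a device is exposed, not that it was targeted; Citizen Lab's indicators are the place to start for that question.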
North Korea's Lazarus Group has stolen tens of millions of dollars from two crypto firms
- North Korea's Lazarus Group was blamed for new cyber heists impacting the crypto industry
- They affected crypto casino Stake.com and exchange CoinEx
- The proceeds are likely to finance the Kim Jong Un regime's weapons and nuclear programs
North Korea's prolific Lazarus threat group has been blamed for two new raids on cryptocurrency firms, which together netted about $94 million. The FBI attributed a September 4 heist at crypto casino Stake.com to Lazarus; the attackers drained $41 million from the firm's hot wallets on the Ethereum, Binance Smart Chain (BSC) and Polygon networks. A later attack on crypto exchange CoinEx cost $53 million and stemmed from a hot wallet private key that fell into the wrong hands. That incident was also attributed to North Korea.
Lazarus is one of several groups collecting funds for the Kim Jong Un regime's missile and nuclear programs. It has already been blamed for several attacks earlier this year, including Atomic Wallet ($35 million), Alphapo ($60 million) and CoinsPaid ($37 million). Together with Stake.com and CoinEx, that brings the total haul for 2023 to $226 million, although the real figure could be greater. Given North Korea's recent decision to send arms to Russia, these breaches also have a significant geopolitical dimension.