Top cybersecurity threats for September 2023

Author: Phil Muncaster

On the third Wednesday of every month, the Verizon Threat Research Advisory Center (VTRAC) holds a Monthly Intelligence Briefing (MIB) to discuss the current cybersecurity threat landscape. Below is a summary of the most recent briefing, together with the September recording of the briefing.



1. LockBit is considering changes to its ransom policy, which could have a major impact on victims


2. Apple patched two new zero-day bugs being exploited to deliver commercial spyware


3. North Korea's Lazarus Group stole tens of millions of dollars from two crypto firms

Top cybersecurity news

September 2023 cybersecurity and threat intelligence news you should know about.

  • The Clop ransomware group has begun using torrents to leak stolen data
  • is weaponizing the GDPR, extorting compromised victims with the threat of large regulatory fines
  • BianLian ransomware affiliates have stolen 7 TB of data from noted NGO Save the Children
  • The signing key that China-based threat actor Storm-0558 used to access government email was stolen after it leaked into a Windows crash dump in 2021, Microsoft revealed
  • A new Chinese Advanced Persistent Threat (APT) actor, "Carderbee", has been observed abusing a legitimate Cobra DocGuard software update to deploy backdoor malware on victim machines, a software supply-chain attack


LockBit is considering changes to its ransom policy, which could have a major impact on victims

Top takeaways:

  • LockBit has asked affiliates to decide on a new ransom payment policy
  • One affiliate has already taken a hard line, threatening data destruction if its demands aren't met
  • Changes to policy could escalate the cost of ransomware breaches significantly

Prolific ransomware group LockBit was by far the most active outfit in August, listing 126 victims on its leak site, according to Verizon intelligence. However, the group is having to address an internal policy problem: a major inconsistency in the ransom amounts demanded by different affiliates. Earlier this month it polled those affiliates on a new payment policy, and the outcome could have a significant impact on victims.

The options offered to affiliates were:

  1. Maintain the status quo, leaving each affiliate to set its own ransom amount
  2. Set a minimum ransom of 3% of the victim's annual revenue, with affiliates allowed to discount it by up to 50%
  3. Allow affiliates to discount the original ransom demand by no more than 50%
  4. Accept no payment below the limit of the victim's ransomware insurance policy
  5. Accept no payment below 50% of the limit of the victim's ransomware insurance policy

Already, one affiliate dubbed the National Hazard Agency has said it will not accept less than 3% of a victim's annual revenue and has vowed to destroy stolen data if negotiators try to bargain it down.

The debate highlights the difficulty ransomware groups have in monetizing their attacks, but it could also signal a harder line on payments that would raise the financial cost of a breach for victims.

Apple patched two new zero-day bugs being exploited to deliver commercial spyware

Top takeaways:

  • Apple has patched two zero-day vulnerabilities used to deploy spyware to victims
  • The U.S. government has ordered all federal agencies to patch urgently
  • The exploit chain is zero-click: it works with no user interaction, including on the latest iPhones

Apple was forced to patch two critical zero-day vulnerabilities exploited in the wild to deliver Pegasus spyware from notorious cyber mercenary firm NSO Group. Non-profit Citizen Lab said it discovered the "BlastPass" exploit chain after detecting spyware on the device of "an individual employed by a Washington, DC-based civil society organization with international offices." The two vulnerabilities are CVE-2023-41064, a buffer overflow in the ImageIO framework triggered by a maliciously crafted WebP image, and CVE-2023-41061, a validation issue in Apple Wallet that is exploited by a malicious PassKit attachment. The ImageIO bug is in the libwebp library, and Google separately patched Chrome for the same underlying flaw as CVE-2023-4863. All three CVEs have been added to CISA's Known Exploited Vulnerabilities Catalog.

Citizen Lab reports that devices running in Lockdown Mode are protected from BlastPass. However, all users are urged to update their devices, since the bugs let a threat actor silently deploy spyware with no interaction from the victim. Because the flaw is in libwebp, which many browsers and applications embed, patching should extend beyond Apple devices to any software that decodes WebP images. NSO Group is one of many commercial spyware makers that develop such exploits for government clients.
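As an added example, not code from Verizon, Apple, Google or Citizen Lab, the Python below parses the WebP RIFF container and reports whether a file reaches libwebp's lossless (VP8L) decoder. That is where the CVE-2023-4863 / CVE-2023-41064 flaw lies (the Huffman-table construction in the lossless path), so it is the triage question a responder has for image attachments pulled from mail or messaging logs, or that the owner of an image-processing pipeline has about the inputs it accepts. The chunk layout follows the public WebP specification; the sample files at the end are constructed by hand with valid headers and no pixel data.

```python
"""WebP container triage: does this file reach libwebp's lossless (VP8L) decoder?

Added example for this briefing, not Verizon's, Apple's or Google's code.
CVE-2023-4863 / CVE-2023-41064 sit in the lossless decoder, so the question
for each image is whether any of its chunks is decoded by that code path.
"""
import struct


def _chunks(buf: bytes):
    """Yield (fourcc, payload) for a run of RIFF chunks; payloads are padded to even length."""
    off = 0
    while off + 8 <= len(buf):
        fourcc = buf[off:off + 4].decode("ascii", errors="replace")
        size = struct.unpack_from("<I", buf, off + 4)[0]
        start, end = off + 8, off + 8 + size
        if end > len(buf):
            raise ValueError(f"chunk {fourcc!r} overruns file")
        yield fourcc, buf[start:end]
        off = end + (size & 1)


def _vp8_dims(p: bytes):
    """Lossy VP8 key frame: 3-byte frame tag, start code 9d 01 2a, then 14-bit width and height."""
    if len(p) < 10 or p[0] & 1 or p[3:6] != b"\x9d\x01\x2a":
        raise ValueError("VP8 chunk does not start with a key frame")
    w, h = struct.unpack_from("<HH", p, 6)
    return w & 0x3FFF, h & 0x3FFF


def _vp8l_dims(p: bytes):
    """Lossless VP8L header: 0x2f signature, 14-bit width-1, 14-bit height-1, alpha bit, 3-bit version."""
    if len(p) < 5 or p[0] != 0x2F:
        raise ValueError("bad VP8L signature")
    bits = struct.unpack_from("<I", p, 1)[0]
    if bits >> 29:
        raise ValueError("unknown VP8L version")
    return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1


def _uses_lossless(chunks) -> bool:
    """True if any chunk, including frames nested in ANMF, is decoded by the VP8L code path."""
    for fourcc, p in chunks:
        if fourcc == "VP8L":
            return True
        if fourcc == "ALPH" and p and (p[0] & 0x03) == 1:
            return True  # alpha plane compressed with the lossless format
        if fourcc == "ANMF" and _uses_lossless(list(_chunks(p[16:]))):
            return True  # 16-byte frame header, then the frame's own chunks
    return False


def analyze_webp(data: bytes) -> dict:
    """Validate the RIFF/WEBP container and report format, canvas size and decoder path."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        raise ValueError(f"RIFF size {riff_size} disagrees with file length {len(data)}")
    chunks = list(_chunks(data[12:]))
    if not chunks:
        raise ValueError("no chunks")
    first, payload = chunks[0]
    info = {"chunks": [c for c, _ in chunks], "animated": False}
    if first == "VP8 ":
        info["format"] = "lossy"
        info["width"], info["height"] = _vp8_dims(payload)
    elif first == "VP8L":
        info["format"] = "lossless"
        info["width"], info["height"] = _vp8l_dims(payload)
    elif first == "VP8X":
        if len(payload) < 10:
            raise ValueError("short VP8X header")
        info["format"] = "extended"
        info["animated"] = bool(payload[0] & 0x02)
        info["width"] = 1 + int.from_bytes(payload[4:7], "little")
        info["height"] = 1 + int.from_bytes(payload[7:10], "little")
    else:
        raise ValueError(f"unexpected first chunk {first!r}")
    info["lossless_decoder"] = _uses_lossless(chunks)
    return info


# --- constructed samples: valid headers, no real pixel data -------------------
def riff_chunk(fourcc: bytes, payload: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")


def webp_file(*chunks: bytes) -> bytes:
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


VP8_4x3 = riff_chunk(b"VP8 ", b"\x10\x02\x00\x9d\x01\x2a" + struct.pack("<HH", 4, 3) + b"\x00" * 4)
SAMPLE_LOSSY = webp_file(VP8_4x3)
SAMPLE_LOSSLESS = webp_file(riff_chunk(b"VP8L", b"\x2f" + struct.pack("<I", 2 | (1 << 14)) + b"\x00" * 2))
# lossy pixels, but a lossless-compressed alpha plane still goes through the VP8L decoder
SAMPLE_EXT_ALPHA = webp_file(
    riff_chunk(b"VP8X", b"\x10\x00\x00\x00" + (3).to_bytes(3, "little") + (2).to_bytes(3, "little")),
    riff_chunk(b"ALPH", b"\x01" + b"\x00" * 5),
    VP8_4x3,
)

if __name__ == "__main__":
    for name, blob in (("lossy", SAMPLE_LOSSY), ("lossless", SAMPLE_LOSSLESS), ("ext+alpha", SAMPLE_EXT_ALPHA)):
        print(f"{name:10s} {analyze_webp(blob)}")
```

Checking only the first chunk, or grepping files for the `VP8L` FourCC, is not enough: a lossy image can still enter the lossless decoder through an ALPH chunk whose alpha plane is lossless-compressed, and animated files carry their frames inside ANMF chunks, which is why the scan above descends into both.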

North Korea's Lazarus Group has stolen tens of millions of dollars from two more crypto firms

Top takeaways:

  • North Korea's Lazarus Group was blamed for new cyber heists impacting the crypto industry
  • They affected crypto casino and exchange CoinEx
  • The funds are likely to fund the Kim Jong Un regime's weapons and nuclear program

North Korea's prolific Lazarus threat group has been blamed for two new raids on cryptocurrency firms, which together netted around $94 million. The FBI attributed a September 4 heist at crypto casino The attack enabled hackers to steal $41 million in assets on the Ethereum, Binance Smart Chain (BSC) and Polygon networks from the firm's hot wallets. A later attack on crypto exchange CoinEx resulted in a $53 million loss and stemmed from the compromise of a hot wallet private key. That attack was also attributed to North Korea.

Lazarus is one of several groups working to raise funds for the Kim Jong Un regime's missile and nuclear programs. It has already been blamed for several attacks earlier this year, including those on Atomic Wallet ($35 million), Alphapo ($60 million) and CoinsPaid ($37 million). That brings the group's known haul for 2023 to $226 million, although the true figure could be higher. Given North Korea's reported move to supply arms to Russia, these breaches also have a significant geopolitical dimension.
