Wrap-up
This concludes our regularly scheduled programming. We hope you have found the information in this document helpful, actionable and enjoyable.
Once again the DBIR has shown us that while life is, in many ways, unpredictable, being as prepared as possible for all eventualities is the safest course. It is our hope that this document has gone at least some way toward helping you anticipate what threats are most likely to affect your organization and deploy your resources appropriately. We would like to express our sincere appreciation to our data contributors, without whom we could not make this report happen. And of course we thank you, our readers, for continuing to take the time to read this report, making helpful suggestions and greatly assisting us in the improvement of this report each year.
The DBIR team wishes you all a safe and prosperous year, and we look forward to seeing you again in 2025.
Year in review
Monthly snapshot as reported by the VTRAC Monthly Intelligence Briefings. If you’d like to learn more, feel free to reach out to the VTRAC team at Intel.Briefing@verizon.com.
January
The VTRAC’s cyber intelligence collections in January reflected most of the recurring information security (InfoSec) risk issues we would observe through the rest of 2023. Ransomware continued to plague every sector. For example, the LockBit threat actors (TAs) attacked the Royal Mail on January 11, disrupting postal operations for more than six weeks. Atlantic General Hospital in Berlin, Maryland, was among the first healthcare organizations struck with ransomware. Vulnerabilities in FortiOS secure sockets layer (SSL) VPN products were exploited by Chinese APT actors attacking government networks and an African managed service provider. Russian advanced persistent threat (APT) actors continued to attack Ukraine. COLDRIVER attempted to breach Brookhaven, Argonne and Lawrence Livermore National Laboratories using spear phishing and fake login pages. Noteworthy zero-day vulnerabilities that were exploited before patch availability were CVE-2023-21674, a Windows advanced local procedure call (ALPC) elevation of privilege vulnerability, and CVE-2023-22952, a remote code execution vulnerability in SugarCRM’s email templates. Month’s end brought news of a multinational operation to disrupt the Hive ransomware TA that began in July 2022 and had provided decryption keys to more than 1,000 victims.
February
A preauthentication command injection vulnerability in Fortra’s GoAnywhere MFT (managed file transfer) solution, labeled CVE-2023-0669, was a zero-day vulnerability that came to light in the first week of the month. Within days, we learned of a GoAnywhere MFT-related breach of more than 1 million patient records from the Community Health System. The Cl0p ransomware gang exploited GoAnywhere to steal data from more than a hundred companies beginning on January 18. The vulnerability was exploited in data breaches for several months, only to be supplanted in June by a new zero-day vulnerability in another managed file transfer solution, Progress Software’s MOVEit. Microsoft’s Patch Tuesday included patches for three zero-day vulnerabilities, and Apple also patched a zero-day in WebKit. The North Korean APT Lazarus Group conducted the No Pineapple! campaign to exfiltrate more than 100 GB of data from organizations in medical research, healthcare, chemical engineering, energy and defense, as well as a leading research university. The city of Oakland, California, declared a state of emergency following a ransomware infection that disrupted most city services. Both the Play and LockBit TAs claimed credit.
March
3CX is a Voice over Internet Protocol (VoIP) private branch exchange (PBX) software development company whose 3CX Phone System is used by more than 350,000 customers worldwide and has more than 12 million daily users. A digitally signed and trojanized version of the 3CX VoIP desktop client was used to target the company’s customers in an ongoing supply chain attack. Attributed to the Lazarus Group, the ultimate payload was a backdoor Trojan, Gopuram. The attackers used Gopuram with surgical precision: it was installed on fewer than 10 targets, all of which were cryptocurrency companies. The 3CX campaign demonstrated significantly more sophisticated capabilities from North Korean APT actors. And near the end of the month, a new North Korean APT emerged, APT43. Initial reports indicated that APT43 used cybercrime to fund its cyberespionage campaigns. Winter Vivern, the APT aligned with the national security interests of Russia/Belarus, was using malicious documents to collect credentials and exploit vulnerable Zimbra collaboration servers. Winter Vivern targeted government, military and diplomatic entities in nations supporting Ukraine. March’s zero-day vulnerabilities, in Outlook, Microsoft Defender SmartScreen and Adobe ColdFusion, kept patch management teams busy.
April
The month began with the exploitation of two zero-day vulnerabilities in Apple products. Google mitigated a zero-day in its Chrome browser’s V8 JavaScript engine and then four days later rolled out a new version to mitigate a zero-day vulnerability in the Skia graphics engine. And Microsoft patched the second zero-day this year in its Common Log File System driver. Another zero-day vulnerability, CVE-2022-27926, affected Zimbra collaboration servers. The Winter Vivern APT actor had almost certainly discovered and exploited the vulnerability before the patch was announced. CERT Polska warned that the Russian APT29 was actively pursuing diplomatic targets in many nations, principally North Atlantic Treaty Organization (NATO) members. APT28 attacked vulnerable Cisco routers worldwide. The TTP of exploiting a 4-year-old vulnerability in network infrastructure was at once innovative and sufficiently simple to be adopted and adapted by many TAs. The GRU’s Sandworm Team continued to focus on support of the Russian invasion of Ukraine. Multiple top-tier cybercrime actors continued to compromise PaperCut and Fortra GoAnywhere MFT systems to install Cl0p, LockBit and BlackCat/ALPHV ransomware and frequently exfiltrated data from victim networks. Microsoft noted an increase in the pace and the scope of cyberattacks attributed to Iranian threat actors. For example, Mint Sandstorm (Charming Kitten) rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly targeted phishing campaigns to quickly and successfully access environments of interest. The Mint Sandstorm APT began exploiting CVE-2022-47966 in Zoho ManageEngine on January 19, 2023, the same day the proof of concept (PoC) became public.
May
A Chinese state-sponsored APT group dubbed Camaro Dragon was found infecting TP-Link routers with a malicious firmware implant that allowed attackers to gain full control of infected devices and access compromised networks while evading detection. The group overlaps with activity previously attributed to Mustang Panda. Mustang Panda was also observed conducting phishing campaigns against European entities. Other phishing emails delivered fake “official” Ukrainian government reports that downloaded malware onto compromised machines. Mustang Panda’s most used malicious implant was a Trojan program called PlugX, which remained the group’s preferred spying tool. A new Chinese-aligned APT actor, Volt Typhoon, was identified after it had been found targeting critical infrastructure organizations in Guam and elsewhere in the United States since mid-2021. Barracuda identified a zero-day vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliance on May 19. A security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on May 20. Microsoft Patch Tuesday included two zero-day vulnerabilities. Apple released security advisories and patches mitigating more than 30 vulnerabilities, including three zero-day exploits affecting WebKit. On May 31, Progress Software released patches for a SQL injection vulnerability in MOVEit managed file transfer software. The vulnerability was labeled CVE-2023-34362, and we later learned that exploitation had begun on May 27.
June
MOVEit moved into the mainstream. VTRAC began receiving a large number of victim reports—and we were still getting them as this went to press in February 2024. (MOVEit would continue to wreak havoc throughout the year, with multiple cybersecurity experts reporting increasing numbers of organizations and individuals affected.) [100, 101, 102, 103] There were indications the Cl0p ransomware TA had been testing MOVEit exploits in 2021. At least 1,000 organizations became victims, and personally identifiable information (PII) of at least 100 million individuals was compromised. The Russian APT Gamaredon Group attacked Ukraine with a PowerShell-based information stealer distributed on malicious USB thumb drives. Google released a new version of its Chrome browser to mitigate a vulnerability in the V8 JavaScript engine that was already being exploited in the wild. A zero-day preauthentication vulnerability in Fortinet’s FortiOS and FortiProxy SSL-VPN was being exploited in the wild. After May’s alert for CVE-2023-2868, on June 6, Barracuda announced that any ESG appliance that had been compromised must be taken out of service and disposed of; patching was insufficient. Kaspersky’s security architecture detected suspicious activity originating from several iOS-based phones. It discovered a targeted APT campaign that it labeled Operation Triangulation. The target iOS device received a zero-click message via the iMessage service with an attachment containing an exploit. With no user interaction, the message triggered a vulnerability that led to code execution. After installation of the APT payload, the message was deleted. On June 21, Apple patched the Operation Triangulation zero-day vulnerabilities in the iOS kernel and in WebKit.
July
The top three ransomware TAs had a very good July. That is, InfoSec practitioners spent July avoiding successful attacks by LockBit, Cl0p and ALPHV. On Monday, July 4, the port of Nagoya, Japan, was struck by LockBit 3.0. Cl0p continued to take advantage of more than 130 organizations they had breached in May and June before MOVEit was patched. ALPHV (BlackCat) used search engine optimization (SEO) poisoning and malvertisements to lure users into downloading a trojanized WinSCP (Windows Secure Copy Protocol), leading to lateral exploitation, data theft and ransomware infection. A Chinese APT labeled Storm-0558 acquired a Microsoft account (MSA) consumer key from a Microsoft engineer’s system using an arcane series of loopholes. That key enabled the group to access Outlook and Outlook Web Access (OWA) accounts affecting about 25 organizations, including government agencies. Five zero-day vulnerabilities were mitigated on Microsoft Patch Tuesday. Zimbra Collaboration Suite contained a cross-site scripting zero-day vulnerability affecting the confidentiality and integrity of data. Adobe released an update to ColdFusion on Patch Tuesday. Three days later, Adobe released an out-of-cycle security bulletin for a deserialization zero-day vulnerability in ColdFusion. Two new zero-day vulnerabilities in Ivanti Endpoint Manager Mobile were exploited to breach the IT systems of a dozen ministries in Norway. Citrix released an advisory and patches for three vulnerabilities in NetScaler (formerly Citrix) application delivery controller (ADC) and NetScaler Gateway. CISA advised that one NetScaler vulnerability had been exploited to breach the network of a U.S. critical infrastructure organization in June. On August 2, we learned that 640 NetScaler servers had been backdoored by an unidentified TA and a China Chopper web shell installed.
August
Multiple sources reported a decline in ransomware attacks in the range of 20%–33%. An ongoing espionage campaign targeting dozens of organizations in Taiwan was discovered. Researchers attributed the activity to a new Chinese APT group labeled Flax Typhoon. The threat group minimizes the use of custom malware and instead uses legitimate tools found in victims’ operating systems to conduct its espionage operations (living off the land). VTRAC collected intelligence for another new APT, labeled Carderbee. That TA mounted a supply chain attack weaponizing updates from a Chinese security company to install a code-signed version of the PlugX backdoor on about 100 computers, mostly in Hong Kong. The North Korean Lazarus Group fielded new remote access trojans (RATs), QuiteRAT and CollectionRAT, and there were indications that the Lazarus Group was also shifting to “living off the land” TTP. The FBI announced a global operation against the Qbot (aka Qakbot) botnet. In Operation Duck Hunt, the FBI seized control of the botnet, removed the malware from infected devices and identified a substantial number of affected systems. As with many malware takedowns, the core cybercriminals were not arrested or confined, and Qbot would begin a comeback in December. Microsoft Patch Tuesday included mitigation of two exploited zero-day vulnerabilities: CVE-2023-38180 (patched) and CVE-2023-36884 (not patched).
September
Caesars Entertainment discovered on September 7 that the ALPHV ransomware TA had performed a social engineering attack that targeted an outsourced IT support vendor, resulting in a breach of Caesars’ network and its loyalty program database, which stores driver’s license numbers and Social Security numbers for many customers. Caesars chose to pay roughly half of the $30 million ransom to recover its data. On September 11, MGM Resorts International disclosed that the ALPHV ransomware TA had breached MGM’s network using social engineering, then stole sensitive data and encrypted more than a hundred ESXi hypervisors. MGM informed the SEC that the cyberattack cost the company $100 million. Akira ransomware threat actors were targeting Cisco VPNs that were not configured for MFA to infiltrate organizations. Cisco released an advisory for a vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) that could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations. In August, Cisco became aware of attempted exploitation of this vulnerability in the wild. The University of Toronto’s Citizen Lab reported that iOS zero-day vulnerabilities were exploited to install NSO Group’s Pegasus commercial spyware. Microsoft Patch Tuesday included two zero-day vulnerabilities. The WebP codec is used in countless applications and websites, and it had a zero-day vulnerability with attacks reported by Apple and Google. Adobe released an out-of-cycle advisory and patch to mitigate a zero-day remote code execution vulnerability in Adobe Acrobat and Reader.
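The September entry describes password guessing against remote-access VPNs that lack MFA: many usernames tried from one source until a valid combination is found. The detector below is an added example for a defender's log pipeline; it is not code from the DBIR, Verizon or Cisco. It uses a constructed, simplified authentication log format (timestamp, source IP, username, outcome), so a real appliance's syslog would need its own parser. It flags a source only when both the failure volume and the spread of distinct usernames in a sliding window exceed thresholds, which keeps a single user mistyping a password from firing, and it records any later successful login from a flagged source, since that is the event a responder needs first.

```python
"""Detect password-guessing bursts against a VPN gateway from authentication logs.

Added example, not Verizon's or Cisco's code. The log format is constructed
and simplified; real appliance syslog lines differ and need their own parser.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source cycles through many usernames, another is a
# legitimate user who mistypes twice. The last line is noise the parser must skip.
SAMPLE_LOG = """\
2023-08-14T02:00:01Z vpn-gw auth src=203.0.113.7 user=admin result=REJECT
2023-08-14T02:00:03Z vpn-gw auth src=203.0.113.7 user=jsmith result=REJECT
2023-08-14T02:00:04Z vpn-gw auth src=203.0.113.7 user=helpdesk result=REJECT
2023-08-14T02:00:06Z vpn-gw auth src=203.0.113.7 user=backup result=REJECT
2023-08-14T02:00:08Z vpn-gw auth src=203.0.113.7 user=svc_sql result=REJECT
2023-08-14T02:00:09Z vpn-gw auth src=203.0.113.7 user=mjones result=ACCEPT
2023-08-14T02:05:10Z vpn-gw auth src=198.51.100.22 user=aperez result=REJECT
2023-08-14T02:05:40Z vpn-gw auth src=198.51.100.22 user=aperez result=REJECT
2023-08-14T02:06:02Z vpn-gw auth src=198.51.100.22 user=aperez result=ACCEPT
2023-08-14T02:07:00Z vpn-gw session src=198.51.100.22 user=aperez tunnel=up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth src=(?P<src>[\d.]+) user=(?P<user>\S+) "
    r"result=(?P<result>ACCEPT|REJECT)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_bruteforce(log_text, max_failures=5, min_distinct_users=3,
                      window=timedelta(minutes=1)):
    """Return {src: finding} for sources whose REJECTs in a sliding window exceed
    both the volume threshold and the distinct-username threshold.

    finding = {"first_seen": datetime, "users": set of usernames tried,
               "success_after": (datetime, user) of the first ACCEPT after flagging, or None}
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) REJECTs inside the window
    findings = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["src"]]
        if ev["result"] == "REJECT":
            q.append((ev["ts"], ev["user"]))
            # Drop failures that have aged out of the window.
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            users = {u for _, u in q}
            if len(q) >= max_failures and len(users) >= min_distinct_users:
                f = findings.setdefault(
                    ev["src"], {"first_seen": q[0][0], "users": set(), "success_after": None})
                f["users"] |= users
        elif ev["src"] in findings and findings[ev["src"]]["success_after"] is None:
            # A successful login from an already-flagged source is the priority alert.
            findings[ev["src"]]["success_after"] = (ev["ts"], ev["user"])
    return findings


if __name__ == "__main__":
    for src, f in detect_bruteforce(SAMPLE_LOG).items():
        print(src, "tried", sorted(f["users"]), "success_after:", f["success_after"])
```

The thresholds are deliberately parameters: lowering `max_failures` and `min_distinct_users` trades false positives for earlier warning, and the same structure works for any gateway whose logs can be reduced to (time, source, user, outcome). Enforcing MFA on the VPN, which the entry notes the targeted organizations had not done, is the mitigation; this detector only shortens the time to notice the guessing.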
October
In an advisory sent to an undisclosed number of customers on October 19, Okta said it had “identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system.” An Okta spokesperson said the company notified about 1% of its customer base (~170 customers), including 1Password and Cloudflare. On October 7, Hamas invaded Israel, triggering significant unrest. Within an hour, the Russian-affiliated group Anonymous Sudan claimed responsibility for potentially disabling an Israeli civilian app designed to alert citizens about missile attacks. Hacktivists aligned with each side of the conflict began conducting DoS attacks as well as hack-and-leak operations and defacements. For the most part, nation-state-aligned APT actors conducted limited or no offensive cyber conflict activities targeting Hamas or Israel. Organizations with Atlassian’s Confluence Data Center and Confluence Server reported compromises. Atlassian determined that a zero-day access control vulnerability, CVE-2023-22515, was being exploited. Apple released updates to iOS and iPadOS to address two more zero-day vulnerabilities. Three zero-days were among 104 security updates on Microsoft Patch Tuesday. Cisco and multiple intelligence sources have been tracking attacks exploiting a chain of two zero-day vulnerabilities in Cisco IOS XE software, enabling creation of new accounts and implanting of remote control malware.
November
After a significant drop in observed ransomware attacks in September and October, November saw numbers rebound to roughly where we expected them to be. Carbanak, a well-known banking malware, returned from relative obscurity, controlled by the FIN7 APT-grade cybercrime actor. Multiple sources linked FIN7 to the Carbanak, Cl0p and ALPHV ransomware TAs. HelloKitty ransomware was attacking a zero-day vulnerability in Apache ActiveMQ, the popular open source, multiprotocol message broker. A zero-day vulnerability in SysAid IT service management software was being exploited by the Cl0p ransomware actors. The Russian APT Sandworm group was responsible for attacks against 22 critical infrastructure organizations in Denmark. November’s Patch Tuesday included 77 Microsoft patches, among them patches for three new zero-day vulnerabilities being exploited in the wild. Two F5 BIG-IP vulnerabilities were being attacked within five days of the release of security advisories and patches. The Chrome browser and multiple Apple products patched zero-day vulnerabilities. The Chinese APT Mustang Panda conducted cyberespionage campaigns targeting organizations in the Philippines and the western Pacific Rim region.
December
The Cyber Av3ngers, a hacktivist TA affiliated with the Islamic Revolutionary Guard Corps (IRGC), took responsibility for defacing workstations at Pennsylvania’s Municipal Water Authority of Aliquippa. The TA reportedly hit multiple water utility companies in the United States by targeting Unitronics’ PLC devices. Ukraine’s largest mobile operator, Kyivstar, was hit by a cyberattack that left its system infrastructure extensively damaged and knocked it out of operation for days. The Solntsepek TA—which had been previously linked to the notorious Sandworm Group—claimed the attack a day later, stating that it had destroyed 10,000 computers, more than 4,000 servers, and all cloud storage and backup systems. Google’s Chrome browser, QNAP’s VioStor network video recorder and Future X Communications’ wireless LAN routers AE1021PE and AE1021 each patched new vulnerabilities that had already been successfully exploited in the wild. Barracuda ESG appliances had a zero-day vulnerability that was being successfully exploited by a Chinese threat actor. Midmonth, Microsoft warned that Qbot (Qakbot) was being distributed again in a phishing campaign pretending to be an email from an IRS employee.