Besides the takedown of the Mozi IoT botnet, the period saw five other trends in one cybersecurity firm’s user base.
Based on telemetry from its global user base in the second half of 2023, one cybersecurity firm has summarized the threat trends it observed in that period.
First, in the ransomware scene, Cl0p, a cybercriminal group known for carrying out large-scale ransomware attacks, drew attention in H2 2023 through its extensive “MOVEit hack”, which did not involve ransomware deployment. The attack targeted numerous organizations, including global corporations and US government agencies. A key shift in Cl0p’s strategy was its move to leak stolen information on sites on the open web when the ransom was not paid, a trend also seen with the ALPHV ransomware gang.
Other developing strategies in the ransomware scene in H2 2023, according to the FBI, included the simultaneous deployment of multiple ransomware variants and the use of wipers following data theft and encryption.
Second, in the IoT landscape, the Mozi IoT botnet was found to contain a “kill switch” that could render the malware non-functional. Only two entities could have known about the switch: the botnet’s creators, and the Chinese government. In August 2023 the switch was used to cull Mozi activity worldwide, marking the end of attacks on Netgear, DASAN Networks, D-Link and JAWS devices. Another threat detected in the firm’s IoT customer base was Pandora, which compromised Android devices such as smart TVs, TV boxes and mobile devices and abused them to launch DDoS attacks.
Four other H2 trends
The third trend discerned from the firm’s data was an increase in AI-enabled attacks, particularly involving users of generative AI tools such as ChatGPT. A considerable number of attempts were found to access malicious domains with names resembling “chapgpt”, seemingly in reference to the chatbot. Threats encountered via these domains also included web apps that insecurely handled OpenAI API keys. Also:
- The fourth trend spotted for H2 2023 was a significant increase in Android spyware cases in the firm’s user base, mainly attributed to the presence of the SpinOk spyware. This malicious software is distributed as a software development kit and is found within various legitimate Android applications. Website admins should be wary of the plugins they install, especially for WordPress, as these dramatically increase the attack surface. Put in place a patching policy that requires admins to apply updates as soon as they are available, and brief all web developers on secure coding practices such as data sanitization and secure HTTP headers.
- The fifth trend was the continued dominance of one of the firm’s most recorded threats in H2 2023: a three-year-old piece of malicious JavaScript code detected as JS/Agent. Similarly, Magecart, a threat that goes after credit card data, had continued to grow for two years by targeting myriad unpatched websites. The attacks could have been prevented if developers and admins had implemented appropriate security measures.
- Lastly, the rising value of bitcoin was not accompanied by a corresponding increase in cryptocurrency threats in H2 2023, diverging from past trends in the firm’s user base. However, crypto stealers rose notably in number, due to the 199% growth of the Lumma Stealer, an infostealer that targets cryptocurrency wallets.
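The third trend above mentions access attempts to domains with names resembling “chapgpt”. As an added example (not ESET’s code or data), the following shows how a defender might flag such lookalike domains in DNS query logs by edit distance to protected brand labels; the “openai” label, the log format and the log lines are constructed assumptions.

```python
# Labels to protect: "chatgpt" covers the report's "chapgpt" lookalike; "openai" is an added assumption.
PROTECTED_LABELS = {"chatgpt", "openai"}
MAX_DISTANCE = 1  # one inserted, deleted or substituted character

def levenshtein(a, b):
    """Edit distance via a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalike_label(fqdn):
    """Return the protected label the query name imitates (None for exact or
    unrelated names); the registrable label is taken naively as the one before the TLD."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    if sld in PROTECTED_LABELS:
        return None
    for brand in sorted(PROTECTED_LABELS):
        if levenshtein(sld, brand) <= MAX_DISTANCE:
            return brand
    return None

# Constructed DNS query log (not real telemetry): "<timestamp> <client> <qname>"
SAMPLE_LOG = """\
2023-09-01T10:00:01Z 10.0.0.5 chat.openai.com.
2023-09-01T10:00:02Z 10.0.0.7 chapgpt.example.
2023-09-01T10:00:03Z 10.0.0.9 chatgpt.com.
2023-09-01T10:00:04Z 10.0.0.5 openal.example.
"""

def flag_lookalikes(log_text):
    """Return (client, qname, imitated_brand) for each suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname = parts
        brand = lookalike_label(qname)
        if brand:
            hits.append((client, qname, brand))
    return hits
```

Exact brand matches and the legitimate `chat.openai.com` pass through; only the two one-character near-misses are reported, so tuning `MAX_DISTANCE` and the protected set against real query volume is the first step before alerting on the output.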
According to Jiří Kropáč, Director of Threat Detection, ESET, the firm that announced its H2 2023 user base cyber trends, “these developments show an ever-evolving cybersecurity landscape, with threat actors using a wide range of tactics.”