by Joshua Moore, Senior Investigator – DarkInvader
The internet continues to be a dark place for businesses. In fact, organizations need to be super vigilant when it comes to the threat landscape in 2023.
In a recent poll, nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organization’s accounting and financial data to increase in the year ahead, but just 20.3% work closely and consistently with their peers in cybersecurity.
This is a worrying stat, especially as with the increasing reliance on digital technologies and the rise of hybrid working, cybercriminals are finding new ways to exploit vulnerabilities to gain access to sensitive information.
The first months of 2023 have been an absolute hive of cyber attack activity, clearly demonstrating it is not slowing down anytime soon. Here are just a few of the threats that have hit the headlines so far:
Lockbit vs. Royal Mail
The recent cyber incident involving Royal Mail, served as a wake-up call regarding state-sponsored threats targeting international businesses.
The attack was carried out by Lockbit-3, a notorious Russia-linked ransomware operator known for targeting large corporations. Unusually, the ransomware gang published the attack and an ‘absurd’ ransom demand on their dark web blog, along with the subsequent chat logs with Royal Mail.
Despite Lockbit initially demanding $80 million, which they believed was a small percentage of the company’s turnover, it became evident from the chat logs that they had mistakenly targeted a subsidiary rather than the parent company, leading to disruptions in international shipping operations and global industry repercussions.
The Guardian Cyber Attack
The Guardian newspaper experienced a ransomware attack involving unauthorized access to parts of its network. As a result, employees were instructed to work remotely while internal systems were disconnected and assessed.
The attack affected various systems, including internal staff communication tools and staff canteen tills. The attack was initiated through email phishing, and while some staff information was accessed, specific details remain unknown.
This incident highlights the significance of regular phishing training to mitigate such risks and demonstrates how a single email can disrupt an entire company, leading to remote work arrangements and operational challenges.
ChatGPT Breach
In late March, ChatGPT, known for its groundbreaking AI capabilities, faced a data breach. OpenAI, the parent company, revealed that due to a bug in an open-source library, some users were able to view another user’s first and last name, email address, payment address, the last four digits of a credit card, and credit card expiration date.
Fortunately, full credit card numbers were not exposed. OpenAI promptly addressed the issue by notifying affected users, verifying emails, and implementing additional security measures.
This incident underscores how even a small vulnerability can be exploited by threat actors, causing disruptions for both users and the organization.
Eurovision becomes a target
This year’s Eurovision attracted many visitors to Liverpool with the cyber darkside taking advantage and according to booking.com, there was evidence of phishing emails being sent to some accommodation partners.
Scammers often exploit popular events to deceive customers, but while booking.com denied experiencing a security breach, travel agents still recommended visitors contact hotels directly if any concerns arise.
The organizers were also preparing themselves for pro-Russian hackers or other bad actors to attack the voting systems. Organizers were so concerned that the UK’s National Cyber Security Centre (NCSC) was brought in to protect the competition’s public vote.
New dark web market STYX
A new DarkWeb marketplace called ‘STYX’ has emerged, specializing in illegal services, stolen data, money laundering, and hacking tutorials.
Like other illicit sites, STYX relies on cryptocurrency payments to maintain anonymity. This marketplace may be a response to the recent FBI crackdown on breached forums, serving as an alternative platform for users seeking illegal data and services.
It highlights the challenge of shutting down sites like STYX or Breached, as new ones quickly replace those seized by authorities.
UNC3886 threat actor
Mandiant highlighted the activities of a Chinese espionage threat actor known as UNC3886 in a detailed report. The actor targets firewalls, IoT devices, hypervisors, and VPN technologies, taking advantage of the lack of endpoint detection response support.
By exploiting zero-day vulnerabilities and deploying custom malware, the actor gains persistence and infiltrates the target environment.
The report emphasizes the importance of communication and collaboration between organizations, vendors, and investigators to effectively mitigate these activities.
Protecting your business
The supply chain continues to be one of the biggest headaches for organizations. The UK government has been urging businesses to enhance their supply chain security.
The National Cyber Security Centre (NCSC) recently released new guidance to assist businesses in understanding and managing information obtained from suppliers.
Building upon existing supply chain recommendations, the guidance acknowledges the significant cybersecurity risks associated with weaknesses in the supply chain, as evidenced by several notable attacks in recent years.
The Cyber Security and infrastructure agency (CISA), in collaboration with MITRE, has introduced Decider, a free tool designed to facilitate the mapping of threat actor behavior to the MITRE ATT&CK framework.
This global knowledge base enables the identification and categorization of actor tactics, techniques, and procedures.
The tool simplifies the mapping process through guided questions, search and filter capabilities, and easy result export. Accompanying resources are provided to support users in getting started with the tool.
To effectively protect your organization from the barrage of oncoming cyber threats, it is crucial to implement comprehensive protective measures.
These have to include ensuring all security measures are in place and up-to-date to support the corporate infrastructure and networks, such as deploying robust firewalls and updating anti-malware solutions.
Regular software updates to address newly discovered vulnerabilities is now absolutely essential. Restricting access to sensitive data and educating employees on identifying and reporting suspicious emails from unknown sources are important steps.
Additionally, establishing an incident response plan, which involves backing up critical data, establishing communication protocols with customers and stakeholders, and collaborating with authorities for investigations, is imperative. By implementing these measures, businesses can proactively mitigate the risk of cyber attacks in 2023 and beyond.