We are pleased to present the latest issue of ESET Threat Report, which brings changes aimed at making its contents more engaging and accessible. One notable modification is our new approach to data presentation: rather than detailing all data changes within each detection category, our intention is to provide more in-depth analyses of selected, notable developments. For those seeking a comprehensive overview of the telemetry data related to each category, we have included the full set of charts and figures in a dedicated Threat Telemetry section.
Another notable update is the change in publication frequency, transitioning from triannual to a semiannual release schedule. In this issue, we focus on the highlights of H1 2023, covering the period from December 2022 through May 2023. When comparing this period to H2 2022, we refer to the timeframe from June 2022 to November 2022.
In H1 2023, we observed trends highlighting cybercriminals’ remarkable adaptability and relentless pursuit of new avenues to achieve their nefarious goals – be it through exploiting vulnerabilities, gaining unauthorized access, compromising sensitive information, or defrauding individuals. One of the reasons for shifts in attack patterns is stricter security policies introduced by Microsoft, particularly on opening macro-enabled files. In a new attempt to bypass these measures, attackers substituted macros with weaponized OneNote files in H1 2023, leveraging the capability of embedding other files directly into OneNote. In response, Microsoft readjusted, prompting cybercriminals to continue exploring alternative intrusion vectors, with intensifying brute-force attacks against Microsoft SQL servers possibly being one of the tested approaches.
Our telemetry data also suggests that operators of the once-notorious Emotet botnet have struggled to adapt to the shrinking attack surface, possibly indicating that a different group acquired the botnet. In the ransomware arena, actors increasingly reused previously leaked source code to build new ransomware variants. While this allows amateurs to engage in ransomware activities, it also enables defenders like us to cover a broader range of variants, including newly emerging ones, with a more generic set of rules and detections.
Although cryptocurrency threats have been steadily declining in our telemetry – not even to be resurrected by the recent increase in bitcoin's value – cryptocurrency-related cybercriminal activities continue to persist, with cryptomining and cryptostealing capabilities increasingly incorporated into more versatile malware strains. This evolution follows a pattern observed in the past, when malware such as keyloggers was initially identified as a separate threat, but eventually became a common capability of many malware families.
Looking at other threats focused on financial gain, we observed a comeback of so-called sextortion scam emails, exploiting people’s fears related to their online activities, and an alarming growth of deceptive Android loan apps masquerading as legitimate personal loan services, taking advantage of vulnerable individuals with urgent financial needs.
I wish you an insightful read.
Follow ESET research on Twitter for regular updates on key trends and top threats.
To learn more about how threat intelligence can enhance the cybersecurity posture of your organization, visit the ESET Threat Intelligence page.