The second half of 2023 witnessed significant cybersecurity incidents. Cl0p, a notorious cybercriminal group known for carrying out ransomware attacks on a major scale, garnered attention through its extensive “MOVEit hack”, which surprisingly did not involve ransomware deployment. The attack targeted numerous organizations, including global corporations and US governmental agencies. A key shift in Cl0p’s strategy was its move to leak stolen information to open worldwide web sites in cases where the ransom was not paid, a trend also seen with the ALPHV ransomware gang. Other new strategies in the ransomware scene, according to the FBI, have included the simultaneous deployment of multiple ransomware variants and the use of wipers following data theft and encryption.
In the IoT landscape, our researchers have made a notable discovery. They have identified a kill switch that had been used to successfully render the Mozi IoT botnet nonfunctional. It is worth mentioning that the Mozi botnet is one of the largest of its kind we have monitored over the past three years. The nature of Mozi’s sudden downfall raises the question of whether the kill switch was used by the botnet creators or Chinese law enforcement. A new threat, Android/Pandora, surfaced in the same landscape, compromising Android devices – including smart TVs, TV boxes, and mobile devices – and utilizing them for DDoS attacks.
Amidst the prevalent discussion regarding AI-enabled attacks, we have identified specific campaigns targeting users of tools like ChatGPT. We also noticed a considerable number of attempts to access malicious domains with names resembling “chapgpt”, seemingly in reference to the ChatGPT chatbot. Threats encountered via these domains also include web apps that insecurely handle OpenAI API keys, emphasizing the importance of protecting the privacy of your OpenAI API keys.
We have also observed a significant increase in Android spyware cases, mainly attributed to the presence of the SpinOk spyware. This malicious software is distributed as a software development kit and is found within various legitimate Android applications. On a different front, one of the most recorded threats in H2 2023 is three-year-old malicious JavaScript code detected as JS/Agent, which continues to be loaded by compromised websites. Similarly, Magecart, a threat that goes after credit card data, has continued to grow for two years by targeting myriads of unpatched websites. In all three of these cases, the attacks could have been prevented if developers and admins had implemented appropriate security measures.
Lastly, the increasing value of bitcoin has not been accompanied by a corresponding increase in cryptocurrency threats, diverging from past trends. However, cryptostealers have seen a notable increase, caused by the rise of the malware-as-a-service (MaaS) infostealer Lumma Stealer, which targets cryptocurrency wallets. These developments show an ever-evolving cybersecurity landscape, with threat actors using a wide range of tactics.
I wish you an insightful read.
Follow ESET research on Twitter for regular updates on key trends and top threats.
To learn more about how threat intelligence can enhance the cybersecurity posture of your organization, visit the ESET Threat Intelligence page.