Authored by Trellix’s Advanced Research Center, this report (1) highlights insights, intelligence, and guidance gleaned from multiple sources of critical data on cybersecurity threats, and (2) develops expert, rational, and reasonable interpretations of this data to inform and enable best practices in cyber defense. This edition focuses on data and insights captured primarily between April 1, 2023 and September 30, 2023.
What’s out there? What’s incoming? How do we get ahead of it?
These questions are ones we live and breathe every day. You as CISOs, and your SecOps teams. And our Advanced Research Center experts, as well as myself. Like you, we bounce between urgent after-hour war-room calls with CEOs and boards and intensive, weekend-long search-and-counter missions tracking down ransomware gangs or malicious payloads.
Working independently and together, your teams and ours represent the first line of defense for essentially every organization in the world.
Preventing these incidents and impacts starts with intelligence. Understanding the threat environment. Translating raw telemetry into actionable insights on threat actors, vulnerabilities, and attacks.
We publish the Trellix Cyberthreat Report for you. In this 2023 Q4 edition you’ll find insights on four fronts shaping the threat environment: (1) nation-state activity and APTs, (2) the continuing evolution of ransomware, (3) shifts in threat actor behavior, and (4) the emerging threat of generative AI.
Intelligence shapes the battlefield. In cybersecurity, that starts here.
Global context always matters in cybersecurity. Wars and conflicts inflame passions. Fragile relationships between nations fuel mistrust and misdeeds. Economic instability opens opportunities for some to prey on others. A sampling of factors influencing our Q4 2023 threat data and analysis includes the following.
Trellix’s world-class experts from our Advanced Research Center gather the statistics, trends, and insights that comprise this report from a wide range of global sources, both captive and open. The aggregated data is fed into our Insights and ATLAS platforms. Leveraging machine learning, automation, and human acuity, the team cycles through an intensive, integrated, and iterative set of processes – normalizing the data, analyzing the information, and developing insights meaningful to cybersecurity leaders and SecOps teams on the frontlines of cybersecurity worldwide. For a more detailed description of our methodology, please see the end of this report.
It’s imperative that any industry-leading assessment team and process understand, acknowledge and, where possible, mitigate the effects of bias – the natural, embedded, or invisible inclination to either accept, reject, or manipulate facts and their meaning. The same precept holds true for consumers of the content.
Unlike a highly structured, controlled mathematical test or experiment, this report is inherently a convenience sample – a non-probability type of study often used in medical, healthcare, psychology, and sociology research that makes use of data that is available and accessible.
Understanding the insights and data in this report requires briefly reviewing the following guidelines:
Nation-state actors are increasingly engaging in digital espionage, disinformation campaigns, and cyberwarfare. In fact, as hostilities escalate between various entities, such as Russia and Ukraine, China and Taiwan, Israel and Hamas, and many others, threat activity worldwide from both APT groups and hacktivists has intensified at a significantly higher rate than in 2022 and before. Within the last six months alone, activity from nation-state associated groups has increased by more than 50%.
Based on the telemetry alone, the most prominent nation-states represented were China, Russia, and North Korea. Based on public events alone, the most prominent nation-state threat actor was North Korea, with 36 reports of affiliated groups including Lazarus, Kimsuky, APT37, and BlueNoroff. The second most represented nation-state was China, with 33 reported events, many of them involving Mustang Panda. Threat actors affiliated with Russia represented the third most common nation-state groups, with 29 reported events involving Gamaredon, APT28, APT29, and others.
Notable Threat Actor Countries, Q2 to Q3*
* Percentage of total APT detections tracked by Trellix telemetry and industry-reported events.

Top Threat Actor Countries by Industry Events, Q2 to Q3*

Top Threat Actor Countries by Telemetry Detections, Q2 to Q3*
1. China – 75.46%
2. Russia – 9.38%
3. North Korea – 7.37%
4. Iran – 4.28%
5. Vietnam – 1.17%
The APT groups most frequently identified in Q2 and Q3 reported events included the China-sponsored Mustang Panda, North Korea- backed Lazarus, and Russia-affiliated Gamaredon groups. This doesn’t necessarily mean these groups were the most active threat actors, as the global telemetry data reflects, but does point to highly impactful attacks and breaches.
Like many China-backed APT actors, Mustang Panda is driven by strategic intelligence-gathering in other regions. Thus, the group deploys a more methodical approach, prioritizes the use of custom tools and malware, and pursues a disciplined focus on specific sectors and targets. As a result, Mustang Panda is comparatively more likely to be identified and reported.
Like many APT groups associated with North Korea, on the other hand, Lazarus is highly represented in both telemetry and reported events. This is because the group (which is likely the author of the cyber espionage campaign Operation Dream Job) is more heavily driven by financial motives, leverages a broader array of tools, and targets a wider set of organizations in addition to its strategic priorities – such as attacking military infrastructure, from defense industries to top nuclear engineers, in the United States, Israel, Australia, and Russia.
Top Threat Actor Groups by Telemetry Detections, Q2 to Q3*
1. APT40 – 42.28%
2. Mustang Panda – 15.93%
3. Lazarus – 5.12%
4. APT10 – 2.82%
5. Gamaredon Group – 2.66%

Top Threat Actor Groups by Industry Events, Q2 to Q3*
Comparing the global telemetry and industry reports helps highlight trends that reflect some of the world’s military conflicts and socioeconomic tensions in 2023. Russian-backed APT groups continue to execute coordinated cyberattacks on Ukrainian organizations and agencies. At the same time, while China rattles its sabers up and down the Taiwan Strait, Chinese-affiliated actors are assaulting Taiwan with cyberattacks. In a similar manner, North Korean APT groups are targeting South Korea.
Threat data involving other countries also reflects global events. Though not yet demonstrably tied to larger geopolitical conflicts or developments, it appears that major, established actors are refocusing or expanding their activities to target specific regions.
We will be tracking these new patterns closely in the months ahead.
Notable Targeted Countries, Q2 to Q3*
* Percentage of total ransomware detections tracked by Trellix telemetry and industry-reported events.

Ransomware continues to be the most common type of cyberattack worldwide. Global detections and industry-reported incidents, particularly in Q2, reflect unusual variations in ransomware families, as well as in the countries and industries targeted. Data for Q1 is provided for context.
2023 Ransomware Detections*
* Number of total ransomware detections tracked by Trellix telemetry.

2023 Ransomware Events*
* Number of total ransomware incidents tracked by industry-reported events.

Analysis of Q2 and Q3 activity indicates that the “usual suspects” are at the top of the list. LockBit was detected far more often (54%) than other variants, followed by BlackCat (22%) and Cuba (20%). The most common industry-reported events, however, were BlackCat and Trigona (both at 6%).
Top Ransomware Variants, Q2 to Q3*
* Percentage of total ransomware incidents tracked by Trellix telemetry and industry-reported events.

The largest ransomware incident during this period was the MOVEit attack by Cl0p, a mass data-exfiltration campaign that impacted 2,500+ organizations. Cl0p exploited a specific CVE in the MOVEit managed file transfer software, which allowed it to exfiltrate data at scale.
Despite the attack’s sophistication, Cl0p seemed to struggle with handling the volume of data and communicating with victims. This factor, as well as the resources and time Cl0p invested for minimal return, calls into question the attackers’ objective.
At the start of the year, threat actors prominent in 2022, like LockBit and Royal, continued to dominate the landscape.
However, in Q2, lesser-known actors emerged prominently on the scene. BlackCat was the most commonly detected variant (51%), followed by the Black Basta, Trigona, Rorschach, and Cylance families. Rorschach (6%) and Black Basta (4%) were also the most frequently reported variants. Trigona (9%) was too, for a short while, until a group known as the Ukrainian Cyber Alliance apparently wiped Trigona’s servers.
In Q3, we observed a “return to form” as the major players regained their prominence in both global telemetry and industry events. The most common were LockBit (60% of detections, 9% of reports), BlackCat (22% of detections, 9% of reports), and Cuba (19% of detections, 6% of reports).
Ransomware actors and groups are rapidly taking advantage of affiliate relationships, enhanced collaboration, and more vigorous communications across the cybercriminal underground. They can now execute sophisticated, wide-scale attacks far more easily than in the past.
The countries enduring the highest ransomware activity correlate unsettlingly closely with the APT nation-state trends.
This may just be a coincidence.
Or it could be an early sign that the goals, targets, and attack methods of ransomware actors and APT groups are starting to converge.
Geographically, for Q2 and Q3, we observed some surprising activity. India accounted for the vast majority (77%) of ransomware detections and ranked high among reported industry events (7%). The next two nations with the most detections and events were the United States and Turkey. Israel, Ukraine and Russia also ranked highly for ransomware activity during this period.
Geographic Dispersion of Ransomware, Q2 to Q3*
* Percentage of total ransomware incidents tracked by Trellix telemetry and industry-reported events.

Industries and Sectors Impacted by Ransomware, Q2 to Q3*
* Number of total ransomware incidents tracked by Trellix telemetry and industry-reported events.

One very prominent new collaboration — an extended network referred to as "The Five Families" — is a great example of threat actors joining forces to increase the speed, operational efficiency, and impact of their cyberattacks.
The loosely organized coalition of 2,000+ members consists of the Stormous ransomware group as well as the Blackforums underground forum group.
In the second half of 2023, a troubling trend emerged — one we have been anticipating for a while. Threat actors are starting to collaborate. This new behavior is driven by both practical goals, such as the sharing or selling of zero-day vulnerabilities and exploits, as well as political ones. These collaborations take many forms depending on the groups’ shared interests, motivations, and political beliefs.
By leveraging each other’s complementary skills, these groups are maximizing their advantages. Rather than focusing solely on politically motivated attacks involving distributed denial-of-service (DDoS) attacks, website defacement, and data leaks, they have shifted their focus to ransomware activities, incorporating a double extortion scheme.
Other collaborations are driven by political goals. We have observed a distinct increase in the number of hacktivist collectives operating in the digital limelight of the Russia-Ukraine conflict. Actors like the following are pooling their resources and efforts, especially those who are pro-Russian.
Similarly, enhanced collaboration among threat actors is emerging on the periphery of the Israel-Hamas conflict. Immediately after the war erupted in October, our team observed a massive increase in cyberactivity. Since the start of the conflict, we have identified almost 80 pro-Palestinian groups targeting Israeli organizations with cyberattacks, and over two dozen pro-Israeli actors engaging in opposing activities. Among the hundreds of attacks between these parties so far, notable incidents include the compromise of the personal data of Israel Defense Forces soldiers and its sale on the dark web; the leak of stolen credentials associated with several key Palestinian government offices; and cyberattacks and compromises that have helped both sides target the other’s critical infrastructure.
During the latter part of 2023, we have continued to observe underground threat actors actively promoting zero-day exploits targeting vulnerabilities in both Windows and Linux systems. Some of the noteworthy vulnerabilities actively discussed on the dark web include the following:
Vulnerabilities that allow for RCE and LPE are some of the most attractive for threat actors to exploit. While selling such exploits is not a novel practice – and several specialized actors have designed their entire business model around their development and sale – the prevalence of these zero-day exploits in the underground has notably increased.
In effect, zero-day vulnerabilities discovered today are swiftly distributed among the underground network of threat actors, and rapidly end up in the hands of the most sophisticated and dangerous groups. Zero-day vulnerabilities are a more urgent threat than ever before, with major threat actors ready and waiting for the next big vulnerability they can exploit (e.g., the next Log4J, MOVEit or BlueKeep) to cause immense damage and lucrative financial windfalls.
In recent years, there has been a noticeable rise in the use of newer programming languages such as Golang (or Go, as it is formally known), Nim, and Rust to develop malicious software. While the volume is still low compared to older languages like Python or C++, threat actors are clearly embracing this new capability.
These languages are attractive to cybercriminals for many reasons. Nim’s focus on performance and expressiveness makes it useful for creating intricate malware. Rust’s memory management features are attractive to ransomware groups concerned about the encryption efficiency of their samples. Go’s simplicity and concurrency capabilities have made it a favorite for crafting lightweight and speedy malware. In 2023, we have observed that Golang-based malware is increasingly popular among bad actors – and have identified several emerging patterns we will be tracking closely in the months ahead.
Percentage of Golang Malware
Initially, cybercriminals employed Golang primarily to build infostealer samples that exfiltrate confidential data from victims, a category that now represents only 3.66% of detections. This year, Golang-based ransomware represents nearly a third of detections (32%). The fact that malware authors have used Golang to build ransomware at this scale is a troubling shift in complexity and maturity. Backdoor and Trojan samples are also prevalent among Golang samples, representing about 25% and 20% respectively. These types of malware tend to be distributed as fake software to infect any user who downloads it.
Particularly noteworthy, however, are incidents where APT actors have incorporated Golang-based malware into their tactics. For instance, earlier this year, security researchers uncovered a new attack in Ukraine by Sandworm. The APT group’s SwiftSlicer wiper was developed using Golang. Several other incidents have been observed, such as the Russian state-sponsored group APT28 distributing a Go-based version of its Zebrocy malware, and the China-affiliated Mustang Panda APT deploying a new Go-based loader in several recent attacks. These observations underline how threat actors, criminal and state-sponsored alike, are adapting to the threat landscape using new technologies.
There is a significant and somewhat stealthy shift in the threat landscape underway, centering on the often-overlooked realm of edge devices. While the attack surface is definitely expanding thanks to the number and diversity of connected devices in enterprises, edge devices like routers and access points – no matter which sector they operate in – are becoming the new frontier for threat actors, including APT groups.
Detections of malware attacking these types of edge devices continue to rise across all vendors of access point devices. Threat actors leverage vulnerabilities on these devices for many purposes – such as creating a foothold supporting network investigation; establishing webshells or backdoors on the network; escalating privileges; utilizing the devices for DDoS botnet purposes; and even conducting strategic cyberespionage for nation-states.
What sets the threats to edge devices apart from the norm is their subtlety. It’s not about the easily foreseen IoT vulnerabilities, but rather the less conspicuous challenges posed by the devices themselves. Edge devices have their own unique complexities. Unlike servers and workstations, they typically cannot run an endpoint agent or host-based intrusion detection, and because they sit at the network boundary, traffic they originate or terminate is often not visible to the IDS or IPS deployed behind them. The gateways to our digital world are, by design, the first and last lines of defense. This makes them both the target and the blind spot. The evolving tactics of threat actors and the wide variety of edge device architectures present formidable challenges.
During 2023, we encountered several incidents in which APTs and sophisticated ransomware families leveraged edge device vulnerabilities for significant attacks:
With the advancement and evolution of artificial intelligence (AI) technology and new large language models (LLMs), we’ve seen new solutions and applications leveraging these innovations for cybersecurity. But, while these LLMs exhibit remarkable technological potential for positive applications, their dual-use nature also makes them vulnerable to malicious exploitation by threat actors. Leading generative AI applications like GPT-3.5, GPT-4, Claude and PaLM2 have achieved unparalleled capabilities in generating coherent text, answering intricate queries, solving problems, and coding, among other natural language tasks.
Our team harbors, however, significant and reasonable security concerns about how cybercriminals can misuse them for large-scale attacks. Unlike earlier, less sophisticated AI systems, today’s AI applications offer a potent and cost-effective tool for attackers, eliminating the need for extensive expertise, time, and resources. These AI applications are capable of mitigating considerable challenges encountered by cybercriminals – both smaller actors looking to increase the scale of their activities and larger groups aiming to improve targeting or efficiency. Some examples common to phishing attacks include:
AI-generated voices can now closely mimic human speech patterns and nuances, so differentiating between real and fake voices is becoming more difficult.
AI-generated voices can also be programmed to speak multiple languages, allowing scammers to target victims across diverse geographic regions and linguistic backgrounds, automating and amplifying the reach and effectiveness of their fraudulent activities.
The availability of free and open-source software is what originally led to the rise of “script kiddies,” individuals with little to no technical expertise using pre-existing automated tools or scripts to launch attacks on computer systems or networks. Though they are sometimes dismissed as unskilled amateurs or black-hat wannabes, the growing availability of advanced generative AI tools and their potential for malicious use means that almost any threat actor can now pose a significant and growing threat to organizations.
Cybercriminals can leverage LLM tools to improve the key stages of a successful phishing campaign by gathering background information, extracting data to craft tailored content, and generating phishing emails at scale for low marginal cost. Though little conclusive proof yet exists that malicious LLMs are being used in the wild for attacks, certain trends in activity suggest it is a real possibility. The speed and scale at which phishing attacks are growing, with hundreds of millions of new attacks each quarter, is consistent with attackers using LLM tools to assist in their activities.
Weaponized generative AI is only the beginning, though. More advanced tools are emerging that use generative AI to evade endpoint security, create signature-eluding malware, and pose a persistent strategic threat to cybersecurity. Future malicious generative AI applications will offer comprehensive defense evasion and near-total anonymity, making attribution difficult and challenging security teams in tracing attacks. This will extend dwell times, facilitating “low and slow” APT-style attacks. Inevitably, generative AI will democratize these capabilities for all attackers, making behavior interpretation, anomaly detection, and comprehensive endpoint monitoring essential.
We share our cyberthreat intelligence to give you a solid, fact-based platform supporting some of the most important decisions you’ll make in the year ahead. Our purpose is to help you substantially improve your cyber defense and response capabilities in 2024 and beyond – however you choose to leverage the information in this report.
Each of these application avenues starts with cybersecurity intelligence. Intelligence helps you shape the battlefield. It helps communicate the “story” to your CEO and your board. What you’re doing and why. What you need to do and what it costs. Why their support for your agenda is so critical.
That story starts here.
Collection: Trellix and our seasoned, world-class experts from the Advanced Research Center gather the statistics, trends, and insights that comprise this report from a wide range of global sources.
Normalization: The aggregated data is fed into our Insights and ATLAS platforms. Leveraging machine learning, automation, and human acuity, the team cycles through an intensive, integrated, and iterative set of processes – normalizing the data, enriching results, removing personal information, and identifying correlations across attack methods, agents, sectors, regions, strategies, and outcomes.
Analysis: Next, Trellix analyzes this vast reservoir of information, with reference to (1) its extensive threat intelligence knowledge base, (2) cybersecurity industry reports from highly respected and accredited sources, and (3) the experience and insights of Trellix cybersecurity analysts, investigators, reverse engineering specialists, forensic researchers, and vulnerability experts.
Interpretation: Finally, the Trellix team extracts, reviews, and validates meaningful insights that can help cybersecurity leaders and SecOps teams (1) understand the most recent trends in the cyber threat environment, and (2) use this perspective to improve their ability to anticipate, prevent, and defend their organization from cyberattacks in the future.
As the cybersecurity industry’s most comprehensive charter, the Trellix Advanced Research Center is at the forefront of emerging methods, trends, and actors across the global threat landscape and serves as the premier partner of CISOs, senior security leaders, and their security operations teams across the world. The Trellix Advanced Research Center provides intelligence and cutting- edge content to security analysts while powering our leading XDR platform. Furthermore, the Threat Intelligence Group within the Trellix Advanced Research Center offers intelligence products and services to customers globally.
Trellix is a global company redefining the future of cybersecurity and soulful work. The company’s open and native extended detection and response (XDR) platform helps organizations confronted by today’s most advanced threats gain confidence in the protection and resilience of their operations. Trellix, along with its extensive partner ecosystem, has accelerated technology innovation through machine learning and automation to empower over 40,000 business and government customers with living security.
This document and the information contained herein describe computer security research for educational purposes only and for the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability.
Trellix is a trademark or registered trademark of Musarubra US LLC or its affiliates in the US and other countries. Other names and brands may be claimed as the property of others.