First-Half 2023 Threat Intelligence: Tracking Cybercriminals Into the Shadows

Over the past five years, cybercriminal groups have become increasingly corporatized. The early 2020s even saw them starting to market themselves as they endeavored to become widely known — both to be taken more seriously and to build a reputation for “fair” dealings with their victims. Lesser-known groups were even known to borrow the branding of larger groups, hoping to cash in on the brand recognition surrounding them.

But while the paychecks kept pouring in, cybercriminal groups seemed to lose sight of one thing: they weren’t legal entities in the way the corporations they emulated were. In fact, there was nothing legal about them at all, as many were reminded when politicians and law enforcement ramped up enforcement efforts and they found the long arm of the law pointed squarely in their direction.

After every cybercriminal arrest, the same refrain is repeated: “We applaud the efforts of law enforcement, but we don’t expect the bust to bring about lasting change.” But a look at data from the first half of 2023, as reported in the just-released Mid-Year Update to the 2023 SonicWall Cyber Threat Report, brings this accepted notion into question, as we’ve seen threat actors begin to shun the spotlight and focus more on lower-risk activities such as cryptojacking, IoT malware and encrypted threats.

A graph depicting the rise of cryptojacking hits in 2023.

Malware Continues its Migration

Malware remained essentially flat year-to-date, falling just two percent compared with the first half of 2022. But that doesn’t mean there isn’t a great deal of change going on below the surface. With 1.3 billion hits (out of a global total of 2.7 billion), North America still sees the lion’s share of malware, but it was also the only region to record a decrease. In contrast, Europe and LATAM saw double-digit growth, suggesting that cybercriminals are shifting their attention to new shores.

Customers working in education and finance saw particularly large increases in malware, though none of the industries we examined showed a decrease.

Ransomware is Down, but Poised for a Turnaround

If cybercriminals are showing a greater interest in remaining under the radar, then a decrease in ransomware — a form of cybercrime that relies on the threat actors announcing and introducing themselves — should be expected. Still, with attack volumes down 41% compared with the first six months of 2022, many might wonder whether cybercriminals are giving up on ransomware for good.

There are a number of reasons we don’t think so, one of which is the trend line for ransomware as we moved through 2023. While the year-to-year trend line still points downward, on a month-by-month basis, we’ve actually seen ransomware rise, with a second quarter 74% higher than the first.

Cryptojacking’s Record Surge Continues

But if ransomware is down, what’s rising to take its place? We’ve seen an increase in several attack types, but perhaps the most pronounced has been in cryptojacking. The number of cryptojacking hits reached 332 million hits in the first half of 2023, up a staggering 399% year-to-date. This not only represents a new record high — it also puts 2023 on track to see more cryptojacking hits than all other years on record combined.

IoT Malware Jumps by More Than a Third

SonicWall Capture Labs threat researchers noted a continued increase in the amount of IoT malware in the first half of 2023, jumping 37% to 77.9 million. At this rate, the number of IoT malware attacks will easily eclipse last year’s total, itself a record high.

As we’ve seen with other threat types, North America saw a decrease in attacks. At a modest 3%, however, this dip was more than made up for by triple-digit jumps in Asia and Latin America. India, in particular, saw an outsized number of these attacks: IoT malware there skyrocketed 311%.

Malicious PDF and Office Files Fall by Double Digits

The number of attacks involving malicious PDFs dropped 10% in the first six months of 2023, but there was an even bigger decrease in the use of malicious Microsoft Office files: Those attacks fell a staggering 75% compared with the same time period in 2022. Some of this drop may be due to Microsoft’s recent efforts to increase security, but time will tell whether this is a sustained downturn or whether cybercriminals make inroads around these new restrictions.

“The seemingly endless digital assault on the enterprise, governments and global citizens is intensifying and the threat landscape continues to expand,” said SonicWall President and CEO Bob VanKirk. “Threat actors are relentless, and as our data indicates, more opportunistic than ever before, targeting schools, federal governments and retail organizations at unprecedented rates. The 2023 SonicWall Mid-Year Cyber Threat Report helps us understand both the criminal mindset and behavior, which will in turn help organizations protect themselves and build stronger defenses against malicious activities.”

Read the full report here.

The RSA Report: Boots on the Ground

All good things must come to an end, and the RSA Conference is no exception. But this year’s RSAC ended on a definite high note, packing as many actionable insights as possible into the final few sessions.

Much of today’s cybersecurity guidance advises businesses to think in terms of when an attack occurs, not if. But very little of it explains what that eventuality might look like. “Ransomware: From the Boardroom to the Situation Room” pulled the curtain back on the government’s response to a series of ransomware attacks on our country’s critical infrastructure. The real-time simulation offered the audience a seat at 1600 Pennsylvania Avenue as key members of the National Security Council’s staff, staff of the National Cyber Director and representatives of various federal departments convened to discuss what had happened and how best to respond.

Obviously, given the high total cost of ransomware, it’s best to avoid an attack in the first place. SonicWall’s multi-layer solutions are designed to stop even the most advanced ransomware attacks. SonicWall has helped countless companies harden against ransomware, including McAuley House School, which switched to SonicWall after a series of successful ransomware attacks and called their new SonicWall solution the “best security investment decision we’ve ever made.”

Incident response was also a theme in the next session, “Investigation & Incident Response Challenges for the Hybrid Enterprise.” This session explored a survey of more than 250 individuals involved with cyber investigations in a wide swath of industries, in public, private and government organizations of all sizes. This survey yielded some alarming results: Less than a third of respondents were confident in their team’s ability to track an incident through both cloud and legacy environments, and nearly three-fourths weren’t confident that they collected all data needed to investigate a breach.

Part of the problem stemmed from the tools used: While 74% said they used a SIEM, the collection and retention of data was limited because of the labor and cost involved. And with under a third of respondents integrating non-security data into investigations, investigating some incidents — particularly those involving insiders — will prove much more difficult.

Unfortunately, incidents involving insiders are increasingly common: In “Ghosts in the Machine: Is There a Security Patch for People?,” FBI Special Agent Greg Concepcion and Nisos Intelligence Advisor Paul Malcomb revealed that today, 82% of security incidents are related to insiders — up 72% since 2020. The speakers explained the various groups who generally represented insider threats, from VIPs and Money Movers to Sensitive IP handlers and System Admins and Developers — along with what sort of threat they were most likely to fall for (phishing ranked high on the list for almost everyone) and the best way to limit their ability to cause accidental or intentional harm.

Since most of the harm is non-malicious, there are many steps that can be taken to reduce your risk, such as implementing multifactor authentication and ensuring employees are following basic best practices concerning password hygiene, double-checking urgent requests for money or sensitive information, and phishing awareness.

Another step that can help is the implementation of Zero Trust, but as the panelists in “It’s All Geek to Me: Communicating the Business Value of Zero Trust” explained, it can be difficult to get leaders and stakeholders on board with making that investment. However, since the impact Zero Trust can have on your security posture can be enormous, it’s important to frame the ideas of identity, the integration of security controls, and risk in a way that’s accessible and not overly technical or complex.

If you’re ready to explore a zero-trust solution, SonicWall or one of our trusted partners can help you put together the case for taking this positive step for your network security.

While we’re always a bit sad to see RSA draw to a close, we know the lessons and key learnings we gained on this journey will continue to inform and enrich us well into the future. Thanks for following our RSA coverage, and we hope to see you next year at RSAC 2024!

RSA Report: New Tactics, New Technologies

While the official theme of this year’s RSA Conference is “Stronger Together,” one throughline keeps repeating over and over, through the Exhibit Hall, from the stage in keynotes and sessions, and in casual conversations — the revolutionary power of emerging technologies, particularly AI. While some see it as a positive, revolutionizing force and others take a more cautionary (or even dire) view, most everyone agrees on one thing: We’ve entered a new era, both for cybersecurity and for the world at large.

In “Security as Part of Responsible AI: At Home or At Odds,” panelists discussed the dark side of revolution: Disruption. Currently, they argued, not enough attention is being paid to the downstream effects of AI — such as its potential for use in cybercrime, the existence of so-called “hallucinations” (things AI presents as truth, but which are false or completely fabricated) and other factors. But who, ultimately, will be responsible for mitigating the potential for AI to invent falsehoods, leak personally identifying data, and more?

Some feel this responsibility belongs in the realm of Responsible AI, which has generally been limited to things like mitigating biases and improving fairness. Others argue that it should belong in the security wheelhouse, because things like AI data leaks overlap somewhat with cyberattacks in terms of the need for a rapid response (and also because some cyberattacks will be directed at the AI itself).

Either way, however, network visibility will continue to be paramount. SonicWall customers will be well-positioned to face this new era, as we already have an upper hand when it comes to visibility. We have a long history of helping companies move from siloed point solutions to greater visibility, and customers such as SADAFCO, Al Qayed Holding Group, awfis space solutions, InfoStream and many others have specifically called out increased visibility with SonicWall solutions in just the past few months.

While AI comes with a great deal of risk, it also has the potential in some ways to save us from ourselves. The “SIEM There, Done That: Rising Up in the SecOps Revolution” session specifically zeroed in on AI’s ability to move us past legacy solutions such as SIEM, which many organizations are still relying on. While SIEM provides a great deal of valuable telemetry, it also requires a great deal of human intervention, exacerbating the cyber skills shortage, causing alert fatigue and contributing to the problem of burnout among cyber professionals.

While gamification and other initiatives can help ease the skills shortage by attracting the next generation of cybersecurity professionals to the field, there are also things we can do in the meantime, such as deploying solutions that use machine learning and AI to automate processes and ease demands on staff. These solutions include SonicWall’s Capture ATP with RTDMI, which won Best AI and Machine Learning Based Security Solution of the Year in 2020, and has only continued to build on this foundation since.

“Why I’m Optimistic (and You Should Be, Too)” took a similarly uplifting tone, emphasizing that security is, in fact, solvable. Moreover, we already know what’s needed for effective security, including hardening the attack surface, implementing zero-trust access policies, preventing all known attacks and detecting unknown threats.

These objectives already form the cornerstones of how SonicWall does business. For the past three decades, we’ve offered firewalls and other solutions that allow our customers to harden their environment. While our signature-based protections ward against known attacks, emerging technologies such as our Capture ATP with patented Real-Time Deep Memory Inspection (RTDMI™) excel at detecting threats never before seen by anyone in the cybersecurity industry — often before they’ve exhibited any malicious behavior. And with our comprehensive zero-trust solution, SonicWall SMA 1000, organizations can control access and segment networks to limit inside threats as well as outside threats.

Unfortunately, the need to harden networks has never been more urgent, as the past several years have brought a sharp increase in attacks on critical infrastructure. In “Defending OT Systems from Ransomware,” speakers Jeff Jones and Tom VanNorman discussed why OT (Operational Technology) differs from IT. The world of OT brings with it inherent environmental risks such as large equipment, scaffolding, temperature extremes and other operational hazards, and to keep these environments safe, the systems running them have been designed for near-24/7/365 uptime. Unfortunately, cybercriminals are aware that these critical infrastructure environments cannot afford downtime — and as a result, manufacturing is now the hardest-hit industry, with groups like the Royal ransomware gang targeting critical infrastructure specifically.

While the culture of safety that drives OT environments can help foster a prevention mindset when it comes to cyberattacks, there are specific practices from the IT world that can also help. The speakers called out better password hygiene and the development of an incident response plan that brings in all concerned parties as necessary steps for securing our most critical infrastructure, and better phishing education as critical to beating back the rising wave of attacks on our manufacturing and other critical infrastructure.

Unfortunately, with the advent of AI, the sophistication of phishing attacks is rising rapidly. In “CatPhish Automation: The Emerging Use of AI in Social Engineering,” speaker Justin Hutchens outlined the accelerating development of AI, from the Turing test to the recent release of ChatGPT. Pulling back the curtain on the code and commands used in AI “catphishing” attacks — wherein an AI pretends to be a human in order to conduct a phishing attack — Hutchens showed how terrifyingly easy it is to conduct such attacks, and their potential for fooling even otherwise savvy users.

But catphishing isn’t the only new tactic threat actors are employing. “Hacking Exposed: Next-Generation Tactics, Techniques and Procedures” outlined a real-life attack in which the adversary uses no malware at all. By combining vishing, readily available remote-access tools such as AnyDesk, and living-off-the-land (LotL) techniques, these attackers mount an intrusion that will be virtually undetectable by many antimalware solutions — making increased visibility and good telemetry more important than ever.
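The malware-free intrusion described above is exactly the case where endpoint telemetry, rather than file scanning, does the detecting. The following is an added example, not code from the SonicWall post or the session, that correlates constructed process-creation records: it finds a remote-access tool (AnyDesk, as named in the session summary) running on a host, attributes every process descended from that session to it, and grades the finding by whether the account is one that is sanctioned to use the tool. The JSON field names, the sample events, the `SANCTIONED_RA_USERS` allowlist and the severity scheme are all assumptions for illustration.

```python
"""
Added example (not from the original post): a small correlation check over
constructed endpoint process-creation telemetry, flagging remote-access tool
sessions and the processes spawned under them. No malware signature is
involved; only parent/child relationships and account context are used.
"""
import json

# AnyDesk is the tool named in the session summary; extend with the tools
# that are (or are not) sanctioned in your own environment.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
# Assumption for illustration: accounts allowed to run remote-access tools.
SANCTIONED_RA_USERS = {"helpdesk"}

# Constructed sample telemetry (not real logs): one JSON object per process
# start, with host, pid, parent pid, image path and the launching user.
SAMPLE_EVENTS = r"""
{"ts": "2023-05-02T10:01:05Z", "host": "host1", "pid": 1201, "ppid": 800,  "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "user": "jdoe"}
{"ts": "2023-05-02T10:01:40Z", "host": "host1", "pid": 1330, "ppid": 1201, "image": "C:\\Windows\\System32\\cmd.exe", "user": "jdoe"}
{"ts": "2023-05-02T10:02:10Z", "host": "host1", "pid": 1345, "ppid": 1330, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "user": "jdoe"}
{"ts": "2023-05-02T10:30:00Z", "host": "host2", "pid": 2001, "ppid": 900,  "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "user": "helpdesk"}
{"ts": "2023-05-02T11:15:00Z", "host": "host3", "pid": 3001, "ppid": 700,  "image": "C:\\Windows\\explorer.exe", "user": "asmith"}
{"ts": "2023-05-02T11:40:00Z", "host": "host4", "pid": 4001, "ppid": 650,  "image": "C:\\Users\\bli\\Downloads\\AnyDesk.exe", "user": "bli"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _image_name(path):
    """Lower-cased file name of an image path, tolerating both path separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_remote_sessions(events, tools=REMOTE_ACCESS_TOOLS,
                         sanctioned=SANCTIONED_RA_USERS, max_depth=16):
    """Return one finding per remote-access tool process, with its descendants.

    A process is attributed to a session when walking its ppid chain (on the
    same host, at most max_depth hops) reaches the tool's process. PID reuse
    across reboots is ignored here; a real pipeline would key on a process
    GUID or start time as well.
    """
    by_key = {(e["host"], e["pid"]): e for e in events}
    roots = {k: e for k, e in by_key.items() if _image_name(e["image"]) in tools}
    findings = {
        k: {"host": r["host"], "user": r["user"], "root_pid": r["pid"],
            "image": r["image"], "sanctioned_user": r["user"] in sanctioned,
            "descendants": []}
        for k, r in roots.items()
    }
    for e in events:
        if (e["host"], e["pid"]) in roots:
            continue
        cur = e
        for _ in range(max_depth):
            parent_key = (cur["host"], cur["ppid"])
            if parent_key in roots:
                findings[parent_key]["descendants"].append(_image_name(e["image"]))
                break
            cur = by_key.get(parent_key)
            if cur is None:  # chain left the telemetry we have
                break

    result = []
    for f in findings.values():
        if f["sanctioned_user"]:
            if not f["descendants"]:
                continue  # expected help-desk usage with nothing spawned: no alert
            f["severity"] = "medium"  # sanctioned account, but it drove child processes
        else:
            f["severity"] = "high" if f["descendants"] else "low"
        result.append(f)
    return sorted(result, key=lambda f: (f["host"], f["root_pid"]))


if __name__ == "__main__":
    for finding in find_remote_sessions(parse_events(SAMPLE_EVENTS)):
        print(f"[{finding['severity']}] {finding['host']} user={finding['user']} "
              f"pid={finding['root_pid']} spawned={finding['descendants']}")
```

Run as a script, the sample data yields a high-severity finding for host1 (an unsanctioned user whose AnyDesk session spawned a command shell and then PowerShell) and a low-severity one for host4 (an unsanctioned copy of the tool that has not yet spawned anything), while the help-desk session on host2 is suppressed. The point is the one the session made: none of these processes would trip a file-based antimalware scan, so the signal has to come from process-lineage telemetry that is actually being collected and retained.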

But while most of the day’s sessions dealt with the near future, some are already looking to what the more distant future will hold. In “The Next 50 Years,” theoretical physicist Michio Kaku discussed the transition from the digital era to the quantum era — a time in which extraordinarily powerful computers will revolutionize the economy, science, medicine and our way of life.

In this new era, Kaku explains, brains will interface with computers, technology will send designs directly from the minds of artists and designers to 3-D printers that will immediately bring them to life, and the libraries of the future will house elements of our personalities, digital footprints, and more — lending us a form of immortality.

While these sessions dealt with the emerging technologies, these advancements don’t supplant existing issues in cybersecurity, such as the rise of misinformation and nation-state attacks. Check back later for more on the role of government and international partnerships in fighting today’s increasingly powerful adversaries. And don’t forget to stop by Booth #5585 in Moscone North for demos, presentations and more!