ESET H2 2023 Threat Report


ESET Research, Threat Reports

A view of the threat landscape in the second half of 2023, as seen by ESET telemetry and from the perspective of ESET threat detection and hunting experts.


The second half of 2023 was marked by significant cybersecurity incidents. Cl0p, a notorious cybercriminal group known for carrying out large-scale ransomware attacks, gained attention thanks to its extensive “MOVEit hack”, which surprisingly did not involve the deployment of ransomware. The attack targeted numerous organizations, including global corporations and U.S. government agencies. A key change in Cl0p’s strategy was its decision to leak stolen data on publicly accessible websites in cases where the ransom was not paid, a trend also seen with the ALPHV ransomware gang. Other new strategies in the ransomware space, according to the FBI, include the simultaneous deployment of multiple ransomware variants and the use of wipers following data theft and encryption.

In the IoT landscape, our researchers have made a notable discovery. They identified a kill switch that had been used to render the Mozi IoT botnet non-functional. It is worth mentioning that the Mozi botnet is one of the largest of its kind that we have monitored in the last three years. The nature of Mozi’s sudden downfall raises the question of whether the kill switch was used by the botnet’s creators or by Chinese law enforcement. A new threat, Android/Pandora, has emerged in the same landscape, compromising Android devices – including smart TVs, TV boxes and mobile devices – and using them for DDoS attacks.

Amid the widespread discussion of AI-based attacks, we identified specific campaigns targeting users of tools like ChatGPT. We also noticed a considerable number of attempts to access malicious domains with names like “chapgpt”, apparently in reference to the chatbot ChatGPT. Threats encountered through these domains also include web applications that insecurely manage OpenAI API keys, which highlights the importance of keeping your OpenAI API keys confidential.

We have also observed a significant increase in Android spyware cases, attributed primarily to the presence of the SpinOk spyware. This malware is distributed as an SDK and is found in various legitimate Android applications. On another front, one of the most frequently detected threats in the second half of 2023 is three-year-old malicious JavaScript code, detected as JS/Agent, which continues to be loaded by compromised websites. Similarly, Magecart, a threat that steals credit card data, has been growing steadily for two years, targeting myriad unpatched websites. In all three cases, the attacks could have been avoided if developers and administrators had implemented appropriate security measures.

Finally, the growing value of bitcoin has not been accompanied by a corresponding increase in cryptocurrency threats, a departure from past trends. However, cryptostealers (malware that steals cryptocurrency) have seen a notable increase, driven by the rise of the malware-as-a-service (MaaS) information stealer Lumma Stealer, which targets cryptocurrency wallets. These developments reflect an ever-changing cybersecurity landscape, in which malicious actors employ a wide range of tactics.

I hope you have an instructive read.

Follow ESET Research on Twitter for regular updates on key trends and top threats.

To learn more about how threat intelligence can improve your organization’s cybersecurity posture, visit ESET Threat Intelligence page.
