Understanding the Modern Threat Landscape: 2023 Cyber Incidents that Shook the Digital World
For businesses to remain secure, the approach to cybersecurity must be proactive, not reactive.
In the dynamic world of information technology, cybersecurity has become a critical concern, central to the operations of governments, businesses, and individuals alike. As our reliance on digital platforms and systems grows, so does our exposure to potential cyber threats. From malware and ransomware to more recent phenomena like cryptojacking, the frequency of cyber threats continues to expand and evolve. For example, in 2023, 300,000 new malware instances are being generated daily, taking around 49 days to be detected on average.
On top of attackers getting more innovative and nefarious, software vulnerabilities and security failures further exacerbate the stress on organizations. The combined impact is a rapidly increasing attack surface and a variety of new and unpredictable risks. For instance, buffer overflows may cause a program to behave unpredictably, injection vulnerabilities can lead to data breaches or unauthorized system access, and configuration errors may expose sensitive information or provide avenues for attackers to gain system privileges.
Despite this, many organizations don’t give cybersecurity adequate importance. For instance, in 2023, there has been a 12% drop in the proportion of micro-businesses that list it as a high priority. The resulting lack of adequate monitoring and auditing can leave vulnerabilities hidden, adding to the issue, as these are often only discovered once a malicious actor has already exploited them to launch an attack.
In this blog post, we take a look at some prominent cybersecurity incidents and lapses in 2023, examining their mechanics and their potential impacts. Each of these cases presents unique challenges and insights, reflecting the diversity and complexity of cybersecurity threats in today's interconnected world.
The BlackLotus Malware Attack
Malware attacks can be highly damaging due to their stealthy nature and capability to bypass fully patched operating systems. BlackLotus is a UEFI bootkit that first emerged in 2022, with a design that made it virtually undetectable to antivirus agents installed on target devices. The malware has the ability to compromise integral security features such as the BitLocker data protection, the Microsoft Defender Antivirus, and the Hypervisor-protected Code Integrity (HVCI). It exists in two variants – one is online and downloads Windows binaries from the Microsoft symbol store, while the other is an offline variant that carries the binaries itself.
The malware was recently upgraded with UEFI Secure Boot bypass capabilities, a development that has raised alarm among cybersecurity experts as it now has the capacity to infect fully patched Windows 11 systems. This marks a significant evolution in the cyber threat landscape as it is the first known instance of UEFI malware with the capability to disable the security protections provided by the operating system.
The EarlyRAT Malware
Some malware is deployed with the specific intention of stealing information and data. Attackers use the stolen data to extort money or sell it on the dark web, damaging the operations and reputation of your organization and causing massive business losses. In June 2023, security analysts discovered a previously undocumented remote access trojan (RAT) named EarlyRAT. It was being used by Andariel, a North Korean state-sponsored hacking group, to infiltrate systems, gather sensitive information from the breached devices, and execute commands on the infected system.
The Akira Ransomware
In March 2023, a new ransomware operation called Akira (no known connection to a 2017 ransomware by the same name) started infiltrating corporate networks globally, with victims across sectors like education, finance, real estate, manufacturing, and consulting. Akira employs its own ransomware encryptor to encrypt files, demanding ransoms that go up to millions of dollars and reducing the ransom for companies who only wish to avoid data leaks. The threat actors have also created an intricate data leak site.
The 8Base Ransomware Gang
Ransomware attacks can infiltrate your systems in numerous ways and put your devices and sensitive data at serious risk. In June 2023, the 8Base ransomware gang, first spotted in March 2022, began escalating its double-extortion attacks on organizations across the globe. A surge in activity was documented, with the gang listing as many as 35 victims on its dark web extortion site. The gang, which claims to only target companies that neglect the data privacy of their employees and customers, operates by encrypting data and demanding a ransom for its release.
The KeePass Exploit
A password manager is a key component of a strong enterprise cybersecurity mechanism. Recently, a vulnerability was discovered in the KeePass password manager, which allowed attackers to extract the master password from the application's memory, even when the database is locked. The vulnerability impacted the latest version of KeePass, 2.53.1, and, as the program is open-source, any project forks would likely be affected. The exploit was tested on Windows, and security analysts concluded that it would work on Linux and macOS as well.
The Linux NetFilter Kernel Flaw
This is not the first time the Linux kernel has been affected by a security flaw. This year, once again, a new Linux NetFilter kernel flaw was discovered, allowing unprivileged local users to gain complete control over a system. This vulnerability was given the identifier CVE-2023-32233, with a severity level of 7.8/10 – indicating it's a high-risk issue. The flaw is a use-after-free vulnerability in the Linux kernel's Netfilter network security framework, causing corruption of the subsystem's internal state. It can be exploited to perform arbitrary reads and writes in the kernel memory.
The Ubuntu Kernel Flaws
Recently, two new security flaws were identified in Ubuntu, one of the most popular Linux distributions. The flaws, designated as CVE-2023-32629 and CVE-2023-2640, can potentially give unprivileged local users full control over a system. This problem affects around 40% of Ubuntu's users, estimated to be over 40 million. The flaws resulted from discrepancies in the OverlayFS module implementation within the Ubuntu Linux kernel, causing issues that can lead to privilege escalation and arbitrary code execution. The threat is immediate as proof-of-concept exploits for these vulnerabilities have been publicly available for some time.
Google's recent annual 0-day vulnerability report has underscored a persistent issue in the Android platform that can effectively turn n-day vulnerabilities into 0-day vulnerabilities for malicious actors. This problem arises from "patch gaps," caused by the Android ecosystem's complexity, differences in security update timing among device models, short support periods, and ambiguity over who is responsible for shipping fixes. On unpatched devices, n-day vulnerabilities can be exploited for extended periods, even after the vendor has provided a patch. In fact, over 40% of the zero-day vulnerabilities discovered last year were variants of previously reported flaws, suggesting a shift in threat actor strategies towards exploiting known flaws.
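One defensive way to act on the patch-gap problem described above is to audit a device fleet for how far each device's Android security patch level lags behind a public fix. The script below is an added example, not code from the original post or from Google's report; the fleet inventory, the bulletin date and the audit date are constructed values, and the 60-day threshold is an assumption. It reads patch levels in the `YYYY-MM-DD` form that Android reports in `ro.build.version.security_patch`.

```python
from datetime import date

# Constructed sample inventory (not real devices):
# (device id, vendor, Android security patch level as reported by
#  ro.build.version.security_patch). "unknown" simulates a device that
#  did not report a parseable value.
FLEET = [
    ("dev-01", "vendor-a", "2023-07-05"),
    ("dev-02", "vendor-b", "2023-03-05"),
    ("dev-03", "vendor-c", "2022-10-05"),
    ("dev-04", "vendor-a", "2023-08-05"),
    ("dev-05", "vendor-b", "unknown"),
]

# Assumed values: the date a fix for some flaw became public (placeholder,
# not tied to a specific CVE) and the date the audit is run.
BULLETIN_DATE = date(2023, 5, 1)
REFERENCE_DATE = date(2023, 8, 15)


def parse_patch_level(text):
    """Parse a YYYY-MM-DD patch level; return None when it is malformed."""
    try:
        return date.fromisoformat(text)
    except ValueError:
        return None


def exposure_days(patch_level, bulletin, today):
    """Days a device has been exposed to a publicly fixed flaw.

    A patch level on or after the bulletin date means the fix is present
    (exposure 0); otherwise the device has been exposed since the bulletin.
    """
    if patch_level is not None and patch_level >= bulletin:
        return 0
    return (today - bulletin).days


def audit(fleet, bulletin=BULLETIN_DATE, today=REFERENCE_DATE,
          max_gap_days=60):
    """Return (stale, unknown): stale devices as (id, vendor, days since
    their patch level) when exposure exceeds max_gap_days, and ids of
    devices whose patch level could not be parsed."""
    stale, unknown = [], []
    for dev_id, vendor, level in fleet:
        patch_level = parse_patch_level(level)
        if patch_level is None:
            unknown.append(dev_id)
            continue
        if exposure_days(patch_level, bulletin, today) > max_gap_days:
            stale.append((dev_id, vendor, (today - patch_level).days))
    return stale, unknown
```

Devices in the `unknown` list deserve the same follow-up as stale ones, since a missing patch level is more often a reporting or support problem than a patched device.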
These cases provide a glimpse into the tumultuous nature of the contemporary cybersecurity landscape, where attackers are relentless and growing increasingly sophisticated. A single overlooked vulnerability in an OS or any other software can become your organization’s Achilles' heel.
For businesses to remain secure, the approach to cybersecurity must be proactive, not reactive. Understanding potential threats and their mechanisms, staying informed about recent cybersecurity incidents, and implementing comprehensive and dynamic cybersecurity strategies are vital steps in protecting our digital environments. A cybersecurity partner like Evren can help your organization in each aspect – providing a robust security solution and helping you stay one step ahead of threat actors.
As an OS with integrated endpoint security, Evren ensures:
Not sure if your current security tools are giving you adequate protection? Get in touch with us for an audit to assess the gaps, learn more about Evren’s features, and begin building your defenses against the rising tide of ransomware attacks.