
2023 Global Threat Roundup: Trends in Cyberattacks, Exploits and Malware

Forescout Research - Vedere Labs | March 5, 2024

Update: March 5, 2024 — Announcing The 2023 Threat Roundup Report webinar, where the Forescout Research team will analyze the challenges organizations face amidst persistent cyber threats and dissect pivotal events shaping the year ahead.


Original Publish Date: January 23, 2024
Our inaugural 2022 threat roundup report started by observing that “the year 2022 was eventful for cybersecurity.” As you can imagine, 2023 was no less eventful. Some of the key events included ongoing conflicts and the appearance of new ones, the emergence of critical vulnerabilities being mass exploited and the ever-increasing threat of cybercrime.

In our 2023 Global Threat Roundup report, we look back at all our data about attacks and the threat landscape of 2023 to share with organizations tactical insights and strategic recommendations for improved defense.

Excerpted below are our key findings and related insights for defenders. For a detailed analysis of the attacks, exploits, malware and threat actors observed in 2023, read the full report.

Key findings and insights for defenders

Each key finding below is paired with the corresponding insight for defenders.

Key finding: Attacks originated from 212 countries. The top 10 countries accounted for 77% of the malicious traffic, with a spike in attacks from China. 48% of attacks came from IPs managed by ISPs, 32% from organizations in business, government and other sectors, and 10% from hosting or cloud providers. This reflects an increase in the use of compromised devices to launch attacks, whether directly or via “residential proxies.”
Insight for defenders: Country of origin alone continues to be ineffective for judging the risk of a particular IP address, but the rise in attacks originating from China reinforces our 2022 message that if your organization does not do business with, or in, that country, blocking those IP ranges may help to reduce noise in the SOC. Especially risky autonomous systems should always be treated with care. The increased use of residential proxies, ISPs and compromised devices belonging to legitimate organizations means that you should keep up to date with threat feeds that track these compromised IP addresses and help to detect compromises in your own network.

Key finding: Web applications were the most attacked service type, followed by remote management protocols. Remote management services were often targeted with specific usernames linked to IoT devices, whereas web applications were often targeted with vulnerability exploits. The increase in attacks targeting web and networking protocols is representative of threat actors shifting from mostly credential-based attacks to exploits on perimeter devices and applications.
Insight for defenders: Organizations should adopt technologies for risk management and threat detection that cover the entire attack surface, whether that is an application on a server, a perimeter device or an IT workstation.

Key finding: Exploits against software libraries decreased, partly because Log4j exploits lost popularity. Exploits against network infrastructure and IoT devices increased. The most targeted IoT devices were IP cameras, building automation and network attached storage. Only 35% of exploited vulnerabilities appeared in CISA KEV.
Insight for defenders: When deciding which vulnerabilities to patch and when, consider the vulnerabilities that are currently being exploited. Although CISA keeps an up-to-date catalog of known exploited vulnerabilities, it does not cover the entirety of the exploited vulnerability landscape. Additional threat intelligence sources, such as Vedere Labs’ threat feeds, are required to prioritize vulnerability risk mitigation.

Key finding: Five OT protocols were constantly targeted: Modbus (a third of attacks), Ethernet/IP, Step7 and DNP3 (with around 18% each) and IEC10X with 10% of attacks. The remaining 2% are divided amongst many other protocols, of which the majority is BACnet. Most attacks target protocols used in industrial automation and the power sector. Building automation protocols are less often scanned, but exploits against building automation are more common.
Insight for defenders: Monitoring the traffic to and from OT devices is as critical as monitoring IT traffic. Attackers are constantly probing these assets for weaknesses, and many organizations will be blind to that because they lack visibility into their OT infrastructure.

Key finding: Post-exploitation actions focused on persistence (50%, up from 3% in 2022), discovery and execution. Most observed commands are for generic Linux systems, but there were also commands executed specifically for the network operating systems that run on popular routers.
Insight for defenders: The increase in persistence actions means that incidents are becoming harder to contain and eradicate after an initial breach, but also that threat actors intend to remain longer in a system. This reinforces our message last year that even after an initial breach, threat actors need to spend time getting situated in the target, downloading further tools, executing them and persisting. Many of these actions provide more chances for detection and response.

Key finding: We observed an equal amount of remote access trojans (RATs) and information stealers (infostealers) as the most popular types of malware. Botnets and other downloaders came in third and fourth, followed by crypto miners and then a variety of other malware, such as keyloggers and adware. The most popular malware families observed were the Agent Tesla RAT (16%), then variants of the Mirai botnet (15%) and the Redline infostealer (10%). Cobalt Strike remained the most popular command and control (C2) server (46%), followed by Metasploit (16%) and the emerging Sliver C2 (13%). Most C2s are in the United States (40%), followed by China (10%) and Russia (8%).
Insight for defenders: Although individual malware samples and even families keep evolving every day, the basic nature of malware remains unchanged. The combination of RATs, botnets, infostealers and C2 servers is by now well known to both attackers and defenders. It is much more productive for defenders to detect and hunt for TTPs and anomalous behavior than to rely solely on file hashes and C2 IPs, which change constantly.

Key finding: Threat actors targeted 163 countries. The United States was the most targeted by far, with 168 actors aiming at the country. In second place came the United Kingdom with 88, then Germany with 77, India with 72 and Japan with 66. Most threat actors were in China (155), Russia (88) and Iran (45). Together, these three countries accounted for almost half of the threat actor groups in our database. Government, financial services, media and entertainment were the industries most targeted by these actors.
Insight for defenders: Knowing where threat actors come from and what their goals are can help to prioritize strategic security investments. Organizations in the most affected industries, especially, should follow the latest threat intelligence to monitor campaigns that target specific sectors.

Key finding: Although most attacks we observed were opportunistic, there were exploits targeting very specific networking devices to obtain precise information about them and drop malware. These attacks often use public proof-of-concept scripts. Targeted attacks are more worrying because the adversaries know what they are looking for, but some opportunistic attacks can also reveal information that attackers will use to expand their campaigns.
Insight for defenders: Continuously identify and patch vulnerable devices and segment networks to ensure that “low hanging fruit” such as known vulnerable edge devices cannot lead to further compromises on your network.

Conclusion

In this report we analyzed data on the attacks, exploits and malware observed throughout 2023 and paired each key finding with insights for defenders. At a strategic level, we recommend that organizations concentrate on three fundamental pillars:

Risk & Exposure Management

Begin by conducting a thorough assessment of every asset connected to the network, scrutinizing its security postures, known vulnerabilities, credentials, and open ports. Implement robust security measures by replacing default and easily guessable credentials with strong, unique passwords for each device. Disable unused services, patch vulnerabilities promptly, and adopt a risk-based approach for mitigation. Leverage automated controls that encompass the entire enterprise rather than operating within isolated silos. This approach extends beyond conventional IT networks to encompass Operational Technology (OT) networks and various types of Internet of Things (IoT) devices.

Network Security

Avoid exposing unmanaged devices directly to the internet. Opt for network segmentation to isolate IT, IoT, and OT devices, restricting network connections to specifically designated management and engineering workstations. Segmentation should extend not only between IT and OT but also within these networks to thwart lateral movement and data exfiltration. Implement restrictions on external communication paths and employ isolation or containment measures for vulnerable devices as a mitigating control, especially when immediate patching is challenging.

Threat Detection & Response

Utilize an IoT/OT-aware, Deep Packet Inspection (DPI)-capable monitoring solution to detect and alert on malicious indicators and behaviors. Monitor internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing, and unauthorized use of OT protocols. Block or, at the very least, alert network operators to anomalous and malformed traffic. Consider Threat Detection & Response solutions that collect telemetry and logs from diverse sources, correlating attack signals for analyst investigation. These solutions offer the capability to automate response actions across the enterprise.
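The kind of monitoring this pillar and the OT protocol finding call for, as an added illustration that is not Forescout's code: a small Python detector that flags sessions on the standard ports of the six OT protocols named in the findings when they come from any host other than a designated engineering workstation, and singles out sources that sweep several protocols. The port map, the workstation allowlist and the flow records are constructed for the example.

```python
from collections import defaultdict

# Standard ports of the OT protocols named in the roundup's findings.
OT_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm (Step7)",
            20000: "DNP3", 2404: "IEC 60870-5-104", 47808: "BACnet/IP"}

# Hypothetical allowlist: the designated engineering workstations that
# segmentation policy permits to speak OT protocols to controllers.
ENGINEERING_WORKSTATIONS = {"10.10.5.10", "10.10.5.11"}

# Constructed flow records in the form "timestamp src dst l4proto dport".
SAMPLE_FLOWS = [
    "2023-11-02T08:00:01 10.10.5.10 10.20.1.5 tcp 502",    # EWS -> PLC, permitted
    "2023-11-02T08:00:07 10.10.7.44 10.20.1.5 tcp 502",    # IT host probing Modbus,
    "2023-11-02T08:00:09 10.10.7.44 10.20.1.6 tcp 102",    # then S7,
    "2023-11-02T08:00:12 10.10.7.44 10.20.1.7 tcp 20000",  # then DNP3,
    "2023-11-02T08:00:15 10.10.7.44 10.20.1.8 udp 47808",  # then BACnet
    "2023-11-02T08:01:00 10.10.5.11 10.20.1.6 tcp 102",    # EWS -> PLC, permitted
    "2023-11-02T08:01:30 10.10.9.3 10.20.2.2 tcp 443",     # HTTPS, not an OT protocol
    "2023-11-02T08:02:00 10.10.8.21 10.20.1.5 tcp 2404",   # one stray IEC-104 session
]

def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}

def find_unauthorized_ot(lines):
    """(ts, src, dst, protocol) for each OT session not sourced from an EWS."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        name = OT_PORTS.get(f["dport"])
        if name and f["src"] not in ENGINEERING_WORKSTATIONS:
            alerts.append((f["ts"], f["src"], f["dst"], name))
    return alerts

def probing_sources(alerts, min_protocols=3):
    """Sources that touched >= min_protocols distinct OT protocols: a single
    stray session reads as misconfiguration, a sweep across protocols as a scan."""
    seen = defaultdict(set)
    for _, src, _, name in alerts:
        seen[src].add(name)
    return sorted(src for src, names in seen.items() if len(names) >= min_protocols)

if __name__ == "__main__":
    hits = find_unauthorized_ot(SAMPLE_FLOWS)
    print(len(hits), "unauthorized OT sessions; likely scanners:", probing_sources(hits))
```

In a real deployment the flow records would come from a DPI-capable sensor on the OT segment, and the allowlist from the segmentation policy itself.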

In essence, it is crucial to emphasize that traditional cyber hygiene practices must be applied comprehensively across all network assets. Prioritize the most critical attack surfaces based on up-to-date threat and business intelligence for a robust cybersecurity posture.
