2023 Breach Roundup:
2023-12-27 21:08:50 Author: krypt3ia.wordpress.com

This report was created in tandem with ChatGPT4 and the PWN Reporter Analyst Agent created by Scot Terban.

The cybersecurity landscape in 2023 has been diverse and challenging, marked by numerous cyberattacks and data breaches across various sectors. The year witnessed a range of sophisticated threats, including ransomware attacks, exploitation of network vulnerabilities, and targeted phishing campaigns. This landscape was also characterized by the activities of prominent threat actors who utilized advanced techniques to breach systems and networks.

Key aspects of this landscape include:

  • Widespread Sector Impact: Various industries, including healthcare, technology, finance, and government, experienced significant breaches. This underscores the universal vulnerability of different sectors to cyber threats.
  • Rise in Vulnerabilities: A notable increase in the number of disclosed vulnerabilities, including critical ones that posed high risks, was observed. These vulnerabilities were often exploited by threat actors to gain unauthorized access to systems and data.
  • Ransomware Dominance: Ransomware continued to be a dominant threat, with groups like LockBit and Cerber actively targeting organizations. This trend highlights the ongoing effectiveness of ransomware in compromising systems and extracting monetary gains.
  • Evolving Attack Methods: Attackers employed a variety of methods, from exploiting remote services and public-facing applications to privilege escalation tactics. These methods demonstrate the evolving nature of attack strategies and the need for adaptive defense mechanisms.
  • Sophisticated Threat Actors: Groups such as the CL0P Ransomware Gang and Clop were particularly active, showcasing their capability to exploit zero-day vulnerabilities and conduct large-scale attacks.
  • Diverse Threat Vectors: The year saw various forms of cyber threats, including advanced ransomware, phishing, and zero-day exploits. This diversity required organizations to be prepared for a range of attack methods.
  • Increased Complexity of Attacks: Cyberattacks became more complex, often involving multi-stage processes with sophisticated techniques.
  • Rapid Adaptation by Threat Actors: Cybercriminals quickly adapted to security measures, showcasing agility in their attack methodologies.

Overall, 2023’s cybersecurity landscape paints a picture of an evolving and increasingly sophisticated array of threats, necessitating robust and dynamic cybersecurity strategies for defense and mitigation.

Verticals of Major Data Breaches in 2023:

Healthcare Sector Breaches: Norton Healthcare suffered a breach impacting 2.5 million people, and Vanderbilt University Medical Center fell victim to a ransomware attack. The Toronto Public Library also faced a ransomware attack, compromising employee and customer data.

Technology and Transport Sector: Infosys experienced a security event affecting its U.S. unit, and Boeing was targeted by the LockBit ransomware gang. The Indian Council of Medical Research faced a breach impacting around 815 million citizens.

Financial Information and Genetic Data: Air Europa urged customers to cancel their credit cards after a breach, and 23andMe suffered a credential-stuffing attack leading to the theft of genetic data.

Government and Regulatory Bodies: The Norwegian Government faced a breach due to a zero-day vulnerability, and the UK Electoral Commission had a breach exposing data of approximately 40 million people.

Hacking Trends and Techniques:

Exploitation of Vulnerabilities: 2023 saw 26,447 vulnerabilities disclosed, with less than 1% of them posing the highest risk. These included remote service exploitation, public-facing application exploitation, and privilege escalation.

Ransomware Activity: More than 50% of high-risk vulnerabilities were exploited by ransomware groups like LockBit and Cerber. Ransomware remained the principal money-making activity for cybercriminals, with phishing being a common entry point.

Targeting Network Infrastructure & Web Applications: About 32.5% of identified high-risk vulnerabilities were within networking infrastructure or web applications, areas that are difficult to protect through conventional means.

Exploiting Cloud Resources: Criminals increasingly targeted cloud resources, employing techniques like ‘free jacking’ to mine cryptocurrencies using free cloud service offers.

Sophisticated Malware and Social Engineering: Attacks like those on The Guardian and Caesars Entertainment showcased the use of sophisticated malware and social engineering tactics.

Active Threat Actors in 2023:

CL0P Ransomware Gang: Known for high-profile attacks that exploited zero-day vulnerabilities in platforms like GoAnywhere MFT and PaperCut.

LockBit: Operating an advanced ransomware-as-a-service model, it targeted a range of organizations and exploited vulnerabilities like CVE-2023-27350.

Clop: Conducted extensive attacks on enterprises, exploiting vulnerabilities ranging from SQL injection to pre-authentication command injection.

The cybersecurity landscape of 2023 was marked by the actions of both nation-state and non-nation-state (criminal) actors. These groups exhibited varying objectives, methods, and impacts. Here’s an overview of these actors along with short threat cards on each:

Nation-State Actors:

Russian State Actors: Employed diverse methods including phishing campaigns and zero-days for initial access across industries in NATO member states. They also engaged in malign influence operations targeting the Ukrainian diaspora and encouraging protests across Europe.

Chinese State-Sponsored Groups (Raspberry Typhoon and Flax Typhoon): Conducted worldwide campaigns targeting US defense and critical infrastructure, nations bordering the South China Sea, and strategic partners of China. Their activities were primarily focused on intelligence collection reflecting Beijing’s strategic goals in the region.

Iranian State Actors: Enhanced their offensive cyber capabilities, turning firmly against the West. They improved their operations in cloud environments, rolled out custom implants, and exploited new vulnerabilities. Iranian cyber operations increased globally, especially in the Global South.

North Korean Cyber Threat Actors (Jade Sleet and Citrine Sleet): Pursued intelligence collection on adversaries’ policy plans and military capabilities, and engaged in cryptocurrency theft to fund state activities. Notably, they conducted a supply chain attack in March 2023 attributed to Citrine Sleet.

Non-Nation-State (Criminal) Actors:

CL0P Ransomware Gang: Known for exploiting zero-day vulnerabilities in platforms like GoAnywhere MFT and PaperCut. They target a wide range of organizations, including those with critical data and infrastructure.

LockBit: Utilizes a ransomware-as-a-service model to target various organizations. They have exploited vulnerabilities like CVE-2023-27350 to compromise systems and encrypt data for ransom demands.

Clop: Engaged in extensive attacks on enterprises, exploiting vulnerabilities ranging from SQL injection to pre-authentication command injection. Their targets often include financial, IT, and healthcare sectors.

Killnet: A pro-Russian hacker group known for conducting distributed denial-of-service (DDoS) attacks against European nations. They initially offered DDoS tools for sale before shifting to hacktivism against Russia’s enemies.

SamSam Ransomware Operators: Independent actors or criminal groups primarily focused on financial gain through ransomware operations. They targeted fields and industries with less robust cyber protection, like academia and healthcare.

Patriotic Hacking Collectives and Other Non-State Armed Groups: These groups are increasingly adopting offensive cyber capabilities to further their strategic objectives, often targeting journalists and political opponents, or using cyber capabilities to bolster their operations against states.

Scattered Spider

Overview: Scattered Spider is a cybercriminal group known for targeting large companies and their contracted IT help desks. This group has been involved in various criminal activities, predominantly focusing on data theft for extortion purposes.

Tactics, Techniques, and Procedures (TTPs):

Social Engineering: They are experts in social engineering, employing multiple techniques to deceive and manipulate victims. This includes phishing, push bombing, and SIM swap attacks to acquire credentials and install remote access tools.

Impersonation: They often pose as IT or helpdesk staff, using phone calls or SMS messages to obtain employee credentials and thereby gain network access.

Remote Access: They direct employees to run commercial remote access tools, which gives the group its initial access to the network.

Exploiting Multi-Factor Authentication (MFA): They use tactics like sending repeated MFA notification prompts (MFA fatigue) and convincing cellular carriers to transfer control of a user’s phone number to a SIM card under their control.

Monetization: Their activities include monetizing access to victim networks through ransomware (such as BlackCat/ALPHV) and data theft, leading to financial extortion.
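As a defender-side illustration of the MFA fatigue tactic described above (an added example, not part of the original post): the script below scans constructed authentication-log lines for a burst of push prompts sent to one user inside a short window, and separately flags the higher-risk case where an approval arrives while that burst is still within the window. The log format, field names, window and threshold are assumptions for this example, not any particular identity provider’s schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back window per user (assumed tuning value)
THRESHOLD = 5                   # push prompts within WINDOW that count as a burst

# Constructed sample log (not real data): alice is bombarded with pushes from one
# source IP and eventually approves; bob gets a single normal push and approves.
SAMPLE_LOG = """\
{"ts":"2023-09-08T02:01:10Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2023-09-08T02:01:40Z","user":"alice","event":"push_denied","src_ip":"203.0.113.7"}
{"ts":"2023-09-08T02:02:05Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2023-09-08T02:03:00Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2023-09-08T02:03:10Z","user":"bob","event":"push_sent","src_ip":"198.51.100.2"}
{"ts":"2023-09-08T02:03:25Z","user":"bob","event":"push_approved","src_ip":"198.51.100.2"}
{"ts":"2023-09-08T02:04:00Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2023-09-08T02:04:30Z","user":"alice","event":"push_timeout","src_ip":"203.0.113.7"}
{"ts":"2023-09-08T02:05:00Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2023-09-08T02:06:00Z","user":"alice","event":"push_sent","src_ip":"203.0.113.7"}
{"ts":"2023-09-08T02:07:30Z","user":"alice","event":"push_approved","src_ip":"203.0.113.7"}
"""


def parse_log(text):
    """Parse one JSON record per line and return the events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """One alert per user whose push prompts reach `threshold` inside `window`;
    an approval that lands while the burst is still in the window is flagged too."""
    recent = defaultdict(deque)  # user -> timestamps of push_sent still inside window
    alerts = {}                  # user -> alert dict
    for rec in events:
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts that fell out of the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "prompts": 0, "first_ts": q[0], "last_ts": ts,
                    "src_ips": set(), "approved_after_burst": False,
                })
                alert["prompts"] = max(alert["prompts"], len(q))
                alert["last_ts"] = ts
                alert["src_ips"].add(rec["src_ip"])
        elif event == "push_approved" and len(q) >= threshold and user in alerts:
            alerts[user]["approved_after_burst"] = True  # the outcome the attacker wants
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

Tune the window and threshold to the normal prompt rate of the environment; a single denied push is routine, while a burst followed by an approval warrants an immediate session review.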

Notable Characteristics:

  • Scattered Spider has demonstrated a high level of proficiency in manipulating standard security protocols and exploiting human factors to gain unauthorized access.
  • Their approach often involves blending into an organization’s communication channels and exploiting trusted relationships.
  • They have been known to adapt and evolve their techniques rapidly, making them a persistent and adaptable threat.

This group’s activities underscore the importance of robust security training for employees, especially in recognizing and responding to social engineering attempts, and the need for strong, multi-layered security systems.

Observations:

  • Nation-state actors are increasing their investment in sophisticated cyberattacks to achieve strategic priorities, including espionage operations and global expansion of target sets.
  • Non-state actors, while a serious threat, are considered less severe compared to nation-state actors. Their motivations vary and can be financial, ideological, religious, grievance-based, or even opportunistic, making their actions unpredictable and challenging to defend against.

2023 Breach List:

MailChimp Data Breach (January 2023): MailChimp, an email marketing platform, suffered a breach when an unauthorized actor accessed its internal customer service tools, compromising data of 133 customers. The breach was executed via a social engineering attack on employees, exposing customer details like names, store URLs, and email addresses.

Activision Data Breach (February 2023): Video game publisher Activision experienced a breach via an SMS phishing attack. Sensitive employee information and details about upcoming game content were leaked. The breach was not disclosed until evidence surfaced online, raising questions about compliance with data breach notification laws.

ChatGPT Data Breach (March 2023): A bug in the Redis open-source library exposed personal information of ChatGPT Plus subscribers. This included names, email addresses, and partial credit card details. OpenAI quickly addressed the bug and introduced a bug bounty program.

Shields Healthcare Group Data Breach (2023): This breach affected 2.3 million people, exposing sensitive patient information. Shields Healthcare Group took steps to contain the incident and enhance their data security measures.

MOVEit Data Breach (May 2023): MOVEit Transfer software was compromised by the “cl0p” ransomware group through a zero-day vulnerability, impacting over 1,000 organizations and 60 million individuals globally.

JumpCloud Data Breach (June 2023): This identity and access management firm faced a breach by a nation-state actor, targeting a small set of customer accounts. The extent of the damage wasn’t fully disclosed.

Indonesian Immigration Directorate General Data Breach (July 2023): Passport data of over 34 million Indonesian citizens was leaked and offered for sale, including full names, passport numbers, and birth dates.

UK Electoral Commission Data Breach (August 2023): Unauthorized access to internal emails, control systems, and electoral registers exposed the personal data of approximately 40 million people.

T-Mobile Data Breach (September 2023): Employee and customer data were exposed in two separate incidents, including email addresses, Social Security Numbers, and payment data.

23andMe Data Breach (October 2023): Unauthorized access to the “DNA Relatives” feature exposed personal information of users. Credential stuffing attacks were used to gain access to accounts.

Idaho National Laboratory Data Breach (November 2023): Sensitive personal information of employees was compromised, including Social Security and bank account numbers.

The Guardian Ransomware Attack (December 2022): Phishing was the initial attack vector, leading to a ransomware attack on the UK newspaper.

Toronto SickKids Ransomware Attack (December 2022): The Hospital for Sick Children in Toronto was hit by a ransomware attack, affecting internal systems and phone lines.

FAA Incident (January 2023): The grounding of all U.S. flights due to issues with a critical FAA system raised concerns about the fragility of critical infrastructure.

Cloud Exploitation for Cryptocurrency Mining (2023): Criminal groups exploited cloud providers’ free offers for cryptocurrency mining, a tactic known as ‘free jacking’.

LastPass Breach (August 2022): A breach at the password manager revealed that encrypted customer data was compromised.

Royal Mail Ransomware Attack (January 2023): An affiliate of the LockBit Ransomware-as-a-Service (RaaS) targeted Royal Mail, affecting international deliveries.

Hive Ransomware Gang Infiltration and Shutdown (2023): A successful international effort led to the shutdown of the Hive ransomware infrastructure.

MOVEit Software Exploit by Cl0p Ransomware Group (2023): A vulnerability in MOVEit Transfer software was exploited, affecting over 2,000 organizations and 60 million individuals.

Caesars Scattered Spider Attack (September 2023): Caesars Entertainment’s database of loyalty customers was stolen, with the company paying a ransom to avoid data publication.

Microsoft Storm-0558 Exploit (2023): A Chinese hacking group accessed Microsoft services by forging Azure AD tokens.

DarkBeam (3.8 billion breached records): DarkBeam’s misconfigured Elasticsearch and Kibana interface led to the exposure of 3.8 billion records, making it the largest data breach of 2023.

Kid Security App (over 300 million records): A misconfigured Elasticsearch and Logstash instance exposed over 300 million records of the Kid Security parental control app, including phone numbers, email addresses, and some payment card data.

SAP SE Bulgaria (95,592,696 artefacts): Kubernetes Secrets in public GitHub repositories were exposed, including credentials from SAP SE, compromising 95,592,696 records/artefacts.

TmaxSoft (over 56 million records): A Kibana dashboard exposed 2 TB of data for more than two years, leaking over 56 million sensitive records of the South Korean IT company.

ICMR (Indian Council of Medical Research) (815 million records): The breach exposed the personal data of 815 million Indian residents from the ICMR’s Covid-testing database, offered for sale on the dark web.

23andMe (20 million records): Credential stuffing attacks led to the leak of 20 million 23andMe data records, including genetic data profiles of UK and German residents.

Redcliffe Labs (12,347,297 medical records): A non-password-protected database was discovered, exposing 12,347,297 medical records (7 TB) of the India-based medical diagnostic company.

PharMerica (5.8 million patients): An unauthorized party compromised the US pharmacy network’s systems, exposing patients’ names, addresses, dates of birth, Social Security numbers, health insurance data, and medical data.

Latitude Financial (14 million records): This Melbourne-based company reported a breach of 14 million records, including 8 million drivers’ licenses and 53,000 passport numbers.

GoAnywhere Exploit by Clop Ransomware Gang: A vulnerability in the file transfer service GoAnywhere was exploited by the Clop ransomware gang, targeting multiple organizations including Hatch Bank and the City of Toronto.

AT&T (9 million customers): A data breach exposed the personal data of 9 million AT&T customers, including names, wireless account numbers, phone numbers, and email addresses.

PeopleConnect (20 million people): A leaked 2019 backup database affected 20 million customers of PeopleConnect’s background check services TruthFinder and Checkmate.

Elevel (7 million data entries): The Moscow-based firm suffered a breach leaking 1.1 TB of personal data, including customers’ names, phone numbers, email addresses, and delivery addresses.

CentraState Medical Center (617,000 patients): A ransomware attack compromised the personal data of 617,000 patients, including names, addresses, dates of birth, and Social Security numbers.

Twitter (220 million email addresses): A hacker leaked over 220 million users’ email addresses, posing significant privacy risks, especially for high-profile individuals.

T-Mobile USA (836 customers): A breach involving the theft of personal details from 836 customers exposed full names, contact information, account numbers, and Social Security numbers.

JD Sports (10 million customers): Personal information of 10 million customers was leaked, including names, addresses, phone numbers, order details, and the final four digits of payment cards.

Shields Health Care Group (April 2023, 2.3 million people): A cybercriminal gained unauthorized access to the Massachusetts-based medical services provider’s systems, stealing personal data, including Social Security numbers, dates of birth, home addresses, healthcare provider information, and healthcare history of 2.3 million people.

NCB Management (April 2023, almost 1 million financial records): This debt collection services provider experienced a breach in which a cybercriminal accessed credit card data for consumers’ Bank of America past-due accounts, along with a range of personal information.

Kodi (April 2023, 400,635 users): An unauthorized actor compromised the open-source media player Kodi’s MyBB forum database, stealing personal data, including usernames, email addresses, and encrypted passwords of 400,635 users.

Chick-fil-A Data Breach: This fast-food chain investigated suspicious activity linked to a number of customer accounts.

Other Significant Breaches:

Okta Data Breach

In October 2023, Okta, a trusted identity and access management company, suffered a security breach. A hacker used a stolen credential to access Okta’s support case management system. This breach led to the theft of customer-uploaded session tokens, which could be used to infiltrate the networks of Okta customers. The breach impacted around 1% of Okta’s customers, equating to approximately 134 organizations. In addition, the threat actor downloaded the names and email addresses of all Okta customer support system users. This incident also exposed personal information belonging to 4,961 current and former employees, following a breach of its healthcare coverage vendor, Rightway Healthcare.

SONY Data Breach

In June 2023, Sony experienced a significant data breach due to a zero-day vulnerability in the MOVEit Transfer platform, specifically CVE-2023-34362. This critical-severity SQL injection flaw allowed for remote code execution. The Clop ransomware gang claimed credit for the attack. Upon discovering unauthorized downloads, Sony immediately took the platform offline and remediated the vulnerability. Subsequent investigations revealed that the breach affected approximately 6,800 individuals, including current and former employees and their family members.

Forever 21 Data Breach

Between January and March 2023, Forever 21 experienced a data breach in which an unauthorized third party accessed their computer system, stealing personal and protected health information of employees. The breach affected over 500,000 current and former employees. The hackers had intermittent access to Forever 21’s systems during this period. Despite the breach, the company believes that the third party hasn’t copied, retained, or shared any of the data, suggesting a lower risk to individuals. However, the breach’s scale and the nature of the information exposed raise significant concerns.


Source: https://krypt3ia.wordpress.com/2023/12/27/2023-breach-roundup/