1
00:00:01,639 --> 00:00:10,439
Produced by PI Media. Hi listeners, and welcome to CP Radio. I'm

2
00:00:10,560 --> 00:00:19,280
Randler. It's that time of the year
again. Once annually, Check Point Research publishes

3
00:00:19,280 --> 00:00:24,280
an annual report summarizing all of the
most important industry trends and events of the

4
00:00:24,359 --> 00:00:29,000
year prior. It's like a cheat
sheet in case you forgot anything or just

5
00:00:29,280 --> 00:00:34,759
didn't pay attention, like my lazy
writer Nate. Well, no, oh no,

6
00:00:34,960 --> 00:00:41,759
I was totally listening to you talking
about, I want to say, cooking tips. These

7
00:00:41,799 --> 00:00:46,640
reports have to be very long and
detailed to even begin to cover the vast

8
00:00:46,679 --> 00:00:51,520
world of cyber attacks that grow with
each passing year, and so every year

9
00:00:51,719 --> 00:00:56,359
we do one of these episodes rather
than sift through every little detail. Nate

10
00:00:56,479 --> 00:01:02,159
interviews an author of the report. Returning
this time is Yoav Pinkas, threat

11
00:01:02,200 --> 00:01:06,920
intelligence analyst at Check Point Research. In
the next twenty five minutes, Nate and

12
00:01:07,000 --> 00:01:11,959
Yoav discuss what you need to
know about cybersecurity from twenty twenty three and

13
00:01:11,120 --> 00:01:21,680
what you might want to learn from
it. Hey Yoav, and welcome back to

14
00:01:21,719 --> 00:01:26,760
the show. Before we get started, maybe a little primer for the audience about

15
00:01:26,799 --> 00:01:29,920
what we're going to be doing here. Hi, Nate, good to be

16
00:01:29,959 --> 00:01:36,159
here. Thanks for having me.
We're back with the Check Point Research Annual Cybersecurity

17
00:01:36,200 --> 00:01:41,760
Report, in which we focus on
attack trends. This is a periodic analysis

18
00:01:41,920 --> 00:01:46,760
and I think we last spoke on
our midyear review in twenty twenty three.

19
00:01:48,000 --> 00:01:52,959
In this publication, we review cyber
attacks in twenty twenty three, so not

20
00:01:53,239 --> 00:01:59,959
developments in security solutions or a survey of
professional opinions and predictions, but rather data

21
00:02:00,120 --> 00:02:07,199
based observations from attacks occurring throughout twenty
twenty three. In preparation for this publication,

22
00:02:08,000 --> 00:02:15,840
we collected and analyzed data from billions
of events, hundreds of thousands of

23
00:02:15,919 --> 00:02:22,680
gateways, sensors, open source intelligence, and we try to identify current trends

24
00:02:22,719 --> 00:02:29,439
in this ecosystem. The full report
is available online at research dot checkpoint dot

25
00:02:29,439 --> 00:02:36,919
com. The report itself has a
data section where we review global malware statistics

26
00:02:37,039 --> 00:02:42,000
like top malware families, top malware
types, and many more points that are

27
00:02:42,199 --> 00:02:46,879
better presented visually, so I highly
recommend that listeners download and review the full

28
00:02:47,000 --> 00:02:53,879
PDF or interactive version. In addition
to the data chapter, we choose a

29
00:02:53,919 --> 00:03:02,199
few subjects and address them at more length. So what does the report actually cover?

30
00:03:05,719 --> 00:03:09,520
In this report, we deal with
ransomware and the recent increase in zero

31
00:03:09,599 --> 00:03:16,479
day exploitation by ransomware threat actors.
We review this year's attacks on edge devices.

32
00:03:17,039 --> 00:03:23,639
We have a chapter dealing with the
developments in state-affiliated hacktivism, which,

33
00:03:23,719 --> 00:03:28,719
with the recent conflicts in Ukraine and
Israel, has become a major medium in

34
00:03:28,719 --> 00:03:36,280
which nation states conduct hostilities, with
varying levels of taking responsibility for their attacks.

35
00:03:37,280 --> 00:03:42,680
Two more trends that we cover: the
growing number of exploitations and challenges in

36
00:03:43,000 --> 00:03:50,319
token security, technology crucial for remote access
and authentication in cloud environments. And lastly,

37
00:03:50,479 --> 00:03:58,000
we discuss the rise in malicious software
packages within open source repositories, a

38
00:03:58,039 --> 00:04:03,080
a phenomenon which puts software supply chains at risk.
Let's take it one at a time,

39
00:04:03,199 --> 00:04:10,560
then. Tell me what's been going
on in the world of ransomware. On

40
00:04:10,639 --> 00:04:14,919
our last podcast, we discussed how
ransomware is considered the number one threat for

41
00:04:15,039 --> 00:04:20,879
businesses and we reviewed its mechanisms of
double extortion and how different actors assume different

42
00:04:21,040 --> 00:04:27,920
roles in the attacks, from ransomware as
a service providers to affiliates through to initial

43
00:04:27,959 --> 00:04:33,879
access brokers, all working in sync
to conduct attacks. Now we routinely

44
00:04:34,040 --> 00:04:40,279
monitor ransomware shame sites. These
are the platforms where ransomware as a service

45
00:04:40,279 --> 00:04:45,600
actors publish the identity and materials of
their victims in order to increase their

46
00:04:45,639 --> 00:04:50,000
pressure for payment, and we've seen
a notable increase in the number of published

47
00:04:50,040 --> 00:04:56,040
victims this year. Victims published on
shame sites are those who do not pay

48
00:04:56,120 --> 00:05:00,519
the ransom demands, at least not
at the time of publication. The actual

49
00:05:00,600 --> 00:05:05,360
number of victims is assumed to be
much higher than this count. There have

50
00:05:05,480 --> 00:05:11,839
been more than five thousand victim companies
published on ransomware shame sites in twenty twenty

51
00:05:11,920 --> 00:05:19,240
three by almost seventy active ransomware groups. LockBit, with twenty one percent of all

52
00:05:19,279 --> 00:05:26,879
published victims, ALPHV, nine percent,
and Clop have been the most active ones

53
00:05:26,920 --> 00:05:31,519
in this sense, publishing the most
victims. This is a ninety percent increase

54
00:05:31,560 --> 00:05:36,959
in the number of published victims from
twenty twenty two. Law enforcement had several

55
00:05:38,000 --> 00:05:44,720
operations against these entities. There was
a CISA-led operation against ALPHV and another

56
00:05:44,759 --> 00:05:49,399
recent one against LockBit, but most
of the time they return to regular activity

57
00:05:49,439 --> 00:05:56,319
after just a few weeks. Typically, the most targeted country is the US,

58
00:05:56,399 --> 00:06:00,839
with forty five percent of victims from
the United States. It is followed

59
00:06:00,959 --> 00:06:08,839
by the UK, Canada, Germany, and Italy, western industrialized countries, all

60
00:06:08,879 --> 00:06:14,519
of them. We already previously reported on
ransomware mega attacks, but now with twenty

61
00:06:14,519 --> 00:06:17,680
twenty three in full view, we
can definitely title this a trend of both

62
00:06:17,759 --> 00:06:24,319
mega attacks in the sense of hitting a
large number of victims, and also highlight the

63
00:06:24,360 --> 00:06:30,040
growing use of zero day vulnerabilities exploited
to achieve them. Give me a sense

64
00:06:30,079 --> 00:06:34,759
for what these large scale attacks look
like. The Clop group exploited a zero

65
00:06:34,800 --> 00:06:42,160
day vulnerability in the GoAnywhere secure
file transfer tool, resulting in breaches that

66
00:06:42,240 --> 00:06:48,720
affected over one hundred and thirty organizations. Then in early June, Clop exploited

67
00:06:48,920 --> 00:06:55,279
another zero day vulnerability that enabled it
to access another file transfer platform, MOVEit,

68
00:06:55,639 --> 00:07:00,720
which led to the compromise of more
than two thousand and six hundred organizations.

69
00:07:00,759 --> 00:07:05,879
Clop already conducted a similar attack back
in twenty twenty one, when it

70
00:07:05,959 --> 00:07:14,839
exploited a zero day vulnerability in Accellion's
legacy file transfer appliance. In all these

71
00:07:14,920 --> 00:07:19,759
cases, the targets were carefully selected
because of a high volume of customers,

72
00:07:19,800 --> 00:07:27,879
because of data quality, and for
the ability or the probability of spreading the

73
00:07:27,959 --> 00:07:35,160
attack to additional victims through them.
Notably, Clop chose not to encrypt the

74
00:07:35,360 --> 00:07:43,360
victims' data, but threatened to expose
or sell it only. This extortion strategy

75
00:07:43,399 --> 00:07:49,800
is effective even with victims who regularly
maintained backups and employed data restoration procedures.

76
00:07:50,800 --> 00:07:57,279
It also decreases the chance of detection
during the noisy encryption phase of an attack,

77
00:07:57,879 --> 00:08:01,920
and it relieves cyber criminals from the
burden of managing decryption keys and the

78
00:08:03,000 --> 00:08:13,000
associated, quote, "customer service" responsibilities related
to multiple file decryption. And we kind of

79
00:08:13,120 --> 00:08:18,319
skipped over it. What are zero
day vulnerabilities, for those unfamiliar? Zero

80
00:08:18,439 --> 00:08:24,279
day exploits are such vulnerabilities that at
the time of an attack are not known

81
00:08:24,399 --> 00:08:31,240
to the industry and to the producers
of the attacked services. They're highly sought

82
00:08:31,279 --> 00:08:37,200
after and are traded in a thriving
market. The price of a zero day

83
00:08:37,240 --> 00:08:41,960
exploit depends on the targeted system and
the nature of the vulnerabilities, and they

84
00:08:43,000 --> 00:08:46,559
can range from several thousand dollars to
as much as two and a half million

85
00:08:46,639 --> 00:08:54,600
dollars. That's for zero click full
control with persistence on mobile platforms. There

86
00:08:54,600 --> 00:09:00,320
are legal markets for the sale and
purchase of zero days, like Zerodium,

87
00:09:00,399 --> 00:09:05,799
but there is also a very live
underground market in which typically exploit prices are

88
00:09:05,799 --> 00:09:11,159
even higher. We need to understand
that zero day vulnerabilities have a limited shelf

89
00:09:11,200 --> 00:09:16,879
life. The more they're exploited,
the higher the likelihood of detection and subsequent

90
00:09:16,480 --> 00:09:22,559
patching. Therefore, after an attacker
starts using such an exploit, there's a

91
00:09:22,639 --> 00:09:28,120
time race to achieve as many victims as possible
before the producers publish a patch, and

92
00:09:28,159 --> 00:09:35,039
the exploit becomes much less effective.
Now, unlike adding features to malware,

93
00:09:35,919 --> 00:09:41,519
for a ransomware actor to invest in
a zero day vulnerability, the investment has

94
00:09:41,600 --> 00:09:48,279
to be recovered by the income generated
from a relatively short lived attack. What we

95
00:09:48,320 --> 00:09:54,080
can clearly understand from this is that
the increase in expensive zero day utilization for

96
00:09:54,200 --> 00:09:58,840
ransomware attacks indicates that they do. At the end of the day,

97
00:09:58,360 --> 00:10:03,960
these operations have very high yields. How much yield are we talking here?

98
00:10:05,720 --> 00:10:11,120
Some estimate that Clop could earn between
seventy five to one hundred million dollars

99
00:10:11,159 --> 00:10:18,159
from the MOVEit attack alone. Estimates
of actual ransom payments can be challenging,

100
00:10:18,519 --> 00:10:22,759
but it is safe to assume that
they more than covered the cost

101
00:10:22,799 --> 00:10:28,559
of zero day purchase or development.
Okay, so back to what you're saying

102
00:10:28,639 --> 00:10:35,159
about these large scale ransom attacks.
After the MOVEit attack, exploitation of zero

103
00:10:35,200 --> 00:10:41,159
day vulnerabilities for ransomware attacks continued.
Threat actors associated with Clop were observed exploiting

104
00:10:41,159 --> 00:10:48,519
a zero day vulnerability in the SysAid
IT support software, potentially impacting more than

105
00:10:48,639 --> 00:10:54,519
five thousand customers. And beyond Clop,
Akira and LockBit, two of

106
00:10:54,559 --> 00:11:00,240
the most prolific ransomware actors, have
also been exploiting a new zero day vulnerability

107
00:11:01,000 --> 00:11:07,120
in Cisco appliances, enabling attackers to
conduct brute force attacks against existing accounts.

108
00:11:07,840 --> 00:11:15,840
Other financially motivated advanced groups like
DarkCasino have exploited the WinRAR vulnerability reported

109
00:11:15,879 --> 00:11:20,120
in twenty twenty three to steal from
online traders. Just for reference, the

110
00:11:20,320 --> 00:11:26,200
suggested price for a WinRAR
exploit on Zerodium is eighty thousand dollars.

111
00:11:28,039 --> 00:11:35,200
In another incident, the Nokoyawa ransomware
was deployed by a financially motivated actor after

112
00:11:35,320 --> 00:11:43,720
exploiting a zero day in Windows for
privilege elevation. The likelihood of a growing trend

113
00:11:43,200 --> 00:11:50,759
in the use of costly zero day
exploits depends primarily on economic considerations. If

114
00:11:50,799 --> 00:11:56,159
threat actors are convinced that the potential
returns outweigh the investment, we can expect

115
00:11:56,159 --> 00:12:03,399
an increase in these types of attacks. Then how do we tip those scales

116
00:12:03,559 --> 00:12:09,799
so that the investment outweighs the return. From a security point of view,

117
00:12:11,519 --> 00:12:18,120
effectively safeguarding against zero day attacks presents
a complex challenge. Patching is far from

118
00:12:18,480 --> 00:12:26,679
enough, and backups do not provide
protection from data publication based extortion, and

119
00:12:26,840 --> 00:12:35,519
this emphasizes the importance of implementing robust
measures such as endpoint anti-ransomware solutions,

120
00:12:35,720 --> 00:12:43,879
data loss prevention, DLP, mechanisms and XDR,
extended detection and response, products. Fine.

121
00:12:43,960 --> 00:12:48,200
So that's that. As we promised
earlier, though, there are other matters we

122
00:12:48,240 --> 00:12:54,279
still have to cover in only the short
time we have here. Now, maybe something

123
00:12:54,320 --> 00:12:58,320
which is more to do with nation
state actors and espionage. The next chapter

124
00:13:00,320 --> 00:13:05,799
deals with attacks focusing on edge devices. An edge device, just so we're

125
00:13:05,879 --> 00:13:09,200
clear: they're the devices that serve as
the entry points into networks. So we're

126
00:13:09,240 --> 00:13:13,960
talking routers, switches,
gateways, that kind of thing. Edge

127
00:13:13,960 --> 00:13:20,679
devices have been underprioritized in security strategies
for a long time. Traditionally, some

128
00:13:20,000 --> 00:13:26,440
edge devices and IoT devices have been exploited
by cyber criminals to set up botnets

129
00:13:26,519 --> 00:13:31,639
for DDoS attacks and to orchestrate spam
campaigns. These were often disregarded, but

130
00:13:33,440 --> 00:13:37,879
what we've seen this year is a
peak of attacks where edge devices have become

131
00:13:37,919 --> 00:13:45,720
the target of nation state APTs and
then sophisticated, financially motivated threat actors,

132
00:13:46,840 --> 00:13:54,200
using them either as a part
of sophisticated communication infrastructure or as entry points

133
00:13:54,240 --> 00:14:01,600
for penetrating broader network systems of carefully
selected entities and devices. For example,

134
00:14:03,919 --> 00:14:13,480
a recent CPR, Check Point Research, report revealed
a Chinese operation targeting TP-Link routers by a Chinese

135
00:14:13,519 --> 00:14:22,080
APT called Camaro Dragon. They deployed
a custom backdoor we called Horse Shell to maintain

136
00:14:22,200 --> 00:14:28,039
persistence as well as for file transfer
and network tunneling. This way, they

137
00:14:28,120 --> 00:14:33,360
could use a net of TP-Link
routers to anonymize their communication and make their

138
00:14:33,399 --> 00:14:41,279
detection more difficult. Edge devices are
not only targeted to be used as components

139
00:14:41,279 --> 00:14:46,679
of communication infrastructure, but also as
initial entry points to networks. So in

140
00:14:46,720 --> 00:14:54,480
a sophisticated operation reported by Microsoft in
May, the Chinese state sponsored Volt Typhoon

141
00:14:54,519 --> 00:15:03,080
APT employed a double use strategy.
This group exploited small home or office

142
00:15:03,120 --> 00:15:11,320
devices and integrated them into their communication
infrastructure, called the KV botnet. This

143
00:15:11,480 --> 00:15:20,080
botnet was then used to disguise C&C
communications from other compromised edge devices within critical

144
00:15:20,120 --> 00:15:26,039
infrastructure organizations in the United States.
Now, unlike Camaro Dragon, this

145
00:15:26,120 --> 00:15:31,480
case did not involve dedicated firmware malware, but rather, the KV botnet used

146
00:15:31,600 --> 00:15:37,799
end-of-life Cisco and DrayTek
routers as well as NETGEAR firewalls, and

147
00:15:37,840 --> 00:15:45,720
then, separately to this assembly of
hidden communication infrastructure, the attackers breached

148
00:15:45,720 --> 00:15:50,919
Fortinet FortiGate devices in critical US
infrastructure facilities and used them as gateways for

149
00:15:52,200 --> 00:15:58,799
espionage and potential disruption, hiding their
communication using the KV botnet.

150
00:16:00,120 --> 00:16:03,759
Not only end-of-life, unpatched, known vulnerabilities
are used to exploit edge devices.

151
00:16:04,399 --> 00:16:12,799
Mandiant researchers reported extensive zero day exploitation
and deployment of customized malware to target edge and

152
00:16:12,879 --> 00:16:19,799
network devices by Chinese APTs. For
example, what they call UNC4841

153
00:16:19,879 --> 00:16:26,080
conducted a global espionage campaign
by exploiting a zero day vulnerability in another

154
00:16:26,240 --> 00:16:33,279
edge device, the Barracuda Email Security
Gateway, ESG. This was one of the

155
00:16:33,320 --> 00:16:41,000
most aggressive campaigns reported this year.
Attackers targeted public and private sector entities worldwide,

156
00:16:41,720 --> 00:16:47,960
with an emphasis on those in the
Americas, so almost one third of

157
00:16:48,000 --> 00:16:53,840
the affected organizations identified were government agencies. In this specific attack, in response

158
00:16:53,919 --> 00:17:00,519
to the discovery and mitigation efforts by
defenders, the attackers fought back and deployed

159
00:17:00,519 --> 00:17:07,119
additional malware designed to maintain persistence
on a subset of the breached entities.

160
00:17:10,079 --> 00:17:17,039
This aggressive, persistent campaign has led
to the exceptional supplier recommendation to replace all

161
00:17:17,079 --> 00:17:22,039
of these physical ESG appliances. They were
declared unsafe and beyond repair. And all

162
00:17:22,079 --> 00:17:26,279
of the cases you just mentioned were
carried out by Chinese actors, which is

163
00:17:26,319 --> 00:17:30,880
pretty remarkable, but I assume that
they're not the only ones doing this,

164
00:17:32,119 --> 00:17:37,799
right. The recent increase in targeting
of edge devices is not exclusive to Chinese

165
00:17:37,839 --> 00:17:47,240
actors. Russia's military intelligence affiliated APTs
extensively use this strategy against Ukrainian targets

166
00:17:47,319 --> 00:17:52,039
during the ongoing conflict. Since the
start of the Russian Ukrainian War, a

167
00:17:52,160 --> 00:18:00,000
series of cyber attacks significantly damaged Ukraine's
energy, media, telecommunications and financial

168
00:18:00,039 --> 00:18:07,799
industries, as well as government agencies. The intensity and volume of these attacks

169
00:18:07,839 --> 00:18:12,480
were achieved by compromising edge devices,
enabling Russian threat actors to maintain persistent access

170
00:18:12,559 --> 00:18:21,559
to targeted networks and conduct multiple
attacks over time. The Russian APT28

171
00:18:21,559 --> 00:18:27,799
group was observed deploying the Jaguar
Tooth malware, which was specifically designed to

172
00:18:27,839 --> 00:18:33,200
exploit vulnerabilities in Cisco routers, which, despite being known since twenty seventeen,

173
00:18:33,640 --> 00:18:41,559
have still proven to be effective.
Going beyond Ukraine. In late twenty

174
00:18:41,720 --> 00:18:48,400
twenty three, the Russian Sandworm
APT targeted Denmark's infrastructure and energy sectors,

175
00:18:48,480 --> 00:18:56,480
in what signals a significant escalation targeting
entities outside of Ukraine. They executed attacks

176
00:18:56,519 --> 00:19:03,000
on twenty two Danish entities, exploiting
two zero day vulnerabilities in Zyxel

177
00:19:03,079 --> 00:19:11,759
firewalls. This gave attackers remote code
execution, RCE, capabilities on breached platforms, and

178
00:19:11,880 --> 00:19:18,119
as a result, several companies were
forced to stop normal operations and temporarily resort

179
00:19:18,279 --> 00:19:26,039
to island mode. This shows Sandworm's,
the Russian Sandworm's, extensive capability to exploit vulnerabilities

180
00:19:26,440 --> 00:19:33,240
and coordinate attacks on a wide scale. This trend has gone beyond nation state

181
00:19:33,359 --> 00:19:38,880
actors, and now financially motivated ransomware groups
are also targeting edge devices. Cactus,

182
00:19:40,160 --> 00:19:45,119
Akira, and LockBit all have been
reported to exploit misconfigured and vulnerable Citrix and

183
00:19:45,359 --> 00:19:52,240
Fortinet VPN devices in their attacks.
Groups like FIN8, LockBit and

184
00:19:52,359 --> 00:20:02,119
Medusa used critical unpatched vulnerabilities in Citrix
NetScaler devices to compromise companies. These attacks

185
00:20:02,759 --> 00:20:08,200
progressed to the deployment of persistent webshells
that remain active even after patching and rebooting.

186
00:20:10,599 --> 00:20:15,240
To summarize, then we're talking about
some of the world's most sophisticated actors

187
00:20:15,279 --> 00:20:21,480
here across major countries, from both
the state and the cyber underground, all

188
00:20:22,039 --> 00:20:26,880
of whom are targeting these edge devices. How then, do cyber defenders even

189
00:20:26,000 --> 00:20:33,680
begin to address this issue. This
trend of edge devices exploitation starting from nation

190
00:20:33,880 --> 00:20:41,839
state actors and extending, as often happens,
to financially motivated criminals, emphasizes the need to

191
00:20:41,960 --> 00:20:49,400
extend protections to what previously were
overlooked appliances, VPN routers, and even

192
00:20:49,559 --> 00:20:55,799
security devices in themselves. Are there
any other trends that we need to

193
00:20:55,960 --> 00:21:03,759
cover before hopping off here. I
think that's it for now. For more

194
00:21:03,839 --> 00:21:10,039
details on these subjects and on hacktivism, code repositories, access tokens, and

195
00:21:10,559 --> 00:21:15,720
much more, you're very welcome to
the full report. Thank you for having

196
00:21:15,799 --> 00:21:22,720
me. That's it for this episode, Thank you for listening. To find

197
00:21:22,799 --> 00:21:26,960
this year's full annual report, visit
research dot checkpoint dot com and scroll down

198
00:21:27,039 --> 00:21:30,000
to roughly the middle of the page. It's right there. And if you

199
00:21:30,160 --> 00:21:34,440
click the CPR Podcast channel in the
top menu, you'll find all of our

200
00:21:34,519 --> 00:21:40,880
past episodes. CP Radio is produced
by PI Media. Ela Shemish is our producer.

201
00:21:41,240 --> 00:21:44,640
I'm Randler, see you next episode. Bye bye.
