WEBVTT

1
00:00:01.639 --> 00:00:10.439
Produced by PI Media. Hi listeners, and welcome to CP Radio. I'm

2
00:00:10.560 --> 00:00:19.280
Randler. It's that time of the year
again. Once annually, Check Point Research publishes

3
00:00:19.280 --> 00:00:24.280
an annual report summarizing all of the
most important industry trends and events of the

4
00:00:24.359 --> 00:00:29.000
year prior. It's like a cheat
sheet in case you forgot anything or just

5
00:00:29.280 --> 00:00:34.759
didn't pay attention, like my lazy
writer Nate. Well, no, oh no,

6
00:00:34.960 --> 00:00:41.759
I was totally listening to you talking
about, what did you say, cooking tips. These

7
00:00:41.799 --> 00:00:46.640
reports have to be very long and
detailed to even begin to cover the vast

8
00:00:46.679 --> 00:00:51.520
world of cyber attacks that grow with
each passing year, and so every year

9
00:00:51.719 --> 00:00:56.359
we do one of these episodes rather
than sift through every little detail. Nate

10
00:00:56.479 --> 00:01:02.159
interviews an author of the report. Returning
this time is Yoav Pinkas, threat

11
00:01:02.200 --> 00:01:06.920
intelligence analyst at Check Point Research. In
the next twenty five minutes, Nate and

12
00:01:07.000 --> 00:01:11.959
Yoav discuss what you need to
know about cybersecurity from twenty twenty three and

13
00:01:11.120 --> 00:01:21.680
what you might want to learn from
it. Hey Yoav, and welcome back to

14
00:01:21.719 --> 00:01:26.760
the show. Before we get started, maybe a little primer for the audience about

15
00:01:26.799 --> 00:01:29.920
what we're going to be doing here. Hi, Nate, good to be

16
00:01:29.959 --> 00:01:36.159
here. Thanks for having me.
We're back with the Check Point Research Annual Cybersecurity

17
00:01:36.200 --> 00:01:41.760
Report, in which we focus on
attack trends. This is a periodic analysis

18
00:01:41.920 --> 00:01:46.760
and I think we last spoke on
our mid-year review in twenty twenty three.

19
00:01:48.000 --> 00:01:52.959
In this publication, we review cyber
attacks in twenty twenty three, so not

20
00:01:53.239 --> 00:01:59.959
developments in security solutions or a survey of
professional opinions and predictions, but rather data

21
00:02:00.120 --> 00:02:07.199
based observations from attacks occurring throughout twenty
twenty three. In preparation for this publication,

22
00:02:08.000 --> 00:02:15.840
we collected and analyzed data from billions
of events, hundreds of thousands of

23
00:02:15.919 --> 00:02:22.680
gateways, sensors, open source intelligence, and we try to identify current trends

24
00:02:22.719 --> 00:02:29.439
in this ecosystem. The full report
is available online at research dot checkpoint dot

25
00:02:29.439 --> 00:02:36.919
com. The report itself has a
data section where we review global malware statistics

26
00:02:37.039 --> 00:02:42.000
like top malware families, top malware
types, and many more points that are

27
00:02:42.199 --> 00:02:46.879
better presented visually, so I highly
recommend listeners to download and review the full

28
00:02:47.000 --> 00:02:53.879
PDF or interactive version. In addition
to the data chapter, we choose a

29
00:02:53.919 --> 00:03:02.199
few subjects and address them more lengthily. So what does the report actually cover?

30
00:03:05.719 --> 00:03:09.520
In this report, we deal with
ransomware and the recent increase in zero

31
00:03:09.599 --> 00:03:16.479
day exploitation by ransomware threat actors.
We review this year's attacks on edge devices.

32
00:03:17.039 --> 00:03:23.639
We have a chapter dealing with the
developments in state affiliated hacktivism, which,

33
00:03:23.719 --> 00:03:28.719
with the recent conflicts in Ukraine and
Israel, has become a major medium in

34
00:03:28.719 --> 00:03:36.280
which nation states conduct hostilities, with
varying levels of taking responsibility for their attacks.

35
00:03:37.280 --> 00:03:42.680
Two more trends that we cover: the
growing number of exploitations and challenges in

36
00:03:43.000 --> 00:03:50.319
token security, technology crucial for remote access
and authentication in cloud environments. And lastly,

37
00:03:50.479 --> 00:03:58.000
we discuss the rise in malicious software
packages within open source repositories, a

38
00:03:58.039 --> 00:04:03.080
phenomenon that risks software supply chains.
Let's take it one at a time,

39
00:04:03.199 --> 00:04:10.560
then. Tell me what's been going
on in the world of ransomware. On

40
00:04:10.639 --> 00:04:14.919
our last podcast, we discussed how
ransomware is considered the number one threat for

41
00:04:15.039 --> 00:04:20.879
businesses and we reviewed its mechanisms of
double extortion and how different actors assume different

42
00:04:21.040 --> 00:04:27.920
roles in the attacks, from ransomware as
a service providers to affiliates to initial

43
00:04:27.959 --> 00:04:33.879
access brokers, all working in sync
to conduct attacks. Now we routinely

44
00:04:34.040 --> 00:04:40.279
monitor ransomware shame sites. These
are the platforms where ransomware as a service

45
00:04:40.279 --> 00:04:45.600
actors publish the identity and materials of
their victims in order to increase their

46
00:04:45.639 --> 00:04:50.000
pressure for payment, and we've seen
a notable increase in the number of published

47
00:04:50.040 --> 00:04:56.040
victims this year. Victims published on
shame sites are those who do not pay

48
00:04:56.120 --> 00:05:00.519
the ransom demands, at least not
at the time of publication. The actual

49
00:05:00.600 --> 00:05:05.360
number of victims is assumed to be
much higher than this count. There have

50
00:05:05.480 --> 00:05:11.839
been more than five thousand victim companies
published on ransomware shame sites in twenty twenty

51
00:05:11.920 --> 00:05:19.240
three by almost seventy active ransomware groups. LockBit, with twenty one percent of all

52
00:05:19.279 --> 00:05:26.879
published victims, ALPHV, nine percent,
and Clop have been the most active ones

53
00:05:26.920 --> 00:05:31.519
in this sense, publishing the most
victims. This is a ninety percent increase

54
00:05:31.560 --> 00:05:36.959
in the number of published victims from
twenty twenty two. Law enforcement had several

55
00:05:38.000 --> 00:05:44.720
operations against these entities. There was
a CISA led operation against ALPHV and another

56
00:05:44.759 --> 00:05:49.399
recent one against LockBit, but most
of the time they return to regular activity

57
00:05:49.439 --> 00:05:56.319
after just a few weeks. Typically, the most targeted country is the US,

58
00:05:56.399 --> 00:06:00.839
with forty five percent of victims from
the United States. It is followed

59
00:06:00.959 --> 00:06:08.839
by the UK, Canada, Germany, and Italy, western industrialized countries, all

60
00:06:08.879 --> 00:06:14.519
of them. We already previously reported on
ransomware mega attacks, but now with twenty

61
00:06:14.519 --> 00:06:17.680
twenty three in full view, we
can definitely title this a trend of both

62
00:06:17.759 --> 00:06:24.319
mega attacks in the sense of hitting a
large number of victims and also highlight the

63
00:06:24.360 --> 00:06:30.040
growing use of zero day vulnerabilities exploited
to achieve them. Give me a sense

64
00:06:30.079 --> 00:06:34.759
for what these large scale attacks look
like. The Clop group exploited a zero

65
00:06:34.800 --> 00:06:42.160
day vulnerability in the GoAnywhere secure
file transfer tool, resulting in breaches that

66
00:06:42.240 --> 00:06:48.720
affected over one hundred and thirty organizations. Then in early June, Clop exploited

67
00:06:48.920 --> 00:06:55.279
another zero day vulnerability that enabled it
to access another file transfer platform, MOVEit,

68
00:06:55.639 --> 00:07:00.720
which led to the compromise of more
than two thousand and six hundred organizations.

69
00:07:00.759 --> 00:07:05.879
Clop already conducted a similar attack back
in twenty twenty one, when it

70
00:07:05.959 --> 00:07:14.839
exploited a zero day vulnerability in Accellion's
legacy file transfer appliance. In all these

71
00:07:14.920 --> 00:07:19.759
cases, the targets were carefully selected
because of a high volume of customers,

72
00:07:19.800 --> 00:07:27.879
because of data quality, and for
the ability or the probability of spreading the

73
00:07:27.959 --> 00:07:35.160
attack to additional victims through them.
Notably, Clop chose not to encrypt the

74
00:07:35.360 --> 00:07:43.360
victim's data, but threatened to expose
or sell it only. This extortion strategy

75
00:07:43.399 --> 00:07:49.800
is effective even with victims who regularly
maintained backups and employed data restoration procedures.

76
00:07:50.800 --> 00:07:57.279
It also decreases the chance of detection
during the noisy encryption phase of an attack,

77
00:07:57.879 --> 00:08:01.920
and it relieves cyber criminals from the
burden of managing decryption keys and the

78
00:08:03.000 --> 00:08:13.000
associated, quote, customer service responsibilities related
to multiple file decryptions. And we kind of

79
00:08:13.120 --> 00:08:18.319
skipped over it. What are zero
day vulnerabilities, for those unfamiliar? Zero

80
00:08:18.439 --> 00:08:24.279
day exploits are such vulnerabilities that at
the time of an attack are not known

81
00:08:24.399 --> 00:08:31.240
to the industry and to the producers
of the attacked services. They're highly sought

82
00:08:31.279 --> 00:08:37.200
after and are traded in a thriving
market. The price of a zero day

83
00:08:37.240 --> 00:08:41.960
exploit depends on the targeted system and
the nature of the vulnerabilities, and they

84
00:08:43.000 --> 00:08:46.559
can range from several thousand dollars to
as much as two and a half million

85
00:08:46.639 --> 00:08:54.600
dollars. That's for zero click full
control with persistence on mobile platforms. There

86
00:08:54.600 --> 00:09:00.320
are legal markets for the sale and
purchase of zero days, like Zerodium,

87
00:09:00.399 --> 00:09:05.799
but there is also a very live
underground market in which typically exploit prices are

88
00:09:05.799 --> 00:09:11.159
even higher. We need to understand
that zero day vulnerabilities have a limited shelf

89
00:09:11.200 --> 00:09:16.879
life. The more they're exploited,
the higher the likelihood of detection and subsequent

90
00:09:16.480 --> 00:09:22.559
patching. Therefore, after an attacker
starts using such an exploit, there's a

91
00:09:22.639 --> 00:09:28.120
time race to achieve as many victims
before the producers publish a patch, and

92
00:09:28.159 --> 00:09:35.039
the exploit becomes much less effective.
Now, unlike adding features to malware,

93
00:09:35.919 --> 00:09:41.519
for a ransomware actor to invest in
a zero day vulnerability, the investment has

94
00:09:41.600 --> 00:09:48.279
to be recovered by the income generated
from a relatively short lived attack. What we

95
00:09:48.320 --> 00:09:54.080
can clearly understand from this is that
the increase in expensive zero day utilization for

96
00:09:54.200 --> 00:09:58.840
ransomware attacks indicates that they do. At the end of the day,

97
00:09:58.360 --> 00:10:03.960
these operations have very high yields. How much yield are we talking here?

98
00:10:05.720 --> 00:10:11.120
Some estimate that Clop could earn between
seventy five to one hundred million dollars

99
00:10:11.159 --> 00:10:18.159
from the MOVEit attack alone. Estimates
of actual ransom payments can be challenging,

100
00:10:18.519 --> 00:10:22.759
but it is safe to assume that
they more than covered the cost

101
00:10:22.799 --> 00:10:28.559
of zero day purchase or development.
Okay, so back to what you're saying

102
00:10:28.639 --> 00:10:35.159
about these large scale ransom attacks.
After the MOVEit attack, exploitation of zero

103
00:10:35.200 --> 00:10:41.159
day vulnerabilities for ransomware attacks continued.
Threat actors associated with Clop were observed exploiting

104
00:10:41.159 --> 00:10:48.519
a zero day vulnerability in the SysAid
IT support software, potentially impacting more than

105
00:10:48.639 --> 00:10:54.519
five thousand customers. And beyond Clop,
Akira and LockBit, two of

106
00:10:54.559 --> 00:11:00.240
the most prolific ransomware actors, have
also been exploiting a new zero day vulnerability

107
00:11:01.000 --> 00:11:07.120
in Cisco appliances, enabling attackers to
conduct brute force attacks against existing accounts.

108
00:11:07.840 --> 00:11:15.840
Other financially motivated advanced groups like DarkCasino
have exploited the WinRAR vulnerability reported

109
00:11:15.879 --> 00:11:20.120
in twenty twenty three to steal from
online traders. Just for reference, the

110
00:11:20.320 --> 00:11:26.200
suggested price for a WinRAR
exploit on Zerodium is eighty thousand dollars.

111
00:11:28.039 --> 00:11:35.200
In another incident, the Nokoyawa ransomware
was deployed by a financially motivated actor after

112
00:11:35.320 --> 00:11:43.720
exploiting a zero day in Windows for
privilege elevation. The likelihood of a growing trend

113
00:11:43.200 --> 00:11:50.759
in the use of costly zero day
exploits depends primarily on economic considerations. If

114
00:11:50.799 --> 00:11:56.159
threat actors are convinced that the potential
returns outweigh the investment, we can expect

115
00:11:56.159 --> 00:12:03.399
an increase in these types of attacks. Then how do we tip those scales

116
00:12:03.559 --> 00:12:09.799
so that the investment outweighs the return? From a security point of view,

117
00:12:11.519 --> 00:12:18.120
effectively safeguarding against zero day attacks presents
a complex challenge. Patching is far from

118
00:12:18.480 --> 00:12:26.679
enough, and backups do not provide
protection from data publication based extortion, and

119
00:12:26.840 --> 00:12:35.519
this emphasizes the importance of implementing robust
measures such as endpoint anti ransomware solutions like

120
00:12:35.720 --> 00:12:43.879
data loss prevention, DLP, mechanisms and XDR,
extended detection and response, products. Fine,

121
00:12:43.960 --> 00:12:48.200
So that's that. As we promised
earlier, though, there are other matters we

122
00:12:48.240 --> 00:12:54.279
still need to cover in only the short
time we have here. Now, maybe something

123
00:12:54.320 --> 00:12:58.320
which is more to do with nation
state actors and espionage. The next chapter

124
00:13:00.320 --> 00:13:05.799
deals with attacks focusing on edge devices. An edge device, just so we're

125
00:13:05.879 --> 00:13:09.200
clear, they're the devices that serve as
the entry points into networks. So we're

126
00:13:09.240 --> 00:13:13.960
talking routers, switches,
gateways, that kind of thing. Edge

127
00:13:13.960 --> 00:13:20.679
devices have been underprioritized in security strategies
for a long time. Traditionally, some

128
00:13:20.000 --> 00:13:26.440
edge devices and IoTs have been exploited
by cyber criminals to set up botnets

129
00:13:26.519 --> 00:13:31.639
for DDoS attacks and to orchestrate spam
campaigns. These were often disregarded, but

130
00:13:33.440 --> 00:13:37.879
what we've seen this year is a
peak of attacks where edge devices have become

131
00:13:37.919 --> 00:13:45.720
the target of nation state APTs and
then sophisticated, financially motivated threat actors.

132
00:13:46.840 --> 00:13:54.200
They're using them either as a part
of sophisticated communication infrastructure or as entry points

133
00:13:54.240 --> 00:14:01.600
for penetrating broader network systems of carefully
selected entities and devices. For example,

134
00:14:03.919 --> 00:14:13.480
a recent CPR, Check Point Research, report revealed
a Chinese operation targeting TP-Link routers by a Chinese

135
00:14:13.519 --> 00:14:22.080
APT called Camaro Dragon. They deployed
a custom backdoor we called Horse Shell to maintain

136
00:14:22.200 --> 00:14:28.039
persistence as well as for file transfer
and network tunneling. This way, they

137
00:14:28.120 --> 00:14:33.360
could use a net of TP-Link
routers to anonymize their communication and make their

138
00:14:33.399 --> 00:14:41.279
detection more difficult. Edge devices are
not only targeted to be used as components

139
00:14:41.279 --> 00:14:46.679
of communication infrastructure, but also as
initial entry points to networks. So in

140
00:14:46.720 --> 00:14:54.480
a sophisticated operation reported by Microsoft in
May, the Chinese state sponsored Volt Typhoon

141
00:14:54.519 --> 00:15:03.080
APT employed a double use strategy.
This group exploited small home or office

142
00:15:03.120 --> 00:15:11.320
devices and integrated them into their communication
infrastructure, called the KV botnet. This

143
00:15:11.480 --> 00:15:20.080
botnet was then used to disguise C&C
communications from other compromised edge devices within critical

144
00:15:20.120 --> 00:15:26.039
infrastructure organizations in the United States.
Now, unlike Camaro Dragon, this

145
00:15:26.120 --> 00:15:31.480
case did not involve dedicated firmware malware, but rather the KV botnet used

146
00:15:31.600 --> 00:15:37.799
end of life Cisco and DrayTek
routers as well as Netgear firewalls, and

147
00:15:37.840 --> 00:15:45.720
then, separately to this assembly of
hidden communication infrastructure, the attackers breached Fortinet

148
00:15:45.720 --> 00:15:50.919
FortiGate devices in critical US
infrastructure facilities and used them as gateways for

149
00:15:52.200 --> 00:15:58.799
espionage and potential disruption, hiding their
communication using the SOHO KV botnet.

150
00:16:00.120 --> 00:16:03.759
Not only end of life, unpatched, known vulnerabilities
are used to exploit edge devices.

151
00:16:04.399 --> 00:16:12.799
Mandiant researchers reported extensive zero day exploitation
and employment of customized malware to target edge and

152
00:16:12.879 --> 00:16:19.799
network devices by Chinese APTs. For
example, what they call UNC forty eight

153
00:16:19.879 --> 00:16:26.080
forty one conducted a global espionage campaign
by exploiting a zero day vulnerability in another

154
00:16:26.240 --> 00:16:33.279
edge device, the Barracuda Email Security
Gateway, ESG. This was one of the

155
00:16:33.320 --> 00:16:41.000
most aggressive campaigns reported this year.
Attackers targeted public and private sector entities worldwide,

156
00:16:41.720 --> 00:16:47.960
with an emphasis on those in the
Americas, so almost one third of

157
00:16:48.000 --> 00:16:53.840
the affected organizations identified were government agencies. In this specific attack, in response

158
00:16:53.919 --> 00:17:00.519
to the discovery and mitigation efforts by
defenders, the attackers fought back and deployed

159
00:17:00.519 --> 00:17:07.119
additional malware designed to maintain persistence
on a subset of the breached entities.

160
00:17:10.079 --> 00:17:17.039
This aggressive, persistent campaign has led
to the exceptional supplier recommendation to replace all

161
00:17:17.079 --> 00:17:22.039
these physical ESG appliances. They were
declared unsafe and beyond repair. And all

162
00:17:22.079 --> 00:17:26.279
of the cases you just mentioned were
carried out by Chinese actors, which is

163
00:17:26.319 --> 00:17:30.880
pretty remarkable, but I assume that
they're not the only ones doing this,

164
00:17:32.119 --> 00:17:37.799
right. The recent increase in targeting
of edge devices is not exclusive to Chinese

165
00:17:37.839 --> 00:17:47.240
actors. Russia's military intelligence affiliated APTs
extensively use this strategy against Ukrainian targets

166
00:17:47.319 --> 00:17:52.039
during the ongoing conflict. Since the
start of the Russian Ukrainian War, a

167
00:17:52.160 --> 00:18:00.000
series of cyber attacks significantly damaged Ukraine's
energy, media, telecommunications and financial

168
00:18:00.039 --> 00:18:07.799
industries, as well as government agencies. The intensity and volume of these attacks

169
00:18:07.839 --> 00:18:12.480
were achieved by compromising edge devices,
enabling Russian threat actors to maintain persistent access

170
00:18:12.559 --> 00:18:21.559
to targeted networks and conduct multiple
attacks over time. The Russian APT twenty

171
00:18:21.559 --> 00:18:27.799
eight group was observed deploying the Jaguar
Tooth malware, which was specifically designed to

172
00:18:27.839 --> 00:18:33.200
exploit vulnerabilities in Cisco routers, which despite being known since twenty seventeen,

173
00:18:33.640 --> 00:18:41.559
have still proven to be effective.
Going beyond Ukraine. In late twenty

174
00:18:41.720 --> 00:18:48.400
twenty three, the Russian Sandworm
APT targeted Denmark's infrastructure and energy sectors,

175
00:18:48.480 --> 00:18:56.480
in what signals a significant escalation targeting
entities outside of Ukraine. They executed attacks

176
00:18:56.519 --> 00:19:03.000
on twenty two Danish entities, exploiting
two zero day vulnerabilities in Zyxel

177
00:19:03.079 --> 00:19:11.759
firewalls. This gave attackers remote code
execution, RCE, capabilities on breached platforms, and

178
00:19:11.880 --> 00:19:18.119
as a result, several companies were
forced to stop normal operations and temporarily resort

179
00:19:18.279 --> 00:19:26.039
to island mode. This shows Sandworm's,
the Russian Sandworm's, extensive capability to exploit vulnerabilities

180
00:19:26.440 --> 00:19:33.240
and coordinate attacks on a wide scale. This trend has gone beyond nation state

181
00:19:33.359 --> 00:19:38.880
actors and now financially motivated ransomware groups
are also targeting edge devices. Cactus,

182
00:19:40.160 --> 00:19:45.119
Akira, and LockBit all have been
reported to exploit misconfigured and vulnerable Citrix and

183
00:19:45.359 --> 00:19:52.240
Fortinet VPN devices in their attacks.
Groups like FIN8, LockBit and

184
00:19:52.359 --> 00:20:02.119
Medusa used critical unpatched vulnerabilities in Citrix
NetScaler devices to compromise companies. These attacks

185
00:20:02.759 --> 00:20:08.200
progress to the deployment of persistent webshells
that remain active even after patching and rebooting.

186
00:20:10.599 --> 00:20:15.240
To summarize, then, we're talking about
some of the world's most sophisticated actors

187
00:20:15.279 --> 00:20:21.480
here across major countries, from both
the state and the cyber underground, all

188
00:20:22.039 --> 00:20:26.880
of whom are targeting these edge devices. How, then, do cyber defenders even

189
00:20:26.000 --> 00:20:33.680
begin to address this issue? This
trend of edge devices exploitation starting from nation

190
00:20:33.880 --> 00:20:41.839
state actors and extending, as often happens,
to financially motivated criminals, emphasizes the need to

191
00:20:41.960 --> 00:20:49.400
extend protections to what were previously
overlooked appliances, VPN routers, and even

192
00:20:49.559 --> 00:20:55.799
security devices themselves. Are there
any other trends that we need to

193
00:20:55.960 --> 00:21:03.759
cover before hopping off here. I
think that's it for now. For more

194
00:21:03.839 --> 00:21:10.039
details on these subjects and on hacktivism, code repositories, access tokens, and

195
00:21:10.559 --> 00:21:15.720
much more, you're welcome to refer to
the full report. Thank you for having

196
00:21:15.799 --> 00:21:22.720
me. That's it for this episode. Thank you for listening. To find

197
00:21:22.799 --> 00:21:26.960
this year's full annual report, visit
research dot checkpoint dot com and scroll down

198
00:21:27.039 --> 00:21:30.000
to roughly the middle of the page. It's right there. And if you

199
00:21:30.160 --> 00:21:34.440
click the CPR Podcast channel in the
top menu, you'll find all of our

200
00:21:34.519 --> 00:21:40.880
past episodes. CP Radio is produced
by PI Media. Ela Shemish is our producer.

201
00:21:41.240 --> 00:21:44.640
I'm Randler, see you next episode. Bye bye.

