Threat Reports 2023

Check Point Cyber Threat Report 2024: Notable Trends, Incidents, and Insights

Introduction

The Check Point Cyber Security Report 2024, authored by Maya Horowitz, VP of Research at Check Point, reviews the cyber threats observed during 2023. The report describes how attacks, the motivations behind them, and the methods attackers use have shifted over the year. The growing scale and complexity of these attacks have drawn attention from government agencies and the general public alike, underscoring the need for robust cyber security measures.

Notable Cyber Events of 2023 – Key Incidents

January

  • Australian Government Data Leak: A massive database containing over 14 million usernames and passwords was discovered on a dark web forum. This included more than 100,000 logins for portals belonging to Australian government agencies, exposing a significant vulnerability in governmental security measures.
  • Vice Society Ransomware: The Vice Society ransomware group conducted a series of widespread attacks targeting schools in both the UK and US. The FBI issued an alert regarding the group’s activities. These attacks disrupted educational institutions, causing significant operational and financial damage.
  • Royal Mail Cyberattack: Britain’s international mail service, Royal Mail, faced a major disruption due to a cyberattack by the LockBit ransomware gang. The attack halted the dispatch of international packages, and the gang threatened to leak stolen data if their ransom demands were not met.

February

  • Dingo Crypto Token Scam: Check Point Research flagged the Dingo crypto Token as a scam. The threat actors behind the token added a backdoor function in its smart contract to manipulate the fee to 99%, leading to massive financial losses for investors.
  • KillNet DDoS Attacks: The pro-Russian hacktivist group KillNet launched a wide-scale operation against the US healthcare sector, executing multiple DDoS attacks and exposing gaps in the sector’s cyber defenses.
  • JD Sports Data Breach: UK sportswear retailer JD Sports announced a data breach affecting approximately 10 million customers. The leaked data included full names, emails, phone numbers, billing details, and delivery addresses of customers who placed orders between November 2018 and October 2020.
  • ESXiArgs Ransomware: The ESXiArgs ransomware campaign targeted thousands of internet-exposed VMware ESXi hosts. After researchers and CISA published a recovery procedure that rebuilt virtual machines from the unencrypted flat files, the threat actors updated the malware’s encryption routine so that the procedure no longer worked.

March

  • SharpPanda Cyber-Espionage: Chinese APT group SharpPanda launched a cyber-espionage campaign targeting government entities in Southeast Asia. The group used the Soul framework to establish access to victims’ networks and exfiltrate sensitive information.
  • Ferrari Data Breach: The Italian luxury sports car maker Ferrari announced a data breach following an extortion attack. The leaked data included clients’ personal information, such as full names, addresses, email addresses, and phone numbers.
  • FakeCalls Android Trojan: Check Point Research uncovered the FakeCalls Android Trojan, which mimics over 20 financial apps and engages in voice phishing by simulating conversations with bank employees. This malware targets the South Korean market, extracting private data from victims’ devices.

April

  • 3CXDesktopApp Supply Chain Attack: Both the Windows and macOS versions of 3CXDesktopApp, a VoIP client, were trojanized in a large-scale supply chain attack attributed to the North Korean Lazarus group. Because the compromised builds were delivered through 3CX’s own update channel, the company’s more than 600,000 customer organizations worldwide were potentially exposed.
  • Crown Resorts Extortion: Australia’s largest gambling and entertainment firm, Crown Resorts, disclosed that it was being extorted by the CL0P ransomware group. The extortion attempt followed the group’s exploitation of a vulnerability in Fortra’s GoAnywhere MFT software.
  • Anonymous Sudan: This hacktivist group, identified as a sub-group of the Russia-affiliated KillNet, launched multiple DDoS attacks on organizations in Europe, Australia, and Israel, often in response to perceived anti-Muslim activities.

May

  • MOVEit Transfer Vulnerability: Progress disclosed an SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer and MOVEit Cloud that allowed unauthenticated access to the application database. The Russian-affiliated CL0P ransomware group had already been exploiting it as a zero-day, leading to a mass data-theft campaign affecting many organizations, including the payroll services provider Zellis and, through it, Zellis’ customers.
  • TP-Link Router Backdoor: Check Point Research discovered a custom firmware implant tailored for TP-Link routers and linked to the Chinese state-sponsored APT group Camaro Dragon. The implant, called “Horse Shell,” enabled attackers to maintain persistent access, build anonymous relay infrastructure, and move laterally within compromised networks.

June

  • Clop Ransomware on DMVs: The Clop ransomware gang obtained data from the Louisiana Office of Motor Vehicles and the Oregon DMV through the MOVEit Transfer campaign, exposing millions of driver’s license records. The stolen data included personal information such as names, addresses, and license numbers.
  • SMP Health Ransomware Attack: St. Margaret’s Health in Spring Valley, Illinois, part of SMP Health, closed in June after a ransomware attack had crippled its ability to submit insurance claims for months. The resulting loss of revenue pushed the hospital into a severe financial downturn from which it did not recover.

July

  • Malicious Telegram Version: Check Point Research identified a malicious modified version of the popular messaging application Telegram. The malicious application installed the Triada Trojan, which could sign up victims for various paid subscriptions, perform in-app purchases, and steal login credentials.
  • Nickelodeon Data Breach: 500GB of data leaked from American television channel Nickelodeon. The data included scripts, animation files, and full episodes of content. The breach was attributed to an authentication vulnerability on a feedback portal.

August

  • Prospect Medical Holdings Ransomware: A significant ransomware attack disrupted the operations of Prospect Medical Holdings, affecting 16 hospitals and 166 outpatient clinics in the US. The attack forced hospitals to divert patients to other facilities.
  • Discord.io Data Breach: The company handled a data breach exposing the information of 760,000 members, leading to the temporary suspension of services. The breach was carried out by a cybercriminal who posted the database on an underground forum.

September

  • Qakbot Malware Dismantling: The FBI’s operation ‘Duck Hunt’ dismantled the Qakbot malware operation, which had infected over 700,000 computers worldwide. Qakbot served as an initial-access platform for ransomware operators, impacting financial institutions, government contractors, and medical device manufacturers.
  • Google Looker Studio Phishing: Attackers used Google Looker Studio to send phishing emails from official Google accounts. The emails instructed victims to visit third-party websites to collect cryptocurrency, prompting them to input credentials that were then stolen.

October

  • Dropbox Exploitation: A phishing campaign exploited Dropbox to steal credentials by redirecting victims to credential-stealing pages. Attackers used legitimate Dropbox pages to send official-looking email messages to the victims.
  • LockBit Ransomware on CDW: The LockBit ransomware gang claimed responsibility for an attack on IT products and services reseller CDW. They demanded an $80 million ransom, threatening to release stolen data including employee badges, audits, and commission payout data.

November

  • Boeing Cyberattack: Boeing acknowledged a cyber-attack affecting its parts and distribution business. The LockBit ransomware gang claimed responsibility, adding Boeing to its victim page and threatening to leak stolen data.
  • Scarred Manticore Espionage Campaign: Check Point Research revealed an ongoing espionage campaign by Scarred Manticore, a threat actor tied to the Iranian Ministry of Intelligence and Security. The attacks targeted high-profile organizations in the Middle East, focusing on government, military, and telecommunications sectors.

December

  • Kyivstar Cyberattack: Ukraine’s largest mobile operator, Kyivstar, was hit by what was described as the largest cyber-attack on telecom infrastructure to date. The attack, claimed by the Russia-affiliated group Solntsepek, disrupted mobile and internet services for millions and affected air raid sirens, ATMs, and point-of-sale terminals.
  • Cyber Av3ngers: This group, affiliated with the Iranian Revolutionary Guard Corps (IRGC), compromised an internet-exposed Unitronics programmable logic controller at Pennsylvania’s Aliquippa municipal water authority and defaced its display. The attack reflects a troubling trend in state-sponsored hacktivism targeting critical infrastructure in the United States.

Cyber Security Trends

Ransomware, Zero-days, and Mega Attacks

  • Ransomware Evolution: Ransomware attacks now extend beyond mere data encryption. The ecosystem is characterized by a mix of public attention-seeking and law enforcement evasion, with frequent rebranding making attribution difficult.
  • Zero-day Exploits: Zero-day vulnerabilities, sold at high prices, are increasingly used in ransomware attacks. The MOVEit and SysAid zero-day vulnerabilities were notably exploited by the CL0P group, impacting thousands of organizations.
  • Economic Considerations: The cost-benefit analysis of using zero-days plays a crucial role in their adoption. High-profile attacks, such as those on MGM Resorts International and DP World, underscore the financial and operational impact of these threats.

Expanding Attack Surface: The Emerging Risk of Edge Devices

  • Edge Devices Vulnerability: Devices like routers, switches, and VPN hardware are often neglected in security analyses. They are vulnerable to exploitation due to lack of monitoring, default passwords, and inadequate patching.
  • Nation-State APTs: Nation-state actors have increasingly targeted edge devices for constructing stealthy communication and exfiltration infrastructure. The Chinese Camaro Dragon APT’s use of TP-Link routers is a prime example.
  • Botnets and Espionage: Botnets constructed from compromised edge devices have been used for DDoS attacks and espionage. The Russian Sandworm group’s attacks on Danish infrastructure highlight the strategic use of edge devices in nation-state cyber operations.

State-Affiliated Hacktivism and Wipers

  • Hacktivism Evolution: Hacktivism, initially driven by individuals, now involves substantial government involvement. State-affiliated groups act as fronts for nation-state APT units, publicizing their activities to foster an illusion of popular support.
  • Destructive Malware: The increasing use of wipers to cause operational disruption has become a norm. The Russian-Ukrainian war and the Israel-Hamas conflict saw significant hacktivist activities involving destructive malware.
  • Anonymous Sudan: This pro-Russian hacktivist group has executed numerous high-profile DDoS attacks, including against Microsoft and Telegram. The scale and sustained nature of its operations suggest substantial financial backing and a close connection to Russia.

Tokens Under Attack: The Cloud’s Achilles Heel

  • Credential Theft and Token Exploitation: With the shift to remote work and the rise of cloud services, token-based attacks have surged. Instead of phishing passwords and defeating MFA directly, attackers steal the session cookies and access tokens a user receives after already completing MFA (via infostealers, adversary-in-the-middle proxies, or support artefacts such as HAR files) and replay them. Because the service only checks that the token is valid, not who is presenting it, MFA is never challenged again.
  • High-Profile Breaches: The Chinese Storm-0558 APT group’s breach of email accounts belonging to U.S. Federal agencies, carried out by forging authentication tokens with a stolen Microsoft signing key, and Okta’s breach of its customer support system, in which session tokens contained in uploaded HAR files were stolen, highlight how much trust rests on tokens issued by cloud and managed service providers.
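As an added example (not code from the Check Point report), the following Python models the problem the section describes and one mitigation. A plain bearer check only validates signature and expiry, so a stolen token passes even though the thief never completed MFA; binding the token to the client context it was issued to catches the replay. The HS256 JWT, the demo key, the claim names ("amr", "cfp") and the IP-plus-User-Agent fingerprint are constructed assumptions for illustration.

```python
"""Why a stolen token bypasses MFA, and one binding check that catches replay.

Added example for this summary; it is not code from the Check Point report.
The HS256 JWT, the demo key, the claim names ("amr", "cfp") and the
IP + User-Agent fingerprint are all constructed assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"demo-signing-key"  # constructed demo key only; real keys live in a KMS/HSM


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Stand-in for a device/session binding value (assumption: IP + User-Agent)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


def issue_token(sub: str, client_fp: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT after MFA. 'amr' records that MFA happened;
    'cfp' records the client the token was issued to."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl,
               "amr": ["pwd", "mfa"], "cfp": client_fp}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Plain bearer check: signature and expiry only. Nothing here asks who is
    presenting the token, so a stolen copy passes and MFA is never re-challenged."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, ip: str, user_agent: str, now: Optional[int] = None) -> str:
    """Bearer check plus binding check: the token must arrive from the client
    context it was issued to, otherwise treat it as replayed."""
    claims = verify_token(token, now)
    if claims is None:
        return "reject: invalid or expired"
    presented = client_fingerprint(ip, user_agent).encode()
    bound = str(claims.get("cfp", "")).encode()
    if not hmac.compare_digest(bound, presented):
        return "reject: token replayed from a different client"
    return f"allow: {claims['sub']}"


if __name__ == "__main__":
    now = 1_700_000_000
    victim_fp = client_fingerprint("10.0.0.5", "Mozilla/5.0 Firefox/120")
    token = issue_token("alice", victim_fp, now=now)
    # An attacker (infostealer, AitM proxy, HAR file) now holds a copy of the token.
    print(verify_token(token, now + 60) is not None)              # bearer check alone accepts it
    print(authorize(token, "203.0.113.9", "curl/8.4", now + 60))  # binding check rejects the replay
```

The IP and User-Agent fingerprint is only a stand-in: it produces false positives on mobile networks and can be spoofed by an attacker who also stole the victim's context. Production designs bind the token cryptographically, for example with DPoP (RFC 9449) or mutual-TLS client certificates (RFC 8705), and pair that with detection that alerts when an existing session is suddenly used from a new device, ASN or country.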

Software Repositories Under Attack

  • Malicious Software Packages: Reliance on third-party packages and libraries has widened the software supply chain attack surface. Malicious packages on platforms such as PyPI and npm have been downloaded widely before removal, emphasizing the need to verify the provenance and legitimacy of code before it is installed.
  • Common Attack Vectors: Typosquatting (names one keystroke away from a popular package), package brandjacking (impersonating a known project or maintainer), and dependency confusion (publishing a public package under a name that only exists on a private index so the resolver picks it up) are prevalent. Over 6,800 malicious packages were identified in early 2023 alone, targeting both developers and end-users.
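As an added example (not code from the Check Point report or from any package-index project), the Python below audits a requirements file for the patterns listed above: names within one edit of a well-known package (typosquatting), internal package names that become resolvable from a public index when an extra index is configured (dependency confusion), and requirements that are not pinned with hashes. The known-package list, the internal names, the one-edit threshold and the sample requirements file are constructed assumptions; in practice the list would come from your own lockfiles or a popularity feed.

```python
"""Pre-install audit of a requirements file for typosquatting, dependency
confusion, and unpinned packages.

Added example for this summary, not code from the Check Point report or any
package-index project. The known-package list, the internal package names,
the distance threshold and the sample file are constructed assumptions.
"""
import re

# Constructed allowlist of well-known public packages (assumption).
KNOWN_PUBLIC = {"requests", "urllib3", "numpy", "pandas", "cryptography",
                "boto3", "django", "flask", "pyyaml", "setuptools"}
# Constructed: names that exist only on a private index (assumption).
INTERNAL_NAMES = {"corp-auth", "corp-billing"}

# name[extras] <op> version   (hash options follow on the same logical line)
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*"
                    r"(===|==|~=|!=|>=|<=|>|<)?\s*([^\s;#]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.'
    fold to '-'.  Compare normalised names so 'Corp_Auth' and 'corp-auth' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters, each costing 1.  Swaps matter because 'pnadas'-style
    typos are a common squatting pattern that plain Levenshtein scores as 2."""
    d = {}
    for i in range(-1, len(a) + 1):
        d[(i, -1)] = i + 1
    for j in range(-1, len(b) + 1):
        d[(-1, j)] = j + 1
    for i in range(len(a)):
        for j in range(len(b)):
            cost = 0 if a[i] == b[j] else 1
            d[(i, j)] = min(d[(i - 1, j)] + 1,         # deletion
                            d[(i, j - 1)] + 1,         # insertion
                            d[(i - 1, j - 1)] + cost)  # substitution
            if i > 0 and j > 0 and a[i] == b[j - 1] and a[i - 1] == b[j]:
                d[(i, j)] = min(d[(i, j)], d[(i - 2, j - 2)] + 1)  # transposition
    return d[(len(a) - 1, len(b) - 1)]


def audit_requirements(text: str):
    """Return (normalised name, finding) pairs for a requirements.txt body."""
    findings = []
    lines = text.replace("\\\n", " ").splitlines()  # join backslash continuations
    # With an extra index configured, pip may resolve *any* name from the public
    # index, including names that should only exist on the private one.
    extra_index = any(l.strip().startswith("--extra-index-url") for l in lines)
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as --index-url
        m = REQ_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        op, version = m.group(3), m.group(4)
        if name in INTERNAL_NAMES:
            if extra_index:
                findings.append((name, "dependency confusion: internal name resolvable via public index"))
        elif name not in KNOWN_PUBLIC:
            for known in sorted(KNOWN_PUBLIC):
                if damerau_levenshtein(name, known) <= 1:
                    findings.append((name, f"possible typosquat of {known}"))
                    break
        if op not in ("==", "===") or not version or "--hash=" not in line:
            findings.append((name, "not pinned to an exact version with --hash"))
    return findings


# Constructed sample input; the digests are placeholders, not real package hashes.
SAMPLE = """\
# constructed requirements file for the demo
--index-url https://pypi.example.internal/simple
--extra-index-url https://pypi.org/simple
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
reqests==2.31.0
numpy>=1.20
Corp_Auth==3.1.0 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    for name, finding in audit_requirements(SAMPLE):
        print(f"{name}: {finding}")
```

Running the block reports the typosquat `reqests`, the unpinned `numpy`, and `corp-auth` as a dependency-confusion risk, while the hashed and pinned `requests` line passes. The same controls map onto the ecosystem tooling: `pip install --require-hashes` with a single `--index-url` (a private index that proxies the public one, rather than `--extra-index-url`), and on npm a committed lockfile installed with `npm ci` and scoped package names reserved for internal code.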

Global Analysis and High-Profile Vulnerabilities

The report provides a detailed analysis of global cyber security incidents, highlighting high-profile vulnerabilities exploited by attackers. It emphasizes the need for organizations to stay vigilant and adopt comprehensive security measures to protect against evolving threats.

Incident Response Perspective and Insights for CISOs

Check Point’s incident response perspective offers insights into handling cyber incidents effectively. The report also provides predictions and recommendations for CISOs to bolster their organizations’ cyber security posture in the face of emerging threats.

AI in Cybersecurity

AI has become a double-edged sword in cyber security. While attackers leverage AI to enhance their phishing campaigns, defenders are also using AI to improve threat detection and response capabilities. The report explores the role of AI in modern cyber security battles.

Conclusion

The Check Point Cyber Security Report 2024 underscores the dynamic and evolving nature of cyber threats. It calls for heightened awareness, advanced security measures, and continuous adaptation to stay ahead of cybercriminals. The insights provided aim to help organizations build stronger defenses and navigate the increasingly digital world securely.


This comprehensive summary captures the key elements and detailed insights from the Check Point Cyber Security Report 2024, offering a thorough understanding of the current cyber threat landscape and the necessary measures to counteract these evolving challenges.

Credit for the information in the Article: https://www.checkpoint.com/resources/report-3854/2024-cyber-security-report
