Dangerous evolution – the main cyber threats of 2023
Group-IB, a private company specializing in the investigation of high-tech crime and protection against cyber attacks, has named the main cyber risks for the coming year. The company's experts predict that ransomware will remain the number one cyber threat to business, the market for selling access to corporate networks will keep growing, and data stolen by info-stealers will become the main way of getting into the networks of targeted organizations. The 2022 record for leaked databases of Russian companies may be broken, and targeted phishing and targeted attacks on company employees will again be in fashion.
2023: ransomware remains cyber threat No. 1
In the coming year ransomware will keep its lead in the ranking of the main cyber threats to business, Group-IB experts are sure. In 2022 the most active groups were LockBit, Conti and Hive. The experts stress that the structure of criminal gangs keeps getting more complex and increasingly resembles that of legitimate IT startups, with a hierarchy, a hiring process, training, incentives and vacations.
The ransomware industry exists and grows thanks to affiliate programs (Ransomware-as-a-Service, RaaS): developers sell or lease the malware to affiliates, who break into the network and deploy the ransomware. Over the analyzed period (H2 2021 to H1 2022) Group-IB identified 20 new public affiliate programs. Only the strongest of them will survive in 2023; as last year, small groups will break up and their members will move to larger ones.
The number of Dedicated Leak Sites (DLS), sites on which attackers publish stolen company data to put extra pressure on the victim, grew by 83% over the period, to 44. According to Group-IB, data from 8 new ransomware victims appear on DLS every day, and in total data from 2,894 companies has been posted publicly.
As before, most ransomware attacks targeted companies in the United States, but last year settled the question of whether ransomware groups attack Russian companies. The number of ransomware attacks on businesses in Russia tripled in 2022, and the record ransom demand was set by the OldGremlin group, which asked one victim for 1 billion rubles. The total damage and number of victims are hard to estimate, however, because data of Russian companies is almost never posted on DLS.
Because the builders and source code of some popular ransomware families, for example Conti and LockBit, leaked into the public domain, Group-IB forensic analysts recorded their use on Russian territory. Other trends were noted as well: the use of the legitimate BitLocker tool as the encryptor, and ransomware attacks whose aim is to destroy the victim's IT infrastructure rather than to make money.
2023: the sale of access to hacked corporate networks will grow
Growing demand on the market for access to compromised company networks is fuelling the ransomware industry with renewed vigour. Over the period covered by the report the darknet market of access sellers more than doubled, while the average price of an access fell by half compared with the same period a year earlier. Most often the attackers sell their "product" as VPN and RDP (Remote Desktop Protocol) access.
In total, Group-IB identified 380 brokers selling access to compromised company infrastructure, who published more than 2,300 offers on darknet forums. The most active sellers used the nicknames Novelli, orangecake, Pirat-Networks, SubComandanteVPN and zirochka; together their offers made up 25% of the access market.
2023: stealer data will become the main source of access to companies
The use of stealers, malware that steals data from infected computers and smartphones, is becoming a new way of gaining access to company infrastructure.
In 2022, data stolen by stealers entered the top 3 best-selling "goods" on the darknet, alongside the sale of access and bank card data (cardholder name, card number, expiry date, CVV).
Infection with a stealer usually happens through a malicious file downloaded to the victim's computer. These are not targeted attacks, but they hit a large number of users. As a result the attackers obtain text data containing logins, passwords, session cookies, browser fingerprints, information about the user's system, the victim's personal files, and access to messengers and cryptocurrency wallets.
With the growing popularity of remote work and single sign-on (SSO) services, access to critical company infrastructure shows up in stealer logs more and more often. Over the analyzed period more than 400,000 accesses to single sign-on (SSO) services, 18,000 to VPN and 3,000 to Citrix services were found in stealer logs on underground markets. Between H2 2021 and H1 2022 Group-IB specialists found more than 200 ads selling stealers and more than 150 threads distributing this type of malware for free on cybercrime forums.
Overall, stealers became the second most significant cyber threat of 2022 after ransomware. Russian-speaking scammers who in 2019-2021 worked the "Mammoth" scheme (fake courier delivery, rentals and dates) switched in 2022 to stealer-based attacks to harvest data for later monetization.
Another trend: data stolen by stealers is increasingly kept by attackers in log clouds, services that give buyers access to stolen confidential information. Such services first appeared in 2018, but their popularity peaked in 2022, when 102 clouds were discovered. More than 12,000 accesses to Auth0, 1,700 to Okta and 700 to OneLogin were found in log clouds.
Group-IB Threat Intelligence analysts note high demand for logs, which in turn will drive an increase in the number of stealer attacks.
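The report states that stealer logs and log clouds contain credentials for corporate SSO (Okta, Auth0, OneLogin), VPN and Citrix services, alongside session cookies. The script below is an added example written for this page, not Group-IB's code or tooling: it shows how a defender who obtains such a dump (from a monitoring vendor or a takedown) can triage it. The input format, one `url|login|password|cookie_count` line per saved credential, is an assumption modelled on common stealer output, and every host, login and password in the sample is constructed. The script classifies each entry into the access categories the report names, flags password reuse across hosts, and lists accounts whose session cookies were captured.

```python
"""Triage a stealer-log credential dump for corporate access.
Added example for this page, not Group-IB's code. The "url|login|password|cookie_count"
line format is an assumption modelled on common stealer output; sample data is constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample dump: hypothetical hosts, logins and passwords.
SAMPLE_DUMP = """\
https://acme.okta.com/login/login.htm|j.doe@acme.example|Summer2022!|3
https://vpn.acme.example/remote/login|jdoe|Summer2022!|0
https://acme-corp.auth0.com/u/login|j.doe@acme.example|Summer2022!|1
https://citrix.partner.example/Citrix/StoreWeb/|j.doe|Other!Pass9|2
https://shop.example.com/account|j.doe@gmail.example|hunter2|0
https://login.onelogin.com/login2/|ops@acme.example|OpsPass#1|4
"""

# The SSO providers the report names. Matched against the URL host only,
# so a lookalike path such as example.com/okta.com does not count.
SSO_HOST = re.compile(r"(^|\.)(okta|auth0|onelogin)\.com$")
VPN_HOST_PREFIXES = ("vpn.", "sslvpn.", "remote.", "gateway.")
CITRIX_PATH = re.compile(r"/citrix/", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    url: str
    login: str
    password: str
    cookies: int  # session cookies captured together with the credential

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_dump(text: str) -> list[Entry]:
    """Parse the assumed pipe-separated format; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        url, login, password, cookies = parts
        entries.append(Entry(url, login, password, int(cookies)))
    return entries


def classify(entry: Entry) -> str:
    """Map an entry to the access categories the report distinguishes."""
    host = entry.host
    if SSO_HOST.search(host):
        return "sso"
    if CITRIX_PATH.search(entry.url):
        return "citrix"
    if host.startswith(VPN_HOST_PREFIXES) or "/remote/" in entry.url.lower():
        return "vpn"
    return "other"


def is_corporate(entry: Entry, corporate_domains: set[str]) -> bool:
    """True if the URL host or the login's mail domain belongs to the company."""
    host = entry.host
    login_domain = entry.login.rsplit("@", 1)[-1].lower() if "@" in entry.login else ""
    return login_domain in corporate_domains or any(
        host == d or host.endswith("." + d) for d in corporate_domains
    )


def triage(entries: list[Entry], corporate_domains: set[str]) -> dict:
    """Group relevant entries by category, flag password reuse and live sessions."""
    relevant = [e for e in entries
                if is_corporate(e, corporate_domains) or classify(e) != "other"]
    by_category: dict[str, list[str]] = {"sso": [], "vpn": [], "citrix": [], "other": []}
    for e in relevant:
        by_category[classify(e)].append(e.url)

    # Password reuse across distinct hosts: one stolen password opens several
    # doors. Only the host groups are reported, never the password itself.
    hosts_by_password: dict[str, set[str]] = {}
    for e in entries:
        hosts_by_password.setdefault(e.password, set()).add(e.host)
    reused = [sorted(h) for h in hosts_by_password.values() if len(h) > 1]

    # Captured session cookies may still be valid after a password reset,
    # so these accounts need their sessions revoked, not just a new password.
    revoke_sessions = sorted({e.login for e in relevant if e.cookies > 0})
    return {
        "by_category": by_category,
        "reused_passwords": reused,
        "revoke_sessions": revoke_sessions,
    }


if __name__ == "__main__":
    result = triage(parse_dump(SAMPLE_DUMP), {"acme.example"})
    for category, urls in result["by_category"].items():
        print(f"{category}: {len(urls)} entries")
    print("sessions to revoke:", result["revoke_sessions"])
```

The point of the `revoke_sessions` list is the caveat a responder needs: the report lists session cookies among the stolen data, and a stolen cookie can keep working after the password has been changed, so sessions in the identity provider should be terminated before or together with the reset. The reuse check matters because the same password appearing against SSO, VPN and a third-party portal turns one infected laptop into several entry points.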
2023: the number of database leaks will increase
The vast majority of the leaked databases of Russian companies that appeared in 2022 on underground forums and dedicated Telegram channels were posted publicly for free. Against the background of the current geopolitical crisis, cybercriminals have changed their motive: not to make money, but to inflict reputational or economic damage on Russian business and its clients.
Over the three summer months 140 databases were published, and the record was set in August with 100 leaks, which included databases of 75 Russian companies. The victims included online delivery services, transport, construction and medical companies, online cinemas, telecom operators and others. According to Group-IB experts, the total number of rows across all the summer leaks amounted to 304 million.
In 2023, the number of compromised databases may increase, and the intensity of the confrontation in cyberspace will increase.
"The Russian market of cyber intelligence-based services is experiencing a new birth, a kind of renaissance, since most Russian companies realized in 2022 that a huge number of cyber security solutions are useless: they are not equipped with darknet scanning technologies, do not compare the attack and the attacker, do not have predictive analytics and do not allow building their own picture of cyber threats for each individual company," says Valery Baulin, CEO of Group-IB in Russia and the CIS. "Using unique solutions for monitoring the infrastructure, tactics and tools of cybercriminals, Group-IB experts in their new analytical report give a detailed cross-section of cyber threats and answer the questions of who attacks businesses, how and why."