Kaspersky Security Bulletin

Advanced threat predictions for 2023

It is fair to say that since last year’s predictions, the world has dramatically changed. While the geopolitical landscape has durably shifted, cyberattacks remain a constant threat and show no signs of receding – quite the contrary. No matter where they are, people around the world should be prepared for cybersecurity incidents. A useful exercise in that regard is to try to foresee the future trends and significant events that might be coming in the near future.

We polled our experts from the GReAT team and have gathered a small number of key insights about what APT actors are likely to focus on in 2023. But first, let’s examine how they fared with the predictions for 2022.

What we predicted in 2022

Mobile devices exposed to wide attacks

Although 2022 did not feature any mobile intrusion story on the scale of the Pegasus scandal, a number of 0-days have still been exploited in the wild by threat actors. Last June, Google’s TAG team released a blog post documenting attacks on Italian and Kazakh users that they attribute to RCS Lab, an Italian offensive software vendor. In another publication, Google also followed up on the activities of a similar vendor named Cytrox that had leveraged four 0-day vulnerabilities in a 2021 campaign.

The cyber-offense ecosystem still appears to be shaken by the sudden demise of NSO Group; at the same time, these activities indicate to us that we’ve only seen the tip of the iceberg when it comes to commercial-grade mobile surveillance tooling. It’s also likely that the remaining actors will make every effort to reduce their public exposure from now on, limiting our visibility into their activities.

From a different angle, reporting from The Intercept revealed mobile surveillance capabilities available to Iran for the purposes of domestic investigations that leverage direct access to (and cooperation of) local telecommunication companies. Looking back at past leaks of private companies providing such services, such as in the case of Hacking Team, we learned that many states all over the world were buying these capabilities, whether to complement their in-house technologies or as a stand-alone solution they couldn’t develop. This reveals a likely blind spot for defenders and endpoint vendors: in a number of cases, perhaps even the majority, attackers have no need for 0-days and malware deployment to gain access to the information they need. This story also raises questions about whether attackers who have breached telecommunication companies would also be able to leverage these legal interception systems.

Verdict: some incidents, but no major event ❌

Private sector supporting an influx of new APT players

The previous discussion covered a number of private companies that have filled the void left by NSO and have made a business of providing offensive software to their customers. In 2022, the GReAT team tracked several threat actors leveraging SilentBreak’s toolset as well as a commercial Android spyware we named MagicKarakurt. One question mark here is that it’s difficult to tell whether we’re seeing new APT actors being bootstrapped by commercial toolsets, or established ones updating their TTPs.

BruteRatel, an attack tool comparable to CobaltStrike, remains on our radar when it comes to APT adoption. A recent leak has put it in the hands of cybercrime actors and it is very likely that by the end of the year we will see it involved in APT cases too.

A worrying trend we did not explicitly mention is underlined by a Meta report published shortly after last year’s predictions. In the report, they describe the emergence of a “surveillance-for-hire” sector composed of companies all around the world that provide cyber-offensive services for (hopefully) law-enforcement customers. In practice, Facebook found that not only criminals or terrorists were targeted by such groups, but journalists, dissidents and human rights activists as well. Our own research confirms that mercenary threat actors such as DeathStalker were very active in 2022.

Source: Meta

Verdict: prediction fulfilled ✅

More supply chain attacks

Following the SolarWinds incident, we foresaw that attackers would notice the enormous potential of the supply chain attack vector. In 2022, we spotted malicious Python packages distributed through the PyPI archive (CheckPoint also detected 10 of them). As Cisco Talos notes, Python is not alone in this: NPM, NuGet or RubyGems are all potential candidates for such attacks and all it would take for a catastrophic event would be the compromise of a single developer’s credentials. Doubling down on developer-specific threats, IBM presented noteworthy research at this year’s edition of BlackHat, evidencing how source code management or continuous integration systems could be leveraged by attackers.
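The single-credential-compromise risk described above is what hash-pinned dependency lockfiles are meant to contain: a build accepts an artifact only if its digest matches one recorded when the dependency was reviewed, so a replaced upload on the registry is rejected rather than installed. The following is an added example, not code from the bulletin or from pip; it reimplements the checking logic in plain Python on constructed artifacts and uses a simplified one-line form of pip's `--hash=sha256:` lockfile syntax (package names, versions and artifact bytes are all made up for the demonstration).

```python
"""Hash-pinned dependency verification in the style of pip's --require-hashes
lockfiles. Example code added here; not from the bulletin or from pip.

Constructed scenario: a lockfile was generated from artifacts the team
reviewed; later a build pulls artifacts from a mirror, one of which has been
replaced and one of which was never pinned. Both are rejected before install.
"""
import hashlib
import hmac
import re

# Simplified single-line pin: "name==version --hash=sha256:<hex> [--hash=...]"
# (pip's real files also allow backslash line continuations; not handled here).
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_lockfile(artifacts: dict) -> str:
    """artifacts: {"name==version": [bytes, ...]} (e.g. wheel and sdist per release)."""
    lines = []
    for req, blobs in sorted(artifacts.items()):
        hashes = " ".join(f"--hash=sha256:{sha256_hex(b)}" for b in blobs)
        lines.append(f"{req} {hashes}")
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict:
    """Return {"name==version": {hex digests}}. A requirement without hashes is
    an error: a single unpinned entry defeats the whole scheme."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        digests = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m.group("hashes")))
        if not digests:
            raise ValueError(f"{m.group('name')} is not hash-pinned")
        pins[f"{m.group('name')}=={m.group('version')}"] = digests
    return pins


def lockfile_is_fully_pinned(text: str) -> bool:
    try:
        parse_lockfile(text)
        return True
    except ValueError:
        return False


def verify_downloads(pins: dict, downloads: dict) -> dict:
    """downloads: {"name==version": bytes}. Return {req: "ok" | reason}.
    compare_digest keeps the comparison constant-time."""
    results = {}
    for req, blob in downloads.items():
        if req not in pins:
            results[req] = "rejected: not in lockfile"
            continue
        actual = sha256_hex(blob)
        if any(hmac.compare_digest(actual, expected) for expected in pins[req]):
            results[req] = "ok"
        else:
            results[req] = "rejected: sha256 mismatch"
    for req in pins.keys() - downloads.keys():
        results[req] = "missing: pinned but not downloaded"
    return results


# Constructed artifacts as reviewed at lock time (not real packages).
TRUSTED_ARTIFACTS = {
    "example-lib==1.4.2": [b"constructed wheel bytes for example-lib 1.4.2"],
    "helper-tool==0.9.0": [
        b"constructed wheel bytes for helper-tool 0.9.0",
        b"constructed sdist bytes for helper-tool 0.9.0",
    ],
}
LOCKFILE = make_lockfile(TRUSTED_ARTIFACTS)

# Constructed mirror contents at build time: one artifact tampered, one unpinned.
MIRROR_DOWNLOADS = {
    "example-lib==1.4.2": b"constructed wheel bytes for example-lib 1.4.2",
    "helper-tool==0.9.0": b"constructed sdist bytes for helper-tool 0.9.0 + injected payload",
    "colorz==2.0.1": b"constructed bytes for a package nobody pinned",
}


def check_mirror() -> dict:
    """Verify the mirror downloads against the lockfile."""
    return verify_downloads(parse_lockfile(LOCKFILE), MIRROR_DOWNLOADS)


if __name__ == "__main__":
    for req, verdict in sorted(check_mirror().items()):
        print(f"{req:24} {verdict}")
```

In a real pipeline the equivalent is `pip install --require-hashes -r requirements.txt`, which refuses any requirement lacking a hash and any download whose digest does not match; the example's rejection of unpinned entries mirrors that rule, because one unpinned line is enough to let a compromised upload through.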

Another aspect of supply chain security is the reliance on open-source software components that may contain vulnerabilities: this was the root cause of a Zimbra 0-day massively exploited in the wild this year.

When it comes to stealthy malware pushed to customers in the form of a software update however, we are not aware of any significant event in 2022, so we’ll only count this prediction as partially accomplished.

Verdict: prediction partially fulfilled 🆗 (more cases, no major event)

Continued exploitation of remote work

The reasoning behind this prediction is that we expected that in 2022, companies would still be lagging behind the transformative effects the COVID-19 crisis had on work organization. In many cases, this led to a rushed deployment of remote access means for employees, in the form of appliances that could be misconfigured, or hadn’t received much security attention until now.

A massive number of vulnerabilities were patched in such devices this year (firewalls, routers, VPN software…) – whether or not each of these vulnerabilities was exploited in the wild before being discovered, they affect devices that are not typically updated in a timely fashion and become prime targets for hackers immediately after vulnerability details are published. Such discoveries usually lead to massive and indiscriminate exploitation, and compromised machines are sold on dark markets to secondary buyers for the purposes of ransomware deployment.

Our own telemetry also confirms that RDP brute-force attacks have remained predominant throughout 2022.
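Brute-force logon attempts of this kind are visible in Windows Security logs as repeated event 4625 (failed logon) with logon type 10 (RemoteInteractive, the RDP logon type). The detector below is an added example, not from the bulletin or from any Kaspersky product; it runs a sliding-window count per source address over constructed records and flags sources that exceed a threshold, recording how many distinct usernames were tried (a password-spraying indicator) and whether a successful logon from the same source followed the burst. The field names (`ts`, `event_id`, `logon_type`, `src_ip`, `user`) are an assumption standing in for whatever your log collector exports.

```python
"""Sliding-window detector for RDP brute-force activity in Windows Security
event records. Example code added here; not from the bulletin.

Records are constructed and mimic the fields of events 4625 (failed logon)
and 4624 (successful logon) with Logon Type 10 (RemoteInteractive). The field
names are an assumption; map them from your collector's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10  # RemoteInteractive

# Constructed sample (not real telemetry): 203.0.113.7 sprays six accounts in
# under a minute and then logs on successfully; 198.51.100.24 is a user who
# mistypes a password twice; the last record is a non-RDP failure to be ignored.
SAMPLE_EVENTS = [
    {"ts": "2022-11-10T08:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2022-11-10T08:00:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"ts": "2022-11-10T08:00:15", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.24", "user": "jdoe"},
    {"ts": "2022-11-10T08:00:17", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"ts": "2022-11-10T08:00:26", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_sql"},
    {"ts": "2022-11-10T08:00:31", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.24", "user": "jdoe"},
    {"ts": "2022-11-10T08:00:34", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"ts": "2022-11-10T08:00:42", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "test"},
    {"ts": "2022-11-10T08:00:50", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.24", "user": "jdoe"},
    {"ts": "2022-11-10T08:02:03", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_sql"},
    {"ts": "2022-11-10T09:30:00", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.7", "user": "guest"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for sources producing >= threshold failed RDP
    logons within any sliding `window`. Each alert records the largest burst
    seen, the distinct usernames tried, and whether a successful RDP logon
    from the same source followed within `window` of the last failure."""
    # ISO-8601 timestamps sort correctly as strings.
    rdp = sorted((e for e in events if e["logon_type"] == LOGON_TYPE_RDP), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src_ip -> deque of (ts, user) failures inside the window
    alerts = {}
    for e in rdp:
        ts = datetime.fromisoformat(e["ts"])
        ip = e["src_ip"]
        q = recent[ip]
        while q and ts - q[0][0] > window:  # drop failures that aged out
            q.popleft()
        if e["event_id"] == EVENT_LOGON_FAILED:
            q.append((ts, e["user"]))
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"first": q[0][0], "last": ts, "failures": 0,
                                           "users": set(), "success_after_burst": False})
                a["last"] = ts
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif e["event_id"] == EVENT_LOGON_SUCCESS and ip in alerts:
            # A success shortly after a flagged burst is the high-priority signal.
            if ts - alerts[ip]["last"] <= window:
                alerts[ip]["success_after_burst"] = True
                alerts[ip]["success_user"] = e["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {a['failures']} failures, {len(a['users'])} usernames, "
              f"success_after_burst={a['success_after_burst']}")
```

The threshold and window are deliberately parameters: a legitimate user retrying a password stays below five failures in five minutes, while a spray across many account names from one address crosses it quickly. The success-after-burst flag is what should page someone, since it marks a guessed credential rather than noise.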

Verdict: prediction fulfilled ✅

Increase in APT intrusions in the META region, especially Africa

At the end of last year, we expected the rise of Africa to be one of the major geopolitical events of the year in light of the ever-increasing investment and relationships with China and the Middle East.

We have indeed seen an increase in the number of persistent, sophisticated attacks targeting various states in META and specifically Africa. Over the last year we saw quite a few new threats active in the region: the most recent publication about Metador targeting telecommunication companies, HotCousin expanding its operations to this region, the numerous campaigns deploying various IIS backdoors, DeathStalker and Lazarus attacking multiple industries there, and a mysterious SSP-library backdoor discovered on governmental and non-profit entities.

Statistically speaking, we released information about an increase in backdoor infections on the continent. While such raw statistics are difficult to interpret and are not necessarily linked to strong APT activity, they could correlate with the increase in APT attacks we’ve seen in the region in 2022.

One glaring example is Iran, which faced a series of spectacular hacks and sabotages. Its atomic energy agency, live television and steel industry have been targeted, among others.

Verdict: prediction fulfilled ✅

Explosion of attacks against cloud security and outsourced services

One of the major cyber-incidents of 2022 took place early this year: the Okta hack. Okta was breached through one of its service providers, Sitel, itself compromised via the insecure VPN gateway of a recently acquired company. Fortunately for them, the hacker appears to have been a lone 16-year-old. Unfortunately for us, it demonstrates how easy it must be for sophisticated attackers to penetrate (and, in all likelihood, remain undetected) major platforms. Okta is a widely used authentication services provider, and it is safe to assume that a hacker controlling their network would be able to infect any of their customers.

In related news, CISA released an advisory in May warning managed service providers that it saw an increase in malicious activity targeting their sector. Beyond this, we also saw reports of important data leaks related to misconfigured AWS S3 buckets, although those are nothing new. Overall, we count this prediction as having turned out to be accurate.

Verdict: prediction fulfilled ✅

The return of low-level attacks: bootkits are ‘hot’ again

In line with our predictions, we released two blog posts in 2022 introducing sophisticated low-level bootkits. The first one, in January, was MoonBounce; the other was CosmicStrand in July 2022. In both cases, we described new UEFI firmware bootkits that managed to propagate malicious components from the deepest layers of the machine up to Windows’ user-land. Amn Pardaz also released a report about a malicious program called iLOBleed, which affects a management module present on HP servers and should be counted in the same category. Such highly sophisticated implants remain rare, and witnessing three separate cases in a single year is significant.

Worthy of mention is Binarly’s excellent work on firmware vulnerability research with 22 high-severity vulnerabilities discovered in low-level components for 2022, indicating an enormous attack surface remains. As Gartner once put it: “There are two types of companies – those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it.”

Verdict: prediction fulfilled ✅

States clarify their acceptable cyber-offense practices

The rise of hacker indictments as part of states’ retorsion measures led us to believe that each of them would be forced to clarify their vision of what acceptable behavior in cyberspace is. Indeed, since most states admit to having their own cyber-offense program, there is a need to clarify why their own activities are tolerable while those of their adversaries deserve legal action. We therefore expected various parties to release a sort of taxonomy indicating which types of ends would justify the means.

Shortly after the release of our predictions (yet still in 2021), the UK released its Integrated Review of Security, Defence, Development and Foreign Policy in which it describes its vision of what a “responsible democratic cyber power” should be. No other country followed suit. With many key “cyber powers” engaged one way or another in the Ukrainian conflict, cyber-diplomacy has unfortunately taken a back seat and we are seeing less transparency (as well as fewer calls for transparency) in the cyber realm. In the end, our assessment that the world was moving towards a clarification of cyber-policies didn’t come to pass.

Verdict: very limited fulfillment of the prediction ❌

APT predictions for 2023

And now, we turn our attention to the future. Here are the developments we think we could be seeing in 2023.

The rise of destructive attacks

2022 bore witness to brutal geopolitical shifts that will echo for years to come. History shows that such tensions always translate to increased cyber-activities – sometimes for the purpose of intelligence gathering, sometimes as a means of diplomatic signaling. With the antagonism between the West and the East having reached the maximum possible level short of open conflict, we unfortunately expect 2023 will feature cyberattacks of unprecedented gravity.

Specifically, we foresee that a record number of disruptive and destructive cyberattacks will be observed next year, affecting both the government sector and key industries. One caveat is that in all likelihood, a proportion of them will not be easily traceable to cyber-incidents and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations in order to provide plausible deniability for their real authors.

In addition, we also fear that a limited number of high-profile cyberattacks against civilian infrastructure (energy grid or public broadcasting for instance) will take place. A last point of concern is the safety of underwater cables and fiber distribution hubs in such a context, as they are particularly difficult to protect from physical destruction.

Mail servers become priority targets

In the past years, we have seen vulnerability researchers increasingly focus on email software. The reason is simple: mail servers are huge software stacks that must support many protocols and have to be internet-facing to operate properly. The market leaders, Microsoft Exchange and Zimbra, have both faced critical vulnerabilities (pre-authentication RCEs) that were exploited, sometimes massively, by attackers before a patch was available.

We believe that research into mail software vulnerabilities is only getting started. Mail servers have the double misfortune of harboring key intelligence of interest to APT actors and having the biggest attack surface imaginable. 2023 will very likely be a year of 0-days for all major email software. We encourage system administrators to immediately set up monitoring for these machines, due to the unlikelihood that patching (even in a timely fashion) will be sufficient to protect them.

The next WannaCry

Statistically, some of the largest and the most impactful cyber epidemics occur every 6-7 years. The last incident of the sort was the infamous WannaCry ransomware-worm, leveraging the extremely potent EternalBlue vulnerability to automatically spread to vulnerable machines.

Fortunately, vulnerabilities that enable the creation of worms are few and far between, and need to meet a number of conditions to be suitable (reliability of the exploit, stability of the target machine, etc.). It is extremely difficult to predict when such a bug will be discovered next, but we will take a wild guess and mark it up for next year. One potential reason increasing the likelihood of such an event is the fact that the most sophisticated actors in the world likely possess at least one suitable exploit of the sort, and current tensions greatly increase the chance that a ShadowBrokers-style hack-and-leak (see below) could take place.

APT targeting turns toward satellite technologies, producers and operators

It is nearly 40 years since the US’s Strategic Defense Initiative (nicknamed “Star Wars”) contemplated extending military capabilities to include space technologies. While such things may have seemed a little far-fetched in 1983, there have been several instances where countries have successfully interfered with satellites orbiting the earth.

Both China and Russia have used ground-based missiles to destroy their own satellites. There have also been claims that China has launched a satellite with a grappling arm that could be used to interfere with orbiting equipment and that Russia may have developed the same technology. We have already seen the hijacking of satellite communications by an APT threat actor.

If the Viasat incident is any indication, it is likely that APT threat actors will increasingly turn their attention to the manipulation of, and interference with, satellite technologies in the future, making the security of such technologies ever more important.

Hack-and-leak is the new black (and bleak)

There is still much debate regarding whether “cyberwar” indeed took place in the context of the Ukrainian crisis. It is however clear that a new form of hybrid conflict is currently unfolding, involving (among many things) hack-and-leak operations.

This modus operandi involves breaching a target and releasing internal documents and emails publicly. Ransomware groups have resorted to this tactic as a way to apply pressure on victims, but APTs may leverage it for purely disruptive ends. In the past, we’ve seen APT actors leak data about competing threat groups, or create websites disseminating personal information. While it is difficult to assess their effectiveness from the sidelines, there’s no doubt they’re part of the landscape now and that 2023 will involve a high number of cases.

More APT groups will move from CobaltStrike to other alternatives

CobaltStrike, released in 2012, is a threat emulation tool designed to help red teams understand the methods an attacker can use to penetrate a network. Unfortunately, along with the Metasploit Framework, it has since become a tool of choice for cybercriminal groups and APT threat actors alike. However, we believe that a number of threat actors will begin to use other alternatives.

One of these alternatives is Brute Ratel C4, a commercial attack simulation tool that is especially dangerous since it has been designed to avoid detection by antivirus and EDR protection. Another is the open-source offensive tool Sliver.

In addition to off-the-shelf products abused by threat actors, there are other tools that are likely to be included in APT toolsets. One of these, Manjusaka, is advertised as an imitation of the Cobalt Strike framework. The implants of this tool are written in the Rust language for Windows and Linux. A fully functional version of the C&C written in Golang is freely available and can easily generate new implants with custom configurations. Another is Ninja, a tool that provides a large set of commands, which allows attackers to control remote systems, avoid detection and penetrate deep inside a target network.

Overall, we suspect that CobaltStrike is receiving too much attention from defenders (especially when it comes to the infrastructure), and that APTs will make attempts to diversify their toolsets in order to remain undetected.

SIGINT-delivered malware

It has been almost 10 years since the Snowden revelations shed light on the FoxAcid/Quantum hacking system used by the NSA. It involves leveraging “partnerships with US telecoms companies” to place servers in key positions of the internet backbone, allowing them to perform man-on-the-side attacks. This is one of the most potent attack vectors imaginable, as it allows victims to be infected without any interaction. In 2022, we saw another threat actor replicate this technique in China, and there is little doubt in our minds that many groups have worked tirelessly to acquire this capability. While deploying it at scale requires political and technological power available to few, it is likely that by now Quantum-like tools have been implemented on the local level (i.e., at country level, by relying on national ISPs).

Such attacks are extremely hard to spot, but we predict that their becoming more widespread will lead to more discoveries in 2023.

Drone hacking!

Despite the flashy title, we’re not talking about hacks of unmanned aircraft used for surveillance or even military support (although that could happen too). This final prediction concerns itself with the other way around: the use of commercial-grade drones to enable proximity hacking.

Year after year, drones available to the general public gain additional range and capabilities. It wouldn’t take too much work to mount one of them with a rogue Wi-Fi access point or an IMSI catcher; or sufficient tooling that would allow the collection of WPA handshakes used for offline cracking of Wi-Fi passwords. Another attack scenario would be using drones to drop malicious USB keys in restricted areas, in the hope that a passer-by would pick them up and plug them into a machine. All in all, we believe this to be a promising attack vector, likely to be used by bold attackers or specialists already adept at mixing physical- and cyber-intrusion.

See you next year to see how we fared!
