A to Z of Cyber in 2023

by | Feb 12, 2024 | Tech Articles

Every year at the ADF Cyber Skills Challenge, Simon and Remy give a talk on the year that was in cyber security. To wrangle so much into a palatable format they use an A to Z list and jam the interesting events in there. The talk is always a hoot and a great start to the conference. For the first time we're also providing it in blog format so you too can read it if you weren't there.

For those who missed it – A to Z of interesting, contentious or hilarious cyber happenings and trends in 2023.

A – Artificial Intelligence

AI had an incredible year of developments and adaptations for mainstream use. AI has affected, and will continue to affect (both negatively and positively), how the information security industry tackles its days: from ChatGPT being coaxed into writing malware in its early releases, to language models turning up in large-scale information operations and propaganda, to one researcher in January using AI to clone his voice and give real-time voice responses over the telephone (albeit with some awkward delays). Adversaries are hard at work with the new technology too: one scammer made thousands of dollars selling "leaked" Frank Ocean tracks that were generated with AI.

It isn't perfect of course: the code ChatGPT produces is not written with security in mind and should be reviewed by a human before it is used (if you choose to use it for this). The screenshot here is a snippet generated by ChatGPT from the prompt: "write me some javascript that will take user input, search through a page full of text, and highlight the matching words". ChatGPT wrote a code block that does the job, but it writes the result straight into the element's innerHTML property. If the page text (or the search term) contains markup that has not been escaped, the browser parses it, and that is an XSS vulnerability. It isn't bad, it just isn't best practice when createElement and textContent could build the same highlight without ever parsing the text as HTML.

picture 1

Interestingly, when we posed the same question to LLaMa2 (Facebook's large language model) it produced very similar code, except that it wrote the <span> tags into the textContent property instead of innerHTML. So it wasn't vulnerable, but it also doesn't work: textContent treats the tags as literal text, so the user sees the tags rather than a highlight…
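To make the difference concrete, here is an added example (ours, not the ChatGPT or LLaMa2 output from the screenshots) that models the three behaviours in Python, outside a browser: the innerHTML-style version that glues raw text into markup, a version that escapes the text before wrapping the matches, and the textContent-style version that escapes everything, tags included. The <span class="hl"> markup and the sample page text are assumptions for the demonstration.

```python
from __future__ import annotations

import html
import re


def split_matches(text: str, term: str) -> list[tuple[str, bool]]:
    """Split `text` into (chunk, is_match) pairs, matching `term` literally
    and case-insensitively. Pure string logic, so it works outside a browser."""
    if not term:
        return [(text, False)]
    # Splitting on a capturing group keeps the matches at the odd indexes.
    parts = re.split("(" + re.escape(term) + ")", text, flags=re.IGNORECASE)
    return [(chunk, i % 2 == 1) for i, chunk in enumerate(parts) if chunk]


def highlight_innerhtml(text: str, term: str) -> str:
    """What the ChatGPT snippet effectively does: raw text and <span> tags are
    concatenated and handed to innerHTML. Markup already present in the text
    (say, a stored <img onerror=...>) is parsed and executed by the browser."""
    return "".join(
        f'<span class="hl">{chunk}</span>' if hit else chunk
        for chunk, hit in split_matches(text, term)
    )


def highlight_escaped(text: str, term: str) -> str:
    """Safe string version: every text chunk is HTML-escaped and only our own
    <span> tags survive as markup. This is the same guarantee the browser gives
    you for free when you build nodes with createElement/textContent."""
    return "".join(
        f'<span class="hl">{html.escape(chunk)}</span>' if hit else html.escape(chunk)
        for chunk, hit in split_matches(text, term)
    )


def highlight_textcontent(text: str, term: str) -> str:
    """What the LLaMa2 snippet effectively renders: the whole built-up string,
    tags included, is assigned to textContent, so the browser escapes all of it.
    Not exploitable, but the user sees literal <span> tags instead of a highlight."""
    return html.escape(highlight_innerhtml(text, term))


if __name__ == "__main__":
    # Constructed page text carrying an XSS payload, as a stored-XSS page might.
    page = 'Reset your password <img src=x onerror="alert(document.cookie)"> today'
    for fn in (highlight_innerhtml, highlight_escaped, highlight_textcontent):
        print(f"{fn.__name__:22} {fn(page, 'password')}")
```

Run it and compare the three lines: only the first one hands the browser an unescaped <img> tag. In a real page the escaped version is what you get by building nodes with createElement and setting textContent on each, which is the fix the post is pointing at.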

B – Business Email Compromise

Business email compromise (BEC) is a form of email fraud in which a threat actor gains access to a business email account (by social engineering, credential stuffing, and so on) and uses that access to intercept or manipulate payments and conduct unauthorised transfers of funds, or impersonates trusted senders to collect business information. None of that is new in 2023; what is new is the scale the FBI has put on it in its internet crime reporting. BEC topped US$50B in losses over the last 9 years, and it is now approximately 50x more profitable than ransomware.

The FBI report released in 2022 put BEC at approximately US$2.4B per year for cybercriminals, compared with US$49M a year for ransomware. In Australia, ASD's Annual Cyber Threat Report recorded self-reported BEC losses for FY2022-23 just shy of $80 million, and that is only the attempts that were recognised and reported.[i]

C – CVE-2023-23397

This CVE is a Microsoft Outlook elevation of privilege vulnerability that leaves behind few digital artifacts for endpoint forensic analysis. The vulnerability sits in Outlook's PlayReminderSoundFile routine, which goes looking for the reminder sound file. A threat actor sets the PidLidReminderFileParameter property of a calendar item or task to a UNC path pointing at an SMB server they control. When the reminder fires, Outlook connects to that path and authenticates, forwarding the user's Net-NTLMv2 hash, and the attacker has a Net-NTLMv2 hash leak on their hands to relay or crack offline. All without any interaction with a malicious email, link or attachment: simply from the reminder being processed. If you are a Mac user you don't need to worry (nor do Outlook for Android, iOS or web users); this one affects all versions of Microsoft Outlook for Windows.[ii]

Microsoft attributed in-the-wild exploitation to a Russian state-sponsored threat actor it tracks as Forest Blizzard (STRONTIUM) and shipped the fix in its March 2023 Patch Tuesday (go and update if you haven't already, Windows users). STRONTIUM primarily targets government, energy, transportation and non-governmental sectors in the United States, Europe and the Middle East. The United States and United Kingdom governments have linked the group to Unit 26165 of the Russian Federation's military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Other security researchers track similar activity as GRU Unit 26165, APT28, Sednit, Sofacy and Fancy Bear.[iii]

picture2

Credit to Unit 42, here.

D – DP World

In November 2023, DP World Australia was hit by a cyber security incident that forced the company to close its ports in Melbourne, Sydney, Brisbane and Fremantle for three days while it contained the incident. The shipping company is responsible for 40% of Australia's maritime freight. DP World detected unauthorised access on its Australian corporate network and disconnected the network from the internet to contain it. Files relating to current and past employees were accessed and a small amount exfiltrated, while operations were back to 100% on the 10th day post detection.[iv]

E – Essential Eight (again)

The Essential Eight – the Australian Cyber Security Centre’s eight recommended strategies for mitigating cyber security incidents as a BASELINE for good cyber hygiene. The Commonwealth Cyber Security Posture in 2023 (a report ASD gives to parliament) has been released.

Of 189 Commonwealth entities just… 17% are at E8 Maturity Level 2. This is up from 11% in 2022 and 4% in 2021. It is increasing, but we can do better.

We’ll keep putting this in our A to Z until we get 80% plus.

F – Freejacking

Unit 42 uncovered a significant freejacking operation and attributed it to a South Africa-based group, Automated Libra. For those to whom 'freejacking' is new: it is the technique of harvesting free trials of cloud services to mine cryptocurrency. This group was highly automated and generated more than 130,000 fake accounts on free or limited-use cloud platforms including Heroku, GitHub and ToggleBox. For more on the operation, see Palo Alto's write-up.[v]

G – Gainesville, Georgia

A search warrant executed in Georgia against James Zhong led to the discovery of a towel-wrapped PC in a Cheetos tin that contained 50,591 BTC. These gains are alleged to be the profits of Zhong’s wire fraud activities on the Silk Road marketplace. Zhong was sentenced to 1 year and 1 day imprisonment in 2023. See the US Department of Justice’s read out here, the two highlights are copied below: the Cheetos tin and a PC wrapped in a towel.

picture 4

picture 3

H – His Majesty’s Treasury

Earlier this year His Majesty's Treasury in London advertised for a new Head of Cyber Security, offering a massive 57 thousand pound salary, which sits nicely around the EL1 level. The job description included leading a team of two cyber analysts protecting Treasury from cyber and technical threats, similar to an infosec supervisor or SOC lead, who would be expecting much more. In Australia, a Head of anything would sit somewhere near the Band 1 level, around double the salary Treasury offered.[vi]

Good luck to the poms on that. Hoping they filled it (and that the person asked for more).

I – Israel/Hamas conflict

The Israel-Hamas conflict is the second significant conflict in very recent history to showcase cyber attacks aligned with kinetic strikes, and the deeply felt effects that combination can have when hacktivists jump in to attack in the name of their cause. The conflict has been at the forefront of global politics, and those who watched the Russia-Ukraine conflict have already seen the real-world effects hacktivists can have on people inside conflict zones.

The graph below, generated by Cloudflare from their data, shows the number of requests Israeli citizen protection websites received over a 90-minute window. As you can see, there is a small spike roughly 15 minutes after the Hamas rocket attack began, then an enormous spike roughly 45 minutes after the start. Cloudflare attributed this to a short DDoS attack.[vii]

picture51

Further, around 23 October, a pro-Palestinian hacktivist group called AnonGhost exploited a flaw in an Israeli real-time rocket alert app, intercepting rocket warnings so they never reached their intended recipients and spamming users with a false warning of an incoming nuclear bomb.[viii] And this is only some of the activity hacktivists have undertaken for their sides.

J – Jobs

Excuse the wall of numbers; this will (mostly) be explained. Below are the statistics from AustCyber's AUCyber Explorer, which visualises the state of the Australian cyber security workforce. On the left, job openings for dedicated or related cyber security roles, with slightly more dedicated roles than related ones, while the total employed workforce sits more in related roles than dedicated ones. At the bottom, the great majority of roles are full time and in urban areas (not necessarily linked), so if you are looking for part time in a regional location you may be hard pressed to find your perfect role. To the right, the most popular titles for the various roles we undertake in cyber security, and the skills to brush up on to meet the most advertised requirements. Then to the middle top: according to this data the ACT is the best place to be for the ratio of applicants to job openings, with 5.41 people per role advertised, well below the national average of 9.56 per opening. The second slider shows the density of employer demand compared with the national average of one; unsurprisingly, the ACT is the densest at 1.80. One stat the below doesn't show you: comparing states and territories, the ACT has more cyber security employees than the Northern Territory, South Australia and Tasmania added together, or 80.6% of Western Australia's cyber security workforce.

Long story short – if you are in cyber security, you will most likely end up working in a related role, full time and in an urban area with a knowledge base in information security, network security and ISO 27001, and business cards reading “<your name here>, Cyber Security Analyst”. Also that urban area is probably Canberra….

picture 6

 

K – kids

Ransomware gangs once claimed to have taboo targets, but in 2023 they have been hitting organisations that look after children and ruining what reputations they had. According to Malwarebytes Labs, the education sector saw an 84% increase in ransomware attacks in the first half of 2023 compared with the previous six months at the end of 2022. Note that this is based only on data from dedicated leak sites (where ransomware operations name their less cooperative clients, aka the victims who don't pay).

One example from March 2023: Minneapolis Public Schools was hit by an attack that led to around 300,000 files being published online when the district didn't pay a USD 1 million ransom.

In December 2022, a LockBit affiliate encrypted and attempted to ransom the Hospital for Sick Children (SickKids) in Toronto, Canada. The LockBit ransomware gang operates as Ransomware-as-a-Service (RaaS), like any other blank-as-a-Service: affiliates use the LockBit toolkit in something close to a subscription, and a portion of their proceeds (the ransom) goes back to the core gang, who maintain the source code and sometimes provide training and negotiation specialists. Back to the kids: in this instance the LockBit gang denounced the rogue affiliate for crossing the line and handed over a decryptor, albeit a fortnight later, at the turn of the year, after SickKids had already restored about 50% of its priority systems.

L – Lazarus Group

A terrific middle of the year for Lazarus Group, who continued their crypto-heist expertise, with reporting indicating they have lifted USD3 billion since 2018.

  • June: AtomicWallet needed to make back USD100 million
  • July: Alphapo found themselves out USD60 million
  • August: CoinsPaid lost USD37 million
  • September: stake.com was down USD41 million
  • September: CoinEx lost USD55 million
  • And a suspected September heist from Mixin of USD200 million. While there is no confirmation yet, the biggest heist of the year is expected to be linked back to the North Korean hackers.

M – Mitnick

America's "Most Famous Hacker"-turned-cybersecurity-consultant-and-author Kevin David Mitnick passed away in July 2023.

picture 7

N – Netscaler (CVE-2023-4966)

CVE-2023-4966, more colloquially known as Citrix Bleed, is not your standard buffer overflow; in fact nothing is overflowed at all, it's an over-read. The bug sits in a couple of Citrix NetScaler functions that implement OpenID Connect discovery. Read along with the decompiled code below. When an HTTP request hits the OpenID Connect discovery endpoint, the application builds the OpenID-compliant JSON document to send back with snprintf, formatting the string with the Host taken straight from the request's HTTP Host header. It then sends that JSON to the requester via ns_vpn_send_response.

Look at the last argument to that function: the length of data to send is the return value of snprintf. The catch is that snprintf does not return the number of bytes it actually wrote. When the output doesn't fit, it tells you the next best thing: the length it would have written had the buffer been big enough. Nothing clamps that number back to the buffer size.

So if you can push the formatted string past the 0x20000-byte buffer (about 22k characters of Host does it, since the host is substituted six times), ns_vpn_send_response happily copies that many bytes from the buffer onto the wire, and whatever sat in memory after the buffer comes back to you. In practice that has included session tokens for users logged in to the appliance, which can be replayed without ever seeing an MFA prompt. Ransomware gangs were quick to jump on this one and have been exploiting it since at least August 2023.
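To see why the return value matters, here is an added simulation in Python (ours, not NetScaler code and not the decompiled routine in the screenshots). It models C snprintf semantics, the 0x20000-byte response buffer with something sensitive sitting right after it in memory, and a send routine that trusts snprintf's return value. The OpenID discovery template with the host substituted six times, and the session cookie placed after the buffer, are assumptions for the demonstration.

```python
BUF_SIZE = 0x20000  # size of the response buffer per the write-up

# OpenID Connect discovery document with the Host header substituted six times.
# The exact field list NetScaler uses is an assumption; six substitutions is the
# property that matters, because it lets ~22k characters of Host overrun 0x20000.
TEMPLATE = (
    '{{"issuer":"https://{h}",'
    '"authorization_endpoint":"https://{h}/oauth/idp/login",'
    '"token_endpoint":"https://{h}/oauth/idp/token",'
    '"jwks_uri":"https://{h}/oauth/idp/certs",'
    '"userinfo_endpoint":"https://{h}/oauth/idp/userinfo",'
    '"end_session_endpoint":"https://{h}/oauth/idp/logout"}}'
)


def snprintf(dst: bytearray, cap: int, text: str) -> int:
    """C snprintf semantics: write at most cap-1 bytes plus a NUL into dst, but
    return the length the *whole* string would have had. That return value is
    the bug's whole story."""
    data = text.encode()
    n = min(len(data), cap - 1)
    dst[0:n] = data[:n]
    dst[n] = 0
    return len(data)


def ns_vpn_send_response(mem: bytearray, length: int) -> bytes:
    """Stand-in for the send routine: copies `length` bytes from the start of
    the buffer onto the wire, no questions asked."""
    return bytes(mem[:length])


class Appliance:
    """Toy process image: the response buffer, then whatever happened to be next."""

    # Constructed: a logged-in user's session cookie living just past the buffer.
    SECRET = b"Set-Cookie: NSC_AAAC=adminsessioncookie0123456789abcdef; Path=/"

    def __init__(self) -> None:
        self.memory = bytearray(BUF_SIZE + 4096)
        self.memory[BUF_SIZE:BUF_SIZE + len(self.SECRET)] = self.SECRET

    def openid_discovery(self, host: str, patched: bool = False) -> bytes:
        body = TEMPLATE.format(h=host)
        n = snprintf(self.memory, BUF_SIZE, body)  # n may exceed BUF_SIZE
        if patched:
            n = min(n, BUF_SIZE - 1)               # clamp to what was actually written
        return ns_vpn_send_response(self.memory, n)


def bytes_leaked(response: bytes) -> int:
    """How many bytes past the end of the buffer made it onto the wire."""
    return max(0, len(response) - BUF_SIZE)


if __name__ == "__main__":
    app = Appliance()
    normal = app.openid_discovery("vpn.example.com")
    print("normal host: %d bytes, leaked %d" % (len(normal), bytes_leaked(normal)))
    oversized = app.openid_discovery("A" * 22000)
    print("22k host:    %d bytes, leaked %d, cookie in response: %s"
          % (len(oversized), bytes_leaked(oversized), Appliance.SECRET in oversized))
    fixed = app.openid_discovery("A" * 22000, patched=True)
    print("patched:     %d bytes, leaked %d" % (len(fixed), bytes_leaked(fixed)))
```

The one-line clamp in the patched branch is the entire class of fix: never pass snprintf's return value to a copy or send routine without comparing it against the buffer size first. The same mistake shows up wherever code treats "would have written" as "did write".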

picture 8

picture 9

O – ODIN Intelligence

ODIN Intelligence is a US technology firm developing and supplying a suite of products for law enforcement. The one that made headlines, and not for good reasons, was a product for coordinating multi-agency operations called SweepWizard.

The problem with SweepWizard was a classic misconfiguration: a cheeky unauthenticated API that returned data to anyone who requested a specific SweepWizard URL from any web browser. For those asking, an API is a software interface that applications use to talk to each other; for web services it is how an app pulls internal data out of the backend, and it is supposed to demand the right authentication token before handing anything over.

SweepWizard data exposed to the internet included:

  • Name, location, height, weight, eye colour, and social security numbers of 5,770 suspects, including juveniles.
  • Name, phone number, and email addresses of an unspecified number of law enforcement officers.
  • Details of over 200 operations, including planned warrant execution times, dates, locations, and targets.

For a profession that relies on tightly held information staying tightly held, the element of surprise and covert operations – this product could not be doing worse.[ix]

A few days later the Odin Intelligence website was hacked and defaced.

P – Papercut (CVE-2023-27350)

A tasty CVSS 9.8 CVE dropped in March 2023: a bug in the PaperCut print management software. A rare one indeed, as CVEs in print management software are not something you see every day. Lucky too, for those who do the exploiting, because every organisation has networked printers. Roughly, it affects versions 8 through 22, with a few minor releases that reportedly aren't affected.

PaperCut is written in Java and the bug is in the web interface. The snippet below is the tail end of a Java class called SetupCompleted. When PaperCut is first installed and the setup wizard is finished in the web interface, this class redirects the user to the dashboard as the admin user without asking for credentials.

The SetupCompleted page is never actually removed from the installation, so an attacker can browse to it post-install and be redirected straight to the dashboard as admin: an authentication bypass. From there one can enable scripting in the web platform, and with scripting, call subprocesses on the operating system and onwards to a complete compromise.

Oh, and the tastiest part for last, PaperCut runs as SYSTEM.

picture 10

Q – Quishing

Quishing is a social engineering technique where a victim is lured into handing over information or visiting a malicious website by scanning a QR code. So phishing via QR code = 'quishing'. 2023 saw a substantial increase in quishing, with some industry reporting putting the rise as high as 51% on 2022. One notable campaign used a Microsoft Authenticator enrolment theme and evaded domain filtering using Bing marketing redirection. For more on this, Intel471 covers it well in this blog post.[x]

R – Raids

RaidForums shut down in 2022, BreachForums shut down in 2023. Both were websites that infamously hosted data breaches, amongst a bunch of other shady stuff.

RaidForums found itself shut down and its domain seized by the FBI et al. in 2022, when the owner, 'Omnipotent', a Portuguese national taking a trip to the United Kingdom, was suplexed by a bunch of black-jumpsuit police.

The lesson here, which we could all see coming, is that when you run an international cybercrime domain it is not recommended to holiday in FIVE EYES countries or in those your illegal activity victimises.

Not to be deterred, a replacement called BreachForums popped up to fill the market gap. And where did our dark entrepreneur administer this site from? New York, New York! 20-year-old Conor Fitzpatrick was arrested by the FBI at his home for his part in running the forum for a year. Arrested in March 2023, Fitzpatrick has since taken a plea bargain, which is probably a good move because he is facing 40-ish years in prison plus a potential lifetime supervision order upon release due to sexually explicit content of minors found on the servers.[xi]

picture 11

picture 12

 

S – SEO Poisoning

SEO poisoning isn't exactly a new concept, but there was a sizeable uptick in this activity between January and March 2023.

The technique involves hosting fraudulent websites for popular software, modifying or replacing the software download with a malicious version, then manipulating search rankings or paying for ads to bump the fake to the top of Google results.

You can see in the screenshots here that when searching for OBS Studio or Notepad++ the top results are unofficial websites; in Notepad++'s case it's fairly sneaky, the only difference is the top-level domain (the real N++ site is .org).

picture 13

picture 14

The screenshot below is not exactly SEO poisoning but more of a Not Cool (but smart) move from Domino's marketing team targeting people googling where to order pizza. If you google 'Pizza Hut' you get an automatic 40% off at Domino's. The cheeky move is actually including Pizza Hut in the page title.[xii][xiii]

picture 15

 

T – T-Mobile (Telcos and their APIs)

In January 2023 T-Mobile disclosed that a threat actor had stolen 37 million account records. Then in May 2023 they were hit by another attack that impacted only 836 customers; still bad, and 'only' because in comparison 836 is not much next to 37 million. T-Mobile is now up to eight cyber security incidents since 2018.

In a suspiciously familiar-sounding press release on the big one, T-Mobile said that the data was stolen by the actor 'abusing' an exposed API.[xiv] In the release, T-Mobile revealed the attacker had been pulling data through the exposed API since November 25, 2022. The organisation detected the malicious activity on January 5, 2023 and cut off the attacker's access to the API the next day.

 

U – Unsolicited Traffic

U is for Unsolicited Traffic! A title that demonstrates a use case for ChatGPT: when the DP World incident happened we had to bump DDoS off the letter D.

What a year for DDoS!

CVE-2023-44487 is a vulnerability in the HTTP/2 protocol itself that abuses the stream cancellation feature. To summarise: with HTTP/2 a client can request a resource from a web server and then cancel that request (an RST_STREAM frame) before the server delivers it. It's a handy feature when a browser decides it no longer needs something that has scrolled out of the viewport, and it lets the server free up those resources.

The DoS condition comes from a client opening streams and resetting them as fast as it can send the frames. Each request still costs the server the work of parsing it and kicking off the backend call, but a cancelled stream no longer counts against the connection's concurrent-stream limit, so the attacker is never throttled by it. This is extremely efficient from an attacker's perspective, and in 2023 Google reported a record-breaking DDoS that peaked at 398 million requests per second. To put that in perspective, the entire internet normally generates somewhere between 1 and 3 billion requests per second, meaning that at its peak this DDoS was somewhere between 13 and 40% of all internet requests.

Back to the bug: it's a CVE in the protocol. Meaning that if you serve HTTP/2, you were exposed regardless of application or operating system, and every server implementation had to ship its own mitigation (typically rate-limiting resets per connection) rather than there being a single upstream fix.
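What a mitigation looks like, as an added example (ours, not from any particular server or from the Google write-up): since the protocol itself cannot be fixed, servers defend by counting RST_STREAM frames per connection and tearing down connections that reset far more streams than a browser ever would. The guard below does that over a sliding window and is run against two constructed frame traces, a normal page load and a rapid-reset burst. The thresholds and the traces are assumptions; tune the numbers to your own traffic.

```python
from __future__ import annotations

from collections import deque
from typing import Iterable, Optional

HEADERS = "HEADERS"        # client opens a new stream
RST_STREAM = "RST_STREAM"  # client cancels it


class RapidResetGuard:
    """Per-connection counter: close the connection when the client sends more
    than `max_resets` RST_STREAM frames within any `window` seconds. A stream
    that is opened and immediately reset still costs the server the work of
    parsing the request but never counts against the concurrent-stream limit,
    which is why the throttling has to key off the reset rate instead."""

    def __init__(self, window: float = 1.0, max_resets: int = 200) -> None:
        self.window = window
        self.max_resets = max_resets
        self.resets = deque()       # timestamps of recent RST_STREAM frames
        self.streams_opened = 0

    def observe(self, ts: float, frame_type: str) -> bool:
        """Feed one client frame; return True when the connection should be closed."""
        if frame_type == HEADERS:
            self.streams_opened += 1
            return False
        if frame_type != RST_STREAM:
            return False
        self.resets.append(ts)
        while self.resets and ts - self.resets[0] > self.window:
            self.resets.popleft()   # forget resets older than the window
        return len(self.resets) > self.max_resets


def first_trip(frames: Iterable[tuple[float, str]],
               guard: Optional[RapidResetGuard] = None) -> Optional[int]:
    """Index of the frame at which the guard fires, or None if the trace is clean."""
    guard = guard or RapidResetGuard()
    for i, (ts, frame_type) in enumerate(frames):
        if guard.observe(ts, frame_type):
            return i
    return None


def browsing_trace() -> list[tuple[float, str]]:
    """Constructed: a page load opening 60 streams over a second and cancelling
    6 of them (images scrolled out of view), which is ordinary browser behaviour."""
    frames = []
    for i in range(60):
        frames.append((i / 60, HEADERS))
        if i % 10 == 9:
            frames.append((i / 60 + 0.001, RST_STREAM))
    return frames


def rapid_reset_trace(pairs: int = 5000) -> list[tuple[float, str]]:
    """Constructed: the CVE-2023-44487 pattern, HEADERS immediately followed by
    RST_STREAM, thousands of times, all inside a fraction of a second."""
    frames = []
    for i in range(pairs):
        t = i * 0.0001
        frames.append((t, HEADERS))
        frames.append((t, RST_STREAM))
    return frames


if __name__ == "__main__":
    print("browsing:    trips at", first_trip(browsing_trace()))
    print("rapid reset: trips at frame", first_trip(rapid_reset_trace()))
```

The browsing trace never trips; the attack trace is cut off at the 201st reset, a few hundred frames in, long before the thousands of cancelled requests reach the backend. Real servers layer this with per-IP connection limits, since the attacker's answer to a closed connection is simply to open another one.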

The second bug we're looking at is another protocol bug: CVE-2023-29552! Service Location Protocol (SLP) has been around since 1997 and is used for discovery and communication between devices on a local network. It's not meant to be exposed to the internet, but the little red dots on the map show that there are a few servers out there that are, mostly:

  • Planex routers
  • IBM Integrated Management Modules
  • Konica Minolta printers
  • and ESXi servers (more on these next).

The reason this is interesting is that it's a newly discovered bug that allows for DDoS amplification: an attacker registers bogus services with an exposed SLP server until its reply to a single small request is enormous, then spoofs the victim's address as the source of that request. A good DNS amplification will net you about 50x; this one will give you up to 2200x.

CVE-2023-44487           (HTTP/2)

picture 16

CVE-2023-29552           (SRVLOC)

picture 17

V – VMware ESXi

The common hypervisor has seen a surge in targeted attacks throughout 2023.[xv] This was fuelled by multiple unpatched vulnerabilities, as well as an uptick in cybercriminals recycling code from the 2021 leak of the Babuk ransomware builder. Ransomware operations deploying custom Linux encryptors for VMware ESXi servers include Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, RansomEXX and Hive (according to Bleeping Computer).

Up to December 2023, Mario, Conti, Play, REvil, Rorschach and Cylance (the ransomware, no relation to the vendor) all had a Babuk-derived ESXi locker, deployed throughout the year.

Goes to show, criminal groups have their own zeitgeist, and also, bad opsec.

W – Women

Where are they? We need more in cybersecurity.

RMIT released a report in March 2023 and, not to our surprise, found that the industry would benefit from more women. It is a dense read; if you are interested you can find it here!

The important statistic: 17% of the industry are women, drawn mostly from 2021 Census data. AustCyber say 24%, from the 2022 ABS labour survey.

X – X, the social media previously known as Twitter

The creator of Ethereum, Vitalik Buterin, found himself at the uncomfortable end of a pointed cyber attack when his Twitter account was hijacked and the hackers posted a link offering free NFTs to his followers. Those who clicked it were asked to connect their blockchain wallet to a site that then drained the cryptocurrency stored there. The tweet was up for 20 minutes and netted the attackers US$691,000.

This is the technique that won't die and people will keep falling for, but the interesting twist to this event was that it occurred in the same year Elon Musk announced he intended to make Twitter the "center of users' financial world", having partnered with eToro to get users investing in stocks and cryptocurrency within the platform. A smart hack and one we can educate against (you can click on the links here; there is no crypto wallet login on this page).

Y – Yemen

In May 2023, Yemen got its first threat actor of note: OilAlpha, a pro-Houthi group operating from Yemen. The group targets political representatives, media and journalists for espionage, almost exclusively by dropping Android RATs, and relies heavily on social engineering over WhatsApp. OilAlpha spoofs international humanitarian organisations operating in the Arabian Peninsula and one Norwegian non-government organisation. Read Recorded Future's report on OilAlpha here.

Z – Zero-Days, not a zero count

2023 was the year of zero-days, with 96 uncovered over the year, beating the previous high of 81 held by 2021. The number was largely driven by a high count of new browser exploits. A zero-day vulnerability is an undisclosed vulnerability in software that attackers can exploit to compromise programs, gain unauthorised access to sensitive data, penetrate networks and so on. A vulnerability is a zero-day when there is no fix available from the affected software's vendor and it is being actively exploited by malicious actors. A zero-day candidate is a potential zero-day in software which might have been used in targeted attacks, but for which there is no evidence to support that suggestion.

 

 

 

 

 

[i] ASD Cyber Threat Report 2022-23, November 2023. Chapter 4 – Cybercrime, https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023

[ii] Unit42 https://unit42.paloaltonetworks.com/threat-brief-cve-2023-23397/

[iii] Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog

[iv] DP World Media Statement, 28 November 2023. https://www.dpworld.com/australia/news/releases/media-statement-update-on-cybersecurity-incident/

[v] PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources (paloaltonetworks.com)

[vi] The Record by Recorded Future, Alexander Martin, 31 March 2023. https://therecord.media/head-of-cyber-role-salary-uk-hm-treasury

[vii] Cloudflare, Omer Yoachimik & Jorge Pacheco, 24 October 2023. https://blog.cloudflare.com/cyber-attacks-in-the-israel-hamas-war/

[viii] Cybernews, Vilius Petkauskas, 15 November 2023. https://cybernews.com/cyber-war/israel-redalert-breached-anonghost-hamas/

[ix] WIRED – Dhruv Mehrotra 11 January 2023, https://www.wired.com/story/sweepwizard-police-raids-data-exposure/

[x] Intel471. 31 October 2023. https://intel471.com/blog/phishing-emails-abusing-qr-codes-surge

[xi] Bleeping Computer, Sergiu Gatlan, 23 June 2023. https://www.bleepingcomputer.com/news/security/fbi-seizes-breachforums-after-arresting-its-owner-pompompurin-in-march/

[xii] CrowdStrike, Bart Lenaerts-Bergmans, 4 May 2023. https://www.crowdstrike.com/cybersecurity-101/attack-types/seo-poisoning/

[xiii] Flashpoint Intel Team, 30 May 2023. https://flashpoint.io/blog/seo-poisoning-threat-actors-using-search-engines/

[xiv] Bleeping Computer, Sergiu Gatlan, 19 January 2023. https://www.bleepingcomputer.com/news/security/t-mobile-hacked-to-steal-data-of-37-million-accounts-in-api-data-breach/#:~:text=New%20data%20breach%20impacts%2037,the%20API%20one%20day%20later.

[xv] Bleeping Computer, Lawrence Abrams, 4 August 2023. https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-4th-2023-targeting-vmware-esxi/

 

 

Remy

Experienced Cyber Security Operations Leader and Consultant, Remy is an Ex-Military Defensive Cyber Operations Officer with 10+ years experience in IT administration and implementation, network and security engineering, and integrations. Remy can hold his own in the Boardroom and with the Nerds in the basement. He delivers technical-to-executive language translation, exceptional written reports, and could train an orangutan to use a password manager (okay he's never done that last one but he has trained a lot of people at all levels to improve their cyber security).