The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on key trends. This year-end wrap up of cybersecurity topics include our 2023 State of Encrypted Attacks Report, DarkGate activity, Agent Tesla attacks, holiday cyber attack trends, and predictions for 2024.
Zscaler ThreatLabz 2023 State of Encrypted Attacks report
The ThreatLabz 2023 State of Encrypted Attacks Report offers the latest insights on today’s encrypted threat landscape. The report is based on our analysis of more than 29 billion blocked threats from the world’s largest inline security cloud.
This year we witnessed an increase in threats over HTTPS, which grew by 24% during 2022. For the second year in a row, manufacturing was the industry most commonly targeted, with education and government organizations seeing the highest year-over-year increase in attacks. Additionally, malware, which includes malicious web content and malware payloads, continued to dominate over other types of encrypted attacks. Ad spyware sites and cross-site scripting accounted for 78% of all blocked attacks.
Other key findings include:
- The Education and Government sectors experienced a 276% and 185% year-over-year surge in encrypted attacks, respectively.
- Ad spyware sites account for 18.1% of encrypted attacks — that’s about 5.4 billion attacks between October 2022 to September 2023. This is a 290.5% year-over-year increase, establishing ad spyware sites as significant threats to users.
- Browser exploits increased by 297.1%, which comes out to about 15.8 million attacks between October 2022 to September 2023. That’s a huge difference from last year’s report, where ThreatLabz observed only about 4 million attacks.
Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.
Recent DarkGate Activity & Trends
DarkGate is a malware family dating back to 2018. It gained prominence after the demise of Qakbot through a Malware-as-a-Service (MaaS) offering advertised in underground cybercrime forums starting in the summer of 2023.
Between June and October of 2023, ThreatLabz observed the following DarkGate intrusion trends:
- DarkGate activity surged in late September and early October.
- ThreatLabz found a concentrated level of activity among hostnames that have been in existence for 50-60 days.
- Based on analysis of our cloud telemetry, the technology industry is the most targeted by DarkGate at 36.7%.
Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.
Threat actors (still) exploiting CVE-2017-11882 to deliver Agent Tesla
Agent Tesla, an advanced keylogger first seen in 2014, is spreading by exploiting a known vulnerability in the equation editor of Microsoft Office. This vulnerability, CVE-2017-11882, gives threat actors the ability to perform remote code execution. Initial infection is accomplished through sending victims phishing emails that contain malicious attachments. The attachments include words like “order” and “invoices” to lure targeted users into opening them.
Threat actors attempt to obfuscate their activities by including a VBS file in the infection chain. This file introduces a layer of complexity for analysts trying to decipher details of this Agent Tesla attack. Attackers use code injection to insert the Agent Tesla payload into the RegAsm.exe process. This allows the malware to perform malicious actions under the guise of being a legitimate process.
Read more about Agent Tesla attacks
Holiday shopping themed cyber attacks targeting enterprises
The increase in online shopping on Black Friday, Thanksgiving, and Cyber Monday make them popular holidays for cybercriminals to exploit. As expected, Zscaler ThreatLabz observed a surge in phishing, malware, and scam campaigns between November 19th and November 24th. ThreatLabz observed a 244% increase in global online shopping transactions between November 19th and November 24th. Within the United States, ThreatLabz saw a 136% increase in online shopping transactions during this period. Black Friday (November 24th) is the most popular day for online shopping in the United States, with activity picking up at 9am GMT and peaking at 4pm GMT.
In addition to online shopping trends, our report examines a Microsoft-themed phishing campaign that leverages Black Friday. This campaign tricks users into entering credentials into a fraudulent Microsoft page and then sends them to a domain controlled by a threat actor.
Read our full analysis on holiday cyber attacks
Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.
Key threat trends of 2023
AI was a hot topic in 2023, as the tech sector considered the uses and implications of large language models (LLMs) like ChatGPT. ThreatLabz investigated the topic by analyzing AI/ML and ChatGPT trends across enterprises throughout 2023. Both threat actors and security professionals are finding innovative ways to put LLMs and other AI technology to use.
Ransomware attacks had a strong year, surging 37% according to our research. We found the average enterprise ransom demand to be $5.3 million and the average payment exceeding $100,000. Ransomware-as-a-service (RaaS) groups were active with BlackCat/ALPHV launching significant attacks against casinos.
Social engineering attacks became more effective as threat actors adopted AI to boost their efficacy. The technology was effectively used in vishing (voice phishing) attacks against the gaming industry by the ScatteredSpider group. Threat groups are also using LLMs to create more convincing phishing emails.
VPN/Firewall security issues experienced by several prominent organizations served as a strong reminder that it is imperative to switch to a zero trust architecture. Last year we saw an increase in VPN-related vulnerabilities. In fact, 50% of surveyed organizations reported experiencing a VPN-related cyber attack in 2023.
Enterprise tools were a prime target for threat actors in 2023. The interconnected nature of many of today’s enterprise tools make them prime candidates for supply chain attacks. The vulnerable nature of many crucial enterprise tools highlights a strong need for organizations to consider adopting third-party risk management solutions.
Predictions for 2024
As we begin our journey into 2024 there there are certain events in our industry we seem likely to encounter, including:
- An increase in generative AI-driven reconnaissance, exploitation, and phishing attacks. As this technology lowers the skill level needed to successfully perform phishing attacks we can anticipate seeing more. AI can also assist with automating cyberattacks, and the upcoming US election may generate additional interest from global threat actors.
- Innovations in ransomware-as-a-service (RaaS). Like AI, RaaS can lower the barrier to entry for less-skilled threat actors. RaaS providers can help threat actors in various ways ranging from launching encryption-less attacks to breaching systems via initial access brokers(IABs).
- A rise in man-in-the-middle (MitM) attacks. Phishing-as-a-service toolkits make this attack tactic widely available and easier to implement. Businesses without a proxy-based zero trust architecture, full TLS inspection, and FIDO2 multifactor authentication (MFA) will be particularly vulnerable.
- Supply chain attacks on generative AI ecosystems. As generative AI grows in popularity the technology will become an increasingly tempting target for threat actors. Attackers will leverage new ways to strategically exploit weaknesses in various components of AI and its supply chain.
- Attackers respond to SEC regulations. The SEC regulations mandating disclosure of material breaches will drive strategic shifts in security teams. Anticipating this, threat actors may focus on covert strategies, sophisticated evasion techniques and encryption to prolong undetected access.
About ThreatLabz
ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.
The Zscaler Zero Trust Exchange
Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 7300+ customers, securing over 300 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI/ML and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
What to read next:
2023 State of Encrypted Attacks Report
2023 ThreatLabz State of Ransomware report
2023 was filled with cybersecurity challenges. Here’s to a brighter 2024