Forescout Releases 2023H1 Threat Review

In a new threat briefing report, Forescout Vedere Labs looks back at the most relevant cybersecurity events and data between January 1 and July 31, 2023 (2023H1) to emphasize the evolution of the threat landscape. The activities and data Forescout saw during this period confirm trends it has been observing in its recent reports, including threats to unmanaged devices that are less often studied.

Overall, 2023H1 continued the trend of threat actors exploiting an increasingly diverse attack surface. Notably, Forescout saw more evidence of the type of “cross-device” attacks it first demonstrated with R4IoT and then observed with botnets such as Chaos. Some threat actors are now routinely mixing traditional endpoints with unmanaged devices such as VPN appliances, routers, NAS and building automation devices as part of their attack campaigns.

Below, Forescout distills the key findings of the report and provide mitigation recommendations.

H2: Building automation devices are becoming increasingly easy targets.

Mirai botnet variants in 2023H1 have been exploiting a new vulnerability on an access control device that was already a target in the past, as well as vulnerabilities on devices used to monitor solar power generation in small facilities. Additionally, Schneider Electric published an advisory in April about publicly available exploits targeting vulnerabilities from 2020 and 2022 in their KNX devices and linking back to a previous advisory about attacks on these systems. Later, CISA declared all devices using certain configurations of the popular KNX protocol to be vulnerable, while more than 12,000 of those devices are exposed online.

There were at least 25 CISA vulnerability advisories in the period related to devices used in building automation functions such as access control and power management. Looking into Shadowserver statistics, Forescout saw 13 vulnerabilities on building automation devices from nine vendors that are being exploited, while none of them is yet present on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

H2: Network infrastructure has become a favorite target for initial access and traffic proxying.

Several Russian and especially Chinese state-sponsored actors have been focusing on exploiting vulnerabilities on and developing custom malware for routers and VPN devices, while cybercriminals are leveraging routers and other compromised devices for residential proxies. Increased activity targeting network infrastructure led CISA to issue a specific operational directive about reducing the risks from these devices in June.

H2: NAS devices often host malware other than traditional DDoS botnets.

In a report in July, Forescout showed how network attached storage (NAS) had recently become the riskiest IoT device on organizations networks, partly because of targeted ransomware campaigns that compromised thousands of devices and partly because of how often they are exposed online. In 2023H1, Forescout also saw new vulnerabilities being exploited (such as CVE-2023-27992), vulnerabilities ranking among the top exploited (such as CVE-2022-27593) and advanced malware such as Raspberry Robin, which targets traditional IT, being distributed via compromised NAS on the internet.

H2: The ransomware landscape never stops changing.

Although ransomware has probably been the most prominent threat for at least the last five years, groups continue to morph, appearing and disappearing quickly, sometimes being used to disguise state-sponsored activities. In  2023H1, Forescout saw new families distributing ransomware packaged with infostealers, hacktivists using custom ransomware on OT devices and established families experimenting with ransomware on embedded devices.

Some well-known ransomware gangs remain very active even after one year, such as LockBit, Cl0p and ALPHV, but other groups that were relevant last year have disappeared, such as Conti and Hive, due to internal conflicts, law enforcement takedowns or by rebranding to stay under the radar. Entirely new groups now also figure among the most active, such as Malas and 8Base. Overall, the ransomware landscape is more fragmented this year with 53 groups reporting attacks, 36% more than the 39 groups in the same period last year.

Ransomware victims were located in more than 100 countries, but almost half (48%) are in the U.S., followed by several European countries (26% in total). The other roughly 25% are spread across the world. The services industry was the top target, with 16% of attacks, followed by manufacturing (13%) and technology (11%). Other top targets include healthcare, retail, financial services and education.

H2: Other notable observations: old favorites and new tools

Most vulnerabilities added to the CISA KEV catalog are from before 2023. Although new vulnerabilities are dangerous because usually there hasn’t been enough time to patch, organizations tend to dismiss older vulnerabilities, believing that they present lower risk. The KEV catalog includes evidence of older vulnerabilities being exploited not only on IT software but also building automation devices. Some of the exploited vulnerabilities in Table 1 are more than five years old.

Attackers are increasingly using open-source tools as part of their infrastructure. The trend to commoditize attack tools continues strongly. Malicious actors now have a wide choice of open-source tools, developed as legitimate applications, that they can use in campaigns, from phishing attacks to command-and-control infrastructure.

H2: What the numbers tell us about the threat landscape

During the first six months of 2023, Forescout saw:

• 16,556 new vulnerabilities get published, an average of 78 new CVEs per day or 2,365 per month. That is 2,220 more than in the same period of last year, an increase of 15%. Of the new vulnerabilities, 17% had a critical score.

• 113 CVEs added to CISA’s KEV catalog, which brought the catalog to a total of 981 vulnerabilities (a 13% increase). An average of 16 new vulnerabilities were added per month. Most of these newly exploited vulnerabilities (52%) were not published in 2023. There was a vulnerability added from 2004 and four vulnerabilities added that affect end-of-life products.

• 182 updates about threat actors. These are mostly cybercriminals (51%), including ransomware groups, followed by state-sponsored actors (39%) and hacktivists (8%). These actors come mostly from Russia (25%), China (16%) and Iran (13%).

• 150 countries being targeted by these threat actors. The top targets were the U.S. (67% of actors), the U.K. (35%) and Germany (32%). The top targeted industries were government (53% of actors), financial services (49%) and technology (43%).

• 2,809 ransomware attacks, up from 2,526 in the same period last year (an increase of 11%). That is an average of 401 attacks per month or 13 per day.

H2: Mitigation recommendations

Based on all the observations of this period, Forescout recommends the following concrete risk mitigation actions:

• Prioritize extending visibility, risk mitigation and network segmentation to cover the increased attack surface being exploited. Some of the devices being leveraged in attacks, such as network infrastructure, may already be in your radar but other types, such as NAS and building automation, are more likely to be forgotten during risk assessments. These, and other risky devices, are all now relevant for attackers, so you need to ensure that you proactively secure them. That means you should, at a minimum:

  1. Have the proper visibility into these devices in terms of their presence on the network, the software they run and who they communicate with
  2. Understand their risk in terms of vulnerabilities, weak configurations, exposure and other factors
  3. Segment them properly to prevent threats from moving between network segments of different criticalities

• Do not overlook older vulnerabilities and end-of-life systems. Although there are new CVEs being published all the time, the old ones that still work against your devices will get exploited just as well. Make sure your risk assessment tool also helps you prioritize which vulnerabilities to patch and which devices to replace. Pay attention to vulnerabilities that may have been forgotten in previous patching cycles but are now being leveraged by threat actors.

• Ensure that threat detection covers every device in the whole organization. Because threats now move from one type of device to another, you must be able to detect them across the organization – from an entry point that may be a vulnerable router to a pivot point that may be a misconfigured workstation and finally to a target that may be an insecure OT device. Make sure your threat detection solution covers all types of devices and multiple sources of data, including firewalls, intrusion detection systems, endpoint detection and response, and others.

• Follow the latest threat intelligence about ransomware and other actors. As threat actors continue to evolve and their targets change, you need to stay up-to-date by consuming the latest threat intelligence, whether that is machine-readable indicators of compromise or threat reports from leading cybersecurity researchers.

• Hunt for threats using emerging tools. Once you are confident you can detect threats in your environment that use traditional tools (such as Cobalt Strike), it’s time to extend your capabilities to detect emerging tools, such as Sliver. Threat actors move fast when using new tools, so you need to keep up the pace.