2023 has been another tumultuous year for cyber security, with a number of high-profile breaches and incidents making headlines around the world. From state-sponsored cyber-attacks to extortion campaigns, the threat landscape is constantly evolving. In this blog post we take a look at some of the most widely reported incidents of 2023.
The MOVEit hack traces back to the end of May 2023, when a severe flaw in MOVEit Transfer, a managed file transfer (MFT) product from Progress Software (sold under its Ipswitch brand), was publicly disclosed on May 31st. The product is widely used in industries such as healthcare, government, finance and aviation, and transfers files over protocols including SFTP, FTPS and HTTPS.
The vulnerability, designated CVE-2023-34362, is a SQL injection flaw in MOVEit Transfer's web application that can be exploited without authentication. It allows an attacker to access the application's database and, depending on the database engine in use (MySQL, Microsoft SQL Server or Azure SQL), to infer its structure and contents and to execute SQL statements that alter or delete data.
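To make the vulnerability class concrete, the following is an added example written for this post; it is not MOVEit Transfer's code and says nothing about that product's internals. It uses an in-memory SQLite database as a stand-in for the MySQL, SQL Server and Azure SQL back ends the product supports, with a constructed schema and constructed rows. It shows the same lookup written two ways: one that splices user input into the SQL text, and one that binds it as a parameter.

```python
"""Added illustration of the SQL injection class behind CVE-2023-34362.

Example code written for this post, not MOVEit Transfer's code. SQLite stands
in for the MySQL / SQL Server / Azure SQL back ends; the schema and rows below
are constructed sample data.
"""
import sqlite3


def build_db():
    """Constructed sample data: an accounts table and a more sensitive one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, email TEXT);
        INSERT INTO users VALUES ('alice', 'alice@example.com');
        INSERT INTO users VALUES ('bob',   'bob@example.com');
        CREATE TABLE api_keys (owner TEXT, api_key TEXT);
        INSERT INTO api_keys VALUES ('alice', 'sk-admin-0001');
    """)
    return conn


def lookup_vulnerable(conn, username):
    """Attacker-controlled input spliced straight into the SQL text.

    The database cannot tell where the developer's query ends and the
    attacker's input begins, so a quote in the input rewrites the query.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Same query, but the value travels as a bound parameter.

    The driver sends the SQL text and the value separately; the input is only
    ever compared as data, so ' OR '1'='1 is just an odd username.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Two classic payloads. The first defeats the WHERE clause and dumps every
# row; the second reads a different table entirely, the "access database
# contents" impact the vendor advisory describes.
PAYLOAD_DUMP_ALL = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT owner, api_key FROM api_keys --"


def demo():
    """Run both payloads against both implementations and return the rows."""
    conn = build_db()
    return {
        "vuln_dump_all": lookup_vulnerable(conn, PAYLOAD_DUMP_ALL),
        "vuln_union": lookup_vulnerable(conn, PAYLOAD_UNION),
        "safe_dump_all": lookup_safe(conn, PAYLOAD_DUMP_ALL),
        "safe_union": lookup_safe(conn, PAYLOAD_UNION),
        "safe_normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} -> {rows}")
```

The vulnerable lookup returns both users for the first payload and leaks the `api_keys` row for the second; the parameterised lookup returns nothing for either and still finds `alice` normally. The "alter or delete" impact is not shown here because Python's sqlite3 driver refuses stacked statements in `execute()`, but SQL Server in particular will happily run `'; DELETE FROM users --` appended to a string-built query, which is why parameterised queries rather than input filtering are the fix.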
At the time of writing, over 2,620 organisations and more than 77 million individuals are estimated to have been affected. Affected organisations include British Airways, the BBC, Aer Lingus, Bank of America, Avast and hundreds of universities and government agencies; several were hit not through their own MOVEit servers but through suppliers that used the product, such as the payroll provider Zellis.
The Russia-linked Clop ransomware group, blamed for numerous high-profile attacks since February 2019, exploited the flaw as a zero-day. Mass exploitation began over the US Memorial Day weekend (27th to 28th May), several days before the vendor's advisory, and by June 5th 2023 the group had publicly claimed responsibility for breaching many organisations. The campaign was pure data theft and extortion: no files were encrypted.
Progress released a patch for CVE-2023-34362 on the day of the advisory, May 31st 2023, followed by further fixes on June 9th and June 15th for two more SQL injection flaws (CVE-2023-35036 and CVE-2023-35708) uncovered during follow-up code review. Many organisations were nevertheless compromised before they patched, or never applied the fixes at all. Because Clop had already planted web shells on exploited servers, patching alone did not evict the attackers; affected organisations also had to hunt for indicators of compromise. The episode highlights the continuing need for effective patch management alongside compromise assessment.
Over 3.8 billion records were exposed by a misconfiguration at digital risk protection company DarkBeam.
The exposure, an unprotected web interface, was discovered on September 18th 2023 by a security researcher. The data had been aggregated by DarkBeam to alert clients to potential breaches and, ironically, consisted of information previously leaked in various earlier cyber-attacks. Among it were 16 collections labelled 'email 0-9' and 'email A-F', containing 239,635,000 pairs of login credentials.
The records sat in an Elasticsearch cluster, and its Kibana data visualisation interface, that were reachable from the internet without authentication. Exposures of this kind are typically down to human error, such as failing to re-enable authentication after maintenance, and the default Elasticsearch and Kibana ports are routinely scanned by both researchers and attackers, so an open instance is found quickly.
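The check a practitioner would want after reading this is whether their own Elasticsearch nodes answer anonymous requests. The following is an added example written for this post, not DarkBeam's configuration or code: it probes a node you are authorised to test, classifies the reply, and, if the node is open, lists what an anonymous visitor sees, namely every index name and its document count. The URLs and the sample responses at the bottom are constructed so the classification logic can be exercised offline.

```python
"""Added example: does an Elasticsearch node answer without credentials?

Example code written for this post, not DarkBeam's setup. The hostnames and
the sample responses below are constructed.
"""
import json
import urllib.error
import urllib.request


def classify_root_response(status, body):
    """Classify the reply to an unauthenticated GET / on an Elasticsearch port.

    A node with authentication enabled (or a proxy enforcing it) returns 401.
    An open node returns 200 with its cluster banner, which is what the
    scanners that find exposures like DarkBeam's look for.
    """
    if status == 401:
        return "auth-required"
    if status != 200:
        return f"unexpected-status-{status}"
    try:
        info = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(info, dict) and "cluster_name" in info and "version" in info:
        return "EXPOSED"
    return "not-elasticsearch"


def summarise_indices(body):
    """Parse GET /_cat/indices?format=json into [(index, docs)] and a total.

    docs.count is a string in the API and may be null for closed indices.
    """
    indices = []
    total = 0
    for row in json.loads(body):
        count = int(row.get("docs.count") or 0)
        indices.append((row["index"], count))
        total += count
    return indices, total


def fetch(url, timeout=5):
    """HTTP GET with no credentials; returns (status, body) even for 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url):
    """Probe a node you own, e.g. audit('http://10.0.0.5:9200') (hypothetical host)."""
    status, body = fetch(base_url + "/")
    verdict = classify_root_response(status, body)
    if verdict != "EXPOSED":
        return verdict, []
    _, cat = fetch(base_url + "/_cat/indices?format=json")
    indices, total = summarise_indices(cat)
    return f"EXPOSED: {total} documents across {len(indices)} indices", indices


# Constructed sample responses standing in for live HTTP replies.
SAMPLE_OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "es-prod",
                               "version": {"number": "7.17.9"},
                               "tagline": "You Know, for Search"})
SAMPLE_SECURED_ROOT = json.dumps({"error": {"type": "security_exception",
                                            "reason": "missing authentication credentials"},
                                  "status": 401})
SAMPLE_CAT = json.dumps([
    {"index": "leaked-emails-a", "docs.count": "120000000", "health": "green"},
    {"index": "leaked-emails-b", "docs.count": "75000000", "health": "green"},
    {"index": ".kibana_1", "docs.count": "42", "health": "green"},
])

if __name__ == "__main__":
    print(classify_root_response(200, SAMPLE_OPEN_ROOT))
    print(classify_root_response(401, SAMPLE_SECURED_ROOT))
    print(summarise_indices(SAMPLE_CAT))
```

The same anonymous-GET test applies to Kibana's `/api/status` endpoint on port 5601. On the Elasticsearch side the corrected state is `xpack.security.enabled: true` in `elasticsearch.yml` with a bound address that is not the public interface; anything that returns the cluster banner to the first function above is readable by anyone who finds it.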
On August 8th 2023, the UK's Electoral Commission disclosed a "complex cyber-attack" in which adversaries accessed copies of the electoral registers, putting at risk the personal data of approximately 40 million individuals.
The breach was first detected in October 2022, but the suspicious activity was traced back to August 2021. The attackers gained access to servers holding the Commission's email, its control systems and copies of the electoral registers from 2014 to 2022, including the names of overseas voters. The registers contained the names and addresses of everyone in the UK registered to vote in that period.
Security researchers noted that the Commission had been running an internet-facing Microsoft Exchange Server that was unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082). Those flaws were only disclosed in late September 2022, so they may account for the activity detected in October 2022 but not for the initial intrusion in August 2021, whose entry point has not been publicly confirmed.
Compromised data also included personal details held in the Commission's email, such as names, email and home addresses, phone numbers and other information submitted via web forms or email. Undermining the Commission's description of the attack as complex, a whistleblower told the BBC that the Commission had failed a Cyber Essentials audit in 2021, around the time of the intrusion, with findings that included out-of-date operating systems on staff laptops and mobile phones.
The LockBit ransomware group has been exploiting the Citrix Bleed vulnerability (CVE-2023-4966) in Citrix NetScaler ADC and NetScaler Gateway appliances to break into major organisations, leading to data theft and file encryption. The flaw leaks session tokens from the appliance's memory, letting an attacker hijack already-authenticated sessions and so bypass multi-factor authentication.
Despite Citrix releasing patches on October 10th 2023, a significant number of appliances, especially in the US, remain exposed. Notable victims include the Industrial and Commercial Bank of China, DP World, Allen & Overy and Boeing, with Citrix Bleed the recurring initial access vector. Because the flaw leaks session tokens, applying the patch is not enough on its own: tokens stolen before patching remain valid until their sessions end, so Citrix's guidance also calls for terminating all active and persistent sessions after upgrading.
These attacks are attributed to a LockBit affiliate exploiting this specific vulnerability to gain network access. LockBit operates as a Ransomware-as-a-Service platform and gives its affiliates considerable freedom in how they break in. The pattern mirrors the earlier GandCrab and REvil operations, whose affiliates often targeted particular industries or specialised in particular methods of access.
Over 10,000 NetScaler appliances around the world remain vulnerable to CVE-2023-4966, representing a substantial ongoing risk. The United States has the largest number of vulnerable appliances, with Germany, China and the UK also having significant counts. Often belonging to large organisations and sitting at the network edge as remote-access gateways, these unpatched devices continue to present a broad attack surface.
If you are worried about cyber threats, or need help determining what steps to take against the threats most material to your organisation, please get in touch to find out how we can help you protect it.