Report | Cyber Security Report, 2023
Explore key cybersecurity trends from 2022 in this insightful report by Check Point Research. It covers the rise of email-delivered attacks, the impact of the Russia-Ukraine conflict on cyber threats, evolving ransomware tactics, and risks in mobile and cloud security. Learn about the role of generative AI in future threats and the importance of zero-day prevention. Download the report to stay ahead.

CYBER SECURITY REPORT
2023
2CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Y O U D E S E R V E T H E B E S T S E C U R I T Y
3CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
CHAPTER 1: INTRODUCTION TO THE 2023 CYBERSECURIT Y REPORT BY MAYA HOROWITZ
CHAPTER 2: T IMELINE OF KE Y 2022'S CYBER E VENTS
CHAPTER 3: 2022'S CYBER SECURIT Y TRENDS 20 Russo-Ukrainian conflict
22 The year of wiper disruption
26 Hacktivism graduates to major player on geopolitical stage
30 Weaponization of Legitimate Tools
34 Ransomware Extortion—Shifting focus from encryption to data extortion
38 Mobile Malware Landscape—The Risk of Trusting the Familiar
41 Cloud: Third Party Threat
CHAPTER 4: GLOBAL ANALYSIS
CHAPTER 5: HIGH PROFILE GLOBAL V ULNER ABIL IT IES
CHAPTER 6: INCIDENT RESPONSE PERSPECTIVE
CHAPTER 7: 2023 INSIGHTS FOR CISOS: DISRUPTION AND DESTRUCTION
CHAPTER 8: PRE VENTION IS AT RE ACH
CHAPTER 9: MALWARE FAMILY DESCRIPTIONS
CHAPTER 10: CONCLUSION
C O N T E N T S
04
07 19
44 63 68 75 85 97 107
4CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 4
C H A P T E R 1
INTRODUCTION TO THE CHECK POINT 2023 SECURITY REPORT
5CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 5
M A Y A H O R O W I T Z VP Research, Check Point
In 1976, Queen Elizabeth II sent the first royal email. It was sent over ARPANET,
7 years before the internet was invented, and a long 13 years before the first
recorded internet hack.
Almost 50 years later, email has evolved into a popular communication method,
and the most popular vehicle for threat actors to initiate their attacks. In fact,
the Check Point Research (cp<r>) annual Security Report shows that in 2022,
the proportion of email-delivered-attacks has increased, reaching a staggering
record of 86% of all file-based attacks in-the-wild.
In our Security Report, we discuss a few more trends observed by cp<r>
throughout the year. The Russia-Ukraine war demonstrated how the traditional,
kinetic, war can be augmented by a cybernetic war. It has also influenced the
broader threat landscape in the rapid changes of hacktivism and how independent
threat actors choose to work for state-affiliated missions. The war has also seen
enhanced usage of wiper malware, and this trend has been adopted by several
actors, reaching a point where 2022 has seen more wiper attacks globally, than in
the previous decade altogether. Traditional cybercrime has also changed—in 2022,
threat actors started using more legitimate tools in their operations, including
native operating system files, IT software and penetration testing tools, all helping
them in their efforts to stay under the radar. In their ransomware attacks, threat
actors are starting to skip the encryption process, realizing that the financial
rewards comes mostly from data breaches and the threat to publish victim data.
In attacks on mobile devices, attackers make a habit out of mimicking legitimate
applications, and in the cloud threat landscape—companies’ data is at risk mostly
when hosted by third parties, and susceptible to attacks due to misconfigurations,
over-permissive roles and permissions, and access keys stored publicly.
C H A P T E R 1
6CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 6
In the last days of 2022, we witnessed a dramatic advancement in the field of
generative artificial intelligence, now widely available to the public, and which is
able to generate highly professional text (code included) on demand in seconds.
As we step into 2023, we should keep in mind that this technology may quickly
be adopted by threat actors, to craft even more malicious emails, in even better
quality than those typically authored by threat actors, and with endless variations
of malware and malicious code in general. This comes to prove, yet again, the
importance of zero day prevention of attacks, across the entire IT infrastructure,
including email, endpoint, network, cloud, and everything in between.
Check Point Software is committed to ensuring our customers are provided
the best and prevention-first security across all these vectors. At Check Point
Research, we are happy to provide this annual Security Report to help in
raising awareness and vigilance, so that we can all join hands in preventing
the next cyberattack.
Maya Horowitz VP Research at Check Point Software Technologies
C H A P T E R 1
7CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 7
C H A P T E R 2
TIMELINE OF 2022'S KEY CYBER EVENTS
8CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Ukraine has been hit by a large scale cyber-attack that took down several of its government and ministries websites. Threat actors defaced the Foreign Affairs website with threatening
message reading “Ukrainians!… All information about you has become public, be afraid and expect worse.” Researchers additionally found evidence of a significant ongoing operation targeting multiple organizations in Ukraine, leveraging a malware
disguised as ransomware that could render a system inoperable.
Television channels and a radio station run by Iran’s state broadcaster were hacked in a complex attack by an exiled opposition group. Hacktivist group Edalat-e Ali (Ali's Justice) hacked the television website and broadcasted a video with a strong opposition message. The video started with footage of people in Tehran’s Azadi stadium shouting “death to
dictator” referring to Supreme Leader Ali Kamenei, then it cut into a close up of a masked man similar to the protagonist of the movie V for Vendetta, who said “Khamenei is scared,
the regime’s foundation is rattling”. Check Point Research provided in-depth technical analysis of one of the attacks. CPR was able to discover part of the tools that were utilized in this operation, including the evidence of the usage of a destructive wiper malware.
UKR A INE IR A N
A significant Ransomware attack has disrupted operations of oil port terminals in Belgium, Germany and in the Netherlands, affecting at least 17 ports and resulting in difficulties
loading and unloading refined product cargoes. The BlackCat cybercrime group is suspected to be the group behind the attack.
Ukraine has been at the center of a series of targeted DDoS attacks on its armed forces, defense ministry, public radio and national banks websites. The US Government has officially attributed the attacks to Russia’s Main Directorate of the General Staff of the Armed Forces.
C H A P T E R 2
JANUARY
FEBRUARY
https://www.theguardian.com/world/2022/jan/14/ukraine-massive-cyber-attack-government-websites-suspected-russian-hackers https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ https://www.youtube.com/watch?v=-I39SWoJNSs https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ https://www.bankinfosecurity.com/cyberattack-cripples-european-oil-port-terminals-a-18465 https://therecord.media/ddos-attacks-hit-websites-of-ukraines-state-banks-defense-ministry-and-armed-forces/ https://www.bleepingcomputer.com/news/security/white-house-pins-ukraine-ddos-attacks-on-russian-gru-hackers/
9CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Check Point Research has released data on cyberattacks observed around the Russia/ Ukraine conflict. Cyberattacks on Ukraine’s government and military sector surged by 196% in the first three days of combat. Cyberattacks on Russian organizations increased by 4%.
Phishing emails in the East Slavic languages increased 7-fold.
Following an announcement by OpenSea about a contract migration they are planning, Check Point Research observed that hackers took advantage of the upgrade process and
scammed NFT users, leading to theft of millions of dollars.
State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage
CPR has observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones to target victims with spear-phishing emails using the war as a lure.
https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
Ukraine “IT army” consisting of cyber-operatives and volunteers worldwide
has claimed attacks taking down multiple Russian and Belarusian key websites, including the Kremlin’s official site.
As part of the NVIDIA leak by the Lapsus$ ransomware gang were 2 stolen code signing certificates used by to sign their drivers and executables. Attackers have already started using
these certificates to sign malware, hoping to evade security solutions. Ransomware gang Lapsus$, which took responsibility for the breach on the giant chip firm NVIDIA,
claims it also managed to breach the Korean manufacturer Samsung, and published 190GB of sensitive data online.
C H A P T E R 2
UK R A INEGERM A N Y NE THERL A NDSBELGIUM
MARCH
https://blog.checkpoint.com/2022/02/27/196-increase-in-cyber-attacks-on-ukraines-government-and-military-sector/ https://blog.checkpoint.com/2022/02/20/new-opensea-attack-led-to-theft-of-millions-of-dollars-in-nfts/ https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/ https://www.bleepingcomputer.com/news/security/ukraine-says-its-it-army-has-taken-down-key-russian-sites/ https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/ https://wccftech.com/samsung-data-compromised-190gb-info-stolen/
10CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
One of Russia’s largest meat producers Miratorg Agribusiness Holding has suffered a major cyberattack. Threat actors used Windows BitLocker to encrypt the victim’s IT systems in full
volumes and demanded a ransom. The attack resulted in distribution disruptions for several days.
Check Point Research (CPR) revealed a large spike in attacks committed by advanced persistent threat groups (APTs) around the world, using lures utilizing the war between
Russia and Ukraine. Most of the attacks started with spear-phishing emails that contained documents with malicious macros dropping malware such as Loki.Rat backdoor.
The new Spring4shell vulnerability (CVE-2022-22965) has been actively exploited by threat actors since the beginning of April, leveraging the Mirai botnet. The Singapore region has
been one of the most impacted geographic areas. Check Point Research shows that 16% of the organizations worldwide were impacted with Spring4Shell during the first
4 days after the vulnerability outbreak. VMware has released security updates to address this critical remote code execution flaw within its products.
Check Point Research identified “ALHACK”, a set of vulnerabilities in the ALAC audio format that could have been used for remote code execution on two-thirds of the world’s mobile devices. The vulnerabilities affected Android smartphones powered by chips from
MediaTek and Qualcomm, the two largest mobile chipset manufacturers.
Check Point Research identified a vulnerability in the Everscale blockchain wallet. If exploited, the vulnerability would have given an attacker full control over a victim’s wallet
and subsequent funds. The vulnerability was discovered in the web version of Everscale’s wallet, known as Ever Surf. Available on Google Play Store and Apple’s App Store,
Ever Surf is a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network.
C H A P T E R 2
RUS SI A
S ING A PORE
APRIL
https://www.bleepingcomputer.com/news/security/top-russian-meat-producer-hit-with-windows-bitlocker-encryption-attack/ https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/ https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html https://blog.checkpoint.com/2022/04/05/16-of-organizations-worldwide-impacted-by-spring4shell-zero-day-vulnerability-exploitation-attempts-since-outbreak/ https://www.vmware.com/security/advisories/VMSA-2022-0010.html https://blog.checkpoint.com/2022/04/21/largest-mobile-chipset-manufacturers-used-vulnerable-audio-decoder-2-3-of-android-users-privacy-around-the-world-were-at-risk/ https://research.checkpoint.com/2022/check-point-research-detects-vulnerability-in-the-everscale-blockchain-wallet-preventing-cryptocurrency-theft/
11CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Costa Rica has declared a State of Emergency following a devastating ransomware attack by the Conti gang. The attack affected many governmental organizations, including The Finance
Ministry, The Costa Rican Social Security Fund, and The Ministry of Science, Innovation, Technology, and Telecommunications. An estimated $200 million was lost due to disruptions related to the tax and customs platforms. The Conti Ransomware gang has allegedly taken its infrastructure offline after its leaders announced they were reorganizing their operation. The news comes a few days after Conti extorted Costa Rica. Conti members are believed to
be currently migrating and rebranding into smaller ransomware operations.
Lincoln College, a 157-year-old institution in Illinois, has announced it will indefinitely close after a significant ransomware attack that occurred in December 2021
took a toll on the school operations.
Sberbank, a Russian banking services organization, has been the target of continuous attacks in the past month by Pro-Ukraine hackers. The bank recently suffered the largest distributed
denial-of-service (DDoS) attack ever recorded, measured at 450GB/sec.
Russian state-sponsored hacking group, Turla, has been launching a reconnaissance campaign against the Austrian Economic Chamber, a NATO platform,
and the Baltic Defense College.
Blockchain Security 101 Every year, ordinary people lose money in blockchain hacks. Could it be that this technology is simply
insecure by nature? Or is there something we’re all missing—something that can save this industry, and the millions of people who’ve invested their hard-earned money into it, from squandering billions of dollars every year?
Tune in to CP<RADIO> our Podcast channel for this insightful podcast
https://research.checkpoint.com/2022/blockchain-security-101/
C H A P T E R 2
MAY
https://therecord.media/costa-ricas-new-president-declares-state-of-emergency-after-conti-ransomware-attack/ https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/ https://www.bleepingcomputer.com/news/security/lincoln-college-to-close-after-157-years-due-ransomware-attack/ https://www.bleepingcomputer.com/news/security/russian-sberbank-says-it-s-facing-massive-waves-of-ddos-attacks/ https://www.bleepingcomputer.com/news/security/russian-hackers-perform-reconnaissance-against-austria-estonia/ https://research.checkpoint.com/2022/blockchain-security-101/
12CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
CERT Ukraine has issued a warning concerning Russian hackers, possibly the state- sponsored APT group Sandworm, launching attacks exploiting the Follina critical vulnerability (CVE-2022-30190) in Microsoft Windows Support Diagnostic Tool. The campaign leverages malicious emails with DOCX attachments targeting media and news outlets in Ukraine.
The largest ever-recorded HTTPS DDoS attack has recently been mitigated, with 26 million request per second. The attack targeted a Cloudflare customer and originated from cloud service providers rather than residential internet service providers, indicating the
use of hacked virtual machines.
Microsoft has issued a fix to address the critical Follina vulnerability (tracked CVE-2022-30190) which has been exploited in the wild,
recommending users to urgently update and patch.
Russian intelligence services have reportedly increased attacks against governments and NGOs supporting Ukraine in 42 different countries, with the goal
to obtain sensitive information from NATO countries’ agencies.
How the Evolution of Ransomware Changed the Threat Landscape From WannaCry to Conti: A 5 Year Perspective
https://www.checkpoint.com/ransomware-hub/
C H A P T E R 2
JUNE
https://www.bleepingcomputer.com/news/security/russian-hackers-start-targeting-ukraine-with-follina-exploits/ https://www.techcentral.ie/cloudflare-mitigates-biggest-ever-https-ddos-attack/ https://www.techcentral.ie/cloudflare-mitigates-biggest-ever-https-ddos-attack/ https://www.bleepingcomputer.com/news/security/microsoft-russia-stepped-up-cyberattacks-against-ukraine-s-allies/ https://www.checkpoint.com/ransomware-hub/
13CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Both Norway and Lithuania were victims of large-scale DDoS. The attacks are assumed to have been carried out by separate pro-Russian hacker groups,
with the goal of discouraging the nations’ support of Ukraine.
Twitter has suffered a data breach after threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts,
with the data now up for sale on a hacker forum for $30,000. It has been reported on a stolen data market that the database contains info about various accounts, including celebrities,
companies, and random users.
Check Point customers among the first to be protected from Follina Vulnerability
Check Point customers were protected on the same day Follina was discovered (May 30th). Utilizing Harmony Endpoint and Threat Emulation behavioral protections
https://blog.checkpoint.com/2022/05/31/follina-zero-day-vulnerability-in-microsoft-office-check-point-customers-remain-protected/
Data Breaches. Is your Business Protected? Download our guide to learn more about data breaches and
the best practices you must follow to prevent them.
https://pages.checkpoint.com/prevent-cyber-attack-data-breach.html
C H A P T E R 2
L I THU A NI ANORWAY
JULY
https://securityaffairs.co/132765/hacking/legion-ddos-norway.html https://securityaffairs.co/132765/hacking/legion-ddos-norway.html https://www.bleepingcomputer.com/news/security/hacker-selling-twitter-account-data-of-54-million-users-for-30k/ https://blog.checkpoint.com/2022/05/31/follina-zero-day-vulnerability-in-microsoft-office-check-point-customers-remain-protected/ https://pages.checkpoint.com/prevent-cyber-attack-data-breach.html
14CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Atlassian Confluence critical vulnerability tracked CVE-2022-26138 has been exploited in the wild. Unauthenticated actors could leverage the flaw remotely to gain unrestricted
access to all pages in confluence. In addition, CISA issued a warning and ordered US federal agencies to address the vulnerability.
Cisco confirms it has been breached by the Yanluowang ransomware group. The initial access was gained after the threat actor gained an employee’s Google account credentials,
saved in their browser, and after getting an MFA push accepted by the user. The company says that while there have also been signs of pre-ransomware activity,
no ransomware has been deployed on Cisco’s systems.
The pro-Russian hacker group Killnet publicly targeted Lockheed Martin, calling other hacker groups to join in on attacks. At this point Killnet claims to be responsible for a recent DDoS attack on the company, and tells they have obtained personal data of the company’s
employees; claims were denied by the American corporation.
South Staffordshire Water, UK’s largest water company supplying 330M liters of drinking water to 1.6M consumers daily, has been a victim of ransomware attack launched by Cl0p, a Russian-speaking ransomware gang. The group caused disruption of the company’s
IT systems, allowing them access to more than 5TB of data including passports, screenshots from water treatment SCADA systems, driver’s licenses, and more.
The New Era of Hacktivism—State-Mobilized Hacktivism Proliferates to the West and Beyond
In the past year, things have changed. As one of the multiple fallouts of conflicts in Eastern Europe and the Middle East, some hacktivism groups stepped up their activities in form and focus to a new era;
Hacktivism is no longer just about social groups with fluid agendas.
https://research.checkpoint.com/2022/the-new-era-of-hacktivism/
C H A P T E R 2
AUGUST
https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html https://securityaffairs.co/133819/security/cisa-confluence-cve-2022-26138-catalog.html https://blog.talosintelligence.com/recent-cyber-attack/ https://www.hackread.com/killnet-hackers-hit-lockheed-martin-employee-data/ https://techmonitor.ai/technology/cybersecurity/south-staffordshire-water-cyberattack-ransomware-cl0p https://research.checkpoint.com/2022/the-new-era-of-hacktivism/
15CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Apple has issued an urgent patch for two zero-day flaws actively exploited by attackers to hack iPhones, iPads, or Macs. Among them is CVE-2022-32893, an out-of-bounds write
vulnerability in WebKit that would allow an attacker to perform arbitrary code execution, and CVE-2022-32894, an out-of-bounds write vulnerability in the operating system’s kernel that
would allow an attacker to execute code with kernel privileges.
Check Point Research has discovered an active cryptocurrency mining campaign imitating “Google Translate Desktop” and other free software to infect PCs. Created by a Turkish speaking
entity called Nitrokod, the campaign counts 111,000 downloads in 11 countries since 2019.
A traffic jam was generated in Moscow in a kind of physical DDoS attack, as attackers hacked Russian taxi service Yandex, and ordered dozens of cars to a specific location. The Anonymous
collective claims to be behind this attack.
Multiple cyberattacks linked to Iran have been disrupting Albania’s government systems since July, forcing them to shut down some online services. In response,
Albania’s government halted its diplomatic ties with Iran, ordering staff to leave within 24 hours. The latest attack which occurred over the weekend, allegedly by the same actor, targeted the Albanian Police’s computer system, forcing officials to take its TIMS system,
used for immigration data tracking, offline.
Uber has suffered a data breach, allegedly by an 18-year-old hacker who managed to gain access using social engineering tactics on an employee. The hacker claims to have access
to Uber’s internal IT systems and to the company’s HackerOne bug bounty account, which contains vulnerabilities in Uber’s systems and apps, disclosed privately by security
researchers. Uber claims that the users’ private information was not compromised.
A new record-breaking DDoS attack in has been recorded this week, peaking at 704.8 Mpps, about 7% higher than the previous attack recorded
on the same European organization last July.
C H A P T E R 2
SEPTEMBER
https://nakedsecurity.sophos.com/2022/08/18/apple-patches-double-zero-day-in-browser-and-kernel-update-now/ https://nakedsecurity.sophos.com/2022/08/18/apple-patches-double-zero-day-in-browser-and-kernel-update-now/ https://cybernews.com/cyber-war/hackers-created-an-enormous-traffic-jam-in-moscow/ https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1= https://www.securityweek.com/disruptive-cyberattacks-nato-member-albania-linked-iran https://www.reuters.com/world/albania-cuts-iran-ties-orders-diplomats-go-after-cyber-attack-pm-says-2022-09-07/ http://occurred https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/ https://www.akamai.com/blog/security/record-breaking-ddos-attack-in-europe
16CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Hacktivist groups around the world have taken aim at the Iranian regime, as protests throughout the country continue. The groups have been leaking information relating to
Iranian government officials, and offering support to the protesters in sharing information and evading censorship.
Personal information of 10 million Australians has been stolen in a breach of telecom company Optus. The data includes sensitive information, such as passport and healthcare
details. While the hackers initially demanded a 1M USD ransom, they later retracted their demand due to the high attention drawn to the hack and the law enforcement
operation initiated to identify the attackers.
Check Point Research published a report studying the rising trend of state-mobilized Hacktivism. While in the past Hacktivist groups tended not to affiliate themselves with national interests, groups nowadays take part in state-directed efforts, driven by geopolitical conflicts.
Russian-speaking threat group Killnet claims responsibility for attacks taking down different US state government websites, including those of Colorado, Kentucky, Mississippi and others.
Online shopping company Woolworths has reported a data breach impacting over two million Australian users of its MyDeal subsidiary. The company said the breach was due
to a compromised user credential that was used to gain unauthorized access to MyDeal’s customer relationship management system. Several Australian companies have been breached during October—The country’s largest health insurance firm, Medibank, froze trading on the Australian stock exchange after confirming a 200GB data breach; In a breach of wine retailer Vinomofo’s network data of over 500,000 customers was
leaked; an attack on energy company EnergyAustralia exposed payment data of hundreds of the company’s customers.
Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper
CPR provides under-the-hood details of its analysis of the infamous Azov Ransomware
https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/
C H A P T E R 2
OCTOBER
https://blog.checkpoint.com/2022/09/28/hacker-groups-take-to-telegram-signal-and-darkweb-to-assist-protestors-in-iran/ https://www.theguardian.com/business/2022/oct/01/optus-data-hack-australians-scramble-to-change-passports-and-driver-licences-after-telco-data-debacle https://research.checkpoint.com/2022/the-new-era-of-hacktivism/ https://edition.cnn.com/2022/10/05/politics/russian-hackers-state-government-websites/index.html https://insideretail.com.au/business/woolworths-says-mydeal-data-breach-impacted-2-2-million-customers-202210 https://www.abc.net.au/news/2022-10-19/medibank-halts-trading-cyber-hackers/101554194 https://www.theguardian.com/australia-news/2022/oct/18/vinomofo-data-breach-cyber-attack-hack-australian-wine-seller https://www.news.com.au/technology/online/hacking/energy-australia-hacked-after-data-stolen-from-medibank-optus/news-story/7fd668f480e8ab0b8c227fd772ed530f https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/
17CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Russian-affiliated hacktivist group ‘Killnet’ has launched a DDoS attack against government websites in Bulgaria, causing them to become inaccessible. Killnet said that Bulgaria was
targeted due to its “betrayal to Russia” and the supply of weapons to Ukraine.
The Largest copper manufacturer in Europe—Aurubis—has been the victim of a cyberattack that targeted its IT systems and forced the company to shut down many of its sites’ systems.
OpenSSL, used widely for secure communications, gave heads-up for a critical vulnerability in versions 3.0 and above that will be published on Tuesday, November 1st. eventually the
vulnerabilities published were downgraded to ‘high’ severity
Check Point Research found that global attacks increased by 28% in the third quarter of 2022, with education/research as the most attacked industry overall, and the healthcare sector the
most targeted industry in ransomware attacks.
IT Army of Ukraine claim to have gained access to Russia’s Central Bank. They published 27K of the leaked files, containing personal, legal, and financial data.
Check Point Research identified a new and unique malicious package on PyPI, the leading package index used by developers for the Python programming language. The package was
designed to hide code in images and infect through open-source projects on Github.
The Azov ransomware is being distributed worldwide to encrypt victim files, while in fact an analysis by Check Point Research proves that Azov ransomware is
a data wiper aimed at destroying data with no way to recover the files.
Meta has fired dozens of employees, after the employees had received thousands of dollars in bribes by outside hackers in return for granting access to users’ Facebook
or Instagram profiles. The employees used the company’s internal support tool, which allows full access to any user account.
C H A P T E R 2
NOVEMBER
https://therecord.media/cyberattack-disrupts-bulgarian-government-websites-over-betrayal-to-russia/ https://www.aurubis.com/en/media/press-releases/press-releases-2022/update-on-cyber-attack-at-aurubis https://blog.checkpoint.com/2022/10/30/openssl-gives-heads-up-to-critical-vulnerability-disclosure-check-point-alerts-organizations-to-prepare-now/ https://blog.checkpoint.com/2022/11/01/openssl-vulnerability-cve-2022-3602-remote-code-execution-and-cve-2022-3786-denial-of-service-check-point-research-update/ https://blog.checkpoint.com/2022/10/26/third-quarter-of-2022-reveals-increase-in-cyberattacks/ https://www.pravda.com.ua/eng/news/2022/11/3/7374815/ https://research.checkpoint.com/2022/check-point-cloudguard-spectral-exposes-new-obfuscation-techniques-for-malicious-packages-on-pypi/ https://www.bleepingcomputer.com/news/security/azov-ransomware-is-a-wiper-destroying-data-666-bytes-at-a-time/ https://www.wsj.com/articles/meta-employees-security-guards-fired-for-hijacking-user-accounts-11668697213
18CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
The European Parliament website has been attacked following a vote declaring Russia a state sponsor of terrorism. The pro-Russian hacktivist groups Anonymous Russia
and Killnet, have claimed responsibility for the attack, causing an ongoing DDoS (Distributed Denial of Service).
Black Basta ransomware group is running a campaign targeting organizations in the United States, Canada, United Kingdom, Australia, and New Zealand. The group uses QakBot (AKA QBot, Pinkslipbot) banking Trojan to infect an environment and install a
backdoor allowing it to drop the ransomware.
Cyber criminals who breached Australian Medibank’s systems have released another batch of data onto the dark web, claiming that the files contain all data harvested in the former heist that
impacted 9.7 million customers in October 2022. Medibank has confirmed the data breach.
Researchers found that over 300,000 users across 71 countries were effected by an Android campaign meant to steal Facebook credentials. This is by using Schoolyard Bully Mobile Trojan, deployed in legitimate education-themed applications, which were available
in the official Google Play Store.
Check Point Research has analyzed the activity of cyber-espionage group Cloud Atlas. Since its discovery in 2014, the group has launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts, however its scope has
narrowed significantly in the last year, with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova.
As artificial intelligence (AI) models grow more and more popular, Check Point Research discusses the risks and upsides of the technology. CPR demonstrates how AI technologies, like ChatGPT and Codex, can easily be used to create a full infection flow, from spear-phishing to
running a reverse shell, and provides examples of the positive impact of AI on the defenders’ side.
C H A P T E R 2
DECEMBER
https://www.politico.eu/article/cyber-attack-european-parliament-website-after-russian-terrorism/ https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/ https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/ https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/ https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/ http://discusses
19CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
C H A P T E R 3
2022’S CYBER SECURITY TRENDS
20CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
As was the case on the physical battleground,
the Russians apparently did not prepare for a
long cyber campaign. Their cyber operations,
which in the early stages included carefully
planned precise attacks, have all but ceased.
Multiple new tools and wipers, that were
characteristic of the initial stages, have been
replaced with a different operational mode.
Current offensive cyberattacks are mostly
rapid exploitations of opportunities as they
arise and use already known attack tools.
These are not intended to assist tactical combat
efforts but rather create a psychological effect
by damaging the Ukrainian civil infrastructure.
The recruitment of cyber professionals,
criminals, and other civilians to the military
cyber effort—on both sides of the conflict—
has further blurred the distinction between
nation-state actors, cyber criminals, and
hacktivists. The Ukrainian government has
established an army of hacktivists whose
management is very different from anything
we have seen before. Previously characterized
by loose cooperation between individuals in an
ad hoc fashion, new-hacktivist organizations
conduct recruitment, training, intelligence-
gathering and allocation of targets and
The ongoing Russian-Ukrainian war has had
a profound effect on cyberspace and caused a
significant increase in cyber-attacks in 2022.
Hacktivism has been transformed, and the use
of destructive malware by state-sponsored
groups and independent entities has become
more prevalent globally.
The role of cyberwarfare has been well
documented in this first full-blown hybrid
conflict, where battles are fought online as
well as on physical ground. The Russians
revealed new cyber tools and achieved tactical
objectives that affected military and civil
communications, including blocking public
media transmissions. While cyber activity
cannot win the war on its own, it does play a
significant part in tactical operations and has an
indisputable psychological and economic effect.
For cyber-operations to be effective, is not
just a matter of employing malware. Much
like conventional warfare, cyberwarfare also
requires meticulous and thorough preparations.
Reconnaissance, intelligence gathering and
assessment, target-bank compilation and
prioritization, dedicated-payload development
and network infiltration are all prerequisites
for a successful campaign.
RUSSO-UKR AINIAN CONFLICT
C H A P T E R 3
https://news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview https://www.virusbulletin.com/conference/vb2022/abstracts/russian-wipers-cyberwar-against-ukraine https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/ chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Russian-wipers-in-the-cyberwar-against-Ukraine.pdf
21CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 21
Eight years of continuous cyber hostility
between Russia and Ukraine have served as a
training period for both sides. Ukraine’s cyber
defense organizations are praised as “the most
effective defensive cyber activity in history”.
Knowing adversaries tools and modus operandi
has an increased importance in cyber warfare.
The impact of a first-time deployment of a
particular wiper may be devastating, but the
impact of the second one is often much smaller.
For example, the effect of the Industroyer2
attack on the energy sector in Ukraine in March
2022 was limited in comparison to Industroyer’s
first deployment in 2016.
The full scope of changes brought on by this
conflict is yet to be seen, but we have already
learned some valuable lessons.
battlefield status compilation in a military
manner. Attacks on Russian entities, which
were once considered off-limits by many
cybercrime entities, have now increased and
Russia is struggling under an unprecedented
hacking wave that combines state-sponsored
activity, political cyber warriors and criminal
action. On the other side, multiple Russian-
affiliated hacktivist groups were established
that target not only Ukraine but also Europe,
North America and Japan. For more details,
see our section on Hacktivism.
The extensive use of destructive malware
has already resulted in an increase in similar
activities in other regions and by other
geopolitical groups. Can cyberattacks be
considered a hostile act? What type of proof,
and how extensive must the damage be to be
considered a casus belli? Are modifications to
existing treaties required? We address these
questions in another chapter of the report
entitled “Wipers”.
S E R G E Y S H Y K E V I C H Threat Intelligence Group Manager,
Check Point Software Technologies
The role of cyberwarfare has been well documented in this first full-blown hybrid conflict, where battles are fought online as well as on physical ground. The Russians revealed new cyber tools and achieved tactical objectives that affected military and civil communications, including blocking public media transmissions. While cyber activity cannot win the war on its own, it does play a significant part in tactical operations and has an indisputable psychological and economic effect.
C H A P T E R 3
https://www.economist.com/by-invitation/2022/08/18/the-head-of-gchq-says-vladimir-putin-is-losing-the-information-war-in-ukraine https://www.washingtonpost.com/technology/2022/05/01/russia-cyber-attacks-hacking/
22CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 22
THE YE AR OF UNRESTR AINED WIPER DISRUPTION
Stuxnet, arguably the most famous destructive
malware, was used in 2010 to sabotage the
centrifuges in the Iranian nuclear project.
At the time, Stuxnet was unique in many
respects but mostly because its immediate
impact was the physical destruction of
mechanical hardware. In 2012, Shamoon
was deployed to disrupt oil companies in
the Middle East, targeting Saudi and Qatari
facilities. In 2013, DarkSeoul, attributed to
North Korea, was used to destroy more than
30,000 computers related to the banking and
broadcasting sectors in South Korea. This
attack took place during a period of heightened
tensions between the two countries following
nuclear testing by the North.
In the ensuing years we witnessed the Black
Energy attack in 2015 on the Ukrainian energy
infrastructure (KillDisk) and another attack
on Saudi targets by dubbed Shamoon2 in 2016.
NotPetya was distributed against Ukrainian
targets in 2017 in a supply chain attack which
caused significant collateral damage globally.
In 2018 Olympic Destroyer, purportedly
produced by North Korea, was used by the
Russian-affiliated Sandworm to disrupt the
Wipers and other types of destructive malware
are carefully designed to cause irreversible
damage, and if tightly woven into cyberwarfare,
the effect can be catastrophic. This is probably
why we have only seen limited use of wipers
over the years, and they were usually associated
with nation states. Until recently, countries
primarily used cyberattacks for the purpose of
espionage and intelligence gathering, and only
rarely resorted to destructive cyber tools. In
2022 we have seen a change in the appearance
of multiple new wiper families that are used
to destroy thousands of machines.
Wipers are destructive malware, designed
to inflict damage with limited potential for
financial gain for attackers. Early use of wipers
to showcase attackers’ capabilities was thus
limited and short-lived. But in all the cases,
the main purpose of the wipers is to interrupt
operations or to irreversibly destruct data.
While the process of data destruction has
several technological implementations.
C H A P T E R 3
https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html https://nakedsecurity.sophos.com/2013/03/20/south-korea-cyber-attack/ https://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/ https://www.reuters.com/article/us-cyber-saudi-shamoon-idUSKBN13Q38B https://www.securityweek.com/us-canada-australia-attribute-notpetya-attack-russia https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/
23CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 23
organizations in Ukraine, overwriting systems’
MBR (Master Boot Record) to prevent system
reboot and file recovery. Attackers left a
ransom note but did not offer a recovery
mechanism, leading to speculation that
the demand for payment was only intended
to mislead victims. The files were further
corrupted using a second stage payload that
was hosted on a Discord channel.
On the eve of the ground invasion in February,
three additional wipers were deployed:
Hermetic wiper, HermeticWizard and
HermeticRansom. The tools were named after
their certificate which was issued to ‘Hermetica
Digital Ltd’. Additional wipers were reported
later that month. Another attack was directed
at the Ukrainian power grid in April, using a new
version of Industroyer, the malware that was
used in a similar attack in 2016.
opening ceremonies of the Winter Olympic
Games. In 2019 Dustman and ZeroCleare were
used in Iranian attacks on targets in the Middle
East related to oil production. On average,
there was one attack by a wiper family per year.
During 2022, there has been a noticeable
shift in the tactics of destructive malware
deployment. Cyberespionage continued, as
it was previously, but this activity has been
supplemented by destructive cyber operations,
instigated by nations whose goal appears to
be to inflict as much damage as possible. The
start of the Russian-Ukrainian war in February
saw a massive uptick in disruptive cyberattacks
carried out by Russia against Ukraine. Russia
has a long history of cyber assaults against
its neighbor. In January 2022, WhisperGate
was used to attack government and financial
E L I S M A D J A Security Research Group Manager,
Check Point Software Technologies
Wipers and other types of destructive malware are carefully designed to cause irreversible damage, and if tightly woven into cyberwarfare, the effect can be catastrophic. This is probably why we have only seen limited use of wipers over the years, and they were usually associated with nation states. Until recently, countries primarily used cyberattacks for the purpose of espionage and intelligence gathering, and only rarely resorted to destructive cyber tools. In 2022 we have seen a change in the appearance of multiple new wiper families that are used to destroy thousands of machines.
C H A P T E R 3
https://www.malwarebytes.com/blog/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ https://ics-cert.kaspersky.com/publications/news/2020/01/10/bapco-dustman/ https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/ https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
24CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 24
In January 2022, the Iranian state broadcasting
service IRIB was attacked by destructive
malware. The attack, investigated by cp<r>,
caused damage to computers at dozens of
TV and radio stations throughout Iran. Images
of the leaders of the Iranian opposition, the
anti-regime organization Mojahedin-e-Khalq
(MEK), were aired on TV screens across
the country, calling for “Death to Ayatolla
Khamenei!” MEK, which conducts much
of its activity from exile in Albania, denied
responsibility. In June, the Chaplin wiper,
a revised version of Meteor, previously used
by Predatory Sparrow, hit steel plants in Iran.
Other wiper attacks were reported in Iran
that employed the Dilemma and Forsaken
families but attracted less attention due to
the general unrest in the country.
On July 18, just a few days before MEK’s
conference titled “the World Summit of Free
Iran”, the Albanian government stated it had
to “temporarily close access to online public
services and other government websites”
due to disruptive cyber activity. The Homeland
Justice hacktivist group that was behind the
incident (later attributed to Iran) used various
images and articles suggesting it was carried
out in retaliation for attacks on the Islamic
Republic. Researchers found that the wiper
used in this instance, ZeroClear, is related
to destructive attacks previously directed at
energy-sector targets in the Middle East.
In total, there were at least nine different
wipers deployed in Ukraine in less than a year.
Many of them were most likely separately
developed by different Russian intelligence
services and employed different wiping and
evasion mechanisms.
One of the attacks, enacted hours before the
ground invasion of Ukraine, was intended to
interfere with Viasat, satellite communications
company that provided services to Ukraine.
The attack used a wiper called AcidRain that
was designed to wipe modems and routers and
cut off internet access for tens of thousands of
systems. There was also significant collateral
damage, including thousands of wind turbines
in Germany.
The attacks were clearly the result of detailed
planning. Some of the tools were designed
specifically to fit their intended targets, with
attackers breaching security measures and
gaining access months earlier and then using
GPOs (Group Policy Objects) to deploy their
wipers at the time of the actual attack.
Cyber destructive activity was not restricted
to Russia-Ukraine. In the Middle East, Iran has
suffered a series of destructive attacks since
the middle of 2021. In July 2021, a hacktivist
group identifying itself as Predatory Sparrow
attacked Iran’s railway system, causing
delays and general panic. An investigation by
Check Point Research (cp<r>) revealed that
older versions of the wipers were used in
attacks against multiple targets in Syria.
C H A P T E R 3
https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ https://albaniandailynews.com/news/cyber-attacks-forces-akshi-close-government-online-systems https://www.wired.com/story/iran-cyberattack-albania/ https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against https://www.ibm.com/downloads/cas/OAJ4VZNJ chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://go.recordedfuture.com/hubfs/reports/mtp-2022-0512.pdf chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Russian-wipers-in-the-cyberwar-against-Ukraine.pdf https://arstechnica.com/information-technology/2022/03/mystery-solved-in-destructive-attack-that-knocked-out-10k-viasat-modems/ https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ https://www.virusbulletin.com/conference/vb2022/abstracts/russian-wipers-cyberwar-against-ukraine/ https://www.virusbulletin.com/conference/vb2022/abstracts/russian-wipers-cyberwar-against-ukraine/
25CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 25
Azov is a new widespread wiper that falsely
links itself to various security researchers and
blames multiple nations and political entities
for the current state of warfare. Azov has not
been officially linked to any of the fighting sides
and has been causing damage indiscriminately
since November 2022, as detailed in a recent
investigation by cp<r>.
More wipers have been used this year than were
probably recorded in the past 30 years, and they
have evolved both in the way they are deployed
and in their impact. Some actors in this area
are willing to take actions that could justify a
war, modelling the definition of endured cyber
hostility. It has become increasingly difficult to
tell the difference between nation-state APT
activity and hacktivist groups. Many countries
are involved to a degree in the activities of non-
governmental entities, ranging from providing
inspiration, tools and target allocation, to direct
management and financing of attacks disguised
as private initiatives. This ambiguity further
extends the degree to which threat actors can
operate without the likelihood of retaliation.
This will lead to more widespread destructive
cyber operations and in turn ever higher levels
of collateral damage.
The MEK summit was cancelled, but this did
not prevent a second cyberattack from hitting
Albanian government systems in September.
While this was an unprecedented attack on
a NATO member state, the defense alliance
did not consider it to be an ”armed attack”
as defined by Article 5 of the NATO treaty.
However the organization has in the past
reaffirmed that cyberspace is part of NATO’S
core task of collective defense. Iran has
consistently invested in extending its foothold
on western countries’ IT infrastructure.
This bold act of deploying destructive malware
against a NATO member without retaliation
could have serious ramifications.
The destructive cyber activity continued
throughout 2022. Somnia, a new wiper-turned-
ransomware was deployed by the FRwL (From
Russia with Love) hacktivist group against
Ukrainian targets. The attacks resemble
techniques practiced by ransomware groups,
but no ransom demand was submitted, and
the intent was clearly only to inflict maximum
disruption on the victim. Similar attacks that
deploy the CryWiper malware have recently
been targeting municipalities and courts in
Russia, leaving ransom notes and Bitcoin
wallet addresses. However, in reality the
damage is irreversible.
C H A P T E R 3
https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/ https://apnews.com/article/middle-east-iran-albania-tirana-de39227e538dabd5c84686b5846722eb https://edition.cnn.com/2022/09/10/politics/albania-cyberattack-iran/index.html https://www.cisa.gov/uscert/ncas/alerts/aa21-321a https://www.bleepingcomputer.com/news/security/ukraine-says-russian-hacktivists-use-new-somnia-ransomware/ https://www.kaspersky.com/blog/crywiper-pseudo-ransomware/46480/amp/
26CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 26
HACKTIVISM GR ADUATES TO MA JOR PL AYER
ON GEOPOLITICAL STAGE
The rise of politically motivated Middle Eastern
groups in the past couple of years, such as
the Iranian-associated “Hackers of Savior”
or anti-Iranian regime “Predatory Sparrow”,
marked the beginning of the change, as groups
began focusing on a single agenda. Early this
year, following Russian attacks on Ukrainian
IT infrastructure at the beginning of the war,
Ukrainian government set up an unprecedented
arrangement called the “IT Army of Ukraine”.
Through a dedicated Telegram channel,
its operators manage more than 350,000
international volunteers in their campaign
against Russian targets. On the other side
of the battlefield, Killnet, Russia-affiliated
group, was established with a military-like
organizational structure and a clear top-
down hierarchy. Killnet consists of multiple
specialized squads that perform attacks
and answer to the main commanders. These
groups are led by a hacker called KillMilk.
Hacktivism, the act of carrying out politically
or socially motivated cyberattacks, was
traditionally associated with loosely managed
entities such as Anonymous. These previously
decentralized and unstructured groups were
made up of individuals cooperating ad hoc for a
variety of agendas. Over the last year, following
developments in the Russian-Ukrainian
conflict, the hacktivist ecosystem has matured.
Hacktivist groups have tightened up their level
of organization and control, and now conduct
military-like operations including recruitment
and training, sharing tools, intelligence and
allocation of targets. Most of the new hacktivist
groups have a clear and consistent political
ideology that is affiliated with governmental
narratives. Others are less politically driven
but have nonetheless made their operations
more professional and organized.
C H A P T E R 3
https://www.cyberscoop.com/fbi-iran-warning-hacktivists-election-israel/ https://www.bbc.com/news/technology-62072480 https://blog.checkpoint.com/2022/02/27/how-the-eastern-europe-conflict-polarized-cyberspace/ https://www.politico.eu/article/meet-killnet-russias-hacking-patriots-plaguing-europe/ https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-hacktivism/ https://research.checkpoint.com/2022/the-new-era-of-hacktivism/
27CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 27
Unlike Anonymous, who have an open-door
policy, regardless of skill or specific agenda,
the new era hacktivists screen out applicants
who fail to meet specific requirements. This
reduces the risk of exposing the inner workings
of their operation. XakNet, a pro-Russian group,
declared that they will not recruit hackers,
pentesters, or OSINT specialists without proven
experience and skills. Other groups, like the
pro-Russian NoName057(16), offer training
through e-learning platforms, tutorials, courses
or mentoring.
Organized operations invest in and develop
their members’ technical proficiency and tools.
Although most of the activity is focused on
defacement and DDoS attacks using botnets,
in some cases, groups use more sophisticated
destructive tools. TeamOneFist, a Ukraine
affiliated group, has been linked to destructive
activities against SCADA systems in Russia.
The Belarusian Cyber Partisans group, in an
attempt to prevent the movement of Russian
troops to Ukraine, encrypted internal databases
of the Belarusian Railways to disrupt its
operation just before the invasion started.
The pro-Russian group 'From Russia with
Love' (FRwL) was observed using a data wiper
called 'Somnia' to encrypt the data of Ukrainian
organizations and disrupt their operations.
The battle is not only about inflicting damage.
All active groups are aware of the importance of
media coverage. They use their communication
channels to collect reports of successful
attacks and publish them to maximize the
effect. For example, Killnet has more than
89,000 subscribers on their Telegram channel,
where they publish attacks, recruit team
members and share attack tools. There is also
extensive coverage of the group’s activity in
major Russian media outlets to promote their
achievements in cyber space and validate the
impact of their successful attacks.
Well organized and coordinated groups also
use their resources to cooperate with other
entities. Killnet’s success has put them in a
position where other groups want to collaborate
with them or officially join forces. On October
24, Zarya (Killnet’s squad) allegedly conducted
a joint operation with two Russian-speaking
groups, Xaknet and Beregini, to breach and leak
data from the Ukrainian Security Service (SBU).
In addition, Killnet recently announced the
launch of a Killnet collective which has become
an umbrella organization for 14 pro-Russian
hacktivist groups.
C H A P T E R 3
https://press.avast.com/noname05716-pro-russian-hacker-group-targeting-sites-in-ukraine-and-supporting-countries-with-ddos-attacks https://www.ibtimes.com/team-onefist-new-breed-cyber-warriors-pulls-off-holy-grail-all-hackers-russia-3602204 https://www.theguardian.com/world/2022/jan/25/cyberpartisans-hack-belarusian-railway-to-disrupt-russian-buildup https://www.bleepingcomputer.com/news/security/ukraine-says-russian-hacktivists-use-new-somnia-ransomware/ https://t.me/xaknet_team/398
28CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 28
Several groups in the Middle East, the most
prominent being Predatory Sparrow, have
been observed attacking high profile targets
associated with the Iranian regime. The latest
large-scale hacktivist attack was inflicted on
Albania by ”HomelandJustice”, a hacktivists
group affiliated with Iran’s Ministry of
Intelligence and Security. The group
served Iranian interests by attacking the
Albanian government who sheltered the
“Mujahedin-e-Khalq” (MEK), an Iranian
dissident group. Between October 2021
and January 2022 the group used a unique
email exfiltration tool to collect emails.
Then on July 15, they temporarily shut down
multiple Albanian government digital services
and websites using ransomware file encryption
and disk wiping malware. These operations
resulted in Albania’s termination of diplomatic
ties with Iran on September 6.
The transformation in the hacktivism arena
is not limited to specific national conflicts or
geographical zones. Now major corporations
and governments in Europe and the US are
targeted by this new type of hacktivism. For
example, in November 2022 the European
Parliament was targeted with a DDoS attack
launched by Killnet. In recent months, the
US, Germany, Estonia and Lithuania, Italy,
Norway, Finland, Poland and Japan suffered
severe attacks from state-mobilized groups,
with significant impact in some cases. New
hacktivist groups are being mobilized based on
political narratives and are achieving strategic
and broad-based goals with higher success
levels, and a much wider public impact than
ever before.
H A C K T I V I S M
C H A P T E R 3
https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ https://www.nbcnews.com/tech/security/albania-cuts-diplomatic-ties-iran-july-cyberattack-rcna46626 https://www.cisa.gov/uscert/ncas/alerts/aa22-264a https://www.dw.com/en/albania-once-again-the-target-of-cyberattacks-after-cutting-diplomatic-ties-with-iran-and-expelling-diplomats/a-63146285 https://www.dw.com/en/albania-once-again-the-target-of-cyberattacks-after-cutting-diplomatic-ties-with-iran-and-expelling-diplomats/a-63146285 https://twitter.com/Cyberknow20/status/1570679456754434048 https://www.bloomberg.com/news/articles/2022-05-06/german-government-sites-hit-by-pro-russian-hackers-spiegel-says?leadSource=uverify%20wall https://securityboulevard.com/2022/11/aviation-starting-to-get-hit-with-rise-of-cyberattacks-post-pandemic/ https://www.reuters.com/world/europe/pro-russian-hackers-target-italy-defence-ministry-senate-websites-ansa-news-2022-05-11/ https://www.reuters.com/world/europe/norway-targeted-by-cyber-attack-security-agency-2022-06-29/ https://cybernews.com/cyber-war/russian-hackers-target-finland-parliaments-website/ https://www.infosecurity-magazine.com/news/japan-govt-websites-killnet/
29CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 29
Hacktivist operations, which until recently
were marked by a spirit of anarchy and
loose cooperation, have been inspired by
state-run cyber campaigns to improve their
level of organization and management.
This enhanced orchestration resulted in
improved infrastructure, manpower, tools,
and capabilities which in turn led to more
effective and destructive operations. This began
in specific conflict zones but quickly spread
globally. In turn, this is expected to inspire
hacktivist groups with more diverse agendas.
The boundaries between state cyber-operations
and hacktivism are blurred, which allows
nation states to act with a degree of anonymity
without fear of retaliation. Non-state affiliated
hacktivist groups are better organized and more
effective than ever before, and this is expected
to increase in the future.
The increased level of organization and
specialization among hacktivist groups
is not limited to political agendas. The
Guacamaya hacktivist group targets entities
in Latin America for their role in the region’s
environmental degradation and repression
of native populations. Since March 2022, the
group has focused on infiltrating mining and
oil companies, the police and several Latin
American regulatory agencies. On September
19, Guacamaya leaked 10 terabytes of
documents belonging to several entities
in Mexico, Guatemala, Chile, Peru, Colombia
and El Salvador. They also accused the
United States and Western corporations of
over-exploiting the region's natural resources.
A L E X A N D R A G O F M A N Threat Intelligence Analysis
Team Leader, Check Point Software
Technologies
The boundaries between state-sponsored cyber operations and hacktivism have become increasingly blurred, which allows nation-states to act with a degree of anonymity without feat of retaliation. This also provides hacktivists with the opportunity to publicly claim responsibility for cyber attacks and draw significant attention to their cause, which can be just as significant as the actual damage caused. Non-state affiliated hacktivist groups are better organized and more effective than ever before, and this is expected to increase in the future.
https://forbiddenstories.org/the-struggle-of-one-territory-must-be-the-struggle-of-all/ https://www.cyberscoop.com/central-american-hacking-group-releases-emails/ https://therecord.media/mexican-president-confirms-guacamaya-hack-targeting-regional-militaries/ https://indianexpress.com/article/world/mexico-confirms-hack-of-military-records-presidents-health-information-8183791/
30CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 30
The basic layer of cyber protection is
recognizing malicious tools and behaviors
before they can strike. Security vendors
invest substantial resources in the research
and mapping of malware types and families,
and their attribution to specific threat actors
and the associated campaigns, while also
identifying TTPs (Techniques, Tactics and
Procedures) that inform the correct security
cycles and security policy.
To combat sophisticated cybersecurity
solutions, threat actors are developing and
perfecting their attack techniques, which
increasingly rely less on the use of custom
malware and shift instead to utilizing
non-signature tools. They use built-in operating
system capabilities and tools, which are already
installed on target systems, and exploit popular
IT management tools that are less likely to
raise suspicion when detected. Commercial
off-the-shelf pentesting and Red Team tools are
often used as well. Although this is not a new
phenomenon, what was once rare and exclusive
to sophisticated actors has now become a
widespread technique adopted by threat actors
of all types.
There are several reasons why the use of
legitimate tools is an attractive option for
cybercriminals. First, as these tools are
not inherently malicious, they often evade
detection and are difficult to distinguish from
regular users or IT operations. Second, many
of these tools are open-source or available for
purchase, so threat actors have easy access
to them. In addition, when threat actors share
tools, it makes it harder to identify who is
responsible for a particular attack.
LIVING OFF THE LAND (LOTL)
LotL or LOLBin attacks, which have been
around for several years, leverage utilities
already available within the targeted system.
Attackers use them to download and execute
malicious files, conduct lateral movement, and
for general command execution. On Windows
OS these utilities often involve command shell,
Windows Management Instrumentation, and
native Windows scripting platforms such as
PowerShell, mshta, wscript or cscript. This
technique allows attackers to remain under
the radar, as legitimate software and native OS
binaries are less likely to raise suspicion and
are typically whitelisted by default. Attackers
often use these utilities for fileless attacks.
WE APONIZ ATION OF LEGITIMATE TOOLS
C H A P T E R 3
31CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 31
Cobalt Strike is the most widespread penetration
testing tool to be exploited by threat actors,
particularly since its source code was leaked in
2020. Brute Ratel is another legitimate offensive
framework that uses a licensing process and is
currently priced at $2,500. Customers must pass
a vetting process before being issued a license
to verify that the software will not be used with
malicious intent. As cybersecurity solutions are
increasingly focused on Cobalt Strike detections,
some threat actors quietly switched to Brute
Ratel for their 2022 attacks. This includes
creating fake US companies to pass the licensing
verification system. In an overview report on this
tool, techniques associated with APT29 were
identified, suggesting it has been adopted by
APT-level actors. Researchers also identified
the use of the tool by the BlackCat ransomware
gang since at least March 2022, which implies
that threat actors were able to circumvent the
developer’s verification procedure.
This leaves fewer traces as no malicious
artifacts are written to hard drives, and it
makes incident response and remediation
work even more complex.
OFFENSIVE FRAMEWORKS
A tight and robust security policy involves
constant testing to find vulnerabilities and
weaknesses within the network and systems
deployed in it. Organizations often rely on the
expertise of Red Team professionals to mimic
every step of a cyberattack. Red Teams deploy
multiple tools to test the resilience of the
environment. Many of these tools are free or
available for use or purchase in criminal circles
and they are often spotted in the wild, in the
hands of threat actors.
L O T E M F I N K E L S T E E N Director, Threat Intelligence
& Research, Check Point Software
Technologies
There are several reasons why the use of legitimate tools is an attractive option for cybercriminals. First, as these tools are not inherently malicious, they often evade detection and are difficult to distinguish from regular users or IT operations. Second, many of these tools are open-source or available for purchase, so threat actors have easy access to them. In addition, when threat actors share tools, it makes it harder to identify who is responsible for a particular attack.
C H A P T E R 3
chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/ https://bruteratel.com/pricing/ https://www.bleepingcomputer.com/news/security/ransomware-hacking-groups-move-from-cobalt-strike-to-brute-ratel/ https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/#Conclusion https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
32CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 32
As with Cobalt Strike, a cracked version of
Brute Ratel was shared in underground cyber-
criminal forums in September 2022, leading to
predictions that this tool will be widely adopted
by threat actors. This is a concerning expansion
of the criminal use of Red Team tools, as Brute
Ratel was developed by a former Red Teamer
with extensive knowledge of EDR (Endpoint
Detection and Response) technologies and is
specifically designed to evade detection by
EDR products.
Another emerging offensive framework detected
in 2022 is Manjusaka, the Chinese counterpart of
Cobalt Strike which is freely available on GitHub.
The tool was observed in campaigns targeting
the Haixi Mongolian and Tibetan Autonomous
Prefecture region in China. Additional tools
include the Sliver framework, which was seen
in multiple campaigns during 2022 and continues
to gain popularity at the year’s end.
Earlier this year, Check Point Research uncovered
a two year-long campaign targeting financial
organizations in French-speaking regions of
Africa. Attackers deployed several of these
tools, including Metasploit as well as PoshC2,
another offensive framework available on GitHub.
DWservice is another interesting tool found in
this campaign. DWservice is a legitimate remote
access service and, while it is subscription-based,
it also has a free plan. These are all easy-to-use
tools, exploited by actors with varying levels
of technical expertise, and we expect to see
their use increase at different stages of
offensive operations.
LEGITIMATE IT AND SECURITY SOFTWARE
Remote Management and Monitoring (RMM)
software is used daily for legitimate purposes.
Given its destructive potential when used in
malicious campaigns, it is crucial to keep a
close eye on its use and implement intelligent
security policies.
In 2022, multiple ransomware gangs made
use of legitimate IT software in successful
campaigns. One of the developments was the
rise of BazarCall-style social engineering
campaigns now employed by multiple
ransomware groups. First seen in 2021 when
used by the Ryuk/Conti ransomware gang, a
BazarCall attack starts with a phishing email
that urges the victim to call an actor-controlled
call center. The operator instructs the victim
to install a potent management tool to be
used as malware. This not only allows threat
actors to target specific entities based on
targeted industry, revenue or other factors. It
also leverages social engineering techniques
to control the malware delivery process. In
multiple campaigns reported in 2022, three
separate groups—Silent Ransom, Quantum,
and Roy/Zeon—used this method to initiate
Zoho Assist sessions, a legitimate remote
support tool, which allowed them to gain
initial access to corporate networks.
C H A P T E R 3
https://blog.bushidotoken.net/2022/09/brute-ratel-cracked-and-shared-across.html https://github.com/YDHCUI/manjusaka https://blog.talosintelligence.com/manjusaka-offensive-framework/ https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ https://twitter.com/teamcymru_S2/status/1604091964386705409 https://www.bleepingcomputer.com/news/security/bazarcall-malware-uses-malicious-call-centers-to-infect-victims/ https://www.advintel.io/post/bazarcall-advisory-the-essential-guide-to-call-back-phishing-attacks-that-revolutionized-the-data https://www.zoho.com/assist/
33CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 33
The Conti ransomware group and their affiliates
often relied on legitimate remote management
solutions such as Splashtop, AnyDesk or
ScreenConnect, as well as one-month
trial-versions of the Atera agent to regain and
establish persistence in cases where Cobalt
Strike was previously detected. This is now
used repeatedly by their successors. In a cp<r>
publication earlier this year, researchers found
that Atera remote management tool was used
also to deploy the Zloader banker.
In a case investigated by the Check Point
Incident Response Team (CPIRT) of a Hello
ransomware incident, attackers used Desktop
Central, a unified endpoint management
solution, together with Atera and Wazuh.
Desktop Central was installed prior to the
investigated breach, which indicates that
it was either utilized legitimately by the IT
department—although they did not recognize
it as a tool in their use—or was part of a
previous breach.
Wazuh is another legitimate software often
used by IT personnel. It is not a remote access
tool, but rather a security platform used for
network asset discovery and vulnerability
management. This allows attackers to disguise
their activity as legitimate scans for network
assets and vulnerabilities.
Other security tools adopted by threat actors
include Impacket and BloodHound. BloodHound
is a powerful tool for security assessments
of Active Directory (AD) environments used
in the analysis of AD rights and relations,
which can easily be abused by attackers.
Impacket is designed for IT administration and
penetration testing of network protocols and
services. Both tools were exploited by APT
groups in high-profile campaigns, such as the
WhisperGate destructive operation against
Ukrainian organizations, Sandworm attacks
against Ukrainian energy facilities together
with Industroyer2 malware, and in a Russian
state-sponsored campaign targeting defense
contractor networks in the US.
Before deploying the Somnia wiper, the FRwL
(From Russia with Love) hacktivist group used
a toolset consisting of AnyDesk, Ngrok reverse
proxy, Netscan network reconnaissance tool,
and open-source Rclone for data exfiltration
—tools that were previously used in financially-
motivated campaigns.
Instead of developing their own malware,
threat actors are now using legitimate
tools developed and made available by tech
companies. This trend sets new challenges for
detection, protection, attribution and further
mapping of the cyber arena. To meet these
challenges, defense systems must employ
holistic protection approaches. This emphasizes
the operational need for Extended Detection
and Response systems (XDR), which provide
context-based anomalies-detection and are
precisely designed to track down the malicious
use of otherwise legitimate tools.
C H A P T E R 3
https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/ https://www.manageengine.com/products/desktop-central/ https://www.manageengine.com/products/desktop-central/ https://wazuh.com/ https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ https://cert.gov.ua/article/39518 https://www.cisa.gov/uscert/ncas/alerts/aa22-047a https://cert.gov.ua/article/2724253
34CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 34
Seeking to maximize the pressure on their
victims, ransomware actors employ multiple-
extortion tactics. Data on the victims’ systems
is encrypted, with decryption keys released
only after the ransom payment. Unless they
pay, companies know their data could be
openly published, sold or even used to extort
their employees and customers directly. Some
ransomware affiliates, which have now become
more dominant in the ransomware crime
scene, and better skilled at identifying sensitive
information in victims’ networks, even skip the
encryption phase altogether and rely solely on
data publication threats to generate ransom
payments. This may have serious implications
for defense mechanisms, attribution, and future
analysis of the ransomware ecosystem.
In the early days, ransomware attacks were
conducted by single entities who developed
and distributed massive numbers of automated
payloads to randomly selected victims,
collecting small sums from each “successful”
attack. Fast forward to 2022 and these attacks
have evolved to become mostly human-operated
processes, carried out by multiple entities over
several weeks. The attackers carefully select
their victims according to a desired profile,
and implement a series of pressure measures
to extort significant sums of money. Threats of
exposing sensitive data have proven to be very
effective. This is because the victims fear the
consequences of large fines, lawsuits on behalf
of employees and customers, and the resulting
negative effect on stock prices and reputation.
Ransomware attack-management has also
evolved with an increase in threat actors that
operate a Ransomware-as-a-Service model
(RaaS) through affiliates. Affiliates, who
may participate in multiple RaaS programs
simultaneously and choose between various
encryption tools have become the ”producers”,
initiating attacks and paying part of the
revenue back to the RaaS operator. Affiliates
further outsource operations by purchasing
stolen credentials or network access from
access-brokers. The fragmented nature of this
operation complicates the attribution of attacks
and the tracking of criminal entities. Tactics,
techniques, and procedures (TTPs) used to
gain initial access to a system are no longer
necessarily connected to the affiliate or to the
RaaS payload later deployed.
R ANSOMWARE E X TORTION— SHIF TING FOCUS FROM
ENCRYPTION TO DATA E X TORTION
C H A P T E R 3
https://research.checkpoint.com/2022/ransomversary-wannacrys-5th-anniversary-special-and-the-evolution-of-ransomware/ https://blog.checkpoint.com/2021/05/12/the-new-ransomware-threat-triple-extortion/
35CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 35
Current Ransomware-as-a-Service (RaaS)
actors are competing for the attention of
affiliates, and typically charge 10% - 20% of
the ransom payment as a fee for their services.
The speed of the encryption module is one of
the main “selling points”, allowing the attacker
to reduce the encryption time and probability
of detection. RaaS actors’ attempts to shorten
encryption time include allowing affiliates
to choose from various encryption modes
or even offering partial file encryption
(“intermittent encryption”).
Some groups now skip the encryption phase
altogether, relying on threats of data exposure
alone to extort money. In September 2021,
a group named Karakurt Team started to
employ extortion without encryption. Attacking
mostly North American and European victims,
Karakurt operators typically contact their
victims, provide screenshots and copies of
the stolen data, and threaten to auction the
information or release it unless their demands
are met. They often contact the victims’
employees, business partners and clients
to ramp up the pressure. This new behavior,
involving direct contact with the victims’ clients,
was first observed in 2020, and is referred to
as Triple Extortion. Many different types of
information are considered sensitive, from
corporate financial and proprietary data to
personal data relating to physical or mental
health, financial data or any other personal
identifiable information (PII), which makes
the threat of data exposure even more potent.
Negotiation with the victims is often conducted
over relatively secure mediums, using
proprietary access codes. This is typically
done to prevent uncontrolled publication
which would result in reduced potential
leverage. At least in theory, victims who pay
can emerge from an attack relatively
unscathed, without their details posted on
Karakurt’s shame-site, and thereby stopping
their customers or the authorities from
finding out they have been attacked.
An example of the effectiveness of the threat of
personal data exposure was demonstrated in a
recent attack on Medibank, an Australian health
insurer, in October 2022. When the company
refused to pay ransom demands of $10M, the
attackers (possibly connected to the REvil
group) dumped massive amounts of personal
information relating to pregnancy termination,
drug and alcohol abuse, mental health issues
and other confidential and highly sensitive
medical data relating to millions of Australian
and international customers.
C H A P T E R 3
https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation https://www.cisa.gov/uscert/ncas/alerts/aa22-152a https://blog.checkpoint.com/2021/05/12/the-new-ransomware-threat-triple-extortion/ https://www.theguardian.com/australia-news/2022/dec/01/medibank-hackers-announce-case-closed-and-dump-huge-data-file-on-dark-web
36CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 36
added searchable data mechanisms, allowing
employees, customers and other potential
victims to search repositories of stolen data.
Also, valuable stolen data is often monetized
by selling it on Darknet markets.
Other threat actors have turned to destroying
data instead of encrypting it. The Onyx
ransomware group, active since April 2022,
destroys files larger than 2MB instead of
encrypting them. Others have followed suit.
A new sample of the ExMatter exfiltration tool
now includes dedicated wiping functionality.
Although it was initially detected as part of
the BlackMatter RaaS in late 2021, ExMatter
development is attributed to an affiliate and
not the RaaS entity. This marks the possible
independence of ransomware affiliates from
their RaaS partners.
Choosing to base their extortion solely on
data publication is understandably attractive
to attackers. It offers the option of quick
deployment, without a prolonged and messy
encryption process, thereby reducing the
possibility of detection. Victim management
becomes simpler. There is no need to supply
individual decryption keys to different victims
and operate a logistically complicated
“customer support” mechanism. Above all,
it frees affiliates from their dependence on
large RaaS actors who demand their share
of the income.
The Lapsus$ group also received a lot of public
attention following a series of data breaches
of large tech companies, including Microsoft,
Nvidia and Samsung. Since its first recorded
attack in December 2021 on the Brazilian health
ministry, in which they stole and threatened to
publish medical information regarding COVID-19
vaccinations, the group has focused on data
exfiltration rather than encryption. Headed
by young criminals of British and Brazilian
nationality, Lapusus$ uses various methods
to gain initial access to their victims, including
payments to employees, purchasing credentials
and social engineering. The group focuses on
locating and exfiltrating the proprietary source
code of their victims’ products. The ensuing
threat of publication is estimated to have
generated $14M in revenue after only a few
months of activity.
Some RaaS actors even recommend their
affiliates to avoid encrypting critical areas
such as data belonging to healthcare patients.
They permit attacking and exfiltrating data
from hospitals but not encrypting them,
suggesting some twisted version of a moral
code among hackers. Hive RaaS, which focuses
on healthcare, sometimes makes an effort to
not disable the systems. Publishing stolen data
has proven effective and threat actors have
developed elaborate extortion mechanisms.
BlackCat and Lockbit ransomware groups
C H A P T E R 3
https://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/ https://theconversation.com/darknet-markets-generate-millions-in-revenue-selling-stolen-personal-data-supply-chain-study-finds-193506 https://www.bleepingcomputer.com/news/security/beware-onyx-ransomware-destroys-files-instead-of-encrypting-them/ https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis https://www.reuters.com/technology/brazils-health-ministry-website-hit-by-hacker-attack-systems-down-2021-12-10/ https://www.bbc.com/news/technology-60864283 https://www.gov.br/pf/pt-br/assuntos/noticias/2022/10/pf-prende-brasileiro-suspeito-de-integrar-organizacao-criminosa-internacional https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ https://www.cisa.gov/uscert/ncas/alerts/aa22-321a https://www.databreaches.net/lake-charles-memorial-health-system-issues-statement-about-cyberattack-hive-responds/
37CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 37
and existing protection mechanisms which are
based on detecting encryption activity could
prove less effective. In its place, cyber security
providers will need to focus more on data
wiping and exfiltration detection.
As this data extortion model becomes prevalent,
possible ramifications include increased
fragmentation of the ransomware ecosystem.
Attribution of ransomware operations and
tracking threat actors may become even harder
I TAY C O H E N Technology Leader, Check Point Software
Technologies
As this data extortion model becomes prevalent, possible ramifications include increased fragmentation of the ransomware ecosystem. Attribution of ransomware operations and tracking threat actors may become even harder and existing protection mechanisms which are based on detecting encryption activity could prove less effective. In its place, cyber security providers will need to focus more on data wiping and exfiltration detection.
R A N S O M W A R E
C H A P T E R 3
38CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 38
Mod APKs (Android Package Kits; applications
for Android devices) are reworked copies of
well-known applications, designed to provide
users with extended functionalities or access
that are not available in the original version.
In the past few years, we have seen modified
versions of a variety of applications, from
instant messaging and social media apps, to
live streaming, VPN services and more. The
apps are usually distributed through unofficial
channels to users looking for free versions
of known apps, or for additional features
that do not exist in the original versions. In
some cases, users are targeted and offered
direct links to the modified APKs. In others,
users seek them out voluntarily due to limited
access to official applications. For example,
FMWhatsApp allows users to redesign their
WhatsApp interface and edit the “last seen” and
“blue tick” functionalities. These Mods are not
scrutinized as carefully as the official version,
which makes them a natural exploitation
target for threat actors. Often the infection is
achieved through advertisement SDKs, used by
the Mods’ developers. This was the case with
HMWhatsApp infection with the Triada Trojan in
August 2021, and APKPure later that year.
In our 2022 mid-year report we reviewed some
major events in the mobile threat landscape,
including the vast increase in the number of
malicious applications infiltrating Google and
Apple stores. Often disguised as innocent
applications like QR readers, external Bluetooth
apps, flashlights or games, they are designed
to attract as little attention as possible. In
our latest analysis, we focus on attempts to
hide mobile malware in “unofficial” versions
of well-known applications. Mostly, these
are malicious modified versions (aka Mods),
typically distributed through third-party app
stores and downloaded by users who prefer an
unofficial version for a variety of reasons. This
is not a completely unheard of threat, but 2022
has seen multiple attacks using apps that are
well known, trusted, and widely used.
MOBILE MALWARE L ANDSCAPE— THE RISK OF TRUSTING
THE FAMILIAR
C H A P T E R 3
https://securelist.com/triada-trojan-in-whatsapp-mod/103679/ https://securelist.com/apkpure-android-app-store-infected/101845/ https://pages.checkpoint.com/cyber-attack-2022-trends.html
39CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 39
In most cases, Mods are not distributed through
official app stores. However, sometimes
unsuspecting users can obtain them through
official channels. In October, WhatsApp’s
parent company Meta, filed a lawsuit against
three companies based in China and Taiwan for
developing unofficial versions of the application,
and selling them on their websites and in the
Google Play Store. Once installed, the modified
application was used to hijack accounts and
steal sensitive information from more than one
million Android users.
Mods have also been used by nation-state
actors. In August, researchers exposed the
Dracarys Android spyware deployed in a
modified version of the Signal messaging
application. Despite reports of attacks against
its users, Signal is considered a secured
messenger, but its modified version provided
attackers with extensive spying capabilities
along with its regular functions. The operation
was attributed to Bitter APT, a group known
to operate in South Asia, which is reportedly
also producing similar Mods for Facebook,
When made aware of these threats, WhatsApp
issued an alert in July 2022, warning users
not to use modified versions of the app,
and described its joint efforts with Google
to eradicate previous malicious versions.
Despite this warning, another modified build
of WhatsApp was reported in October 2022.
Once again, the YoWhatsApp Mod was found
to contain the Triada malware. When it is
implemented in a fully functioning version of the
popular messenger app, the malware is granted
extensive permissions, including access to
SMS messages, similar to the permissions
the official WhatsApp app receives. This can
allow threat actors to bypass Multi Factor
Authentication mechanisms and take over a
wide range of applications and accounts, from
email to banking and corporate accounts, as
well as the WhatsApp account itself. The latest
campaign deploying Triada malware through
modified applications, which was reported by
Check Point Research, weaponized copies of
the Telegram messaging app to steal personal
information from multiple users.
M A L W A R E
https://topclassactions.com/lawsuit-settlements/consumer-products/mobile-apps/meta-lawsuit-claims-companies-lure-whatsapp-users-into-connecting-to-malware-containing-apps/ https://www.malwarebytes.com/blog/news/2022/10/meta-locks-horns-with-apps-allegedly-compromising-whatsapp-accounts chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf https://www.kaspersky.com/blog/signal-hacked-but-still-secure/45273/ https://www.forbes.com/sites/thomasbrewster/2022/08/04/whatsapp-and-signal-fakes-are-spyware-from-india-and-pakistan-facebook-warns/?sh=63eda9e3207c https://twitter.com/wcathcart/status/1546567956728913920 https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/ https://twitter.com/search?q=%23Triada%20malware&src=typed_query&f=top
40CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 40
financially or politically motivated actors. This
was the case in 2018 and 2019 when the Iranian
government blocked secure instant messaging
(IM) apps, resulting in an increase in cloned
unofficial versions of Telegram, Instagram and
other IM applications. Many of the unofficial
applications were later revealed as part of a
government program to spy on and control
opposition and minority groups.
Mobile devices are targeted by hostile entities
for a variety of reasons and motivations.
Attackers often target the most popular,
well- known and widely used applications
which users would consider safe. Exploits
can come in either the form of modified or
fake applications, or through the exploitation
of vulnerabilities in the original versions. We
should take this as a reminder of the need to
stay vigilant, especially when using the most
popular and widely used applications.
Telegram, YouTube and WhatsApp. The
attack was deployed using phishing sites
that mimicked the genuine Signal site, and
most likely targeted users through phishing
emails and social media. Meta also accused
Transparent Tribe (APT-36), a Pakistan affiliated
state-sponsored threat actor, of creating and
using fake versions of WhatsApp, WeChat
and YouTube, and identified more than 10,000
potentially affected users.
Malicious modified versions of two mobile VPN
applications, SoftVPN and OpenVPN, were used
to spy on users by the mercenary Bahamut APT
group, which offers hacking services to a wide
range of clients.
Populations of totalitarian regimes often have
limited access to applications in the official app
stores and must seek other alternatives. This
makes them more susceptible to attacks by
S H A N I S H P R I N G E R Data Research Analysis
Team Leader, Check Point Software
Technologies
Mobile devices are targeted by hostile entities for a variety of reasons and motivations. Attackers often target the most popular, well- known and widely used applications which users would consider safe. Exploits can come in either the form of modified
or fake applications, or through the exploitation of vulnerabilities
in the original versions. We should take this as a reminder of the need to stay vigilant, especially when using the most popular and widely used applications.
C H A P T E R 3
https://portswigger.net/daily-swig/cloned-telegram-apps-pose-stalking-risk-to-iranians https://www.thenationalnews.com/business/iran-is-using-chat-apps-to-spy-on-its-citizens-researchers-say-1.1007778 https://timesofindia.indiatimes.com/gadgets-news/facebook-shuts-pakistani-hacker-group-apt36-how-it-operated-apps-used-and-more/articleshow/93383827.cms https://timesofindia.indiatimes.com/gadgets-news/facebook-shuts-pakistani-hacker-group-apt36-how-it-operated-apps-used-and-more/articleshow/93383827.cms https://www.wired.com/story/nso-group-forcedentry-pegasus-spyware-analysis/ https://www.microsoft.com/en-us/security/blog/2022/08/31/vulnerability-in-tiktok-android-app-could-lead-to-one-click-account-hijacking/
41CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 41
27.4%
22.9%
Cloud On-prem
In addition to vulnerability exploitation
attempts, cloud environments have become
both a source and target of security incidents
and breaches that involve improper access
management, sometimes combined with the
use of compromised credentials. In March 2022,
the ransomware gang Lapsus$ announced in a
statement on its Telegram channel that it had
gained access to Okta, an identity management
platform. Lapsus$ has a history of publishing
Over the past few years, Check Point Research
(cp<r>) has been tracking the increasing
adoption of cloud infrastructure in corporate
environments, as well as the evolution of the
cloud threat landscape. Currently, around 98%
of organizations use cloud-based services, and
76% of them have multi-cloud environments
that incorporate services from two or more
cloud providers.
When comparing the past two years, we have
seen a significant increase in the number
of attacks on cloud-based networks per
organization, which shot up by 48% in 2022
compared with 2021. Although the overall
number of attacks on cloud-based networks is
17% lower than non-cloud networks, a closer
examination of the types of attacks shows that
newly disclosed vulnerabilities (2020-2022) are
exploited more frequently on cloud-based than
on-premise environments. This might indicate
a shift that some threat actors now prefer
to scan the IP range of cloud providers. This
might enable to gain easier access to sensitive
information or critical services.
Figure 1 - Percentage of attacks leveraging recent vulnerabilities (disclosed 2020-2022)
CLOUD: THIRD PART Y THRE AT
C H A P T E R 3
42CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 42
Following the breach, Okta released an official
statement revealing that approximately 2.5% of
their customers were affected by the Lapsus$
breach—around 375 companies, according
to independent estimates. Okta, is used by
thousands of companies to manage and secure
user authentication processes, as well as by
developers to build identity controls. This
effectively means that hundreds of thousands
of users worldwide could potentially be
compromised by the company responsible
for their security.
On its Telegram channel, Lapsus$ claimed that
Okta was storing AWS keys in Slack and that
Okta’s third-party support engineers had access
to all the company’s 8,600 Slack channels. It
is possible that Lapsus$ gained initial access
to Okta via Slack using stolen cookies and/
or social engineering. cp<r> suggested that
Lapsus$’s access to Okta clients could explain
the cybercrime gang’s modus operandi and
impressive record of successes, all thanks to
excessive permissions granted to a third-party
within the corporate cloud environment. Identity
and Access Management (IAM) role abuse attacks
were thoroughly discussed by cp<r> in 2021,
and while this is still an ongoing issue, there are
other risks of which businesses need to be aware.
On September 16, 2022, Uber stated that they
were responding to a security incident which
they later attributed to a hacker connected to
the very same Lapsus$ group. The company
explained that the attacker used stolen
credentials of an Uber contractor in a Multi
Factor Authentication fatigue attack, where
the contractor was flooded with two-factor
authentication (2FA) login requests until one
of them was accepted. These credentials were
then used for lateral movement and privilege
escalation that resulted in the intruder gaining
administrator access to Uber's AWS cloud
account and its resources.
sensitive information, often source code, stolen
from high-profile tech companies such as
Microsoft, NVIDIA, and Samsung. However, this
time, the actors claimed their target was not
Okta itself, but rather its customers.
Figure 2 - LAPSUS$ announcement about OKTA on their telegram channel
BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASE FROM OKTA - our focus was ONLY on okta customers.
C H A P T E R 3
https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/ https://www.forbes.com/sites/thomasbrewster/2022/03/22/fury-as-okta-the-company-that-manages-100-million-logins-fails-to-tell-customers-about-breach-for-months/?sh=2c51d99b8734 https://blog.checkpoint.com/2022/03/22/lapsuss-okta-the-cyber-attacks-continue/ https://blog.checkpoint.com/2021/05/05/check-your-privilege-the-risks-of-privilege-escalation-in-the-cloud/ https://twitter.com/Uber_Comms/status/1570584747071639552 https://www.reuters.com/business/autos-transportation/uber-says-hacker-working-with-lapsus-responsible-cybersecurity-incident-2022-09-19/
43CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 43
From basic rules like not storing cloud
access keys publicly or not ignoring 2FA
bypass attempts, to more complicated but
essential ones such as prevention of cloud
misconfigurations and using proper IAM, the
events of 2022 show that any violations of
these rules puts cloud environments at risk.
Towards the end of the year, Uber suffered another
high-profile data leak that exposed sensitive
employee and company data. This time, attackers
breached the company by compromising an AWS
cloud server used by Tequivity, which provides
Uber with asset management and tracking
services. It is not clear if the unauthorized access
was due to misconfiguration or stolen credentials,
but it’s evident that we need to adapt our methods
of assessing third-party risk to the world of
cloud infrastructure.
C H A P T E R 3
O M E R D E M B I N S K Y Data Research Group Manager,
Check Point Software Technologies
When comparing the past two years, we have seen a significant increase in the number of attacks on cloud-based networks per organization, which shot up by 48% in 2022 compared with 2021. Although the overall number of attacks on cloud-based networks is 17% lower than non-cloud networks, a closer examination of the types of attacks shows that newly disclosed vulnerabilities (2020-2022) are exploited more frequently on cloud-based than on-premise environments. This might indicate a shift that some threat actors now prefer to scan the IP range of cloud providers. This might enable to gain easier access to sensitive information or critical services.
T H R E A T
https://www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-security/what-is-a-cloud-security-misconfiguration/ https://www.checkpoint.com/cyber-hub/cloud-security/what-is-identity-and-access-management-iam/
44CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
GLOBAL ANALYSIS
C H A P T E R 4
45CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 45CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
GLOBAL
AMERICAS
CYBER ATTACK CATEGORIES BY REGION
Figure 3: Percentage of organizations affected by malware type globally in 2022.
Figure 4: Percentage of organizations affected by malware type in the Americas in 2022.
MULTIPURPOSE MALWARE*
INFOSTEALERS
CRYPTOMINERS
MOBILE
RANSOMWARE
32%
24%
16%
9%
7%
MULTIPURPOSE MALWARE
INFOSTEALERS
CRYPTOMINERS
MOBILE
RANSOMWARE
23%
18%
12%
7%
5%
45CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
* Banking Trojans and botnets, previously classified as two distinct types, are combined in a single category. As many banking Trojans received additional functionalities, making the dif ferentiation between the two categories less distinct, we introduce the category “multipurpose malware” to include both genres.
C H A P T E R 4
46CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
CYBER ATTACK CATEGORIES BY REGION
EMEA
APAC
Figure 5: Percentage of organizations affected by malware type in EMEA in 2022.
Figure 6: Percentage of organizations affected by malware type in APAC in 2022.
MULTIPURPOSE MALWARE
INFOSTEALERS
CRYPTOMINERS
MOBILE
RANSOMWARE
33%
25%
15%
8%
8%
MULTIPURPOSE MALWARE
INFOSTEALERS
CRYPTOMINERS
MOBILE
RANSOMWARE
44%
30%
25%
14%
9%
46CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
C H A P T E R 4
47CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 47
GLOBAL THRE AT INDE X MAP
Figure 7. Global Threat Index Map
The map displays the cyber threat risk index globally, demonstrating the main risk areas around the world.*
* Darker = Higher Risk * Grey = Insufficient Data
C H A P T E R 4
48CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 48
Education / Research
Government / Military
Healthcare
Communications
ISP / MSP
Finance / Banking
Utilities
Insurance / Legal
Manufacturing
Leisure / Hospitality
SI / VAR / Distributor
Retail / Wholesale
Transportation
Software Vendor
Consultant
Hardware Vendor
2314 (+43%) 1661
1463 1380 1372
1131 1101
957 950 943
904 871
750 747
689 448
(+46%)
(+74%)
(+27%)
(+28%)
(+52%)
(+48%)
(+47%)
(+36%)
(+60%)
(+18%)
(+66%)
(+41%)
(+37%)
(+19%)
(+25%)
Figure 8 - Global Average of weekly attacks per organization by Industry in 2022 [% of change from 2021]
Data collected in 2022 shows a continued rise in attacks against all industries. Most
targeted are the educational and research institutions, with an average of 2,314
attacks per week per organization, an increase of more than 40% from 2021. Attacks
on the healthcare sector registered the highest surge, 74% more attacks than last
year, placing it as the third most targeted industry in this index. From hospitals
and clinics to research facilities, attackers have been focusing on the healthcare
industry since the beginning of the COVID-19 pandemic, seeking financial gain. 89% of
healthcare organizations reported cyberattacks within the last year with an average
total cost reaching $4.4M. Reported attacks included the CommonSpirit Health, the
second largest non-profit hospital chain in the US. CommonSpirit, which operates 140
hospitals, has reported data of more than 600K patients stolen, the attack resulting
in medical damage to patients. Hospitals in New York were hit by ransomware in
November leaving medical systems down for weeks after the attack. An attack on the
Dallas-based Tenet health care cooperation, operating hundreds of medical sites,
caused disruption to acute care operations. Among ransomware groups reported to
target healthcare organizations are Lockbit, BlackCat, Cuba, Zeppelin and more.
C H A P T E R 4
https://blog.checkpoint.com/2022/04/12/what-can-the-health-sector-learn-from-2021s-threat-landscape/#:~:text=In%20our%202022%20Security%20Report,utilities%2C%20banking%20and%20manufacturing%20sectors. chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf https://www.nbcnews.com/tech/security/ransomware-attacks-hospitals-take-toll-patients-rcna54090 https://www.nytimes.com/2022/12/12/nyregion/brooklyn-hospital-cyberattack.html https://www.healthcareitnews.com/news/cybersecurity-incident-disrupts-operations-tenet-hospitals/ https://healthitsecurity.com/news/hhs-warns-healthcare-sector-of-lockbit-3.0-blackcat-ransomware https://www.cisa.gov/uscert/ncas/alerts/aa22-335a https://www.cisa.gov/uscert/ncas/alerts/aa22-223a
49CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 49
Figure 9: Delivery Protocols—Email vs. Web Attack Vectors in 2018-2022.
EMAIL WEB
2019
64%
36%
2018
33%
67%
2020
83%
17%
2021
84%
16%
2022
86%
14%
C H A P T E R 4
50CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 50
TOP MALICIOUS FILE T YPES—WEB VS. EMAIL
Figure 10: Web—Top malicious file types in 2022.
Figure 11: Email—Top malicious file types in 2022.
ex e
pd f
dl l
xls ln k
ps 1 jar
ht m
l xls
b do
c
57%
10% 8%
5% 4% 3% 2% 1% 1% 1%
ex e
pd f
xls xls x
xls m
do cx rtf do
c ht
m l
vb s
26%
22%
17% 15%
9%
4% 3% 3%
0.8% 0.6%
C H A P T E R 4
51CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 51
zip ra r
im g gz 7z r0
0 ca
b iso z
tg z
51%
15%
9% 6%
4% 2% 2% 2% 1% 1%
Figure 12: Top malicious archive files delivered by both Web and Email in 2022.
The proportion of email-delivered-attacks has increased, reaching a staggering
record of 86% of all file based in-the-wild attacks. Data shows an increase in
the utilization of various types of archive file formats, as threat-actors attempt
to conceal malicious payloads. Included in password protected archives,
the functionality of malware is hidden until they are extracted, making their
identification as malicious by security products especially challenging. Zip files
are the most commonly used format for this purpose, while in the top malicious
archives types we observe also .img and .iso files, since their extraction
functionality is integrated in Windows or with very popular tools. Archive files
are often used to bypass the mark-of-the-web based protection mechanism.
C H A P T E R 4
https://attack.mitre.org/techniques/T1553/005/
52CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 52
Figure 13: Most prevalent malware globally—2022
Figure 14: Most prevalent malware in the Americas—2022
AMERICAS
Em ot
et
Ag en
tT es
la
Fo rm
bo ok
Qb ot
Sn ak
eK ey
lo gg
er
Lo kib
ot
XM Ri
g nj
RA T
Gu lo
ad er
Re m
co s
10%
8%
4%
3% 3% 3%
2% 2% 2%
1%
GLOBAL
Em ot
et Qb
ot
Ag en
tT es
la
Fo rm
bo ok
Gu lo
ad er
XM Ri
g nj
RA T
Sn ak
eK ey
lo gg
er
Re m
co s
Lo kib
ot
8%
3% 3%
2% 2% 2%
1% 1% 1% 1%
GLOBAL MALWARE STATISTICS
Data comparisons presented in the following sections of this report are based on data drawn from
the Check Point ThreatCloud Cyber Threat Map between January and December 2022.
For each of the regions below, we present the percentage of corporate networks impacted by each
malware family, for the most prevalent malware in 2022.
C H A P T E R 4
https://threatmap.checkpoint.com/
53CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 53
Figure 15: Most prevalent malware in EMEA—2022
EUROPE, MIDDLE EAST AND AFRICA (EMEA)
Figure 16: Most prevalent malware in APAC—2022
ASIA PACIFIC (APAC)
Em ot
et
Ag en
tT es
la
Fo rm
bo ok
Qb ot
Sn ak
eK ey
lo gg
er
Lo kib
ot
XM Ri
g
Re m
co s
nj RA
T
Gu lo
ad er
10% 9%
4% 4% 4%
3%
2% 2%
1% 1%
Em ot
et
Ag en
tT es
la
Fo rm
bo ok
Sn ak
eK ey
lo gg
er
Lo kib
ot
XM Ri
g
Ra m
ni t
Qb ot
nj RA
T
Gl up
te ba
15% 14%
9%
7%
5% 4%
3% 3% 2% 2%
C H A P T E R 4
54CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 54
GLOBAL ANALYSIS OF TOP MALWARE
Rising back from its fourth place in Check Point’s 2021 most prevalent malware
list, Emotet has regained its position at the top of 2022 table, affecting 10% of all
corporate networks. Initially discovered in 2014 as a banking Trojan, Emotet has
developed into a significant multipurpose malware, serving as an initial access
malware and used by sophisticated Eastern European cyber criminals. Identified
as one of the major cyber threats, Emotet was taken down in January 2021, on a
global law enforcement operation, only to resurge by the end of that year. On its
return Emotet was distributed with Trickbot’s assistance and later deployed large
scale spam campaigns with malicious Office documents. Relying heavily on Office
macros’ exploitations, Microsoft’s intension to disable VBA macros in documents
obtained from the internet was expected to affect Emotet’s distribution. Emotet’s
operators prepared for the change, experimenting with alternative file types
including .lnk, .xll zip and .iso files. In November, Emotet returned from one of
its routine breaks, and went back to its previous weapon of choice—Excel files
with malicious macros. To bypass the Mark-of-the-Web limitations, the attached
maldocs displayed detailed instructions directing users to copy the files into
the trusted “Templates” folder. Emotet continues to use email threads hijacking
technique and customizes email content according to the targeted country. Emotet
was observed deploying other malware families like IcedID and XMRig on victim
system. Other Emotet campaigns in 2022 include a campaign targeting IKEA
employees; a US phishing campaign impersonating the IRS during the 2022 tax
season and many more.
Infostealers occupied a central place in this year’s table, with four of the most
commonly used stealers, AgentTesla, Formbook, SnakeKeylogger and LokiBot
occupying the top six places in our top malware list. The popularity of infostealers
is connected to the growing market for stolen credentials and their availability
to threat actors for relatively low prices. One of the emerging techniques of
cyber cybercriminals is using infostealers for widely spread infections that
are not specifically focused on corporate networks. After the initial infection,
cybercriminals mine the data to identify corporate VPN credentials, which will
allow them to get an initial access to corporate networks.
C H A P T E R 4
https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/ https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/ https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-bit-versions-of-emotet-malware/ https://blog.checkpoint.com/2022/12/13/november-2022s-most-wanted-malware-a-month-of-comebacks-for-trojans-as-emotet-and-qbot-make-an-impact/ https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/ https://www.bleepingcomputer.com/news/security/emotet-malware-campaign-impersonates-the-irs-for-2022-tax-season/
55CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 55
43%
19%
6% 5%
3%
46%
17%
5% 4%
3% 3%
45%
15% 5%
5%
22%
Emotet Qbot Raspberry Robin Phorpiex Glupteba Icedid Other
Emotet Qbot Glupteba Phorpiex Raspberry Robin Mylobot Other
5% 5%
47%
9% 7%
6% 5%
23%
3% Emotet Qbot Raspberry Robin Phorpiex Glupteba Icedid Other
Emotet Qbot Raspberry Robin Phorpiex Glupteba Icedid Other
19%
23%
3%
Figure 17: Most prevalent multipurpose malware globally
Figure 19: Most prevalent multipurpose malware in EMEA
GLOBAL
Figure 18: Most prevalent multipurpose malware in the Americas
Figure 20: Most prevalent multipurpose malware in APAC
AMERICAS
EUROPE, MIDDLE EAST AND AFRICA (EMEA) ASIA PACIFIC (APAC)
TOP MULTIPURPOSE MALWARE
C H A P T E R 4
56CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 56
MULTIPURPOSE MALWARE GLOBAL ANALYSIS
As in our last midyear report, two malware categories, banking Trojans and
botnets, which were previously classified as distinct types, have been merged.
As many banking Trojans received additional functionalities, that make the
differentiation between the two categories less distinct, we introduce the unified
category, “multipurpose malware”. Comparisons in this category therefore relate
to the last midyear report rather than to older annual data.
Emotet and Qbot have increased their relative activity and now comprise of more
than 60% of infection attempts in this category. Raspberry Robin is a new entrant
to the multipurpose list. First detected in September 2021 using infected USB
devices and wormable capabilities to spread, Raspberry Robin has become one
of the largest active malware distribution platforms within a year. It was reported
to deploy various other malware families, including IcedID, Bumblebee and
ransomware brands like Clop and LockBit. With possible relations to Evil Corp
this malware constitutes a serious new threat.
The Phorpiex botnet, which has been known for distributing other malware
families via spam campaigns, as well as for fueling large-scale spam, sextortion
campaigns and ransomware spread, started 2022 with crypto-transaction hijacking
and continues its expansion, occupying the fourth place in the multipurpose table.
Glupteba has fully returned from the 2021 takedown operation carried out by
Google. This malware features a variety of capabilities including a credential
stealer, crypto miner, router exploiter and more. However, Glupteba is best known
for its use of the bitcoin blockchain technology as its C&C infrastructure to receive
configuration information. Glupteba’s use of bitcoin records improves its resilience
against takedowns, since the blockchain transactions cannot be deleted, however
they remain exposed for public inspection. Tracking Glupteba’s activity through
the blockchain has exposed a large ongoing campaign which started in June 2022.
C H A P T E R 4
https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ https://thehackernews.com/2022/09/new-evidence-links-raspberry-robin.html https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/
57CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 57
29%
22% 12%
12%
2%
38%
19%
15%
12%
4% 1%
35%
20% 16%
12%
11%
AgentTesla Formbook SnakeKeylogger Lokibot Vidar xloader Other
AgentTesla Formbook SnakeKeylogger Lokibot Vidar Pony Other
8%
5%
35%
21%
17%
12%
5% 8%
1%
AgentTesla Formbook SnakeKeylogger Lokibot Vidar Pony Other
AgentTesla Formbook SnakeKeylogger Lokibot Vidar RedLine Stealer Other
16%
10% 1%
Figure 21: Top infostealer malware globally
Figure 23: Top infostealer malware in EMEA
Figure 22: Top infostealer malware in the Americas
Figure 24: Top infostealer malware in APAC
GLOBAL AMERICAS
EUROPE, MIDDLE EAST AND AFRICA (EMEA) ASIA PACIFIC (APAC)
TOP INFOSTE ALER MALWARE
C H A P T E R 4
58CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 58
INFOSTE ALER MALWARE GLOBAL ANALYSIS
The growing market for stolen credentials and cookies, which are later used in
the evolving life cycle of access-brokers, ransomware affiliates and RaaS
suppliers, has contributed to the growing popularity of infostealers. Check Point
data reveals a steady increase in infostealers use, affecting 18% of corporate
networks in 2020, 21% in 2021 and reaching as much as 24% of all organizations in
2022. Infostealers are sold on underground forums for a monthly subscription fee
that ranges between $60 to $1,000, to threat actors of varying levels of technical
knowledge. This market, which was previously divided between multiple smaller
malware families, has consolidated and this year three brands, AgentTesla,
Formbook and SnakeKeylogger are responsible for 71% of Check Point monitored
infostealers attacks.
Formbook, detected in 20% of infostealer cases is a commodity malware
sold as-a-service on underground forums since 2016. It is designed to collect
keystrokes, search and access files, take screenshots, harvest browser
credentials and download and deploy additional payloads. It has been used
by multiple actors, often distributed using email attachments including pdf,
doc, RTF document, exe, zip, rar etc. Formbook has been deployed this year
targeting Ukraine and in numerous other campaigns.
The SnakeKeylogger modular .NET infostealer has tripled its rank compared to
our 2021 top malware statistics. Snake first surfaced around late 2020, and quickly
grew in popularity among cyber criminals. Snake’s main functionalities include
recording keystrokes, taking screenshots, harvesting credentials and clipboard
content, in addition to supporting exfiltration of the stolen data by both HTTP and
SMTP protocols. In August, researchers observed SnakeKeylogger in malspam
campaign spreading via phishing emails to target IT firms located in the US.
C H A P T E R 4
https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web https://www.bleepstatic.com/images/news/u/986406/Malware/RAT/FormBook-ad.jpg https://www.cyfirma.com/outofband/formbook-malware-technical-analysis https://www.malwarebytes.com/blog/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine https://www.bitdefender.com/blog/hotforsecurity/snake-keylogger-returns-in-malspam-campaign-disguised-as-business-portfolio-from-it-vendor/
59CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 59
84%
7% 4%
1%
84%
5% 3%
2% 6%
76%
10%
8% 1%
XMRig LemonDuck Wannamine JenkinsMiner Other
XMRig LemonDuck Wannamine NRSMiner Other
4%5%
64%15%
14%
2% 5%
XMRig LemonDuck Wannamine Kinsing Other
XMRig LemonDuck Wannamine Lucifer Other
Figure 25: Top cryptomining malware globally
Figure 27: Top cryptomining malware in EMEA
Figure 26: Top cryptomining malware in the Americas
Figure 28: Top cryptomining malware in APAC
GLOBAL AMERICAS
EUROPE, MIDDLE EAST AND AFRICA (EMEA) ASIA PACIFIC (APAC)
TOP CRYPTOMINING MALWARE
C H A P T E R 4
60CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 60
CRYPTOMINERS GLOBAL ANALYSIS
The crypto market cap has fallen dramatically in 2022, losing nearly $2 Trillion,
from a record $2.9T in November 2021. Low crypto rates combined with increased
mining costs affect mining profitability and with it the motivation for cryptomining.
This explains cryptominers’ visibility decreasing from 21% in 2021 to 16% globally
in 2022. This decline has left XMRig, a legitimate open-source mining tool, as the
most dominant tool used by attackers for malicious purposes. XMRig has been
used in 76% of cryptomining attacks in 2022 and as reported in the CPIRT chapter
often marks a breach which could later lead to the deployment of other malware.
LemonDuck, a relatively new cryptomining malware has no legitimate use,
and since its initial detection in 2019 added extensive malicious functionalities
including credential stealing and lateral movement. As Lemonduck is equipped
with the ability to drop additional tools for human-operated attacks, its detection
should be treated seriously as a possible precursor for severe attacks.
C H A P T E R 4
https://www.bloomberg.com/graphics/2022-crypto-contagion-from-bitcoin-to-FTX/ https://cryptoslate.com/btc-is-now-cheaper-than-the-all-in-sustaining-cost-of-mining-btc/ https://www.microsoft.com/en-us/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/
61CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 61
26%
24%
11% 7%
31%
19%
18%
9% 6%5%
49%
25%
20%
8% 5%
Anubis Joker AlienBot Hydra Hiddad Other
Joker Anubis Sharkbot Hiddad AlienBot Other
6%
5%
38%
17%5% 5%
5%
42%Joker Anubis AlienBot Hiddad Hydra Other
Joker Anubis AlienBot Hydra Hyddad Other
34%
Figure 29: Most prevalent banking Trojans globally
Figure 31: Most prevalent banking Trojans in EMEA
Figure 30: Most prevalent banking Trojans in the Americas
Figure 32: Most prevalent banking Trojans in APAC
GLOBAL AMERICAS
EUROPE, MIDDLE EAST AND AFRICA (EMEA) ASIA PACIFIC (APAC)
TOP MOBILE MALWARE
C H A P T E R 4
62CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 62
MOBILE MALWARE GLOBAL ANALYSIS
Joker, an Android mobile malware, is a stealer capable of accessing SMS
messages, contact lists and device information but mostly generates income
through unauthorized subscriptions to paid premium services. Joker uses its
access to SMS messages to authenticate requests and authorize payments.
Joker (aka Bread) was first identified in 2017 concealed in more than 1,700 benign
looking applications offered on Google Play Store. The malware has resurged this
year, hiding in at least 8 applications on Google Store with more than 3 million
downloads in 2022, climbing to the top of Check Point’s global mobile malware list.
Anubis is a banking Trojan malware designed for Android mobile phones. Since it
was initially detected in 2017, it has gained additional functions including Remote
Access Trojan (RAT) functionality, keylogging, and audio recording capabilities.
It has been detected on hundreds of different applications available in the Google
Store reaching Check Points top mobile malware list earlier this year.
C H A P T E R 4
https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html https://www.malwarebytes.com/blog/news/2022/07/new-variant-of-android-spyjoker-malware-removed-from-play-store-after-3-million-installs https://www.malwarebytes.com/blog/news/2022/07/new-variant-of-android-spyjoker-malware-removed-from-play-store-after-3-million-installs https://www.checkpoint.com/press-releases/june-2022s-most-wanted-malware-new-banking-malibot-poses-danger-for-users-of-mobile-banking/
63CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 63
C H A P T E R 5
HIGH PROFILE GLOBAL VULNERABILITIES
64CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 64
The following list of top vulnerabilities is based on data collected by the Check
Point Intrusion Prevention System (IPS) sensor net and details some of the most
popular and interesting attack techniques and exploits observed by cp<r> in 2022.
PROX YSHELL VULNER ABILITIES (CVE-2021-34473,
CVE-2021-34523 AND CVE-2021-31207)
This is the name given to an attack-chain which exploits three vulnerabilities
in Microsoft’s Exchange Server. Combining these vulnerabilities allows
unauthenticated attackers to perform Remote Code Execution (RCE) on vulnerable
servers. All three vulnerabilities have been reported and patched in 2021 they
remain at the top of the most exploited vulnerabilities list even in 2022. Some of
the reasons for their popularity with attackers are their simple exploitation, the
prevalence of MS Exchange servers with government and large businesses and
the fact they were thoroughly analyzed, and discussed by researchers. Check
Point data shows that 21% of our customers have been impacted with ProxyShell
attempts in 2022. ProxyShell vulnerabilities have been exploited for a variety of
motivations including by financially motivated threat actors to deploy ransomware,
for espionage in the Middle East and Africa and by Iranian APT entities to gain
access to American, Australian, Canadian and UK entities. Check Point Incident
Response Team (CPIRT) investigations found ProxyShell exploitations in one
in every six attack cases. Together with ProxyLogon and the recently reported
ProxyNotShell, these MS Exchange vulnerabilities constitute a significant attack
surface, frequently exploited in the wild, often resulting in major breaches.
C H A P T E R 5
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/ https://www.trendmicro.com/en_hk/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage https://www.cisa.gov/uscert/ncas/alerts/aa22-257a https://blog.checkpoint.com/2022/05/03/cisas-2021-top-15-routinely-exploited-vulnerabilities-check-point-customers-remain-fully-protected/
65CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 65
FOLLINA IN MICROSOF T OFFICE (CVE-2022-30190)
Reported in May 2022, this vulnerability in Microsoft Support Diagnostic Tool
(MSDT) is exploited using Microsoft Office documents. Microsoft has gone a
long way in their effort to reduce attacks utilizing office documents by disabling
macros in documents from external sources. Exploiting the new Follina
vulnerability, attackers are now using specially crafted .docx and .rtf documents
to download and execute malicious code even in Protected Mode and when macros
are disabled. Despite Microsoft’s mitigation efforts, threat actors have exploited
Follina in unpatched systems to deploy Qbot, and other RATs, making Follina
one the most frequently used vulnerability discovered in 2022 contributing to
the popularity of malicious office docs.
FORTINET CVE-2022-40684 AND CVE-2022-42475
Two critical bugs reported in October (CVSS score: 9.6) and December (CVSS score:
9.3) in Fortinet products allow unauthenticated attackers to execute arbitrary
code via specially crafted requests. The company notified of in-the-wild
exploitations and issued updates while CISA warned of significant risk to
the federal enterprise. Exploitation attempts of CVE-2022-40684 in the last
3 month impacted 18% of organizations.
C H A P T E R 5
https://research.checkpoint.com/2022/the-death-of-please-enable-macros-and-what-it-means/ https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ https://www.theregister.com/2022/06/09/qbot-malware-microsoft-follina/ https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild https://www.fortiguard.com/psirt/FG-IR-22-398 https://www.cisa.gov/uscert/ncas/current-activity/2022/10/11/cisa-has-added-one-known-exploited-vulnerability-catalog
66CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 66
New vulnerabilities discovered and reported in 2022 have been quickly
weaponized and used by threat actors this year. Compared to only 2% of attacks
in 2021 using same-year vulnerabilities, this year they were observed in
6% of the attacks monitored by Check Point. In addition to the vulnerabilities
reviewed above, the Atlassian Confluence RCE (CVE-2022-26134) and F5 BIG IP
(CVE-2022-1388) reviewed in our midyear report contributed their share to
new exploitation attempts. Our data shows that vulnerabilities reported in the
last three years made up 24% percent of exploitation attempts compared to
only 18% in 2021. This indicates an upgrade in threat actors’ competence and
integration ability, especially manifested in cloud based attacks, with 27% of
the attacks leveraging new vulnerabilities (2020-2022). Exploitation of older
vulnerabilities continued with widely used 2017 CVEs including, Apache Struts2
Figure 33: Percentage of attacks leveraging vulnerabilities by Disclosure Year in 2022.
2022
2021
2020
2019
2018
2017
2016
2015
2014
2013
2012
Earlier
0 2 4 6 8 10 12
6%
9%
9%
5%
10%
12%
7%
11%
10%
4%
7%
10%
C H A P T E R 5
https://pages.checkpoint.com/cyber-attack-2022-trends.html
67CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 67
Remote Code Execution (CVE-2017-5638) which is used by botnets and the
PHPUnit remote code execution (CVE-2017-9841), still used to exploit vulnerable
WordPress plugins. Information collected by the CPIRT (Check Point Incident
Response Team) shows the proportion of newly reported vulnerabilities in
successful attacks is even higher, with the ProxyShell vulnerabilities alone
used in 17% of investigated cases. This demonstrates that while 4-5 year old
vulnerabilities’ exploitation attempts are widespread, successful attacks more
often rely on newly discovered flaws, exploited before patched. The “long tail”
phenomenon of vulnerability exploitation persists, with 50% of attacks in the
wild targeting vulnerabilities reported before 2017. These are mostly less effective
and used by less advanced attackers. These findings once again highlight the
importance of timely system patching.
V U L N E R A B I L I T Y
C H A P T E R 5
68CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 68
C H A P T E R 6
INCIDENT RESPONSE PERSPECTIVE
69CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 69
(A specific case investigated by CPIRT in 2022 is highlighted in the boxed text.
Other text includes observations and data referring to all cases handled in 2022.
Certain details have been modified to ensure customer confidentiality)
On a Monday morning in March 2022, the Check Point Incident Response
Team (CPIRT) received a call from a medium-sized European technology
company which had been the victim of a Quantum Locker ransomware
attack deployed early in the morning the day before. Robert, the
company’s CISO, was on the line. Thus began a typical workday in the life
of an IR analyst, which is often one of the worst days of the customers’
(professional) life.
Unlike the analysis and trends discussed in previous chapters of this report, which
are based on Check Point products’ anonymized data collected during routine
preventative protection, this chapter offers the perspective of the Check Point
Incident Response Team who provide attack mitigation services in response to
various types of active breaches, and not specific to Check Point customers.
Robert reported that most of their data center servers, including the
Domain Controllers and File Servers, had been encrypted and rendered
non-functional. With no backups, their entire operation came to a halt
and they were in need of assistance to investigate and mitigate this attack.
CPIRT’s mission was to look for ongoing vulnerabilities and malicious
activity, resume network functionality, and perform root cause analysis
to identify the initial attack vector and prevent future attacks.
C H A P T E R 6
70CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 70
Figure 34: Breakdown of CPIRT cases by initial threat indication in 2022
49%
11%
7%
10%
Ransomware Email Compromise Single server compromise Phishing attempt Compromised Credentials Multiple host compromise Single host compromise Brute Force Data Leak Other
3%
3% 4%
5%
3%
5%
CPIRT involvement usually follows the discovery of visible malicious activity,
such as encrypted files (ransomware), detection of spoofed or forged emails
(email compromise), or the presence of malware files or unknown processes on
a computer system. CPIRT’s breakdown of the initial threat indication provides
a different perspective of the threat landscape than the one routinely provided
by our product data.
D A N I E L W I L E Y Head of Threat Management and Chief Security Advisor,
Check Point Software Technologies
Analysis of the initial threat indications as seen by CPIRT in 2022 indicates that almost 50% of investigations involve ransomware infections. The threat breakdown above is different from what we see in our product data, which places multipurpose malware and infostealers at the top of the threat list. However, CPIRT data shows that the biggest risks that are visible from a large corporate perspective—are full-blown ransomware attacks and full network compromises. Product telemetry that records multipurpose malware activity often just shows the initial incursion which if prevented, blocks much larger damage.
C H A P T E R 6
71CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 71
RCE vulnerability
Exposed RDP Service
Phishing / Malspam
Brute force / Credential stuffing
Insider threat
Compromised Credentials
0 10 20 30 40 50
47%
24%
21%
8%
7%
3%
After the initial CPIRT forensic investigation, it became clear that the entry
point to the organization was the company’s exchange server. The server
had not been patched and was vulnerable to two very popular exploits used
by threat actors since 2021: the same group of vulnerabilities used
by Hafnium (CVE-2021-26855 and CVE-2021-26855, CVE-2021-26857 or
CVE-2021-26858) and the ProxyShell vulnerabilities (CVE-2021-34473,
CVE-2021-34523, CVE-2021-31207).
In almost half of CPIRT cases, the initial foothold is achieved by exploiting a
vulnerable server with an unpatched RCE vulnerability and open ports to the
internet. In fact, ProxyShell vulnerabilities specifically were the cause of one
in every six incidents CPIRT investigated in 2022, despite those vulnerabilities
being disclosed and patched in 2021.
Figure 35: Breakdown of the initial entry vector in CPIRT cases in 2022
C H A P T E R 6
72CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 72
An exposed RDP service is often used by attackers in combination with an
RCE vulnerability or password attacks such as brute force or credential stuffing
attack to gain a foothold in the network. Mail servers are often the weak link in
a network and are a common initial entry point for attackers and more easily
encrypted. That is because, due to performance considerations, endpoint
security and anti-ransomware products are frequently not installed on servers.
Combined with the high number of vulnerabilities, network exposure and poor
patch management, in many organizations, it’s the servers and not the peripheral
endpoints that are the weakest point and are therefore exploited in many attacks.
Further analysis revealed that the same vulnerable Exchange server had
been exploited twice, in incidents nine months apart. The first exploitation
of the server occurred in June 2021. Initially, “only” a cryptominer was
installed, utilizing multiple assets across the network.
This emphasizes the need to treat every breach as seriously as a full-blown
ransomware attack. As in this case, cryptominers and other “minor” malware
types are often initial indicators of possible exploitation that could lead to
cyber disasters later on.
Persistence in this attack was achieved by changing a registry key to
periodically connect and download an external resource. Initially, this
was a cryptominer installed on dozens of machines, but the resource
could easily have been changed to another payload. By the end of the
initial attack in mid-2021, the attackers leaked a list of network assets in
the network, and used Mimikatz to harvest credentials from the infected
network. Some of the harvested passwords were NTLM hashes which,
due to the practice of simple passwords, were easily reverse-engineered
to the plain text version.
C H A P T E R 6
73CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 73
Cobalt Strike
Mimikatz
AnyDesk
XMRig
PsExec
RdpWrap
Teamviewer
Session Gropher
Metasploit
Kali Linux
Chrome Password Reader
ADAudit
0 5 10 15 20 25 30 35 40
38%
33%
21%
13%
9%
8%
7%
7%
6%
6%
6%
5%
Figure 36: Tools used on compromised systems in 2022 CPIRT cases.
CPIRT case statistics reveal extensive utilization by attackers of non-signature
tools. The top tools used this year were Cobalt Strike and Mimikatz. However,
for the first time, the third most popular tool in this list, AnyDesk, is a legitimate
admin tool. As threat actors have started using more legitimate admin tools in
their attacks, the use of customized malware built by the same threat actors
has declined, and we are seeing an increase in attacks that might not include
any malware at all. This shift in the tools deployed by attackers is detailed in a
dedicated chapter in this report.
During the second breach in March 2022, the attackers used the data
retrieved nine months earlier. The asset list and credential dump
stolen during the first attack were now used to enable and direct the
ransomware deployment.
C H A P T E R 6
74CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 74
Lockbit
Black Basta
Conti
Dharma
Hive
Royal
Vice Society
Phobos
0 1 2 3 4 5 6 7 8
8%
7%
7%
5%
5%
5%
4%
4%
Figure 37: Top Ransomware Families seen in IR cases in 2022
Stolen credentials and initial access to corporate networks are now often traded
between threat actors or sold by “initial access brokers”. The outsourcing of more
and more parts of the attack process, and the further fragmentation of the threat
landscape, complicates attribution efforts. For these reasons, in many of CPIRT
cases in 2022, the attack attribution was not to a very well-known or common
threat group. We have also seen multiple malware families used in a single attack,
for example, the use of IceID to deliver RansomEXX.
While the first attack went relatively unnoticed, the second attack
resulted in the encryption of critical servers and ensuing serious damage.
But there is a happy ending: at the end of a long, nerve-wracking process,
thanks to CPIRT assistance, Robert was able to recover his company’s
data and resume normal business activity.
This case is one of many dozens handled by CPIRT in 2022 that emphasizes the
critical importance of the following:
• Patch immediately when an update is available.
• Impose a complex password policy with frequent updates.
• Use endpoint security and anti-ransomware on critical systems.
As Robert can attest, these actions prevent corporate catastrophes.
C H A P T E R 6
75CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
C H A P T E R 7
2023 INSIGHTS FOR CISOS: DISRUPTION AND DESTRUCTION
76CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 76
EXPECT INCREASED GLOBAL ATTACKS ON BUSINESSES, STRICTER GOVERNMENT REGULATIONS AND MORE
CISOs had to deal with a lot in 2022. Global attacks increased by 28% in the
third quarter of 2022 compared to same period in 2021, and the average weekly
attacks per organization worldwide reached over 1,130. As we look ahead to 2023,
that trend shows no signs of slowing down with increases in ransomware exploits
and state-mobilized hacktivism driven by international conflicts. At the same time,
organizations’ security teams and CISOs will face growing pressure as the global
cyber workforce gap of 3.4 million employees widens further, and governments
introduce stricter cyber regulations to protect citizens against breaches.
In 2022, cyber criminals and state-linked threat actors continued to exploit
organizations’ hybrid working practices as businesses shifted to decentralized
workforces, and the increase in these attacks is showing no signs of slowing down
as the Russia—Ukraine conflict continues to have a profound impact globally.
Organizations need to consolidate and automate their security infrastructure to
enable them to better monitor and manage their attack surfaces and prevent all
types of threat with less complexity and less demand on staff resources.
2023 INSIGHTS: WHAT SHOULD CISOS BE LOOKING OUT FOR, AND WHAT DOES IT MEAN FOR YOUR ORGANISATION?
Hikes in destructive malware and impactful hacking exploits
• No respite from ransomware: this was the leading threat to organizations in the
first half of 2022, and the ransomware ecosystem will continue to evolve and grow
with smaller, more agile criminal groups forming to evade law enforcement.
• Compromising collaboration tools: while phishing attempts against business and
personal email accounts are an everyday threat, in 2023 criminals will widen their
aim to target business collaboration tools such as Slack, Teams, OneDrive and
Google Drive with phishing exploits. These are a rich source of sensitive data given
most organizations’ employees often continue to work remotely.
C H A P T E R 7
https://blog.checkpoint.com/2022/10/26/third-quarter-of-2022-reveals-increase-in-cyberattacks/ https://www.isc2.org/Research/Workforce-Study https://www.checkpoint.com/press-releases/check-point-softwares-mid-year-security-report-reveals-42-global-increase-in-cyber-attacks-with-ransomware-the-number-one-threat/
77CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 77
M AYA H O R O W I T Z Vice President, Research,
Check Point Software Technologies
Ransomware threat actors will continue to carry out double extortions—encrypting network and sending out the data—as big money comes from the data breach. But we will also start to see more attacks where extortion is only related to a data breach with no encryption taking place, meaning that whilst the data is stolen, it can still be used.
When looking at compromised collaboration tools, there will be more sophisticated attacks within multiple domains, known as 5th Gen attacks, as the attack may start with email but move to the network, firewall and more. This can all take months to unfold. We are also seeing a rise in “static expressway” where you can create static ‘allow lists’ so everything from Google is allowed. This is common because it is hard to go through all domains. For example, we can create something malicious on a popular site and know that the receiving party will get it, with a good proportion clicking on it because it is a real Paypal/Quickbook invoice, but with a virus attached. This could expand to other trusted brands. With phishing, attackers use a fake email but in these cases, it seems legitimate, so both the user and security system are at a loss.
With the move to collaboration tools such as Slack and Teams over the pandemic period, there will be an increase of attacks using these platforms. Most attacks so far have been via email, but it could happen through any application or via services that use the same logins. There is a perception that Teams is impervious to attack, which means users are loose with sharing data and personal information, but this is not the case. Business Email compromise has resulted in $2.4B in losses, but in reality, perhaps it should be renamed business collaboration compromise.
J E R E M Y F U C H S Researcher/Analyst, Avanan (a Check Point Software Company)
C H A P T E R 7
78CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 78
HACKTIVISM AND DEEPFAKES EVOLVE WITH ATTACKS ON NATIONAL ORGANISATIONS
AND GOVERNMENT AGENCIES
• State-mobilized hacktivism: In the past year, hacktivism has evolved from
social groups with fluid agendas (such as Anonymous) to state affiliated groups
that are more organized, structured and sophisticated. Such groups have
attacked targets in the US, Germany, Italy, Norway, Finland, Poland and Japan
recently, and these ideological attacks will continue to grow in 2023.
• Weaponizing deepfakes: In October 2022, a deepfake of U.S. President Joe
Biden singing ‘Baby Shark’ instead of the national anthem was circulated
widely. Was this a joke, or an attempt to influence the important U.S. mid-
term elections? Deepfakes technology will be increasingly used to target and
manipulate opinions, or to trick employees into giving up access credentials.
The lines between nation state actors, cybercriminals and hacktivists will continue to blur. We will see more hacktivists groups in support of nation-state narratives, and nation-state actors learning techniques from veteran cybercriminals. All of this makes it harder to attribute attacks to any one group, so organizations will have to build proper cyber protections against all types of threat actors.
S E R G E Y S H Y K E V I C H Threat Intelligence Group Manager,
Check Point Software Technologies
C H A P T E R 7
https://research.checkpoint.com/2022/the-new-era-of-hacktivism/ https://apnews.com/article/fact-check-biden-baby-shark-deepfake-412016518873 https://apnews.com/article/fact-check-biden-baby-shark-deepfake-412016518873
79CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 79
CLOUD-BASED AND IOT SOLUTIONS— “VULNER ABLE BY DESIGN” AFFECTS
BUSINESS AT TACK VECTORS
• Cloud gets more complicated: It is clear that the increased use of cloud based and
IoT solutions has presented new challenges for security professionals. With less
control and visibility over where data is stored and how it is accessed, it can be
difficult to ensure that access to sensitive information is properly secured. This is
especially true in industries like healthcare and manufacturing, where IoT-based
sensors and devices are becoming more prevalent. Additionally, the use of devices
such as cameras, printers, and smart TVs for video conferencing have introduced
new vulnerabilities. Overall, it is important for organizations to take steps to
ensure the security of their cloud based and IoT systems as they will continue to
be central and trendier pieces of any IT environment, including implementing proper
access controls and regularly monitoring for potential vulnerabilities.
Vulnerability exploitation is prevalent as attackers are exceptionally quick at finding holes in well-known products widely used by organizations. That is why it is important to patch, patch, patch and keep up with updates as a minimum, as these simple security measures are usually overlooked.
M U H A M M A D YA H YA PAT E L Global Cybersecurity Evangelist,
Check Point Software Technologies
C H A P T E R 7
80CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 80
GOVERNMENTS STEP UP ME ASURES TO PROTECT CITIZENS AND ORGANIZ ATIONS
• New laws around data breaches: the breach at Australian telco Optus has
driven the country’s government to introduce new data breach regulations
to protect customers against subsequent fraud, with new laws introduced
lifting maximum penalties for serious or repeated breaches from the current
A$2.22million to the greater of A$50 million. Similar measures by the British
Government were introduced with a new mandatory reporting obligation on
MSPs (Managed Service Providers) to disclose cyber incidents or be fined £17
million for non-compliance. In Australia, the government is also considering
imposing a ban on ransoms to cybercriminals leading other national
governments to possibly follow this example in 2023, in addition to existing
measures such as GDPR.
• New national cybercrime task forces: More governments will follow
Singapore’s example of setting up inter-agency task forces to counter
ransomware and cybercrime, bringing businesses, state departments and
law enforcement together to combat the growing threat to commerce and
consumers. These efforts are partially a result of questions over whether the
cyber-insurance sector can be relied upon as a safety net for cyber incidents.
The EU has also strengthened its cybersecurity and resilience with its new
directive, NIS2. NIS2 will set the baseline for risk management and reporting
across all sectors including energy, health and critical infrastructure.
I expect to see cloud transformation slow down due to cost and complexity, with many companies considering the action of bringing workloads back in-house, or at least to private data centers. This could help in reducing the overall threat surface.
D E R Y C K M I T C H E L S O N Field CISO EMEA,
Check Point Software Technologies
C H A P T E R 7
https://www.sbs.com.au/news/article/optus-data-breach-what-are-the-new-regulations-for-telcos-following-cyberattack/fegmvnk5t https://www.reuters.com/technology/australia-flags-increased-penalties-data-breaches-following-major-cyberattacks-2022-10-22/ https://www.reuters.com/technology/australia-consider-banning-paying-ransoms-cyber-criminals-2022-11-12/ https://www.channelnewsasia.com/singapore/ransomware-task-force-singapore-internet-cybersecurity-practices-3014046
81CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 81
• Mandating security and privacy by design: The automotive industry has
already moved to introduce measures to protect the data of vehicle owners.
This example will be followed in other areas of consumer goods that store
and process data, holding manufacturers accountable for vulnerabilities in
their products.
To prevent highly sensitive data from falling into the wrong hands, CISOs must focus on understanding where the organizations’ crown jewels are stored, including within 3rd party systems. CISOs should take into consideration who and what has access to their data, think APIs, and prioritize Zero Trust implementation. This means enforcing the principle of least privilege so that users and systems are granted the bare minimum access to resources, to do their job.
Attacks on critical infrastructure will continue to increase with threat actors becoming more shameless, though they will be more difficult to conduct and require special tools. Key sectors such as energy, telecommunications and healthcare are targeted because they have so much to lose, and are more likely to pay. Though attacks on the education sector is random, attacks will continue because of how the networks are built.
A S H W I N R A M Cybersecurity Evangelist,
Check Point Software Technologies
M AYA H O R O W I T Z Vice President, Research,
Check Point Software Technologies
C H A P T E R 7
82CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 82
ZERO-DAY VULNER ABILITIES IN SUPPLY CHAIN AND SOF T WARE CODE CAN BE E XPLOITED,
DESTROYING DAY-TO-DAY BUSINESS OPER ATIONS
• Zero-day vulnerabilities continue to plague businesses: While these
vulnerabilities are typically discovered and patched by white hat hackers
before they are made public, they can be easily exploited once they are
found. This has not happened yet, as most threat actors are more interested
in exploiting vulnerabilities that are easier to access. The proxy logon
vulnerability, which was discovered last year, is still the most exploited
vulnerability simply because it is effective. However, if a threat actor were
to find and exploit a zero-day vulnerability before it was patched, the damage
could be devastating and destructive. Until recently, there have not been
many threat actors with the motivation to take down as many networks as
possible, but the current climate of chaos and changing motivations may
lead to more attempts to exploit such zero-day vulnerabilities. Patching and
keeping software up to date is a critical mission.
P E T E N I C O L E T T I Field CISO, Americas, Check Point Software
Technologies
Supply Chain Attacks and breaches will continue accelerating over the next year. Most companies do not do a good enough job with managing the risk of the components they are using and do not have visibility into their SBOM nor a complete strategy, much less an understanding of where the gaps are.
C H A P T E R 7
83CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 83
CONSOLIDATION AS A SOLUTION TO E VOLVING CORPOR ATE CYBER CHALLENGES
Cutting complexity to reduce risks: Organizations have more complex, distributed
networks and cloud deployments than ever before because of the pandemic. With
so many elements to consider, security teams need to consolidate their IT and
security infrastructures to improve their defenses and reduce their workload
to help them stay ahead of threats. The statistics speak for themselves, where
over two-thirds of CISOs stated that working with fewer vendors’ solutions would
increase their company’s security. Security teams need to consolidate their IT and
security infrastructures to improve their defenses and reduce their workload to
help them stay ahead of threats.
J O N AT H A N ‘J O N Y ’ F I S C H B E I N
CISO, Check Point Software
Technologies
The industry as a whole has made great strides in decreasing the number of solutions to reduce the complexity. Historically companies were using 15-17 solutions. Now CISOs are trying to cut down the number of solutions to reduce complexity, leading the industry to turn to consolidation as an answer. We suggest a management dashboard that allows security professionals to reduce the level of complexity when dealing with security issues.
C H A P T E R 7
https://blog.checkpoint.com/2022/06/09/what-role-did-a-viral-pandemic-play-in-cyber-security-consolidation/
84CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 84
D E R Y C K M I T C H E L S O N Field CISO EMEA,
Check Point Software Technologies
Consolidation will become a “real” priority in 2023, especially as businesses look to remove cost, heightened with the much talked about recession, and more importantly, complexity from entire digital and security stack.
Organizations need to consider the new ‘work from home’ realm and how to address security challenges from the hybrid and remote workforce as they may not have as strong a security posture as the organizations they belong to. With these workers leveraging the network, preventing such attacks through these new vector needs to be considered. Consolidating the entire cybersecurity posture would be a step in the right direction.
A N T O I N E T T E H O D E S Solutions Architect & Evangelist, EMEA, Check Point Software
Technologies
C H A P T E R 7
85CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
C H A P T E R 8
PREVENTION IS AT REACH
86CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 86
BECOMING A VICTIM IS NOT PREDESTINED—PRE VENTION
IS AT RE ACH
Zero-day attacks are unknown cyber risks that easily circumvent signature-
based security solutions and therefore pose an exceptionally dangerous risk to
businesses. Ransomware attacks became a central cyber threat and oppose a
disruptive factor globally to organizations, corporates and even governments.
Phishing attacks can have several different goals, including malware delivery,
stealing money, and credential theft. However, most phishing scams designed
to steal your personal information can be detected and their sometime enormous
damage can be prevented. A Data breach can ravage an organization. A data
breach often results in expensive security audits, fines and stakeholders often
lose trust in the organization as a result. The rapid rise of high-profile data
breaches shows it is critical for security professionals to reexamine their current
security strategies and implement unified security across network, cloud, and
mobile environments in an effort to prevent the next breach. Modern Cloud
Applications brings new security challenges to developers which needs to make
sure thery are preventing code leaks and other potential breaches that can
be disastrous.
In this section, we provide security professionals practical recommendations
that can mean the difference between joining the growing statistics of cyber
victims and preventing the next one.
C H A P T E R 8
87CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 87
HOW TO PRE VENT R ANSOMWARE AT TACKS
There are several actions that a company can take to minimize their exposure to
and the potential impacts of a ransomware attack.
1. Robust Data Backup
The goal of ransomware is to force the victim to pay a ransom in order to regain
access to their encrypted data. However, this is only effective if the target
actually loses access to their data. A robust, secure data backup solution is an
effective way to mitigate the impact of a ransomware attack. If systems are
backed up regularly, then the data lost to a ransomware attack should be minimal
or non-existent. However, it is important to ensure that the data backup solution
cannot be encrypted as well. Data should be stored in a read-only format to
prevent the spread of ransomware to drives containing recovery data.
2. Cyber Awareness Training
Phishing emails are one of the most popular ways to spread ransom malware.
By tricking a user into clicking on a link or opening a malicious attachment,
cybercriminals can gain access to the employee’s computer and begin the process
of installing and executing the ransomware program on it. With the global gap
in cybersecurity talent impacting organisations around the world, frequent
cybersecurity awareness training is crucial to protecting the organization against
ransomware, leveraging their own staff as the first line of defence in ensuring a
protected environment. This training should instruct employees to do the following:
• Not click on malicious links
• Never open unexpected or untrusted attachments
• Avoid revealing personal or sensitive data to phishers
• Verify software legitimacy before downloading it
• Never plug an unknown USB into their computer
• Use a VPN when connecting via untrusted or public Wi-Fi
C H A P T E R 8
88CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 88
3. Up-to-Date Patches
WannaCry, one of the most famous ransomware variants in existence, is an
example of a ransomware worm. Rather than relying upon phishing emails or
Remote Desktop Protocol (RDP) to gain access to target systems, WannaCry
spread itself by exploiting a vulnerability in the Windows Server Message Block
(SMB) protocol. At the time of the famous WannaCry attack in May 2017, a patch
existed for the EternalBlue vulnerability used by WannaCry. This patch was
available a month before the attack and labeled as “critical” due to its high
potential for exploitation. However, many organizations and individuals did not
apply the patch in time, resulting in a ransomware outbreak that infected 200,000
computers within three days. Keeping computers up-to-date and applying security
patches, especially those labeled as critical, can help to limit an organization’s
vulnerability to ransomware attacks as such patches are usually overlooked or
delayed too long to offer the required protection.
4. Strengthening User Authentication
Cybercriminals commonly use the Remote Desktop Protocol (RDP) and similar
tools to gain remote access to an organization’s systems using guessed or stolen
login credentials. Once inside, the attacker can drop ransomware on the machine
and execute it, encrypting the files stored there. This potential attack vector
can be closed through the use of strong user authentication. Enforcing a strong
password policy, requiring the use of multi-factor authentication, and educating
employees about phishing attacks designed to steal login credentials are all
critical components of an organization’s cybersecurity strategy.
5. Anti-Ransomware Solutions
While the previous ransomware prevention steps can help to mitigate an
organization’s exposure to ransomware threats, they do not provide perfect
protection. Some ransomware operators use well-researched and highly
targeted spear phishing emails as their attack vector. These emails may trick
even the most diligent employee, resulting in ransomware gaining access to an
organization’s internal systems. Protecting against this ransomware that “slips
through the cracks” requires a specialized security solution. To achieve its
objective, ransomware must perform certain anomalous actions, such as opening
C H A P T E R 8
89CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 89
and encrypting large numbers of files. Anti-ransomware solutions monitor
programs running on a computer for suspicious behaviors commonly exhibited by
ransomware, and if these behaviors are detected, the program can take action to
stop encryption before further damage can be done.
6. Utilize better threat prevention
Most ransomware attacks can be detected and resolved before it is too late.
You need to have automated threat detection and prevention in place in your
organization to maximize your chances of protection.
• Scan and monitor emails. Emails are a common choice of cybercriminals
executing phishing schemes, so take the time to scan and monitor emails
on an ongoing basis, and consider deploying an automated email security
solution to block malicious emails from ever reaching users.
• Scan and monitor file activity. It is also a good idea to scan and monitor file
activity. You should be notified whenever there is a suspicious file in play—
before it becomes a threat.
A T T A C K S
C H A P T E R 8
https://www.checkpoint.com/solutions/ransomware-protection/anti-ransomware/ https://www.checkpoint.com/infinity/zero-day-protection/ https://www.checkpoint.com/harmony/email-security/email-office/
90CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 90
HOW TO PRE VENT PHISHING AT TACKS
1. Always note the language in the email
Social engineering techniques are designed to take advantage of human nature.
This includes the fact that people are more likely to make mistakes when they are
in a hurry and are inclined to follow the orders of people in positions of authority.
Phishing attacks commonly use these techniques to convince their targets to
ignore their potential suspicions about an email and click on a link or open an
attachment. Some common phishing techniques include:
• Fake Order/Delivery: A phishing email will impersonate a trusted brand
(Amazon, FedEx, etc.) stating that you have made an order or have an incoming
delivery. When you click to cancel the unauthorized order or delivery, the
website (which belongs to a cybercriminal) will require authentication,
enabling the attacker to steal login credentials.
• Business Email Compromise (BEC): BEC scams take advantage of hierarchy
and authority within a company. An attacker will impersonate the CEO or
other high-level executive and order the recipient of the email to take some
action, such as sending money to a certain bank account (that belongs to
the scammer).
• Fake Invoice: The phisher will pretend to be a legitimate vendor requesting
payment of an outstanding invoice. The end goal of this scam is to have
money transferred to the attacker’s account or to deliver malware via a
malicious document.
C H A P T E R 8
91CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 91
2. Never share your credentials
Credential theft is a common goal of cyberattacks. Many people reuse the same
usernames and passwords across many different accounts, so stealing the
credentials for a single account is likely to give an attacker access to a number
of the user’s online accounts.
As a result, phishing attacks are designed to steal login credentials in various
ways, such as:
• Phishing Sites: Attackers will create lookalike sites that require user
authentication and point to these sites in their phishing emails. Beware of links
that don’t go where you expect them to.
• Credential-Stealing Malware: Not all attacks against your credentials are
direct. Some phishing emails carry malware, such as keyloggers or trojans,
that are designed to eavesdrop when you type passwords into your computer.
• Support Scams: Cybercriminals may pose as customer support specialists
from Microsoft, Apple, and similar companies and ask for your login
credentials while they “help” you with your computer.
3. Always be suspicious of password reset emails
Password reset emails are designed to help when you can’t recall the password
for your account. By clicking on a link, you can reset the password to that account
to something new. Not knowing your password is, of course, also the problem
that cybercriminals face when trying to gain access to your online accounts.
By sending a fake password reset email that directs you to a lookalike phishing
site, they can convince you to type in your account credentials and send those to
them. If you receive an unsolicited password reset email, always visit the website
directly (don’t click on embedded links) and change your password to something
different on that site (and any other sites with the same password).
C H A P T E R 8
92CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 92
4. Educate Employees About Current Phishing Threats
Phishing attacks use human nature to trick people into doing something that the
attacker wants. Common techniques include creating a sense of urgency and
offering the recipient of the email something that they desire, which increases the
probability that the target will take action without properly validating the email.
Phishers will often take advantage of current events or impersonate trusted
brands in their emails to make them more realistic. By offering information,
goods, or opportunities related to a current event or creating a situation where
the recipient believes that something has gone wrong (like a fake package delivery
notification), these emails increase their probability of getting clicks.
Phishing techniques and the pretexts used by cybercriminals to make their attacks
seem realistic change regularly. Employees should be trained on current phishing
trends to increase the probability that they can identify and properly respond to
phishing attacks.
5. Deploy an Automated Anti-Phishing Solution
Despite an organization’s best efforts, employee cybersecurity education will not
provide perfect protection against phishing attacks. These attacks are growing
increasingly sophisticated and can even trick cybersecurity experts in some cases.
While phishing education can help to reduce the number of successful phishing
attacks against the organization, some emails are likely to sneak through.
Minimizing the risk of phishing attacks to the organization requires AI-based
anti-phishing software capable of identifying and blocking phishing content across all
of the organization’s communication services (email, productivity applications, etc.)
and platforms (employee workstations, mobile devices, etc.). This comprehensive
coverage is necessary since phishing content can come over any medium, and
employees may be more vulnerable to attacks when using mobile devices.
To learn more about protecting against phishing attacks and schedule a private
demo to see for yourself how Check Point’s email security solutions can help you
to identify and block phishing attacks against your organization.
C H A P T E R 8
https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-phishing/ https://www.checkpoint.com/harmony/anti-phishing/ https://pages.checkpoint.com/harmony-email-and-office-demo.html https://pages.checkpoint.com/harmony-email-and-office-demo.html https://www.checkpoint.com/harmony/email-security/email-office/
93CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 93
HOW TO PRE VENT ZERO DAY AT TACKS
Threat Prevention across your organization
• Threat intelligence provides the information required to effectively detect zero
day attacks. Protecting against them requires solutions that can translate this
intelligence into actions that prevent the attack from succeeding.
Check Point has developed over sixty threat prevention engines that leverage
ThreatCloud’s threat intelligence for zero day prevention. Some key threat
prevention capabilities include:
• CPU Level Inspection: Cyberattackers commonly use return oriented
programming (ROP) to bypass defenses built into CPUs. CPU level inspection
identifies attempts to overcome executable space protection and code signing,
blocking the attack before malicious code can be downloaded and executed.
• Threat Emulation and Extraction: Analysis of suspicious content within a
sandboxed environment can help to detect malware before it is delivered to a
target system. This enables the malware to be blocked or malicious content to
be excised from a document before delivery.
• Malware DNA Analysis: Malware authors commonly build on, borrow from,
and tweak their existing code to develop new attack campaigns. This means
that novel exploits often include behavior and code from previous campaigns,
which can be used to detect the newest variation of the attack.
• Anti-Bot and Anti-Exploit: Modern cyberattacks often rely heavily upon
compromised machines being used as part of a botnet. After identifying a
compromised machine, an organization can isolate it and block bot-related
traffic to stop the spread of the malware.
• Campaign Hunting: Malware is reliant upon the attacker’s backend
infrastructure for command and control. Using threat emulation and
extraction, Check Point can identify new command and control domains
used by malware and leverage this information to detect other instances
of the attack campaign.
C H A P T E R 8
https://www.checkpoint.com/infinity/zero-day-protection/ https://www.checkpoint.com/infinity/zero-day-protection/ https://www.checkpoint.com/infinity/zero-day-protection/
94CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 94
• ID Guard: Account takeover attacks have become increasingly common with
the growing use of Software as a Service (SaaS) applications. Behavioral
analysis and anomaly detection can identify and block attempted attacks
even if the attacker has the correct credentials.
Security Consolidation works
Many organizations are reliant upon a wide array of standalone and disconnected
security solutions. While these solutions may be effective at protecting against
a particular threat, they decrease the effectiveness of an organization’s security
team by overwhelming them with data and forcing them to configure, monitor,
and manage many different solutions. As a result, overworked security personnel
overlook critical alerts.
A unified security platform is essential to preventing zero-day attacks. A single
solution with visibility and control across an organization’s entire IT ecosystem has
the context and insight required to identify a distributed cyberattack. Additionally, the
ability to perform coordinated, automated responses across an organization’s entire
infrastructure is essential to preventing fast-paced zero-day attack campaigns.
Threat Intelligence must be kept up to date
Modern cyberattacks are widespread and automated. A zero-day attack will target
many different organizations, taking advantage of the narrow window between
vulnerability discovery and patch release.
Protecting against this type of large-scale attack requires access to high-quality
threat intelligence. As one organization experiences an attack, the data that it
collects can be invaluable for other organizations attempting to detect and block
the attack. However, the speed and volume of modern attack campaigns makes
manual threat intelligence sharing too slow to be effective.
Check Point’s ThreatCloud is the world’s largest cyber threat intelligence database.
ThreatCloud leverages artificial intelligence (AI) to distill the data provided to it into
valuable insights regarding potential attacks and unknown vulnerabilities. Analysis
of over 86 billion daily transactions from more than 100,000 Check Point customers
provides the visibility required to identify zero-day attack campaigns.
C H A P T E R 8
https://www.checkpoint.com/quantum/unified-cyber-security-platform/ https://www.checkpoint.com/cyber-hub/cyber-security/what-is-threat-intelligence/
95CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 9595CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 95CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
DATA BRE ACHES CAN BE PRE VENTED
1
2
3
4
5
6
7
8
EDUCATE AND TRAIN First and foremost, educating and training your work force to take security precautions in order to prevent a breach from occurring.
SECURE PASSWORDS Creating a secure password and frequently changing it to prevent access.
REDUCE DATA ACCESS Reducing the ability to transfer data from one device to another decreases the risk of data getting into the wrong hands. SCREEN THIRD
PARTY VENDORS Screening third party vendors to make sure that they have proper security protocols enabled to prevent hackers accessing via their network.
ENCRYPT PCS AND DEVICES Regulating employee computers and devices in which they have access to company data can be significantly reduced by using only encrypted PCs and devices.
CREATE AND INTERNAL CLOUD One way to prevent open access to sensitive data from being accessed is by creating and internal cloud where only those who need access to it, can access it.
UPDATE PASSWORDS Implementing password updates and two-step authentication also mitigates this issue. Additional security measures such as limiting website access from work devices, frequent password changes, updating security software, and monitoring access to data can significantly reduce the risk of a data breach.
UPDATE SOFTWARE Frequent security software updates can prevent room for gaps in your security. Updating in crucial.
C H A P T E R 8
96CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 96
PREVENT COSTLY MISTAKES
Mitigate secret leaks caused by bad credentials
hygiene and human error that can have
devastating results.
INTEGRATE WITH YOUR CLOUD INFRASTRUCTURE
CloudGuard Spectral integrates with all leading
CI systems with built-in support for Jenkins,
Azure and others.
DETECT AS EARLY AS A PRE-COMMIT
When working with Git, employ our pre-commit,
Husky and custom hooks to automate early
issue detection.
INSTALL YOUR BUILD SYSTEMS PLUGIN
Scan during your static builds with native
plugins for JAMStack, Webpack, Gatsby,
Netlify and more.
CloudGuard Spectral’s automated tools
integrate with developers’ tools to detect
code vulnerabilities and to identify secrets
and misconfigurations in the code before
deployment, preventing unauthorized use
to nefarious ends.
With CloudGuard Spectral, organizations
can prevent exposing API keys, tokens
and credentials, as well remediating
security misconfigurations.
Supply chain attacks are designed to exploit
trust relationships between an organization
and external parties. These relationships could
include partnerships, vendor relationships,
or the use of third-party software. Cyber
threat actors will compromise one organization
and then move up the supply chain, taking
advantage of these trusted relationships to gain
access to other organizations’ environments.
Such attacks became more frequent and
grew in impact in recent years, therefore it
is essential developers make sure they are
keeping their actions safe, double checking
every software ingredient in use and especially
such that are being downloaded from different
repositories, especially ones which were
not self-created.
Best Security From Code To Cloud,
Check Point CloudGuard offers unified
cloud native security across your applications,
workloads, and network-giving you the
confidence to automate security, prevent
threats, and manage posture-at cloud
speed and scale. CloudGuard Spectral is a
developer-centric code security platform that
seamlessly monitors, classifies, and protects
codes, assets, and infrastructure; simply.
In order to scale this process, automation is
a necessity.
C H A P T E R 8
https://research.checkpoint.com/2022/check-point-cloudguard-spectral-exposes-new-obfuscation-techniques-for-malicious-packages-on-pypi/ https://www.checkpoint.com/cloudguard/developer-security/
97CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
C H A P T E R 9
MALWARE FAMILY DESCRIPTIONS
98CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
AcidRain AcidRain is a destructive malware reported on 24 February 2022 targeting Viasat modems. Coinciding with the Russian ground invasion of Ukraine, AcidRain attack on satellite communication systems caused widespread disruption to communication systems providing services to Ukraine.
AgentTesla AgentTesla is an advanced RAT which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim's keyboard input and system clipboard, and can record screenshots and exfiltrate credentials for a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.
AlienBot AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credentials theft, as well as SMS harvesting for 2FA bypass. Additional remote control capabilities are provided using a TeamViewer module.
Anubis Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
AZORult AZORult is a Trojan that gathers and exfiltrates data from the infected system. Once the malware is installed on a system, it can send saved passwords, local files, crypto-wallet data, and computer profile information to a remote C&C server. The Gazorp builder, available on the Dark Web, allows anyone to host an Azorult C&C server with moderately low effort.
Azov Azov is a data wiper first reported in November 2022 and mostly being spread via SmokeLoader malware. The ransom note left on victim systems blames security researchers and political entities for the fighting in Ukraine.
C H A P T E R 9
99CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Bazar Discovered in 2020, Bazar Loader and Bazar Backdoor are used in the initial stages of infection by the WizardSpider cybercrime gang. The loader is responsible for fetching the next stages, and the backdoor is meant for persistence. The infections are usually followed by a full-scale ransomware deployment, using Conti or Ryuk.
BlackMatter BlackMatter is a ransomware operated in a RaaS model. The malware has been active since 2021 with victims including multiple US critical infrastructure entities. BlackMatter is possibly a rebranding of the DarkSide ransomware.
Bumblebee BumbleBee is a new loader that is active since the beginning of 2022 and is used to deliver other payloads. Bumblebee payloads vary greatly based on the type of victim. Infected standalone computers will likely be hit with banking trojans or infostealers, whereas organizational networks can expect to be hit with more advanced post-exploitation tools such as CobaltStrike.
Conti Conti ransomware emerged in 2020 and has been used since in multiple attacks against organizations worldwide. Conti ransomware is delivered as the final stage after a successful intrusion into the victims' network. Initial intrusion might be performed using spearphishing campaigns, stolen or weak credentials for RDP, or phone-based social engineering campaigns.
CryWiper CryWiper is a data-wiping malware disguised as ransomware used in 2022 to attack Russian public sector entities. Despite payment demands displayed in a ransom note, files encrypted by CryWiper cannot be restored.
Cl0p Cl0p is a ransomware that was first discovered in early 2019 and mostly targets large firms and corporations. During 2020, Cl0p operators began exercising a double-extortion strategy, where in addition to encrypting the victim's data, the attackers also threaten to publish stolen information unless ransom demands are met. In 2021 Cl0p ransomware was used in numerous attacks where the initial access was gained by utilizing zero-day vulnerabilities in the Accellion File Transfer Appliance.
C H A P T E R 9
100CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Dracarys Dracarys is an Android infostealer discovered in 2022, used by the Bitter APT group to steal contacts, messages, call logs, screenshots, and more.
Dridex Dridex is a Banking Trojan turned botnet, that targets the Windows platform. It is delivered by spam campaigns and Exploit Kits, and relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system, and can also download and execute additional modules for remote control.
Dustman / ZeroCleare Dustman is a wiper, first detected in December 2019, targeting Middle Eastern entities. Dustman is a variant of the ZeroCleare wiper and has code similarities with Shamoon malware.
Emotet Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used to employ as a banking Trojan, and now is used as a distributer for other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, Emotet can also be spread through phishing spam emails containing malicious attachments or links.
FormBook FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
Glupteba Known since 2011, Glupteba is a Windows backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
GuLoader GuLoader is a downloader first reported in 2019. Since then it was used to distribute various malware including Lokibot, NanoCore, Formbook, Azorult, Remcos and more.
C H A P T E R 9
101CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
HermeticRansom In early 2022, HermeticRansom malware was utilized to distract victims while HermeticWiper attacks were launched against organizations in Ukraine. These attacks rendered devices inoperable and as such were destructive in nature and not financially motivated.
HermeticWiper HermeticWiper is a destructive malware first reported in January 2022 and used to target organizations in Ukraine. The malware is one of a series of wiping malware targeting Ukrainian organizations during the Russian-Ukrainian war and has similarities to WhisperGate
Hiddad Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it also can gain access to key security details built into the OS.
Hive Hive ransomware emerged in June 2021 and uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network. Hive involves both encryption and data exfiltration and operate a “leak site” over Tor.
Hydra Hydra in an Android banking Trojan discovered in 2019 distributed through infected applications on Google Play Store.
IcedID IcedID is a banking Trojan which first emerged in September 2017. It spreads by mail spam campaigns and often uses other malwares like Emotet to help it proliferate. IcedID uses evasive techniques like process injection and steganography, and steals user financial data via both redirection attacks (installs a local proxy to redirect users to fake-cloned sites) and web injection attacks.
Joker Joker, an Android mobile malware known since 2017, is a stealer capable of accessing SMS messages, contact lists and device information. Joker generates income mostly through unauthorized subscriptions to paid premium services.
C H A P T E R 9
102CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Kinsing Discovered in 2020, Kinsing is a Golang cryptominer with a rootkit component. Originally designed to exploit Linux systems, Kinsing was installed on compromised servers by abusing vulnerabilities on internet facing services. Later in 2021 a Windows variant of the malware was developed as well, allowing the attackers to increase their attack surface.
LemonDuck LemonDuck is a cryptominer first discovered in 2018, which targets Windows systems. It has advanced propagation modules, including sending malspam, RDP brute-forcing and mass-exploitation via known vulnerabilities such as BlueKeep. Over time it was observed to harvest emails and credentials, as well as to deliver other malware families, like Ramnit.
LockBit LockBit is a ransomware, operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries, abstaining from Russian or other Commonwealth of Independent States victims.
Lokibot LokiBot is commodity infostealer for Windows. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY, and more. LokiBot has been sold on hacking forums and believed to have had its source code leaked, thus allowing for a range of variants to appear. It was first identified in February 2016.
Mylobot Mylobot is a sophisticated botnet that first emerged in June 2018 and is equipped with complex evasion techniques including anti-VM, anti-sandbox, and anti-debugging techniques. The botnet allows an attacker to take complete control of the user's system, downloading any additional payload from its C&C.
Nanocore NanoCore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.
C H A P T E R 9
103CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
njRAT njRAT, aka Bladabindi, is a RAT developed by the M38dHhM hacking group. First reported in 2012 it has been used primarily against targets in the Middle East.
Pegasus Pegasus is a highly sophisticated spyware which targets Android and iOS mobile devices, developed by the Israeli NSO group. The malware is offered for sale, mostly to government-related organizations and corporates. Pegasus can leverage vulnerabilities which allow it to silently jailbreak the device and install the malware.
Phobos Phobos is a ransomware first detected in December 2018. It targets windows operating systems and its attack vector often includes exploiting open or poorly secured RDP ports. Phobos bears great resemblance to the Dharma ransomware, both in its ransom note and with much of its code and is thought to have been developed and used by the same group.
Phorpiex Phorpiex is a botnet that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
Ponystealer PonyStealer is an infostealer used for stealing passwords from a large number of applications including VPNs, FTP clients, email programs, instant messaging tools, and web browsers.
Qbot Qbot AKA Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
Quantum Quantum is a rasnomware operated in a RaaS model. The malware has been discovered in 2021 with victims including multiple healthcare entities. Investigators link Quantoum to ex-Conti actors.
C H A P T E R 9
104CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Raccoon Raccoon infostealer was first observed in April 2019. This infostealer targets Windows systems and is sold as a MaaS (Malware-as-a-Service) in underground forums. It is a simple infostealer capable of collecting browser cookies, history, login credentials, crypto currency wallets and credit card information.
Ramnit Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
RansomEXX RansomEXX is a ransomware operated in a RaaS model with both Windows and Linux variants. The malware has been active since 2020 targeting mostly large corporations.
Raspberry Robin Raspberry Robin is a multipurpose malware initially distributed through infected USB devices with worm capabilities.
RedLine Stealer RedLine Stealer is a trending Infostealer and was first observed in March 2020. Sold as a MaaS (Malware-as-a-Service), and often distributed via malicious email attachments, it has all the capabilities of modern infostealer - web browser information collection (credit card details, session cookies and autocomplete data), harvesting of cryptocurrency wallets, ability to download additional payloads, and more.
Remcos Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
C H A P T E R 9
105CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
REvil REvil (aka Sodinokibi) is a Ransomware-as-a-service which operates an “affiliates” program and was first spotted in the wild in 2019. REvil encrypts data in the user’s directory and deletes shadow copy backups to make data recovery more difficult. In addition, REvil affiliates use various tactics to spread it, including through spam and server exploits, as well as hacking into managed service providers (MSP) backends, and through malvertising campaigns that redirect to the RIG Exploit Kit.
Sharkbot Sharkbot steals credentials and banking information on Android mobile devices. Sharkbot lures victims to enter their credentials in windows that mimic benign credential input forms. When the user enters credentials in these windows, the compromised data is sent to a malicious server. The malware implements geofencing feature excluding users from China, India, Romania, Russia, Ukraine or Belarus. Sharkbot has several anti-sandbox evasion techniques.
Snake Keylogger Snake Keylogger is a modular .NET keylogger/infostealer. Surfaced around late 2020, it grew fast in popularity among cyber criminals.Snake is capable of recording keystrokes, taking screenshots, harvesting credentials and clipboard content. It supports exfiltration of the stolen data by both HTTP and SMTP protocols.
Somnia Somnia is a type of ransomware that was deployed by the FRwL (From Russia with Love) group against Ukrainian entities in November 2022. Victims of Somnia were not asked to pay for decryption. The goal of the attackers was to disrupt systems, rather than to achieve financial gain.
Stuxnet Stuxnet is a malicious computer worm discovered in 2010 that targeted and disrupted the Iranian nuclear program. It caused physical damage to equipment by manipulating industrial control systems and was the first publicly known example of nation-state cyberattacks.
Triada Triada which was first spotted in 2016, is a modular backdoor for Android which grants admin privileges to download another malware. Its latest version is distributed via adware development kits in WhatsApp for Android.
C H A P T E R 9
106CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
Trickbot Trickbot is a modular banking Trojan, attributed to the WizardSpider cybercrime gang. Mostly delivered via spam campaigns or other malware families such as Emotet and BazarLoader. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules, including a VNC module for remote control and an SMB module for spreading within a compromised network. Once a machine is infected, the threat actors behind this malware, utilize this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organization itself, prior to delivering a company-wide targeted ransomware attack.
Vidar Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and used as a malware dropper to download GandCrab ransomware as its secondary payload.
WannaMine WannaMine is a sophisticated Monero crypto-mining worm that spreads the EternalBlue exploit. WannaMine implements a spreading mechanism and persistence techniques by leveraging the Windows Management Instrumentation (WMI) permanent event subscriptions.
Whispergate WhisperGate is a destructive malware first reported in January 2022 and used to target organizations in Ukraine. The malware is one of a series of wiping malware targeting Ukrainian organizations during the Russian-Ukrainian war. WhisperGate damages the system's MBR while displaying a false ransom message.
XMRig XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
ZeroCleare ZeroCleare is a destructive wiper malware that was first identified in December 2020. It has been used in targeted attacks against organizations in the Middle East, and is notable for its ability to evade detection and wipe both hard drives and backup systems. ZeroCleare is believed to be the work of a state-sponsored hacking group.
C H A P T E R 9
107CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
C H A P T E R 1 0
CONCLUSION
108CHECK POINT SOF T WARE | SECURIT Y REPORT 2023 108CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 108CHECK POINT SOF T WARE | SECURIT Y REPORT 2023
As we navigate our way through a new year, it is important to re-evaluate
the cybersecurity processes you have in place to ensure they stand up
against the emerging threats outlined by our experts in this report.
There will undoubtedly be an increase in ideological motivated attacks
in response to geopolitical conflicts as seen between Russian and
Ukraine. Known threats such as ransomware will continue to evolve,
and new vulnerabilities will be exploited, especially given the huge leaps
made in generative AI, making it easier for malicious actors to craft
attacks, leading to newer strains of cyberattack modes and breaches.
Governments worldwide will tighten up regulations around cybercrime
to protect their citizens, and organizations will have to consolidate
and automate their IT and security infrastructure to plug the cyber skills
gap, which is set to grow even wider this year.
While we are seeing a rise in cyberattacks overall, given the growth
of 5th Generation cyberattacks in the last year, the maturing of cyber
defense solutions today means that organisations and the wider society
can adopt prevention-first solutions to block threats from ever reaching
us. Businesses and governments are addressing today’s sophisticated
threats and increasing investment in their security strategies, which
bodes well as the world faces even greater challenges, with the
upcoming recession and expected evolution of new malicious software
and nefarious practices. Only time will tell how this upward of attacks
will continue in 2023.
C H A P T E R 1 0
CONTACT US WORLDWIDE HEADQUARTERS
5 Ha’Solelim Street, Tel Aviv 67897, Israel Tel: 972-3-753-4555 | Fax: 972-3-624-1100
Email: info@checkpoint.com
U.S. HEADQUARTERS 959 Skyway Road, Suite 300, San Carlos, CA 94070
Tel: 800-429-4391 | 650-628-2000 | Fax: 650-654-4233
UNDER ATTACK? Contact our Incident Response Team:
emergency-response@checkpoint.com
CHECK POINT RESEARCH PODCAST Tune in to cp<radio> to get CPR’s latest research,
plus behind the scenes and other exclusive content. Visit us at https://research.checkpoint.com/category/cpradio/
W W W . C H E C K P O I N T . C O M
© 1994-2023 Check Point Software Technologies Ltd. All Rights Reserved.
https://research.checkpoint.com/category/cpradio/ http://WWW.CHECKPOINT.COM