In a new report, Forescout Vedere Labs looks back at the most relevant cybersecurity events and data between January 1 and July 31, 2023 (2023H1) to show how the threat landscape is evolving. The activity and data Forescout saw during this period confirm trends it has been observing in its recent reports, including threats to unmanaged devices, which are studied less often. Overall, 2023H1 continued the trend of threat actors exploiting an increasingly diverse attack surface.
Notably, Forescout saw more evidence of the type of “cross-device” attacks it had previously demonstrated and then observed. Some threat actors now routinely mix traditional endpoints with unmanaged devices such as VPN appliances, routers, NAS and building automation devices in their attack campaigns. Below, Forescout distills the key findings of the report and provides mitigation recommendations.
Mirai botnet variants in 2023H1 have been exploiting a new vulnerability on an access control device that was already a known botnet target, as well as vulnerabilities in devices used to monitor solar power generation at small facilities. Additionally, Schneider Electric published an advisory about publicly available exploits targeting vulnerabilities from 2020 and 2022 in its KNX devices, linking back to a previous advisory. Later, CISA declared all devices using the KNX protocol to be vulnerable, while more than 12,000 of those devices are exposed online.
There were at least 25 CISA vulnerability advisories in the period related to devices used in building automation functions such as access control and power management. Looking at exploitation data, Forescout saw 13 vulnerabilities in building automation devices from nine vendors being exploited (as shown in Table 1), while none of them is yet listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Table 1 – Exploited vulnerabilities affecting building automation devices

Several Russian and especially Chinese state-sponsored actors have been focusing on exploiting vulnerabilities in routers and VPN devices and developing custom malware for them, while cybercriminals are leveraging routers and other compromised devices as residential proxies.
Increased activity targeting network infrastructure led CISA to issue specific guidance in June about reducing the risks from these devices. In a previous report, Forescout showed how network attached storage (NAS) had recently become the riskiest IoT device type on organizations’ networks, partly because of targeted ransomware campaigns that compromised thousands of devices and partly because of how often they are exposed online. In 2023H1, Forescout also saw new NAS vulnerabilities being exploited (such as CVE-2023-27992), NAS vulnerabilities ranking among the top exploited (such as CVE-2022-27593) and advanced malware such as Raspberry Robin, which targets traditional IT, being distributed via compromised NAS devices on the internet.
Although ransomware has probably been the most prominent threat for at least the last five years, groups continue to morph, appearing and disappearing quickly, and are sometimes used to disguise state-sponsored activity. In 2023H1, Forescout saw new families distributing ransomware packaged with infostealers, hacktivists using custom ransomware on OT devices and established families experimenting with new approaches. Some well-known ransomware gangs, such as LockBit, Cl0p and ALPHV, remain very active a year on, but other groups that were relevant last year, such as Conti and Hive, have disappeared due to internal conflicts, law enforcement takedowns or rebranding to stay under the radar.
Entirely new groups now also figure among the most active, such as Malas and 8Base. Overall, the ransomware landscape is more fragmented this year, with 53 groups reporting attacks, 36% more than the 39 groups in the same period last year.

Figure 1 – New exploited vulnerabilities per year of publication

Ransomware victims were located in more than 100 countries, but almost half (48%) are in the U.S., followed by several European countries (26% in total). The remaining roughly 25% are spread across the rest of the world.
The services industry was the top target, with 16% of attacks, followed by manufacturing (13%) and technology (11%). Other top targets include healthcare, retail, financial services and education.

Although new vulnerabilities are dangerous because there usually hasn’t been enough time to patch them, organizations tend to dismiss older vulnerabilities, believing that they present lower risk.
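To make that gap concrete, the following Python script is an added example (not Forescout’s code or data) that cross-checks a list of CVEs seen being exploited against a KEV-format catalog, flags the ones the catalog does not list, and attaches an approximate age so that older exploited bugs are not quietly written off. The embedded catalog is a constructed stand-in that uses the real KEV feed’s field names; its single entry and dates are illustrative, and the observed list is simply the two NAS CVEs named earlier in this article. For a real check, download the live feed from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and pass its contents to `load_kev()`.

```python
"""Cross-check CVEs seen being exploited against a KEV-format catalog.

Added example for this article, not Forescout's code or data. The embedded
catalog below is a constructed stand-in using the real KEV JSON field names;
its entry and dates are illustrative only.
"""
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV feed. Field names match the
# real feed; the values are placeholders for this demo.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2023-27992",
      "vendorProject": "Zyxel",
      "product": "NAS devices",
      "vulnerabilityName": "Zyxel NAS command injection",
      "dateAdded": "2023-06-23",
      "shortDescription": "Command injection in NAS firmware (placeholder text).",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-07-14",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed observation list: the two NAS CVEs named in the article.
OBSERVED_EXPLOITED = ["CVE-2023-27992", "CVE-2022-27593"]

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)


def load_kev(kev_json_text):
    """Parse a KEV-format JSON document into a dict keyed by upper-case CVE ID."""
    data = json.loads(kev_json_text)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def cve_year(cve_id):
    """Year field of a CVE ID.

    Caveat: this is the year the ID was reserved, which only approximates the
    publication year; a production tool should use publishedDate from NVD.
    """
    m = CVE_RE.match(cve_id.strip())
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1))


def triage(observed, kev, as_of_year, stale_after_years=5):
    """For each observed CVE, report KEV membership, the KEV ransomware flag
    and due date, its approximate age, and whether it is old enough that a
    patching team may have dismissed it."""
    report = {}
    for cve in observed:
        cve = cve.upper()
        entry = kev.get(cve)
        age = as_of_year - cve_year(cve)
        report[cve] = {
            "in_kev": entry is not None,
            "ransomware_use": entry.get("knownRansomwareCampaignUse") if entry else None,
            "kev_due_date": entry.get("dueDate") if entry else None,
            "approx_age_years": age,
            "stale": age >= stale_after_years,
        }
    return report


def kev_gaps(report):
    """CVEs exploited in your own data but absent from the catalog. Any patch
    prioritisation that relies on KEV alone will miss these."""
    return sorted(c for c, r in report.items() if not r["in_kev"])


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    result = triage(OBSERVED_EXPLOITED, catalog, as_of_year=date.today().year)
    for cve_id, row in result.items():
        print(f"{cve_id}: in_kev={row['in_kev']} age~{row['approx_age_years']}y "
              f"stale={row['stale']} due={row['kev_due_date']}")
    print("exploited but not in KEV:", kev_gaps(result))
```

The `stale` threshold is deliberately a parameter: the five-year mark used here mirrors the article’s observation, but the useful number is whatever age your own patch-prioritisation process starts to ignore. Replace `OBSERVED_EXPLOITED` with CVE IDs pulled from your own IDS, honeypot or EDR telemetry to see which of them KEV-driven prioritisation would miss.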
The KEV catalog includes evidence of older vulnerabilities being exploited not only in IT software but also in building automation devices. Some of the exploited vulnerabilities in Table 1 are more than five years old.

The trend to commoditize attack tools continues strongly. Malicious actors now have a wide choice of open-source tools, developed as legitimate applications, that they can use in campaigns, from phishing attacks to command-and-control infrastructure.

During 2023H1, Forescout saw:

Based on all the observations of this period, Forescout recommends the following concrete risk mitigation actions:

***ENDS***

Forescout Technologies, Inc., a global cybersecurity leader, continuously identifies, protects and helps ensure the compliance of all managed and unmanaged connected cyber assets – IT, IoT, IoMT and OT.
For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide vendor-agnostic, automated cybersecurity at scale. The Forescout® Platform delivers comprehensive capabilities for network security, risk and exposure management, and extended detection and response. With seamless context sharing and workflow orchestration via ecosystem partners, it enables customers to more effectively manage cyber risk and mitigate threats.
To learn more, visit.
From: uaenews247
URL: https://uaenews247.com/2023/09/13/forescout-releases-2023h1-threat-review/