Keypoints
- Adversaries exploited 'as-a-service' enterprise software and shared cloud infrastructure, increasing the number of weaponized vulnerabilities and enabling large-scale breaches.
- The MOVEit vulnerability was exploited by the CL0P gang, demonstrating high profitability in targeting enterprise file transfer systems.
- Nation-state actors, including China, conducted targeted espionage against Taiwanese semiconductor companies.
- Threat actors abused legitimate internet services to distribute malware, expanding distribution channels and evasion options.
- Linux and macOS vulnerabilities were actively exploited, broadening the range of targeted operating systems beyond Windows.
- Compromise of business process organizations enabled SIM-swapping scams, which in turn facilitated account takeovers and fraud.
- The report forecasts these trends to continue into 2024, shaped by geopolitical and regulatory factors.
MITRE Techniques
- [T1190] Exploit Public-Facing Application - Used to exploit enterprise and cloud services: ["...MOVEit exploit by the ransomware gang CL0P..."]
- [T1195] Supply Chain Compromise - Leveraging vulnerabilities in shared/cloud service dependencies: ["...exploitation of 'as-a-service' enterprise software and shared cloud infrastructure..."]
- [T1105] Ingress Tool Transfer - Abuse of legitimate internet services to deliver malicious payloads and widen distribution channels: ["...abuse of legitimate internet services for malware distribution..."]
- [T1203] Exploitation for Client Execution - Targeting OS-specific flaws to execute code on Linux and macOS hosts: ["...exploitation of Linux and macOS vulnerabilities..."]
- [T1589] Gather Victim Identity Information - Collecting identity and organizational data to enable SIM swapping and related scams: ["...compromise of business process organizations for scams like SIM swapping..."]
- [T1041] Exfiltration Over C2 Channel - Data theft and espionage activities following access to enterprise systems: ["...steal data, conduct espionage, and disrupt geopolitics..."]
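The technique bullets above follow a fixed shape (`- [Txxxx] Name - rationale: ["evidence"]`), which makes them easy to turn into an ATT&CK Navigator layer for tracking coverage against this report. The script below is an added example, not code from Recorded Future or the original post: it embeds a constructed copy of the six bullets, parses them with a tolerant regex (sub-technique IDs such as T1059.003 and bullets with no evidence quote are handled), de-duplicates repeated IDs, and emits a Navigator layer JSON. The `versions` block (ATT&CK 14, layer format 4.5) is an assumption; set it to whatever your Navigator instance reports.

```python
"""Parse 'MITRE Techniques' bullets of the form used on this page into an
ATT&CK Navigator layer.  Added example; the sample bullets are a constructed
copy of the page's list so the script runs offline."""
import json
import re

# Constructed sample input: the six technique bullets as listed above.
SAMPLE_BULLETS = """\
- [T1190] Exploit Public-Facing Application - Used to exploit enterprise and cloud services: ["...MOVEit exploit by the ransomware gang CL0P..."]
- [T1195] Supply Chain Compromise - Leveraging vulnerabilities in shared/cloud service dependencies: ["...exploitation of 'as-a-service' enterprise software..."]
- [T1105] Ingress Tool Transfer - Abuse of legitimate internet services to deliver malicious payloads: ["...abuse of legitimate internet services for malware distribution..."]
- [T1203] Exploitation for Client Execution - Targeting OS-specific flaws on Linux and macOS hosts: ["...exploitation of Linux and macOS vulnerabilities..."]
- [T1589] Gather Victim Identity Information - Collecting identity data to enable SIM swapping: ["...compromise of business process organizations for scams like SIM swapping..."]
- [T1041] Exfiltration Over C2 Channel - Data theft and espionage following access: ["...steal data, conduct espionage, and disrupt geopolitics..."]
"""

# One bullet: "- [T1234(.567)] Name - rationale[: ["evidence"]]".
# The name/rationale separator is a hyphen surrounded by whitespace, so
# hyphenated names such as "Public-Facing" are kept intact.
BULLET_RE = re.compile(
    r'^-\s*\[(?P<id>T\d{4}(?:\.\d{3})?)\]\s*'
    r'(?P<name>.+?)\s+-\s+'
    r'(?P<rationale>.*?)(?::\s*\[(?P<evidence>.*)\])?\s*$'
)


def parse_techniques(text):
    """Return one dict per bullet that matches BULLET_RE; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = BULLET_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "techniqueID": m["id"],
            "name": m["name"].strip(),
            "rationale": m["rationale"].strip(),
            # Evidence is optional; strip the surrounding quote marks if present.
            "evidence": (m["evidence"] or "").strip().strip('"'),
        })
    return entries


def build_navigator_layer(entries, layer_name):
    """Build an ATT&CK Navigator layer dict (enterprise-attack domain).

    Assumption: version numbers below are placeholders for the Navigator
    build you use; they do not come from the report.
    """
    seen = set()
    techniques = []
    for e in entries:
        if e["techniqueID"] in seen:      # one Navigator entry per technique ID
            continue
        seen.add(e["techniqueID"])
        techniques.append({
            "techniqueID": e["techniqueID"],
            "score": 1,
            "enabled": True,
            "comment": f'{e["rationale"]} | evidence: {e["evidence"]}',
        })
    return {
        "name": layer_name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques mapped from the report summary",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


def layer_technique_ids(layer):
    """Technique IDs in the layer, in the order they were mapped."""
    return [t["techniqueID"] for t in layer["techniques"]]


if __name__ == "__main__":
    layer = build_navigator_layer(parse_techniques(SAMPLE_BULLETS),
                                  "Recorded Future 2023 annual report (summary)")
    print(json.dumps(layer, indent=2))   # paste into Navigator: Open Existing Layer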
Indicators of Compromise
- [URL] Source report (reference only; the page lists no network or host indicators) - https://go.recordedfuture.com/hubfs/reports/ta-2024-0321.pdf (downloadable PDF report), https://www.recordedfuture.com/2023-annual-report (original post)
- [Domain] Publisher domains, not attacker infrastructure - recordedfuture.com, go.recordedfuture.com
- [File] Report filename - ta-2024-0321.pdf (report containing the full analysis)
Adversaries increasingly focused on enterprise-facing software and cloud-hosted services in 2023, weaponizing vulnerabilities in 'as-a-service' platforms to gain initial access and pivot across environments. The highest-impact example was the exploitation of MOVEit by the CL0P gang, which used it to rapidly harvest sensitive files from enterprise systems and showed how effective it is to target widely deployed file-transfer solutions and the supply chains that depend on them.
Attackers also diversified distribution and access techniques by abusing legitimate internet services to host or deliver malware, which lowers the likelihood of detection (traffic to such services blends with normal activity) and complicates attribution. Concurrently, exploitation of Linux and macOS vulnerabilities expanded the target set beyond traditional Windows environments, enabling remote code execution and client-side compromise on non-Windows hosts.
Social engineering and business-process abuse, such as using compromised or coerced business services to perform SIM swapping, supported account takeovers and fraud that complemented technical intrusions. These combined methods (software exploitation, cloud and supply-chain leverage, abuse of legitimate services, OS-specific exploits, and identity-focused scams) drove data theft and espionage activity, and the report expects them to persist into 2024.
Read more: https://www.recordedfuture.com/2023-annual-report