Interactive Report Summary

Q1 2023 Cyber Threat Report

Activity across all three tracked sectors surged in Q1 2023, a clear indication that threat actors aren't slowing down. Learn more about the biggest threats we saw, plus get a look into the technology industry's threat landscape, in our latest report.

Top Findings at a Glance

MALWARE

Malware events increase by nearly 40%

JavaScript variants a favorite tactic

BOTNET

Botnet activity jumped almost 60%

New botnets like NetSupport RAT emerge

EXPLOIT

Exploits more than double

Brute forcing dominates again, followed by Apache Log4j


Industry Spotlight: Technology

Technology companies often have a broad reach, access to data and a large user base, making them a prime target for financially motivated threat actors and for those interested in stealing intellectual property.

We’ve heard a lot about supply chain attacks, and for good reason. Often, a vendor doesn’t adhere to the same level of cyber discipline as the company it serves, and this can be an easy attack vector for adversaries. A recent example is 3CX, which endured a double supply chain attack, meaning its compromise was initiated from another software supply chain compromise.  

Top technology threat actors include Lazarus Group, Kryptonite Panda, Comment Crew and UPS Team. 


Methodology


GATHER

Collects threat intelligence and data from global sources, client devices and reputable third parties.

PROCESS

Data is analyzed by a combination of machine learning, algorithm scoring and anomaly detection.

DETECT

Log data is ingested into Nuspire's cloud-based SIEM, which raises alerts to the security operations center (SOC). The SOC then notifies the client and works with them to remediate the threat.

EVALUATE

Analysts further scrutinize the research, scoring and tracking of existing and new threats.

DISSEMINATE

Analysts use these insights to continually improve the SOC, its alerting, and the wider community through the creation of detection rules, briefs, and presentations.

Q1 2023 in Review

January through March


January 10

Multiple Global Car Brands Discovered to Have API Vulnerabilities 

January 23

Researchers Warn Against Zoho ManageEngine “Spray and Pray” Attacks 

January 25

VMware Releases Patches for Critical Vulnerability in vRealize Log Analysis Tool 

February 1

134 Million RealTek Jungle SDK Exploitation Attempts Compromise IoT Devices

February 3

Atlassian Announced Critical Jira Service Management Vulnerability 

February 6

Microsoft OneNote Attachments Increasingly Used to Deliver InfoStealer RATs 

February 7

Ransomware Operators Target VMware ESXi Servers 

February 15 

February 2023 Patch Tuesday | Microsoft Fixes 3 Actively Exploited Zero-Days 

March 2

CISA Warns of Active Exploitation of ZK Java Framework Vulnerability 

March 7

Fortinet Releases Advisory on Critical FortiOS Vulnerability  

March 15

Microsoft’s Patch Tuesday Fixes Numerous Critical Vulnerabilities

March 17

CISA Launches Ransomware Vulnerability Warning Pilot 

March 21

Emotet and Other Malware Families Shifting Tactics to OneNote Files

March 29

Supply Chain Attack Affecting 3CX Softphone Desktop Application

Let's Dive Into the Data

The record-breaking level of attacks Nuspire identified in Q4 2022 continued into Q1 2023.

[Chart: malware events, Activity vs. Average]

Malware

Throughout Q1, JavaScript variants continued to gain steam, with activity almost doubling over the quarter. The increase in this type of attack can likely be attributed to Microsoft's default blocking of macros in Office files. We also saw heightened activity from MS Excel variants, along with a shift toward OneNote files as a container for embedded scripts now that macros are blocked by default in Word and Excel files.
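Because OneNote files carry attachments as FileDataStoreObject records rather than as macros, a defender can triage a section file by walking those records and labelling each payload. The scanner below is an added example written for this summary; it is not Nuspire's tooling and is not part of the report. It assumes the on-disk layout documented in the MS-ONESTORE specification (header GUID, 8-byte length, 12 reserved bytes, payload, footer GUID), and it runs over a constructed byte blob rather than a real OneNote file. The script markers and the `triage`/`scan_sample` helpers are this example's own choices.

```python
import re
import struct
import uuid

# FileDataStoreObject delimiters from the MS-ONESTORE spec, in the byte order
# they appear on disk (uuid.bytes_le yields that mixed-endian layout).
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
FDSO_HEADER_SIZE = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

# Heuristic markers for script-type payloads (JS/VBS/HTA/PowerShell stubs).
# This list is an assumption of the example, not a published signature set.
SCRIPT_MARKERS = re.compile(
    rb"(WScript|ActiveXObject|CreateObject|powershell|cmd\.exe|<script|<hta:)", re.I
)


def classify(data: bytes) -> str:
    """Coarse file-type label for one embedded payload."""
    head = data[:4096]
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(b"%PDF"):
        return "pdf"
    if SCRIPT_MARKERS.search(head):
        return "script"
    return "other"


def extract_embedded_files(blob: bytes) -> list:
    """Walk a OneNote section blob and return every FileDataStoreObject payload."""
    findings = []
    pos = 0
    while True:
        idx = blob.find(FDSO_HEADER, pos)
        if idx < 0 or idx + FDSO_HEADER_SIZE > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, idx + 16)
        start = idx + FDSO_HEADER_SIZE
        end = start + cb_length
        if end > len(blob):
            # Declared length runs past the end of the file: record it as malformed and stop.
            findings.append({"offset": idx, "size": cb_length, "type": "truncated",
                             "footer_ok": False, "data": b""})
            break
        data = blob[start:end]
        findings.append({
            "offset": idx,
            "size": cb_length,
            "type": classify(data),
            "footer_ok": blob[end:end + 16] == FDSO_FOOTER,
            "data": data,
        })
        pos = end
    return findings


def triage(blob: bytes) -> dict:
    """Summarise a blob: how many attachments, how many deserve analyst attention."""
    files = extract_embedded_files(blob)
    flagged = [f for f in files
               if f["type"] in ("script", "pe-executable", "truncated") or not f["footer_ok"]]
    return {"embedded": len(files), "flagged": len(flagged), "types": [f["type"] for f in files]}


def _fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject (used only to build the constructed sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


# Constructed sample: not a real OneNote file, just enough structure for the scanner.
SAMPLE_BLOB = (
    b"\x00" * 64
    + _fdso(b'WScript.Echo("constructed sample");\r\n')   # script-like attachment
    + b"\x11" * 40
    + _fdso(b"MZ" + b"\x90" * 200)                         # PE-like attachment
    + _fdso(b"meeting notes, nothing executable")          # benign attachment
    + b"\x00" * 16
)


def scan_sample() -> dict:
    return triage(SAMPLE_BLOB)


if __name__ == "__main__":
    for f in extract_embedded_files(SAMPLE_BLOB):
        print(f"offset={f['offset']} size={f['size']} type={f['type']} footer_ok={f['footer_ok']}")
    print(scan_sample())
```

On a real `.one` file the same loop applies to the file contents; a missing footer or a length that overruns the file is itself worth flagging, since well-formed attachments written by OneNote always close with the footer GUID.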


[Chart: botnet events, Activity vs. Average]

Botnets

Two new botnets topped Nuspire’s list this quarter: NetSupport RAT and FatalRAT. Before March 2023, Nuspire had not observed any activity from the NetSupport RAT botnet. NetSupport is a legitimate tool for remote access; however, threat actors have abused the tool to: 

  • Conduct real-time monitoring of devices 
  • Take control of the device  
  • Capture video and screenshots 
  • Exfiltrate information 
  • Install additional payloads  

FatalRAT is one of the primary payloads used by the Purple Fox threat actor group and is often retooled in an attempt to bypass security software. 

[Chart: exploit events, Activity vs. Average]

Exploits

Brute forcing again dominated as the top exploit. In a distant second place was Apache Log4j, followed by Hikvision product command injections, which doubled from Q4 2022.
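Brute forcing is the one finding here that a SOC can catch from plain authentication logs without any vendor signature. The detector below is an added example, not Nuspire's detection content: it applies a per-source sliding window over constructed sshd log lines (TEST-NET addresses, hostname `bastion`) and raises one alert when a source crosses the failure threshold and a second, higher-priority alert if that same source then authenticates successfully. The threshold, window and log format are the example's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the OpenSSH "Failed/Accepted password" lines in a syslog-style auth log.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log: one source hammers the host, one legitimate user mistypes once.
SAMPLE_LOG = """\
Mar 14 10:22:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 10:22:03 bastion sshd[4103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 14 10:22:05 bastion sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Mar 14 10:22:07 bastion sshd[4107]: Failed password for deploy from 203.0.113.7 port 51028 ssh2
Mar 14 10:22:09 bastion sshd[4109]: Failed password for deploy from 203.0.113.7 port 51030 ssh2
Mar 14 10:22:15 bastion sshd[4111]: Accepted password for deploy from 203.0.113.7 port 51032 ssh2
Mar 14 10:25:40 bastion sshd[4150]: Failed password for alice from 198.51.100.5 port 40210 ssh2
Mar 14 10:25:52 bastion sshd[4152]: Accepted password for alice from 198.51.100.5 port 40212 ssh2
Mar 14 10:40:00 bastion sshd[4201]: pam_unix(sshd:auth): authentication failure; logname= uid=0
"""


def parse(line: str, year: int = 2023):
    """Return (timestamp, outcome, user, ip) or None for lines we do not model."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed 2023 for the sample).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Sliding-window failure counter per source IP, emitting alerts in log order."""
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, user, ip = rec
        q = failures[ip]
        # Drop failures that have aged out of the window before evaluating.
        while q and ts - q[0] > window:
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "failures": len(q), "at": ts})
        elif len(q) >= threshold:
            # A success right after a burst of failures suggests a guessed credential.
            alerts.append({"type": "success-after-failures", "ip": ip, "user": user,
                           "failures": len(q), "at": ts})
    return alerts


def run_sample():
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The window is pruned before each decision, so a slow, spread-out guesser below five failures per minute produces nothing; tune the threshold and window per host class, and treat the `success-after-failures` alert as the one that warrants immediate session review and password rotation.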

Stay Vigilant

If Q1 2023 is any indication of how the rest of the year will go, security teams should be on high alert and double down on their security defenses. Download the full report to find out how you can prepare and tighten your security controls around the expected challenges highlighted by our security experts.