Interactive Report Summary

Q1 2023 Cyber Threat Report

Activity across all three tracked sectors surged in Q1 2023, a clear indication that threat actors aren’t slowing down. Learn more about the biggest threats we saw, plus get a look into the technology industry’s threat landscape in our latest report 
Download the Report

Top Findings at a Glance

MALWARE

Malware events increase by nearly 40%

JavaScript variants a favorite tactic

BOTNET

Botnet activity jumped almost 60%

New botnets like NetSupport RAT emerge

EXPLOIT

Exploits more than double

Brute forcing dominates again, followed by Apache Log4j

Supply chain

Industry Spotlight: Technology

Technology companies often have a broad reach, access to data and a large user base, making them a prime target for financially focused threat actors or those interested in stealing intellectual data. 

We’ve heard a lot about supply chain attacks, and for good reason. Often, a vendor doesn’t adhere to the same level of cyber discipline as the company it serves, and this can be an easy attack vector for adversaries. A recent example is 3CX, which endured a double supply chain attack, meaning its compromise was initiated from another software supply chain compromise.  

Top technology threat actors include Lazarus Group, Kryptonite Panda, Comment Crew and UPS Team. 

 

Methodology

How Nuspire produces its threat intelligence 

Hover over tiles to learn more

GATHER

Collects threat intelligence and data from global sources, client devices and reputable third parties.

PROCESS

Data is analyzed by a combination of machine learning, algorithm scoring and anomaly detection.

DETECT

Using Nuspire’s cloud-based SIEM, log data is ingested and alerts the security operations center (SOC). The SOC then notifies the client and works with them to remediate the threat.

EVALUATE

Analysts further scrutinize the research, scoring and tracking of existing and new threats.

DISSEMINATE

Analysts leverage the insights to constantly improve the SOC, alerting, and the community through the creation of detection rules, briefs, and presentations.

January through March

Q1 2023 in Review

January
1.10
Multiple Global Car Brands Discovered to Have API Vulnerabilities
1.23
Researchers Warn Against Zoho ManageEngine “Spray and Pray” Attacks
1.25
VMware Releases Patches for Critical Vulnerability in vRealize Log Analysis Tool
February
2.1
2134 Million RealTek Jungle SDK Exploitation Attempts Compromise IoT Devices
2.3
Atlassian Announced Critical Jira Service Management Vulnerability
2.6
Microsoft OneNote Attachments Increasingly Used to Deliver InfoStealer RATs
2.7
Ransomware Operators Target VMware ESXi Servers
2.15
February 2023 Patch Tuesday | Microsoft Fixes 3 Actively Exploited Zero-Days
March
3.2
CISA Warns of Active Exploitation of ZK Java Framework Vulnerability
3.7
Fortinet Releases Advisory on Critical FortiOS Vulnerability
3.15
Microsoft’s Patch Tuesday Fixes Numerous Critical Vulnerabilities
3.17
CISA Launches Ransomware Vulnerability Warning Pilot
3.21
Emotet and Other Malware Families Shifting Tactics to OneNote Files
3.29
Supply Chain Attack Affecting 3CX Softphone Desktop Application

Let's Dive Into the Data

The record-breaking level of attacks Nuspire identified in Q4 2022 continued into Q1 2023.

#
Activity
Average

Malware

Throughout Q1, JavaScript variants continued to gain steam, with activity almost doubling in Q1. An increase in activity with this type of attack can likely be attributed to Microsoft’s default blocking of macros in Office files. In addition, we saw heightened activity of MS Excel variants, with a focus on using OneNote files to embed scripts given Microsoft’s blocking of macros in Word and Excel files.

 

#
Activity
Average

Botnets

Two new botnets topped Nuspire’s list this quarter: NetSupport RAT and FatalRAT. Before March 2023, Nuspire had not observed any activity from the NetSupport RAT botnet. NetSupport is a legitimate tool for remote access; however, threat actors have abused the tool to: 

  • Conduct real-time monitoring of devices 
  • Take control of the device  
  • Capture video and screenshots 
  • Exfiltrate information 
  • Install additional payloads  

FatalRAT is one of the primary payloads used by the Purple Fox threat actor group and is often retooled in an attempt to bypass security software. 

#
Activity
Average

Exploits

Brute forcing again dominated as the top exploit. In a distant second place was Apache Log4j, followed by Hikvision product command injections, which doubled from Q4 2022.

Stay Vigilant

If Q1 2023 is any indication of how the rest of the year will go, security teams should be on high alert and double down on their security defenses. Download the full report to find out how you can prepare and tighten your security controls around the expected challenges highlighted by our security experts.
Download the Report