This blog looks at cyberattack techniques that we observed being implemented in 2023, including news-worthy instances of insider threat and social engineering services for sale on the dark web.
cyberattack techniques in 2023
A lot can happen in a year in cybersecurity, and 2023 was no exception. This series of blogs is a retrospective of some of the top trends, changes and continuities observed by Searchlight Cyber’s Threat Intelligence team, covering areas such as cybercriminal forums and marketplaces, threat actor motivations, malware, ransomware, initial access brokers, vulnerabilities, and social engineering techniques. The platforms, tools, actors, and insights featured in this series are based on intelligence gathered from Searchlight’s extensive deep and dark web dataset.
You can find the previous blogs in the series here:
- Hacking Forums and Dark Web Marketplaces.
- Threat Actors and Motivations.
- Malware and Vulnerabilities.
In this blog we look at two cyberattack techniques that were prevalent in 2023: insider threat and social engineering. We examine news-worthy incidents from the year where employees deliberately undermined the security of their organization, and new social engineering techniques and tools that cybercriminals are employing to unwittingly trick internet users into compromising their cybersecurity.
insider threat cyberattacks
Insider threat is when an organization’s security is undermined by someone within the perimeter – either an employee, contractor, or third party that has privileged access. Cybercriminals use insiders to steal company data or to provide them with access to the network, which they can then use for malicious means.
We regularly observe evidence of insider threat on the dark web – both employees posting on forums to attract buyers in the cybercriminal community, and cybercriminals trying to recruit insiders. For example, in October 2023 the ransomware group Everest was observed trying to recruit malicious insiders to conduct its attacks. For more information on how you can spot and disrupt insider threat by monitoring the dark web, download our report: Combating Insider Threat with Dark Web Intelligence.
These are some of the most noteworthy examples of insider threat last year:
On August 18, 2023 the electric car manufacturing company Tesla disclosed a data breach that impacted a total of 75,535 employees, including their social security numbers, names, addresses, phone numbers, and/or email addresses. The company was alerted to the breach (which took place in May 2023) by a German newspaper called Handelsblatt, who proactively reached out to inform Tesla that it had received the confidential information. An internal investigation found that two IT employees had “misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet”. According to Tesla’s data privacy officer, “the outlet has stated that it does not intend to publish the personal information, and in any event, is legally prohibited from using it inappropriately.”
The Discord Leaks
In April 2023, a Member of the Massachusetts Air National Guard – Jack Teixeira – was arrested and subsequently indicted for leaking hundreds of important top-secret classified documents from the Pentagon with regards to the war in Ukraine. The documents contained insight into military casualties, US and other NATO nations’ covert special forces operations within the warzone, documentation surrounding how the war is affecting other countries, and information relating to how the US planned to stop various Russian war plans and spy activity. These documents were shared via Discord, an instant messenger and VoIP social platform used by individuals to congregate online with individuals with similar interests. The 21-year-old Teixeria has pleaded not-guilty to all counts.
When threat actors can’t exploit technical vulnerabilities to get into the network, they often look to their workforce. Unlike insider threats (which use the willing participation of the employee), social engineering attacks rely on a cybercriminal’s ability to deceive an individual with access to a network and manipulate them into providing access credentials, sensitive information, data or perform malicious actions on behalf of the actor without knowing or understanding the possible consequences. Although employees are high-value targets, social engineering is also used against the general public to extract valuable data such as credit card information.
Over the years, cybercriminals have honed the tools and tactics they use in social engineering-based cyberattacks. Types of social engineering attacks we observed in 2023 include:
Phishing comes in many shapes and sizes but one of the most common phishing methods involves the use of a phishing page – a website crafted to mimic a legitimate brand and trick users into providing their information.
We observe cybercriminals developing these pages and selling them on the dark web for other threat actors to operate. For example, the actor b1ack – a member of XSS and Exploit cybercrime forums – provided such a service for a good chunk of 2023. b1ack’s phishing pages could be used to capture credentials, personal information, and cookies, while also forwarding the stolen data to the legitimate website that was being mimicked without interrupting the victim’s journey, in order to avoid arousing the suspicion of the user. The actor also offered a web-based control panel to manage multiple phishing pages and receive the harvested logs. b1ack listed several templates on their sales thread, including various social media sites, bank pages, and cryptocurrency services. The actor sought US $2,500 for one page.
Other actors take the sophistication of their pages even further, offering “live panels”, a management platform where the victim’s journey could be viewed and controlled in real time, allowing the attacker to change or adapt the prompt live. Pages with such panels are especially useful when the attacker is looking to capture a two factor authentication (2FA) code. Some actors work on simplicity rather than sophistication and implement a system where captured information is forwarded to the actor’s Telegram or email instead of using web-based panels.
Instead of fake websites or emails, attackers sometimes leverage a human voice to contact victims and attempt to persuade them into performing an action. This method is usually targeted at a specific individual and may prove successful as humans sometimes trust a voice more than they trust written text. In 2023 we’ve seen this method put to use more often than usual, with cybercriminal giants such as the BlackCat ransomware gang successfully deploying ransomware after calling the HelpDesk of their victim and impersonating an employee to obtain access credentials.
For those looking for an automated version of vishing, one-time password (OTP) bots have gained popularity over the past few years, with some powerful tools appearing on the market in 2023. Some of these bots use automated voice generators and text-to-speech (TTS) to call victims and attempt to convince them to provide their OTP or 2FA code. These services generally allow attackers to create custom scripts tailored to the service that is being impersonated and the profile of their victim. Others use SMS, email, or malware to capture the codes from users. According to the group chats we monitor when cybercriminals share their insights, OTP bots are easy to use, cheap, and reasonably efficient. Most are offered via Telegram, but some actors have also developed a web-based application. However, the services that employ third-party calling solutions often get banned quickly.
The PlugValley OTP bot is just one example of such service, offered on the Cracked cybercrime forum, with licenses starting at US $30 using the crimeware-as-a-service business model. The seller also promises custom scripts, multi-language support, zero latency and many other features – essentially offering a full package of what’s needed to successfully compromise an account.