iTnews Asia
Partner Content

62 zero-day attacks up to August this year, says Mandiant

Exceeds the full-year number for 2022.

By a Guest Writer on Oct 17, 2023 11:41AM

In an indication of the upward trajectory of cyberattacks in 2023, research by cybersecurity company Mandiant has identified 62 well-defined zero-day attacks across the globe up to August this year.

This figure already exceeds the number of zero-day attacks Mandiant observed in the whole of 2022, according to Yihao Lim, Mandiant Lead Threat Intelligence Advisor, JAPAC, at Google Cloud.

Mandiant is a part of Google Cloud and is participating in this year’s GovWare Conference and Exhibition, Asia's premier cybersecurity event, which opened on Tuesday.

This year marks GovWare's eighth year as the industry base event of Singapore International Cyber Week (SICW), which attracts participation from over 50 countries and brings thousands of cybersecurity experts, policymakers, thought leaders, and industry professionals from around the world to discuss and address the most pressing cybersecurity challenges and innovations.

Among the major zero-day exploits Mandiant observed this year, Lim singled out CVE-2023-2868, which affected Barracuda Email Security Gateway (ESG) appliances and was leveraged by the China-nexus threat actor UNC4841 to compromise the email security gateways of hundreds of organisations globally.

Recalling the sequence of events, he said that on May 23, 2023, Barracuda announced that CVE-2023-2868, a zero-day vulnerability in the Barracuda Email Security Gateway (ESG), had been exploited in the wild as early as October 2022, and engaged Mandiant to assist in the investigation.

“Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilise as a vector for espionage, spanning a multitude of regions and sectors,” Lim said. 

He noted that starting as early as October 10, 2022, UNC4841 sent emails to victim organisations that contained malicious file attachments designed to exploit CVE-2023-2868 to gain initial access to vulnerable Barracuda ESG appliances.

“For their campaign, UNC4841 has primarily relied upon three principal code families to establish and maintain a presence on an ESG appliance, following the successful exploitation of CVE-2023-2868,” he said. 

“These code families - SALTWATER, SEASPY, and SEASIDE - were identified in the majority of UNC4841 intrusions. All three code families attempt to masquerade as legitimate Barracuda ESG modules or services, a trend that UNC4841 has continued with the newly identified malware families detailed for the first time in this blog post”, he said.

Elaborating further on the Barracuda attack, Lim noted that a review of the data uncovered 26 distinct impacted sector clusters, including government, defence, telecommunications, healthcare, banking and semiconductor manufacturing, among others.

Lim said UNC4841 is suspected to be a China-backed espionage threat actor that exploited the zero-day vulnerability CVE-2023-2868 in Barracuda Email Security Gateway products as early as October 2022 and as recently as May 2023.

“UNC4841 leveraged this zero-day to target a range of public and private sector entities primarily in the United States, extending to Europe, Asia, and Africa,” he said.

He added: “With the increasing pace of Zero Day usage, especially by Chinese threat actors, a deep insight into Chinese victimology has emerged.”

Apart from the Barracuda incident, Lim said Mandiant has observed a wide variety of cyberattacks in the 2022 – 2023 period.

Lines getting blurred

“During this period we have seen just how blurry the lines between the cyber realm and the real world have become. 

“Notably concerning the conflict in Ukraine, where attackers are attempting to not only cause disruption to the critical infrastructure but also to influence the narrative. We are seeing a similar convergence of the geopolitical and cyberspace with North Korea nexus threat actors targeting cryptocurrency for monetary gains to support the regime,” he said.

Beyond China, Lim pointed to the North Korea-linked APT43, which steals and launders enough cryptocurrency to buy its own operational infrastructure, in a manner aligned with North Korea’s juche state ideology of self-reliance, thereby reducing the fiscal strain on the central government.

He also noted that the Iran-nexus APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with victims, so as to access their personal or corporate email accounts or to install Android malware on their mobile devices.

“In addition, APT42 infrequently uses Windows malware to complement their credential harvesting and surveillance efforts,” he added.

Use of AI

Lim noted that since 2019, Mandiant has tracked threat actors' interest in, and use of, artificial intelligence (AI) capabilities to facilitate a variety of malicious activities. 

He added, however: “Based on our observations and open source accounts, adoption of AI in intrusion operations remains limited and primarily related to social engineering.”

“In contrast, information operations actors of diverse motivations and capabilities have increasingly leveraged AI-generated content, particularly imagery and video, in their campaigns, likely due at least in part to the readily apparent applications of such fabrications in disinformation. 

“Additionally, the release of multiple generative AI tools in the last year has led to a renewed interest in the impact of these capabilities,” he said.

“We anticipate that generative AI tools will accelerate threat actors' incorporation of AI into information operations and intrusion activity,” Lim said.

“Mandiant observes that such technologies have the potential to augment malicious operations in the future, enabling threat actors with limited resources and capabilities, similar to the advantages provided by exploit frameworks including Metasploit or Cobalt Strike. 

“As adversaries continue to adopt generative AI and experiment, we anticipate more prevalent use of AI tools over time while effective operational use remains limited,” he said.

He added that while the quantity and sophistication of cybersecurity incidents has increased in recent years, “we have not yet seen AI support campaigns that couldn’t have been accomplished without it”. 

“In fact, to date, Mandiant hasn't seen a single incident response where AI played a role. China, North Korea, Russia and Iran (commonly referred to as “the Big 4”) are all doing some type of disinformation work, and while this content isn’t successful now, we should expect to see a lot more of it,” he said. 

AI an advantage for defenders

Lim, however, added that AI is providing a tremendous advantage for cybersecurity defenders, “enabling them to improve capabilities, reduce toil and better protect against threats”. 

“AI provides a tremendous opportunity for defenders and cyber analysts to get better at what they’re already doing. Mandiant is already using AI in a number of ways to save time as defenders. 

“Examples include analysing PowerShell script alerts, writing YARA rules, writing reports more efficiently, looking at adversary smart contracts, and analysing malware,” he said. 

Lim noted that given the interconnectedness of the Internet, “we’re only as safe as the weakest link, so we must work together to protect the whole digital ecosystem”. 

“To do this, we’re doubling down on collaboration in defence of shared values through research, information sharing, and partnerships to ensure we are collectively as strong as possible,” he said. 

“That’s why Google established the Secure AI Framework (SAIF) that helps ensure responsible actors can continue innovating on AI advancements while raising the security bar and reducing overall risk. 

“The fact is that AI has immense potential, but for AI advancements to succeed long-term, the industry needs clear security standards for building and deploying this technology in a responsible manner. SAIF is just one example of how Google is driving industry consensus at this pivotal time for the future of AI,” Lim said.

© iTnews Asia