Greetings and welcome to the December 2023 Threat Highlight Report!

In this report, we cover the changing threat landscape, cybersecurity news, and provide relevant advice to help you stay informed and protected. From hacktivist activity to ransomware trends and notable vulnerabilities, we've got you covered.

The December report covers:

  • Significant data breaches affecting US telecoms provider Xfinity, US mortgage lender MrCooper, and DonorView, a provider of a cloud-based charitable donation platform
  • Active exploitation of the zero-click Outlook vulnerability CVE-2023-23397 by a Russian APT (APT28), identified by the US and UK as Unit 26165 of the Russian GRU.
  • Analysis of exploit data focusing on changes over time in WithSecure and VirusTotal detection data, including fluctuations in the use of specific CVEs.
  • Ongoing events surrounding Israel and Palestine with associated hacktivist proxies active in the cyber arena for both sides.
  • Continuation of ransomware attacks, albeit in lower numbers than previous months, and signs of potential return of Qakbot after being taken down by Law Enforcement Agencies.
  • Exploration of interesting vulnerabilities, both old and new, with a different approach to analyzing the data on these vulnerabilities.

1. Significant Data Breaches

  • Xfinity: The US telecoms provider Xfinity experienced a significant data breach, with the Personally Identifiable Information (PII) of roughly 35 million people stolen. The breach was attributed to a Citrix NetScaler instance vulnerable to CitrixBleed (CVE-2023-4966) that was left unpatched for two weeks after the fix was available. CitrixBleed leaks session tokens from the appliance's memory, so attackers could hijack already-authenticated sessions without needing credentials or MFA.
  • MrCooper: The US mortgage lender MrCooper had the PII of 15 million individuals stolen. The data compromised included that of every current and former customer of the company or its sister brands, potentially even including individuals who have applied for a loan through MrCooper.
  • DonorView: A cloud-based charitable donation platform, DonorView, experienced a breach resulting in the exposure of PII, including payment information, as well as details of children, their medical conditions, and attending doctors. The data was exposed by an unsecured, Internet-facing database with no access controls.

2. Active Exploitation of Zero-Click Outlook/Exchange Exploit by Russian APT

Microsoft identified CVE-2023-23397, an elevation-of-privilege vulnerability in Outlook for Windows, as being actively exploited by the Russian state-sponsored actor tracked as APT28, Forest Blizzard, or Fancy Bear, identified by the US and UK as Unit 26165 of the Russian GRU. The flaw is zero-click: a crafted calendar item, task, or email whose reminder-sound property points at a UNC path makes Outlook authenticate to the attacker's server when it processes the reminder, leaking the user's Net-NTLMv2 hash for relay or offline cracking without any user interaction. This activity was still ongoing in December 2023, and Microsoft worked with Polish Cyber Command to identify and mitigate the techniques used by the attacker.
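The check a defender wants here is a sweep of mailbox items for a PidLidReminderFileParameter value that points off-host. Microsoft published its own PowerShell script for this; the block below is an added example written for this report, not Microsoft's or WithSecure's code. It assumes the items have already been exported as a flat dictionary of MAPI property names to values (a hypothetical shape; real exports expose the same named properties under LIDs 0x851F and 0x851C), and the item records it scans are constructed sample data, not real mailbox contents. It goes slightly beyond the plain `\\host\share` form by also recognising the `\\host@80\share` WebDAV and `\\?\UNC\host\share` spellings that Windows resolves the same way.

```python
"""Flag Outlook items whose reminder-sound property points at a remote host.

Added example for this report; not Microsoft's or WithSecure's code.
CVE-2023-23397 fires when Outlook reads PidLidReminderFileParameter (the
path to a custom reminder sound) from an item and the path is a UNC path:
Outlook then authenticates to that host over SMB or WebDAV and leaks the
user's Net-NTLMv2 hash. Any remote value in that property is therefore
worth a finding, whatever the rest of the item looks like.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Canonical names of the two named MAPI properties (PSETID_Appointment)
# that the exploit sets. The flat dict shape used below is an assumption
# about how the mailbox export was produced.
REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"
REMINDER_OVERRIDE = "PidLidReminderOverride"

# Matches \\host\share, \\host@80\share (WebDAV), \\host@SSL\share,
# \\?\UNC\host\share, and the forward-slash //host/share variant.
UNC_RE = re.compile(
    r"^(?:\\\\\?\\UNC\\|[\\/]{2})(?P<host>[^\\/@]+)(?:@(?P<port>\d+|SSL))?(?:[\\/]|$)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    item_id: str
    host: str          # host Outlook would authenticate to
    port: Optional[str]  # WebDAV port (or "SSL") if the @-form was used
    raw: str           # the property value as found


def extract_unc_host(path: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (host, port) if `path` is a remote UNC/WebDAV path, else None.

    Local paths such as C:\\Windows\\Media\\chimes.wav return None; those are
    the benign use of the property.
    """
    m = UNC_RE.match(path.strip())
    if not m:
        return None
    return m.group("host"), m.group("port")


def scan_items(items: List[dict]) -> List[Finding]:
    """Scan exported items and return one Finding per remote reminder path.

    PidLidReminderOverride is reported but deliberately not required: a
    remote path in the sound property is suspicious on its own, and an
    attacker controls both properties anyway.
    """
    findings = []
    for item in items:
        props = item.get("props", {})
        path = props.get(REMINDER_FILE_PARAMETER)
        if not isinstance(path, str) or not path:
            continue
        hit = extract_unc_host(path)
        if hit is None:
            continue
        host, port = hit
        findings.append(Finding(item["id"], host, port, path))
    return findings


# Constructed sample export (not real mailbox data). Hosts use RFC 5737 /
# reserved example names.
SAMPLE_ITEMS = [
    {"id": "task-1", "props": {REMINDER_OVERRIDE: True,
                               REMINDER_FILE_PARAMETER: r"\\203.0.113.10\share\sound.wav"}},
    {"id": "appt-2", "props": {REMINDER_OVERRIDE: True,
                               REMINDER_FILE_PARAMETER: r"\\relay.example@80\dav\s.wav"}},
    {"id": "appt-3", "props": {REMINDER_OVERRIDE: False,
                               REMINDER_FILE_PARAMETER: r"C:\Windows\Media\chimes.wav"}},
    {"id": "mail-4", "props": {}},
]

if __name__ == "__main__":
    for f in scan_items(SAMPLE_ITEMS):
        where = f"{f.host}:{f.port}" if f.port else f.host
        print(f"{f.item_id}: reminder sound fetched from {where} ({f.raw})")
```

Each finding's `host` is the value to block at the egress firewall and to hunt for in SMB and WebDAV logs; the item itself should be deleted or have the property cleared, which is what Microsoft's script does in its cleanup mode.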

3. Analysis of Exploit Data

The report analyzes exploit data, focusing on changes over time in WithSecure and VirusTotal detection data. It highlights fluctuations in the use of specific CVEs, including significant increases in detections for vulnerabilities in Microsoft Office, the Oracle Java JVM, and a specific set of drivers shipped with MalwareFox AntiMalware. The report also notes a spike in exploit attempts for CVE-2023-23397, possibly related to the APT28 activity described by Microsoft, or to other actors picking up the technique after Microsoft's reporting.

4. Ongoing Hacktivist Activity

The report covers ongoing events surrounding Israel and Palestine, with associated hacktivist proxies active in the cyber arena for both sides.

5. Ransomware Trends and Notable Reports

The report highlights a sharp decrease in ransomware activity compared with November 2023, with several law enforcement actions possibly contributing to the drop. However, tracked ransomware activity in December 2023 was still significantly higher than in December 2022, a 41.51% increase in victims year on year. The report also provides insights into specific ransomware brands and trends observed throughout 2023.


Be Ahead of the Game!

Stay informed about the latest cybersecurity threats and trends by subscribing to WithSecure's monthly threat highlights report!

Our comprehensive report provides an overview of last month's cybersecurity news, the changing threat landscape, and relevant advice.
