Friday, May 24, 2024

Top Data Breaches of 2023


Khushbu Raval
Khushbu is a Senior Correspondent and a content strategist with a special foray into DataTech and MarTech. She has been a keen researcher in the tech domain and is responsible for strategizing the social media scripts to optimize the collateral creation process.

Data breaches, ransomware, and extortion attacks have broadly impacted businesses in 2023.


While ransomware remained a significant threat to organizations, especially smaller and less-protected businesses, the emphasis on data theft and extortion-only campaigns by certain attackers marked a major development in the cyberthreat landscape in 2023. 

Two of the attack campaigns highlighted in the following list — the MOVEit and GoAnywhere attacks — did not involve encryption-based ransomware; instead, they featured extortion demands in exchange for withholding stolen data from public disclosure. The Russian-speaking group behind both attack campaigns, Clop, was the most prominent group favoring extortion-only attacks in 2023, but it was not the only one.

Meanwhile, many attackers continued to reduce their reliance on malware, opting instead for exploits of tools such as remote monitoring and management (RMM), which are less likely to be detected by endpoint security products. Identity-based attacks using compromised credentials continued to rise this year to evade endpoint detection and response (EDR).

Regarding phishing and social engineering, these tried-and-true tactics remained a significant threat, as highlighted by hackers’ use of social engineering as part of the crippling MGM breach.

We have compiled a sampling of the major cyberattacks and data breaches we monitored throughout the year. For the most part, we have chosen to highlight attack campaigns with multiple victims, given the broad industry impact of such attacks.

Ten major cyberattack campaigns and data breaches we tracked in 2023:

ESXi Ransomware Attacks

In February, the “ESXiArgs” ransomware campaign targeted customers running the VMware ESXi hypervisor. According to FBI and CISA estimates, approximately 3,800 servers worldwide were compromised.

This campaign focused on organizations in various countries, including the US, Canada, France, and Germany, as the cybersecurity vendor Censys reported. The attacks exploited a two-year-old vulnerability (tracked as CVE-2021-21974) affecting older versions of VMware ESXi, according to researchers.

The vulnerability specifically impacts the OpenSLP service in older ESXi versions, providing an avenue for remote code execution.

VMware stated that “the recent ESXiArgs ransomware attacks have underscored important truths about protecting virtual infrastructure.”

“The crucial truth is that virtual infrastructure represents a high-value target because organizations conduct their most critical workloads there. Threat actors continuously adapt their tools and tactics to operate in these environments,” VMware emphasized in its statement.

GoAnywhere Attacks

In February, Fortra informed customers that it had identified an actively exploited zero-day vulnerability in its GoAnywhere file transfer platform that allowed remote code execution on vulnerable systems. The most significant incident from the GoAnywhere campaign — the hacking of healthcare benefits and technology firm NationsBenefits — impacted 3 million members, as the Identity Theft Resource Center reported.

Hackers also exploited the GoAnywhere platform to pilfer data from other large organizations, including Procter & Gamble, the City of Toronto, Crown Resorts, and data security firm Rubrik.

In April, Fortra stated that certain customers with on-premises software deployments were “at an increased risk” from the attacks.

Among the discoveries during Fortra’s investigation into the attacks was that the GoAnywhere vulnerability “was used against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution,” as disclosed in a company blog post.

3CX Software Supply Chain Attack

The compromise in March involving 3CX, a widely used communications software maker, bore a resemblance to the SolarWinds supply chain attack of 2020 in several key ways.

3CX, whose communications software includes a VoIP phone system app targeted in the attack, has stated that its customer base exceeded 600,000 organizations, with sales exclusively through its network of 25,000 partners. Notable customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW, and Honda.

However, researchers have pointed out that the 3CX compromise was detected within weeks, rather than the months it took in the SolarWinds case. This swift response seems to have limited the breach’s impact on 3CX and its end customers.

The 3CX attack also differed from previous software supply chain compromises in another significant aspect: The 3CX campaign was facilitated by a preceding supply chain attack, as revealed by Mandiant. In the earlier compromise, attackers had manipulated a software package distributed by a financial software firm, Trading Technologies, according to Mandiant researchers. In a post, they noted, “This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack.”

The 3CX attack was attributed to North Korea, initially by CrowdStrike and later confirmed by Mandiant.

MOVEit Attacks

The extensive campaign orchestrated by the Russian-speaking group Clop targeted a critical vulnerability in Progress’ MOVEit file transfer tool and is believed to have commenced in late May. Unlike traditional ransomware attacks, there is no indication that the attacks involved encryption. Instead, Clop asserted that if a victim company complied with its demand, the group would refrain from publishing the stolen data on its dark web site. For the numerous companies that presumably chose not to comply, Clop carried out its threat.

It remains unclear which companies ultimately paid the ransom. However, as of July, Coveware, an incident response firm, estimated that Clop could gain between $75 million and $100 million from the attacks.

As of December, the number of organizations impacted by the MOVEit campaign had reached 2,667, as the cybersecurity firm Emsisoft reported. The total number of individuals known to be affected is now nearly 84 million. This positions the attack as one of the most widespread incidents of 2023 and one of the largest data breaches in recent years. Notable victims within the IT industry include IBM, Cognizant, Deloitte, PricewaterhouseCoopers, and Ernst & Young.

Additional significant incidents in the MOVEit campaign involved breaches at the Louisiana Office of Motor Vehicles (impacting up to 6 million Louisiana residents) and the Oregon Driver and Motor Vehicles division of the Oregon Department of Transportation (impacting 3.5 million Oregon residents).

PBI Research Services Breach

In a prominent case, a MOVEit-related incident led to numerous downstream breaches affecting organizations that used a single large third-party vendor. According to the Identity Theft Resource Center, the breach of PBI Research Services emerged as the largest single MOVEit-related incident, impacting 13.8 million individuals.

These individuals were associated with financial systems employing PBI, including pension systems such as the California Public Employees’ Retirement System (CalPERS) and the Tennessee Consolidated Retirement System. Major insurers like Genworth and Wilton Re and notable investment firms, including Fidelity Investments and Putnam Investments, were also affected.

CalPERS, the largest public pension fund in the US, disclosed in a news release that the data of 769,000 retirees had been compromised. As quoted in the release, CalPERS CEO Marcie Frost described the PBI breach as “inexcusable.”

Barracuda Email Security Gateway Attacks

Initially disclosed by Barracuda in late May, the attack campaign leveraged a critical vulnerability in the company’s Email Security Gateway (ESG) on-premises appliances. Further investigation by the company and Mandiant found that the vulnerability had been exploited since October 2022.

In June, Barracuda disclosed that it believed attackers had compromised five percent of active ESG appliances.

The attacks prompted the highly unusual recommendation from Barracuda that affected customers should replace their ESG devices.

Mandiant has attributed the “wide-ranging campaign” to a group it tracks as UNC4841, believed to work in support of China’s government. The firm’s researchers reported that government agencies were “disproportionately” targeted in the attacks, with a particular focus on the US.

As of August, Barracuda recommended that impacted customers replace their compromised appliances. The company noted that it would provide replacement devices for free to impacted customers.

Microsoft Cloud Email Breach

The high-profile breach of Microsoft cloud email accounts belonging to multiple US government agencies, discovered in June, is believed to have impacted the emails of Commerce Secretary Gina Raimondo and US Ambassador to China Nicholas Burns, as well as officials in the Commerce Department. According to reports, 60,000 emails were stolen from 10 US State Department accounts in the compromise.

The incident prompted US Sen. Ron Wyden to request a federal investigation into “whether lax security practices by Microsoft” led to the hack, and drew criticism from numerous prominent executives within the security industry.

In September, Microsoft disclosed that it had identified additional issues that enabled the China-linked threat actor — tracked as “Storm-0558” — to compromise the cloud email accounts of US officials.

In a blog post, the tech giant disclosed that a flaw caused an Azure Active Directory key used in the compromise to be improperly captured and stored in a file following a Windows system crash in 2021. Another flaw meant the key’s presence in that file went undetected, Microsoft said.

Additionally, according to the company, the threat actor behind the breach was only able to access the key file after compromising a corporate account belonging to a Microsoft engineer.

Previously, Microsoft had said a stolen Azure Active Directory key was misused to forge authentication tokens and gain access to emails from an estimated 25 organizations.
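As an added illustration (not from the article and not Microsoft’s own tooling), the kind of check that would flag signing-key material landing in a crash dump: a scanner that reports PEM private-key blocks and JSON Web Keys carrying a private parameter, recording only an offset and a hash fingerprint so the secret itself never enters the report. The sample dump and key bodies are constructed placeholders, not real keys.

```python
import hashlib
import re

# Two shapes of key material the scanner looks for: PEM private-key blocks
# (with matching BEGIN/END labels) and JSON Web Keys that include a private
# parameter "d". Public keys in either format are deliberately not flagged.
PEM_PRIVATE = re.compile(
    rb"-----BEGIN (?P<label>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    rb".*?-----END (?P=label)-----",
    re.DOTALL,
)
JWK_PRIVATE = re.compile(
    rb"\{(?=[^{}]*\"kty\"\s*:)(?=[^{}]*\"d\"\s*:\s*\")[^{}]*\}",
    re.DOTALL,
)


def find_key_material(data: bytes):
    """Scan a byte blob (e.g. a crash dump) and return non-sensitive findings:
    kind, byte offset, and a truncated SHA-256 fingerprint of the matched blob.
    The matched secret is hashed, never copied into the result."""
    findings = []
    for kind, pattern in (("pem-private-key", PEM_PRIVATE),
                          ("jwk-private-key", JWK_PRIVATE)):
        for m in pattern.finditer(data):
            digest = hashlib.sha256(m.group(0)).hexdigest()[:16]
            findings.append({"kind": kind, "offset": m.start(),
                             "fingerprint": digest})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample dump: binary noise with one PEM block and one private JWK
# embedded. Key bodies are placeholder strings, not real key material.
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00heap-fragment\xff\xfe"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
    b"\x00\x00more-noise"
    b'{"kty":"RSA","kid":"constructed-kid-1","n":"placeholder","d":"placeholder-priv"}'
    b"\x00trailing"
)


def scan_and_report(data: bytes = SAMPLE_DUMP):
    """Print one line per finding and return the findings list."""
    findings = find_key_material(data)
    for f in findings:
        print(f"{f['kind']} at offset {f['offset']} (sha256:{f['fingerprint']})")
    return findings


if __name__ == "__main__":
    scan_and_report()
```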

Casino Operator Attacks

The highly disruptive attacks against casino operators MGM and Caesars Entertainment in September had several concerning aspects. These include hackers’ reported use of social engineering to deceive an IT help desk into providing access during the MGM breach. Another unwelcome development was the reported collaboration behind the attacks: an alliance between young English-speaking hackers in the group known as Scattered Spider and the Russian-speaking ransomware gang Alphv.

According to security researchers, Scattered Spider’s teenage and young adult hackers utilized the BlackCat ransomware provided by Alphv. Alphv is a gang whose members have previously been associated with DarkSide, the group behind the Colonial Pipeline attack.

While ransomware-as-a-service has been a growing trend for years in Eastern Europe, the alliance between teen hackers — which some reports suggest includes members in the US and UK — and Russian-speaking RaaS groups appears to expand the threat landscape in troubling new directions.

Cisco IOS XE Attacks

In mid-October, a campaign against Cisco IOS XE customers rapidly became one of the most widespread edge attacks ever. Censys researchers reported that nearly 42,000 Cisco devices fell victim to exploits targeting a critical IOS XE vulnerability discovered on October 16.

On the same day, Cisco issued an advisory acknowledging a zero-day vulnerability in IOS XE that attackers were actively exploiting. The privilege escalation vulnerability received the maximum severity rating of 10.0 out of 10.0 from Cisco. Cisco’s Talos threat intelligence team stated that exploiting this critical vulnerability could grant a malicious actor “full control” over the compromised device.

The IOS XE networking software platform is widely used across various Cisco devices, many commonly deployed in edge environments. These devices include branch routers, industrial routers, aggregation routers, Catalyst 9100 access points and “IoT-ready” Catalyst 9800 wireless controllers.

On October 23, Cisco released the first patches to address the critical IOS XE vulnerability.

Okta Support System Breach

On October 20, Okta disclosed a data breach affecting its support case management system. Initially, the company believed the breach had impacted a “very small subset” of its 18,000 customers. However, in early November, Okta acknowledged that data from 134 customers had been accessed. Later in November, the identity platform provider revised its assessment, revealing that the breach had included the theft of all support customer names and emails.

The victims of the attack also included several major cybersecurity vendors. Following Okta’s initial disclosure about the support system breach, BeyondTrust, Cloudflare, and 1Password each stated they were among the impacted customers in the incident.

Okta’s David Bradbury emphasized that user credentials and other sensitive data were not included in the report of support customer names and emails that the attackers downloaded.
