10 Major Cyberattacks And Data Breaches In 2023
Data breaches, ransomware and data extortion attacks have had a broad impact on businesses in 2023.
While ransomware remained a massive threat to organizations, particularly smaller and less-protected businesses, the focus on data theft and extortion-only campaigns by some attackers was a major development in the cyberthreat landscape in 2023. Two of the attack campaigns we’ve highlighted on the following list — the MOVEit and GoAnywhere attacks — did not include encryption-based ransomware, but instead involved extortion demands in exchange for withholding stolen data from public disclosure. The Russian-speaking group behind both attack campaigns, Clop, was the most prominent group to favor extortion-only attacks in 2023, but was not the only one.
Meanwhile, many attackers continued to cut back on their use of malware, instead turning to exploits of tools such as remote monitoring and management (RMM), which are less likely to be caught by endpoint security products. Identity-based attacks using compromised credentials also continued to rise this year as a way to get around endpoint detection and response (EDR). And as for phishing and social engineering, these tried-and-true tactics remained a huge threat — as underscored by the hackers’ use of social engineering as part of the crippling MGM breach.
As part of CRN’s end-of-year coverage for 2023, we’ve compiled a sampling of the major cyberattacks and data breaches that we followed this year. For the most part, we’ve chosen to highlight attack campaigns that had multiple victims, given the broad industry impact of such attacks.
What follows are 10 major cyberattack campaigns and data breaches we followed in 2023 (in chronological order).
ESXi Ransomware Attacks
In February, the “ESXiArgs” ransomware campaign targeted customers that run the VMware ESXi hypervisor. An estimate by the FBI and CISA at the time put the number of compromised servers worldwide at 3,800.
The campaign targeted organizations in countries including the U.S., Canada, France and Germany, according to cybersecurity vendor Censys. The attacks exploited a two-year-old vulnerability (tracked at CVE-2021-21974) that affects older versions of VMware ESXi, researchers said.
The vulnerability affects the OpenSLP service in older versions of ESXi, and can be exploited to enable remote execution of code.
VMware released a statement saying that “the recent ESXiArgs ransomware attacks have highlighted important truths about protecting virtual infrastructure.”
“The important truth is that virtual infrastructure is a high-value target, precisely because organizations run their most important workloads there, and that threat actors are continuously evolving their tools and tactics to work in those environments,” VMware said in its statement.
In February, Fortra informed customers that it had identified an actively exploited zero-day vulnerability in its GoAnywhere file transfer platform, which could be used to remotely execute code on vulnerable systems.
The largest incident from the GoAnywhere campaign — the hack of healthcare benefits and technology firm NationsBenefits — impacted 3 million members, according to the Identity Theft Resource Center.
The GoAnywhere platform was also exploited by hackers to steal data from numerous other large organizations including Procter & Gamble, the City of Toronto, Crown Resorts and data security firm Rubrik.
In April, Fortra said that certain customers with on-premises deployments of the software were “at an increased risk” from the attacks.
Among the discoveries during the Fortra investigation into the attacks was that the GoAnywhere vulnerability “was used against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution,” the company said in a blog post. This occurred as far back as Jan. 18, Fortra said.
3CX Software Supply Chain Attack
The compromise in March of 3CX, a widely used communications software maker, resembled the SolarWinds supply chain attack of 2020 in a number of key ways.
3CX, whose communications software includes a VoIP phone system app targeted in the attack, has said that its customer base totaled more than 600,000 organizations, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.
However, researchers have noted that the 3CX compromise was caught in weeks rather than months — as had been the case with the SolarWinds attack — which appears to have limited the impact from the breach on 3CX and its end customers.
The 3CX attack also stood out from past software supply chain compromises in another major respect: The 3CX campaign was made possible by an earlier supply chain attack, according to Mandiant. In the earlier compromise, attackers had tampered with a software package distributed by a financial software firm, Trading Technologies, Mandiant researchers disclosed. “This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” researchers said in a post.
The 3CX attack was attributed by CrowdStrike, and later by Mandiant, to North Korea.
The widespread campaign by Clop, a Russian-speaking group, exploited a critical vulnerability in Progress’ MOVEit file transfer tool and are believed to have begun in late May. It’s also believed that the attacks have not included any deployment of encryption, as in traditional ransomware attacks. Instead, Clop claimed that if a victim company were to pay its demand, the group would not leak the victim’s stolen data on its darkweb site. And for hundreds of companies that presumably opted not to pay, Clop did exactly that.
It was less clear which companies did, in fact, pay the demand. But as of July, incident response firm Coveware was estimating that Clop would receive between $75 million and $100 million in the attacks.
As of Wednesday, the stunning number of impacted organizations from the MOVEit campaign stood at a total of 2,667, according to a tally by cybersecurity firm Emsisoft. In terms of the individuals known to have been impacted, the total is now at nearly 84 million. That places it among the farthest-reaching attacks of 2023, and also makes it one of the biggest data heists in recent years. Within the IT industry, victims of the MOVEit data extortion campaign included IBM, Cognizant and Deloitte, PricewaterhouseCoopers and Ernst & Young.
Other major incidents in the MOVEit campaign included the breach of the Louisiana Office of Motor Vehicles (up to 6 million Louisiana residents impacted) and the Oregon Driver and Motor Vehicles division of the Oregon Department of Transportation (3.5 million Oregon residents impacted).
PBI Research Services Breach
In one prominent case, a MOVEit-related incident ended up resulting in numerous downstream breaches of organizations that used a large third-party vendor. The breach of PBI Research Services became the largest single MOVEit-related incident, in terms of total individuals impacted, after data from 13.8 million individuals was ultimately compromised, according to the Identity Theft Resource Center.
The individuals had been served by financial systems that used PBI including pension systems (including the California Public Employees’ Retirement System, or CalPERS, and the Tennessee Consolidated Retirement System); major insurers (including Genworth and Wilton Re); and notable investment firms (including Fidelity Investments and Putnam Investments).
CalPERS, which is the largest public pension fund in the U.S., disclosed in a news release that the data of 769,000 retirees was compromised. In a quote included in the release, CalPERS CEO Marcie Frost called the PBI breach “inexcusable.”
Barracuda Email Security Gateway Attacks
Initially disclosed by Barracuda in late May, the attack campaign leveraged a critical vulnerability in the company’s Email Security Gateway (ESG) on-premises appliances. Further investigation from the company and Mandiant found that the vulnerability had been exploited as far back as October 2022.
Barracuda disclosed in June that it believed 5 percent of active ESG appliances had been compromised by attackers.
The attacks prompted the highly unusual recommendation from Barracuda that affected customers should actually replace their ESG devices.
Mandiant has attributed the “wide-ranging campaign” to a group it tracks as UNC4841, which is believed to work in support of China’s government. The firm’s researchers reported that government agencies were “disproportionately” targeted in the attacks, with a particular focus on the U.S.
As late as August, Barracuda was saying that it “continues to recommend that impacted customers replace their compromised appliance.” The company noted that it would provide replacement devices for free to impacted customers.
Microsoft Cloud Email Breach
The high-profile breach of Microsoft cloud email accounts belonging to multiple U.S. government agencies, discovered in June, is believed to have impacted the emails of Commerce Secretary Gina Raimondo as well as U.S. Ambassador to China Nicholas Burns and officials in the Commerce Department. A total of 60,000 emails were stolen from 10 U.S. State Department accounts in the compromise, according to reports.
The incident prompted U.S. Sen. Ron Wyden to request a federal investigation to determine “whether lax security practices by Microsoft” led to the hack, and also led to criticism from numerous prominent executives within the security industry.
In September, Microsoft disclosed that it had identified additional issues that enabled the China-linked threat actor — tracked as “Storm-0558” — to compromise the cloud email accounts of U.S. officials.
In a blog post, the tech giant disclosed that a flaw caused an Azure Active Directory key used in the compromise to be improperly captured and stored in a file following a Windows system crash in 2021. Another flaw led to the presence of the key not being detected, Microsoft said.
Additionally, the threat actor behind the breach was only able to access the file containing the key through compromising a corporate account belonging to a Microsoft engineer, according to the company.
Previously, Microsoft had said a stolen Azure Active Directory key was misused to forge authentication tokens and gain access to emails from an estimated 25 organizations.
Casino Operator Attacks
There are many concerning elements of the highly disruptive attacks against casino operators MGM and Caesars Entertainment in September — including the reported use of social engineering by the hackers to trick an IT help desk into providing access in the MGM breach. But among the other unwelcome developments was a collaboration that was reportedly behind the attacks: An alliance between young English-speaking hackers in the group known as Scattered Spider and Russian-speaking ransomware gang Alphv.
According to security researchers, the teenage and young adult hackers of Scattered Spider utilized BlackCat ransomware that was provided by Alphv (a gang whose members have previously been affiliated with DarkSide, the group behind the Colonial Pipeline attack). While ransomware-as-a-service has been a growing trend for years in Eastern Europe, the alliance between teen hackers — which some reports say include members in the U.S. and U.K. — and Russian-speaking RaaS groups appears to expand the threat landscape in troubling new directions.
Cisco IOS XE Attacks
In mid-October, a campaign against Cisco IOS XE customers rapidly became one of the most widespread edge attacks ever, experts told CRN. Nearly 42,000 Cisco devices were compromised through exploits of a critical IOS XE vulnerability discovered Oct. 16, according to Censys researchers.
Cisco said in an advisory that day that the zero-day vulnerability in IOS XE saw “active exploitation” by attackers. The privilege escalation vulnerability received the maximum severity rating, 10.0 out of 10.0, from Cisco. Exploitation of the critical vulnerability can allow a malicious actor to acquire “full control” of the compromised device, Cisco’s Talos threat intelligence team said.
The IOS XE networking software platform is utilized by a multitude of Cisco devices, many of which are commonly deployed in edge environments. Those include branch routers, industrial routers and aggregation routers, as well as Catalyst 9100 access points and “IoT-ready” Catalyst 9800 wireless controllers.
“Of edge attacks, this is one of if not the most significant,” said John Gallagher, vice president of Viakoo Labs at IoT security firm Viakoo.
On Oct. 23, Cisco released the first in a series of patches to address the critical IOS XE vulnerability.
Okta Support System Breach
On Oct. 20, Okta disclosed a data breach affecting its support case management system, which the company initially believed had impacted a “very small subset” of its 18,000 customers. In early November, however, Okta acknowledged that data from 134 customers had been accessed. And then in late November, the identity platform provider revised its assessment again — disclosing that the breach had included the theft of all support customer names and emails.
The victims of the attack also included several major cybersecurity vendors. Following Okta’s initial disclosure about the support system breach, BeyondTrust, Cloudflare and 1Password each said they were among the impacted customers in the incident.
In its updated disclosure in late November, Okta Chief Security Officer David Bradbury said the identity management company had been “re-examining the actions that the threat actor performed.”
As a result, “we have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users,” Bradbury wrote.
Crucially, however, user credentials and other sensitive data were not included in the report downloaded by attackers, Bradbury wrote.
Following the latest disclosure, Okta co-founder and CEO Todd McKinnon said that the company would be postponing upcoming product updates for 90 days in order to prioritize security.