Top 10 Ways Threat Actors Are Targeting Companies in 2023

When it comes to cybersecurity, knowledge is power. After all, you can’t protect your organization against threats you don’t know about. The global cybersecurity community also strengthens when companies and regulatory bodies share substantive information about threat actors’ identities and successful attacks and attempts. 

Evaluating threat actors’ targeting methods each year can help shed light on why certain methods persist in popularity and bring attention to new processes/techniques rising in popularity as threat actors and technology evolve. 

Black Kite’s research department gathered information from attacks over the past six months and tracked developments in artificial intelligence (AI) and machine learning (ML) technology to identify the top 10 ways threat actors are targeting companies in 2023. Here’s what we’ve found:

Top 10 Ways Threat Actors Are Targeting Companies in 2023

First things first: This list isn’t exhaustive. It’s nearly impossible to track down all the ways that threat actors target  companies, so we’re focusing on the most common attack vectors. It’s also important to note that this list isn’t in order of importance. Each organization faces unique threats based on its industry, infrastructure, and other factors. In other words, a top threat for one company may rank much lower for another.

Trend #1: Vendor-Related Data Breaches

As business ecosystems grow increasingly interconnected and data becomes a form of currency, it’s easy to see why threat actors target organizations through third-party vendors. Third-party vendors are often an organization’s security weak point. Companies often fail to realize how much data they share with their vendors and don’t properly vet each vendor’s security position.

The results can be disastrous. In May of this year, the CI0p ransomware group leveraged a vulnerability in MOVEit Transfer, a service supplied to organizations by Progress Software. Threat actors used the vulnerability to steal information from Progress Software’s connected client databases. In examples like the MOVEit data breach, threat actors can attack the vendor and access client data, which triggers a cascading effect.

Trend #2: Credential Stuffing

Credential stuffing is the automated injection of stolen username and password pairs to gain unauthorized system access. Threat actors often use tools like Sentry MBA or SNIPR to launch large-scale credential-stuffing attacks. Since nearly 70% of people reuse account passwords, credential stuffing will likely remain a popular threat vector. In fact, Okta, a popular U.S.-based identity and access management company, reported last year that one-third of all login attempts on its system were malicious and fraudulent.

Trend #3: Remote Desktop Protocol (RDP) Exploits

Developed by Microsoft, RDP is a proprietary protocol allowing users to access their desktops online. While it’s useful for information exchange, threat actors can use brute force attacks or exploit vulnerabilities to gain unauthorized access to a user’s desktop and data if the channel isn’t properly secured.

Most experts in the cybersecurity industry trace the significant rise in RDP attacks to the pandemic. Between the first and fourth quarters of 2020 alone, RDP attacks grew by 768%. Post pandemic, RDP attacks remain ubiquitous due to the popularity of common brute force attack algorithms and more advanced versions, like dictionary attacks, that use words, numbers, and strings of characters from pre-compiled lists to crack passwords.

Trend #4: Phishing Attacks

Phishing is a technique used to acquire sensitive data through fraudulent solicitation. These attacks lure users into clicking on malicious links or attachments. Typically delivered through email, threat actors also carry out phishing attacks via SMS or text messages, telephone calls, or vishing.

There’s also spear phishing or whaling, which targets an individual — usually a high-ranking official — or an entire department. Last year, researchers and security experts collected reports of over 500 million phishing attacks, which makes phishing attacks one of the most prevalent types of cybercrime. Phishing attacks will continue to rise in popularity, especially as threat actors leverage AI and ML to launch larger, more sophisticated attacks.

Trend #5: Business Email Compromise (BEC)

BEC is an attack that uses email to trick someone into sending money or divulging confidential company information. Usually, the threat actor poses as a trusted figure, such as the company CEO. BEC attacks often involve social engineering, spoofing, and exploiting legitimate business email processes.

Last year, Abnormal Security found that BEC attacks increased 81%. Security experts believe the rise in attacks corresponds with innovations in social engineering tactics. These social engineering innovations include an increase in BEC attacks carried out via SMS and social media apps like Signal and WhatsApp, in addition to email.

Trend #6: Structured Query Language (SQL) Injections

In an SQL injection attack, threat actors insert malicious SQL code into a web application database query. Most of these attacks target poorly coded application software that doesn’t correctly validate input, which allows attackers to execute arbitrary SQL code and manipulate the application’s database. 

A great example is the MOVEit data breach, which resulted from an SQL injection vulnerability. There were various unpatched versions of the MOVEit Transfer service in use by Progress Software’s clients. Since SQL injection attacks prey on poorly coded software, they’ll remain popular as organizational infrastructure grows more complex and threat actors look to take advantage of vulnerabilities resulting from visibility gaps in a company’s tech stack.

Trend #7: Cross-Site Scripting (XXS) Attacks

XXS attacks inject malicious scripts into webpages viewed by users. The scripts activate when a user visits a compromised webpage, enabling the attacker to steal sensitive information or act on the user’s behalf. 

In May 2023, security experts identified a case of reflected XXS. In a reflected XXS attack, threat actors send malicious links via email or specially crafted forms to trick users. When users interact with the link or form, the injected code returns to the vulnerable website.  
In the reflected XXS attack earlier this year, a WordPress plugin with over 2 million active installations contained malicious scripts, potentially allowing unauthenticated users to steal sensitive information. Security experts believe that XXS attacks will remain popular as threat actors continue to rely on email as an attack vector and leverage other interaction points like plugins and forms.

Trend #8: Exploiting Remote Code Execution (RCE) Vulnerabilities

RCE occurs when an attacker accesses a target computing device and then makes changes remotely, regardless of the device’s location. Exploiting these vulnerabilities, especially in the context of zero-day vulnerabilities, can give attackers complete control over a compromised system. Because attackers discover zero-day vulnerabilities before the vendor is aware, the attack is more likely to succeed since no patch exists for the vulnerability. 

RCEs continue to top lists of popular attack approaches simply because of their demonstrated effectiveness. The infamous WannaCry ransomware that became a global threat in 2017 was resulted from an RCE attack. Just last month, Fortinet disclosed a critical RCE vulnerability affecting its network access control solution. Fortinet released a patch, but if organizations fail to apply it, threat actors could insert a modified serialized object into their system and execute commands remotely.

Trend #9: Using AI and ML for Social Engineering

Social engineering has been around for ages. Threat actors using techniques that convince a target to reveal specific information or perform an action for illegitimate reasons is nothing new. The methods used in social engineering, however, are evolving as threat actors leverage AI and ML. Threat actors can use AI/ML to choose their targets with greater accuracy or dramatically increase the scope of an attack.

In recent years, reports of threat actors using AI/ML to boost phishing, baiting, and pretexting in social engineering efforts have risen. The result? An increase in high-quality deepfakes and well-constructed fraudulent emails and texts.

Trend #10: Advanced Persistent Threats (APTs)

A continuous, stealthy threat, APTs work to access computer networks or systems without detection. Threat actors gain access to a network and remain undetected for an extended period. Over a few days, months, or even years, the threat actors slowly siphon information from the network. These attacks are often state-sponsored or linked to cyberespionage groups whose primary goal is to steal (and often sell) sensitive information.

As of last year, APT attacks are on the rise. The global cybersecurity community attributes the  increase in APT attacks to Iranian state-sponsored and Chinese-based attacks. Other reasons behind the surge in APTs include the use of AI and ML in social engineering, malware, and phishing. As AI/ML solutions become more accessible, the tools empower threat actors and groups who are less tech-savvy to enhance the efforts of already sophisticated groups.

What Actions Should I Take?

Overall, it’s important to remember that cybersecurity is not only a technical challenge but an organizational one, requiring awareness and participation from all levels of the enterprise. In addition to boosting your organization’s awareness of significant cybersecurity attack trends, here are a few key actions to take:

• Implement multi-factor authentication (MFA). MFA is crucial for protecting your organization from RCE attacks (and many of the other top 10 trends on our list). Even if threat actors steal credentials, having an additional layer of security in place can prevent them from accessing your infrastructure or data.  
• Use advanced threat intelligence, which includes solutions that harness AI/ML to find and remediate threats in your ecosystem. AI/ML can also make recommendations for firewall configuration, endpoint protection, and staff training to recognize phishing and BEC attacks. 
• Vet third-party vendorsthoroughly. The best way to prevent vendor-data breaches is by researching your company’s third-party vendors to ensure that each vendor’s risk of a ransomware attack is low and that their overall security posture is strong. Doing so can help minimize your own data’s risk. While you can vet vendors manually, Black Kite’s Ransomware Susceptibility Index® (RSI™) uses ML analysis to quickly and accurately determine your third-party vendors’ likelihood of a ransomware attack.

Black Kite also offers a cyber risk assessment for third-party vendors. Organizations are assessed in 20 categories and rated using easily digestible metrics that speak to overall security posture, vulnerabilities, and potential financial impact to your organization in the event of an attack. Implementing these actions, leveraging the correct tools in your company, and sharing your findings with other organizations can help spark positive security trends in the cybersecurity sector for 2023 and beyond.