Netskope nombrado Líder en el Cuadrante Mágico de Gartner® 2024™ para Security Service Edge. Obtenga el informe

cerrar
cerrar
  • Por qué Netskope chevron

    Cambiar la forma en que las redes y la seguridad trabajan juntas.

  • Nuestros clientes chevron

    Netskope atiende a más de 3.000 clientes en todo el mundo, entre ellos más de 25 de las 100 empresas de Fortune

  • Nuestros Partners chevron

    Nos asociamos con líderes en seguridad para ayudarlo a asegurar su viaje a la nube.

Aún más alto en ejecución.
Aún más lejos en visión.

Sepa por qué 2024 Gartner® Cuadrante Mágico™ nombró a Netskope Líder para Security Service Edge por tercer año consecutivo.

Obtenga el informe
Netskope Nombrado líder en el gráfico 2024 Gartner® Magic Quadrant™ for Security Service Edge para Menu
Ayudamos a nuestros clientes a estar preparados para cualquier situación

Ver nuestros clientes
Woman smiling with glasses looking out window
La estrategia de venta centrada en el partner de Netskope permite a nuestros canales maximizar su expansión y rentabilidad y, al mismo tiempo, transformar la seguridad de su empresa.

Más información sobre los socios de Netskope
Group of diverse young professionals smiling
Tu red del mañana

Planifique su camino hacia una red más rápida, más segura y más resistente diseñada para las aplicaciones y los usuarios a los que da soporte.

Obtenga el whitepaper
Tu red del mañana
Presentamos la Netskope One Plataforma

Netskope One es una Plataforma nativa en la nube que ofrece servicios convergentes de seguridad y redes para hacer posible su transformación SASE y de confianza cero.

Learn about Netskope One
Abstracto con iluminación azul
Adopte una arquitectura de borde de servicio de acceso seguro (SASE)

Netskope NewEdge es la nube privada de seguridad más grande y de mayor rendimiento del mundo y ofrece a los clientes una cobertura de servicio, un rendimiento y una resiliencia incomparables.

Más información sobre NewEdge
NewEdge
Netskope Cloud Exchange

Cloud Exchange (CE) de Netskope ofrece a sus clientes herramientas de integración eficaces para que saquen partido a su inversión en estrategias de seguridad.

Más información sobre Cloud Exchange
Vídeo de Netskope
  • Servicio de seguridad Productos Edge chevron

    Protéjase contra las amenazas avanzadas y en la nube y salvaguarde los datos en todos los vectores.

  • Borderless SD-WAN chevron

    Proporcione con confianza un acceso seguro y de alto rendimiento a cada usuario remoto, dispositivo, sitio y nube.

  • Secure Access Service Edge chevron

    Netskope One SASE proporciona una solución SASE nativa en la nube, totalmente convergente y de un único proveedor.

La plataforma del futuro es Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) y Private Access for ZTNA integrados de forma nativa en una única solución para ayudar a todas las empresas en su camino hacia el Servicio de acceso seguro Arquitectura perimetral (SASE).

Todos los productos
Vídeo de Netskope
Next Gen SASE Branch es híbrida: conectada, segura y automatizada

Netskope Next Gen SASE Branch converge Context-Aware SASE Fabric, Zero-Trust Hybrid Security y SkopeAI-Powered Cloud Orchestrator en una oferta de nube unificada, marcando el comienzo de una experiencia de sucursal completamente modernizada para la empresa sin fronteras.

Obtenga más información sobre Next Gen SASE Branch
Personas en la oficina de espacios abiertos.
Diseño de una arquitectura SASE para Dummies

Obtenga un ejemplar gratuito del único manual que necesitará sobre diseño de una arquitectura SASE.

Obtenga el eBook
Cambie a los servicios de seguridad en la nube líderes del mercado con una latencia mínima y una alta fiabilidad.

Más información sobre NewEdge
Lighted highway through mountainside switchbacks
Habilite de forma segura el uso de aplicaciones de IA generativa con control de acceso a aplicaciones, capacitación de usuarios en tiempo real y la mejor protección de datos de su clase.

Descubra cómo aseguramos el uso generativo de IA
Habilite de forma segura ChatGPT y IA generativa
Soluciones de confianza cero para implementaciones de SSE y SASE

Más información sobre Confianza Cero
Boat driving through open sea
Netskope logra la alta autorización FedRAMP

Elija Netskope GovCloud para acelerar la transformación de su agencia.

Más información sobre Netskope GovCloud
Netskope GovCloud
  • Recursos chevron

    Obtenga más información sobre cómo Netskope puede ayudarle a proteger su viaje hacia la nube.

  • Blog chevron

    Descubra cómo Netskope permite la transformación de la seguridad y las redes a través del borde de servicio de seguridad (SSE)

  • Eventos y Talleres chevron

    Manténgase a la vanguardia de las últimas tendencias de seguridad y conéctese con sus pares.

  • Seguridad definida chevron

    Todo lo que necesitas saber en nuestra enciclopedia de ciberseguridad.

Podcast Security Visionaries

La intersección de Zero Trust y la seguridad nacional
On the latest episode of Security Visionaries, co-hosts Max Havey and Emily Wearmouth sit down for a conversation with guest Chase Cunningham (AKA Dr. Zero Trust) about zero trust and national security.

Reproducir el pódcast
La intersección de Zero Trust y la seguridad nacional
Últimos blogs

Lea cómo Netskope puede hacer posible el viaje hacia la Confianza Cero y SASE a través de las capacidades del borde de servicio de seguridad (SSE).

Lea el blog
Sunrise and cloudy sky
SASE Week 2023: ¡Su viaje SASE comienza ahora!

Sesiones de repetición de la cuarta SASE Week.

Explorar sesiones
SASE Week 2023
¿Qué es SASE?

Infórmese sobre la futura convergencia de las herramientas de red y seguridad en el modelo de negocio actual de la nube.

Conozca el SASE
  • Empresa chevron

    Le ayudamos a mantenerse a la vanguardia de los desafíos de seguridad de la nube, los datos y la red.

  • Liderazgo chevron

    Nuestro equipo de liderazgo está firmemente comprometido a hacer todo lo necesario para que nuestros clientes tengan éxito.

  • Soluciones para clientes chevron

    Le apoyamos en cada paso del camino, garantizando su éxito con Netskope.

  • Formación y certificación chevron

    La formación de Netskope le ayudará a convertirse en un experto en seguridad en la nube.

Apoyar la sostenibilidad a través de la seguridad de los datos

Netskope se enorgullece de participar en Vision 2045: una iniciativa destinada a crear conciencia sobre el papel de la industria privada en la sostenibilidad.

Descubra más
Apoyando la sustentabilidad a través de la seguridad de los datos
Pensadores, constructores, soñadores, innovadores. Juntos, ofrecemos soluciones de seguridad en la nube de vanguardia para ayudar a nuestros clientes a proteger sus datos y usuarios.

Conozca a nuestro equipo
Group of hikers scaling a snowy mountain
El talentoso y experimentado equipo de servicios profesionales de Netskope proporciona un enfoque prescriptivo para su exitosa implementación.

Más información sobre servicios profesionales
Servicios profesionales de Netskope
Asegure su viaje de transformación digital y aproveche al máximo sus aplicaciones en la nube, web y privadas con la capacitación de Netskope.

Infórmese sobre Capacitaciones y Certificaciones
Group of young professionals working

La nube y las amenazas Informe 2024

azul claro más
Este Informe explora la evolución de los entornos empresariales en la nube y el panorama de las amenazas, destacando las tendencias predominantes en 2023 y ofreciendo predicciones sobre cuáles continuarán en 2024.
Nube oscura sobre la puesta de sol
22 min read

Executive summary enlace enlace

test answer

The Netskope Cloud and Threat Report aims to provide strategic, actionable intelligence on the latest trends in cloud computing and cybersecurity threats affecting organizations throughout the world. In this edition, we take a look back at the major trends of 2023, paying special attention to those that we expect to continue into 2024 and beyond.

Throughout 2023, cloud and SaaS adoption continued to rise in enterprise environments, with users constantly adopting new apps and increasing their use of existing apps. App suites from Microsoft and Google continue to dominate in all industries and geographies worldwide as apps from these vendors become even more ingrained in critical business processes.

Adversaries, recognizing this trend, are abusing and targeting popular apps in their operations more frequently. Social engineering has become the most common method adversaries use to gain access into victims’ environments. Adversaries are increasingly successful in tricking victims into downloading Trojans by hosting them in popular SaaS apps and in tricking victims into clicking on phishing baits designed to steal SaaS app credentials.

The majority of adversary activity targeting Netskope customers in 2023 was financially motivated. When a financially motivated adversary gains initial access to a victim’s environment, they typically install an implant (usually Cobalt Strike) to maintain persistence. They ultimately try to extort the victim organization by deploying ransomware, infostealers, and wipers, threatening to expose sensitive data publicly or sabotage the victim’s environment if they do not pay. Even geopolitically motivated adversaries, whose primary objective has historically been cyber espionage, are also engaging in similar extortion activities.

This report spotlights these and other predominant trends of 2023 and offers predictions into which ones will continue into 2024.

 

Report highlights enlace enlace

sdofjsfojefgejelosij

Generative AI apps are an enterprise mainstay
Generative AI apps, virtually non-existent in the enterprise a year ago, are now a mainstay, with more than 10% users accessing cloud-based generative AI apps each month and with the top 25% of users exponentially increasing their use of these apps.

Most Trojans are downloaded from popular cloud apps
Attackers are most successful at tricking victims into downloading Trojans when they are hosted on popular cloud apps, with the most popular apps from Google and Microsoft among the top apps for malware downloads.

Criminal adversaries expand their extortion playbook
Criminal adversary activity dominated the threat landscape in 2023, with multiple adversary groups relying heavily on Cobalt Strike to maintain permanence and deploy ransomware, infostealers, wipers, and other malicious software to extort their victims.

 

About this report enlace enlace

Netskope Threat Labs publishes an annual Cloud and Threat Report to provide strategic, actionable intelligence on the latest trends in cloud computing and cybersecurity threats affecting organizations throughout the world. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. Netskope provides threat and data protection to millions of users worldwide. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Stats presented in this report are a reflection of both adversary activity and user behavior. Stats in this report are based on the period starting December 1, 2021 through November 30, 2023.

 

Netskope Threat Labs enlace enlace

Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest web, cloud, and data threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DEF CON, Black Hat, and RSAC.

Cloud and SaaS app use on the rise enlace enlace

The enterprise transition from traditional, on-prem applications to cloud and SaaS apps is far from over. Most organizations have already migrated to cloud-based productivity suites, and the migration has shifted to more niche applications. The number of apps used by the average user has increased from 14 to 20 over the past two years, an average 19% increase per year. Currently, half of all enterprise users interact with between 11 and 33 apps each month, with the top 1% of users interacting with more than 96 apps per month.

apps used by the average user

At the same time, people’s interactions with cloud and SaaS apps are increasing at an even faster rate–35% per year–from just over 1,000 activities per month two years ago to nearly 2,000 activities per month today. Half of all enterprise users generate between 600 and 5,000 activities per month, with the top 1% of users generating more than 50,000 activities per month. An activity is a core interaction between a user and an app, with the most common activities being:

  • Downloading or uploading a file
  • Editing a document
  • Posting a message
  • Viewing a file or a message

Median number of activities per user per month

The most popular apps in the enterprise have not changed significantly over the past year. Among the top 20 most popular apps, year-over-year popularity varied by single-digit percentage points, with a few standout themes.

Overall app popularity

Google and Microsoft reign supreme
The core components of the Microsoft 365 and Google Workspaces productivity suites were among the top apps in both 2022 and 2023. Microsoft products OneDrive, Sharepoint, Teams, Azure Blob Storage, Outlook.com, Forms, and GitHub along with Google products Google Drive, Google Cloud Storage, Gmail, and Calendar accounted for the majority of the top 10. Apps from these vendors have become mainstays of the enterprise ecosystem in all geographies and all industries and will continue to remain on the top for the foreseeable future.

Social media shifts
Although their relative popularity was largely unchanged year-over-year, there were some shifts in the popularity of various social media platforms among enterprise users. Facebook is still the most popular social media platform, despite its popularity decreasing by 6 points. Despite all the talk of an exodus from Twitter following the purchase by Elon Musk, enterprise users are still using it at roughly the same rate. The professional social networking platform LinkedIn gained 4 points, the largest gain of any of the social media platforms and the third-largest gain of all apps. TikTok and Instagram remained largely unchanged.

Outlook leapfrogs Gmail
Outlook.com leapfrogged Google Gmail in 2023 as Outlook users continue to shift away from using the native Outlook app in favor of the web app. Adding more than 6 points of popularity, Outlook.com had the second-largest increase of any cloud or SaaS app in 2023.

 

Generative AI apps on the rise enlace enlace

2023 was the year of generative AI. It all started with the hype around OpenAI and their flagship product ChatGPT. Although it did not crack the top 20 most popular apps of 2023, ChatGPT added more users than any other app, with its popularity increasing from 0% to nearly 7% of all enterprise users by the end of the year. As ChatGPT grew in popularity, other companies began creating competing chatbots, and even more companies began creating niche products to leverage the power of these large language models (LLMs). The idea of an AI-powered assistant to help in tasks like writing, programming, and even security operations took off. At the same time, apps for generating images, videos, and audio were also released.

The enterprise cybersecurity community did what it typically does when a new technology with this much hype hits the market: Quickly determine whether these apps serve a legitimate business purpose and–for the cases where they do–figure out how to safely enable their use. For many organizations, this meant pumping the breaks, blocking the apps until they could go through proper security review. In general, this meant that these generative AI apps gained popularity in the enterprise more slowly than they did in the consumer market.

But their popularity did grow. The following graph shows an increase in AI app popularity resembling a sigmoid, increasing from just over 2% of all enterprise users accessing at least one AI app per month a year ago to more than 10% doing so today. Most of that growth occurred in the first half of 2023 and cooled off toward the end of the year.

Percentage of users interacting with AI

A plot of the growth of the top three generative AI apps provides more insight into the shape of the overall popularity graph above. ChatGPT was the most popular app by a large margin, with the writing assistant Grammarly coming in second, followed by the Google Bard chatbot in third. The following plot provides a detailed breakdown of the growth of these three apps. ChatGPT was the main driver of the sigmoidal growth pattern in the first half of the year, rising from nearly 0% to 7% of the enterprise user population very rapidly. Google Bard had a similar shape to its growth later in the year when it became generally available, but its adoption paled in comparison to ChatGPT. Grammarly started the year as the most popular AI app due to its pre-existing user base, and while it did not see as aggressive growth as ChatGPT, its popularity continues trending upward. In the next year, Netskope Threat Labs predicts that Grammarly will continue its rise in popularity and close the gap between it and ChatGPT, but will still lag behind the all-purpose chatbot.

Top 3 AI apps by percentage of users

Most users only interact with generative AI apps a few times per month. Over the course of the past year, the average user increased from 5 activities per month to 14 activities per month, where an activity is most commonly a prompt posted to a chatbot. The top quartile of AI app users showed a more significant increase, from 15 to 85 activities over the course of the year. This indicates that a quarter of the AI user population are power users who are increasingly rapidly increasing their use of generative AI apps. Netskope Threat Labs expects both of these trends to continue into 2024: the total number of users accessing AI apps in the enterprise will continue to increase only modestly, while the amount of activity from power users will increase significantly as the population of super users finds new ways to squeeze additional value from these technologies.

AI app activities by user

A closer look at the top ten generative AI apps as 2023 draws to a close reveals three noteworthy trends that we expect to see continue into 2024.

Top 10 AI apps by percentage of users per month

Chatbots reign supreme
ChatGPT, the first generative AI chatbot to rise to popularity, is still on top at the end of the year, with 6.7% of enterprise users interacting with the chatbot at least once per month. Google Bard, Google’s ChatGPT alternative, is the second most popular chatbot, but has just more than one-tenth of the user base. ChatGPT and Google Bard are general-purpose and can be used to support business functions, like helping with writing and programming tasks or information retrieval, or for entertainment. Their versatility is one of the primary reasons for their popularity. Other more niche customer engagement chatbots–ChatBase and Blip–also made the top ten but with even fewer users.

AI assistants are catching up
One of the most popular uses of generative AI technology in the enterprise so far is as a writing assistant. Grammarly, the second most popular generative AI app, is used by 3.1% of enterprise users, with alternatives QuillBot and Wordtune also making the top ten. Tabnine is a programming assistant that helps programmers write code more efficiently. Netskope Threat Labs expects that AI assistants, especially writing and programming assistants, will continue to grow in popularity in 2024. Their integration into commonly used tool sets for writing and programming and the fact that they are specifically designed and tuned for those tasks will fuel their popularity growth. The fact that they cannot be used for entertainment purposes will also likely remove barriers to their adoption in the enterprise, whereas other apps, like general purpose chatbots, may suffer.

AI art generators are moving into the enterprise
AI art generators, specifically those that can generate images, eked their way into the number 9 and 10 spots of the most popular generative AI apps in the enterprise. Like chatbots, AI art generators are all-purpose tools that can be used for entertainment or to support business functions, both of which factor into their popularity in the enterprise. Because of their entertainment uses, especially their ability to generate content that is not safe for work, they are likely to remain at the bottom of the popularity list in enterprise environments for the foreseeable future.

 

Social engineering enlace enlace

The most common method by which adversaries gained initial access to their victim’s systems in 2023 was via social engineering. Social engineering is typically the easiest way for adversaries to gain access to hardened enterprise systems where remote access is limited and patches against known security vulnerabilities are applied in a timely manner. Social engineering targets the people who have access to the systems, rather than the systems themselves. Among the various social engineering tactics and techniques used by adversaries to target enterprises in 2023, there were two standouts:

  • Tricking victims into downloading and executing Trojans
  • Using phishing to trick victims into sharing sensitive credentials

The remainder of this section provides a deeper dive into each of these techniques.

 

Troyanos

Enterprise users are constantly targeted with Trojans from many different angles. Adversaries are continuously crafting new Trojans with a variety of different baits to trick users into downloading and executing them. In 2023, an average of 8 out of every 10k users downloaded an average of 11 Trojans per month. Throughout the year, an organization with 10k users would have had an average of 132 Trojans downloaded by users on their network. Netskope Threat Labs expects both of these numbers to remain relatively constant throughout 2024.

One of the angles that adversaries increasingly use to trick users into downloading Trojans is to host the Trojans on popular SaaS apps. Over the past year, the percentage of HTTP and HTTPS malware downloads originating from SaaS apps has been consistently above 50%, a trend that Netskope Threat Labs expects to continue through 2024 as it pushes closer toward 60%.

Percentage of HTTP/HTTPs mlware downloads from cloud apps

The specific apps where adversaries have the most success in tricking their victims into downloading Trojans are unsurprisingly also some of the most popular apps in the enterprise. The following figure breaks down the top 20 apps, including a year-over-year comparison. We highlight four major themes of this plot below.

Top apps where malware downloads were detected

Microsoft OneDrive maintains its lead
As discussed earlier in this report, Microsoft OneDrive is ubiquitous in the enterprise. It is the most popular SaaS app by a large margin, with nearly two-thirds of all enterprise users accessing content in OneDrive every month. For that reason, it is unsurprising that it would also lead in terms of malware downloads. Adversaries can easily create their own OneDrive accounts to host malware, which they share with their victims. Furthermore, because two-thirds of users regularly use OneDrive, they are accustomed to clicking on OneDrive links and therefore more likely to do so when an adversary shares one.

Microsoft Sharepoint is nuanced
Microsoft leverages SharePoint in a variety of other services, including Microsoft Teams. The year-over-year increase in malware downloads originating from SharePoint is primarily due to an increase in Trojans being shared with victims over Microsoft Teams, which show up as Microsoft SharePoint downloads on the Netskope platform.

Apps providing free hosting are the leaders
The majority of the apps in the top 20 are apps that provide free file hosting services. This includes cloud storage apps (Microsoft OneDrive, Google Drive, Azure Blob Storage, Amazon S3, Box, Dropbox, Google Cloud Storage), free web hosting apps (Weebly, Squarespace), free file sharing services (DocPlayer, MediaFire, WeTransfer), and free source code hosting apps (GitHub, SourceForge). Because these apps all provide low-cost or no-cost file hosting, Netskope Threat Labs expects them and similar apps to continue to be abused for malware and phishing delivery for the foreseeable future.

 

Phishing

Adversaries are generally more successful in tricking victims into clicking on phishing links than they are in tricking them into downloading malware. On average, 29 out of every 10k enterprise users clicked on a phishing link each month in 2023, more than three times the rate of users downloading Trojans. Throughout the year, an organization with 10k users would have had an average of 348 users clicking on phishing links.

Attackers phish for credentials and other sensitive information for a variety of different targets. The top 10 phishing targets in 2023 included popular cloud and SaaS applications, shopping sites, and banking portals. SaaS apps and shopping sites were among the top targets throughout the year, while banking portals, social media, and government targets saw a steady increase throughout the year. While some adversaries phish for credentials and data that they will themselves use, others serve as initial access brokers, selling the stolen credentials, banking information, and other data on the black market. Netskope Threat Labs predicts that cloud and SaaS apps, while they will continue to remain among the top phishing targets, will be displaced by banking portals as the top target in early 2024.

Top phishing targets by links clicked

Among the top phishing target categories, there were a few standouts:

Gobierno
The most common government target was the United States Internal Revenue Service, where attackers created phishing pages to steal financial data from their victims.

Social Media
Facebook, the most popular social media app in the enterprise, remains the most targeted social media platform by a large margin. Adversaries use compromised social media accounts to run scams, spread malware, spread misinformation, and other illicit activities.

Shopping
The shopping giants Amazon and Ebay remain the top shopping targets.

Gaming
The gaming platform Steam was the most targeted gaming platform by a large margin. Adversaries typically use the payment information attached to the account to make purchases and also try to use the account to compromise additional accounts.

Consumer
The video streaming service Netflix maintained its lead as the most phished service in the consumer category in 2023. Here, the main objective is theft: The stolen accounts are sold on a black market to people looking for an inexpensive Netflix subscription.

Among the cloud and SaaS apps targeted by adversaries in phishing campaigns in 2023, one app ecosystem stands out above all the rest: Microsoft. Microsoft’s popularity among enterprise users means that Microsoft credentials are both a lucrative target for attackers and that users are going to be more accustomed to clicking on links for Microsoft services. As more users continue to use Microsoft services, Microsoft will continue to be a primary target of adversaries who can leverage access to their victim’s Microsoft account for business email compromise, to steal sensitive data, and to pivot to other connected applications. For these reasons, Netskope Threat Labs expects Microsoft to remain the top cloud phishing target in 2024, increasing its lead even further over other apps.

Top cloud phishing targets by links clicked

A less common but growing phishing strategy is to use phishing attachments instead of phishing links in emails. Phishing attachments are meant to bypass anti-phishing controls that only inspect links embedded directly in the email itself. The most common type of phishing attachment is a PDF document that appears to be an invoice, directing victims to call a phone number or visit a link if they need to correct anything on the invoice. Phishing attachments were quite rare in early 2022, spiked mid-year, subsided, and spiked again in late 2023. Despite the increase, an enterprise user downloading a phishing attachment is less common than a user clicking a phishing link or downloading a Trojan. Netskope Threat Labs expects phishing attachments to become even more common in 2024.

Users downloading phishing attachments per 10k users

 

Adversary profiles and objectives enlace enlace

So far in this report, we have highlighted that cloud and SaaS apps continue to grow in popularity in the enterprise, gaining more users and more interactions per user every year. We also highlighted that social engineering was the most common infiltration technique in 2023, with phishing and Trojans hosted on and targeting SaaS apps ranking among the top techniques. But who were the adversaries employing these techniques? What were their motivations and objectives? What risk did they present to the organizations they were targeting? This section explores the answers to all three of these questions.

Netskope Threat Labs tracks adversaries that are actively targeting Netskope customers to better understand their motivations, tactics, and techniques so that we can build better defenses against them. We generally categorize adversary motivations as either criminal or geopolitical.

Criminal adversaries
The primary objective of a criminal adversary group is financial gain, which recently has meant a heavy focus on extortion. Extortion has been an extremely profitable business for cybercriminals, with an estimated $457 million in ransom payments made in 2022. These days, criminal adversaries have expanded their portfolio of extortion techniques to help increase the likelihood of success. These techniques include:

  • Deploying ransomware. The objective is to grind the victim’s operations and systems to a halt by encrypting all of their data. The initial negotiation tactic is to promise to decrypt their data if they pay the ransom. Some adversaries even go as far as to claim to be helping the victim–the victim is so lucky that the benevolent adversary only wants money to decrypt the files and does not want to do any real harm. Imagine if someone with more nefarious intentions had gained access to the victim’s environment!
  • Deploying an infostealer. An infostealer steals sensitive data from the victim, usually compressing and exfiltrating the data over HTTP or HTTPS to blend in with other traffic. The stolen data is used as leverage to convince the victim to pay the ransom. For example, if the victim can easily restore from backups and resume normal operations, they would not be particularly motivated to pay. Perhaps the threat of exposing sensitive data publicly might change their mind.
  • Sabotaging systems. Wipers are being more commonly deployed by criminal organizations as a final tactic to help motivate payment. Adversaries will begin destroying data and knocking systems offline the longer the extortion negotiations continue, with the expectation that this might further motivate the victim to pay.

Although we attempt to label each criminal adversary group according to the country in which they operate, many groups work transnationally. Furthermore, many are now operating in an affiliate model, making their operations even more dispersed. As a result, we typically associate a group with the country or region from which its core members are believed to be located.

Geopolitical adversaries
Geopolitical adversary groups are typically either nation-states or their proxies, and their activities typically mirror broader political, economic, military, or social conflicts. Geopolitical groups typically engage in cyber operations against other nation-states as a modern international relations strategy. The lines between geopolitical and criminal adversaries can blur, with some geopolitical groups also engaging in financially motivated activities. The specific cyber-operations undertaken by geopolitical adversaries vary including:

  • Cyber espionage
  • Sabotaging critical infrastructure
  • Information warfare
  • Spreading propaganda
  • Manipulating public opinion
  • Influencing elections

Attribution
Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear as though they came from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same tooling or infrastructure. Even defining adversary groups can be challenging, as groups evolve or members move between groups. Adversary attributions are fuzzy and subject to change and evolve as new information comes to light.

The majority of adversary activity targeting Netskope customers in 2023 was criminally motivated, with geopolitical adversaries most active against users in Asia and Latin America. Within Asia, the highest concentration of geopolitical adversary activity targeted victims in India and Singapore, and in Latin America it targeted victims in Brazil.

Adversary motivations by target region

Overall, the majority of the adversary activity was attributed to criminal groups based in Russia (targeted throughout the world), followed by geopolitical groups in China (targeted primarily at victims in Asia, especially Singapore). Adversary groups located in other regions accounted for less than one-quarter of all adversary activity tracked by Netskope Threat Labs in 2023. In the remainder of this section, we provide an adversary profile for the five most active adversary groups in 2023, highlighting their motivations, tactics, techniques, and targeting strategies. This list includes three criminal groups based in Russia and two geopolitical groups based in China.

Adversary activity by location

 

TA551

Location: Russia
Motivation: Criminal
Aliases: GOLD CABIN, Shathak

The activity attributed to TA551 was primarily from banking Trojans, specifically variants of Pinkslipbot, Ursnif, and QakBot. TA551 targeted victims throughout the world and in multiple industry verticals, including manufacturing, financial services, technology, and healthcare. While many criminal organizations have pivoted to an extortion-centric strategy, TA551 appears to be content in sticking with their tried-and-true strategy of stealing banking information directly from their victims.

 

Wizard Spider

Location: Russia
Motivation: Criminal
Aliases: UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest

Wizard Spider is perhaps most infamous for developing the TrickBot malware and has since pivoted to conducting ransomware operations. In 2023, Netskope tracked activity associated with Wizard Spider targeting victims throughout the world. In most of their operations, they used the popular red team tool Cobalt Strike to establish persistence in victim environments. The Cobalt Strike framework provides a lightweight executable that is implanted in the victim’s environment and communicates back to an attacker-controlled server. It is typically used to provide remote access and deploy additional malware payloads (in this case, primarily ransomware). Most of the Wizard Spider activity we tracked in 2023 followed a common pattern–avoiding DNS lookups by communicating directly with the attacker-controlled server via its IP address over HTTP.

 

TA505

Location: Russia
Motivation: Criminal
Aliases: Hive0065

TA505 is another Russian criminal ransomware group and is responsible for the Clop ransomware. Like Wizard Spider, they also heavily used Cobalt Strike for persistence and to deploy ransomware payloads. They also used the Amaday botnet to deploy ransomware and other malware payloads on infected systems. Similar to Wizard Spider, their Cobalt Strike and Amadey implants tended to communicate directly with their C2 infrastructure via IP addresses, bypassing DNS lookups. Unlike Wizard Spider, who targeted organizations worldwide, TA505’s activities were concentrated in Asia and Europe.

 

APT41

Location: China
Motivation: Geopolitical
Aliases: Wicked Panda

APT41 is a state-sponsored espionage group that also engages in financially-motivated ransomware attacks. Although their activities in the past have been spread throughout the world, their activities in 2023 were focused primarily in Asia and Europe, especially financial services organizations based in Singapore. Like other groups, they heavily relied on the Cobalt Strike framework for persistence and to deploy additional payloads. They also used the POISONPLUG backdoor, variants of which use social media platforms as command and control channels.

 

Earth Lusca

Location: China
Motivation: Geopolitical
Aliases: TAG-22

Earth Lusca is closely related to APT41 in that it uses very similar tooling. In 2023, they used Cobalt Strike and POISONPLUG against targets throughout the world spanning multiple industries including financial services, manufacturing, healthcare, technology, and SLED.

 

Recomendaciones enlace enlace

The complexity of an enterprise environment where users are constantly introducing new apps into the fold while existing apps become increasingly embedded in core business processes can make such environments challenging to secure. Netskope Threat Labs recommends limiting app access to only those apps that serve a legitimate business purpose and creating a review and approval process for new apps. For widely used and heavily integrated apps, Netskope recommends implementing a continuous posture management process to ensure that the apps are configured to reduce risk to the organization. We also recommend implementing a continuous monitoring process that will alert security operators when apps are being misused or have been compromised.

With generative AI apps having established a foothold in the enterprise, ensuring the safe enablement and adoption of AI apps should now be an urgent priority for most organizations. Safe enablement involves identifying permissible apps and implementing controls that empower users to use them to their fullest potential while safeguarding the organization from risks. For more detailed information about how Netskope can help, please refer to the ChatGPT and Generative AI Data Protection solution brief.

In light of the continuing increase of social engineering for initial access, Netskope Threat Labs recommends continuing investments into reducing the risk of social engineering, including security awareness training and anti-phishing technology. Because of increasing adversary focus on targeting and abusing cloud and SaaS apps, organizations should ensure that their security solutions thoroughly inspect all network traffic (including traffic to and from popular cloud and SaaS apps) and are actively monitoring managed apps for signs of abuse and compromise.

There are many commonalities among the active adversary groups, including the installation of implants such as Cobalt Strike to enable clandestine remote access; the deployment of ransomware, infostealers, and wipers; and the subsequent extortion attempts. Locking down remote access, patching systems against known exploits, and reducing the risks of social engineering can help prevent initial access and therefore also the more significant and costly attacker activity. However, additional layers of controls should also be deployed to catch determined adversaries that manage to find their way past the initial layers. These extra layers include deploying network and endpoint security that can block intrusion attempts, command and control communications, and malicious data exfiltration. They also include deploying network and endpoint security tools that can detect the unusual activity that typically occurs when an adversary has infiltrated a system but has yet to deploy ransomware or exfiltrate data. Detecting and disrupting an adversary at this stage can still prevent an attack from becoming damaging or costly.

A multi-layered cybersecurity strategy focused on risk reduction, blocking adversary activities, and continuous monitoring can help protect organizations from the staggering losses caused by a successful cyberattack.

 

azul claro más

Informes de nube y amenazas

El informe Netskope Cloud and Threat Report ofrece una visión única sobre la adopción de aplicaciones en la nube, los cambios en el panorama de las amenazas en la nube y los riesgos para los datos de la empresa.

Storm with lightning over the city at night

Acelere su estrategia de seguridad con el líder en SASE.