Q2 Public Sector Quarterly Threat Landscape Scorecard

Key Findings Q2 Public Sector

• The threat to public sector organizations from ransomware and digital extortion (R&DE) likely remained broadly consistent in Q2 2023, bucking an upward trend seen in almost all other sectors. This is likely driven by Clop operatives’ statement that they would not extort government organizations as part of their successful exploitation of a zero-day vulnerability in MOVEit file transfer software. The threat of nefarious actors exploiting Common Vulnerabilities and Exposure (CVEs) remained high in Q2 2023, with threat actors continuing to target commonly-used software modules and products reportedly utilized by multiple federal, national, and central government entities.
• Search Engine Optimization (SEO) poisoning and leveraging of malicious Google adverts to disseminate malware continued on an upward trajectory.
• ZeroFox Intelligence assesses with low confidence that the threat to the public sector from malware deployment increased in Q2 2023, underpinned by indications of increased Advanced Persistent Threat (APT) activity targeting government entities globally.
• Illicit access to public sector organizations advertised in dark web forums reduced in Q2 2023, bucking an overall upward trend seen in most other sectors

Social Engineering

ZeroFox Intelligence identified no significant change in the threat to the public sector from social engineering in Q2 2023. The threat remained high to public sector employees, as well as members of the public via government entity impersonation. Threat actors leveraged topical lures–such as tax-return season–in spear- phishing, smishing, and telephone-oriented attacks. Threat actors impersonated government entities to steal credentials and sensitive information. Malicious apps continued to be used to disseminate malware, posing a high risk for government entities that permit employees to sync personal devices with corporate networks. SEO poisoning likely remained on an upward trajectory, as well as campaigns leveraging malicious Google ads that promote popular software to distribute malware. Threat actors continued to turn to less traditional file types in malicious emails, including OneNote, restricted permission messages (RPMSG), and Windows Script.

Forward Look:

SEO poisoning and the use of malicious Google ads are likely to continue on an upward trajectory.

Recommendations:

Leverage ZeroFox to conduct ongoing monitoring for impersonating domains and provide alerts and support for mitigation.

Vulnerability Exploitation

There was likely little change in threat from nefarious actors exploiting CVEs to target public sector entities in Q2 2023. The Cybersecurity and Infrastructure Security Agency’s (CISA) updates to its Known Exploited Vulnerabilities (KEV) catalog included critical exploits that almost certainly impacted public sector entities, including exploits impacting iOS systems, Google Chrome, and Barracuda Email Security products. Public sector entities were very likely impacted by critical vulnerabilities in VMware enabling remote code execution. Clop’s May 2023 exploitation of CVE-2023-34362, a zero-day exploit in MOVEit file transfer software, demonstrated the potential impact exploitation of these CVEs can have; while public sector entities were compromised in the attack, Clop operatives stated that they have no interest in extorting government organizations.

Forward Look:

• Vulnerabilities in commonly-used software, cloud, and network perimeter infrastructure will likely continue to dominate the exploit landscape.

Recommendations:

• Use the ZeroFox Platform’s Intelligence Search capability to investigate vulnerabilities and associated exploits.

Initial Access Brokers

ZeroFox Intelligence assesses with low confidence that the threat from nefarious actors advertising access into public sector organizations in deep and dark web forums reduced in Q2 2023. The number of posts fell in Q2 2023, bucking an overall upward trend seen in most other sectors. ZeroFox Intelligence notes the possibility that access to public sector organizations is either so valuable or likely to draw unwanted attention from authorities that IABs are disproportionately selling it in private channels directly to trusted buyers. Advertisement content across all sectors continued to typically focus on vulnerabilities in remote working infrastructure, including Virtual Private Networks and Remote Desktop Protocol.

Forward Look:

• IABs will continue to increasingly leverage private communication channels to give first refusal to established buyers.

Recommendations:

• Proactively monitor for IAB operators advertising access to organizations directly, as well as to partners and suppliers.
• Subscribe to the ZeroFox Advanced Web Search and Dark Ops Curated Intelligence for early warnings and indicators of threat actor chatter.

Botnets

Botnets continued to pose a high threat to public sector organizations in Q2 2023 via stealing credentials and remotely-controlling infected devices. ZeroFox Intelligence ingested over 150 million credentials harvested by infostealer families commonly deployed by botnets, of which Raccoon was most active. European and North American public sector entities continued to see a high threat of Distributed Denial of Service (DDoS) attacks, particularly from Russia-aligned groups. However, the impact of attacks remained limited, typically rendering websites unusable for a short period of time.

Forward Look: 

• The threat to public sector entities from compromised credentials is likely on an ongoing upward trajectory. 
• Russia-aligned threat actors’ DDoS attacks against public sector institutions will likely continue to have limited impact.

Recommendations: 

• Utilize the ZeroFox Platform’s Intelligence Search interface to investigate network and infrastructure Indicators of Compromise (IOCs) of interest, including C2 Domains and Compromised Account Credentials.

Malware

ZeroFox Intelligence assesses with low confidence that the threat to the public sector from malware deployment increased in Q2 2023, underpinned by indications of increased APT activity targeting government entities globally. This includes disclosures of campaigns by previously undocumented actors. Infostealers and trojans remained highly prevalent, facilitating cyber espionage and data breaches, with the public sector frequently impacted by data leaks of sensitive information. In Q2 2023, prolific threat actors updated well-established strains such as Qbot, and launched new strains, including threat actors with a history of targeting public sector entities. Dissemination of powerful loaders designed to facilitate the deployment of follow-on malicious payloads remained high.

Forward Look:

• Disclosures of a range of APTs targeting public sector entities will likely increase in coming quarters.
• Malware-as-a-service offerings will very likely sustain low barriers to entry for threat actors.

Recommendations:

• Utilize the ZeroFox Platform’s Intelligence Search interface to investigate IOCs and metadata related to malware.

Ransomware & Digital Extortion

The threat to public organizations from R&DE likely remained broadly consistent in Q2 2023, bucking an upward trend seen in almost all other sectors. Across the landscape, the number of R&DE incidents increased more than 50 percent, whereas attacks against the public sector fell slightly from Q1 2023. This discrepancy is very likely underpinned by Clop operatives’ statement that they would not extort government organizations as part of its successful exploitation of a zero-day vulnerability in MOVEit file transfer software. LockBit remained the primary digital extortion threat to the sector. However, both the total number and proportion of attacks that leveraged the strain fell. Instead, ZeroFox Intelligence identified increased prevalence of well-established strains, such as BlackByte, Play, and Royal, as well as emerging strains like Akira and Rhysida. Local government and third-party service providers remained most likely to be targeted. This likely reflects a continuation of threat actors’ perception that attacks against such targets will garner little blowback. Despite a fall in the proportion of attacks targeting the Asia-Pacific region, North America-based entities remained the most frequently targeted, with entities in Europe also seeing an elevated level of threat.

Forward Look: 

• The R&DE threat to the public sector is unlikely to change significantly in the short term. 
• With little blowback, threat actors will likely become increasingly emboldened in targeting public sector entities.

Recommendations: 

• Utilize the ZeroFox Platform’s Intelligence Search interface to investigate IOCs and metadata related to ransomware. 
• Should an organization be impacted by a ransomware event, engage ZeroFox Intelligence for support.

Outlook

ZeroFox Intelligence anticipates the R&DE threat to the public sector will likely remain broadly consistent in Q3 2023, with continued diversification in the strains used in attacks. 

Illicit access to public sector entities advertised in dark web forums will likely remain lower than other sectors, with threat actors leveraging private communication channels to give first refusal to established buyers. 

ZeroFox Intelligence anticipates little change to the social engineering threat to public sector organizations in Q3 2023. SEO poisoning and the leveraging of malicious Google advertisements to disseminate malware will likely continue on an upward trajectory. 

ZeroFox Intelligence anticipates disclosures of APTs and nation-state actors targeting public sector entities will likely increase in Q3 2023, with malicious modules enabling espionage, data exfiltration, and broader system corruption.

To learn more, be sure to check out the full report.