Arctic Wolf has observed a significant increase in the number of malicious files delivered and opened via OneNote email attachments. Unlike malicious Word and Excel files, infected OneNote files do not require the security prompt asking the end-user to allow macros, thus increasing the chances of unknowingly running the malicious executable.

Vulnerabilities cause the majority of cybercrime. There are always new vulnerabilities appearing as software gets updated and as cyber criminals work behind the scenes to find new backdoors to organizations’ systems. In the first half of 2022 alone, 81% of incidents happened through an external exposure — either a known vulnerability or a remote desktop protocol. The sheer volume of vulnerabilities grew again in 2022, with over 25,000 recorded, and over 800 have been actively exploited.

On February 3, 2023, the developers of GoAnywhere MFT (Managed File Transfer) sent an advisory to their customers warning them of a zero-day remote code execution vulnerability being actively exploited in the wild. Exploitation of this vulnerability could allow sensitive data to be leaked and potentially used for extortion.

The new year is upon us, but from a cybersecurity perspective, things look much the same as they did last year. January brought fresh attacks on a pair of familiar targets, high-stakes escalations in the ransomware game, and questionable crisis management from a high-profile victim. In other words, business as usual for cybercriminals! Let’s look at a few noteworthy cybercrimes from January 2023.

Early Friday morning, February 3, 2023, Arctic Wolf Labs began monitoring a new ransomware campaign targeting public-facing ESXi servers. The campaign has grown exponentially over the weekend, with approximately 3,000 victims worldwide as of early-Monday morning. Based on reporting from OVH, the threat actors behind this campaign are likely leveraging a nearly two year old heap overflow vulnerability (CVE-2021-21974) in VMware ESXi’s OpenSLP service.

Say what you want about bots, but you have to admire their versatility. Bots do everything from rank Google results and serve up cat photos on your Facebook feed, to sway elections and defraud retailers. Basically, they’re quite flexible. These days, bad bots are big business, with cybercriminals around the world using them to fraudulently access accounts, attack networks, and steal data.

On January 30, 2023, QNAP Systems Inc. disclosed a new critical vulnerability that could allow remote attackers to inject malicious code on QNAP NAS devices that were exposed to the internet. QNAP has stated that the vulnerability is a SQL Injection flaw being tracked as CVE-2022-27596 and can be abused in low-complexity attacks by unauthenticated malicious remote threat actors without requiring user interaction.

Security teams need to continually bolster their cybersecurity controls and expertise to keep up with the evolving threat landscape. Successful readiness and response to a cybersecurity breach requires the right mix of people, processes and technology. Yet challenges with staffing, technical issues, and budget hamper threat detection and response for too many organizations, creating gaps that threat actors are eager to exploit.