2023: A Selection of Cybersecurity Threat Reports

Photo by Ales Nesetril on Unsplash

💡 DUE TO THE AMOUNT OF THREAT REPORTS COLLECTED IN THE FIRST SIX MONTHS OF 2023 THIS PROJECT HAS BEEN MOVED TO GITHUB FOR A MORE CLEAR AND SEARCHABLE OVERVIEW. THIS ARTICLE WILL NO LONGER BE UPDATED.

Trends: Every year there are shifts in the cyber threat landscape, changes in attack techniques, and the number of breaches. And each year vendors, security organisations, research institutes and government agencies publish relevant reports on the current cybersecurity threat landscape. As the number of various published reports can be daunting, I’ve tried (like in 2022) to create an overview of a selection of what has been published so far in 2023 — and, more importantly, where to get them. The selection is shown in alphabetical order based on the publishing organisation.

💡 This blog will be updated throughout the year with newly released reports and insights. Do you have any additions? Feel free to add them in the comments below!

💡 Also, for tips on how to read the reports more efficiently, click here (or scroll down to the end of the article).

2023 Threat reports

2023 Threat Report Compilation Monthly Status

Contents

Click on the name of the publisher to get immediately to the collected reports on this page, or feel free to scroll down.

• Adaptive Shield
• AIVD (Algemene Inlichtingen en Veiligheidsdienst, NL)
• amatas
• APPROACH
• Arctic Wolf Labs
• AT&T
• AttackIQ
• Bank of England
• Barracuda
• BlackBerry
• Checkmarx
• Check Point
• CISA (CyberSecurity & Infrastructure Security Agency, USA)
• Cofense
• CrowdStrike
• CSIT (Centre for Secure Information Technologies, Queen’s University Belfast, Northern Ireland)
• CSW (Cyber Security Works, together with Securin, Ivanti & Cyware)
• CTIVD (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten, NL)
• Cyber rescue Alliance
• Datadog
• DirectDefense
• Dragos
• Egress
• Embee Research
• ENISA
• ESET (/WeLiveSecurity)
• Estonian Foreign Intelligence Service
• EU CERT
• FBI (Federal Bureau of Investigation, USA)
• Fortinet
• Google
  - GCAT (Google Cybersecurity Actions Team)
  - GTAG (GoogleThreat Analysis Group)
• Group-IB
• HUMAN Security
• HYAS
• IBM
• Infoblox
• Intel471
• IronNet
• IRONSCALES
• jstnk9 (Jose Luis Sánchez Martínez)
• Kaspersky (SecureList)
• KPMG
• loginsoft
• Malwarebytes
• Mandiant
• Menlo Security
• Meta
• Microsoft
• MITRE Engenuity
• MIVD (Militaire Inlichtingen en Veiligheidsdienst, NL)
• Momentum
• National Security Archive (USA)
• NCC Group
• NCSC (National Cyber Security Centre, UK)
• Norma Cyber
• Office of the Director of National Intelligence (USA)
• Orca Security
• Palo Alto Unit 42
• Perception Point
• Picnic
• Picus Security
• Proofpoint
• PWC
• Qualys
• Recorded Future
• Red Alert (part of NSHC group)
• Red Canary
• Rezilion
• RiskLens
• SCPC (The State Cyber Protection Centre State Service of Special Communications and Information Protection of Ukraine)
• Security Intelligence
• SentinelLabs (SentinelOne)
• SonicWall
• Sophos
• SSS-CIP (The State Service of Special Communications and Information Protection of Ukraine)
• Synopsys
• Talos (Cisco)
• Team Cymru
• Technoir — Blog of Satharus (Ahmed Elmayyah)
• Tesseract Intelligence
• Thales
• The DFIR Report
• The Guardian
• Trellix
• Trend Micro
• VirusTotal
• VulnCheck
• Women in Cybersecurity (WiCyS)
• Z-CERT

Adaptive Shield

• 2023 SaaS-to-SaaS Access Report

To contents

AIVD (Algemene Inlichtingen en Veiligheidsdienst, the Netherlands)

• De Russische aanval op Oekraïne: een keerpunt in de geschiedenis (Dutch only, jointly published with the MIVD)
• AIVD-jaarverslag 2022 (Dutch only)

To contents

amatas

• Cyber Threat Report | January 2023
• Cyber Threat Report | February 2023
• Cyber Threat Report | March 2023
• Cyber Threat Report | April 2023

To contents

APPROACH

• Annual Pentest Report 2023

To contents

Arctic Wolf Labs

• Threat Report 2023

To contents

AT&T

• 2023 AT&T Cybersecurity Insights Report: Edge Ecosystem

To contents

AttackIQ

• Emulating Recent Malicious Activity from the Iranian Adversary OilRig

To contents

Bank of England

• Thematic findings from the 2022 cyber stress test

To contents

Barracuda

• Cybersecurity Threat Advisory: LastPass’ security incident update
• Cybersecurity Threat Advisory: NortonLifeLock compromised
• Cybersecurity Threat Advisory: Atlassian critical remote code execution vulnerability
• Cybersecurity Threat Advisory: OneNote malware delivery
• Cybersecurity Threat Advisory: Malicious packages found in Python Package Index (PyPI)
• Cybersecurity Threat Advisory: New phishing campaigns related to recent bank failures
• Cybersecurity Threat Advisory: Microsoft Outlook elevation of privilege vulnerability
• Cybersecurity Threat Advisory: 3CX supply chain attack updates
• Cybersecurity Threat Advisory: New QBot malware delivering campaigns discovered
• Cybersecurity Threat Advisory: EvilExtractor malware surge detected
• Threat Spotlight: Proportion of malicious HTML attachments doubles within a year

To contents

BlackBerry

• Global Threat Intelligence Report (January 2023)
• Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia’s Judiciary, Financial, Public, and Law Enforcement Entities
• From Google Ads Abuse to a Massive Spear-Phishing Campaign Impersonating Spain’s Tax Agency
• Global Threat Intelligence Report (April 2023)

To contents

CSIT (Centre for Secure Information Technologies)

• UK Cyber security sectoral analysis 2023
• Northern Ireland Cyber Security Snapshot

To contents

Checkmarx

• Software Supply Chain Security Threat Landscape — April 2023 Overview

To contents

Check Point

• Check Point Software’s 2023 Cyber Security Report
• Fake Websites Impersonating Association To ChatGPT Poses High Risk, Warns Check Point Research
• The Dragon Who Sold His Camaro: Analyzing Custom Router Implant

To contents

CTIVD (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten)

• Jaarverslag CTIVD 2022 (Dutch only)

To contents

CISA (CyberSecurity & Infrastructure Security Agency)

• #StopRansomware: Royal Ransomware
• #StopRansomware: BianLian Ransomware Group
• Advisory: APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers (joint report with the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI))
• Hunting Russian Intelligence “Snake” Malware (joint report with the Federal Bureau of Investigation (FBI, USA), National Security Agency (NSA, USA), Cyber National Mission Force (CNMF, USA), Canadian Centre for Cyber Security, Communications Security Establishment (CA), National Cyber Security Centre (NCSC, UK), Australian Cyber Security Centre, New Zealand National Cyber Security Centre

To contents

Cofense

• Summer-Time Scams: The Return of Vacation-Request Phishing Emails

To contents

CrowdStrike

• 2023 Global Threat Report

To contents

CSW (Cyber Security Works, together with Securin, Ivanti & Cyware)

• Ransomware Report 2023

To contents

Cyber Rescue Alliance

• Breaches Anticipated in 2023

To contents

Datadog

• State of Application Security
• The OverlayFS vulnerability CVE-2023–0386: Overview, detection, and remediation

To contents

The DFIR Report

• 2022 Year in Review
• Malicious ISO File Leads to Domain Wide Ransomware
• Collect, Exfiltrate, Sleep, Repeat
• ShareFinder: How Threat Actors Discover File Shares
• Unwrapping Ursnifs Gifts
• IcedID Macro Ends in Nokoyawa Ransomware

To contents

DirectDefense

• Security Operations Threat Report

To contents

Dragos

• 2022 ICS/OT Cybersecurity Year in Review
• Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure
• Deep Dive Into PIPEDREAM’s OPC UA Module, MOUSEHOLE

To contents

Egress

• Email Security Risk Report 2023

To contents

Embee Research

• AgentTesla — Full Loader Analysis — Resolving API Hashes Using Conditional Breakpoints

To contents

ENISA

• ENISA Threat Landscape: Transport Sector
• ENISA Foresight Cybersecurity Threats for 2030

To contents

ESET (/WeLiveSecurity)

• A year of wiper attacks in Ukraine
• ESET APT Activity Report T3 2022
• ESET Threat Report T3 2022
• How I (could’ve) stolen your corporate secrets for $100
• Evasive Panda APT group delivers malware via updates for popular Chinese software
• APT Activity Report: Q4 2022 — Q1 2023 | Lazarus Extends Targeting to All Major Desktop OSes

To contents

Estonian Foreign Intelligence Service

• International Security and Estonia 2023

To contents

EU CERT

• Threat Landscape Report 2023Q1

To contents

FBI (Federal Bureau of Investigation, USA)

• Internet Crime Report 2022

To contents

Fortinet

• Global Threat Landscape Report — A Semiannual Report by FortiGuard Labs (February Edition)
• 2023 Cloud Security Report

To contents

Google

GCAT (Google Cybersecurity Actions Team)

• Threat Horizons: April 2023 Threat Horizons Reports

GTAG (GoogleThreat Analysis Group)

• Ukraine remains Russia’s biggest cyber focus in 2023

To contents

Group-IB

• You’ve been kept in the dark (web): exposing Qilin’s RaaS program

To contents

The Guardian

• ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics

To contents

HUMAN Security

• 2023 Enterprise Bot Fraud Benchmark Report

To contents

HYAS

• Black Mamba: AI-Synthesized, Polymorphic Keylogger with On-The-Fly Program Modification

To contents

IBM

• X-Force Threat Intelligence Index 2023
• IBM X-Force Threat Activity Reports (account required)

To contents

Infoblox

• Q4 2022 Cyber Threat Intelligence Report
• Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic

To contents

IRONSCALES

• Defending the Enterprise: The Latest Trends and Tactics in BEC Attacks

To contents

Intel471

• Malvertising Surges to Distribute Malware
• A Ransomware Forecast for 2023
• Weekly Periscope Report

To contents

IronNet

• 2022 Annual Threat Report

To contents

jstnk9 (Jose Luis Sánchez Martínez)

• Dissecting GobRAT behaviors — Linux malware

To contents

Kaspersky (SecureList)

• APT trends report Q1 2023
• Tomiris called, they want their Turla malware back

To contents

KPMG

• Cybersecurity considerations 2023
• Cyber Incidents and Intelligence: 2022

To contents

loginsoft

• IcedID Malware: Traversing Through its Various Incarnations
• Taming the Storm: Understanding and Mitigating the Consequences of CVE-2023–27350

To contents

Malwarebytes

• Fake system update drops Aurora stealer via Invalid Printer loader

To contents

Mandiant

• Global Perspectives on Threat Intelligence Report
• Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices
• Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
• APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations
• M-Trends 2023: Cybersecurity Insights From the Frontlines

To contents

Menlo Security

• CyberEdge Group 2023 Cyberthreat Defense Report

To contents

Meta

• Quarterly Adversarial Threat Report (Q1 2023)
• 2023–05 malware iocs
• The malware threat landscape: NodeStealer, DuckTail, and more

To contents

Microsoft

• MERCURY and DEV-1084: Destructive attack on hybrid environment
• Iran turning to cyber-enabled influence operations for greater effect
• Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

To contents

MITRE Engenuity

• 2022 Impact Report

To contents

MIVD (Militaire Inlichtingen en Veiligheidsdienst, the Netherlands)

• De Russische aanval op Oekraïne: een keerpunt in de geschiedenis (Dutch only, jointly published with the AIVD)
• Openbaar Jaarverslag 2022 MIVD (Dutch only)

To contents

Momentum

• Cybersecurity Almanac 2023
• Cybersecurity Snapshot | January 2023
• Cybersecurity Snapshot | February 2023

To contents

National Security Archive (United States)

• APT Index

To contents

NCSC (National Cyber Security Centre, United Kingdom)

• Jaguar Tooth (joint report with the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI))

To contents

NCC Group

• Annual Threat Monitor Report 2022

To contents

Norma Cyber

• 2023 Annual Threat Assessment

To contents

Office of the Director of National Intelligence (USA)

• 2023 Annual Threat Assessment of the US Intelligence Community

To contents

Orca Security

• Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023–23383)

To contents

Palo Alto Unit 42

• 2023 Unit 42 Ransomware and Extortion Report
• Threat Brief: 3CXDesktopApp Supply Chain Attack
• Cloud Threat Report: Navigating the Expanding Attack Surface (volume 7)
• Chinese Alloy Taurus Updates PingPull Malware
• Threat Assessment: Royal Ransomware

To contents

Perception Point

• 2023 Annual Report:Cybersecurity Trends & Insights

To contents

Picnic

• Picnic Target Intelligence Report: Mailchimp
• Picnic Target Intelligence Report: Uber
• Kodi February 2023 Data Breach
• Activision Dec 2022 Social Engineering Attack and Data Breach

To contents

Picus Security

• The Red Report 2023
• CVE-2023–23397: Microsoft Office Outlook Privilege Escalation Vulnerability

To contents

Proofpoint

• TA444: The APT Startup Aimed at Acquisition (of Your Funds)
• OneNote Documents Increasingly Used to Deliver Malware
• TA569: SocGholish and Beyond
• ET SocGholish Rules Response Guidance
• Don’t Answer That! Russia-Aligned TA499 Beleaguers Targets with Video Call Requests
• Fork in the Ice: The New Era of IcedID
• 2023 State of the Phish

To contents

PWC

• PWC Cyber Threats 2022: A Year in Retrospect
• Global Crisis and Resilience Survey 2023

To contents

Qualys

• 2023 Qualys TRU Risk Research Report

To contents

Recorded Future

• Russia’s War Against Ukraine Disrupts the Cybercriminal Ecosystem
• 2022 Annual Report

To contents

Red Alert (part of NSHC group)

• Monthly Threat Actor Group Intelligence Report, November 2022
• Monthly Threat Actor Group Intelligence Report, December 2022
• Threat Actor Targeting Vulnerable Links In Cyber Security
• Monthly Threat Actor Group Intelligence Report, January 2023 (ENG)

To contents

Red Canary

• January’s digest: credential access, Google workspace, Microsoft Sentinel & more
• Intelligence Insight: Tax-themed phishing emails delivering GuLoader
• Intelligence Insights: February 2023
• 2023 Red Canary Threat Detection Report

To contents

Rezilion

• Do You Know KEV? You Should (Because Hackers Do)!

To contents

RiskLens

• 2023 Cybersecurity Risk Report

To contents

Security Intelligence

• X-Force Prevents Zero Day from Going Anywhere
• BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

To contents

SentinelLabs (SentinelOne)

• Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit

To contents

SonicWall

• 2023 SonicWall Cyber Threat Report

To contents

Sophos

• Tax firms targeted by precision malware attacks

To contents

SCPC (The State Cyber Protection Centre State Service of Special Communications and Information Protection of Ukraine)

• UAC-0114: Campaign, Targeting Ukranian and Polish Gov Entities

To contents

SSS-CIP (The State Service of Special Communications and Information Protection of Ukraine)

• Russia’s Cyber Tactics: Lessons Learned in 2022 — SSSCIP analytical report on the year of russia’s full-scale cyberwar against Ukraine

To contents

Synopsys

• Software Vulnerability Snapshot

To contents

Talos (Cisco)

• Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities
• State-sponsored campaigns target global network infrastructure
• New phishing-as-a-service tool “Greatness” already seen in the wild

To contents

Team Cymru

• Desde Chile con Malware (From Chile with Malware)

To contents

Technoir — Blog of Satharus (Ahmed Elmayyah)

• Utilising EDR Tests to Enhance Threat Detection

To contents

Tesseract Intelligence

• Interesting findings: 13–30 January 2023
• Interesting findings: 1–15 February 2023
• Interesting findings: 15–28 February 2023
• Interesting findings: 1–17 March 2023
• Interesting findings: 18 March — 4 April 2023
• Interesting findings: 5–19 April 2023

To contents

Thales

• 2022–2023 : A year of Cyber Conflict in Ukraine

To contents

Trellix

• Q4 2022 Threat Overview
• Qakbot Evolves to OneNote Malware Distribution
• A Royal Analysis of Royal Ransom
• Genesis Market No Longer Feeds The Evil Cookie Monster

To contents

Trend Micro

• Rethinking Tactics: Annual Cybersecurity Roundup 2022
• Rapture, a Ransomware Family With Similarities to Paradise
• Attack on Security Titans: Earth Longzhi Returns With New Tricks
• Update Now: PaperCut Vulnerability CVE-2023–27350 Under Active Exploitation
• Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know

To contents

VirusTotal

• Lessons learned from 2022

To contents

VulnCheck

• The VulnCheck 2022 Exploited Vulnerability Report — A Year Long Review of the CISA KEV Catalog

To contents

Women in Cybersecurity (WiCyS)

• The State of Inclusion of Women in Cybersecurity 2023

To contents

Z-CERT

• Cybersecurity Dreigingsbeeld Zorg 2022 (Dutch only)

To contents

Tips for reading the reports efficiently

First and foremost, remember that none of the reports should be seen as a single source of truth — as much as some publishers might want you to. In some cases, data might be complementary or contradictory, depending on the scope of the data collected (e.g. due to differences in client base, research participants, or the way technical data is collected). Because of this, always keep a critical mind while reading.

Secondly, be aware of the period over which the publishing organisation is reporting. E.g. a “2022” report could be released in 2023. If you intend to create a personal knowledgebase with reports or whitepapers from multiple years, this is an important distinction to keep in mind.

Thirdly, focus on the parts of the reports that are relevant to your (client) organisation. This could for example be parts that focus on

• your industry,
• geographical location, or
• cloud infrastructure that your (client) organisation leverages

And lastly, keep in mind why you’re reading the report — a SOC Analyst requires different information from a threat report to fulfil their job than their CISO, and will thus always look at the data with a different view.

💡 Opinions expressed in my blogs are solely my own and do not express the views or opinions of my employer or clients