Four trends shaping the 2023 cyber threat landscape 


The commercialization of cybercrime drove an uptick in nearly all types of cyberattacks in 2022. The result? A booming malware economy where no organization is immune to cyberthreats.

The Sophos 2023 Threat Report details the current cyberthreat landscape, including which ransomware groups to watch for and the tools, tactics, and procedures (TTPs) used by today’s adversaries to execute attacks. 

Scott Barlow, Sophos Global Vice-President of Managed Service Providers (MSP) and Cloud Alliances, shares what to expect in the 2023 cyberthreat landscape: 

1. The commercialization of cybercrime isn’t slowing down.

Although ransomware-as-a-service (RaaS) isn’t a new phenomenon, the widespread adoption of the “as-a-service” model has made nearly every component of cybercrime available for purchase. Many bad actors specialize in one element of an attack (like initial ransomware infection or data extraction) and market and sell their tools and services on forums on the dark web.

Cybercriminals also use these forums to identify and recruit talent, growing their “organizations” and adding new capabilities. The proliferation of sub-cybercrime markets makes the most sophisticated tools and tactics available to every cybercriminal.

2. Demand skyrockets for infostealers and stolen credentials.

Infostealers and infostealing malware like keyloggers and remote access trojans (RATs) have always played a key role in the cyberthreat landscape. But the rise in demand for stolen credentials placed an even brighter spotlight on infostealing. Even though attackers historically relied on virtual private networks (VPNs) and remote desktop protocols (RDPs) to gain network access, stolen credentials provide more entry points and can be used to move laterally. For example, a bad actor can leverage stolen credentials to impersonate employees of an organization and bypass authentication measures.

The credential theft marketplace is also an effective way for attackers to get a foot in the door to the world of cybercrime — it’s a small investment without many obstacles standing in the way of gaining access. It’s a safe bet that demand will remain high for all types of stolen credentials in 2023, which means complete visibility across customers’ infrastructures is critical to defending against attacks.

3. Adversaries continue to leverage “living off the land binaries.”

In the past, threat actors used living-off-the-land binaries (LOLBins) to camouflage malicious activity post-exploitation. But more recently, fraudsters found new ways to leverage these binaries to help execute system commands, bypass preset security features, and move laterally across networks using native Windows components.

The most common LOLBin we saw in 2022 was the Windows command shell (cmd.exe) that most backdoors and shells use to launch malware. Attackers often used Windows scripting platforms like mshta.exe and wscipt.exe to download and execute malicious content, run Windows API calls, and collect data. Threat actors constantly find new ways to exploit LOLbins and evade security measures, so it’s essential to monitor this activity in 2023 and leverage machine learning (ML) solutions that reduce the complexity of the problem.

4. Attacks reach beyond Windows.

In the past, cyberattacks most often targeted Windows operating systems. But we’ve seen a growing number of attacks on Linux-based systems, macOS platforms, and even mobile applications. Financial fraud rings have unfolded alongside the rise in mobile attacks, some expanding globally. These organized crime campaigns involve specialized criminals like fake social profile builders and fraudulent web and application developers who execute social engineering tactics.

In these scenarios, fraudsters will develop fake social profiles to convince users to invest in illegitimate cryptocurrency and financial markets. And while malware attacks on Android aren’t a new trend, iOS users are now also susceptible to these attacks because fraudsters have learned how to bypass Apple’s security measures. Strong user authentication, phishing training, and regular penetration testing can help maintain mobile application security.

Cybercriminals are showing no signs of slowing down — just look at the 167% rise in data breaches from Q2 to Q3. In addition to encouraging good cybersecurity hygiene and deploying layered protection, it’s crucial to know when to outsource functions like threat detection and response.

To learn more, download the Sophos 2023 Threat Report for a closer look at the trends and events that continue to shape the cyberthreat landscape.