Trellix released The Threat Report: February 2023 from its Advanced Research Centre, examining cybersecurity trends from the final quarter of 2022. Trellix combines telemetry collected from its extensive network of endpoint protection installs and its complete XDR product line with data gathered from open and closed source intelligence reports to deliver report insights.
“Q4 saw malicious actors push the limits of attack vectors,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Centre. “Grey zone conflict and hacktivism have both led to an increase in cyber as statecraft as well as a rise in activity on threat actor leak sites. As the economic climate changes, organisations need to make the most effective security out of scarce resources.”
The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat (APT) actors, and examines threats to email, the malicious use of legitimate security tools, and more. Key findings include:
- Fake CEO Emails Led to Business Email Compromise: Trellix determined 78% of business email compromise (BEC) involved fake CEO emails using common CEO phrases, resulting in a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing – or vishing – scheme. 82% were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns.
- Critical Infrastructure Sectors Most Targeted: Sectors across critical infrastructure were most impacted by cyberthreats. Trellix observed 69% of detected malicious activity linked to nation-state backed APT actors targeting transportation and shipping, followed by energy, oil, and gas. According to Trellix telemetry, finance and healthcare were among the top sectors targeted by ransomware actors, and telecom, government, and finance among the top sectors targeted via malicious email.
- Attacks on Cloud Infrastructure on the Rise: AWS leads to the highest number of threat detections, likely due to the size in the marketplace. It’s also interesting to note that because majority of enterprise accounts use Multi Factor Authentications enabled, adversaries land on MFA platforms, resulting in a spike of MFA related detections. Trellix saw hackers take advantage of MFA fatigue in 2022, and successfully breach networks by exhausting employees with push notifications.
- LockBit 3.0 Most Aggressive with Ransom Demands: While no longer the most active ransomware group according to Trellix telemetry – Cuba and Hive ransomware families generated more detections in Q4 – the LockBit cybercriminal organisation’s leak site reported the most victims. This data makes LockBit the most aggressive in pressuring their victims to comply with ransom demands. These cybercriminals use a variety of techniques to execute their campaigns, including exploiting vulnerabilities found as far back as 2018.
“As threat landscape complexity progresses, so will our research. Our mission will remain wholly focused on delivering actionable intelligence to our stakeholders to ensure they can protect what matters most,” commented Vibin Shaju, VP Solutions Engineering, EMEA at Trellix. “But organisations need to do their part too. To effectively defend against these evolving threats, regional enterprises need an adaptable and responsive defense strategy and strong cybersecurity governance that starts at the board of directors.”
The Threat Report: February 2023 includes proprietary data from Trellix’s sensor network, investigations into nation-state and cybercriminal activity by the Trellix Advanced Research Centre, open and closed source intelligence, and threat actor leak sites. The report is based on telemetry related to detection of threats, when a file, URL, IP-address, suspicious email, network behavior or other indicator is detected and reported by the Trellix XDR platform.
Discussion about this post