Trellix released the June 2023 edition of The CyberThreat Report, from the Trellix Advanced Research Center, which analyses cybersecurity trends from the last quarter. Its insights come from a global network of expert researchers who analyse over 30 million detections of malicious samples daily. The combined telemetry is collected from one billion sensors and supplemented by open- and closed-source intelligence.
“Security Operations teams are in a race to enhance defense capabilities to protect organisations from growing attack surfaces,” said Joseph “Yossi” Tal, SVP, Trellix Advanced Research Center. “Already understaffed, teams are in a daily catch-up to process millions of data points across complicated networks. Trellix’s goal is to provide research to strengthen security postures through insights gleaned from our massive reservoir of intelligence.”
The latest Trellix Advanced Research Center report covers the first quarter of 2023 and comprises evidence of activity linked to ransomware and nation-state-backed APT actors, threats to email, malicious use of legitimate security tools, and more. Key findings include:
- Rogue Access to the Cloud. Cloud infrastructure attacks on Amazon, Microsoft, and Google are rising. Although more sophisticated attacks involving multifactor authentication, proxy penetration, and API execution continue, the dominant attack technique uses valid accounts, with twice as many detections as any other vector. This emphasises that the risk of rogue access is real: cybercriminals obtain and sell legitimate account or website logins to infiltrate organisations and conduct attacks.
- Email Security. Phishing attacks that leverage legitimate brands to scam users and steal their credentials are on the rise. Although hundreds of brands were targeted, Microsoft products (38%) accounted for by far the largest share in Q1 2023. IPFS (41%), Google Translate (33%) and DWeb (16%) were the web hosting providers most heavily utilised in email attacks. Government (11%) was the sector most targeted by malicious email in Q1 2023, followed by financial services (8%). In terms of the specific malware used in these attacks, Formbook accounted for almost half (44%) of email malware in Q1, closely followed by Agent Tesla.
- Coordinated Cyber Espionage. APT groups linked to China, including Mustang Panda and UNC4191, are the most active in targeting nation-states, generating 79% of all activity detected, followed by actors tied to North Korea, Russia, and Iran. The Philippines (34%) led the countries with the most detections of nation-state activity in Q1 2023, followed by India, Myanmar, Cameroon and the United States. In terms of sectors, Energy/O&G, Outsourcing & Hosting, Wholesale, Financial and Education saw the most detections of nation-state activity. Trellix predicts that APT groups will continue cyber espionage and disruptive cyberattacks in tandem with physical military activity.
- In Ransomware, Cash is King. Motivations for ransomware are still financial – reflected in the Insurance (20%) and Financial Services (17%) sectors having the most detections of potential attacks. The United States (15%) continues to be the country most impacted by ransomware activity, closely followed by Turkey (14%) this quarter.
- Cobalt Strike is a Favorite. Despite attempts in 2022 to make the tool harder for threat actors to abuse, Cobalt Strike continues to grow as a tool favored by cybercriminals and ransomware actors. Trellix detected Cobalt Strike in 35% of nation-state activity and 28% of ransomware incidents – almost double the Q4 2022 figures.
- Old Vulns, a Blast from the Past. Many critical vulnerabilities consist of bypasses of patches for older CVEs, supply chain bugs stemming from outdated libraries, or long-patched vulnerabilities that were never properly addressed. An Apple vulnerability disclosed in February 2023 had roots as far back as the FORCEDENTRY exploit disclosed in 2021.
“A year into the Russia-Ukraine conflict, offensive cyber capabilities are being leveraged strategically by nation-states for espionage and disruption,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “For both leading and developing countries, we see risks to critical infrastructures like telecommunications, energy, and manufacturing by notable APT groups – a warning to public and private organisations to deploy modern protections to stay ahead of rapidly evolving threats.”
Fabien Rech, SVP and GM EMEA at Trellix, added, “It’s now crucial for businesses across all industries to bolster their defences if they are to successfully defend against sophisticated attacks. This sentiment is also validated by Trellix’s recent Mind of the CISO research, where 74% of CISOs across the UAE and KSA reported that not having the right technology is holding their organisations back from being cyber resilient. By implementing a security architecture that readily moulds and adapts to emerging threats, organisations can better mitigate against attacks and avoid disruption.”
The CyberThreat Report includes proprietary data from Trellix’s sensor network, investigations into nation-state and cybercriminal activity by the Trellix Advanced Research Center, open and closed-source intelligence, and threat actor leak sites. The report is based on threat-detection telemetry: each data point records a file, URL, IP address, suspicious email, network behavior, or other indicator that was detected and reported by the Trellix XDR platform.