The Threat Report: February 2023, published by Trellix, the cybersecurity business offering the future of extended detection and response (XDR), examines cybersecurity trends from the last quarter of 2022. For the report's insights, Trellix combines telemetry from its large network of endpoint protection deployments and its full XDR product range with information from both open- and closed-source intelligence reports.
“Q4 saw malicious actors push the limits of attack vectors,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “Grey zone conflict and hacktivism have both led to an increase in cyber as statecraft as well as a rise in activity on threat actor leak sites. As the economic climate changes, organizations need to make the most effective security out of scarce resources.”
The research looks at risks to email, the malicious use of legitimate security tools, and other topics. It includes evidence of criminal activity connected to ransomware and to nation-state-backed advanced persistent threat (APT) actors. Major conclusions include:
- Most Extreme Ransom Demands in LockBit 3.0: Although the Cuba and Hive ransomware families generated more detections in Q4 according to Trellix telemetry, the LockBit cybercriminal organization's leak site recorded the most victims. On this basis, LockBit is the most active in pressuring its victims to pay the demanded ransom. These criminals employ a range of tactics to carry out their operations, including exploiting flaws discovered as recently as 2018.
- Nation-State Activity: China was the most active nation-state-backed actor during the quarter, producing a combined 71% of all identified nation-state-backed activity. China-linked APT actors included Mustang Panda and UNC4191. They were followed by actors with ties to Iran, Russia, and North Korea. In publicly available reports, the top four APT actors came from the same four nations.
- Critical Infrastructure Sectors Most Affected by Cyberthreats: Critical infrastructure sectors were the most frequently targeted. Transportation and shipping were the targets of the majority (69%) of detected malicious activity, followed by energy, oil, and gas. Healthcare and finance were two of the top industries targeted by ransomware perpetrators, and telecom, government, and finance were three of the top industries targeted by malicious email, according to Trellix telemetry.
- Business Email Compromise (BEC): Trellix found that 78% of BEC cases involved phony CEO emails using typical CEO phrasing, a 64% increase from Q3 to Q4 2022. Voice-phishing (vishing) tactics included asking employees to confirm their direct phone numbers. Because 82% of the emails were sent from free email providers, threat actors do not need specialized infrastructure to carry out these campaigns.
The Threat Report: February 2023 draws on the Trellix Advanced Research Center's investigations into nation-state and cybercriminal activity, open- and closed-source intelligence, threat actor leak sites, and proprietary data from the Trellix sensor network. The report is based on telemetry linked to threat detection, which occurs when the Trellix XDR platform detects and reports a file, URL, IP address, suspicious email, network behavior, or another indicator.