In the first quarter of 2023, attacks on the financial, telecommunications and energy sectors increased. In the ransomware space, financial gain is still crucial for the APT groups.
"More than a year into the Ukraine war, cyberattacks have become a strategic weapon used by states to spy on adversaries and fuel societal divisions," said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. "Well-known APT groups are a real threat to critical infrastructure such as telecommunications, energy supply and manufacturing in both leading economies and emerging markets. It is therefore imperative for public and private actors to take appropriate defensive measures to protect themselves against the increasingly sophisticated attacks of state-sponsored cybercriminals."
The latest report from the Trellix Advanced Research Center covers the first quarter of 2023 and provides updates on security-related activities in the areas of ransomware, nation-state APT attacks, email threats, security tool abuse and more.
The most important results at a glance:
Coordinated espionage in cyber space
APT groups linked to China, such as Mustang Panda and UNC4191, were the most notable in the first quarter. These actors accounted for 79 percent of all identified attacks with a state background. It can be assumed that APT groups will continue to couple espionage and disruption in cyberspace with conventional military activities in the future.
When it comes to ransomware, money is all that counts
In the ransomware space, financial gain is still crucial. The insurance and financial sectors are correspondingly often targeted (20% and 17% respectively). The victims of leak sites are mostly US (48%) medium-sized companies with 51 to 200 employees (32%) and a turnover of 10 to 50 million USD (38%).
Cobalt Strike continues to be popular
Despite attempts made in 2022 to make Cobalt Strike less attractive for abusive use, it is gaining popularity among cybercriminals and ransomware actors. For example, Cobalt Strike was involved in 35 percent of nation-state activity and 28 percent of ransomware threats — nearly doubling from Q2022 XNUMX.
A greeting from the past
Many critical vulnerabilities arise from bypassing patches for legacy CVEs, from supply chain bugs that leverage obsolete libraries, or from security vulnerabilities that have not been consistently addressed. An example of this is the Apple problem uncovered in February 2023, which ultimately goes back to the FORCEDENTRY exploit from 2021.
Unauthorized access to the cloud
The infrastructure of Amazon, Microsoft and Google is increasingly becoming the focus of cyber criminals. Although more sophisticated attack strategies using multi-factor authentication, proxy server compromise, and API execution continue to play a role, most intruders enter systems using valid accounts. Specifically, this attack vector is used twice as often as other methods. Unauthorized access to legitimate user accounts, particularly in remote-work settings, is and remains a serious problem.
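Because a sign-in with a valid account produces no failed-authentication noise, defenders have to look at how the sign-in deviates from the account's own history. The following is an added example, not code from the Trellix report or its platform: it scans constructed cloud sign-in events (field names `user`, `ts`, `country`, `mfa`, `result` are assumptions modelled on typical cloud audit logs) and flags successful logins that lack MFA, come from a country never seen for that account, or follow another login from a different country within an implausibly short window.

```python
"""Added example: baseline-deviation checks for valid-account sign-ins.

Not part of the original article. The sample events and their field names
are constructed for illustration and do not come from any real log source.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in events (UTC, ISO 8601 timestamps).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2023-03-01T08:02:00", "country": "US", "mfa": True,  "result": "success"},
    {"user": "alice", "ts": "2023-03-01T17:40:00", "country": "US", "mfa": True,  "result": "success"},
    {"user": "alice", "ts": "2023-03-02T03:15:00", "country": "RU", "mfa": False, "result": "success"},
    {"user": "bob",   "ts": "2023-03-02T09:00:00", "country": "DE", "mfa": True,  "result": "success"},
    {"user": "bob",   "ts": "2023-03-02T09:20:00", "country": "BR", "mfa": True,  "result": "success"},
]


def analyze(events, travel_window=timedelta(hours=2)):
    """Return a list of (user, timestamp, country, reasons) for suspicious logins.

    Reasons emitted:
      no_mfa            - successful login without multi-factor authentication
      new_country       - country not in the account's previously observed set
      impossible_travel - previous successful login from a different country
                          within `travel_window`
    Only logins that were NOT flagged extend the per-user baseline, so a
    suspicious login cannot legitimise the next one from the same place.
    """
    findings = []
    baseline = {}      # user -> set of countries seen in clean successful logins
    last_success = {}  # user -> (datetime, country) of the previous success

    # Sorting by the ISO string gives chronological order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        user, country = ev["user"], ev["country"]
        ts = datetime.fromisoformat(ev["ts"])
        reasons = []

        if not ev["mfa"]:
            reasons.append("no_mfa")

        seen = baseline.setdefault(user, set())
        if seen and country not in seen:
            reasons.append("new_country")

        prev = last_success.get(user)
        if prev is not None and prev[1] != country and ts - prev[0] <= travel_window:
            reasons.append("impossible_travel")

        if reasons:
            findings.append((user, ev["ts"], country, reasons))
        else:
            seen.add(country)
        last_success[user] = (ts, country)

    return findings


if __name__ == "__main__":
    for user, ts, country, reasons in analyze(SAMPLE_EVENTS):
        print(f"{ts} {user:<6} {country}  {', '.join(reasons)}")
```

On the constructed input this flags alice's MFA-less login from a new country and bob's second login, which lands in a different country twenty minutes after the first. In practice the baseline would be built from a longer history than the events under review, and the country field would come from a GeoIP lookup of the source address rather than the log itself.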
Herculean task: protecting companies from attacks
"Security operations teams struggle every day to effectively protect their organizations' expanding attack surfaces," said Joseph "Yossi" Tal, SVP, Trellix Advanced Research Center. "Chronically understaffed departments must keep an eye on millions of data points in increasingly complex networks. Trellix supports them in this Herculean task by providing comprehensive insights and analysis that can be translated directly into greater security."
The CyberThreat Report leverages proprietary data from the Trellix sensor network, Trellix Advanced Research Center analysis of government-sponsored and criminal cyber activity, data from open and closed source sources, and threat actor leak sites. Threat evidence is the telemetry-based detection and reporting of a file, URL, IP address, suspicious email, network behavior, or other indicator through the Trellix XDR platform.
More at Trellix.com
About Trellix
Trellix is a global company redefining the future of cybersecurity. The company's open and native Extended Detection and Response (XDR) platform helps organizations facing today's most advanced threats gain confidence that their operations are protected and resilient. Trellix security experts, along with an extensive partner ecosystem, accelerate technology innovation through machine learning and automation to support over 40,000 business and government customers.