Trellix released the June 2023 edition of The CyberThreat Report from the Trellix Advanced Research Center, which analyzes cybersecurity trends from the last quarter. Insights were gleaned from a global network of expert researchers who analyze over 30 million detections of malicious samples daily. Combined telemetry is collected from one billion sensors, together with data from open- and closed-source intelligence.
"A year into the Russia-Ukraine conflict, offensive cyber capabilities
are being leveraged strategically by nation-states for espionage and
disruption," said John Fokker, Head of Threat Intelligence, Trellix
Advanced Research Center. "For both leading and developing countries, we
see risks to critical infrastructures like telecommunications, energy,
and manufacturing by notable APT groups - a warning to public and
private organizations to deploy modern protections to stay ahead of
rapidly evolving threats."
The latest Trellix Advanced Research Center report covers the first quarter of 2023 and comprises evidence of activity linked to ransomware and nation-state-backed APT actors, threats to email, malicious use of legitimate security tools, and more. Key findings include:
- Coordinated Cyber Espionage. APT groups linked to China, including Mustang Panda and UNC4191, are the most active in targeting nation-states, generating 79% of all activity detected. Trellix predicts APT groups will continue cyber espionage and disruptive cyberattacks in tandem with physical military activity.
- In Ransomware, Cash is King. Motivations for ransomware are still financial, reflected in the Insurance (20%) and Financial Services (17%) sectors having the most detections of potential attacks. The most common leak site victims are US-based (48%) mid-sized businesses with 51-200 employees (32%) and $10-50M in revenue (38%).
- Cobalt Strike is a Favorite. Despite attempts in 2022 to make it harder for threat actors to abuse the tool, Cobalt Strike grows as a tool favored by cybercriminals and ransomware actors. Trellix detected Cobalt Strike in 35% of nation-state activity and 28% of ransomware incidents, almost double the figure from Q4 2022.
- Old Vulns, a Blast from the Past. Many critical vulnerabilities consist of bypasses to patches for older CVEs, supply chain bugs utilizing outdated libraries, or long-patched vulnerabilities that were never properly addressed. A disclosed Apple vulnerability in February 2023 had roots as far back as the FORCEDENTRY exploit disclosed in 2021.
- Rogue Access to the Cloud. Cloud infrastructure attacks on Amazon, Microsoft, and Google are rising. Though more sophisticated attacks involving multifactor authentication, proxy penetration, and API execution continue, the dominant attack technique uses valid accounts, at 2x more detections than any other vector. Rogue access to legitimate accounts in remote-work environments remains significant.
"Security Operations teams are in a race to enhance defense capabilities
to protect organizations from growing attack surfaces," said Joseph
"Yossi" Tal, SVP, Trellix Advanced Research Center. "Already
understaffed, teams are in a daily catch-up to process millions of data
points across complicated networks. Trellix's goal is to provide
research to strengthen security postures through insights gleaned from
our massive reservoir of intelligence."