Cyber risks. New threat report from Deep Instinct identifies gang changes, new tactics, and new victims during 2022
Cybersecurity specialist Deep Instinct has offered IT managers an insight into the top malware and ransomware trends and tactics in its 2022 bi-annual Cyber Threat Report.
The report confirmed that the cyber risks facing businesses during 2022 remain severe, with ransomware being the most serious threat to organisations.
Earlier this week for example the Australian Department of Defence confirmed that some personal details of Australian military personnel may have been stolen by hackers in a ransomware attack on a private contractor.
In its Cyber Threat Report, Deep Instinct examined the top malware and ransomware trends and tactics from the first half of 2022, and provided key takeaways and predictions for the ever-evolving cybersecurity threat landscape.
“2022 has been another record year for cyber criminals and ransomware gangs,” said Mark Vaitzman, Threat Lab Team Leader at Deep Instinct. “It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defenses.”
“The goal of this report is to outline the wide range of challenges that organisations and their security teams face daily,” said Vaitzman. “Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.”
The following are some of the key takeaways identified in the Deep Instinct report:
- Changes in threat actor structure: Some of the most prevalent activities observed include changes within the world of ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of Quantum, BlackBasta, and BlackByte. These three prominent former affiliate groups to the Conti operation emerged under their own operations following the decline of Conti.
- Malware campaigns in flux: The report highlights the reasons behind significant changes to Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.
- As Microsoft shuts down one avenue, bad actors open others: Deep Instinct’s researchers found that the use of Office documents, previously the number one vector for delivering malware, has decreased following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already been seen shifting gears and implementing other methods to deploy their malware, such as LNK, HTML, and archive email attachments.
- Major exploitable vulnerabilities: Vulnerabilities such as SpoolFool, Follina, and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security. Analysis of CISA’s published known exploited vulnerability catalogue suggests that the number of exploited in-the-wild vulnerabilities spikes every 3-4 months and we’re expecting the next spike as we get closer to the end of the year.
- Data exfiltration attacks are now extending to third parties: Threat actor groups are utilising data exfiltration within their attack flows in order to demand ransom for the leaked data. In the case of sensitive data exfiltration there are fewer remediation options, so many threat actors are going even further and demanding ransoms from third-party companies if the leaked data contains their sensitive information.
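The shift from macro-laden documents to LNK, HTML and archive attachments described above is something a mail gateway or SOC can check for directly. The following is an added example written for this article, not code from Deep Instinct or the report: it triages a constructed set of email attachments, flags the file types the report names, and unpacks zip archives (the only archive format handled here) to find a shortcut hidden inside, including the common double-extension trick and nested archives. The file names, the `SUSPECT_EXTENSIONS` table and the depth limit are assumptions made for the example.

```python
import io
import zipfile
from dataclasses import dataclass

# Attachment types named in the report as replacements for macro-enabled Office files.
# The mapping to a "kind" label is an assumption for this example.
SUSPECT_EXTENSIONS = {
    ".lnk": "shortcut",
    ".html": "html",
    ".htm": "html",
    ".zip": "archive",
    ".iso": "archive",
    ".rar": "archive",
    ".7z": "archive",
}
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to unpack oversized members (decompression-bomb guard)


@dataclass
class Finding:
    path: str   # "outer.zip!/inner/file" for members inside archives
    kind: str


def _ext(name: str) -> str:
    """Last extension, lower-cased, so 'Invoice.pdf.lnk' is treated as a .lnk file."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def triage_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return Findings for one attachment, recursing into zip archives up to max_depth."""
    findings = []
    ext = _ext(name)
    kind = SUSPECT_EXTENSIONS.get(ext)
    if kind:
        findings.append(Finding(name, kind))
    # Only zip is unpacked here; other archive formats are just flagged by extension.
    if ext == ".zip" and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner_name = f"{name}!/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(Finding(inner_name, "oversized-member"))
                        continue
                    findings.extend(
                        triage_attachment(inner_name, zf.read(info), depth + 1, max_depth)
                    )
        except zipfile.BadZipFile:
            findings.append(Finding(name, "malformed-archive"))
    return findings


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed sample: an archive carrying a double-extension shortcut and a nested zip."""
    inner = _zip_bytes({"setup.lnk": b"not a real shortcut, constructed sample"})
    return _zip_bytes({
        "Invoice.pdf.lnk": b"not a real shortcut, constructed sample",
        "readme.txt": b"benign text",
        "more.zip": inner,
    })


def triage_mailbox() -> dict:
    """Run the triage over a constructed set of attachments; returns {path: kind}."""
    attachments = {
        "report.docx": b"constructed, no macros inspected here",
        "quote.html": b"<html>constructed</html>",
        "invoice.zip": build_sample_zip(),
    }
    results = {}
    for att_name, payload in attachments.items():
        for f in triage_attachment(att_name, payload):
            results[f.path] = f.kind
    return results


if __name__ == "__main__":
    for path, kind in triage_mailbox().items():
        print(f"{kind:10s} {path}")
```

A plain `.docx` produces no finding on its own; the point of the example is that the archive and shortcut types the report calls out are surfaced even when nested, so they can be quarantined or routed to sandbox analysis rather than delivered.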
The Deep Instinct Cyber Threat Report also found that perhaps unsurprisingly, ransomware attacks remain a serious threat to organisations.
The report counts 17 leaked databases currently operated by threat actors, who are utilising the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.
The report also provides IT management with three specific predictions:
- Insiders and affiliate programs: Malicious threat actors look for the weakest link. With continued innovations in cybersecurity, some threat actors choose to locate either weak targets or simply pay an insider. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organisation.
- Protestware on the rise: There is an increase in the trending phenomenon of protestware, which can be defined as self-sabotaging one’s software and weaponising it with malware capabilities in an effort to harm all or some of its users. The war between Russia and Ukraine caused a surge in protestware, with the most notable example being the wiper added to node-ipc, a popular NPM package. It is not easy to spot such supply chain attacks, and they are usually detected only after affecting several victims.
- End-of-year attacks: While we have not yet heard of a major vulnerability in 2022 similar to the Log4J or the Exchange cases in 2021, there is an increase year-over-year in the number of publicly assigned CVEs for reported vulnerabilities. Threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of unpatched systems for 2021 CVEs.
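Two of the report's observations, the spike in in-the-wild exploitation every 3-4 months seen in CISA's known exploited vulnerability catalogue, and the continued exploitation of older CVEs, can both be checked against the catalogue's public JSON feed. The code below is an added example, not from Deep Instinct or the report: it parses a constructed sample in the shape of the KEV feed (the `cveID`, `dateAdded`, `vendorProject` and `product` fields are the catalogue's real field names; the CVE ids and dates here are placeholders), counts additions per month, flags months that exceed a multiple of the mean as spikes, and measures what share of entries added in a given year concern CVEs assigned in earlier years. The spike factor and the sample data are assumptions.

```python
import json
import re
from collections import Counter
from statistics import mean

# Constructed sample in the shape of the CISA KEV JSON feed. The CVE ids are
# placeholders for this example, not real vulnerabilities.
SAMPLE_KEV_JSON = """
{
  "title": "constructed sample, not the real catalogue",
  "catalogVersion": "0000.00.00",
  "count": 9,
  "vulnerabilities": [
    {"cveID": "CVE-2021-00001", "dateAdded": "2022-01-10", "vendorProject": "ExampleCo", "product": "Widget"},
    {"cveID": "CVE-2022-00002", "dateAdded": "2022-02-14", "vendorProject": "ExampleCo", "product": "Widget"},
    {"cveID": "CVE-2020-00003", "dateAdded": "2022-03-02", "vendorProject": "ExampleCo", "product": "Gadget"},
    {"cveID": "CVE-2021-00004", "dateAdded": "2022-03-08", "vendorProject": "ExampleCo", "product": "Gadget"},
    {"cveID": "CVE-2022-00005", "dateAdded": "2022-03-15", "vendorProject": "ExampleCo", "product": "Widget"},
    {"cveID": "CVE-2022-00006", "dateAdded": "2022-03-29", "vendorProject": "ExampleCo", "product": "Server"},
    {"cveID": "CVE-2021-00007", "dateAdded": "2022-04-20", "vendorProject": "ExampleCo", "product": "Server"},
    {"cveID": "CVE-2022-00008", "dateAdded": "2022-05-11", "vendorProject": "ExampleCo", "product": "Widget"},
    {"cveID": "CVE-2021-00009", "dateAdded": "2022-06-06", "vendorProject": "ExampleCo", "product": "Gadget"}
  ]
}
"""

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def load_kev(text: str) -> list:
    """Parse the feed and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def added_per_month(entries: list) -> dict:
    """Count entries by the YYYY-MM of their dateAdded, in chronological order."""
    counts = Counter(e["dateAdded"][:7] for e in entries)
    return dict(sorted(counts.items()))


def spike_months(counts: dict, factor: float = 2.0) -> list:
    """Months whose additions reach factor x the mean monthly count (factor is an assumption)."""
    if not counts:
        return []
    threshold = factor * mean(counts.values())
    return [month for month, c in counts.items() if c >= threshold]


def old_cve_share(entries: list, year: int) -> float:
    """Fraction of entries added in `year` whose CVE id was assigned in an earlier year."""
    added = [e for e in entries if e["dateAdded"].startswith(f"{year}-")]
    if not added:
        return 0.0
    old = 0
    for e in added:
        m = CVE_RE.match(e["cveID"])
        if m and int(m.group(1)) < year:
            old += 1
    return old / len(added)


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    monthly = added_per_month(kev)
    print("additions per month:", monthly)
    print("spike months:", spike_months(monthly))
    print("share of 2022 additions that are pre-2022 CVEs: %.0f%%" % (100 * old_cve_share(kev, 2022)))
```

Pointing `load_kev` at the real feed gives a patch team a simple signal: a spike month means a batch of newly exploited issues to prioritise, and a high pre-year share is a reminder that the backlog of unpatched older CVEs, not just the new ones, is what attackers are actually using.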