Malicious actors push the limits of attack vectors
The war in Ukraine has seen the emergence of new forms of cyberattacks, and hacktivists became savvier and more emboldened to deface sites, leak information and execute DDoS attacks, according to Trellix.
“Q4 saw malicious actors push the limits of attack vectors,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “Grey zone conflict and hacktivism have both led to an increase in cyber as statecraft as well as a rise in activity on threat actor leak sites. As the economic climate changes, organizations need to make the most effective security out of scarce resources.”
The report includes evidence of malicious activity linked to ransomware and nation-state-backed APT actors, and examines threats to email, the malicious use of legitimate security tools, and more. Key findings include:
LockBit 3.0 most aggressive with ransom demands
While no longer the most active ransomware group according to Trellix telemetry – Cuba and Hive ransomware families generated more detections in Q4 – the LockBit cybercriminal organization’s leak site reported the most victims. This data makes LockBit the most aggressive in pressuring their victims to comply with ransom demands. These cybercriminals use a variety of techniques to execute their campaigns, including exploiting vulnerabilities found as far back as 2018.
Nation-state activity led by China
PT actors linked to China, including Mustang Panda and UNC4191, were the most active in the quarter, generating a combined 71% of detected nation-state-backed activity. Actors tied to North Korea, Russia, and Iran followed. The same four countries ranked the most active APT actors in public reports.
Critical infrastructure sectors most targeted by malicious activity
Sectors across critical infrastructure were most impacted by cyberthreats. Trellix observed 69% of detected malicious activity linked to nation-state backed APT actors targeting transportation and shipping, followed by energy, oil, and gas. According to Trellix telemetry, finance and healthcare were among the top sectors targeted by ransomware actors, and telecom, government, and finance among the top sectors targeted via malicious email.
Fake CEO emails led to business email compromise
Trellix determined 78% of business email compromise (BEC) involved fake CEO emails using common CEO phrases, resulting in a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing – or vishing – scheme. 82% were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns.