Trellix, a cybersecurity company that is delivering the future of extended detection and response (XDR), has released The Threat Report: November 2022 from its Advanced Research Center, which is home to the world’s most elite security researchers and intelligence experts. The most recent report examines cybersecurity trends in the third quarter of 2022.
“Threat actors continued to make headlines in Q3 2022 and at Trellix, we delivered a new, powerful resource to support the future of extended detection and response (XDR) and cybersecurity — the Trellix Advanced Research Center,” commented Vibin Shaju, VP EMEA Solutions Engineering at Trellix.
“With this report, we continue to deliver much needed industry research and findings on a global scale and remain committed to helping organizations better understand, detect and respond to cyber threats.”
The report contains evidence of malicious activity linked to ransomware and nation-state-backed advanced persistent threat (APT) actors. It investigates malicious cyberactivity such as email threats and the malicious use of legitimate third-party security tools, among other things. Key findings:
Double the Ransomware Activity in Transportation & Shipping: The transportation and shipping sector saw increased detections linked to multiple threat actors in Q3. Globally, transportation was the second most active sector (31%) following telecom (47%). APTs were also detected in transportation more than any other sector.
Highest Detections Seen in Germany: Not only did Germany generate the most threat detections related to APT actors in Q3 (29% of observed activity), but they also had the most ransomware detections. Ransomware detections rose 32% in Germany in Q3 and generated 27% of global activity.
Emerging Threat Actors Scaled: The China-linked threat actor Mustang Panda — who hasn’t been featured in previous reports from Trellix — had the most detected threat indicators in Q3, accounting for 12% of global activity. The next most active groups were Russian-linked APT29 and Pakistan-linked APT36.
Shining a Light on Phobos: Phobos, a ransomware sold as a complete kit in the cybercriminal underground, has avoided mainstream attention and public reports until now. It accounted for 10% of global detected activity.
Malicious Use of Cobalt Strike: Trellix saw Cobalt Strike used in 33% of observed global ransomware activity and in 18% of APT detections in Q3. Cobalt Strike, a legitimate third-party tool created to emulate attack scenarios to improve security operations, is a favorite tool of attackers who repurpose its capabilities for malicious intent.
LockBit most active ransomware family: LockBit continues to be the most detected ransomware globally, generating 22% of detections. At the end of Q3 their “builder” was released, and allegedly various groups are already establishing their own RaaS with it.
Old Vulnerabilities Continued to Prevail: Years-old vulnerabilities continue to be successful exploitation vectors. Trellix observed Microsoft Equation Editor vulnerabilities comprised by CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 to be the most exploited among malicious emails received by customers during Q3.
Email Security Trends: Financial Services was the sector most impacted by malicious emails in Q3 2022, followed by State and Local Government (13%), Manufacturing (12%), Federal Government (11%), and Services & Consulting (10%). URL was the most utilized means of packing malicious payloads.
“So far in 2022, we have seen unremitting activity out of Russia and other state-sponsored groups,” said John Fokker, Head of Threat Intelligence, Trellix. “This activity is compounded by a rise in politically motivated hacktivism and sustained ransomware attacks on healthcare and education. The need for increased inspection of cyberthreat actors and their methods has never been greater.”
The Threat Report: November 2022 is based on proprietary data from Trellix’s sensor network, Trellix Advanced Research Center investigations into nation-state and ransomware activity, and open-source intelligence. This report makes use of telemetry related to threat detection. When a file, URL, IP-address, suspicious email, network behavior, or other indicator is detected and reported via the Trellix XDR platform, this is referred to as a detection.
