Trellix Report: Surge in CEO Phishing, infrastructure attacks, and MFA breaches

News Desk -


Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), today released The Threat Report: February 2023 from its Advanced Research Center, examining cybersecurity trends from the final quarter of 2022.

To produce report insights, Trellix combines telemetry obtained from its vast network of endpoint security installs and its entire XDR product range with information obtained from both open- and closed-source intelligence reports.

John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center said “Q4 saw malicious actors push the limits of attack vectors.”

Fokker said “Grey zone conflict and hacktivism have both led to an increase in cyber as statecraft as well as a rise in activity on threat actor leak sites. As the economic climate changes, organizations need to make the most effective security out of scarce resources.”

The report includes evidence of malicious activity linked to ransomware and nation-state-backed advanced persistent threat (APT) actors and examines threats to email, the malicious use of legitimate security tools, and more. Key findings include:

• Fake CEO Emails Led to Business Email Compromise: According to Trellix, business email compromise (BEC) rose 64% between Q3 and Q4 of 2022, and fake CEO emails using typical CEO expressions accounted for 78% of it. Voice-phishing (vishing) tactics were layered in, for example asking workers to confirm their direct phone numbers. Because 82% of these emails were sent from free email services, threat actors need no specialised infrastructure to carry out these operations.

• Critical Infrastructure Sectors Most Targeted: Sectors across critical infrastructure were the most affected by cyber threats. Trellix observed that 69% of detected malicious activity attributed to nation-state-backed APT actors targeted transportation and shipping, followed by energy, oil, and gas. According to Trellix telemetry, finance and healthcare were among the top sectors targeted by ransomware actors, and telecom, government, and finance were among the top sectors targeted via malicious email.

• Attacks on Cloud Infrastructure on the Rise: The largest number of threat detections is associated with AWS, which is likely due to its dominant position in the marketplace. With Multi-Factor Authentication (MFA) now enabled on the majority of enterprise accounts, attackers have turned their attention to the MFA platforms themselves, producing a significant increase in detections related to them. In 2022, Trellix observed attackers exploiting MFA fatigue (also called push bombing: repeatedly triggering authenticator push notifications until an overwhelmed employee approves one) to breach networks.

• LockBit 3.0 Most Aggressive with Ransom Demands: While no longer the most active ransomware family in Trellix telemetry – the Cuba and Hive ransomware families generated more detections in Q4 – the LockBit cybercriminal organization’s leak site listed the most victims, making LockBit the most aggressive in pressuring victims to pay. The group uses a variety of techniques in its campaigns, including exploiting vulnerabilities disclosed as far back as 2018.
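Two of the findings above, fake-CEO BEC sent from free webmail and MFA fatigue, can be turned into simple detections. The following is an added example written for this page, not code from Trellix or its report: it runs a display-name-impersonation check over constructed sample emails and a sliding-window push-bombing check over constructed MFA log lines. The log format, field names, the free-mail domain list, the "CEO expression" phrase list and the thresholds are all assumptions chosen for illustration.

```python
"""Added example (not Trellix's code): two detections for the Q4 findings,
run over constructed sample data.  Field names, the free-mail domain list,
the phrase list and the thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- 1. Fake-CEO BEC: executive display name + free webmail + CEO phrasing --
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
                     "aol.com", "protonmail.com"}
# Display name -> the executive's real address (assumed directory lookup).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# "Typical CEO expressions" seen in fake-CEO mail (assumed list).
CEO_PHRASES = re.compile(
    r"are you available|quick task|need this done|urgent|confidential|"
    r"direct (?:phone )?number|text me", re.I)

def parse_from(header):
    """Split 'Jane Doe <jane@gmail.com>' into (display name, address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()

def bec_reasons(msg):
    """Return the list of reasons one message looks like fake-CEO BEC."""
    display, addr = parse_from(msg["from"])
    reasons = []
    legit = EXECUTIVES.get(display.lower())
    if legit and addr != legit:
        reasons.append(f"display name impersonates executive; sender is {addr}")
        if addr.rpartition("@")[2] in FREE_MAIL_DOMAINS:
            reasons.append("sent from a free webmail domain")
    text = msg["subject"] + " " + msg["body"]
    hits = sorted({m.group(0).lower() for m in CEO_PHRASES.finditer(text)})
    if hits:
        reasons.append("CEO-style phrasing: " + ", ".join(hits))
    return reasons

def is_bec_suspect(msg):
    """Flag only when the name is impersonated AND at least one more signal."""
    reasons = bec_reasons(msg)
    return any(r.startswith("display name") for r in reasons) and len(reasons) >= 2

# ---- 2. MFA fatigue / push bombing ------------------------------------------
def parse_mfa_log(text):
    """Parse constructed lines like '2022-11-14T08:01:12Z alice push denied'."""
    events = []
    for line in text.strip().splitlines():
        ts, user, _, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "outcome": outcome})
    return events

def mfa_fatigue_alerts(events, window=timedelta(minutes=10),
                       max_prompts=5, denials_before_approve=2):
    """Per-user sliding window: too many prompts in the window, or an approval
    that follows repeated denials (the worn-down user finally tapping Approve)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for i, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:
                start += 1                       # drop events outside window
            recent = evs[start:i + 1]
            if len(recent) == max_prompts:       # fire once on crossing
                alerts.append((user, f"{max_prompts} MFA prompts within {window}"))
            if e["outcome"] == "approved":
                denials = sum(1 for r in recent[:-1] if r["outcome"] == "denied")
                if denials >= denials_before_approve:
                    alerts.append((user, f"approval after {denials} denials"))
    return alerts

# ---- Constructed sample data (not real telemetry) ----------------------------
MESSAGES = [
    {"from": "Jane Doe <jane.doe.ceo@gmail.com>", "subject": "Are you available?",
     "body": "I need a quick task done today. Send me your direct phone number "
             "so I can text you. Keep this confidential."},
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Q4 board deck",
     "body": "Attached is the draft deck for Thursday."},
    {"from": "Vendor Billing <billing@supplier.example>", "subject": "Invoice 4471",
     "body": "Please find the invoice for November."},
]
MFA_LOG = """
2022-11-14T07:30:00Z bob push approved
2022-11-14T08:01:12Z alice push denied
2022-11-14T08:01:40Z alice push denied
2022-11-14T08:02:05Z alice push denied
2022-11-14T08:02:33Z alice push denied
2022-11-14T08:03:10Z alice push timeout
2022-11-14T08:03:45Z alice push approved
2022-11-14T17:05:00Z bob push approved
"""

if __name__ == "__main__":
    for msg in MESSAGES:
        print(is_bec_suspect(msg), msg["from"], bec_reasons(msg))
    for alert in mfa_fatigue_alerts(parse_mfa_log(MFA_LOG)):
        print(alert)
```

Only the first message is flagged: the executive's name on a Gmail sender plus the "are you available / quick task / direct phone number / confidential" phrasing. The genuine executive mail from the directory address is not. In the MFA log, alice trips both rules (five prompts in under three minutes, then an approval after four denials) while bob's two approvals hours apart trip neither; the second rule is the one worth paging on, since it marks the moment the attacker likely got in.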

Vibin Shaju, VP Solutions Engineering, EMEA at Trellix said “As threat landscape complexity progresses, so will our research. Our mission will remain wholly focused on delivering actionable intelligence to our stakeholders to ensure they can protect what matters most.”

Shaju added “But organizations need to do their part too. To effectively defend against these evolving threats, regional enterprises need an adaptable and responsive defence strategy and strong cybersecurity governance that starts at the board of directors.”

Trellix’s Threat Report for February 2023 utilizes exclusive data gathered from the organization’s sensor network, research conducted by the Trellix Advanced Research Center on cybercriminal and nation-state operations, intelligence obtained from both public and private sources, as well as information obtained from threat actor leak sites. The report is generated based on the detection of potential security risks, such as suspicious emails, network activities, IP addresses, URLs, and other indicators that are identified and reported by the Trellix XDR platform.

