That was what one cybersecurity firm’s user base incident report data showed, among other findings on APT threats.

While 2021 ended on a dire note with the unveiling of the Log4j vulnerability, things happening in one cybersecurity solutions vendor’s user ecosystem in Q3 were already showing the emergence of new tools and tactics among ransomware groups and advanced global threat actors.

In a deep dive on these Q3 trends, the firm found that despite a community reckoning to ban ransomware activity from online forums, hacker groups were using alternate personas to continue to target the financial, utilities and retail sectors most often, accounting for nearly 60% of ransomware detections in its user base.

Other Q3 trends released in the report include:

  • The resurgence of the DarkSide ransomware group as BlackMatter, despite the group’s claim to have stopped operating. In using many of the same modus operandi that DarkSide used in the Colonial Pipeline attack, BlackMatter continued to leverage the double extortion approach.
  • The REvil/Sodinokibi family of ransomware continued to account for nearly half of the ransomware detections in the firm’s user base.
  • Security operations tools like Cobalt Strike were being abused by state-sponsored actors to gain access to over one-third of the APT campaigns tracked. Mimikatz was also detected in over a quarter of campaigns.
  • Threat activity believed to be from Russian and Chinese APT groups were responsible for 46% (combined) of all observed APT threat activity in the user base. This assessment was based on analysis of available technical indicators.
  • The financial sector was targeted in nearly 40% of observed APT activity, followed by utilities, retail and government. This sector led in publicly reported cyber incidents with a 21% increase in Q3 in terms of detected ransomware samples and APT group activity.
  • Bad actors used software already on a target system to carry out attacks (aka ‘living off the land’). This method is often used by state-sponsored actors and large criminal organizations to get around developing advanced tools internally. PowerShell was used in 42% and Windows Command Shell (CMD) in 40% of such attacks occurring in Q3. Other native operating tools commonly used included Rundll32, WMIC and Excel, along with administrative remote services tools like AnyDesk, ConnectWise Control, RDP and WinSCP.
  • Regional swings in attack incidence, with Russia experiencing a 79% decrease from Q2 while France saw an increase of 400%. North America recorded the most incidents among continents in the user base, but this was a 12% decrease from Q2.
  • Nearly half of detected attacks were APT MITRE ATT&CK techniques including spear phishing attachments, obfuscated files or information, and PowerShell, accounting for nearly half of detected incidents in the system.
  • Almost 80% of malware detections comprised Formbook, Remcos RAT and LokiBot malware, with Formbook found in over one-third. Reported malware incidents decreased 24% compared to Q2 2021.

According to Raj Samani, Chief Scientist & Fellow, Trellix, which produced the report: Q3 saw “the use and abuse of ransomware group personas; APT actors seeking to burrow deeper into finance and other critical industries; and new Living off the Land attacks exploiting native Microsoft system tools in new ways.”