While the use of stolen credentials was the previous dominant Initial Access Vector, one firm has observed a new trend …

In an overview of how the global cybersecurity threat landscape has evolved over the last 12 months in terms of a cybersecurity firm’s user base, some major new trends were observed.

Ransomware remained the primary threat facing organizations, accounting for more than a quarter of all attacks. Despite a series of high-profile law enforcement interventions and public leaks, and a small slowdown over the summer months, ransomware operators maintained high levels of activity.

The median detection window in the Secureworks user base was four-and-a-half days in 2021 compared to five days in 2021. The mean dwell time in 2021 was 22 days, but so far in 2022 it was down to 11 days. Users in the firm’s study population effectively had one working week to respond to and mitigate damage.

Key findings

In the study period, the biggest offenders, based on the firm’s incident response engagements, were tied to Russia: Gold Mystic, Gold Blazer, Gold Matador and Gold Hawthorne.

In some instances, adversaries are exploiting the fear surrounding ransomware to carry out lower-tech crimes. Hack-and-leak operations, in which data is stolen and a ransom is demanded but no ransomware is deployed, continued into 2022, with Gold Tomahawk and Gold Rainforest among the top culprits. Also:

  • Vulnerabilities in remote services were the biggest issue in the user base. This is a change from 2021, when the dominant initial access vector (IAV) was the use of stolen or guessed credentials.
  • There was a 150% increase in the sale of network access sourced from credentials acquired by information stealers. On a single day in June 2022, researchers observed over 2.2m credentials obtained by info stealers offered for sale on just one underground marketplace. The main info stealers include: Genesis Market, Russian Market, 2easy, Redline, Vidar, Raccoon, Taurus and AZORult. Innovative distribution methods for info stealers have included cloned websites and trojanized installers for messaging apps such as Signal.
  • Between July 2021 and June 2022, two big names in the loader landscape disappeared (Trickbot and IcedID) and two returned (Emotet and Quakbot). This indicates that groups are moving away from the complex, fully featured botnets that evolved from the early banking trojans toward more lightweight loaders that are easier to develop and maintain, a trend that has only accelerated with the use of post-exploitation tools such as Cobalt Strike.
  • Several significant activities could be attributed to state-sponsored threat groups:
    • China: Running some of the most prolific and well-resourced threats in cybersecurity, the country has targeted both Russia and Ukraine. A notable behavior from these adversaries is the use of ransomware as a smokescreen for intellectual property theft and cyber espionage, rather than financial gain.
    • Russia: The war against Ukraine has been revealing for Russia’s cyber threat capabilities. At the outset of the conflict there were widespread fears of destructive attacks with wide-scale repercussions, as was seen with NotPetya in 2017. However, no widely disruptive attacks have been observed to be successful so far. The most visible Russian threat group in the firm’s user base over the past year was Iron Tilden. This group is notable for spear-phishing attacks conducted primarily against Ukraine, but also against Latvia’s parliament in April.
    • Iran: Links of Iranian threat groups to government have become clearer over the past year. Ransomware continues to develop as a theme across Iranian threat group activity although often it appears with the purpose of disruption rather than financial gain.
    • North Korea: Multiple ransomware families have been linked to North Korea over the past 12 months, including TFlower, Maui, VHD Locker, PXJ, BEAF, ZZZZ and ChiChi. This is likely a revenue stream that North Korean operators in the region will continue to pursue. Cryptocurrency and decentralized finance organizations have been a major focus of activity, and North Korean threat groups have reportedly stolen over US$200m from crypto exchanges since 2018.

According to the firm’s chief threat intelligence officer, Barry Hensley: “While ransomware remains the most prominent threat to businesses, we are tracking notable behavioral shifts in threat actors and their approach to campaigns. It’s too simple to claim that Ransomware-as-a-Service is slowing. Our (data) shows a rise in info-stealer use and an evolution of tools and adversaries. The threat is changing, but it is not going away.”