Trellix Advanced Research Center publishes first cyber threat report
Trellix, cyber security vendor and pioneer in XDR technologies, presents the Threat Report: November 2022 from its Advanced Research Center (ARC), the unit in which the company's cyber security and threat intelligence experts work and publish their analyses. The report covers cyber security trends observed in the third quarter of 2022.
Highest APT figures in Germany
In a country comparison, Germany not only recorded the most APT attacks in the third quarter (29 per cent of observed activity) but also the most ransomware cases. The latter increased by 32 per cent compared to the previous quarter and accounted for 27 per cent of global ransomware activity.
“Germany ranks 1st in the world in terms of criminal attacks in Q3 2022, which means that the results of the latest Trellix report could not be more frightening,” said Andreas Groß, Senior Manager Presales at Trellix. “German companies and organisations face enormous challenges in securing their critical infrastructures. To guarantee a comprehensive IT security strategy, cyber security must become one of the top agenda items for boards and executives now at the latest.”
The new Trellix report provides information on threats that can be traced back to ransomware and state-sponsored cyber attackers (APT actors). Other topics include email security threats and the misuse of third-party security tools.
The most important findings at a glance:
- Twice as many ransomware attacks on the logistics sector: transport and shipping companies were in the crosshairs of a whole armada of attackers in the third quarter. In the USA alone, ransomware activity against the sector rose by 100 per cent compared to the previous quarter. Worldwide, logistics ranked second among the most threatened industries, directly after telecommunications. At the same time, more APT attacks were detected in this sector than in any other industry.
- New threat actors: The most conspicuous actor in Q3 was Mustang Panda, a China-associated APT group that had not appeared in previous reports. The Russian group APT29 and the Pakistan-based APT36 were also very active.
- New ransomware trends: The Phobos ransomware, distributed on the darknet as a complete package, has so far managed to stay largely below the radar of the general public. Nevertheless, it accounted for 10 per cent of global ransomware activity; in the USA, Phobos was even the second most common ransomware family in the third quarter. Globally, LockBit remains in the lead with 22 per cent of all detections.
- Old vulnerabilities persist: Vulnerabilities that have been known for years continue to be popular entry points. For example, the Equation Editor vulnerabilities CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 in Microsoft Office were behind a veritable flood of malicious spam emails that reached users' inboxes during the reporting period.
- Abuse of Cobalt Strike: According to Trellix's observations, Cobalt Strike was involved in 33 per cent of global ransomware activity and 18 per cent of APT detections. Cobalt Strike is a legitimately sold adversary-emulation tool that security teams use to simulate attack scenarios and test their defences. At the same time, it is popular with cyber criminals, who abuse its functionality for their own purposes.
“From Russia, but also from other state actors, one wave of attacks after another has been coming since the beginning of the year,” explains John Fokker, Head of Threat Intelligence, Trellix. “These threats, along with the increasing number of politically motivated hacktivist actions and the ongoing ransomware attacks on healthcare and education, show that we need to target and analyse cyber criminals and their methods even more than before.”
The Threat Report: November 2022 uses proprietary data from the Trellix sensor network, analysis from the Trellix Advanced Research Center on ransomware and state actors, and open source information. Telemetry data is also used for threat detection. Threat detection is defined as the detection and reporting of a file, URL, IP address, suspicious email, network behaviour, or other indicator via the Trellix XDR platform.