
Secureworks® Counter Threat Unit™ Cyber Threat Landscape Analysis Highlights Key Changes in Adversary Tools and Behaviors Around the World

ATLANTA, October 4, 2022 /PRNewswire/ — Secureworks® (NASDAQ:SCWX) today released its annual State of the Threat Report, revealing that exploitation of remote services has become the primary initial access vector (IAV) in ransomware attacks over the past year, accounting for 52% of the ransomware incidents analyzed by Secureworks during the period and overtaking credential-based attacks, the leading vector in 2021. Alongside this, there has been a 150% increase in the use of infostealers, making them a key precursor to ransomware. These two factors make ransomware the main threat to organizations, which must struggle to keep up with the demands of prioritizing and patching new vulnerabilities.

The Secureworks 2022 State of the Threat Report provides an overview of how the global cybersecurity threat landscape has evolved over the past 12 months, with a focus on the Secureworks Counter Threat Unit™ (CTU) first-hand observations of threat actor tools and behaviors.

“We conduct thousands of incident response engagements each year. While ransomware remains the most significant threat to businesses, we track notable changes in threat actor behaviors and their approach to campaigns. It is too simple to say that ransomware as a service is slowing down. Our research clearly shows an increase in the use of infostealers and an evolution in tools and adversaries. The threat is changing, but it’s not going away,” says Barry Hensley, Head of Threat Intelligence, Secureworks. “It’s critical for organizations to stay ahead of the adversary with solutions that effectively prioritize risk, based on the most up-to-date information. When companies understand the nature of the threat, they can better focus their resources and act quickly to optimize the response.”

Highlights of the report include:

  • Move to exploiting vulnerabilities as the primary initial access vector (IAV) over credential-based attacks
  • Accelerated use of infostealers as a means to enable ransomware operations
  • Overview of evolving groups and threats associated with the continued dominance of ransomware
  • Changes and novelties in the loader landscape
  • Tools and tactics of hostile government-sponsored groups around the world

The advance of ransomware

Ransomware remains the top threat facing organizations, accounting for more than a quarter of all attacks. Despite a series of high-profile law enforcement interventions and public leaks, and a slight slowdown over the summer months, ransomware operators have maintained high levels of activity.

The median detection window in 2022 is four and a half days, compared to five days in 2021. The average dwell time in 2021 was 22 days, but so far in 2022 it is down to 11 days. That leaves companies roughly one working week to react and limit the damage.

The number of victims listed on public “name and shame” leak sites remains high, with no year-over-year reduction. Despite some monthly fluctuations, the number of victims named in the first six months of 2022 is slightly higher, at 1,307, compared to the 1,170 named in the first six months of 2021.

This year’s biggest offenders, according to Secureworks incident response engagements, are GOLD MYSTIC, GOLD BLAZER, GOLD MATADOR and GOLD HAWTHORNE. Notably, all of these groups are linked to Russia.

In some cases, adversaries use the fear surrounding ransomware to commit lower-tech crimes. Hack-and-leak operations, in which data is stolen and a ransom is demanded but no ransomware is deployed, continued in 2022, with GOLD TOMAHAWK and GOLD RAINFOREST among the main culprits.

Vulnerabilities in remote services become the biggest problem

The Secureworks 2022 State of Threat Report also highlights that exploiting vulnerabilities in internet-connected systems has become the most commonly observed initial access vector (IAV). This is a change from 2021, when the dominant IAV was the use of stolen or guessed credentials.

As new vulnerabilities are discovered, the developers of widely available offensive security tools used by threat actors quickly incorporate them into their tooling, which often means that even less sophisticated threat actors are able to exploit new vulnerabilities before security teams can patch.

The rise of infostealers

CTU researchers have observed an increase in the sale of network access based on credentials harvested by infostealers. On a single day in June 2022, CTU researchers observed over 2.2 million infostealer-obtained credentials available for sale on a single underground market; a year earlier, the corresponding figure for the same market was 878,429. That is a year-over-year increase of more than 150%.

The three main infostealer markets are Genesis Market, Russian Market and 2easy. A plethora of infostealers are for sale on underground forums, but some of the major ones include Redline, Vidar, Raccoon, Taurus, and AZORult.

Infostealers provide a quick and easy way to obtain credentials that can be used for initial access, making them a major enabler of ransomware operations. Novel distribution methods for infostealers include cloned websites and trojanized installers for messaging apps such as Signal.

A change in the loader landscape

Between July 2021 and June 2022, two big names in the loader landscape disappeared (Trickbot and IcedID) and two returned (Emotet and Qakbot). This indicates that groups are moving away from the complex, full-featured botnets that evolved from early banking trojans toward lighter loaders that are easier to develop and maintain – a trend that has only grown with the use of post-exploitation tools such as Cobalt Strike.

Understanding the Nation-State Threat

Secureworks CTU has tracked several significant activities attributable to nation-state-sponsored threat groups, including their motivations, behaviors and tactics.

  • China: Chinese government-sponsored groups are among the most prolific and well-resourced cybersecurity threats. Over the course of the Russia/Ukraine conflict, threat activity observed from Chinese government-sponsored groups has targeted both Russia and Ukraine. A notable behavior of these adversaries is the use of ransomware as a smokescreen for intellectual property theft and cyber espionage rather than for financial gain.
  • Russia: The war against Ukraine has been revealing about Russia’s cyber capabilities. At the start of the conflict there were great fears of destructive attacks with large-scale repercussions, as seen with NotPetya in 2017. However, despite a steady cadence of cyber activity directed against Ukrainian targets, including some attributable to identified Russian government-sponsored threat actors, no broadly disruptive attack has succeeded. The most visible Russian threat group tracked by CTU over the past year has been IRON TILDEN. This group is distinguished by its spearphishing attacks, carried out mainly against Ukraine but also against the Latvian Parliament in April.
  • Iran: The links between Iranian threat groups and the government have become clearer over the past year. Ransomware continues to grow as a theme in the activity of Iranian threat groups, although it often appears for the purpose of disruption rather than financial gain. Over the past year, Secureworks incident responders have investigated COBALT MIRAGE ransomware attacks against organizations in Israel, the United States, Europe and Australia, and the team was able to identify individuals behind the group.
  • North Korea: Several ransomware families have been linked to North Korea in the last 12 months, including TFlower, Maui, VHD Locker, PXJ, BEAF, ZZZZ and ChiChi. The continued emergence and evolution of these ransomware families strongly suggests that this is a revenue stream that operators in the region will continue to pursue. Cryptocurrency and decentralized finance organizations have been at the center of their activities, and North Korean threat groups have allegedly stolen more than US$200 million from cryptocurrency exchanges since 2018.

State of the Threat 2022

The Secureworks CTU 2022 State of the Threat Report can be read in full here:

About Secureworks

Secureworks (NASDAQ:SCWX) is a global cybersecurity leader that protects customer progress with Secureworks® Taegis™, a cloud-native security analytics platform built on more than 20 years of real-world threat intelligence and research, improving customers’ ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.

Connect with Secureworks via Twitter, LinkedIn and Facebook, and read the Secureworks Blog.

SOURCE Secureworks, Inc.