Trellix Advanced Research Center Details Latest Cyberthreats
“Threat actors continued to make headlines in Q3 2022 and at Trellix, we delivered a new, powerful resource to support the future of extended detection and response (XDR) and cybersecurity — the Trellix Advanced Research Center,” commented Vibin Shaju, VP EMEA Solutions Engineering at Trellix. “With this report, we continue to deliver much needed industry research and findings on a global scale and remain committed to helping organizations better understand, detect and respond to cyber threats.”
The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat (APT) actors. It examines malicious cyber activity including email-borne threats, the abuse of legitimate third-party security tools, and more. Key findings:
- Double the Ransomware Activity in Transportation & Shipping: The transportation and shipping sector saw increased detections linked to multiple threat actors in Q3. Globally, transportation was the second most active sector (31%) after telecom (47%). APT activity was also detected in transportation more than in any other sector.
- Highest Detections Seen in Germany: Germany not only generated the most threat detections related to APT actors in Q3 (29% of observed activity) but also had the most ransomware detections. Ransomware detections rose 32% in Germany in Q3 and accounted for 27% of global activity.
- Emerging Threat Actors Scaled: The China-linked threat actor Mustang Panda, which had not been featured in previous Trellix reports, had the most detected threat indicators in Q3, accounting for 12% of global activity. The next most active groups were Russia-linked APT29 and Pakistan-linked APT36.
- Shining a Light on Phobos: Phobos, a ransomware sold as a complete kit in the cybercriminal underground, has avoided mainstream attention and public reporting until now. It accounted for 10% of global detected activity.
- Malicious Use of Cobalt Strike: Trellix saw Cobalt Strike used in 33% of observed global ransomware activity and in 18% of APT detections in Q3. Cobalt Strike, a commercial adversary-emulation tool built so red teams can exercise defenses, is a favorite of attackers, who repurpose its post-exploitation capabilities for their own intrusions.
- LockBit Most Active Ransomware Family: LockBit continues to be the most detected ransomware globally, generating 22% of detections. At the end of Q3 its builder was leaked, and various groups are reportedly already using it to stand up their own RaaS operations.
- Old Vulnerabilities Continued to Prevail: Years-old vulnerabilities continue to be successful exploitation vectors. Trellix observed the Microsoft Equation Editor vulnerabilities CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802, all in the legacy EQNEDT32.EXE component, to be the most exploited among malicious emails received by customers during Q3.
- Email Security Trends: Financial Services was the sector most impacted by malicious emails in Q3 2022, followed by State and Local Government (13%), Manufacturing (12%), Federal Government (11%), and Services & Consulting (10%). URLs were the most common means of delivering malicious payloads.
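All three Equation Editor CVEs listed above are reached the same way: the lure makes Word load the legacy Equation Editor 3.0 COM server (EQNEDT32.EXE), usually through an embedded OLE object in an RTF or .doc attachment. That makes the presence of such an object a cheap triage signal for mail-gateway or sandbox pipelines. The scanner below is an added example written for this article, not Trellix code. The Equation Editor 3.0 CLSID ({0002CE02-0000-0000-C000-000000000046}) and the "Equation.3" / "Equation Native" / "Microsoft Equation 3.0" strings are the component's real identifiers; the sample documents are constructed and contain no exploit bytes.

```python
"""Flag RTF/OLE attachments that embed a Microsoft Equation Editor 3.0 object.

Added example for this article (not Trellix's code). Sample inputs are constructed.
"""
import re

# CLSID of the legacy Equation Editor 3.0 COM server (EQNEDT32.EXE), the component
# targeted by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802.
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
# The same GUID in the little-endian binary layout used inside OLE CompObj/ObjInfo streams.
EQNEDT_CLSID_LE = bytes.fromhex("02ce0200" "0000" "0000" "c000000000000046")

# Strings an embedded Equation object carries in RTF text or in the OLE payload.
TEXT_MARKERS = (b"Equation.3", b"Equation Native", b"Microsoft Equation 3.0")

_OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9.]+)")
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def _decode_objdata(blob: bytes) -> bytes:
    """Turn the hex text of an RTF \\objdata group into raw OLE bytes."""
    hexstr = re.sub(rb"\s+", b"", blob)
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]  # a dangling nibble should not abort the scan
    return bytes.fromhex(hexstr.decode("ascii"))


def find_equation_objects(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no Equation Editor object seen."""
    findings: list[str] = []

    # 1. RTF: the declared object class. Exploit kits often obfuscate or omit this
    #    control word, so it is a strong signal when present but not sufficient alone.
    for m in _OBJCLASS_RE.finditer(data):
        if m.group(1).lower().startswith(b"equation"):
            findings.append(f"RTF \\objclass {m.group(1).decode()}")

    # 2. RTF: decode every hex-encoded OLE payload so the binary checks below see
    #    the real object, where obfuscation is much harder.
    payloads = [_decode_objdata(m.group(1)) for m in _OBJDATA_RE.finditer(data)]

    # 3. Raw OLE (.doc) bytes and decoded payloads: binary CLSID or well-known
    #    stream/class names, in ASCII or UTF-16LE.
    blobs = [("document", data)] + [(f"objdata#{i}", p) for i, p in enumerate(payloads)]
    for label, blob in blobs:
        if EQNEDT_CLSID_LE in blob:
            findings.append(f"{label}: Equation Editor CLSID {EQNEDT_CLSID}")
        for marker in TEXT_MARKERS:
            if marker in blob or marker.decode().encode("utf-16-le") in blob:
                findings.append(f"{label}: marker {marker.decode()!r}")
    return findings


# Constructed sample: the shape of a CVE-2017-11882-style RTF lure. The OLE payload
# here is just the class name in hex, not an exploit.
MALICIOUS_RTF = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + b"Equation.3".hex().encode() + b"}}}"
)
# Constructed sample: a fragment of a binary .doc carrying the CLSID and a UTF-16 stream name.
OLE_FRAGMENT = b"\x00" * 4 + EQNEDT_CLSID_LE + "Equation Native".encode("utf-16-le")
# Constructed sample: a plain RTF with no embedded object.
BENIGN_RTF = b"{\\rtf1 Quarterly invoice attached.\\par}"

if __name__ == "__main__":
    for name, doc in (("malicious.rtf", MALICIOUS_RTF), ("fragment.doc", OLE_FRAGMENT), ("benign.rtf", BENIGN_RTF)):
        print(name, "->", find_equation_objects(doc) or "clean")
```

A hit means the document will ask Word to spawn EQNEDT32.EXE, which is reason enough to detonate it in a sandbox or hold it for review; it is not proof of exploitation, since legitimate old documents with equations trigger the same check. On the endpoint side, hosts that took the January 2018 Office security updates no longer have the Equation Editor component at all, so a process-creation alert on EQNEDT32.EXE spawned by WINWORD.EXE is the complementary detection for machines that were never patched.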
“So far in 2022, we have seen unremitting activity out of Russia and other state-sponsored groups,” said John Fokker, Head of Threat Intelligence, Trellix. “This activity is compounded by a rise in politically motivated hacktivism and sustained ransomware attacks on healthcare and education. The need for increased inspection of cyberthreat actors and their methods has never been greater.”