Trellix report reveals escalating cybersecurity threats in Q1 2023
The Trellix Advanced Research Center has released its highly anticipated report on cybersecurity threats in the first quarter of 2023, highlighting the alarming rise of offensive cyber capabilities employed by nation-states for espionage and disruption. The findings underscore the urgent need for public and private organizations to bolster their security measures to combat evolving threats in critical sectors such as telecommunications, energy, and manufacturing.
John Fokker, Head of Threat Intelligence at Trellix, emphasized the increasing utilization of offensive cyber capabilities by nation-states amidst the ongoing Russia-Ukraine conflict. “A year into the Russia-Ukraine conflict, offensive cyber capabilities are being leveraged strategically by nation-states for espionage and disruption,” Fokker stated. “Notable advanced persistent threat (APT) groups pose risks to critical infrastructures, urging organizations to deploy modern protections to stay ahead of rapidly evolving threats.”
The report sheds light on various key findings, including the prevalence of coordinated cyber espionage activities. APT groups associated with China, particularly Mustang Panda and UNC4191, emerged as the most active in targeting nation-states, accounting for 79 per cent of all detected activity. Trellix predicts that these APT groups will continue conducting cyber espionage and disruptive cyberattacks in conjunction with physical military operations.
Regarding ransomware attacks, the report reveals that financial motivations remain the driving force behind such incidents. The Insurance sector accounted for 20 per cent of potential attacks, followed by the Financial Services sector at 17 per cent. Most victims of ransomware leaks were mid-sized businesses based in the United States, with 51-200 employees and revenues ranging from US$10 million to US$50 million.
The report also highlights the persistent use of Cobalt Strike, a favoured tool among cybercriminals and ransomware actors. Despite efforts to make it more difficult for threat actors to abuse the tool, Cobalt Strike featured in 35 per cent of nation-state activity and 28 per cent of ransomware incidents, almost doubling its usage compared to the previous quarter.
Furthermore, the study unveils the continued exploitation of old vulnerabilities, including bypasses to outdated patches, supply chain bugs utilizing obsolete libraries, and long-patched vulnerabilities that were never adequately addressed. An Apple vulnerability disclosed in February 2023, for example, traced back to the FORCEDENTRY exploit revealed in 2021, underscoring the enduring risks associated with unresolved vulnerabilities.
Cloud infrastructure attacks on major providers like Amazon, Microsoft, and Google are also on the rise, with the report indicating a significant increase in incidents. While sophisticated attacks involving multifactor authentication, proxy penetration, and API execution are prevalent, the dominant attack technique is unauthorized access using valid accounts, which accounted for twice as many detections as any other vector. Unauthorized access to legitimate accounts remains a significant threat, particularly in remote-work environments.
Joseph “Yossi” Tal, Senior Vice President at Trellix Advanced Research Center, highlighted the challenges faced by security operations teams in the race to enhance defence capabilities against growing attack surfaces. Tal emphasized the immense workload faced by understaffed teams in processing vast amounts of data across complex networks. Trellix aims to fortify security postures by providing research-driven insights derived from its extensive reservoir of intelligence.
As organizations grapple with the escalating cyber threats outlined in the Trellix report, it is evident that proactive measures and robust security strategies are crucial to safeguarding critical infrastructure and maintaining a secure digital landscape in an increasingly interconnected world.