Around the world, 2022 was a year of instability and conflict which added to the daily challenges faced by cybersecurity professionals. But they weren’t the only ones feeling the strain. Bad actors were also forced to adapt, trying to maintain “business as usual” by exploring new infiltration methods and by targeting more lucrative victims.
Even if 2023 proves to be more predictable than last year, the cyber threat landscape is already undergoing big changes. To keep one step ahead of adversaries and the growing digital attack surface, cybersecurity professionals will need to prepare for three major shifts that are already underway.
Learn more: Rethinking Tactics – Annual Cybersecurity Roundup 2022
How are cyber threats changing?
Ransomware groups and other bad actors are changing their initial access vectors as the digital attack surface and vulnerabilities shift. They’re also taking advantage of commercial tools to disguise their breaches and deploying new ransomware schemes to suit the changing cyber threat landscape.
Last year, Microsoft drastically changed the cybersecurity landscape by blocking the most common initial access vector for cyber threats: macros. Documents with malicious macros embedded could be sent through an email and triggered by an unwary recipient. Blocking macros caused a dramatic decrease in the number of threat campaigns beginning with Microsoft Office documents, but other initial access vectors—such as container files, malware, HTML smuggling, and malvertising—are becoming more common in response.
The ongoing shift is clear to see when we compare the common vulnerabilities and exposures (CVEs) that saw the most use in 2021 and 2022. According to Trend Micro Research, the top three spots, once claimed by Microsoft Exchange vulnerabilities, now belong to a pair of Log4J vulnerabilities and a more obscure CVE for a content management service.
As adversaries adapt to the new threat landscape, their underground business models are shifting with them. The demand for access as a service (AaaS), where a broker trades entry to a targeted system for a fee, is growing. Defending critical data from insider threats—whether they’re malicious, careless, working in tandem with bad actors, or used like pawns—poses new challenges for cybersecurity leaders.
Learn more: Complete Guide to Protecting 7 Attack Vectors
Tools of the Trade
Another worrying development is how adversaries are embracing conventional and commercially available development tools to make cyber threats faster and harder to detect, a trend called “living off the land." Penetration testing tools or pentools (such as Cobalt Strike and Brute Ratel) are made for red teaming and adversarial attack simulations. They enable cybersecurity teams to take the measure of their network security with a suite of tools for cracking passwords, launching spear phishing attacks, remotely controlling and monitoring attacks with command and control (C2) framework, and producing reports to analyse the effectiveness of these simulated attacks.
In the wrong hands, these pentools enable attacks that are fast, effective, and all too real. Some are actually designed to avoid detection by antivirus solutions, or even by endpoint detection and response (EDR). In one case, QAKBOT malware deployed a pentool as a secondary payload to staggering effect. After one user clicked a URL and inadvertently downloaded a malicious file, it took just 43 minutes for lateral movement to begin within the infected system.
And pentools aren’t the only conventional tools being misused by bad actors. Exploits disguised by built-in tools and programmes for operating systems, like PowerShell and Net.exe, can also deceive threat detection and response systems. Cybersecurity leaders who overlook these deceptive tactics risk being blindsided by rapid and powerful cyber threats that could easily go unnoticed.
Adversaries study the changing threat landscape just as closely as cybersecurity leaders, and some of the most effective groups are changing how they do business to become more effective at targeting and infiltrating your networks. Take LockBit: the ransomware group has been rebranding and restructuring its affiliate organisation after years of bad press. They even introduced the first bug bounty programme offered by a ransomware group, with incentives of up to $1 million for vulnerabilities they can exploit.
Other groups, like BlackCat and Hive, are changing with the times by deploying ransomware in the cross-platform language Rust, which allows for customisation and targeting Linux systems. Programming languages like Rust and Go provide the benefits of code security and concurrent programming for adversaries, while broadening their range of available targets. This shift is already well underway—Trend Micro Research reports that last year Linux was second only to Windows in malware detections by OS.
Although awareness and government regulation of cryptocurrency are helping to curb payouts to ransomware groups (revenue from victim payouts decreased 38% from 2021 to 2022) it won’t be long before the ransomware groups adapt.
Ransomware business models are already evolving as new sanctions are introduced, through automation, professionalisation, and by finding new targets in both Linux and internet of things (IoT) endpoints. It won’t be long before a revolution brings more widespread changes to the threat landscape, whether that means replacing ransomware payloads with more lucrative business email compromise (BEC) attacks, or branching out to any number of related criminal activities—such as stock fraud, money laundering, and cryptocurrency theft.
Learn more: Ransomware Spotlight Series
Each shift to the way enterprises do business—from hybrid work to online operations and cloud migration—leads to new cyber threats, each one primed to take advantage of a new front in the growing digital attack surface. Facing these new challenges during an ongoing skills shortage requires a holistic security solution that can bolster your existing people, processes, and technology.
A cybersecurity platform that can both monitor and protect your various technologies and networks, such as Trend One, provides attack surface visibility that surpasses the piecemeal data from siloed sources.
Check out Trend Micro’s report – 3 Ways to Evolve Your Security Operations – for more information on how to defend against evolving cyber threats.