Expanding Attack Blueprints: 2022 Annual Cybersecurity Report
In this blog entry, we shine a spotlight on some of the most critical cybersecurity concerns of 2022, which we discuss in full in our annual cybersecurity report, “Rethinking Tactics: 2022 Annual Security Report.”
The year 2022 — which was beset with economic turmoil, supply chain problems, and even a war — proved to be an arduous year for organizations not just offline, but online, too. While businesses worked overtime to keep their organizations protected against threats amid challenges and shortages, malicious actors also toiled around the clock to keep their criminal operations running. This is evidenced by the 146.4 billion threats we detected and blocked in 2022, a staggering 55.3% increase from the previous year’s numbers.
This blog entry discusses some of the most critical cybersecurity concerns that happened in 2022. The full report, which includes a more detailed view of last year’s cybersecurity threat landscape, is in our annual roundup, “Rethinking Tactics: 2022 Annual Security Report.”
Cybercriminals use old and new infiltration strategies
Top three ATT&CK techniques in 2022
Based on our observation of the top MITRE ATT&CK frameworks used in last year’s attacks, most malicious actors used similar methods in the initial phases. Upon closer investigation of the top three ATT&CK methods for 2022, we observed that cybercriminals are gaining access via remote services and proceed to abuse valid accounts through credential dumping.
- Remote Services, Technique T1021 – Enterprise | MITRE ATT&CK® (lateral movement)
o Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
- Valid Accounts, Technique T1078 – Enterprise | MITRE ATT&CK® (initial access)
o Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services.
- OS Credential Dumping, Technique T1003 – Enterprise | MITRE ATT&CK® (credential access)
o Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Countering Microsoft’s move with malicious alternatives
Malicious actors have been known to abuse Microsoft Office documents by embedding malicious macros in their attacks. Typically, these malicious payloads are attached to socially engineered emails that attempt to lure victims into inadvertently downloading and executing malware.
In 2022, Microsoft blocked the execution of macro programs in Office documents to deter cybercriminals from abusing them as initial access vectors. This move caused a significant decline in the use of Office macros in attacks and prompted cybercriminals to find alternatives, such as HTML smuggling, malvertising, and living off the land tactics.
Malicious actors take aim at the cloud’s weak spots
Supply-chain attack on serverless platforms
As more organizations started shifting to serverless platforms to help them focus on creating better code and not on managing and securing resources, malicious actors were quick to follow suit.
Last year, we investigated the security of serverless platforms — ones that organizations use to oversee complex processes and host sensitive data — and identified weak spots that malicious actors can abuse. Malicious actors have started stealing cloud service credentials to get sensitive environmental variables and launching supply-chain attacks, such as when a Python library had its code changed to harvest sensitive variable content.
Launching cryptocurrency-mining attacks on Linux machines
Based on our observation of last year’s attacks, malicious actors focused on compromising Linux machines with cryptocurrency-mining malware. In fact, in November 2022, we discovered and blocked a cryptocurrency-mining attack using the CHAOS Remote Administrative Tool, a remote access trojan (RAT) that targets Linux machines.
Table 1. Cryptominer Linux and MacOS counts in 2021 versus 2022
Cryptominers negatively impact an organization’s overall cloud infrastructure by increasing CPU utilization rates from an average of 13% to 100%, increasing electricity consumption costs by a whopping 600% per cloud instance, and disrupting or halting online services.
How can organizations defend against evolutionary tactics?
In 2022, the world transitioned to a hybrid workforce and continued to adopt new technologies to ensure business continuity. These dramatically increased the attack surface that security teams had to secure amid a shortage of skilled cybersecurity workers. Malicious actors, meanwhile, took on a more professional approach in their cybercriminal operations to ensure maximum exploitation and enhanced resilience.
Organizations can remain protected against ever-evolving threats by applying security best practices such as properly monitoring their different technologies and networks, updating software as soon as possible, and ensuring that cloud infrastructure is set up with security in mind.
Download our annual cybersecurity report to learn more security recommendations, discover other critical cybersecurity concerns in 2022, and gain a better understanding of the threat landscape.