Trend Micro 2023 Midyear Cybersecurity Threat Report
A set of proactive and holistic security solutions is crucial, as our midyear cybersecurity threat report shows that illegal actors are shifting targets, utilizing innovations, and becoming more creative to increase efficiency and prolificacy.
AI-enabled tools have been simplifying the execution of scams, automating the refinement of targets, and increasing scalability with a crop of new crimes. Ransomware actors increasingly deployed bring-your-own-vulnerable-driver (BYOVD) attacks this year while also exploiting zero-day vulnerabilities like those in GoAnywhere, 3CX, PaperCut, and MOVEit. Meanwhile, enterprise threats continued to leverage entry through weak or default passwords.
Our attack surface risk management (ASRM) data showed that the United States, Brazil, and India had the most risk events detected in the first half of 2023, while the manufacturing, healthcare, and technology industries registered the most detections in the same period.
* * *
In the following infographics, we present highlights from our telemetry covering the broadest attack surface view across 500,000 commercial clients and millions of consumer customers. With native sensors across endpoints, email and messaging, network and web traffic, cloud and operational technology, we present the top techniques, tactics, and trends in threat actor activity. We also cover targets in the risk landscape, including ransomware, cloud and enterprise threats, and advanced persistent threats (APTs), all available at a glance.
Shift left to stay ahead of connected ransomware groups with ever-changing targets
Ransomware groups continue to update their tools and techniques for expanded targets and efficient data extraction. Earlier this year, new player Mimic abused the legitimate search tool Everything to query file extensions and names to determine which files to encrypt and avoid. Meanwhile, the Royal ransomware has been expanding its targets with an update aiming at Linux platforms.
Our investigations of Royal and Mimic suggested connections with the larger and more notorious Conti ransomware group, while our investigation of TargetCompany showed its links to other families such as the BlueSky and the GlobeImposter ransomware. These connections are consistent with our ransomware revolution insight about how collaborations could lead to lower costs and increased market presence while also maintaining the efficacy of criminal activities.
Meanwhile, financial gain might not be the only motivator for ransomware groups, as government entities could offer recruitment opportunities to operators in lieu of prosecution. In our May report on the RomCom backdoor, we discussed how the historical use of the backdoor in geopolitically motivated attacks on Ukraine since at least October 2022 suggests a shift in Void Rabisu’s targets. Recent ransomware attacks are now comparable to APT groups in terms of skills, approach, and attack capabilities.
Ransomware players who remain in it for money might also turn their data exfiltration efforts toward cryptocurrency theft, business email compromise (BEC), and deploying short-and-distort schemes for stock market manipulation. Cryptocurrency has also made payment schemes more efficient in favor of threat actors, underlining the demand to shift left — meaning implementing as many measures as possible for blocking threats from entering the network in the first place — when anticipating ransomware-related attacks that trigger extortion only after gaining access and exfiltrating data.
AI innovations simplify tasks, even for cybercriminals
As early as 2021, 52% of companies accelerated their AI adoption plans because of the COVID-19 crisis. Meanwhile, organizations are increasingly embedding AI capabilities in their operations. AI adoption continued at a stable pace last year, with 35% of companies using AI in their business. One in every four companies is adopting AI to bridge labor and skills gaps, while two in every three companies are planning to apply AI to address sustainability goals.
The cybersecurity industry can also expect an increase in demand for identity-aware anti-fraud techniques along with an uptick in cybercriminals leveraging AI to carry out virtual crimes more efficiently. Virtual kidnappers, for example, currently use voice cloning, SIM jacking, ChatGPT, and social network analysis and propensities (SNAP) modeling to identify the most profitable targets and execute their ploy.
Meanwhile, ChatGPT and other AI tools create nested tiers of automation to gather information, form target groups, and identify and prioritize vulnerable behaviors by expected revenue to lure big-name victims (also known as “big fish”) in harpoon whaling attacks and romance scams. Other threat actors play the long game and con victims out of their money through cryptocurrency investment scams known as pig butchering. There are also reports that AI-based coding assistants and ChatGPT can be tricked into writing malicious code.
The occurrence of such cybercrimes will only surge as more individuals and enterprises adopt and invest in artificial intelligence to streamline their own operations.
Cyber Risk Index lowers to moderate range, but threats still abound as actors innovate
The Cyber Risk Index (CRI) decreased to moderate range with a score of +0.01 in the second half of 2022, according to a survey of over 3,700 businesses across four regions. However, details of our report show that North America’s CRI is the most elevated among regions at -0.10, with its Cyber Preparedness Index worsening from 5.30 to 5.29 and its Cyber Threat Index dropping from 5.63 to 5.39. As for vulnerability advisories, 894 were published in the first half of 2023, only 50 fewer than those published in the first half of the previous year.
Meanwhile, threat actors are casting a wider net by leveraging vulnerabilities in smaller platforms for more specific targets, such as file transfer service MOVEit, business communications software 3CX, and print management software solution PaperCut. In June, the Clop ransomware leveraged a vulnerability in MOVEit and compromised various government agencies in the United States, namely the Department of Energy, as well as university systems in multiple states and private businesses.
In May, Google launched eight new top-level domains (TLDs), including .zip and .mov. This can pose security risks when exploited by cybercriminals to hide malicious URLs behind legitimate websites for malware delivery and other attacks — a tried-and-tested technique that remains effective today.
While innovations continue to evolve and involve more data, threat actors are finding more ways to victimize people. For example, today’s connected cars contain over 100 million lines of code, giving smart functionality to the user but also opening doors to hackers. As more smart cars saturate the market, attackers will try to gain access to user account data and leverage it for crimes.
These threats underline the need for proactive cyber risk management that operationalizes elements of a zero-trust strategy, with continuous visibility and assessment across the entire risk life cycle of discovery, assessment, and mitigation. Investments in extended detection and response would result in sufficient data, analytics, and integrations from which security teams and researchers can reap insights into threat activity and how well defenses are coping.
Threat comebacks feature new tools to evade detection and expand portability
Malicious actors continue to create new and updated tools and techniques to minimize the detection of their arsenal and cast a wider net for victims.
In its latest campaign last year, APT34 used DNS-based command-and-control (C&C) communication combined with legitimate SMTP (Simple Mail Transfer Protocol) mail traffic to bypass security policies within network perimeters. Further investigations reveal that APT34 could have a deep foothold in the government domain forest.
Earth Preta shifted its focus to target critical infrastructure and key institutions that can affect national and international relations, economies, and securities. The APT group now uses hybrid techniques to deploy malware through Google Drive links embedded in decoy documents and leverages physical vectors for intrusion. It also leverages WinRAR and curl (aka cURL) and previously unseen pieces of malware to collect and transfer data. Intertwined traditional intelligence tradecraft and cyber collection efforts indicate a highly coordinated cyberespionage operation.
Other persistent threats are also resurfacing with new and improved tools and indicators of shifting targets. After a dormant period, APT41 subgroup Earth Longzhi resurged with a new technique that we dubbed “stack rumbling,” which disables security products via Image File Execution Options (IFEO). Notably, this is a new denial-of-service (DoS) technique first observed in this campaign. While samples from this campaign reveal that the group is targeting firms in the Philippines, Thailand, Taiwan and Fiji, embedded documents in samples suggest that the group might target enterprises in Vietnam and Indonesia next.
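A defender-side check for the IFEO abuse described above, as an added example (not Trend Micro's code): it parses a `reg export` of the registry and flags any Image File Execution Options entry that sets values for a watched security executable. The process names, the `PlaceholderValue` name, and the sample export are constructed for illustration.

```python
import re

# Matched case-insensitively; also covers the WOW6432Node (32-bit) view.
IFEO_SUFFIX = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"

# Assumption: placeholder names standing in for your security product binaries.
WATCHLIST = {"exampleavagent.exe", "exampleedrsvc.exe"}

# Constructed sample in `reg export` text format (not taken from the report).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExampleAvAgent.exe]
"PlaceholderValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExampleEdrSvc.exe]
"PlaceholderValue"="constructed"
'''

def parse_ifeo(export_text):
    """Return {image_name_lower: {value_name: raw_data}} for IFEO subkeys."""
    entries, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(IFEO_SUFFIX)
            current = None  # values under non-IFEO keys are ignored
            if idx != -1:
                image = key[idx + len(IFEO_SUFFIX):].split("\\")[0].lower()
                if image:
                    current = entries.setdefault(image, {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return entries

def flag_security_images(entries, watchlist=WATCHLIST):
    """IFEO entries for watched executables that carry any value at all."""
    return sorted((img, sorted(vals)) for img, vals in entries.items()
                  if img in watchlist and vals)

if __name__ == "__main__":
    for image, values in flag_security_images(parse_ifeo(SAMPLE_EXPORT)):
        print(f"REVIEW: IFEO values set for {image}: {', '.join(values)}")
```

Any hit is a lead for review rather than proof of tampering; compare it against a known-good baseline for the host.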
[Infographic: Threat landscape in brief. Overall number of threats blocked in the first half of 2023, with panels for blocked email threats, blocked malicious URLs, blocked malicious files, email reputation queries, URL reputation queries, and file reputation queries.]