Secureworks has published its annual State of the Threat Report, revealing that the exploitation in remote services has become the primary initial access vector (IAV) in ransomware attacks over the past year, accounting for 52% of ransomware incidents analysed by Secureworks over the period (overtaking credentials-based attacks from 2021).

Alongside this, there has also been a 150% rise in the use of infostealers, making them a key precursor to ransomware. Both these factors keep ransomware the primary threat for organisations, who must fight to stay abreast of the demands of new vulnerability prioritisation and patching.

The 2022 State of the Threat Report from Secureworks provides an overview of how the global cybersecurity threat landscape has evolved over the last 12 months, with a focus on the Secureworks Counter Threat Unit’s (CTU) first hand observations of threat actor tooling and behaviors.

Highlights from the Report include:

• Shift to exploiting vulnerabilities as primary initial access vector (IAV) over credentials-based attacks
• Accelerated use of Infostealers as a means of enabling ransomware operations
• Insights into the changing groups and threats associated with the continued dominance of ransomware
• Changes and newcomers in the loader landscape
• Tools and tactics of hostile government-sponsored groups across the world

The onward march of ransomware

Ransomware continues to remain the primary threat facing organisations accounting for more than a quarter of all attacks. Despite a series of high-profile law enforcement interventions and public leaks, and a small slow down over the summer months, ransomware operators have maintained high levels of activity.

The median detection window in 2022 is four and a half days, compared to five days in 2021. The mean dwell time in 2021 was 22 days but so far in 2022 is down at 11 days. Companies effectively have one working week to respond to and mitigate damage.

The number of victims listed on public “Name and Shame” sites continues to remain high with no year-over-year reduction.  Despite some monthly fluctuations, the number of victims named in the first six months of 2022 is slightly higher at 1,307 than the 1,170 named in the first six months of 2021.

This year’s Biggest Offenders based on Secureworks’ incident response engagements are GOLD MYSTIC, GOLD BLAZER, GOLD MATADOR and GOLD HAWTHORNE. Notably, all of these groups are tied to Russia.

In some instances, the adversaries are making use of the fear surrounding ransomware to undertake lower tech crimes. Hack and leak operations where data is stolen and a ransom is demanded but no ransomware is deployed continued into 2022, with GOLD TOMAHAWK and GOLD RAINFOREST among the top culprits.

Vulnerabilities in remote services become the biggest Issue

The 2022 State of the Threat Report from Secureworks also highlights that exploitation of vulnerabilities in internet-facing systems has become the most common initial access vector (IAV) observed. This is a change from 2021, when the dominant IAV was the use of stolen or guessed credentials.

As new vulnerabilities are discovered, developers of widely available offensive security tools used by threat actors are quick to incorporate new vulnerabilities into their tools, often meaning that even less sophisticated threat actors are able to exploit new vulnerabilities before security teams can patch.

The rise of infostealers

CTU researchers have seen an increase in the sale of network access sourced from credentials acquired by information stealers. In a single day in June 2022, CTU™ researchers observed over 2.2 million credentials obtained by Infostealers available for sale on just one underground marketplace; last year this figure on the same market with respect to the same stealers was 878,429. That’s an increase year on year of over 150%.

The three main stealer markets include: Genesis Market, Russian Market and 2easy. There is a plethora of stealers for sale on underground forums but some of the major ones include Redline, Vidar, Raccoon, Taurus, and AZORult. 

Infostealers provide the means to quickly and easily obtain credentials that can be used for initial access, making them a major enabler of ransomware operations. Innovative distribution methods for Infostealers have included cloned websites and trojanised installers for messaging apps such as Signal.

A Change in the loader landscape

Between July 2021 and June 2022, two big names in the loader landscape disappeared (Trickbot and IceID) and two returned (Emotet and Quakbot). This indicates that groups are moving away from the complex, fully featured botnets that evolved from the early banking trojans towards more lightweight loaders that are easier to develop and maintain – a trend that has only increased with the use of post-exploitation tools such as Cobalt Strike.

Understanding the nation-state threat

The Secureworks CTU has tracked several significant activities which can be attributed to nation-state sponsored threat groups, including their motivations, behaviors and tactics

• China:Chinese government sponsored groups are some of the most prolific and well-resourced threats in cybersecurity. Over the course of the ongoing Russia/Ukraine conflict, observed threat activity from Chinese government sponsored groups has targeted both Russia and Ukraine. A notable behavior from these adversaries is the use of ransomware as a smokescreen for intellectual property theft and cyberespionage, rather than for financial gain.
• Russia: The war against Ukraine has been revealing for Russia’s cyber capabilities. At the outset of the conflict there were wide fears of destructive attacks with wide scale repercussions as was seen with NotPetya in 2017. However, despite a steady cadence of cyber activity directed against Ukrainian targets, some of which is identifiably from Russian government-sponsored threat actors, no widely disruptive attacks have been successful. The most visible Russian threat group tracked by the CTU over the past year has been IRON TILDEN. This group is notable for spearphishing attacks conducted primarily against Ukraine but also against Latvia’s parliament in April.
• Iran: Links of Iranian threat groups to government have become clearer over the past year. Ransomware continues to develop as a theme across Iranian threat group activity although often it appears with the purpose of disruption rather than financial gain. Over the past year Secureworks incident responders have investigated COBALT MIRAGE ransomware attacks against organisations in Israel, the US, Europe and Australia and the team was able to identify the individuals behind the group.
• North Korea: Multiple ransomware families have been linked to North Korea over the past 12 months, including TFlower, Maui, VHD Locker, PXJ, BEAF, ZZZZ, and ChiChi. The continued emergence and evolution of these ransomware families strongly suggests it is a stream of revenue that operators in the region will continue to pursue. Cryptocurrency and decentralised finance organisations have been a major focus of activity, and North Korean threat groups have reportedly stolen over $200 million USD from crypto exchanges since 2018.

State of the Threat 2022

The Secureworks CTU 2022 State of the Threat Report can be read in full HERE.