3 Flaws, 1 War Dominated Cyber-Threat Landscape in 2022

Published: 23/11/2024   Category: security

Attackers continued to favor software exploits, phishing, and stolen credentials as initial-access methods last year, as Log4j and the Russia-Ukraine cyber conflict changed the threat landscape.



Popular attacks for a trio of critical vulnerabilities kept exploitation at the top of the list of initial-access methods in 2022, while the war between Russia and Ukraine resulted in an unprecedented volume of attacks from a specific group of threat actors.
That's according to the annual M-Trends report from Google Cloud's Mandiant, published on April 18, which highlights that a few global incidents can dramatically affect the overall threat landscape.
The volume of attacks used in the Russia-Ukraine conflict, for example, resulted in the government sector's rise to the top of the list of targeted industries, accounting for 25% of all attacks investigated by Mandiant, up from 9% in 2021, when government agencies ranked sixth on the list. Meanwhile, about 36% of incidents investigated by Mandiant included the use of software exploits, with four out of every nine of those attacks targeting a vulnerable version of Log4j, the open source logging library.
Significant events — such as the Log4j patch effort — can have "massive, albeit temporary," effects on the threat landscape, says Luke McNamara, a principal analyst with Mandiant.
"You have this ... massive spike in these methods as the initial infection vector, but a lot of it was ... the impact of one singular incident," he says, comparing the impact to the surge in supply chain attacks in 2021 due to the compromise of SolarWinds. "It's not necessarily indicative that this is going to be a large-scale trend that we're gonna see more and more of, but just something that impacts the threat activity for that given year."
Similarly, Russia's war against Ukraine had a dramatic impact on the threat landscape for more than a year, Google Cloud stated in the report. A cyber-espionage group, UNC2589, and another group linked to Russian military intelligence, APT28, conducted extensive information collection and disinformation operations prior to Russia's February 2022 invasion of Ukraine. Now the threat groups appear to alternate information gathering and espionage campaigns with destructive attacks.
In the first four months of the war, the Mandiant group recorded more destructive attacks against Ukrainian organizations than in the previous eight years, according to the report.
"The invasion of Ukraine represents one of the first instances in which a major cyber power has conducted disruptive attacks, espionage, and information operations concurrently with widespread, kinetic military operations," the Mandiant report stated. "Mandiant has never observed threat actor activity that matches the volume of attacks, variety of threat actors, and coordination of effort as was seen during the first months following the invasion by Russia."
Those attacks — and the threat landscape more generally — relied on a handful of initial access methods. Overall, 80% of the incidents investigated by Mandiant typically used a software exploit, phishing attacks, stolen credentials, or leveraged a prior compromise, the report stated. The exploitation of known vulnerabilities was the most popular initial access vector, accounting for 32% of incidents where the initial compromise could be determined, while phishing accounted for 22% and stolen credentials for 14%.
Among exploits, three vulnerabilities made up the lion's share of the attacks. The primary vulnerability in Log4j (CVE-2021-44228) accounted for the largest portion (44%) of known exploits, but along with two other vulnerabilities — one affecting F5's BIG-IP (CVE-2022-1388) and another affecting VMware's Workspace ONE Access and Identity Manager (CVE-2022-22954) — the trio accounted for nearly 90% of exploits.
Because all three vulnerabilities are often accessible remotely, attackers scan for them regularly, McNamara says.
"Targeting and exploiting perimeter devices that are accessible via the internet — things like firewalls, virtualization solutions, VPN — those are highly sought after targets for attackers," he says. "We saw this with Ukraine because [threat groups] leverage a lot kind of living on the edge, as we put it, where they've used edge and perimeter network devices to come back in when they've been kicked out multiple times from a given organization."
In another trend, the share of incidents discovered internally shrank in 2022, with 37% of incidents detected by the targeted company and 63% of incidents disclosed to the target by a third party. The share of incidents not detected by a company's internal security teams has grown in every geography, slowly in the Americas, but much more quickly in the Asia-Pacific (APAC) and the Europe, Middle East, and Africa (EMEA) regions.
Yet despite the more significant role played by third parties in attack detection, dwell time decreased to 16 days in 2022, down from 21 in 2021. The debate is whether the decrease is due to defenders detecting attacks more quickly or attackers ending an attack with a destructive — and obvious — payload, Google Cloud's McNamara says.
"Really, the last two, three, four years, we've seen more and more disruptive activity, as the extortion space has become more multifaceted," he says. "Trying to kind of tease out how much of that is due to organizational maturity — organizations are getting better at catching threat actors — and how much of it is due to ... the nature of the activity itself is difficult."
However, while the overall median dwell time is 16 days, ransomware investigations show a median dwell time of only nine days, whereas it's 17 days for non-ransomware investigations.
The cyber conflict between Russia and Ukraine also affected the dwell time, according to Mandiant's report, as external intelligence agencies and companies notified Ukrainian organizations of breaches.
"The increase in external notification observed in 2022 is likely impacted by Mandiant's investigative support of cyber threat activity which targeted Ukraine and an increase in proactive notification efforts," the report stated. "Proactive notifications from security partners enable organizations to launch response efforts more effectively."
