X-Force Threat Intelligence Index 2023 - IBM Security
Table of contents
01 Executive summary
02 Report highlights
03 Key stats
04 Top initial access vectors
05 Top actions on objectives
06 Top impacts
07 Cyber-related developments of Russia’s war in Ukraine
08 The malware landscape
09 Threats to OT and industrial control systems
10 Geographic trends
11 Industry trends
12 Recommendations
13 About us
14 Contributors
15 Appendix
01 Executive summary

The year 2022 was another tumultuous one for cybersecurity. While there was no shortage of contributing events, among the most significant were the continuing effects of the pandemic and the eruption of the military conflict in Ukraine. Disruption made 2022 a year of economic, geopolitical and human upheaval and cost—creating exactly the kind of chaos in which cybercriminals thrive.

And thrive they did.

IBM Security® X-Force® witnessed opportunistic threat actors who capitalize on disorder, using the landscape to their advantage to infiltrate governments and organizations across the globe.

The IBM Security X-Force Threat Intelligence Index 2023 tracks new and existing trends and attack patterns and includes billions of datapoints ranging from network and endpoint devices, incident response (IR) engagements, vulnerability and exploit databases and more. This report is a comprehensive collection of our research data from January to December 2022.

We provide these findings as a resource to IBM clients, cybersecurity researchers, policymakers, the media and the larger community of security industry professionals and industry leaders. Today’s volatile landscape, with its increasingly sophisticated and malicious threats, requires a collaborative effort to protect business and citizens. More than ever, you need to be armed with threat intelligence and security insights to stay ahead of attackers and fortify your critical assets.

So you too can thrive.
How our data analysis changed for 2022

In 2022, we modified how we examined portions of our data. The changes allow us to offer more insightful analysis and align more closely to industry standard frameworks. That, in turn, enables you to make more informed security decisions and better protect your organization from threats.

Changes to our analysis in 2022 included:

– Initial access vectors: Adopting the MITRE ATT&CK framework to track initial access vectors more closely aligns our research findings with the broader cybersecurity industry and allows us to identify important trends at the technique level.

– Exploits and zero day compromises: Extrapolating from our robust vulnerability database—which includes nearly 30 years of data—helps lend context to our analysis and identify the actual threat posed by vulnerabilities. This process also lends context to the diminishing proportion of weaponizable exploits and impactful zero days.

– Threat actor methods and their impact: Uncoupling the steps threat actors take during an attack from the actual impact of an incident allowed us to identify critical stages of an incident. This process, in turn, uncovered areas that responders should be prepared to handle in the aftermath of an incident.
02 Report highlights

Top actions on objectives observed: In almost one-quarter of all incidents remediated in 2022, the deployment of backdoors at 21% was the top action on objective. Notably, an early year spike in Emotet, a multipurpose malware, contributed significantly to the jump in backdoor activity observed year over year. Despite this spike in backdoor activity, ransomware, which held the top spot since at least 2020, constituted a large share of the incidents at 17%, reinforcing the enduring threat this malware poses.

Extortion was the most common attack impact on organizations: At 27%, extortion was the clear impact of choice by threat actors. Victims in manufacturing accounted for 30% of incidents that resulted in extortion, as cybercriminals continued the trend of exploiting a strained industry.

Phishing was the top initial access vector: Phishing remains the leading infection vector, identified in 41% of incidents, followed by exploitation of public-facing applications in 26%. Infections by malicious macros have fallen out of favor, likely due to Microsoft’s decision to block macros by default. Use of malicious ISO and LNK files escalated as the primary tactic to deliver malware through spam in 2022.

Increase in hacktivism and destructive malware: Russia’s war in Ukraine opened the door to what many in the cybersecurity community expected to be a showcase of how cyber enables modern warfare. Although the direst cyberspace predictions haven’t come to fruition as of this publication, there was a notable resurgence of hacktivism and destructive malware. X-Force also observed unprecedented shifts in the cybercriminal world with increased cooperation between cybercriminal groups, and Trickbot gangs targeting Ukrainian organizations.
03 Key stats

27% — Percentage of attacks with extortion
Threat actors sought to extort money from victims in more than one-quarter of all incidents to which X-Force responded in 2022. The tactics they use have evolved in the last decade, a trend expected to continue as threat actors more aggressively seek profits.

21% — Share of incidents that saw backdoors deployed
Deployment of backdoors was the top action on objective last year, occurring in more than one in five reported incidents worldwide. Successful intervention by defenders likely prevented threat actors from fulfilling further objectives that may have included ransomware.

17% — Ransomware’s share of attacks
Even amid a chaotic year for some of the most prolific ransomware syndicates, ransomware was the second most common action on objective, following closely behind backdoor deployments and continuing to disrupt organizations’ operations. Ransomware’s share of incidents declined from 21% in 2021 to 17% in 2022.
41% — Percentage of incidents involving phishing for initial access
Phishing operations continued to be the top pathway to compromise in 2022, with 41% of incidents remediated by X-Force using this technique to gain initial access.

100% — Increase in the number of thread hijacking attempts per month
There were twice as many thread hijacking attempts per month in 2022, compared to 2021 data. Spam email leading to Emotet, Qakbot and IcedID made heavy use of thread hijacking.

52% — Drop in reported phishing kits seeking credit card data
Almost every phishing kit analyzed in the data sought to gather names at 98% and email addresses at 73%, followed by home addresses at 66% and passwords at 58%. Credit card information, targeted 61% of the time in 2021, fell out of favor for threat actors—data shows it was sought in only 29% of phishing kits in 2022, a 52% decline.

62% — Percentage of phishing attacks using spear phishing attachments
Attackers preferred weaponized attachments, deployed by themselves or in combination with links or spear phishing via service.

26% — Share of 2022 vulnerabilities with known exploits
Twenty-six percent of 2022’s vulnerabilities had known exploits. According to data that X-Force has tracked since the early 1990s, that proportion has been dropping in recent years, showcasing the benefit of a well-maintained patch management process.

31% — Share of global attacks that targeted the Asia-Pacific region
Asia-Pacific retained the top spot as the most-attacked region in 2022, accounting for 31% of all incidents. This statistic represents a five percentage point increase from the total share of attacks to which X-Force responded in the region in 2021.
04 Top initial access vectors

In 2022, X-Force moved from tracking initial access vectors as broader categories, such as phishing and stolen credentials, to the initial access techniques listed within the MITRE ATT&CK Matrix for Enterprise framework. This shift allows X-Force to track important trends more granularly at the technique level. It also provides more readily consumable and cross-comparable data and aligns with the broader industry’s standardization efforts.

Top initial access vectors 2022
Exploit public-facing application            26%
Phishing - Spear phishing attachment          25%
Phishing - Spear phishing link                14%
External remote services                      12%
Valid accounts - Local                         7%
Valid accounts - Domain                        5%
Hardware additions                             3%
Valid accounts - Default                       2%
Phishing - Spear phishing via service          2%
Valid accounts - Cloud                         2%

Figure 1: Top initial access vectors X-Force observed in 2022. Source: X-Force
Phishing

Phishing (T1566), whether through attachment, link or as a service, remains the lead infection vector, which comprised 41% of all incidents remediated by X-Force in 2022. This percentage holds steady from 2021 after having increased from 33% in 2020. Looking at all phishing incidents, spear phishing attachments (T1566.001) were used in 62% of those attacks, spear phishing links (T1566.002) in 33% and spear phishing as a service (T1566.003) in 5%. X-Force also witnessed threat actors use attachments alongside phishing as a service or links in some instances.

IBM X-Force Red data from 2022 further highlights the value of phishing and mishandled credentials to threat actors. Across 2022’s penetration tests for clients, X-Force Red found that approximately 54% of tests revealed improper authentication or handling of credentials. The X-Force Red Adversary Simulation team regularly performed spear phishing with QR codes targeting multifactor authentication (MFA) tokens. Many organizations lacked visibility into applications and endpoints exposed through identity access management and single sign-on (SSO) portals, such as Okta.

In second place, exploitation of public-facing applications (T1190)—defined as adversaries taking advantage of a weakness in an internet-facing computer or program—was identified in 26% of incidents to which X-Force responded. This correlates to what past Threat Intelligence Index reports referred to as “vulnerability exploitation” and marks a drop from 34% in 2021.

In third place, abuse of valid accounts (T1078) was identified in 16% of the observed incidents. These are cases where adversaries obtained and abused credentials of existing accounts as a means of gaining access. These incidents included cloud accounts (T1078.004) and default accounts (T1078.001) at 2% each, domain accounts (T1078.002) at 5%, and local accounts (T1078.003) at 7%.

Phishing type seen as % of total phishing cases
Attachment              62%
Link                    33%
Phishing via service     5%

Figure 2: Types of phishing subtechniques as a percentage of total phishing cases observed by X-Force in 2022. Source: X-Force
Phishing kits lasting longer, targeting PII over credit card data

IBM Security analyzed thousands of phishing kits from around the world for the second year in a row and discovered kit deployments are operational longer and reaching more users. The data indicates that the lifespan of phishing kits observed has more than doubled year over year, while the median deployment across the data set remained relatively low at 3.7 days.

Overall, the shortest deployment lasted minutes and the longest, discovered in 2022, ran longer than three years. Our investigation found the following:

– One-third of deployed kits lasted approximately 2.3 days last year, more than double the length of the year prior when the same proportion lasted no longer than one day.

– Approximately half of all reported kits impacted 93 users, whereas in 2021, each deployment on average had no greater than 75 potential victims.

– The maximum total victims of one reported phishing attack was just over 4,000, although this was an outlier.

– Almost every reported phishing kit analyzed sought to gather names at 98%. This was followed by email addresses at 73%, home addresses at 66% and passwords at 58%.

– Credit card information dropped significantly from being targeted 61% of the time in 2021 to 29% of phishing kits in 2022.

– Lower instances of phishing kits seeking credit card data indicate that phishers are prioritizing personally identifiable information (PII), which allows them broader and more nefarious options. PII can either be gathered and sold on the dark web or other forums or used to conduct further operations against targets.
Top spoofed brands

The top brands observed being spoofed are made up mostly of the biggest names in tech. X-Force believes this shift from 2021’s somewhat more diverse list is due to improved ability to identify the brands that a kit is configured to spoof, not just the one it’s targeting by default. Many phishing kits are multipurpose, and the brand being spoofed can be changed by altering a simple parameter. For example, a kit can spoof Gmail by default, but a one-line update changes it into an attack spoofing Microsoft.

Stolen credentials for such services are valuable. Gaining access to accounts that victims use to manage entire portions of their online presence can open the door for access to other accounts. Attackers’ focus on this form of initial access is highlighted in the 2022 Cloud Threat Landscape Report, which found a more than threefold increase at 200% of the number of cloud accounts being advertised for sale on the dark web over what was observed in 2021.

Top spoofed brands year over year
Rank   2022         2021
1      Microsoft    Microsoft
2      Google       Apple
3      Yahoo        Google
4      Facebook     BMO Harris Bank
5      Outlook      Chase
6      Apple        Amazon
7      Adobe        Dropbox
8      AOL          DHL
9      PayPal       CNN
10     Office365    Hotmail

Figure 3: This chart identifies the top spoofed brands in 2021 and 2022, demonstrating that threat actors are increasingly focusing on large technology brands. Source: IBM phishing kit data
Vulnerabilities

Vulnerability exploitation—captured for 2022 as exploitation of public-facing applications (T1190)—placed second among top infection vectors and has been a preferred method of compromise by attackers since 2019. Vulnerabilities were exploited in 26% of attacks that X-Force remediated in 2022, 34% in 2021, 35% in 2020 and 30% in 2019.

Not every vulnerability exploited by threat actors results in a cyber incident. The number of incidents resulting from vulnerability exploitation in 2022 decreased 19% from 2021, after rising 34% from 2020. X-Force assessed that this swing was driven by the widespread Log4J vulnerability at the end of 2021.

Exploitation for access is a key area of research that the team at X-Force Red Adversary Simulation Services pursued to keep simulating advanced threats. The team increased its focus on vulnerability research for exploitation of operating systems (OS) and applications to expand access and perform privilege escalation. This focus was largely due to past exercises with long-standing clients who have hardened traditional Active Directory attack paths and the need to pursue new attack paths.

While vulnerabilities are a common initial access vector, and the industry responds to several major ones in any given year, not every vulnerability is the same. It’s important for decision makers to take a full view of the vulnerability landscape and ensure they’re equipped with the necessary context to understand the real threat a given vulnerability poses to their networks.

Almost 30 years ago and predating the advent of the Common Vulnerabilities and Exposures (CVE) system, X-Force began building a robust vulnerability database. This database is now one of the most comprehensive in the cybersecurity industry. While vulnerabilities are a major risk to security, there are far more reported vulnerabilities than there are known weaponized exploits. Further, despite public attention on zero days, the actual number of known zero days is dwarfed by the total number of known vulnerabilities.

Share of incidents resulting from vulnerability exploitation over the last four years
2022   26%
2021   34%
2020   35%
2019   30%
Every year sees a new record number of vulnerabilities discovered. The total number of vulnerabilities tracked in 2022 was 23,964 compared to 21,518 in 2021. The trend of year-to-year vulnerability increases has persisted over the last decade. To the benefit of defenders, analysis of our vulnerability database showed the proportion of known, viable exploits to reported vulnerabilities decreasing in recent years—36% in 2018, 34% in 2019, 28% in 2020, 27% in 2021 and 26% in 2022.

These numbers can shift with the exposure of zero days and exploits being developed for older vulnerabilities—sometimes years after they’re identified—and there are several potential explanations behind this decline. First, the establishment of formal bug bounty programs has incentivized the proactive discovery of vulnerabilities within applications. Additionally, a handful of widely popular and well-established vulnerabilities exist that already serve as a means of system exploitation for attackers, reducing the need for threat actors to develop new exploits. The drop is likely due to a combination of multiple factors but doesn’t point to vulnerability exploitation becoming less of a threat.

While the proportion of exploits to vulnerabilities drops, the severity of those exploits X-Force tracks has increased in the last five years. In 2018, 58% of vulnerabilities had a Common Vulnerability Scoring System (CVSS) score of medium,
4.0-6.9 out of 10, compared to just under 36% high, 7.0-9.9. The spread between those two inverted in 2021, and high severity vulnerabilities now account for five percentage points more than those that scored medium.

Still, of all the vulnerabilities X-Force has tracked since 1988, 38% of them rank high, with only 1% coming in at the critical score of 10. Half of tracked vulnerabilities rank medium with the remaining 11% coming in at low, 3.9 and below. These scores alone don’t correlate to the real-world severity of any one CVE, since it doesn’t account for how exploitation is accomplished or if an exploit even exists. However, the scores do help defenders compare vulnerabilities and prioritize how quickly to address them. The Figure 6 graphic on the following page helps to put into perspective the true nature of the vulnerability problem facing the cybersecurity industry.

Total X-Force database of vulnerabilities versus exploits
Year   Sum of total vulnerabilities   Sum of total exploits
2018   17,923                         6,505
2019   18,115                         6,090
2020   19,391                         5,479
2021   21,518                         5,716
2022   23,964                         6,290

Figure 4: X-Force vulnerability database view showing vulnerabilities and exploits over the past five years. Source: X-Force

CVSS scores of vulnerabilities in X-Force database, 2018-2022 (chart: yearly share of Critical, High, Medium and Low; values omitted here)

Figure 5: X-Force vulnerability database showing severity of vulnerabilities tracked in our system. Source: X-Force
Operational technology (OT) vulnerabilities

Industrial control systems (ICS) vulnerabilities discovered in 2022 decreased for the first time in two years—457 in 2022 compared to 715 in 2021 and 472 in 2020. One explanation for this may be found in ICS lifecycles and how they’re generally managed and patched. Attackers know that with demand for minimal downtime, long equipment lifecycles and older, less-supported software, many ICS components and OT networks are still at risk of older vulnerabilities. Infrastructure is usually in place for many years longer than standard office workstations, which extends the lifespan of ICS-specific vulnerabilities beyond those that can exploit IT.

The vulnerability problem
Cumulative vulnerabilities, exploits and zero days since 1988

Category                         Number     %
Total vulnerabilities            228,167    N/A
Total exploited vulnerabilities   78,156    34%
Total unexploited vulnerabilities 150,011   66%
Total zero days                    7,327     3%
Critical                           2,746     1%
High                              86,595    38%
Medium                           114,480    50%
Low                               24,274    11%

Timeline of major events involving vulnerabilities since 1993 (as shown in the graphic):
1993 XFDB precursor; 1997 XFDB (ISS) founded; 1999 CVE founded; 2003 Metasploit created; 2004 Exploit DB created; 2008 Conficker; 2011 Beast; 2012 Crime; 2013 Breach; 2014 Heartbleed, Poodle, Shellshock; 2015 Freak; 2016 Sweet32; 2017 EternalBlue; 2018 Spectre, Meltdown; 2019 BlueKeep; 2020 Sunburst, Supernova, Zerologon; 2021 Log4J, Wreck, Sudo; 2022 Follina, ProxyNotShell, Spring4Shell, SynLapse.

Figure 6: Graphic showing the growth of vulnerabilities, exploits and zero days since 1988. Also included is a timeline of major events involving vulnerabilities since 1993. XFDB stands for X-Force Database and Exploit DB stands for Exploit Database. Source: X-Force
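The section argues that a CVSS score alone is not real-world severity: whether a weaponized exploit exists matters more. As an added illustration (not code from the report or from X-Force), the following Python triages a constructed vulnerability inventory that way, ranking known-exploit vulnerabilities first and then using the report's own CVSS bands, and reproduces the exploited/zero-day/band ratios the report publishes for its database. The Vuln record layout, field names and VULN-x identifiers are assumptions constructed for this example.

```python
"""Triage a vulnerability inventory the way the report suggests reading its own
statistics: exploit availability first, then the CVSS band, then the raw score.

Constructed sample data; the Vuln record format is an assumption for this
example, not the X-Force database schema."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # placeholder identifier, constructed for this example
    cvss: float             # CVSS base score, 0.0-10.0
    exploit_known: bool     # a weaponized exploit is publicly known
    zero_day: bool = False  # exploited before a fix was available


def severity_band(score: float) -> str:
    """Map a CVSS score to the bands the report uses: low (3.9 and below),
    medium (4.0-6.9), high (7.0-9.9), critical (10)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 10.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


BAND_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def remediation_order(vulns):
    """Known-exploit vulnerabilities come first regardless of score, then the
    higher band, then the higher raw score; ties keep inventory order."""
    return sorted(
        vulns,
        key=lambda v: (not v.exploit_known, BAND_RANK[severity_band(v.cvss)], -v.cvss),
    )


def landscape_summary(vulns):
    """Headline ratios of the kind the report gives for its database: share
    with known exploits, share that were zero days, and the band distribution."""
    total = len(vulns)
    if total == 0:
        raise ValueError("empty inventory")
    bands = Counter(severity_band(v.cvss) for v in vulns)
    return {
        "total": total,
        "exploited_pct": round(100 * sum(v.exploit_known for v in vulns) / total, 1),
        "zero_day_pct": round(100 * sum(v.zero_day for v in vulns) / total, 1),
        "band_pct": {b: round(100 * bands[b] / total, 1) for b in BAND_RANK},
    }


# Constructed inventory (identifiers are placeholders, not real CVEs).
SAMPLE = [
    Vuln("VULN-A", 9.8, exploit_known=False),
    Vuln("VULN-B", 7.5, exploit_known=True),
    Vuln("VULN-C", 10.0, exploit_known=True, zero_day=True),
    Vuln("VULN-D", 5.3, exploit_known=True),
    Vuln("VULN-E", 6.5, exploit_known=False),
    Vuln("VULN-F", 3.1, exploit_known=False),
    Vuln("VULN-G", 8.8, exploit_known=False),
    Vuln("VULN-H", 4.3, exploit_known=False),
]

if __name__ == "__main__":
    # A 5.3 medium with a known exploit outranks a 9.8 high without one.
    for v in remediation_order(SAMPLE):
        print(f"{v.vuln_id:8} {v.cvss:4} {severity_band(v.cvss):8} exploit={v.exploit_known}")
    print(landscape_summary(SAMPLE))
```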
05 Top actions on objectives

Previously, the X-Force Threat Intelligence Index examined the broad category of top attacks. For 2022, X-Force dissected this classification into two distinct categories: the specific actions threat actors took on victim networks, or adversary action on objective, and the intended or realized effect of that action on the victim, or impact.

According to X-Force Incident Response data, deployment of backdoors was the most common action on objective, occurring in 21% of all reported incidents. This was followed by ransomware at 17% and business email compromise (BEC) at 6%. Malicious documents (maldocs), spam campaigns, remote access tools and server access were discovered in 5% of cases each.

Top actions on objectives 2022
Malware - Backdoors                   21%
Malware - Ransomware                  17%
Business email compromise (BEC)        6%
Malware - Maldoc                       5%
Spam campaign                          5%
Tool - Remote access                   5%
Server access                          5%

Figure 7: Top actions on objectives observed by X-Force in 2022. Source: X-Force
In cases where a backdoor deployment was classified as an action on objective, it’s probable that the threat actor had additional plans when the backdoor was operationalized. Successful intervention by security teams or incident responders likely prevented the threat actor from fulfilling further objectives. Such further malicious activity would likely have included ransomware, as about two-thirds of those backdoor cases had the markings of a ransomware attack.

Increased backdoor deployment may also be due to the amount of money this kind of access can generate on the dark web. Compromised corporate network access from an initial access broker typically sells for several thousands of US dollars. This type of access may be sought by malicious actors looking to make a quick profit by avoiding issues with maintaining access while moving laterally and exfiltrating high-value data. Those malicious actors who lack access to the requisite malware to establish access themselves may also seek backdoors.

Initial access brokers typically attempt to auction their accesses, which X-Force has seen at USD 5,000-10,000, though final prices may be less. Others have reported accesses selling for USD 2,000-4,000, with one reaching USD 50,000. These amounts compare to the significantly lower price for something like a single credit card, seen offered for under USD 10.

Backdoors led to a notable spike in Emotet cases in February and March. That spike inflated the ranking of backdoor cases significantly, as those deployed in this timeframe account for 47% of all backdoors identified globally throughout 2022. Following Emotet’s hiatus from July through November—after which it ramped back up for nearly two weeks at much lower volume—the number of backdoor cases dropped significantly.

Distribution of Emotet cases across 2022 (chart; values omitted here)

Figure 8: Graph showing spike in Emotet cases in early 2022. Source: X-Force
Ransomware

Even amid a chaotic year for some of the most prolific ransomware syndicates, ransomware was the second most common action on objective, following closely behind backdoor deployments and continuing to disrupt organizations’ operations. Ransomware’s share of incidents declined from 21% in 2021 to 17% in 2022.

An IBM Security X-Force study revealed there was a 94% reduction in the average time for the deployment of ransomware attacks. What took attackers over two months in 2019 took just under four days in 2021. With attackers moving faster, organizations must take a proactive, threat-driven approach to cybersecurity.

Ransomware attack average duration
2019   2+ months
2021   3+ days

One particularly damaging way ransomware operators distribute their payload across a network is by compromising domain controllers. A small percentage, approximately 4%, of network penetration test findings by X-Force Red revealed entities that had misconfigurations in Active Directory that could leave them open to privilege escalation or total domain takeover. In 2022, X-Force also observed more aggressive ransomware attacks on underlying infrastructure, such as ESXi and Hyper-V. The potentially high impact of these attack methods underscores the importance of securing domain controllers and hypervisors properly.

Ransomware variants

As ransomware groups and related access brokers come and go, X-Force has seen regular churn in the top groups active in this space. X-Force encountered 19 ransomware variants in 2022, compared to 16 in 2021. LockBit variants comprised 17% of total ransomware incidents observed, up from 7% in 2021. Phobos tied with WannaCry for second at 11%. The top groups in 2022 displaced 2021’s first place REvil, also known as Sodinokibi, with 37% of cases in 2021, and second place Ryuk with 13%, both down to 3%.

LockBit 3.0 is the latest variant of the LockBit ransomware family that’s part of a ransomware-as-a-service (RaaS) operation associated with LockerGoga and MegaCortex. LockBit has been in operation since September 2019, and LockBit 3.0 was released in 2022. A significant portion of the LockBit 3.0 source code appears to have been borrowed from the BlackMatter ransomware.
Researchers first discovered Phobos ransomware in early 2019. Based on similarities in code, delivery mechanisms, exploitation techniques and ransom notes, Phobos was identified as a fork of the previously known ransomware families Crysis and Dharma. Phobos has been commonly used for smaller-scale attacks, which involve lower ransom demands. Email phishing campaigns and exploitation of vulnerable Remote Desktop Protocol (RDP) ports are the main distribution methods observed for Phobos.

WannaCry, first seen in 2017, spreads itself by using EternalBlue to exploit the vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) server (MS17-010). Several cases of WannaCry or Ryuk that X-Force saw in 2022 were the result of infections from three to five years ago and occurred on old, unpatched equipment, highlighting the importance of proper cleanup after such events.

2022 ransomware variants and frequency
LockBit          17%
Phobos           11%
WannaCry         11%
BlackCat          9%
Conti             6%
Djvu              6%
Babuk             6%
5x2tr             3%
REvil             3%
Hive              3%
Vice Society      3%
DefrayX           3%
Makop             3%
MedusaLocker      3%
Venom             3%
Ryuk              3%
Cat4er            3%
Venus             3%
Lizard            3%

Figure 9: Ransomware variants and the frequency with which they were observed in X-Force Incident Response engagements in 2022. Source: X-Force

Business email compromise (BEC)

BEC held its rank of third in 2022 with 6% of incidents to which X-Force responded. This rank is slightly lower than 8% of attacks in 2021 and 9% for fifth place in 2020. It displaced 2021’s second place attack, which was server access attacks. This type of attack occurs when an attacker gains access to a server for unknown end goals—which in 2022 was more granularly classified by what type of access those actors achieved. Spear phishing links were used in half of BEC cases to which X-Force responded. Malicious attachments and abuse of valid accounts were used to enable BEC attempts in 25% of cases each.
06 Top impacts

X-Force also took a closer look at the effect of incidents on victim organizations to better understand the impact that threat actors sought to have through the incidents to which X-Force responded. With this information, organizations can get a better understanding of the most common impacts to plan responses to potential future incidents more effectively.

The analysis found that more than one in four incidents aimed to extort victim organizations—making it the top impact observed across incidents remediated by X-Force. The observed extortion cases were most frequently achieved through ransomware or BEC, and often included the use of remote access tools, cryptominers, backdoors, downloaders and web shells.

Top impacts 2022 (chart: Extortion, Data theft 19%, Credential harvesting 11%, Data leak 11%, Brand reputation 9%)

Figure 10: Top impacts X-Force observed in incident response engagements in 2022. Source: X-Force
Data theft came in second and accounted for 19% of all incidents that X-Force remediated. Credential harvesting that led to stolen usernames and passwords and required corresponding mitigations accounted for 11%. Incidents where X-Force could identify targeted information actually leaked after being stolen was less common than the theft of data at 11%. Impacts to brand reputation, such as disruption to the services clients provide to their customers, accounted for 9% of incidents. See Appendix for the full list of impacts X-Force tracked. Incidents that impacted victims’ brand reputation were mainly distributed denial of service (DDoS) attacks, which are also frequently used to extort victims to pay money to stop the attack.

Percentage of extortion cases by industry 2022
Manufacturing          30%
PBC services           22%
Energy                 13%
Finance & insurance    13%
Retail & wholesale      9%
Media & telecom         4%
Education               4%
Transportation          4%

Figure 11: The percentage of extortion cases by industry X-Force observed in incident response engagements in 2022. Numbers do not add to 100% due to rounding. Source: X-Force
Extortion

While extortion is most commonly associated with ransomware today, extortion campaigns have included a variety of methods to apply pressure on their targets. These include DDoS threats, encrypting data and, more recently, double and triple extortion threats combining several previously seen elements.

Another tactic that at least one ransomware group experimented with starting in 2022 was making the data they had stolen more accessible to downstream victims. By making it easier for secondhand victims to identify their data among a data leak, operators seek to increase the subsequent pressure on the organization targeted by the ransomware group or affiliate in the first place. In 2023, X-Force expects to see threat actors experimenting with enhanced or novel downstream victim notification to increase the potential legal and reputational costs of an intrusion.

Often, both defenders and victims of cyberattacks focus on the observed impacts to an organization by threat actors. However, it’s important to consider the intentions of threat actors, their capabilities and how they evolve over time. This approach enables better discernment of what the next evolution of capabilities may be. Given the ever-expanding menu of extortion options and ransomware actors’ primary goal of financial gain, the X-Force team assesses that threat actors will continue to evolve and expand their extortion methodologies to find new ways to pressure victims into paying.

Notable developments in online extortion [1-9]
Year      Event                                                        Tactic
2013      Cryptolocker—one of the first major ransomware outbreaks     Data encryption
2014      DDoS 4 Bitcoin, Armada Collective                            Ransom DDoS
2015      Chimera ransomware adds threat of leaking stolen data online Double extortion
2017–18   BitPaymer and SamSam                                         Big game hunting
2020      Vastaamo ransomware case                                     Triple extortion
07 Cyber-related developments of Russia's war in Ukraine

Russian state-sponsored cyber activity following Russia's invasion of Ukraine has not, as of this publication, resulted in the widespread and high-impact attacks originally feared by Western government entities. However, Russia has deployed an unprecedented number of wipers against targets in Ukraine, highlighting its continued investment in destructive malware capabilities. Furthermore, the invasion has led to the resurgence of hacktivist activity undertaken by groups sympathetic to either side, as well as a reordering of the Eastern European cybercriminal landscape.

Considering Russia's demonstrated advanced capabilities for cyberattacks against critical infrastructure since 2015, international cybersecurity agencies issued a warning in April 2022. The warning mentioned potentially significant cyber operations and related disruptions in Ukraine and elsewhere. X-Force has assessed that the most significant threats to have emerged include the return of hacktivism and wiper malware, as well as significant shifts in the cybercriminal world. Most of these operations victimized entities centered in Ukraine, Russia and neighboring countries, but some have spread to other areas as well.

At the same time, defenders are adeptly employing the strides made in detection, response and information sharing over the last several years. Many of the early attempted wiper attacks were quickly identified, analyzed and publicized. These attacks include at least eight identified wipers and the discovery and disruption of a planned Russian cyberattack on Ukraine's electric grid in April 2022.
07 Cyber-related developments of Russia's war in Ukraine

In cyberspace, the most widely felt effects of the ongoing war come from self-proclaimed hacktivist groups operating in support of Ukrainian or Russian national interests. While many groups have formed since Russia's invasion and are operating against both Russian and Ukrainian networks to make political points, Killnet is one of the most prolific Russia-sympathetic groups. It has claimed DDoS attacks against public services, government ministries, airports, banks and energy companies based in North Atlantic Treaty Organization (NATO) member states and allied countries in Europe, as well as in Japan and the United States. Entities that fit Killnet's targeting profile should consider ensuring that DDoS mitigation measures are in place, such as engaging the services of a third-party DDoS mitigation provider.

Timeline of select hacktivist events 2022

Feb. 24th   Russia invades Ukraine
Feb. 24th   Anonymous announces it's in cyberwar against Russian government
Feb. 26th   Ukrainian government announces creation of IT army
Mar. 17th   Anonymous claims hack of R&D firm associated with Russian oil pipeline giant Transneft
Mar. 18th   NB65 claims hack of Russian space agency Roscosmos
Apr. 29th   Killnet starts DDoSing Romanian networks
May 11th    Killnet starts targeting Italian networks
May 21st    Anonymous declares cyberwar on Killnet
May 30th    Killnet threatens attacks on Italy that last several days
May 31st    NB65 threatens UK's Royal Family with hacks
Jun. 20th   Killnet starts DDoSing Lithuanian networks for about 10 days
Jul. 6th    Killnet starts DDoSing Latvian networks
Aug. 11th   Killnet continues DDoSes against Latvian Parliament
Sep. 6th    Killnet starts DDoSing Japanese networks
Oct. 5th    Killnet starts DDoSing US networks
Nov. 22nd   Killnet targets Serbian government networks

Figure 12: Image showing hacktivist events observed to date during the conflict in Ukraine. Source: X-Force analysis of open source reporting
07 Cyber-related developments of Russia's war in Ukraine

Wipers featured in Russia's war in Ukraine

Russia's war in Ukraine stands out for the use of multiple wiper families deployed against multiple targets in rapid succession and on a scale not previously seen, as well as the use of malware alongside kinetic military operations.

These deployments include at least nine new wipers—AcidRain, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero, AwfulShred, OrcShred and SoloShred. These wipers were predominantly used against Ukrainian networks from before the initial invasion through the early stages of the war, mainly January through March 2022. While wipers have been used in the past, they have mostly been stand-alone campaigns against a limited set of targets. However, the notable exceptions of WannaCry and NotPetya, which spread indiscriminately after impacting their initial victims, raise concerns of such wipers either spreading more widely or being repurposed for malicious operations elsewhere.

X-Force continues to assess that Russian state-sponsored cyberthreat actors still pose significant threats to computer networks and critical infrastructure around the world. This judgment is based on longstanding Russian cyberoperations aimed at Ukrainian, European, NATO and US networks and on attack operations executed by Russian threat groups since 2015.
07 Cyber-related developments of Russia's war in Ukraine

Upheaval among Russian cybercrime groups

2022 was a tumultuous year for ITG23—one of the most prominent Russian cybercriminal syndicates, primarily known for developing the Trickbot banking Trojan and Conti ransomware. The group suffered a series of high-profile leaks in early 2022, after publicly backing Russia's involvement in the war. Referred to as the ContiLeaks and TrickLeaks, they resulted in the publication of thousands of chat messages and the doxing of numerous group members. X-Force uncovered evidence indicating that ITG23 began systematically attacking Ukraine in mid-April through at least mid-June of 2022—an unprecedented shift, as the group had not previously targeted Ukraine.

Additionally, the group has seemingly retired two of its most high-profile malware families, Trickbot and Bazar, and shut down its Conti ransomware operation. Various reports have suggested that a significant reshuffling of personnel may be occurring, with the group splitting into several factions and some members moving on entirely.

The shutdown of Trickbot and Bazar, which accounted for a significant number of infections in 2021, resulted in a void that has been quickly filled by malware families such as Emotet, IcedID, Qakbot and Bumblebee. Prior to its shutdown, ITG23 was still deploying Conti ransomware prolifically, accounting for a third of all ransomware engagements to which X-Force responded in the first quarter of 2022.

The group also released a new version of its Anchor malware, a stealthy backdoor that the group had traditionally deployed against high-profile targets. The upgraded version discovered by X-Force, and named AnchorMail, has a novel email-based command and control (C2) communication mechanism. The C2 server uses the Simple Mail Transfer Protocol Secure (SMTPS) and Internet Message Access Protocol Secure (IMAPS) protocols, and the malware communicates with the server by sending and receiving specially crafted email messages.
08 The malware landscape

Increase in USB-spreading worms

After X-Force observed Raspberry Robin infection attempts impacting organizations in mid-May 2022, the enigmatic worm began spreading quickly within victims' networks from users sharing Universal Serial Bus (USB) devices. The infections spiked in early June, and by early August Raspberry Robin peaked at 17% of infection attempts that X-Force observed. This peak was identified in the oil and gas, manufacturing and transportation industries. The 17% infection attempt rate in these industries is significant, since less than 1% of X-Force clients in total have seen the same strain of malware. X-Force also observed more Raspberry Robin activity from September through November 2022.

The spread of USB-based worms is enabled through social engineering and requires some physical access to a network or endpoint to infect successfully, whether by a legitimate user or some other means. X-Force advises ensuring your security tools block known USB-based malware, implementing security awareness training and disabling autorun features for any removable media. In especially sensitive environments, such as OT or where air gaps exist, it's safest to simply prohibit the use of USB flash drives entirely. If it's necessary to allow them, strictly control the approved number of portable devices for use in your environment in addition to implementing the previous suggestions.
08 The malware landscape

Rust rises

The Rust Programming Language steadily increased in popularity among malware developers during 2022, thanks to its cross-platform support and low antivirus detection rates compared to other, more common languages. Similar to the Go language, it also benefits from a more convoluted compilation process that can make the malware more time-consuming to analyze for reverse engineers. Several ransomware developers have released Rust versions of their malware, including BlackCat, Hive, Zeon and most recently RansomExx. Additionally, X-Force has analyzed an ITG23 crypter written in Rust, along with the CargoBay family of backdoors and downloaders. The rising popularity of Rust highlights a continued focus across the ransomware ecosystem on innovating to evade detection.

Vidar InfoStealer

X-Force noted a sudden influx of Vidar InfoStealer malware which began in June 2022 and continued through early 2023. First observed in 2018, Vidar is a malicious information-stealer Trojan, distributed as malware as a service (MaaS). The Trojan is usually executed by users clicking on malicious spam (malspam) links or attachments. Due to its extensive feature set, Vidar can be used to retrieve a wide variety of device information that includes credit card information, usernames, passwords and files, as well as taking screenshots of the user's desktop. Vidar can also steal Bitcoin and Ethereum cryptocurrency wallets.

Attacks through an information stealer (info stealer) are typically financially motivated. The stolen data is analyzed, and any valuable information is collated and organized into a database. This database can then be sold on the dark web or through the private messaging app Telegram. Threat actors may use the information to commit various types of fraud, such as applying for bank loans or credit cards, purchasing items online or making fraudulent health insurance claims.

Threat actors can use compromised login credentials to gain entry to corporate accounts and remote services. The average cost to use an info stealer is approximately USD 250 per month, and it's up to the users to deploy the malware of their choice. X-Force regularly sees marketplaces attempting to sell access captured by info stealer malware for USD 10-75. When access has been obtained, threat actors can easily use the hacked account's privileges as a starting point to initiate further malicious activity.
08 The malware landscape

Evolution of malware delivery mechanisms

It has become increasingly commonplace for malware to be delivered through malicious Microsoft Office documents, usually attached to phishing emails. Malware developers created these documents containing malicious macros designed to execute malware when the document is opened. The use of macros for this purpose became so widespread that Microsoft Office products started including security warnings when opening macro-enabled documents. In July 2022, Microsoft began to block macro execution by default in documents received through email or from the internet.

As defenders increased their detection and prevention capabilities, threat actors began moving away from Visual Basic for Applications (VBA) to an older existing macro format within Microsoft Excel known as Macro 4.0. Malicious Excel documents have been used for quite some time. However, most security mechanisms were built around VBA macros within an Excel document. For a time, Excel Macro 4.0 macros provided a good means of evading detection. Around this same time, some threat actors began sending links within an email to take a victim to a dropper site to download the malicious documents rather than sending them as a mail attachment. As Microsoft made changes to allow administrators to disable Macro 4.0 and also block execution of macros downloaded from the internet, threat actors were forced to change tactics again.

After Microsoft's changes, many malware authors still use macro-enabled Microsoft Office documents, but sophisticated groups adopted a more intricate and complex infection chain. These newer tactics involve a combination of HTML files that have a binary embedded within, or a password-protected compressed file. Those files in turn contain an ISO image, which may contain a LNK file, CMD file or other file types unlikely to be sent to an email recipient or downloaded from the internet. Other tactics include remote template injection or exploitation of vulnerabilities. CVE-2021-40444, a remote code execution vulnerability in Microsoft HTML (MSHTML), is one example where a software component used to render web pages in Microsoft Windows is abused to execute the malware, rather than relying on macros.
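To make the chain just described concrete from the defender's side, here is an added example (written for this edit, not code from the report or from X-Force) that triages the attachments of a raw email message for the indicators the text names: disk-image containers such as ISO or IMG, LNK and script files nested inside archives, password-protected ZIPs, and HTML smuggling. The sample message, the extension lists and the `triage_*` function names are the example's own assumptions; the smuggling check simply looks for a client-side decode-and-download pattern sitting next to a long base64 run, and `_zip_with_flag` only flips the ZIP "encrypted" flag bit to construct a sample that looks password-protected.

```python
import base64
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Attachment classes the report ties to macro-circumvention chains. The extension
# lists are this example's assumptions, not X-Force detection rules.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}     # mounted images: contents carry no MOTW
SCRIPT_EXTS = {".lnk", ".cmd", ".bat", ".js", ".vbs", ".hta"}
MACRO_EXTS = {".doc", ".docm", ".xls", ".xlsm", ".pptm"}
# HTML smuggling: a script decodes an embedded blob and hands it to the browser as a
# download. Look for the decode/download calls alongside a long base64 run.
SMUGGLE_CALLS = re.compile(r"atob\(|new Blob\(|msSaveOrOpenBlob|URL\.createObjectURL", re.I)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def ext_of(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member sets the 'encrypted' general-purpose flag (bit 0)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def zip_member_names(data: bytes) -> list[str]:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Indicators seen for one attachment; an empty list means nothing of note."""
    hits = []
    ext = ext_of(filename)
    if ext in CONTAINER_EXTS:
        hits.append("disk-image-container")
    if ext in SCRIPT_EXTS:
        hits.append("script-or-shortcut")
    if ext in MACRO_EXTS:
        hits.append("macro-capable-office")
    if ext in {".html", ".htm"}:
        text = data.decode("utf-8", "replace")
        if SMUGGLE_CALLS.search(text) and LONG_B64.search(text):
            hits.append("html-smuggling")
    if ext == ".zip":
        if zip_is_encrypted(data):
            hits.append("encrypted-archive")
        for member in zip_member_names(data):
            if ext_of(member) in CONTAINER_EXTS | SCRIPT_EXTS | MACRO_EXTS:
                hits.append(f"nested:{ext_of(member)}")
    return hits


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Attachment filename -> indicators, for every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return {part.get_filename() or "<unnamed>":
            triage_attachment(part.get_filename() or "", part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}


def _zip_with_flag(members: dict[str, bytes], encrypted: bool) -> bytes:
    """Build a ZIP; optionally set the 'encrypted' flag in every header so the sample
    looks password-protected (the data itself stays in the clear; constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):   # local and central headers
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 1)
    return bytes(data)


def build_sample_message() -> bytes:
    """Constructed phishing-style message carrying three attachments to triage."""
    blob = base64.b64encode(b"MZ" + b"\x00" * 300).decode()
    html = ("<html><script>"
            f'var bin = atob("{blob}");'
            "var f = new Blob([bin]); var a = document.createElement('a');"
            "a.href = URL.createObjectURL(f); a.download = 'Invoice.iso'; a.click();"
            "</script></html>")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="Invoice.html")
    msg.add_attachment(_zip_with_flag({"Invoice.lnk": b"L\x00\x00\x00"}, encrypted=True),
                       maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()
```

Run `triage_message(build_sample_message())` to see the HTML attachment flagged for smuggling and the ZIP flagged both as encrypted and for the nested LNK, while the PDF produces no indicator. In a mail gateway the same logic would feed a quarantine or sandbox decision; the point of checking inside the archive is the report's own observation that a container carries the mark of the web but its contents do not.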
08 The malware landscape

Spam data highlights ransomware threat and further illustrates macro trends

X-Force analyzed trends in phishing and spam email to better understand their overall effectiveness and use by threat actors. The investigation found that spam emails have been used regularly throughout the year to deliver malware, such as Emotet, Qakbot, IcedID and Bumblebee, which often lead to ransomware infections.

X-Force identified a surge of Qakbot activity in September 2022 that used HTML smuggling to compromise victims. Those infections are linked to extensive post-compromise activity, including reconnaissance, information gathering and deployment of additional payloads. Unchecked Qakbot infections throughout 2022 led to multiple Black Basta infections. X-Force saw ransomware attacks claimed on the Black Basta ransomware group's leak site markedly decrease during the break in Qakbot's phishing activity in the summer of 2022. X-Force expects the resumption of Qakbot activity will similarly be correlated with higher numbers of ransomware victims.

Malware [10-18]    Ransomware
Trickbot           Conti
Bazarloader        Conti, Diavol
IcedID             Conti, Quantum
Bumblebee          Conti, Diavol, Quantum
Emotet             Conti, BlackCat, Quantum
Qakbot             REvil, Conti, Black Basta
SocGholish         LockBit

The data in this table covers the period from late 2021 to the publication of this report. Italics in the original table indicate that the malware or ransomware was seen in 2022, but has not been observed by X-Force as of at least October 2022.
08 The malware landscape

Circumventing macros

The use of ISO and LNK files has emerged as an important tactic for infecting victim organizations in response to Microsoft's macro changes starting in October 2021. This tactic includes both direct delivery of payloads through those container files and obfuscation of macro-enabled files within them.

– ISO files and compressed files are being used to circumvent the mark of the web (MOTW) attribute that Microsoft uses to decide whether macros in a file received from the internet are blocked. While the ISO or compressed file itself will appear to have been downloaded from the internet, the macro-enabled attachment within it will not, allowing threat actors to continue this attack.

– Another way of getting around macro restrictions is to include payloads directly in LNK files that, when clicked, launch arbitrary commands, mostly used to either download or load the next stages. Prior to early 2022, there was only one such campaign, in February 2021, that used this tactic. X-Force first saw it recurring in late February-March 2022 and now sees it regularly.

Additional trends that X-Force detected in threat actors' spam campaigns include the increased use of encrypted compressed archives as attachments and thread hijacking, as explained here.

– Encrypted compressed attachments, which are more difficult for antivirus software to detect and flag as malicious, were discovered more frequently in 2022. The average number of spam emails with such attachments delivered per week increased ninefold in 2022, compared to 2021 data collected since April of that year.

– Thread hijacking, in which threat actors insert themselves into existing email threads, is a longstanding tactic used to increase spam legitimacy and more effectively entice victims to engage. This tactic saw a marked rise in 2022—when compared to the majority of 2021—and tapered off by the spring, a trend that X-Force assesses is driven in large part by Emotet spamming.
08 The malware landscape

– Emotet returned in November 2021 after the botnet was disrupted in January 2021. It continued activity into 2022, took a nearly four-month break starting mid-July, and returned for nearly two weeks in November 2022.

– The data showed just about twice as many regular attempts per month in 2022 compared to available data since April 2021. Thread hijacking was on an unsteady incline through May 2022, and its decline in the latter half of the year aligns roughly with Emotet's inactivity.

– Spam email leading to Emotet, Qakbot and IcedID made heavy use of thread hijacking. Emotet's return in November 2021 contributed to the unsteady increase through May 2022. The overall decline in the latter half of the year aligns with Emotet's hiatus from July through October and its brief return in November 2022.

– Tracking thread hijacking and accurately distinguishing it from instances of actors simply adding a reply subject line header to a spam email is difficult and likely to become more so. For example, some threat actors have started to remove "Re:" subject line headers, likely because they are aware that these headers can be used to track their activity.

Thread hijacking spam email activity April 2021 – December 2022 (chart of monthly percentages, Q2 2021 through Q4 2022; the individual monthly values are not recoverable from this transcription)

Figure 13: Figures show percentage by month of total thread hijacking attempts detected in X-Force data since April 2021. Source: X-Force
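As an added example of the tracking problem described in the last bullet (editorial example code, not X-Force's tracking logic), the classifier below separates the cases over constructed messages: a reply prefix with no threading headers at all, a reference to a thread the organization never saw, a genuine reply, and a reply into one of the organization's own threads from an address that never took part in it. The thread index, the message samples and the category names are assumptions of the example; the last category fires whether or not the subject still carries "Re:", which is the reason to key on In-Reply-To and References rather than on the subject line.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# "Re:", "Fwd:" and common localised variants; a prefix alone proves nothing.
REPLY_PREFIX = re.compile(r"^\s*(?:(?:re|fwd?|aw|sv|wg)\s*:\s*)+", re.I)
MSG_ID = re.compile(r"<[^<>\s]+>")

# Message-ID -> addresses that took part in that thread. In practice this is built
# from the organisation's own mail store; the entries here are constructed.
ThreadIndex = dict[str, set[str]]
SAMPLE_INDEX: ThreadIndex = {
    "<20221103.1@corp.example>": {"alice@corp.example", "bob@partner.example"},
}

# Constructed test messages (minimal RFC 822 text).
SAMPLE_MESSAGES = {
    "genuine reply": (
        "From: Bob <bob@partner.example>\nTo: alice@corp.example\n"
        "Subject: Re: Q3 contract\nIn-Reply-To: <20221103.1@corp.example>\n\nLooks good.\n"),
    "hijacked thread": (
        "From: Bob <bob.partner@webmail.invalid>\nTo: alice@corp.example\n"
        "Subject: Re: Q3 contract\nReferences: <20221103.1@corp.example>\n\nSee attached.\n"),
    "hijacked thread, prefix removed": (
        "From: Bob <bob.partner@webmail.invalid>\nTo: alice@corp.example\n"
        "Subject: Q3 contract\nReferences: <20221103.1@corp.example>\n\nSee attached.\n"),
    "fake reply prefix": (
        "From: billing@promo.invalid\nTo: alice@corp.example\n"
        "Subject: RE: Invoice 4471\n\nOpen the attachment.\n"),
    "reply to unknown thread": (
        "From: billing@promo.invalid\nTo: alice@corp.example\n"
        "Subject: Re: your order\nIn-Reply-To: <x1@elsewhere.invalid>\n\nHi.\n"),
    "ordinary new message": (
        "From: carol@corp.example\nTo: alice@corp.example\nSubject: Lunch?\n\n12:30?\n"),
}


def referenced_ids(msg: Message) -> list[str]:
    """Message-IDs named by In-Reply-To and References, in header order."""
    ids: list[str] = []
    for header in ("In-Reply-To", "References"):
        ids.extend(MSG_ID.findall(msg.get(header, "")))
    return ids


def classify(raw: str, index: ThreadIndex) -> str:
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "")
    refs = referenced_ids(msg)

    if not refs:
        # No threading headers: a reply prefix is cosmetic, not evidence of a thread.
        return "reply-prefix-without-thread" if REPLY_PREFIX.match(subject) else "new-message"

    known = [index[r] for r in refs if r in index]
    if not known:
        return "unknown-thread-reference"

    participants = set().union(*known)
    if sender in participants:
        return "legitimate-reply"
    # One of our real threads, answered from an address that never took part in it.
    return "thread-hijack-candidate"


def run_sample() -> dict[str, str]:
    return {label: classify(raw, SAMPLE_INDEX) for label, raw in SAMPLE_MESSAGES.items()}
```

`run_sample()` returns one category per constructed message. The "thread-hijack-candidate" verdict is the one worth alerting on in a gateway, since it requires the sender to hold a Message-ID that only a participant's mailbox could have supplied; the "reply-prefix-without-thread" verdict is ordinary spam dressing and is better used for statistics than for blocking.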
09 Threats to OT and industrial control systems

Threats to operational technology

2022 saw the discovery of two new OT-specific pieces of malware, Industroyer2 and INCONTROLLER, also known as PIPEDREAM, and the disclosure of many OT vulnerabilities collectively called OT:ICEFALL. The OT cyberthreat landscape is expanding dramatically, and OT asset owners and operators need to be keenly aware of the shifting landscape.

X-Force looked more closely at OT-specific network attack and IR data to help derive insights on how threat actors are seeking to compromise clients in OT-related industries. Network attack data shows that brute force attacks, use of weak and outdated encryption standards and weak or default passwords are common alerts in these industries' IT and OT environments.

Alerts indicating probable brute force attempts were most common among industrial control system (ICS)-specific network attack data, followed closely by weak encryption alerts. The most common alerts for weak encryption concerned the continued use of Transport Layer Security (TLS) 1.0, an outdated and insecure encryption protocol deprecated in March 2021. Though the US government recommends reconfiguration to use TLS 1.2 or 1.3, National Institute of Standards and Technology (NIST) guidelines address in more depth the common reality. This reality is that older systems may need to continue using weaker versions of encryption to ensure continued functionality. Weak or default password alerts were also notable, especially given these are basic vulnerabilities that make brute force attacks easier for attackers.

Widespread and likely indiscriminate internal and external vulnerability scanning was the most common attack attempt against OT-related industries. The data revealed that old vulnerabilities and threats are still relevant today. A group of vulnerabilities discovered in 2021 by Cisco Talos in Advantech R-SeeNet monitoring software triggered a slim majority of vulnerability scanning alerts across OT industries in 2022. These vulnerabilities could allow attackers to execute arbitrary code or commands. The second most common vulnerability, however, dates back to 2016—a filter bypass vulnerability in the Trihedral VTScada application, CVE-2016-4510, that could allow unauthenticated users to send HTTP requests to access files. Further highlighting the risks of older threats are attack types like WannaCry and Conficker, which continue to pose significant threats to OT.

Manufacturing continues to be the most targeted OT industry

Looking at the subset of incidents in OT-related industries, manufacturing was the most attacked in 2022, according to the data. The industry was victimized in 58% of incidents X-Force assisted in remediating. Deployment of backdoors was the top action on objective, identified in 28% of cases in the manufacturing sector. Ransomware actors in particular find this industry to be an attractive target, likely due to these organizations' low tolerance for downtime.
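The weak encryption alert described on these pages reduces to reading the version and cipher suite a server actually negotiated. The added example below (written for this edit, not part of the report or of any X-Force tool) parses a TLS ServerHello record, honours the supported_versions extension through which TLS 1.3 announces itself, and returns the alert lines a passive monitor would raise. The cipher suite numbers are the IANA registry values; `build_server_hello` constructs the test records and is not a real capture.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# A few suites whose negotiation is an alert on its own (IANA registry values).
WEAK_SUITES = {0x0000: "TLS_NULL_WITH_NULL_NULL", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
               0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
EXT_SUPPORTED_VERSIONS = 43


def parse_server_hello(record: bytes) -> dict:
    """Negotiated version and cipher suite from one TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if not body or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    (version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                                  # server_version + random
    pos += 1 + hello[pos]                         # legacy_session_id
    (suite,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + 1                                  # cipher_suite + compression_method
    # TLS 1.3 leaves legacy_version at 0x0303 and announces 1.3 in supported_versions.
    if pos + 2 <= len(hello):
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                (version,) = struct.unpack("!H", hello[pos:pos + 2])
            pos += ext_len
    return {"version": version,
            "version_name": TLS_VERSIONS.get(version, hex(version)),
            "cipher_suite": suite}


def weak_encryption_alerts(record: bytes) -> list[str]:
    """Alert lines a network monitor would raise for the session this ServerHello sets up."""
    info = parse_server_hello(record)
    alerts = []
    if info["version"] < 0x0303:
        alerts.append(f"deprecated protocol negotiated: {info['version_name']}")
    if info["cipher_suite"] in WEAK_SUITES:
        alerts.append(f"weak cipher suite: {WEAK_SUITES[info['cipher_suite']]}")
    return alerts


def build_server_hello(version: int, suite: int, supported_version: int = 0) -> bytes:
    """Constructed ServerHello record for testing; the random is a fixed filler."""
    hello = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", suite) + b"\x00")
    if supported_version:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
        hello += struct.pack("!H", len(ext)) + ext
    else:
        hello += b"\x00\x00"                      # empty extensions block
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(body)) + body
```

`weak_encryption_alerts(build_server_hello(0x0301, 0x000A))` yields both a deprecated-protocol and a weak-suite alert, while a TLS 1.2 session with an AES-GCM suite yields none. For the legacy devices the report mentions, the alert output is also the natural input to an exception list: record which OT hosts still need TLS 1.0, and alert on everything else.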
09 Threats to OT and industrial control systems

Looking at initial access vectors across cases in OT-related industries, spear phishing accounted for 38% of cases, including use of attachments at 22%, use of links at 14% and spear phishing as a service at 2%. Exploitation of public-facing applications took second place at 24%, following the broader industrywide trend. Detection of backdoors also led among these industries' incidents in 20% of cases, followed by ransomware at 19%. Extortion also remains first among impacts at 29%, with data theft close behind in 24% of cases.

Another major vulnerability exploited in OT is the lack of proper segmentation between OT and IT networks. The team at X-Force Red Adversary Simulation Services regularly targets weak segmentation to gain access to isolated OT environments. Common targets include jump servers, dual-homed operator workstations and reporting servers, such as data historians that expose web and SQL services from OT to corporate IT networks. Properly segmenting these portions of your networks and closely monitoring communication across them can keep assets safe.

OT industries targeted in 2022

Manufacturing                 58%
Energy                        17%
Oil and gas                   10%
Transportation                10%
Heavy and civil engineering    2%
Mining                         2%
Water utilities                1%

Figure 14: Proportion of IR cases by OT-related industry to which X-Force responded in 2022. Source: X-Force
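An added example of reviewing segmentation the way the paragraph above recommends (editorial code, not X-Force Red's tooling): a constructed host and rule model is checked for IT-to-OT rules that bypass the jump hosts, historian web or SQL services reachable directly from IT, and dual-homed hosts that bridge the two zones outside the firewall. Host names, zones, ports and the rule format are the example's own assumptions; a real review would load the same model from the firewall's rule export and the asset inventory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permitted flow in a firewall policy (constructed model, not a vendor format)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Host -> set of zones its interfaces sit in. A host in both sets is dual-homed.
HOSTS = {
    "jump01": {"IT"},
    "eng-ws7": {"IT"},
    "erp01": {"IT"},
    "hist01": {"OT"},
    "plc-line3": {"OT"},
    "hmi-op2": {"OT", "IT"},
}
JUMP_HOSTS = {"jump01"}
# Services a historian or reporting server typically exposes toward corporate IT.
REPORTING_PORTS = {80: "http", 443: "https", 1433: "mssql", 5432: "postgres"}

# Constructed policy under review.
RULES = [
    Rule("jump01", "hist01", 3389),     # RDP into OT through the jump host: the intended path
    Rule("eng-ws7", "plc-line3", 502),  # engineering workstation straight to a PLC (Modbus/TCP)
    Rule("erp01", "hist01", 1433),      # ERP pulling directly from the historian's SQL service
    Rule("hist01", "plc-line3", 502),   # historian polling the PLC: stays inside OT
]


def crosses_it_to_ot(rule: Rule, hosts: dict) -> bool:
    return "IT" in hosts.get(rule.src, set()) and "OT" in hosts.get(rule.dst, set())


def review(rules: list, hosts: dict, jump_hosts: set) -> list[str]:
    """Findings for every IT-to-OT path that bypasses the jump hosts, every OT
    reporting service reachable from IT, and every dual-homed host."""
    findings = []
    for r in rules:
        if not crosses_it_to_ot(r, hosts):
            continue
        flow = f"{r.src} -> {r.dst}:{r.dport}/{r.proto}"
        if r.src not in jump_hosts:
            findings.append(f"{flow}: direct IT-to-OT path bypasses jump hosts {sorted(jump_hosts)}")
        if r.dport in REPORTING_PORTS:
            findings.append(f"{flow}: OT reporting service ({REPORTING_PORTS[r.dport]}) exposed to IT")
    for host, zones in hosts.items():
        if {"IT", "OT"} <= zones:
            findings.append(f"{host}: dual-homed host bridges IT and OT outside the firewall")
    return findings
```

`review(RULES, HOSTS, JUMP_HOSTS)` reports the engineering workstation's direct Modbus path, the ERP's direct SQL access to the historian (twice: once as a bypass, once as an exposed reporting service) and the dual-homed HMI, and stays silent on the jump-host RDP rule and the intra-OT polling rule. The findings map onto the paragraph's remediation: route the flagged flows through the jump host or a dedicated data diode/relay in the DMZ, and monitor whatever crosses the boundary.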
10 Geographic trends

For the second year in a row, the Asia-Pacific region holds the top spot as the most-attacked region in 2022, accounting for 31% of the incidents to which X-Force IR responded. Europe followed closely behind with 28% of attacks and North America saw 25% of incidents. Asia-Pacific and Europe saw higher proportions of cases, increasing five percentage points and four percentage points respectively from 2021 figures, with a significant drop in the Middle East from 14% to 4%.

Incidents by region 2020 – 2022

Region           2022    2021    2020
Asia-Pacific      31%     26%     25%
Europe            28%     24%     31%
North America     25%     23%     27%
Latin America     12%     13%      9%
Middle East        4%     14%      8%

Figure 15: Proportion of IR cases by region to which X-Force responded from 2020-2022. Source: X-Force