A massive review of cyber incidents and related data from 2022 identified common denominators among the vulnerabilities and cyber risks observed.
Drawing on one of the cybersecurity industry’s largest and most diverse global data sets, spanning email, cloud and mobile computing and sourced from more than 2.6bn email messages, 49bn URLs, 1.9bn attachments, 28m cloud accounts, 1.7bn suspicious SMS messages and other data, a cybersecurity firm has produced a report on how humans were a critical factor in 2022’s cyber threat landscape.
Citing techniques ranging from multi-factor authentication (MFA) bypass, to telephone-oriented attack delivery, to conversational threats that relied solely on the attacker’s charm, the report asserted that 2022 was a year of unprecedented creativity among threat actors, who varied their attack chains and rapidly tested and discarded delivery mechanisms.
Key findings in the report include:
- Changes to the Microsoft Office macro abuse landscape: After almost three decades of service as a popular malware distribution method, Office macros finally began to decline in use after Microsoft updated how its software handles files downloaded from the web. The changes set off an ongoing flurry of experimentation by threat actors in 2022 to seek alternative techniques to compromise targets.
- Conversational scams: Smishing and pig butchering threats surged in the 2022 data analyzed; in the mobile space, their volume increased twelvefold. Telephone-oriented attack delivery (TOAD) peaked at 13m messages per month. Several state-sponsored APT actors invested significant time in these conversational threats.
- More off-the-shelf MFA bypass phish kits: Kits such as EvilProxy, Evilginx2 and NakedPages have enabled even non-technical criminals to spin up a phishing campaign, accounting for more than a million phishing messages per month in the data set analyzed.
- Many cloud-based attacks occurred in legitimate infrastructure: Most organizations faced threats originating from the cloud giants Microsoft and Amazon, whose infrastructure hosts countless legitimate services that organizations relied upon.
- Novel distribution methods: The threat actors behind SocGholish (TA569) had increasingly been able to infect websites to deliver malware exclusively through drive-by downloads, tricking victims into downloading it via fake browser updates. Many sites hosting the SocGholish malware were unaware they were hosting it, further proliferating its delivery.
- More cloud threats detected: 94% of cloud tenants were targeted every month in the 2022 data by either a precision or a brute-force cloud attack, a frequency on a par with the email and mobile vectors. The number of brute-force attacks, notably password spraying, had increased from a monthly average of 40m in 2022 to nearly 200m in early 2023.
- Top two abused brands: Microsoft products and services occupied four of the top five positions for abused brands, with Amazon being the most abused brand in the data analyzed.
- Breaking in through shadow admin privileges: As many as 40% of misconfigured, or “shadow”, admin identities can be exploited in a single step, such as resetting a domain password to elevate privileges. A further 13% of shadow admins in the data analyzed were found to already have domain admin privileges, allowing attackers to harvest credentials and access corporate systems. Around 10% of endpoints had an unprotected privileged account password, and 26% of those exposed accounts were domain admins.
- Emotet roared back as the world’s most prominent threat actor: One year after law enforcement took the botnet offline in January 2021, the threat group sent over 25m messages in the 2022 data set analyzed, more than double the volume of the second most prominent threat actor.
- Financially driven crime largely dominated the 2022 threat landscape: Even so, a single outlier attack by an Advanced Persistent Threat (APT) actor can have a massive impact. One large campaign by TA471, a Russia-linked APT group that engages in both corporate and government espionage, propelled that actor to the top of the APT message volume charts. TA416, an APT actor aligned with China, was also one of the most active; its significant new campaigns coincided with the start of the Russia-Ukraine war and targeted European diplomatic entities involved in refugee and migrant services.
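To make the password-spraying figure in the “More cloud threats detected” item concrete from the defender’s side, here is an added example (not from the report or from Proofpoint) that classifies failed sign-ins in a constructed log sample by source address: one source producing a failure or two against many distinct accounts inside a short window is the spraying signature, whereas many failures piled onto a single account is ordinary brute force. The log format, the IP addresses and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in events (not real telemetry): 203.0.113.7 sprays one
# guess across many accounts, 198.51.100.9 hammers one account, 192.0.2.4 is a typo.
SAMPLE_LOG = """\
2023-02-01T09:00:01Z FAIL user=alice src=203.0.113.7
2023-02-01T09:00:02Z FAIL user=bob src=203.0.113.7
2023-02-01T09:00:04Z FAIL user=carol src=203.0.113.7
2023-02-01T09:00:05Z FAIL user=dave src=203.0.113.7
2023-02-01T09:00:10Z FAIL user=admin src=198.51.100.9
2023-02-01T09:00:11Z FAIL user=admin src=198.51.100.9
2023-02-01T09:00:12Z FAIL user=admin src=198.51.100.9
2023-02-01T09:00:13Z FAIL user=admin src=198.51.100.9
2023-02-01T09:00:20Z FAIL user=grace src=192.0.2.4
2023-02-01T09:00:25Z OK user=grace src=192.0.2.4
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse_failures(text):
    """Return (timestamp, user, src) tuples for every FAIL line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "FAIL":
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            out.append((ts, m.group(3), m.group(4)))
    return out

def classify_sources(text, window=timedelta(minutes=10),
                     spray_users=4, spray_max_per_user=2, brute_tries=4):
    """Label each source IP: 'spray' (many distinct accounts, few tries each
    inside one window, the password-spraying signature), 'brute_force' (many
    tries on one account) or 'benign'. Thresholds are assumptions to tune."""
    per_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        per_src[src].append((ts, user))
    verdicts = {}
    for src, events in per_src.items():
        events.sort()
        verdict = "benign"
        for i, (start, _) in enumerate(events):
            counts = Counter(u for ts, u in events[i:] if ts - start <= window)
            if len(counts) >= spray_users and max(counts.values()) <= spray_max_per_user:
                verdict = "spray"
                break
            if max(counts.values()) >= brute_tries:
                verdict = "brute_force"
        verdicts[src] = verdict
    return verdicts
```

Successful sign-ins are ignored deliberately: a spray that eventually lands a valid password still shows the many-accounts, few-tries pattern in the failures that precede it.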
According to Ryan Kalember, Executive Vice President (Cybersecurity Strategy), Proofpoint, Inc., the firm that produced the report: “As security controls have slowly improved, threat actors have innovated and scaled their bypasses. Once the domain of red teams, techniques like MFA bypass and telephone-oriented attack delivery, for example, are now commonplace. While many threat actors are still experimenting, what remains the same is that attackers exploit people, and (people) are the most critical variable in today’s attack chain.”