Regionally, according to the firm’s user base data, activities by state-sponsored and organized threat groups originating from China had eclipsed those of state-sponsored groups operating from Russia and North Korea. Also:

• Generative AI was a double-edged sword, with the data showing threat actors exploiting it to create convincing phishing content with 10–15% higher click-through rates; develop malware faster, and circumvent authentication and identity verifications by synthetically generating imagery and voice representations.
• Cyber defenders were also leveraging generative AI and other forms of AI to enhance their own efficiency and effectiveness to accelerate the resolution of low-level cyberattacks, freeing up defenders to focus on more complex issues.
• Regional threats and trends:

  • Indonesia: The top two exploited vulnerabilities in the firm’s user base were CVE-2017-0199 (Arbitrary Code Execution on Microsoft Office 2007 to 2016 and Windows Vista SP2 to Windows 8.1 and Windows Server 2008 SP2) and CVE-2006-1540 (Denial of Service and Arbitrary Code Execution on Microsoft Office 2000 to 2003).

    The Government, Financial Services, Insurance (FSI), and Commercial industry groups were the top industries targeted by threat actors. With the series of cyberattacks performed by the Desorden threat group, the Commercial industry group was significantly battered. Many of these attacks were contributed by organized crime group attacks through data breaches and ransomware attacks, notably on SMEs in the cyber supply chain leading to the newsworthy incidents

  • Hong Kong: The firm’s SAR users saw sustained cyberattacks from menuPass and Operation Dragon Castling threat groups, a state-sponsored threat group and an organized crime threat group respectively — both associated with China.

    In the context of cryptocurrency exchanges, for which Hong Kong is an emerging hub, the cryptocurrencies are attractive to financially motivated threat groups targeting weaknesses in the cryptocurrency services infrastructure and wallets to steal cryptocurrency or to support money laundering.

  • Malaysia: The highest exploited vulnerabilities were fairly consistent with the top vulnerabilities observed from the firm’s data in 2021 and 2013. This may indicate that threat actors were leveraging the Malaysia digital attack surface to testbed the vulnerabilities before using them at scale at more mature territories. The continued focused exploitation attempts on CVE-2021-44228, the Apache Log4j arbitrary code execution vulnerability, indicate that the threat actors were seeing a higher return on investments for exploiting this vulnerability. This suggests that organizations in Malaysia are still playing catch-up in patching the vulnerabilities which are now more than a year old.

  • Singapore: The highest exploited vulnerabilities were not necessarily the latest published vulnerabilities or zero days exploits but vulnerabilities dating as far back as 2006. This indicates that threat actors were still optimistic in finding old, unpatched vulnerabilities to compromise for higher return-on-investment, demonstrating the poor cyber hygiene in victim organizations. The avoidance of more current vulnerabilities may point towards the assumption that patch management frequencies were generally higher in Singapore compared to the rest of the region due to compliance and regulations.

    The Healthcare and Transport industries in the country rose into the top targeted industries, together with the Oil and Gas sector.

  • South Korea: The country saw sustained cyberattacks from North Korea-based threat groups. In 2022, Roaming Mantis started compromising domestic Wi-Fi routers and Android smartphone users to create opportunities for surveillance and data exfiltration.

    Of the threat groups, Kimsuky, Lazarus Group and were material threat groups demonstrating the three elements of Intent, Capability and Opportunity. Kimsuky and its affiliate, Lazarus Group, have been known to target South Korea, and have been observed to leverage domestic software vulnerabilities, phishing campaigns and Ransomware to compromise their victims.

    Exploitation of CVE-2021-44228, an Apache Log4j arbitrary code execution vulnerability, indicates that threat actors were still seeing some utility and return on investments in exploiting it in South Korea. Also, old vulnerabilities related to Microsoft productivity solutions and operating systems were being targeted.