New Threat Report from Deep Instinct Identifies Gang Changes, New Tactics, and New Victims in 2022

Deep Instinct, the first company to apply end-to-end deep learning to cybersecurity, today released its 2022 Bi-Annual Cyber Threat Report. The newest edition of the report focuses on the top malware and ransomware trends and tactics from the first half of 2022 and provides key takeaways and predictions for the ever-evolving cybersecurity threat landscape.

“2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defenses,” said Mark Vaitzman, Threat Lab Team Leader at Deep Instinct. “The goal of this report is to outline the wide range of challenges that organizations and their security teams face daily. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.”

Report findings include the following key takeaways:

  1. Changes in threat actor structure: Some of the most prevalent activities observed include changes within the world of ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of Quantum, BlackBasta, and BlackByte. These three prominent former affiliate groups to the Conti operation emerged under their own operations following the decline of Conti.
  2. Malware campaigns in flux: The report highlights the reasons behind significant changes to Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.
  3. As Microsoft shuts down one avenue, bad actors open others: Deep Instinct’s researchers found that malicious documents, previously the number one attack vector, have declined in use following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already been seen shifting gears and implementing other methods to deploy their malware, such as LNK, HTML, and archive email attachments.
  4. Major exploitable vulnerabilities: Vulnerabilities such as SpoolFool, Follina, and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security. Analysis of CISA’s published known exploited vulnerability catalog suggests that the number of exploited in-the-wild vulnerabilities spikes every 3-4 months and we’re expecting the next spike as we get closer to the end of the year.
  5. Data exfiltration attacks are now extending to third parties: Threat actor groups are utilizing data exfiltration within their attack flows in order to demand ransom for the leaked data. Once sensitive data has been exfiltrated there are fewer remediation options, so many threat actors are going even further and demanding ransoms from third-party companies if the leaked data contains their sensitive information.

Not surprisingly, ransomware attacks remain a serious threat to organizations, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.

The report also makes three specific predictions:

  • Insiders and affiliate programs: Malicious threat actors look for the weakest link. With continued innovations in cybersecurity, some threat actors choose to locate weak targets or simply pay an insider. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organization.
  • Protestware on the rise: Protestware, which can be defined as self-sabotaging one’s own software and weaponizing it with malware capabilities in an effort to harm all or some of its users, is an increasingly common phenomenon. The war between Russia and Ukraine caused a surge in protestware, with the most notable example being the node-ipc wiper, a popular NPM package. Such supply chain attacks are not easy to spot and are usually detected only after affecting several victims.
  • End-of-year attacks: While we have not yet heard of a major vulnerability in 2022 similar to the Log4J or Exchange cases in 2021, there is a year-over-year increase in the number of publicly assigned CVEs for reported vulnerabilities. Threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of systems left unpatched against 2021 CVEs.

For more information on the current state of the cybersecurity threat landscape and how it will continue to evolve, please visit: https://www.deepinstinct.com/cyber-threat-reports.