New Trellix threat report throws light on evolution of Russian cybercrime, US ransomware, email security trends

Cybersecurity company Trellix has, in its latest report, provided details on the evolution of Russian cybercrime, threats to critical infrastructure, and email security, alongside recent research into vulnerabilities found in building access control systems and risks unique to connected healthcare. It also said that business services have emerged as the top target for ransomware attacks.

In its ‘The Threat Report: Summer 2022’ report, Trellix analyzes cybersecurity trends and attack methods from the first quarter of 2022. “Per public attribution, Russian cybercriminal groups have always been active. Their tactics, techniques, and procedures (TTPs) have not significantly evolved over time, although some changes have been observed. Lately, the threat landscape has changed, as multiple domains have partially merged. This trend was already ongoing, but the increased digital activity further accelerated and exposed said trend,” it added.

Trellix has historically had a significant customer base in Ukraine. When the cyberattacks targeting the country intensified, it coordinated closely with government and industry partners to provide greater visibility into the evolving threat landscape. “We have been eager to support the region against malicious cyber activity and have been able to go beyond sharing knowledge to also provide a wide range of security appliances at no cost in the affected region,” it added.

To support customers and the people of Ukraine, Trellix Threat Labs coordinated with multiple government institutions to provide them with the necessary telemetry insights, intelligence briefings, and analysis of the malware tools used by Russian actors. In addition, in coordination with RSA, the Trellix Threat Labs team released its research on the Russian cybercriminal evolutions over time, the impact of a (cyber) war, and observed organization and activity.

The report includes detailed research on the impact of the cyberwar that followed the Russian invasion and on many of the cyber groups and campaigns associated with the conflict. For example, it covers phishing of the Ukrainian Ministry of Defense, Gamaredon, wipers, targeted Exchange servers, UAC-0056, APT28, and Double Drop.

Trellix reported that business services accounted for 64 percent of total ransomware detections among the top 10 sectors in the U.S. during the first quarter of this year. It also disclosed that non-profits ranked a distant second among ransomware detections. Telecom led the global customer sector ransomware category with 53 percent of detections among the top-10 sectors for the second consecutive quarter.

Lockbit was the most prevalent ransomware family, used in 26 percent of top-10 queries in the U.S. during the first quarter, ahead of Conti at 13 percent, BlackCat recording 11 percent, and Ryuk accounting for 10 percent of attacks. Overall, ransomware family detections were down in the first quarter of this year. Lockbit accounted for 20 percent of top-10 ransomware tool queries, followed by Conti at 17 percent, and Cuba at 14 percent during the fourth quarter of 2021. “However, queries of all three Q4 category prevalence leaders – Lockbit (-44%), Conti (-37%), and Cuba (-55%) – decreased in Q1 of 2022 when compared to Q4 of 2021,” the report added.

“Cobalt Strike was the malware tool used in 32% of top-10 U.S. ransomware queries in Q1 2022, reaching a prevalence equal to RCLONE (12%), BloodHound (10%), and Bazar Loader (10%) combined,” according to Trellix.

Trellix assessed that the critical infrastructure sector continues to represent one of the most enticing targets for criminals worldwide and in cyber warfare. “This industry is plagued by legacy systems and riddled with trivial hardware and software flaws, configuration issues, and exceptionally sluggish update cycles. Yet, behind this façade are many of the most essential systems we rely on, from fuel pipelines to water treatment, energy grids to building automation, defense systems, and much more,” it added.

One often-overlooked area of industrial control systems (ICS) is access control, part of the building automation framework. Access control systems are commonplace, de facto solutions that provide automation and remote management for card readers and entry/exit points to secure locations. In its ‘Cost of a Data Breach Report’ released last July, IBM Security determined that the average cost of a physical security compromise is US$3.54 million, and it takes an average of 223 days to identify a breach. The stakes are high for organizations that rely on access control systems to ensure the security and safety of facilities.

Trellix Labs recently unveiled research into one such system, a widely deployed access control panel by HID Mercury. Numerous OEM vendors rely on Mercury boards and firmware to implement their access control solutions. “Our team shared our findings at Hardwear.io in Santa Clara on June 9, 2022, and will be featured at BlackHat this summer as well. Their findings highlighted four zero-day vulnerabilities and four previously patched vulnerabilities, never published as CVEs, with the top two leading to remote code execution and arbitrary reboot, completely unauthenticated. This means attackers on a building network could remotely lock and unlock doors, and avoid detection via the management software,” it added.

The researchers prepared a blog highlighting the findings and will release a multi-part technical deep dive coinciding with BlackHat, Trellix said. “Furthermore, they filmed a demonstration video of the attack, using two of the vulnerabilities to compromise a production cloned access control system in their lab,” it added.

The Trellix report said that medical devices and software are falling short in fundamental security practices such as credential handling and are rife with RCE vulnerabilities. “This is enticing to cybercriminals and we must be on our guard to prevent further attacks as it won’t be an ignored attack surface forever. All stakeholders must acknowledge that the large selection of authentication vulnerabilities indicates the medical space needs more research, both internally and externally, to harden these devices.”

“It’s not simply management systems and other web-based applications we need to focus on, but any network-connected medical device needs to be accessed,” Trellix said in the report. “Currently it doesn’t appear that these devices are being targeted by malicious actors but this doesn’t mean we can relax. There have been plenty of RCE vulnerabilities to choose from and public exploit code for re-use.”

While attackers are using other methods to attack hospitals and clinics, they will search for easier access when those methods run dry, Trellix said in the report. “Society as a whole cannot allow medical devices and software to continue to be a weak point for attackers to exploit and therefore should encourage both internal and external security testing across developers and researchers alike,” it added.

Trellix also tracks and monitors nation-state campaigns and their associated indicators and techniques. Its research covers threat actors, tools, client countries, customer sectors, and MITRE ATT&CK techniques from the first quarter of this year. APT36 was the most active APT group during the period, while nation-state activity in Turkey accounted for 31 percent of the top 10 detections among client countries, followed by Israel at 18 percent, the U.K. at 11 percent, Mexico at 10 percent, and the U.S. at eight percent.

Email telemetry analysis from the first quarter of the year revealed phishing URLs and malicious document trends in email security, Trellix said. “Most of the malicious emails detected contained a phishing URL used to either steal credentials or lure the victims to download malware. Next in popularity, we identified emails with malicious documents such as Microsoft Office files or PDFs attached. These documents contain macros that work as downloaders or exploits that result in the attacker gaining control of the victim system. Lastly, we encounter several emails with malicious executables like infostealers or trojans attached,” it added.