Tackling the Growing and Evolving Digital Attack Surface 2022 Midyear Cybersecurity Report

According to our Trend Micro Smart Protection Network (SPN) platform, Emotet detections soared in the first six months of 2022 with 148,701 detections compared to the 13,811 detections in the first half of the previous year. Based on our telemetry, Japan was the country with the highest number of detections.

Source: Trend Micro Smart Protection Network

Source: Trend Micro Smart Protection Network

Ransomware-as-a-service (RaaS) schemes were also prevalent during this period. This model allows developers’ affiliates — even ones without significant technical knowledge — to purchase or rent ransomware tools and infrastructures to make attacks even more sophisticated. Based on available data for the first half of 2022, there were 67 active RaaS and extortion groups with over 1,200 victim organizations. 

The numbers of active RaaS and extortion groups and the number of victim organizations of successful ransomware attacks in the first half of 202

Source: RaaS and extortion groups’ leak sites

Our SPN data also shows that LockBit, Conti, and BlackCat were the three ransomware families that stood out in the RaaS arena in terms of detections.

Source: Trend Micro Smart Protection Network

The pervasiveness of cloud misconfiguration and cryptocurrency-mining attacks

Cloud-based containers have been integral to the digital transformation strategies of organizations worldwide. Unfortunately, because of containers’ ubiquity and tendency to be misconfigured, malicious actors continue to target them in varied and evolutionary attacks.

A survey conducted by Red Hat in May 2022 further proves just how substantial the misconfiguration problem in organizations is. 300 DevOps, engineering, and security professionals comprised the respondents, 53% of whom shared that they detected a misconfiguration in their containers and/or Kubernetes deployments.

In May 2022, we investigated Kubernetes clusters that were publicly exposed via port 10250 and saw over 243,000 exposed cluster nodes via Shodan. It should be noted that almost 600 nodes returned the “200 – OK” notification, which attackers could exploit by installing and running malicious programs on the kubelet API.

Aside from abusing publicly exposed Kubernetes clusters, cybercriminals also continued to steal cryptocurrency-mining capabilities from victims’ resources in the first half of the year. We determined the five most prominent actor groups in the cryptocurrency-mining space based on research we conducted last year and published earlier this year: Outlaw targets internet-of-things (IoT) devices and Linux cloud servers by exploiting known vulnerabilities or performing brute-force Secure Shell Protocol (SSH) attacks, while TeamTNT is one of the most technically proficient threat actors focused on cryptocurrency mining. Kinsing is known for quickly abusing new exploits (including the Log4Shell vulnerability) in a short period, while 8220 is known for exploiting Oracle WebLogic vulnerabilities. Finally, Kek Security is a relatively new group that uses sophisticated techniques and integrates new exploits in its attacks.

Protecting organizations from sophisticated and complex threats amid an expanding attack surface

Two years after the onset of a global health crisis, many organizations around the world have started to return to their offices, while the rest have opted for a hybrid or a permanent remote work setup. To keep interconnected working environments and new tools and technologies secure, cybersecurity teams require a strong and unified cybersecurity strategy that can cover the burgeoning digital attack surface. Read our midyear cybersecurity report, “Defending the Expanding Attack Surface,” to learn more about the threat landscape in the first half of 2022 and gain critical insights on security protocols and best practices.