Transportation sector targeted by both ransomware and APTs

Trellix released The Threat Report: Fall 2022 from its Advanced Research Center, which analyzes cybersecurity trends from the third quarter (Q3) of 2022.

The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat (APT) actors. It examines malicious cyberactivity including threats to email, the malicious use of legitimate third-party security tools, and more.

Q3 cybersecurity trends

• US ransomware activity leads the pack: In the US alone, ransomware activity increased 100% quarter over quarter in transportation and shipping. Globally, transportation was the second most active sector (following telecom). APTs were also detected in transportation more than in any other sector.
• Germany saw the highest detections: Not only did Germany generate the most threat detections related to APT actors in Q3 (29% of observed activity), but they also had the most ransomware detections. Ransomware detections rose 32% in Germany in Q3 and generated 27% of global activity.
• Emerging threat actors scaled: The China-linked threat actor, Mustang Panda, had the most detected threat indicators in Q3, followed by Russian-linked APT29 and Pakistan-linked APT36.
• Ransomware evolved: Phobos, a ransomware sold as a complete kit in the cybercriminal underground, has avoided public reports until now. It accounted for 10% of global detected activity and was the second most used ransomware detected in the US. LockBit continued to be the most detected ransomware globally, generating 22% of detections.
• Old vulnerabilities continued to prevail: Years-old vulnerabilities continue to be successful exploitation vectors. Trellix observed Microsoft Equation Editor vulnerabilities comprised by CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 to be the most exploited among malicious emails received by customers during Q3.
• Malicious use of Cobalt Strike: Trellix saw Cobalt Strike used in 33% of observed global ransomware activity and in 18% of APT detections in Q3. Cobalt Strike, a legitimate third-party tool created to emulate attack scenarios to improve security operations, is a favorite tool of attackers who repurpose its capabilities for malicious intent.

“So far in 2022, we have seen unremitting activity out of Russia and other state-sponsored groups,” said John Fokker, Head of Threat Intelligence, Trellix. “This activity is compounded by a rise in politically motivated hacktivism and sustained ransomware attacks on healthcare and education. The need for increased inspection of cyberthreat actors and their methods has never been greater.”