Cybercriminals return to business as usual in a post-pandemic world

After two years of pandemic-induced disruption, 2022 was a return to business as usual for the world’s cybercriminals, according to Proofpoint.

post-pandemic threat landscape

As COVID-19 medical and economic programs began to wind down, attackers had to find new ways to make a living by honing their social engineering skills, commoditising once-sophisticated attack techniques, and creatively searching for new opportunities in unexpected places.

Creativity among threat actors

From scaling brute-force and targeted attacks on cloud tenants to the surge in conversational smishing attacks and proliferation of multifactor authentication (MFA) bypass, the cyber-attack landscape witnessed significant developments on several fronts in 2022.

“With Microsoft 365 forming a large percentage of the typical organization’s attack surface, broad abuse of that platform, from Office macros to OneNote documents, continues to shape the broad outlines of the threat landscape,” said Ryan Kalember, EVP, cybersecurity strategy, Proofpoint.

“As security controls have slowly improved, threat actors have innovated and scaled their bypasses; once the domain of red teams, techniques like MFA bypass and telephone-oriented attack delivery, for example, are now commonplace. While many threat actors are still experimenting, what remains the same is that attackers exploit people, and they are the most critical variable in today’s attack chain.” added Kalember.

From complex techniques like multi-factor authentication bypass, to telephone-oriented attack delivery, and conversational threats that rely solely on the attacker’s charm, 2022 was a year of unprecedented creativity among threat actors as they varied attack chains and rapidly tested and discarded delivery mechanisms.

Office macro use collapsed after Microsoft rolled out controls to block them

After almost three decades of service as a popular malware distribution method, Office macros finally began to decline in use after Microsoft updated how its software handles files downloaded from the web. The changes set off an ongoing flurry of experimentation by threat actors to seek alternative techniques to compromise targets.

Conversational smishing and pig butchering threats—which start with attackers sending seemingly harmless messages—surged last year. In the mobile space, it was the year’s fastest-growing threat, experiencing a twelvefold increase in volume.

And telephone-oriented attack delivery (TOAD) peaked at 13 million messages per month. Several state-sponsored APT actors invested significant time exchanging benign messages with their targets to build rapport over the course of weeks and months.

Off-the-shelf MFA bypass phish kits

MFA-bypass frameworks such as EvilProxy, Evilginx2, and NakedPages accounted for more than a million phishing messages per month.

Most organizations faced threats originating from well-known cloud giants Microsoft and Amazon, whose infrastructure hosts countless legitimate services that organizations rely upon.

With a novel distribution method involving drive-by downloads and fake browser updates, the threat actor behind SocGholish—TA569—has increasingly been able to infect websites to deliver malware exclusively through drive-by downloads, tricking victims into downloading it through fake browser updates. Many sites hosting the SocGholish malware are unaware they are hosting it, further proliferating its delivery.

Cloud threats have become ubiquitous

94% of cloud tenants are targeted every month by either a precision or brute-force cloud attack, indicating a frequency on par with email and mobile vectors. The number of brute-force attacks—notably password spraying—increased from a monthly average of 40 million in 2022 to nearly 200 million in early 2023.

Abusing the familiarity and trust in major brands is one of the simplest forms of social engineering: Microsoft products and services occupied four of the top five positions for abused brands, with Amazon being the most abused brand.

As many as 40% of misconfigured, or “shadow” admin identities can be exploited in a single step, such as resetting a domain password to elevate privileges. And 13% of shadow admins were found to already have domain admin privileges, allowing attackers to harvest credentials and access corporate systems. Around 10% of endpoints have an unprotected privileged account password, with 26% of those exposed accounts being domain admins.

Post-pandemic threat landscape

Despite sending over 25 million messages in 2022—more than double the volume of the second most prominent threat actor—Emotet’s presence has been intermittent, with the group also showing signs of lethargy in adapting to the post-pandemic threat landscape.

While financially driven crime largely dominates the post-pandemic threat landscape, a single outlier attack by an Advanced Persistent Threat (APT) actor can have a massive impact: One large campaign by TA471, a Russian-aligned APT group that engages in both corporate and government espionage, propelled that actor to the top of the APT message volume charts.

TA416, an APT actor aligned with the Chinese state, was one of the most active. In particular, significant new campaigns by TA416 coincided with the start of the Russia-Ukraine war, targeting European diplomatic entities involved in refugee and migrant services.

Don't miss