Financial services was the sector most targeted by malicious actors during the third quarter of 2021, seeing 22% of ransomware detections and 37% of advanced persistent threat (APT) detections – most of it linked to groups backed by Beijing and Moscow.
That is according to a newly released threat research report compiled by Trellix, a new cyber company formed in January 2022 out of what was McAfee Enterprise and FireEye. It found that publicly reported incidents in the financial services sector increased by 21% between July and September 2021 compared with the previous three months.
Trellix reported that despite the back end of 2021 seeing something of a reckoning for ransomware crews – with some being driven offline thanks to coordinated international action, and many underground forums attempting to drive out ransomware activity of their own accord – the use of ransomware nevertheless persisted, and proliferated, across an increasing spectrum of sectors.
“Despite the financial, utilities and retail sectors accounting for nearly 60% of all ransomware detections, no business or industry is safe from attack, and these findings should act as a reminder of this,” said Fabien Rech, Trellix EMEA VP. “As cyber criminals adapt their methods to target the most sensitive data and services, organisations must shore up their defences to mitigate further threats.
“To do this, businesses must deploy a security strategy that includes a living platform that can learn and adapt defences based on the threat. This platform generates and prioritises comprehensive threat insights from both outside and inside the company to adaptively strengthen detection, and it responds in real time to active threats.
“As the threat of ransomware continues to grow, businesses must rely on technology that moves as quickly as the cyber criminals and can adapt in real time to get ahead. Unfortunately, failing to take this approach only means businesses open themselves up to an attack.”
Saryu Nayya, CEO and founder of Gurucul, said she was not surprised by the list of most-targeted industries. “They either have the most important information to steal or disruption can be catastrophic to their business or their stakeholders,” she said.
“Attackers are modifying their techniques on a consistent basis and this includes variants on successful attacks that can evade most current XDR and traditional SIEM platforms.
“While rule-based analytics have been incorporated into these platforms, often falsely stated as machine learning or artificial intelligence, most of them are only useful for determining known attacks and often trigger too many events.
“This causes security teams to chase down too many minor threats or false positives while the more dangerous emerging attacks slip through the cracks for too long. Financial, critical infrastructure and retailers must research and invest in more cutting-edge security solutions, even as attackers have been successful at refining their capabilities to specifically target these groups.”
Trellix’s January 2022 Advanced threat report also contains some new insight into the threat landscape towards the end of 2021. Particularly noteworthy was a marked maturation in the techniques used by APT groups to bypass security controls, access their target networks and conduct cyber attacks. The ever-popular Cobalt Strike pen-testing framework was detected in more than one-third of the APT campaigns tracked, and Mimikatz, a post-exploit tool used to gain deeper access and escalate privileges, was detected in over a quarter of campaigns.
Threat actors are also increasingly using software already installed on target systems in support of their attacks – this is known as living off the land (LotL) and is increasingly favoured by both nation state APTs and financially motivated cyber criminals to get around developing advanced tools internally.
As an example of this, Trellix said it observed PowerShell being used in 42% of LotL detections, and Windows Command Shell in 40% – in both instances to execute commands and gain access. Other native operating tools currently favoured include Rundll32, WMIC and Excel, and admin remote services tools such as AnyDesk, ConnectWise Control, RDP and WinSCP.
Raj Samani, chief scientist and fellow at Trellix, said: “While we ended 2021 focused on a resurgent pandemic and the revelations around the Log4j vulnerability, our third-quarter deep dive into cyber threat activity found notable new tools and tactics among ransomware groups and advanced global threat actors.
“This report provides greater visibility into the use and abuse of ransomware group personas, how nation-state APT actors seek to burrow deeper into finance and other critical industries, and new living-off-the-land attacks exploiting native Microsoft system tools in new ways.”
The full report also contains new statistics on some of the most popular malware families currently circulating – Formbook, Remcos RAT and LokiBot between them accounted for almost 80% of detections, and more besides.