Following two years of Covid-19 disruption, 2022 was a “return to business as usual for the world’s cybercriminals,” Proofpoint, a cybersecurity and compliance company, said in a new report.
Cyber attackers had to find new ways to hit victims, from sharpening their social engineering skills, to commoditizing once-sophisticated attack techniques, and hunting for new opportunities in unmined areas, Proofpoint said in its Human Factor study.
Cyberattackers Get Creative
The company called 2022 a year of “unprecedented creativity” by attackers as they “varied attack chains and tested and discarded delivery mechanisms.” The report focuses on the combination of technology and psychology that makes modern cyberattacks dangerous, examined across the three main facets of user risk: vulnerability, attacks and privilege, the company said.
Ryan Kalember, Proofpoint executive vice president, Cybersecurity Strategy, commented on the nature of these attacks:
“As security controls have slowly improved, threat actors have innovated and scaled their bypasses. Once the domain of red teams, techniques like MFA bypass and telephone-oriented attack delivery, for example, are now commonplace. While many threat actors are still experimenting, what remains the same is that attackers exploit people, and they are the most critical variable in today’s attack chain.”
Smishing and Pig Butchering Threat Surge
Key findings highlighted in Proofpoint’s 2023 Human Factor report include:
- Office macros declined in use after Microsoft updated how its software handles files downloaded from the web. The changes set off an ongoing flurry of experimentation by threat actors to seek alternative techniques to compromise targets.
- Conversational smishing and pig butchering threats (a type of crypto scam) — which start with attackers sending seemingly harmless messages — surged last year. In the mobile space, it was the year's fastest-growing threat, experiencing a twelvefold increase in volume.
- Off-the-shelf MFA bypass phishing kits have become ubiquitous, allowing even non-technical criminals to spin up a phishing campaign.
- Most organizations faced threats originating from cloud giants Microsoft and Amazon, whose infrastructure hosts countless legitimate services that organizations rely upon.
- The threat actor behind SocGholish, TA569, has increasingly been able to infect websites to deliver malware exclusively through drive-by downloads, tricking victims into downloading it through fake browser updates.
- 94% of cloud tenants are targeted every month by either a precision or brute-force cloud attack, indicating a frequency on par with email and mobile vectors. The number of brute-force attacks — notably password spraying — increased from a monthly average of 40 million in 2022 to nearly 200 million in early 2023.
- Abusing the familiarity and trust in major brands is one of the simplest forms of social engineering. Microsoft products and services occupied four of the top five positions for abused brands, with Amazon being the most abused brand.
- As many as 40% of misconfigured, or “shadow,” administration identities can be exploited in a single step, such as resetting a domain password to elevate privileges.
- Despite sending over 25 million messages in 2022 — more than double the volume of the second most prominent threat actor — Emotet's presence has been intermittent, with the group also showing signs of lethargy in adapting to the post-macro threat landscape.
- While financially driven crime largely dominates the threat landscape, a single outlier attack by an Advanced Persistent Threat (APT) actor can have a massive impact. One large campaign by TA471, a Russian-aligned APT group that engages in both corporate and government espionage, propelled that actor to the top of the APT message volume charts.
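The findings above distinguish password spraying (one source trying many accounts, a few guesses each) from classic brute force (one source hammering a single account). The following Python script is an added illustration of how a defender can tell the two apart in authentication logs; it is not part of the Proofpoint report, the log format and the sample lines are constructed for this example, and the thresholds (five distinct accounts, ten failures, a ten-minute window) are assumptions to be tuned to a real environment.

```python
"""Toy detector separating password spraying from single-account brute force.

Added illustration, not from the Proofpoint report. The log format
"<ts> <RESULT> src=<ip> user=<name>" and every sample line are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One source (203.0.113.10) fails once against six
# different accounts; another (198.51.100.7) fails fifteen times against one
# account; a third (192.0.2.5) is a user who mistypes twice and then succeeds.
SPRAY_LINES = [
    f"2023-05-01T09:00:{i:02d}Z FAIL src=203.0.113.10 user={u}"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
]
BRUTE_LINES = [
    f"2023-05-01T09:05:{i:02d}Z FAIL src=198.51.100.7 user=carol" for i in range(15)
]
BENIGN_LINES = [
    "2023-05-01T09:10:00Z FAIL src=192.0.2.5 user=alice",
    "2023-05-01T09:10:05Z FAIL src=192.0.2.5 user=alice",
    "2023-05-01T09:10:09Z OK src=192.0.2.5 user=alice",
]
SAMPLE_LOG = "\n".join(SPRAY_LINES + BRUTE_LINES + BENIGN_LINES)


def parse_line(line):
    """Parse one constructed-format log line into a dict."""
    ts_str, result, src_kv, user_kv = line.split()
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "result": result,
        "src": src_kv.split("=", 1)[1],
        "user": user_kv.split("=", 1)[1],
    }


def classify_sources(log_text, window=timedelta(minutes=10),
                     min_accounts=5, min_attempts=10):
    """Return {source_ip: verdict} where verdict is one of
    'password_spray', 'brute_force' or 'benign'.

    Within any sliding window of `window` length, a source that fails against
    at least `min_accounts` distinct accounts is flagged as spraying; a source
    with at least `min_attempts` failures but fewer accounts is brute force.
    Thresholds are assumptions for this example.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "FAIL":
            failures[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        peak_users, peak_attempts = 0, 0
        # Sliding window anchored at each failure: count attempts and distinct
        # accounts that fall within `window` of it.
        for i, first in enumerate(evs):
            users, j = set(), i
            while j < len(evs) and evs[j]["ts"] - first["ts"] <= window:
                users.add(evs[j]["user"])
                j += 1
            peak_users = max(peak_users, len(users))
            peak_attempts = max(peak_attempts, j - i)
        if peak_users >= min_accounts:
            verdicts[src] = "password_spray"
        elif peak_attempts >= min_attempts:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The point of the split is that a per-account lockout counter never fires on the spraying source, because it only ever fails once per account; the detection has to pivot on the source and count distinct accounts, which is why the sliding window tracks both numbers separately.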