Trellix’s Threat Report: February 2023, scrutinising cybersecurity trends from the final quarter of 2022, says that cybercriminals are pushing the envelope when it comes to cyberattacks and that in South Africa they are targeting human error more than system flaws.
“The fourth quarter of 2022 saw malicious actors push the limits of attack vectors,” says John Fokker, head of Threat Intelligence at Trellix Advanced Research Centre. “Grey zone conflict and hacktivism led to an increase in cyber as statecraft and activity across threat actor leak sites.
“As the economic climate changes, organisations need to make the most effective security out of scarce resources,” Fokker adds.
In South Africa, the threats and vulnerabilities follow similar targets and methods of infiltration, where human error, rather than system flaws is exploited. Country lead for Trellix South Africa, Carlo Bolzonello, points to the country’s most important institutions as the most attractive prey for international syndicates.
“The South African context for our findings overlaying the global results shows that ransomware and email threats are still top of the biggest threats to South Africa, with government a large focus, followed by financial organisations,” Bolzonello says.
The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat (APT) actors, and examines threats to email, the malicious use of legitimate security tools, and more.
Key findings include:
* LockBit 3.0 most aggressive with ransom demands: While no longer the most active ransomware group based on Trellix telemetry – Cuba and Hive ransomware families generated more detections in Q4 – the LockBit cybercriminal organisation’s leak site reported the most victims. This makes LockBit the most vehement in pressuring their victims to comply with ransom demands. These cybercriminals use a variety of techniques to execute their campaigns, including exploiting vulnerabilities found as far back as 2018.
* Nation-state activity led by China: APT actors linked to China, including Mustang Panda and UNC4191, were the most active in the quarter, generating a combined 71% of detected nation-state backed activity. Actors tied to North Korea, Russia, and Iran followed. The same four countries ranked the most active APT actors in public reports.
* Critical infrastructure sectors most targeted: Sectors across critical infrastructure were most impacted by cyberthreats. Trellix observed 69% of detected malicious activity linked to nation-state backed APT actors targeting transportation and shipping, followed by energy, oil, and gas. According to Trellix telemetry, finance and healthcare were among the top targeted sectors by ransomware actors – and telecom, government and finance among the top sectors targeted via malicious email.
* Fake CEO emails led to business email compromise: Trellix determined that 78% of business email compromise (BEC) involved fake CEO emails using common CEO phrases. This was a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing – or vishing – scheme. Eighty two percent were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns.