Image: A lock and tag that say "Lock out" and "Tag out." (artboyshf142/Adobe Stock)

It was a mixed year for cybersecurity in 2022 that ended with some troubling trends, with an acknowledgement at the World Economic Forum that 2023 could see major new attacks.

Monitoring threat surfaces takes time, energy and vigilance, because malicious actors are doing likewise. Every potential avenue of attack, whether sideloading, credential theft, malware injection, trojans or other exploits, needs continuous outward-facing monitoring. Censys, which sponsored this post, focuses entirely on internet intelligence, with comprehensive daily Internet scanning delivering best-in-class visibility to threat hunters, attack surface managers and other security professionals.

Indeed, while the ransomware curve seemed to be heading down last year, NCC Group reported that December saw a rapid increase in ransomware attacks, particularly from threat group BlackCat. The group increased their attacks 100% from 15 attacks in November to 30 in December, the highest number of attacks the criminal group has undertaken in a single month.

Earlier this month, security group Cloudflare reported a 79% increase in DDoS attacks in the fourth quarter of 2022, with over 16% of respondents to their survey saying they had received a threat or ransom demand in concert with DDoS attacks.


Business and cyber leaders are stacking sandbags against cyberattacks

A just-released WEF report, Global Cybersecurity Outlook 2023, found that business leaders are “far more aware” of the cyber threat than the year prior. About 93% of cybersecurity respondents predicted a far-reaching and catastrophic cyber event within 24 months.

The report said that:

  • Almost 75% of cybersecurity and business leaders plan to strengthen policies and practices for engaging direct-connection third parties with data access.
  • Some 29% of business leaders versus 17% of cyber leaders strongly agree that more sector-wide regulatory enforcement would increase cyber resilience.
  • Three-quarters of organization leaders said that global geopolitical instability has influenced their cybersecurity strategy.
  • Respondents think artificial intelligence and machine learning (20%), greater adoption of cloud technology (19%), and advances in user identity and access management (15%) will have the greatest influence on their cyber risk strategies over the next two years.

Breaking down silos key to successful security strategy

Respondents to the WEF survey who reported successful changes in their cybersecurity strategy cited organizational structures that bring cyber leaders, business leaders across functions and boards of directors together to collaborate on digital resilience across business activities.

During an interview at Davos, Sadie Creese, professor of cybersecurity at the University of Oxford, gave a shout-out to cyber resilience.

“There is no such thing as 100% security,” she said. “It’s about resilience in the face of insecurity.”

Detection is one half of resilience. Censys, a leading internet intelligence platform for threat hunting and exposure management, performs daily scans of 101 protocols across the top 3,500+ ports on a key internet protocol, IPv4, and its top 100 ports to give best-in-class visibility to threat hunters, attack surface managers, and other security professionals.

In the survey, 95% of business executives and 93% of cyber executives — with that latter figure up from 75% in 2022 — agreed that cyber resilience is integrated into their organization’s enterprise risk-management strategies.

Q4 2022 saw increased activity from new threat players

In its review of year-end cyber events, NCC Group found:

  • There were 269 ransomware attacks in December, a 2% increase compared to November (at 265 attacks), and counter to the prior year trend, which saw decreases during the holiday season.
  • December posted the highest number of ransomware victims since the peaks reached in March and April last year.
  • LockBit 3.0 regained its leading position, accounting for 19% of attacks, followed by BianLian (12%) and BlackCat (11%).
  • BianLian saw a 113% increase in ransomware activity in December versus November.
  • Play, discovered in July 2022, aimed at government sectors in Latin America with four victims (15% of attacks).

NCC Group expects LockBit 3.0 to remain at the top spot for the foreseeable future after seeing the group fall to third place in November. Its most targeted sectors remain largely similar to those of previous months with little deviation — industrials (30%), consumer cyclicals (14%) and technology (11%).

SEE: Recent 2022 cyberattacks presage a rocky 2023 (TechRepublic)

Meanwhile, BianLian, with victims in the education, technology and real estate sectors, has taken to releasing victim names in stages, using asterisks or question marks as a censor. NCC Group opined that this screw-tightening tactic aims to prompt organizations into payment. They said they have noticed two other hacker groups using this approach.

  • North America was the target of 120 ransomware attacks (45%), making it the most targeted region, followed by Europe with 72 attacks (27%) and Asia with 33 attacks (12%).
  • Consumer cyclicals (44%) and industrials (25%) remain the top two most targeted sectors for ransomware attacks. The technology sector (11%) experienced 34 ransomware incidents, a 21% increase from the 28 attacks reported in November.

NCC Group reports a family resemblance between the Play, Hive and Nokoyawa ransomware variants: the file names and file paths of their respective tools and payloads are similar.

“Although December saw some stability in the volume of ransomware attacks, this was a deviation from what we normally observe,” said Matt Hull, global head of threat intelligence at NCC Group. “Over the seasonal period, we’ve come to expect a downturn in the volume of attacks, as demonstrated by the 37% decrease at the same time last year.”

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

New malware hits the beachhead

A research team at cybersecurity firm Uptycs reported that they discovered a campaign involving malware called Titan Stealer, which is being marketed and sold through a Telegram channel. The researchers said the malware can exfiltrate credential data from browsers and crypto wallets, FTP client details, screenshots, system information and grabbed files.

The builder tool for the malware has a user interface that lets attackers choose which information to steal and which file types to extract from the victim's machine.

Because ransomware, DDoS attacks, worms, viruses and other exploits are trending higher overall, with much of that activity automated and programmatic, companies should perform security risk assessments at least annually. Consider using a checklist, such as the xlsx file from TechRepublic Premium.

Censys’ highly structured data enables threat hunters to identify unique characteristics of attacker-controlled infrastructure and easily locate hosts. Last year, for example, Censys found a ransomware command and control network capable of launching attacks, including one host located in the U.S.
