New research shows cybercrime victims are increasingly being induced to download malware, and having multifactor authentication circumvented through SIM swapping, via tactics including “vishing”, phishing conducted over voice calls rather than email.
These observations emerged in the ninth edition of the CrowdStrike Global Threat Report, which provides observations on the current trends, tactics, and behaviours of nation-states, cybercrime, and hacktivist threat actors globally.
The report tracks the activities of over 200 adversaries, including 33 new adversaries identified in the past year, and reveals a surge in identity-based threats, cloud exploitation, China-nexus espionage, and attacks that re-weaponise previously patched vulnerabilities. The observations were made using data from trillions of daily events on the CrowdStrike Falcon platform and insights from CrowdStrike Falcon OverWatch.
Key highlights from this year’s report include:
- 71% of attacks detected were malware-free (up from 62% in 2021), and interactive intrusions (hands-on keyboard activity) increased by 50% in 2022 – Outlining how sophisticated human adversaries increasingly look to evade antivirus protection and outsmart machine-only defences.
- 112% year-over-year increase in access broker advertisements on the dark web – Illustrating the value of and demand for identity and access credentials in the underground economy.
- Cloud exploitation grew by 95%, and cases involving ‘cloud-conscious’ threat actors nearly tripled year-over-year – More evidence adversaries are increasingly targeting cloud environments.
- 33 new adversaries introduced – The most significant increase CrowdStrike has ever observed in one year – including the highly prolific SCATTERED SPIDER and SLIPPY SPIDER behind many recent high-profile attacks on telecommunication, BPO, and technology companies.
- Adversaries are re-weaponising and re-exploiting vulnerabilities – Spilling over from the end of 2021, Log4Shell continued to ravage the internet, while both known and new vulnerabilities like ProxyNotShell and Follina – just two of the more than 900 vulnerabilities and 30 zero-days Microsoft issued patches for in 2022 – were broadly exploited as nation-nexus and eCrime adversaries circumvented patches and sidestepped mitigations.
- eCrime actors moving beyond ransom payments for monetisation – 2022 saw a 20% increase in the number of adversaries conducting data theft and extortion campaigns.
- China-nexus espionage surged across all 39 global industry sectors and 20 geographic regions tracked by CrowdStrike Intelligence – Rise in China-nexus adversary activity shows that organisations worldwide and in every vertical must be vigilant against the threat from Beijing.
- Average eCrime breakout time (the time from initial access to lateral movement) is now 84 minutes – This is down from 98 minutes in 2021, demonstrating the speed at which today’s threat actors move.
- The cyber impact of the Russia-Ukraine war was overhyped but not insignificant – CrowdStrike saw a jump in Russia-nexus adversaries employing intelligence gathering tactics and even fake ransomware, suggesting the Kremlin’s intent to widen targeting sectors and regions where destructive operations are considered politically risky.
- An uptick in social engineering tactics targeting human interactions – Tactics such as “vishing”, which directs victims to download malware, and SIM swapping, which is used to circumvent multifactor authentication (MFA).
“The past 12 months brought a unique combination of threats to the forefront of security,” says Adam Meyers, head of intelligence at CrowdStrike. “Splintered eCrime groups re-emerged with greater sophistication, relentless threat actors sidestepped patched or mitigated vulnerabilities, and the feared threats of the Russia-Ukraine conflict masked more sinister and successful traction by a growing number of China-nexus adversaries.”
“Today’s threat actors are smarter, more sophisticated, and more well-resourced than they have ever been in the history of cybersecurity,” says Meyers. “Only by understanding their rapidly evolving tradecraft, techniques and objectives – and by embracing technology fuelled by the latest threat intelligence – can companies remain one step ahead of today’s increasingly relentless adversaries.”
CrowdStrike added 33 newly tracked adversaries, bringing the total number of known adversaries tracked to more than 200. More than 20 of the new additions were SPIDERS, the CrowdStrike naming convention for eCrime adversaries.
Among the newly tracked BEARs (Russia-nexus adversaries), Gossamer Bear’s credential-phishing operations were highly active throughout the first year of the Russia-Ukraine conflict, targeting government research labs, military suppliers, logistics companies and non-governmental organisations (NGOs).
CrowdStrike also introduced its first Syria-nexus adversary, Deadeye Hawk, which was formerly tracked as the hacktivist Deadeye Jackal.