Malware-free cybercrimes have reached 71% of the cases recorded annually, up from 62% in 2021, According to newest cybercrime trends by Crowdstrike.
In most cases, valid credentials were leveraged to gain access to systems and have privileges as the legitimate user of the device. Contrary to the public perception of cyber attacks, malware was not at all used to gain access to systems nor to maintain persistence in using the device and connected systems.
According to the CrowdStrike Global Threat Report 2023, cybercriminals have been leveraging stolen credentials to gain initial access rather than malware. In fact, misuse of legitimate credentials doubled this year as it also helped them pass through security checks and gain access to connected systems and users.
Equally popular was the age-old technique of tracing and tapping unpatched vulnerabilities, noted the report.
Vulnerabilities, still harmful: Cybercrime Trends
In 2022, threat actors consistently relied on previously established attack vectors and components to achieve successful exploitation.
After discovering a vulnerability, actors may modify or reapply the same exploit to target other similarly vulnerable products, or they may focus on the known vulnerable components and circumvent patching by exploring other exploit vectors.
“This is particularly true for edge devices, which are often vulnerable to various injection techniques and arbitrary file-delivery exploits,” said the report.
One prominent example of vulnerability discovery and exploitation in 2022 was the Log4Shell exploitation, which targeted numerous products. Variations of the exploit allowed for tailored exploitation in other products, where it was not initially achievable. Discussions among threat actors in the criminal underground about CVE-2021-44228 exploitation continued throughout the year, reflecting sustained interest in Log4Shell.
Similarly, in January 2022, a discovery and exploitation process across various products unfolded in the context of the PwnKit exploit, which targeted the Polkit package. Vulnerable packages from external sources also contributed to proprietary software exploitation throughout the year.
Cybercrime Trends indicate Circumventing patches bugs
Threat actors demonstrated their ability to circumvent mitigations from previous patches by leveraging specialized knowledge to exploit zero-day and N-day vulnerabilities in 2022.
“For example, the proxy mechanisms exploited to compromise Microsoft Exchange during ProxyLogon and ProxyShell campaigns in 2021 were targeted again in Q4 2022, this time using an authenticated variation called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082),” said the report
“ProxyNotShell mitigations were subsequently bypassed when ransomwareaffiliated actors used an alternative exploitation vector that abused CVE-2022-41080 to accomplish the same objectives.”
A similar pattern emerged with a series of zero-day exploits associated with the Windows Common Log File System (CLFS) driver observed between March and August 2022.
Developers of the CVE-2022-37969 exploit employed a technique to identify and bypass mitigations intended for an earlier CLFS vulnerability (CVE-2022-24521), demonstrating their expertise.
Cybercriminals in 2022
Pandemic-related cybercrimes lessoned and nation-state cybercrimes using computer network operations were observed all throughout the year, 2022, fulfilling state goals. Several cyberattacks were made with anti-Ukraine chants being left on impacted systems by state-sponsored threat actors.
Iran was found conducting regional espionage cyberattacks and the Democratic People’s Republic of Korea state-nexus hackers continued hacking crypto wallets to increase state funds to supply after the COVID-19 pandemic.
Even though legal agencies and researchers were tracing cybercriminals to their locations, they were observed to be regrouping and rebranding themselves with tools that were developed more to keep up with sophisticated defensive technology adopted by companies.
Access broker services were sought heavily on the dark web which increased 112% as compared to 2021 showing cybercriminals’ increased need for access. Over 2,500 advertisements for the same were found across the criminal underground platforms. Some other observations on the cybercrime landscape in 2022 were as follows:
- Vishing was opted for to circumvent multifactor authentication requests and download malware. Voice call phishing also led cybercriminals to contact targets directly.
- Misinformation was used as a tool to spread the wrong message with an increased targeting of European and U.S. companies in the latter half of 2022.
- CrowdStrike traced over 200 cybercriminals throughout the year with most of the eCrime being traced from Eastern Europe and Russia. The Syria-nexus adversary DEADEYE JACKAL who renamed itself to DEADEYE HAWK was founded in 2022.
The 1-10-60 rule of the 2022 cybercrime landscape
The time taken to move laterally from a host device was 98 mins in 2021 which was reduced to 84 mins in 2022. This emphasized the need for a quicker mitigation time requirement.
The 1-10-60 denotes 1 to be the time frame within which the threat must be detected, 10 mins in which the threat must be understood, and 60 denotes the time range within which the team must respond adequately to mitigate the incident.