With the rapid development of cyberspace technology, network security is a topic that cannot be ignored while people maintain interoperability.
Through the analysis of emergency response events recorded by NSFOCUS, we have summarized the development trends of network threats and would like to share the top seven predictions we discovered to look ahead to the rest of 2023.
NSFOCUS received 563 emergency response incidents in 2022, an increase of 29% compared to the previous year. In the first quarter, there were 94 incidents, flat year-on-year; from the second quarter onward the number of incidents continued to mount, and in July it exploded to the annual peak, an increase of 158% compared to June; since August, the number of incidents has gradually fallen back.
Fig 1. Trend of emergency response events in the past three years
The top five security incidents in 2022 were phishing attacks, ransomware, virtual mining, Trojan horse programs, and backdoors.
Fig 2. Distribution of incident types in 2022
Prediction 1: The targets tend to be industry-directed
Looking at the targets of cyber attacks, the trend is increasingly industry-directed.
Fig 3. Distribution of security incidents by industry in 2022
As one of the most commonly used attack methods, the phishing attack aims to induce people to download and execute malware or to disclose sensitive information, enabling host intrusion, financial transfer, etc. Its targets therefore tend to be large-scale industries with significant economic value, such as enterprises, finance, telco, transportation, and energy.
Ransomware gangs consider not only industries with high economic value but also critical information infrastructure (CII). This follows from the nature of ransomware, which has highly destructive effects on data security and business operations. That damage pressures industries whose data and business operations are most vulnerable to pay the ransom quickly in order to restore normal operations as soon as possible. Ransomware incidents are most prominent in healthcare and energy.
Other commonly used attack methods, such as virtual mining, achieve their goals by stealing computing resources while keeping themselves hidden. Their target industries are therefore mainly those with a large number of computing resources or poorly inventoried assets, such as education, government agencies, and healthcare. Webpage tampering attacks are usually politically motivated, and government agencies are their main target.
Prediction 2: APT attack surface gradually expands
As an advanced means of attack, APT attacks can be used to hit geopolitically motivated targets such as CII or to carry out large-scale ransomware attacks. According to the security incidents recorded by NSFOCUS in 2022, the number of APT events doubled compared with the previous year, and the attacks mainly rely on vulnerability exploitation, which accounts for 75% of all APT incidents. The remaining 25% of incidents are caused by phishing attacks.
Fig 4. Distribution of APT attack vectors
Prediction 3: Traditional attack methods are still effective in breaking through network boundaries
For attackers, the network boundary is the first springboard for penetrating the intranet. Port scanning, weak-password brute force, Trojans, and exploitation of vulnerabilities in border devices are all common methods. In the attacks against network borders recorded by NSFOCUS in 2022, incidents rooted in security awareness, such as weak-password brute force, still dominate, so efforts to improve security awareness still need to be strengthened.
Fig 5. Distribution of network border attack causes
Prediction 4: Ransomware is continuously evolving
According to the ransomware attacks handled by NSFOCUS, mainstream ransomware families such as Phobos, TellYouThePass, and Magniber still rely on automated attack methods, reflecting that the basic security hygiene of most organizations remains at a relatively low level. Attacks with higher ransom payment rates mainly come from ransomware families operated with human decision-making, including Hive, BlackCat, Cerber, etc. These groups lean towards medium to large enterprises: they steal, encrypt, or destroy valuable data in the network environments they intrude, and set ransom amounts based on the business information they have gathered.
Fig 6. Distribution of ransomware families by ransomware incidents in 2022
The tactics of ransomware attacks are also quite different from last year. Overall, ransomware attacks have become more concealed and more complicated. The use of persistence techniques and tactics has increased significantly, and some ransomware groups remained latent in the victim’s internal network for a long time, which may also be caused by the staggered process and timeline delays behind ransomware as a service (RaaS). Lateral movement techniques and tactics still account for a high proportion, as attack groups continue to seek access to more assets and data to increase the probability that victims pay. Credential access techniques and tactics have declined, but this only shows that fewer attacks use credential access as the initial intrusion method; it does not reflect the real prevalence of credential access techniques and tactics. According to ransomware-related intelligence, ransomware gangs increasingly purchase access credentials in trading markets such as the dark web rather than obtaining the entry point themselves through an initial intrusion method. This also makes it more difficult to reconstruct the attack chain and find “patient zero” during emergency response to ransomware incidents.
Fig 7. Ransomware attack techniques and tactics
In addition, from the perspective of ransom payment, the global average ransom payment for ransom events in the third quarter of 2022 was USD 258,143, an increase of 13.2% compared with the second quarter of 2022. The median ransom payment was USD 41,987, up 15.5% from Q2 2022. This trend reflects the fact that the ransomware-as-a-service (RaaS) community is consolidating and increasingly impacting the middle market.
Prediction 5: Software supply chain security incidents will occur frequently
Attacks on supply chains have gradually become the norm. Vulnerabilities are frequently found in the third-party office systems and security products used across industries, and supply chain attacks against OA (office automation) systems in particular are becoming more and more intense. In 2022, 12% of the emergency events handled by NSFOCUS CERT involved software supply chain security, and attacks against OA systems accounted for more than 50% of those.
Fig 8. Distribution of supply chain attack targets
Fig 6. Supply chain attacks – growth trend of OA events
NSFOCUS has done a lot of research on software supply chain security and shared a series of articles on software supply chain security on the NSFOCUS Blog.
Prediction 6: Viruses attach to hot vulnerabilities for rapid iteration
The spread of viruses is often accompanied by vulnerability exploitation attacks. For example, Log4j exploitation appeared in the propagation of the TellYouThePass ransomware, the GlobeImposter ransomware, and the BillGates Trojan horse after the Log4j outbreak on November 9, 2021. At the same time, when developing propagation modules, virus developers prefer critical and zero-day vulnerabilities with a wide range of impact and great harm, such as MS17-010, CVE-2021-40444, and Log4j. Unlike passive propagation methods such as email and mobile devices, these viruses can spread actively by relying solely on their own port scanning and vulnerability attack modules.
In addition to new viruses, classic viruses and worms such as Conficker, Ramnit, and Mirai are still active on the Internet. Worm events accounted for about 4% of all emergencies monitored in 2022, and the oldest worm handled was the 24-year-old Marker.BO worm, which originated from the Marker macro virus in the late 1990s; fortunately, Marker.BO is not severely destructive to computers, and its developers seem to have written it mostly to show off. The worm handled most often in the past year was WannaCry, which uses the EternalBlue vulnerability (MS17-010) for propagation. Five years have passed since its first outbreak, but monitoring data shows that worm cleanup and vulnerability patching are still far from complete.
Prediction 7: IoT devices will become the main carrier of botnets
The number of IoT devices has surged, with over 10 billion active IoT devices by the end of 2022. The vast resources of the Internet of Things have become a favorable weapon for attackers to launch attacks, including:
- Performing DDoS attacks on targets
- Attacking intranets, using the devices as a springboard
- Traffic hijacking through network devices
- Obtaining personal privacy information through monitoring devices
The Mirai and Gafgyt botnet families are worms that specifically target IoT devices. In 2022, NSFOCUS CERT dealt with many Mirai botnet DDoS attacks, launched mostly from IoT devices such as optical modems, routers, cameras, etc.
Protection Recommendations
Through the analysis of a large number of security incidents, we found that the vast majority of incidents are related to the basic network protection and management system of organizations. Therefore, we have compiled the following security protection suggestions for reference:
(1) Cultivation of personnel security awareness
Some research reports show that about 60% of network attacks originate from inside an organization, while most internal attacks are caused by employees being exploited and controlled by external attackers. With information technology as pervasive as it is today, attackers have many avenues of approach, including phishing emails, watering hole websites, mobile phone SMS, social software, public Wi-Fi, etc. Organizations can test and raise the security awareness of all employees through regular security awareness training and emergency drills.
(2) Strengthen password complexity management
Weak passwords are a clichéd issue that is most easily overlooked by businesses and also the vulnerability most favored by attackers. For all IT assets of an organization, it is necessary to develop and implement unified password complexity configuration standards to avoid weak passwords, general (shared) passwords, and regular (predictable) passwords. Organizations can enforce them by formulating relevant security regulations, business launch processes, baseline configuration verification, and other means.
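The baseline verification step described above, as an added example that is not part of the original post or of any NSFOCUS tool: it audits an account inventory against a constructed policy and flags the three classes the text names, weak passwords, general (shared) passwords, and regular (predictable pattern) passwords. The policy thresholds, the weak-password list and the sample accounts are all assumptions made for the example.

```python
import hashlib
import re
from collections import Counter

# Assumed policy (constructed for this example): minimum length, at least three
# character classes, not on the weak list, no "regular" pattern such as a word or
# season followed by a year, and not shared between accounts.
MIN_LENGTH = 12
WEAK_LIST = {"123456", "password", "admin", "admin123", "p@ssw0rd", "qwerty"}
REGULAR_PATTERN = re.compile(r"^[A-Za-z]+(?:19|20)\d{2}[!@#$%]*$")
CLASSES = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()]

def classify(password: str) -> list[str]:
    """Return the policy findings for one password (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if sum(any(f(c) for c in password) for f in CLASSES) < 3:
        findings.append("low_complexity")
    if password.lower() in WEAK_LIST:
        findings.append("weak")
    if REGULAR_PATTERN.match(password):
        findings.append("regular_pattern")
    return findings

def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Audit {account: password}; adds 'general' when a password is shared."""
    # Compare digests rather than plaintext so the report itself holds no secrets.
    digests = {a: hashlib.sha256(p.encode()).hexdigest() for a, p in accounts.items()}
    shared = {d for d, n in Counter(digests.values()).items() if n > 1}
    report = {}
    for account, password in accounts.items():
        findings = classify(password)
        if digests[account] in shared:
            findings.append("general")
        if findings:
            report[account] = findings
    return report

# Constructed sample inventory, as a baseline check of a few hosts might export it.
SAMPLE_ACCOUNTS = {
    "fw-admin": "admin123",
    "oa-svc": "Company2022!",
    "db-backup": "Gx7#qLm2vR9t",
    "vpn-ops": "Summer2023",
    "mail-relay": "Summer2023",
}
```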
(3) Back up important data regularly
In recent years, ransomware, as an attack method driven by direct financial gain, has been favored by attackers for its remarkable effect, low cost, and anonymity of transactions. Because it spreads through so many channels, data backup remains the most effective safeguard even when organizations or individuals have done basic security protection well. Organizations can regularly back up and properly keep important business data through private clouds, storage devices, network synchronization, and other reliable means.
(4) Strengthen vulnerability lifecycle management
New network attack methods and security vulnerabilities emerge with each passing day. Organizations should consider vulnerability management as a continuous and routine task, and develop detailed processes, including development specifications, vulnerability acquisition, vulnerability investigation, vulnerability repair, vulnerability verification, etc. At the same time, organizations should also regularly conduct gray box security testing to proactively identify security vulnerabilities and hidden dangers in systems, applications, and networks.
(5) Strengthen network boundary asset management
In several typical security incident cases, we found that attackers used network boundary assets as a springboard to expand the attack laterally into the internal network, eventually causing significant impact. Because some business systems are exposed to the Internet, an organization’s network boundary assets are often the primary target attackers choose for breaking through the defense system. Organizations can strengthen network boundary management through security domain division, ACL refinement with firewalls, and application vulnerability protection.
(6) Sift and monitor sensitive information leakage risks
As an important part of the black-box testing process, information collection plays a crucial role in the final results of security testing. In addition to using search engines and big data to collect the Internet assets of target organizations, attackers also collect leaked sensitive information through cloud drives, document-sharing sites, GitHub, and other channels, such as mailbox passwords, database configurations, application system source code, etc. Organizations should establish a long-term mechanism: while restricting employees’ behavior through management systems, they also need to monitor the exposure of sensitive information on the Internet through technical means.
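One technical means of the kind the recommendation calls for, as an added example that is not from the original post or from NSFOCUS: a scanner that runs over a snapshot of files about to be published (or already found on a public repository) and reports the two leak classes the text names, database configurations and mailbox credentials, with the captured secret masked so the report can be shared for triage. The sample files and the detection rules are constructed for this example.

```python
import re

# Constructed sample of files that might end up in a public repository; not real data.
SAMPLE_FILES = {
    "config/database.yml": "production:\n  url: mysql://app_user:S3cretDbPw@10.0.0.5:3306/erp\n",
    "scripts/notify.py": "SMTP_USER = 'ops@example.com'\nSMTP_PASS = 'MailPw2023!'\n",
    "README.md": "Run `make test` before opening a PR.\n",
}

# Each rule names a leak class and captures the secret in group 'secret' so it can be masked.
RULES = {
    "db_connection_string": re.compile(
        r"\b(?:mysql|postgres(?:ql)?|mongodb|redis)://[^:\s/]+:(?P<secret>[^@\s]+)@"),
    "mailbox_credential": re.compile(
        r"(?i)\b(?:smtp|imap|mail)_?pass(?:word)?\b\s*[:=]\s*['\"]?(?P<secret>[^'\"\s]+)"),
    "generic_password_assignment": re.compile(
        r"(?i)\bpassword\b\s*[:=]\s*['\"]?(?P<secret>[^'\"\s]{6,})"),
}

def mask(secret: str) -> str:
    """Keep only the first two characters: enough to triage, not enough to reuse."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_text(path: str, text: str) -> list[dict]:
    """Apply every rule to every line of one file and return masked findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rule in RULES.items():
            m = rule.search(line)
            if m:
                findings.append({"file": path, "line": lineno, "type": name,
                                 "secret": mask(m.group("secret"))})
    return findings

def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a {path: content} snapshot, e.g. the files staged for a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

Wiring `scan_files` into a pre-commit hook or a periodic crawl of the organization’s public repositories turns the same rules into the continuous monitoring the text recommends.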
(7) Pay attention to security risks of supply chain attacks
Supply chain attacks, as a highly covert form of attack, may ultimately affect hundreds or even billions of target users. The supply chain risks faced by organizations mainly exist in multiple stages such as equipment procurement, software development, product delivery, and system operation and maintenance. IT supply chain security is a wide-ranging and complex system, and problems at any stage will inevitably affect the upstream and downstream security of the supply chain. Organizations should establish product procurement and supply chain vendor management systems, establish and improve application development lifecycle security management systems, establish upstream and downstream security threat notification mechanisms to timely spot application and product security risks, and improve communication, coordination, and emergency response efficiency.
(8) Deploy a threat traceability and audit platform
Security devices deployed at a single point cannot be managed and analyzed in a unified way, so effective attack events cannot be found in time; afterwards, further traceability analysis is impossible because key data such as logs and samples are missing. For business systems with high security protection requirements, malicious network attacks can be detected in time by deploying a situation awareness platform combined with threat intelligence data. In addition, a full-traffic storage and analysis platform can give organizations the capability to capture unknown attacks and trace security incidents.