
Trellix detects China-affiliated APT groups behind most nation-state threat activity

Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), today released the June 2023 edition of The CyberThreat Report from the Trellix Advanced Research Center which analyses cybersecurity trends from the last quarter. Insights were gleaned from a global network of expert researchers who analyse over 30 million detections of malicious samples daily. Combined telemetry is collected from one billion sensors, and data from open and closed-source intelligence.

“A year into the Russia-Ukraine conflict, offensive cyber capabilities are being leveraged strategically by nation-states for espionage and disruption,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “For both leading and developing countries, we see risks to critical infrastructures like telecommunications, energy, and manufacturing by notable APT groups – a warning to public and private organisations to deploy modern protections to stay ahead of rapidly evolving threats.”

The latest Trellix Advanced Research Center report covers the first quarter of 2023 and comprises evidence of activity linked to ransomware and nation-state-backed APT actors, threats to email, malicious use of legitimate security tools, and more. Key findings include:

• Coordinated cyber espionage. APT groups linked to China, including Mustang Panda and UNC4191, are the most active in targeting nation-states, generating 79% of all activity detected. Trellix predicts APT groups will continue cyber espionage and disruptive cyberattacks in tandem with physical military activity.

• In ransomware, cash is king. Motivations for ransomware are still financial – reflected in the Insurance (20%) and Financial Services (17%) sectors having the most detections of potential attacks. The most common leak site victims are US-based (48%) mid-sized businesses with 51-200 employees (32%) and $10-50M in revenue (38%).

• Cobalt Strike is a favourite. Despite attempts in 2022 to make it harder for threat actors to abuse the tool, Cobalt Strike continues to grow as a tool favoured by cybercriminals and ransomware actors. Trellix detected Cobalt Strike in 35% of nation-state activity and 28% of ransomware incidents – almost double the Q4 2022 figures.

• Old vulns, a blast from the past. Many critical vulnerabilities consist of bypasses to patches for older CVEs, supply chain bugs utilising outdated libraries, or long-patched vulnerabilities that were never properly addressed. A disclosed Apple vulnerability in February 2023 had roots as far back as the FORCEDENTRY exploit disclosed in 2021.

• Rogue access to the cloud. Cloud infrastructure attacks on Amazon, Microsoft, and Google are rising. Though more sophisticated attacks involving multifactor authentication, proxy penetration, and API execution continue, the dominant attack technique uses valid accounts, with twice as many detections as any other vector. Rogue access to legitimate accounts in remote-work environments remains significant.

Fabien Rech, SVP and GM EMEA at Trellix, said: “It’s clear from recent headlines that cybercriminals are continuing to sharpen their tools and use a range of techniques to infiltrate businesses. In fact, in Q1 this year, our research showed that insurance was the most targeted sector by ransomware groups, accounting for 20% of attacks. Yet, from a nation-state perspective, we saw energy, oil and gas have the most detected attacks, whereas in Q4 2022 transport and shipping was the sector most impacted by these types of attacks.

“Similarly, while the government was the most impacted sector by malicious emails, comprising 11% of attacks in Q1 2023, in the previous quarter the telecoms industry was the most targeted and accounted for 42% of nefarious email campaigns. As suspected, critical infrastructure continues to be a prime target for cybercriminals, as the impact of a successful attack can be particularly widespread and disruptive.

“It’s now crucial for businesses across all industries to bolster their defences if they are to successfully defend against sophisticated attacks. This sentiment is also echoed by UK CISOs, 96% of whom agree that they need better solutions to protect their entity from cyber threats. By implementing a security architecture that can readily mould and adapt to emerging threats, organisations can better mitigate against attacks and avoid disruption.”