Criminal groups focus on Australia and US

A new threat report from Netskope shows a significant number of criminal adversaries are attempting to infiltrate customer environments, with Russia-based Wizard Spider targeting more organisations than any other group. The Cloud and Threat Report: Top Adversary Tactics and Techniques highlights the most pervasive threat groups, identifies regions and threats most at risk and the top techniques being employed.

Most pervasive threat groups

Netskope found that the top criminal adversary groups were based in Russia and Ukraine, and the top geopolitical threat groups were based in China. As the top group attempting to target users of the Netskope Security Cloud platform, Wizard Spider is a criminal adversary credited with creating the notorious, ever-evolving TrickBot malware. Other active criminal adversary groups relying heavily on ransomware included TA505, creators of Clop ransomware, and FIN7, who used REvil the ransomware and created the Darkside ransomware, while geopolitical threat groups were led by memupass and Aquatic Panda.

Geopolitical adversaries target specific regions and industries for their intellectual property, as opposed to financially motivated actors who develop playbooks optimised for replicable targeting, where they can recycle tactics and techniques with minimal customisation.

Vertical and regional threats

Based on Netskope findings, the financial services and healthcare industry verticals saw a significantly higher percentage of activity attributable to geopolitical threat groups. In those verticals, nearly half of activity observed comes from these adversaries, as opposed to financially motivated groups. Verticals such as manufacturing, state, local, education (SLED) and technology saw less than 15% of activity coming from geopolitically motivated actors, with the remaining threats being financially motivated.

From a regional perspective, Australia and North America have the highest percentage of attacks from adversary activity attributable to criminal groups, while other parts of the world, such as Africa, Asia, Latin America and the Middle East led in geopolitical motivated attacks.

Top techniques

Spearphishing links and attachments are the most popular techniques for initial access so far in 2023, and as of August, adversaries were three times more successful at tricking victims into downloading spearphishing attachments compared to the end of 2022. While email continues to be a common channel used by adversaries, the success rate is low due to advanced anti-phishing filters and user awareness. However, adversaries have found this recent success using personal email accounts.

To date this year, 16 times as many users attempted to download a phishing attachment from a personal webmail app compared to managed organisation webmail apps. 55% of malware that users attempted to download was delivered via cloud apps, making cloud apps the number one vehicle for successful malware execution. The most popular cloud app in the enterprise, Microsoft OneDrive, was responsible for more than one-quarter of all cloud malware downloads.

“If organisations can look at who our top adversaries are and the incentives that motivate them, then you can look at your defences and ask, ‘What protections do I have in place against those tactics and techniques? How will this help me hone in on what my defensive strategy should be?’” said Ray Canzanese, Threat Research Director, Netskope Threat Labs.

“If you can defend effectively against the techniques outlined in the report, you’re defending effectively against a really wide swath of adversaries. No matter who you’re up against, you’ll have defences in place.”

Key takeaways for organisations

Based on these uncovered techniques, Netskope recommends organisations evaluate their defences to determine how their cybersecurity strategy needs to evolve. The most pervasive techniques organisations need to be prepared to defend against include:

• Spearphishing links and attachments: Implement anti-phishing defences that go beyond email to ensure that users are protected against spearphishing links, no matter where they originate.
• Malicious links and files: Ensure that high-risk file types, like executables and archives, are thoroughly inspected using a combination of static and dynamic analysis before being downloaded.
• Web protocols and exfiltration over C2 channel: Detect and prevent adversary C2 traffic over web protocols using an SWG and an IPS to identify communication to known C2 infrastructure and common C2 patterns.
   

Image credit: iStock.com/stnazkul