There has been a significant increase in advanced persistent threat (APT) attacks on critical infrastructure, including telecommunications, energy, and manufacturing sectors.
This is one of the key findings of research by Trellix, a specialist in extended detection and response (XDR).
According to the Trellix June 2023 Cyber Threat Report released by the company’s Advanced Research Centre, the first quarter of 2023 showed evidence of activity linked to ransomware and nation-state-backed APT actors, threats to email, as well as malicious use of legitimate security tools.
It says that nations are leveraging offensive cyber capabilities for espionage and disruption and employing sophisticated techniques to infiltrate and compromise computer networks, enabling them to gather valuable intelligence, access classified information, and possibly disrupt the operations of rival countries.
The company highlights that motivations for ransomware are still largely financial.
The most prevalent ransomware families in Q1 were Cuba (25.6%) and Play (21.9%). However, overall, there was a drop across the board in ransom-related cyber criminal activity at the start of the year, especially in January.
Trellix adds that despite a continued drop in activity from Lockbit in two consecutive quarters - responsible for 18.2% of all ransomware detections in Q1, over a third drop from Q4 2022 - Lockbit continues to be the most aggressive in pressuring their victims to comply with ransom demands. This aligns with Lockbit’s growing notoriety and awareness in the cyber landscape.
John Fokker, head of threat intelligence, Trellix Advanced Research Centre, says, “From our team’s research, a majority of the most critical vulnerabilities and bugs in Q1 consisted of bypasses to patches for older common vulnerabilities and exposures( CVEs), supply chain bugs resulting from the utilisation of ancient libraries, or long-patched vulnerabilities that were never properly updated and addressed.”
Local link in BRICS
Carlo Bolzonello, Trellix South Africa country lead, says the vulnerabilities outlined in the threat report are, and will continue to be, particularly relevant to the South African market. He also mentions the possible link between heightened cyber threats and the forthcoming BRICS (Brazil, Russia, India, China and South Africa) conference.
“Regarding threat actors, the South African threat landscape has become more diverse than ever before, with various bad actors emerging from different countries. We are seeing a heightened detection of cyber threat presence since December of 2022 across all sectors of the South African economy, which could be linked to diplomatic tensions during the lead-up to the BRICS conference.
“Ransomware activity in South Africa also continues to rise... Public sector agencies are being targeted with increased frequency – seeing some organisations attacked at least two to three times in the past few years alone. A ‘living security’ approach, as opposed to one or many individual tools, can make public sector organisations more resilient through the interconnection of a wide variety of threat sensors and capabilities, so they know their operations are protected.”