Cyberattacks are a constant threat to businesses, organizations, governments, and individuals worldwide. In order to stay secure against cybercriminal activity, it is essential to understand the various cyberattack methods and common targets used by cybercriminals in 2022. This article provides an overview of some of the most notable cyberattack methods being utilized as well as common targets which cybercriminals focus their efforts on. By understanding these key aspects of cybercrime, security teams can be better prepared for potential cyber threats.
Notable Cyberattack Methods and Tools of 2022
Threat actors are increasingly utilizing lateral movement after they penetrate the targeted systems. In a quarter of all cyberattacks in 2022, cybercriminals employed various methods of lateral movement, including the use of dual-use tools and scripts for malicious purposes. These dual-use tools refer to system tools and legitimate software that can be manipulated to achieve nefarious goals. Zero-day exploits have also been increasingly leveraged over the past year. Let us delve into each of the common threats more deeply:
#1 Zero-Day Exploits
Zero-day exploits are cyberattacks that take advantage of previously unknown software vulnerabilities. These attacks often use malicious code to exploit these vulnerabilities before the software developer is even aware they exist. Zero-day exploits can be extremely difficult to defend against and are thought to have become increasingly common in 2022 due to the Russo-Ukrainian war.
Findings from Google's Project Zero (GPZ), which hunts for security gaps inside major software products, showed that in the first six months of 2022, 18 zero-day vulnerabilities were exploited in the wild before a software update became available.[1] GPZ suggests that half of these could have been prevented had vendors conducted more thorough testing and developed broader patches. Even more alarmingly, four of these eighteen 2022 vulnerabilities were shown to be variants of 2021 zero-day vulnerabilities.
#2 Phishing
In 2022, ransomware attacks were often initiated through some form of phishing email. Spam campaigns and spear-phishing (the more targeted form of phishing) were used to infiltrate organizations' networks, with many cases attributed to insufficient user security training. Drive-by downloads were also used to facilitate credential escalation, allowing attackers to move laterally and gain access to administrative accounts.[2] Malvertising, which leverages malicious online advertising to infect a user's device when an ad is clicked on or interacted with, was another form of phishing widely used for the same purpose in 2022. The malicious code delivered, such as a virus or other malware, would then be used for credential escalation on the target device.
#3 Nefariously Used Legitimate Programs
Cybercriminals are returning to the basics and revamping their tried-and-true methods by leveraging existing tools and simpler techniques. A few of these popular programs and tactics include:
Cobalt Strike: Cobalt Strike is a cybersecurity tool used for penetration testing and cyberattack simulations. An unintended consequence is that cybercriminals can use the same tool to perform real cyberattacks, such as stealing data or compromising systems, with relative ease. Cobalt Strike also lets its operators generate their own malicious code, known as a payload, which can then be deployed against targeted systems. These payloads can be used to install backdoors into targeted networks and download malware onto vulnerable hosts. As a result, cybercriminals increasingly leveraged Cobalt Strike in 2022 to execute targeted malware attacks against organizations and individuals across the globe.[3]
PsExec: PsExec is a system administration utility used to execute programs on remote Windows hosts. This lightweight, standalone utility provides an easy way to run and interact with programs on remote machines. In the wrong hands, however, PsExec gives threat actors the ability to exfiltrate data or execute malware on a victim's computer.[4] For this reason, PsExec became increasingly popular among threat actors in 2022: its versatility and ease of use make it a valuable tool for exploiting vulnerabilities and targeting systems.
Local existing software: Attackers occasionally “live off the land,” using software already present on the target network for their infiltration attempts. For example, malicious actors may use lesser-known functionality of programs already installed on the victim's computer, including common local and web-based applications such as Microsoft Excel, to perform nefarious activities. These cyberattack methods can allow cybercriminals to bypass traditional detection techniques: because the software is already present and allowed on the host, most security programs overlook it.
New Red Team and penetration testing tools: A Red Team is a group of specialized cybersecurity professionals whose goal is to test the resilience of an organization's cyber defenses by attacking them in realistic simulation scenarios. Pen testing tools are software programs intended to be used by Red Teams to perform their penetration tests, evaluating targeted systems and applications and uncovering their vulnerabilities. These tools can be used to simulate cyberattacks and identify weak points that could potentially be exploited. Nonetheless, much like the other items on this list, penetration testing tools may also be used illegitimately by cybercriminals. One example of a newer pen testing tool that will likely be used more in 2023 is Nighthawk. It simulates advanced cyberattack methods such as denial-of-service (DoS) attacks, privilege escalation exploits, and phishing campaigns. While there has been no indication that the program has been leaked or cracked, there is no guarantee that it will not be weaponized in the future, and cybersecurity experts are wary and on the lookout for Nighthawk in 2023.
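The defensive counterpart to the dual-use tools above is hunting for how they behave rather than what they are called. The following is an added example (not code from the article or from any of the tools it names) of that idea applied to PsExec-style lateral movement: it walks a list of pre-parsed Windows event records and flags a service installation (System event 7045) that either uses PsExec's default PSEXESVC name or was preceded, seconds earlier, by the same binary being written to the ADMIN$ share over SMB (Security event 5145). The record layout, the 60-second window and the sample events are constructed assumptions; the event IDs and the default service name are standard Windows and PsExec behaviour.

```python
"""Hunt for PsExec-style remote service installation in Windows event records.

Added example: the event layout (pre-parsed records as dicts) is an assumption
and the sample events are constructed, not real telemetry. The signals used are
real Windows events: System 7045 (a service was installed) and Security 5145
(a network share object was accessed), plus PsExec's default service name.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Names PsExec uses when run without renaming its service.
KNOWN_PSEXEC_NAMES = {"psexesvc", "psexesvc.exe"}
# How soon after an ADMIN$ write a service install is treated as related (assumption).
WINDOW = timedelta(seconds=60)

# Constructed sample events (ISO 8601 timestamps, one host per record).
SAMPLE_EVENTS = [
    # WS-01: classic PsExec, binary copied to ADMIN$, then a service installed
    {"ts": "2022-06-01T10:00:01", "host": "WS-01", "event_id": 5145,
     "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe", "src_ip": "10.0.0.5"},
    {"ts": "2022-06-01T10:00:02", "host": "WS-01", "event_id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # WS-02: same pattern with a renamed service (name-only rules miss this)
    {"ts": "2022-06-01T11:30:00", "host": "WS-02", "event_id": 5145,
     "share": "\\\\*\\ADMIN$", "target": "svchelper.exe", "src_ip": "10.0.0.5"},
    {"ts": "2022-06-01T11:30:04", "host": "WS-02", "event_id": 7045,
     "service": "svchelper", "image": "%SystemRoot%\\svchelper.exe"},
    # WS-03: a vendor installer registering a service, no remote share write
    {"ts": "2022-06-01T12:00:00", "host": "WS-03", "event_id": 7045,
     "service": "VendorUpdate", "image": "C:\\Program Files\\Vendor\\upd.exe"},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_remote_service_installs(events, window=WINDOW):
    """Return one finding per suspicious 7045 event, listing the reasons matched."""
    # Index ADMIN$ share writes per host so each 7045 can look back in time.
    admin_writes = defaultdict(list)
    for e in events:
        if e["event_id"] == 5145 and e.get("share", "").upper().endswith("ADMIN$"):
            admin_writes[e["host"]].append(e)

    findings = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        service = e.get("service", "").lower()
        image = _basename(e.get("image", ""))
        reasons = []
        # Signal 1: the default PsExec names (cheap, but trivially evaded).
        if service in KNOWN_PSEXEC_NAMES or image in KNOWN_PSEXEC_NAMES:
            reasons.append("default PsExec service/binary name")
        # Signal 2: the installed binary was just written to ADMIN$ over SMB,
        # which is how PsExec and similar tools behave regardless of their name.
        installed_at = _ts(e)
        for w in admin_writes.get(e["host"], []):
            delta = installed_at - _ts(w)
            if timedelta(0) <= delta <= window and _basename(w["target"]) == image:
                reasons.append(
                    f"binary written to ADMIN$ from {w['src_ip']} "
                    f"{int(delta.total_seconds())}s before install")
        if reasons:
            findings.append({"host": e["host"], "service": e["service"],
                             "image": e["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_remote_service_installs(SAMPLE_EVENTS):
        print(f["host"], f["service"], "->", "; ".join(f["reasons"]))
```

The renamed case on WS-02 is the point of the second signal: a rule keyed only on the PSEXESVC name fires on WS-01 and nothing else, whereas correlating the ADMIN$ write with the service install catches both hosts and leaves the local vendor installer on WS-03 alone.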
Commonly Targeted Systems in 2022
In the year 2022, several ransomware trends became evident and are expected to continue through 2023. Attackers understood which techniques provided more successful outcomes and concentrated their efforts on those particular approaches. These were some of the major tendencies for ransomware in 2022:
#1 On-Premises Exchange Servers
Microsoft Exchange Server is a business and enterprise email server developed by Microsoft that provides messaging services such as secure mail, along with collaboration tools and calendar applications. It is an on-premises application running on Windows servers, meaning users control the hardware, software, and security of their organization's email system.
On-premises Exchange Servers were heavily targeted in cyberattacks during 2022 because of vulnerabilities that left systems exposed if they were not maintained properly. Attackers took advantage of out-of-date equipment and improper patching to deploy malware that gave them access to data stored on those systems. Attackers were also able to use exploits to obtain Active Directory credentials, allowing them further access into a company's network and creating even more cyberattack opportunities.
Due to major hacks that exploited Exchange Servers in recent years, some have been led to believe that it is time to do away with the program altogether.[6]
#2 Unpatched Systems
Cyberattacks leveraging unpatched systems have been an enduring problem beyond just 2022. Numerous ransomware assaults make use of zero-day vulnerabilities, but the majority still exploit known weaknesses on vulnerable devices and software.
#3 RDP Ports
Remote Desktop Protocol (RDP) ports expose a remote-control service that lets a user connect to and operate a system or computer over the network. A cybercriminal can use exposed RDP ports to gain access to targeted systems and networks, allowing them to manipulate or steal data, or deploy malware and ransomware. Throughout 2022, RDP ports left open constantly presented a security risk; defenders all too often left them exposed, creating an easy entry point for malicious entities. Organizations should therefore protect their networks by regularly scanning for open RDP ports and closing those that are not in use.
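Where an RDP port has to stay open, the logon records it produces are the next line of defense. The following added example (not from the article) runs a simple detection over Windows Security logon events: it looks only at logon type 10 (RemoteInteractive, i.e. RDP), then flags a password spray (many failures against several accounts from one source) and a success that follows a burst of failures (the signature of a guessed password). The record layout, the thresholds and the sample events are constructed assumptions; event IDs 4624/4625 and logon type 10 are the standard Windows values, and 203.0.113.0/24 is a documentation address range.

```python
"""Detect RDP brute-force and password-spray patterns in Windows Security events.

Added example, not from the article. Assumes Security events are pre-parsed
into dicts with the fields below; the sample events are constructed. Event
4625 (failed logon) and 4624 (successful logon) with logon type 10
(RemoteInteractive) are the real Windows identifiers for RDP logons.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5              # failures inside the window before we alert (assumption)
WINDOW = timedelta(minutes=10)  # look-back window (assumption)
SPRAY_MIN_ACCOUNTS = 3          # distinct accounts that mark a password spray (assumption)


def _logon(ts, host, event_id, account, src_ip):
    return {"ts": ts, "host": host, "event_id": event_id,
            "logon_type": RDP_LOGON_TYPE, "account": account, "src_ip": src_ip}


# Constructed sample events, in time order.
SAMPLE_LOGONS = [
    _logon("2022-09-12T09:00:00", "SRV-01", 4625, "admin", "203.0.113.7"),
    _logon("2022-09-12T09:00:10", "SRV-01", 4625, "administrator", "203.0.113.7"),
    _logon("2022-09-12T09:00:20", "SRV-01", 4625, "backup", "203.0.113.7"),
    _logon("2022-09-12T09:00:30", "SRV-01", 4625, "admin", "203.0.113.7"),
    _logon("2022-09-12T09:00:40", "SRV-01", 4625, "svc-deploy", "203.0.113.7"),
    _logon("2022-09-12T09:00:50", "SRV-01", 4625, "admin", "203.0.113.7"),
    _logon("2022-09-12T09:01:00", "SRV-01", 4624, "admin", "203.0.113.7"),
    # An internal user mistypes a password once, then logs in: no alert expected.
    _logon("2022-09-12T09:05:00", "SRV-01", 4625, "jsmith", "10.0.0.12"),
    _logon("2022-09-12T09:05:15", "SRV-01", 4624, "jsmith", "10.0.0.12"),
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_rdp_attacks(events, threshold=FAIL_THRESHOLD, window=WINDOW,
                       spray_accounts=SPRAY_MIN_ACCOUNTS):
    """Return alerts for RDP password sprays and successes following failure bursts."""
    rdp = sorted((e for e in events if e.get("logon_type") == RDP_LOGON_TYPE),
                 key=lambda e: e["ts"])
    by_source = defaultdict(list)          # key: (source IP, target host)
    for e in rdp:
        by_source[(e["src_ip"], e["host"])].append(e)

    alerts = []
    for (src_ip, host), evs in by_source.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        # Password spray: a burst of failures spread over several accounts.
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if _ts(f) - _ts(first) <= window]
            accounts = {f["account"] for f in burst}
            if len(burst) >= threshold and len(accounts) >= spray_accounts:
                alerts.append({"type": "password-spray", "src_ip": src_ip, "host": host,
                               "failures": len(burst), "accounts": sorted(accounts)})
                break
        # Success after a burst of failures: the pattern of a guessed password.
        for s in (e for e in evs if e["event_id"] == 4624):
            prior = [f for f in fails if timedelta(0) <= _ts(s) - _ts(f) <= window]
            if len(prior) >= threshold:
                alerts.append({"type": "success-after-failures", "src_ip": src_ip,
                               "host": host, "account": s["account"],
                               "failures": len(prior)})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_attacks(SAMPLE_LOGONS):
        print(a)
```

Keying on the (source IP, host) pair rather than on the account is what makes the spray visible: each account on its own sees only one or two failures, well under any lockout threshold, while the source as a whole is clearly guessing.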
#4 Misconfigured Firewalls
Firewalls are security systems designed to protect networks and systems from cyber threats. Firewalls control access to a system by examining incoming requests and blocking suspicious activities while allowing valid ones.[7] In 2022, cybercriminals frequently targeted unsecured or misconfigured firewalls in cyberattacks. By exploiting the vulnerabilities of these firewalls, attackers were able to gain unauthorized access to organizations' private datasets as well as launch malware attacks on internal networks.
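The firewall misconfigurations above and the open RDP ports of the previous section are usually the same mistake seen from two sides: an allow rule whose source is far broader than it needs to be. The following added example (not from the article and not tied to any firewall vendor) audits a small, vendor-neutral rule list and flags management ports reachable from any source or from an over-broad range; it contains the weak RDP rule beside its corrected form, which restricts the source to a VPN subnet. The rule format, the "broad prefix" cut-off and the rules themselves are constructed assumptions; the port-to-service mapping uses the standard default ports.

```python
"""Audit a firewall rule set for over-exposed management services.

Added example, not from the article. The rule format (a vendor-neutral list of
dicts) is an assumption and the rules are constructed; the port numbers are
the standard defaults for each service.
"""
import ipaddress

# Management services that should never be reachable from arbitrary sources.
MGMT_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}
# Assumption: a source prefix this short or shorter counts as "broad".
BROAD_PREFIX = 16

SAMPLE_RULES = [
    {"name": "allow-https", "action": "allow", "proto": "tcp",
     "src": "0.0.0.0/0", "dport": 443},
    # Weak: RDP open to the whole Internet, the exposure the article warns about.
    {"name": "allow-rdp-any", "action": "allow", "proto": "tcp",
     "src": "0.0.0.0/0", "dport": 3389},
    # Corrected form of the rule above: RDP only from the VPN subnet (constructed).
    {"name": "allow-rdp-vpn", "action": "allow", "proto": "tcp",
     "src": "10.20.0.0/24", "dport": 3389},
    # Over-broad partner rule: every port from a /12.
    {"name": "allow-partner-all", "action": "allow", "proto": "any",
     "src": "172.16.0.0/12", "dport": "any"},
    {"name": "default-deny", "action": "deny", "proto": "any",
     "src": "0.0.0.0/0", "dport": "any"},
]


def audit_rules(rules, broad_prefix=BROAD_PREFIX):
    """Return (rule name, severity, reason) for each risky allow rule, in rule order."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        net = ipaddress.ip_network(r["src"], strict=False)
        any_source = net.prefixlen == 0
        broad_source = net.prefixlen <= broad_prefix
        dport = r["dport"]
        # "Any port" rules are judged purely on how broad their source is.
        if dport == "any":
            if broad_source:
                findings.append((r["name"], "high",
                                 f"every port allowed from broad source {net}"))
            continue
        service = MGMT_PORTS.get(int(dport))
        if service is None:
            continue  # not a management port; outside this audit's scope
        if any_source:
            findings.append((r["name"], "critical",
                             f"{service} ({dport}) exposed to any source"))
        elif broad_source:
            findings.append((r["name"], "high",
                             f"{service} ({dport}) reachable from broad source {net}"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {reason}")
```

The audit reports the Internet-facing RDP rule and the catch-all partner rule and stays silent on the VPN-scoped RDP rule, which is the shape a corrected rule should have: same port, same protocol, source narrowed to the hosts that genuinely need it.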
Key Takeaways
- Zero-day exploits were often a primary vulnerability in 2022. Zero-day vulnerabilities were a highly prioritized method of initial compromise in 2022. Their exploitation has seen an exponential increase since the start of the conflict in Ukraine, and they are often leveraged by highly sophisticated threat actors deploying custom exploits.
- Malicious actors use legitimate programs. By using the functionality of legitimate programs, malicious actors are often able to bypass traditional modes of detection. Placing an emphasis on how programs are used rather than on which programs are used might provide more insight for threat detection in 2023.
- Lateral movement is the new battleground. The use of dual-use tools (system utilities and trusted software commandeered by attackers) has risen considerably, with an increase of over 10% in script hosts and file storage/synchronization tools (examples include Google Drive and OneDrive). This finding reflects a concerning lack of visibility into cloud storage channels.
- There is a lack of active monitoring of networks. Defenders often fail to actively monitor their networks, relying instead on Security Operations Centers (SOCs) to provide alarms and alerts that are often overlooked due to their high volume. Additionally, some network defenders lack the ability to accurately identify or interpret important data during cyber threats, leaving them vulnerable to attack.
[1] Zero-Day Vulnerabilities 2022: Getting Worse, but Mitigation Is Still Possible; Senseon, 2022.
[2] Common Types Of Network Security Vulnerabilities; Purplesec, 2022.
[3] New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons; The Hacker News, 2022.
[4] Threat Hunting: How to Detect PsExec; Praetorian, 2020.
[5] Microsoft Exchange Server; TechTarget, 2020.
[6] It Really is Time to Say Goodbye to On-Premises Exchange; Practical365, 2022.
[7] Common Types Of Network Security Vulnerabilities; Purplesec, 2022.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.