According to cybersecurity company Proofpoint, cybercriminals returned to their usual business practices in 2022 after two years of pandemic-induced disruption. As COVID-19 medical and economic programs began to wind down, attackers had to adapt and find new ways to make a living. This resulted in a surge of creativity among threat actors, who honed their social engineering skills, commoditized previously sophisticated attack techniques, and sought out new opportunities in unexpected places.
The threat landscape witnessed significant developments on multiple fronts in 2022. There was an increase in brute-force and targeted attacks on cloud tenants, a surge in conversational smishing attacks, and a proliferation of multifactor authentication (MFA) bypass techniques. Microsoft 365 served as a major target for attackers, with broad abuse of the platform taking place, from exploiting Office macros to manipulating OneNote documents.
Ryan Kalember, EVP of cybersecurity strategy at Proofpoint, emphasized the central role people play in today’s attack chain. He highlighted how threat actors have innovated and scaled their bypass techniques, turning methods once confined to red teams, such as MFA bypass and telephone-oriented attack delivery, into commonplace tradecraft. The creativity of threat actors was evident in the varied attack chains and in the rapid testing and discarding of delivery mechanisms seen in 2022.
One significant development in 2022 was the decline in the use of Office macros as a malware distribution method. Microsoft’s updates to how its software handles files downloaded from the web played a role in this decline. However, threat actors quickly adjusted and embarked on a flurry of experimentation to find alternative techniques for compromising targets.
Conversational smishing and pig butchering threats experienced a surge in 2022. Conversational smishing involves attackers sending seemingly harmless messages to their targets, while pig butchering threats are attacks that start with the attacker posing as a friendly entity before turning malicious. In the mobile space, conversational smishing was the fastest-growing threat, with a twelvefold increase in volume. Telephone-oriented attack delivery (TOAD) also reached its peak, with 13 million messages being sent per month. Some state-sponsored advanced persistent threat (APT) actors even invested significant time building rapport with their targets through benign messages over the course of weeks and months.
MFA bypass phish kits such as EvilProxy, Evilginx2, and NakedPages were responsible for over a million phishing messages per month. Many organizations faced threats hosted on the infrastructure of well-known cloud giants like Microsoft and Amazon, whose platforms also host numerous legitimate services that organizations rely on. The threat actor behind SocGholish, known as TA569, delivered its malware exclusively through drive-by downloads, using fake browser update prompts on compromised websites as a novel distribution method. This tricked victims into downloading malware disguised as a legitimate update, while the hosting sites themselves were often unaware that they were distributing malicious content.
Cloud threats have become ubiquitous, with 94% of cloud tenants being targeted every month by either precision or brute-force cloud attacks. The frequency of cloud attacks now matches that of email and mobile vectors. The number of brute-force attacks, particularly password spraying, increased significantly from a monthly average of 40 million in 2022 to nearly 200 million in early 2023. Attackers often abuse the familiarity and trust associated with major brands, with Microsoft and Amazon being among the most commonly abused brands.
Misconfigured or “shadow” admin identities remain a vulnerability for many organizations, with as many as 40% of them being exploitable in a single step. Additionally, 13% of shadow admins were found to already have domain admin privileges, providing attackers with access to corporate systems. A worrying 10% of endpoints have an unprotected privileged account password, with 26% of exposed accounts being domain admins.
Emotet, one of the most prominent threat actors, was only intermittently active in 2022. Despite sending over 25 million messages, more than double the volume of the second most prominent threat actor, Emotet’s activity showed signs of lethargy and a lack of adaptation to the post-pandemic threat landscape. However, Proofpoint warns that even a single attack by an advanced persistent threat (APT) actor can have a significant impact. TA471, a Russian-aligned APT group engaged in corporate and government espionage, propelled itself to the top of the APT message volume charts with a single large campaign. Another active APT actor, TA416, aligned with the Chinese state, targeted European diplomatic entities involved in refugee and migrant services, especially during the Russia-Ukraine war.
In conclusion, 2022 was a year of creativity among cybercriminals, who adapted their attack methods to the changing post-pandemic landscape. The decline in the use of Office macros, the surge in conversational smishing and pig butchering threats, the prevalence of MFA bypass phish kits, and the ubiquity of cloud attacks all highlight the evolving tactics employed by threat actors. As organizations continue to improve their security controls, it becomes imperative to remain vigilant and proactive to counter these ever-evolving cyber threats.