Geopolitical tensions and the largest war in Europe for decades have defined the malware landscape in 2022.
Recorded Future has been capturing global threat information from the internet, dark web, and technical sources for over a decade. The firm combines this vast amount of data with AI and human expertise to spot threats early and provide actionable insights to security professionals.
Toby Wilmington, Manager – Sales Engineering at Recorded Future, provided his analysis of the malware landscape over the first half of 2022 during a session at this year’s Cyber Security & Cloud Expo Europe.
“We’re starting to see the world become a reflection of the internet,” says Wilmington. “So influence operations, things that are going on online, are starting to have a geopolitical or kinetic impact — bombs being dropped, for instance.”
Recorded Future is getting its data from security vendor reporting, communication platforms like Telegram and Discord, social media, and more.
With its dark web collection abilities, the company is able to see what threat actors are talking about so they can help the good guys stay ahead. Such information could include what malware is being sold, what ransoms are being asked, and what penetration testing tools are being used.
In addition, Recorded Future is bringing in network traffic analysis data to see who is being impacted by cyberattacks, what technologies are being targeted, what infrastructure is being used, and to whom the activity can be attributed.
All of this data is pulled together in real-time to provide a far more complete picture of the malware landscape than was traditionally possible. As a result, cybersecurity can become far more proactive than reactive.
Wiper variants
Following Russia’s invasion of Ukraine, nine distinct variants of wiper malware began circulating that were designed to disrupt the defending country’s operations.
According to Wilmington, the malware variants grew increasingly simplistic over time, which “appeared to show the hostile government enjoying less time and fewer resources to develop malware against key geopolitical targets.”
Wilmington presents a timeline of Wiper variants used around conflicts:
“We’re seeing nation states wanting to isolate specific countries and bring operations down,” adds Wilmington.
Ransomware
Ransomware also continues to plague global security teams.
Conti is one of the most infamous forms of ransomware due to the speed with which it encrypts data and spreads to other systems. In May 2021, the Conti ransomware attack on Ireland’s health service led to weeks of disruption with a projected cost of $100 million.
When Russia invaded Ukraine, Conti Group announced its support for Russia. However, approximately 60,000 messages from internal chat logs were leaked by an anonymous person who indicated their support for Ukraine, along with source code and other files used by the group.
In April this year, Conti ransomware was used against the government of Costa Rica in a five-day intrusion. On 8th May, Costa Rica was forced to declare a national emergency as the intrusion had extended to multiple government bodies.
Wilmington claims the Conti attack on Costa Rica was enabled “as part of a disbandment that allowed individual members to support other ransomware gangs.”
Despite Conti making headlines, Wilmington says the most prolific operators are those behind the LockBit 3.0 and Hive ransomware families.
Recorded Future identified that the FIN7 ransomware group created a fake cybersecurity firm called Bastion Secure to recruit IT specialists and deploy PoS-exploitation tools. While the group is also thought to be Russian, Wilmington notes that such a tactic is often employed by North Korea.
Infostealers
One common malware type whose use Recorded Future has seen a “real rise” in over recent years is infostealers. The stolen information is then sold on the dark web.
Wilmington highlights that infostealers capture a fingerprint of the victim’s browser, after which anything done in that browser session is captured as well, and the resulting package of credentials and cookies is then offered for sale online.
“I can say, ‘If I buy this credential for $20, what does it give me access to? And does it come with a session cookie as well so I can actually jump around?’” explains Wilmington.
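The session-cookie resale Wilmington describes is why defenders bind a session to the client that created it. The following detector is an added example, not code from the original article or from Recorded Future; it treats the user agent, timezone and language as a stand-in browser fingerprint (an assumption) and flags a session id later presented with a different fingerprint, while downgrading a bare IP change to a low-severity alert.

```python
from typing import Dict, List, Tuple

# Constructed sample events (not real logs): session s1 is legitimate and only
# changes IP; session s2's cookie is later replayed from a different browser.
SAMPLE_EVENTS = [
    {"sid": "s1", "ip": "203.0.113.10", "ua": "Firefox/114", "tz": "Europe/Dublin", "lang": "en-IE"},
    {"sid": "s1", "ip": "203.0.113.11", "ua": "Firefox/114", "tz": "Europe/Dublin", "lang": "en-IE"},
    {"sid": "s2", "ip": "192.0.2.5", "ua": "Chrome/115", "tz": "America/Costa_Rica", "lang": "es-CR"},
    {"sid": "s2", "ip": "198.51.100.7", "ua": "Chrome/115", "tz": "Europe/Moscow", "lang": "ru-RU"},
]

# Hypothetical fingerprint: the client attributes we assume a server can observe.
FINGERPRINT_FIELDS = ("ua", "tz", "lang")


def fingerprint(event: Dict[str, str]) -> Tuple[str, ...]:
    """Reduce one request event to the tuple of attributes bound to its session."""
    return tuple(event[field] for field in FINGERPRINT_FIELDS)


def detect_session_reuse(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Bind each session id to the fingerprint and IP seen first, then alert on
    later requests whose fingerprint differs (high) or whose IP alone differs (low)."""
    bound: Dict[str, Tuple[Tuple[str, ...], str]] = {}
    alerts: List[Dict[str, object]] = []
    for ev in events:
        sid, fp = ev["sid"], fingerprint(ev)
        if sid not in bound:
            bound[sid] = (fp, ev["ip"])  # first sighting establishes the binding
            continue
        first_fp, first_ip = bound[sid]
        changed = [f for f, a, b in zip(FINGERPRINT_FIELDS, first_fp, fp) if a != b]
        if changed:
            # Same cookie, different browser attributes: consistent with a replayed stolen session.
            alerts.append({"sid": sid, "severity": "high", "changed": changed, "ip": ev["ip"]})
        elif ev["ip"] != first_ip:
            # Fingerprint intact, only the network changed: usually roaming, worth logging.
            alerts.append({"sid": sid, "severity": "low", "changed": ["ip"], "ip": ev["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS):
        print(alert)
```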
According to Wilmington, Raccoon Stealer was one of the most popular infostealers this year. However, it “went on a hiatus” in March 2022.
Threat actors then switched from Raccoon to Mars Stealer, MetaStealer, BlackGuard, RedLine, and Vidar. At the end of H1 2022, Raccoon Stealer 2.0 emerged and spiked again in popularity.
Wilmington goes on to show a graph of the top-referenced malware used in cyberattacks over H1 2022. Cobalt Strike takes the lead by a wide margin:
Vulnerabilities
On vulnerabilities, unsurprisingly it was Log4Shell – which is probably still causing many sleepless nights – that was by far the top-referenced vulnerability in H1 2022:
Microsoft vulnerability Follina took second place, followed by ProxyShell to round out the top three referenced vulnerabilities. ProxyShell, it’s worth noting, has been used by Conti affiliates to hack into Microsoft Exchange servers and compromise corporate networks.
Recorded Future applies risk scores to vulnerabilities based on whether they’re actively being exploited in the wild, either based on open-source reporting or the company’s internal honeypot.
Wilmington notes that Windows is normally the most affected vendor but, in H1 2022, the list has been largely dominated by vulnerabilities affecting Linux:
“Typically, we see Microsoft right at the top in terms of vulnerabilities,” explains Wilmington. “It’s quite interesting that Linux has been the main focus at the beginning of this year.”
Recorded Future typically sees around 2-4 weeks from a vulnerability being discovered to it being weaponised. Early intelligence such as Recorded Future provides can give the industry a substantial window to counter emerging threats before they cause damage.
Toby Wilmington was speaking at this year’s Cyber Security & Cloud Expo Europe.