Forescout researchers identify prominent cyberthreat trends, popular hacking groups, and evolving extortion techniques

Vedere Labs, the cybersecurity research arm of Forescout Technologies, analyze the notable cyberthreat trends evolved during 2022H1

Forescout Technologies, the global leader in automated cybersecurity, recently analysed and chronicled various the evolving complexity of the cyberthreats landscape – with ransomware being the main threat targeting most organisations nowadays. The new threat report highlights a series of observations about the most relevant activity they have seen during the 2022H1, and also the ways to bolster the current defensive strategies to account for these developments.

The report covers the three other notable cyberthreat trends also evolved during this period :

• Threat actors – We saw an almost equal split between cybercriminals and state-sponsored actor activity, with the vast majority of malicious activity perpetrated by Russian or Eastern European actors. The main targeted sectors were government and financial services.
• New malware – Significant malware families such as wipers, OT/ICS malware and botnets targeted not only IT systems but also many types of IoT devices.
• Active hacking groups – Because of the ongoing conflict in Ukraine, hundreds of hacktivists perpetrated DDoS and other types of attacks. Alongside the politically motivated activity, other large groups focusing on data exfiltration for financial gains have been active.

It also highlights the figures around the cybercriminals and state-sponsored ransomware, based on data from the Forescout Device Cloud, one of the world’s largest repositories of connected enterprise device data — including IT, OT and IoT device data — whose number of devices grows daily. The report includes the percentage of malicious requests based on the threat actor’s country of origin, which include Russia and Eastern Europe, followed by China and Pakistan.

The observed actors in the report targeted many different sectors. Government networks were targeted most often (41%), followed by financial services (28%). Both sectors have long been preferred targets for cyber activities.

Similarly, new malware – wipers, OT/ICS malware, and botnets have emerged as frequent threat actors, with several exploits for IoT devices as well as enterprise IT applications. Moreover, ZuoRAT is a recent Remote Access Trojan (RAT) that leverages exposed and vulnerable routers for initial infection, enumerates IT devices connected to the network, then uses DNS and HTTP hijacking to install other malware on the identified devices. Researchers have speculated that  is operated by a state-sponsored group because of its complexity.

The report significantly identifies the change in extortion techniques too. LAPSUS$ is a hacking group that has been active since 2021 and has breached several high-profile organizations, starting with major Brazilian governmental agencies and companies. In 2022 it moved on to global businesses such as Microsoft, Nvidia and Okta. Following a series of arrests in the UK in March, the group has been mostly silent. Other groups focusing on data extortion include RansomHouse and Karakurt. The latter is connected to the Conti ransomware gang.

The Report concludes with some suggested mitigation efforts such as segmentation of network to isolate  IT and OT, limiting network connections to only specifically allowed management and engineering workstations ; monitoring of insider threats, large data transfers and activity in dark nets to prevent or mitigate data leakage by hacktivists and data extortion groups ; using strong and unique passwords and employ multi factor authentication whenever possible to ensure that stolen credentials cannot easily be used against the organization ; following the NCSC-UK’s guide on Denial of Service attacks, which includes understanding weak points in the service, ensuring that service providers can handle resource exhaustion ; Identifying and patching vulnerable IoT devices to prevent them from being used as part of DDoS botnets ; Monitoring the traffic of IoT devices to identify those being used as part of distributed attacks.