Ransomware, BEC, and Phishing Top Cisco Talos Incident Response Trends Q3 2022 Report

Cisco Talos Incident Response (CTIR) researchers published their Quarterly Report, Incident Response Trends in Q3 2022. Key findings cover ransomware, phishing, and BEC trends.
Ransomware, BEC, and Phishing Top Cisco Talos Incident Response Trends Q3 2022 Report

Key Takeaways

On October 25, 2022, Cisco Talos Incident Response (CTIR) researchers published their Quarterly Report: Incident Response Trends in Q3 2022. Key findings include:

  • Ransomware was the top threat this quarter, a slight change from last quarter where commodity trojans surpassed ransomware by a narrow margin.
  • Several high-profile ransomware groups appeared in CTIR engagements this quarter, including Hive and Vice Society.
  • CTIR observed adversaries leveraging a variety of publicly available tools and scripts hosted on GitHub repositories or from third-party websites to support operations across multiple stages of the attack lifecycle.
  • The next most observed threats this quarter included commodity malware such as the Qakbot banking trojan and infostealers like Redline.

Secondary findings included:

  • Nearly 18 percent of engagements either did not have multi-factor authentication (MFA) enabled or only had it enabled on a select handful of accounts and critical services.
  • Adversaries’ tools focused on accessing and collecting credentials, highlighting the role these tools play in potentially furthering an adversary’s objectives.
  • Talos has been monitoring the increased use of dual-use tools in these attacks, such as Anonymous Fox, Brute Ratel, Sliver, and Manjusaka.
  • CTIR continued to observe threats which are consistently seen across previous quarters, including phishing and business email compromise (BEC), attempts to take advantage of weaknesses or vulnerabilities in public-facing applications, distributed denial-of-service (DDoS) attacks, and insider threats.

RH-ISAC Data Comparison

The threat intel trend data tracked by RH-ISAC from member sharing largely corroborates the key findings from the Cisco Q3 Incident Response Trends report. As shown in the most recent Intelligence Trends Summary, credential harvesting, phishing, and ransomware all rate in the top threat trends reported by members. In addition, top malware and tools listed in the Cisco report, such as QakBot, are frequently and consistently observed, stopped, and reported by member analysts. Overall, RH-ISAC members are sharing threat data that lines up with the trends identified in the Cisco report, indicating that these trends are likely wider in scope than the RH-ISAC community and are being seen across sectors globally during the third quarter of 2022.

According to Talos researchers, sectors overlapping with the RH-ISAC community (retail/home improvement, arts and entertainment, food service, manufacturing, trade, and agriculture) did not rate in the topmost targeted sectors, which they identify as Education, Energy, Finance, and Government.


Talos researchers also provided the following tactics, techniques, and procedures (TTPs):


Initial Access (TA0001)T1078 Valid AccountsAdversary leveraged stolen or compromised credentials
Reconnaissance (TA0043)T1592 Gather Victim Host InformationText file contains details about host
Persistence (TA0003)T1136 Create AccountCreated a user to add to the local administrator’s group
Execution (TA0002)T1059.001 Command and Scripting Interpreter: PowerShellExecutes PowerShell code to retrieve information about the client’s Active Directory environment
Discovery (TA0007)T1482 Domain Trust DiscoveryUse various utilities to identify information on domain trusts
Credential Access (TA0006)T1003 OS Credential DumpingDeploy Mimikatz and publicly available password lookup utilities
Privilege Escalation (TA0004)T1068 Exploitation for Privilege EscalationExploit ZeroLogon to escalate privileges with a direct path to a compromised domain
Lateral Movement (TA0008)T1021.001 Remote Desktop ProtocolAdversary made attempts to move laterally using Windows Remote Desktop
Defense Evasion (TA0005)T1027 Obfuscated Files or InformationUse base64-encoded PowerShell scripts
Command and Control (TA0011)T1105 Ingress Tool TransferAdversaries transfer/download tools from an external system
Impact (TA0040)T1486 Data Encrypted for ImpactDeploy Hive ransomware and encrypt critical systems
Exfiltration (TA0010)T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud StorageActor exfiltrated data to file sharing site mega[.]nz
Collection (TA0009)T1074 Data StagedStage data in separate output files
Software/ToolS0002 MimikatzUse Mimikatz to obtain account logins and passwords

More Recent Blog Posts