On October 25, 2022, Cisco Talos Incident Response (CTIR) researchers published their Quarterly Report: Incident Response Trends in Q3 2022. Key findings include:
- Ransomware was the top threat this quarter, a slight change from last quarter, when commodity trojans narrowly surpassed ransomware.
- Several high-profile ransomware groups appeared in CTIR engagements this quarter, including Hive and Vice Society.
- CTIR observed adversaries leveraging a variety of publicly available tools and scripts hosted on GitHub repositories or from third-party websites to support operations across multiple stages of the attack lifecycle.
- The next most observed threats this quarter included commodity malware such as the Qakbot banking trojan and infostealers like Redline.
Secondary findings included:
- Nearly 18 percent of engagements either did not have multi-factor authentication (MFA) enabled or only had it enabled on a select handful of accounts and critical services.
- Adversaries' tooling focused on accessing and collecting credentials, underscoring how credential theft enables the later stages of an intrusion (lateral movement, privilege escalation, and ultimately impact).
- Talos has been monitoring the increased use of dual-use tools in these attacks, such as Anonymous Fox, Brute Ratel, Sliver, and Manjusaka.
- CTIR continued to observe threats that are consistently seen across previous quarters, including phishing and business email compromise (BEC), attempts to exploit weaknesses or vulnerabilities in public-facing applications, distributed denial-of-service (DDoS) attacks, and insider threats.
RH-ISAC Data Comparison
The threat intelligence trend data that RH-ISAC tracks from member sharing largely corroborates the key findings of the Cisco Q3 Incident Response Trends report. As shown in the most recent Intelligence Trends Summary, credential harvesting, phishing, and ransomware all rank among the top threat trends reported by members. In addition, top malware and tools listed in the Cisco report, such as Qakbot, are frequently and consistently observed, stopped, and reported by member analysts. Overall, RH-ISAC members are sharing threat data that lines up with the trends identified in the Cisco report, indicating that these trends extend beyond the RH-ISAC community and were seen across sectors globally during the third quarter of 2022.
According to Talos researchers, sectors overlapping with the RH-ISAC community (retail/home improvement, arts and entertainment, food service, manufacturing, trade, and agriculture) did not rate in the topmost targeted sectors, which they identify as Education, Energy, Finance, and Government.
Talos researchers also provided the following tactics, techniques, and procedures (TTPs), mapped to MITRE ATT&CK tactic and technique IDs:
| Tactic | Technique | Observed behavior |
| --- | --- | --- |
| Initial Access (TA0001) | T1078 Valid Accounts | Adversary leveraged stolen or compromised credentials |
| Reconnaissance (TA0043) | T1592 Gather Victim Host Information | Text file contains details about host |
| Persistence (TA0003) | T1136 Create Account | Created a user to add to the local Administrators group |
| Execution (TA0002) | T1059.001 Command and Scripting Interpreter: PowerShell | Executes PowerShell code to retrieve information about the client's Active Directory environment |
| Discovery (TA0007) | T1482 Domain Trust Discovery | Use various utilities to identify information on domain trusts |
| Credential Access (TA0006) | T1003 OS Credential Dumping | Deploy Mimikatz and publicly available password lookup utilities |
| Privilege Escalation (TA0004) | T1068 Exploitation for Privilege Escalation | Exploit ZeroLogon to escalate privileges with a direct path to a compromised domain |
| Lateral Movement (TA0008) | T1021.001 Remote Desktop Protocol | Adversary made attempts to move laterally using Windows Remote Desktop |
| Defense Evasion (TA0005) | T1027 Obfuscated Files or Information | Use base64-encoded PowerShell scripts |
| Command and Control (TA0011) | T1105 Ingress Tool Transfer | Adversaries transfer/download tools from an external system |
| Impact (TA0040) | T1486 Data Encrypted for Impact | Deploy Hive ransomware and encrypt critical systems |
| Exfiltration (TA0010) | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage | Actor exfiltrated data to file sharing site mega[.]nz |
| Collection (TA0009) | T1074 Data Staged | Stage data in separate output files |
| Software/Tool | S0002 Mimikatz | Use Mimikatz to obtain account logins and passwords |
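Several rows in the table above map directly onto Windows telemetry that most environments already collect. The script below is an added example, not code from the Cisco Talos report or from RH-ISAC: it walks a stream of constructed, hypothetical Windows event records and flags three of the listed behaviors: a PowerShell process launched with a base64 `-EncodedCommand` (T1059.001 / T1027, decoded so the analyst sees the actual script), a freshly created local account being added to Administrators (T1136), and an outbound connection to mega.nz (T1567.002). The event field names follow the Windows Security log (4688, 4720, 4732) and Sysmon Event ID 3; the sample events, hostnames, and account names are invented for the demonstration.

```python
"""Added example: detect three TTPs from the Talos table over constructed Windows events.

Not code from Cisco Talos or RH-ISAC. Events are hypothetical dicts whose keys mirror
Windows Security log fields (EventID 4688 process creation, 4720 account created,
4732 member added to a local group) and Sysmon Event ID 3 (network connection).
"""
import base64
import binascii
import re

# Constructed sample events; hostnames and account names are invented.
_ENCODED = base64.b64encode("Get-ADTrust -Filter *".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "WS01",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"EventID": 4688, "Host": "WS02",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"EventID": 4720, "Host": "DC01", "TargetUserName": "svc_backup2"},
    {"EventID": 4732, "Host": "DC01", "MemberName": "svc_backup2", "GroupName": "Administrators"},
    {"EventID": 4732, "Host": "DC01", "MemberName": "jsmith", "GroupName": "Remote Desktop Users"},
    {"EventID": 3, "Host": "WS01", "DestinationHostname": "mega.nz", "DestinationPort": 443},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Requiring a long base64 run keeps "-ExecutionPolicy Bypass" from matching.
ENCODED_ARG = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or invalid."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_mega_host(hostname):
    """True for mega.nz itself or any subdomain of it (case-insensitive)."""
    host = hostname.lower().rstrip(".")
    return host == "mega.nz" or host.endswith(".mega.nz")


def detect(events):
    """Walk events in order and return (technique, host, detail) alerts.

    The T1136 rule is stateful: an account counts as "new" only if a 4720 for it
    appeared earlier in the same stream. It assumes MemberName has already been
    resolved to an account name (in raw 4732 events it is often "-" with only
    MemberSid populated).
    """
    alerts = []
    created_accounts = set()
    for event in events:
        event_id = event.get("EventID")
        host = event.get("Host", "?")
        if event_id == 4688:
            script = decode_encoded_command(event.get("CommandLine", ""))
            if script is not None:
                alerts.append(("T1059.001/T1027", host, f"encoded PowerShell: {script}"))
        elif event_id == 4720:
            created_accounts.add(event.get("TargetUserName", "").lower())
        elif event_id == 4732:
            member = event.get("MemberName", "").lower()
            if member in created_accounts and event.get("GroupName") == "Administrators":
                alerts.append(("T1136", host, f"new account {member} added to Administrators"))
        elif event_id == 3:
            destination = event.get("DestinationHostname", "")
            if is_mega_host(destination):
                alerts.append(("T1567.002", host, f"connection to {destination}"))
    return alerts


if __name__ == "__main__":
    for technique, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {host}: {detail}")
```

Decoding the encoded command rather than merely flagging its presence matters in practice: the decoded text is what lets an analyst tell an Active Directory trust-enumeration script (the T1482 row) apart from a benign administrative one-liner, and it is the string that should be carried into the alert and the case notes.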