Over half of cyber-attacks exploiting known vulnerabilities are the work of state-sponsored groups from abroad, mainly from China. According to cybersecurity company Recorded Future’s research arm, Insikt Group, 53 percent of observed exploitation activity in the first half of this year was driven by state-sponsored and suspected state-sponsored actors and conducted for espionage, surveillance, or other geopolitical objectives.
Publication of Insikt Group’s report follows hard on the heels of a joint cybersecurity advisory issued by the US National Security Agency (NSA), warning that threat actors sponsored by the Chinese government have been consistently targeting telecommunications, government, transportation, lodging, and military infrastructure networks globally.
“The presence of state-sponsored actors underlines that many governments’ cyber units have the resources to weaponize new flaws quickly, often within days of a disclosure. The significant state-sponsored involvement also implies that these threats are not just random or opportunistic but often targeted and persistent campaigns aiming at specific sectors or high-value systems,” reports Insikt Group.
Financially motivated groups accounted for 27 percent of exploitations. Another 20 percent of exploitation was attributed to ransomware and extortion groups.
Ideal for industrial espionage
Insikt Group also reports that the most commonly observed malware used post-compromise was the offensive security tool Cobalt Strike. Tools such as Cobalt Strike give attackers a reliable foothold because they provide a full-featured toolkit to run commands, escalate privileges, and move laterally, while blending in with normal network traffic. The same qualities make them well suited to long-term surveillance and to political and industrial espionage.
Internet-facing systems and unpatched client software remain prime targets. Insikt Group warns that failing to patch them gives attackers an avenue to get in and escalate their privileges. Companies should, therefore, ensure that both their perimeter systems and endpoint applications are kept up to date, and have monitoring in place to spot exploit attempts in real time.
“Attackers are also investing in exploits that require user interaction (for example, a malicious email attachment or drive-by download that triggers an exploit on the victim’s end). In these scenarios, the vulnerability may be in a client-side application such as a browser or office document software, and the attacker socially engineers the victim into running the exploit,” warns Insikt Group.
Insikt Group also observed ClickFix as a prominent, emerging initial access technique in the first half of this year. ClickFix is a social engineering technique that tricks users into running malicious scripts by presenting deceptive error messages or verification instructions.