Trellix Report Details Rise in Fake CEO Phishing Attacks


Latest Cyberthreat Trends Detailed in Trellix Advanced Research Center Report

Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), released The Threat Report: February 2023 from its Advanced Research Center, examining cybersecurity trends from the final quarter of 2022. Trellix combines telemetry collected from its extensive network of endpoint protection installs and its complete XDR product line with data gathered from open and closed-source intelligence reports to deliver report insights.

“Q4 saw malicious actors push the limits of attack vectors,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “Grey zone conflict and hacktivism have both led to an increase in cyber as statecraft as well as a rise in activity on threat actor leak sites. As the economic climate changes, organisations need to make the most effective security out of scarce resources.”

The report includes evidence of malicious activity linked to ransomware and nation-state-backed advanced persistent threat (APT) actors and examines threats to email, the malicious use of legitimate security tools, and more. Key findings include:

  • Fake CEO Emails Led to Business Email Compromise: Trellix determined 78% of business email compromise (BEC) involved fake CEO emails using common CEO phrases, resulting in a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing – or vishing – scheme. 82% were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns.
  • Critical Infrastructure Sectors Most Targeted: Sectors across critical infrastructure were most impacted by cyber threats. Trellix observed 69% of detected malicious activity linked to nation-state-backed APT actors targeting transportation and shipping, followed by energy, oil, and gas. According to Trellix telemetry, finance and healthcare were among the top sectors targeted by ransomware actors, and telecom, government, and finance were among the top sectors targeted via malicious email.
  • Attacks on Cloud Infrastructure on the Rise: AWS leads to the highest number of threat detections, likely due to the size of the marketplace. It’s also interesting to note that because the majority of enterprise accounts use Multi-Factor Authentications enabled, adversaries land on MFA platforms, resulting in a spike of MFA-related detections. Trellix saw hackers take advantage of MFA fatigue in 2022 and successfully breach networks by exhausting employees with push notifications.
  • LockBit 3.0 Most Aggressive with Ransom Demands: While no longer the most active ransomware group according to Trellix telemetry – Cuba and Hive ransomware families generated more detections in Q4 – the LockBit cybercriminal organization’s leak site reported the most victims. This data makes LockBit the most aggressive in pressuring its victims to comply with ransom demands. These cybercriminals use a variety of techniques to execute their campaigns, including exploiting vulnerabilities found as far back as 2018.

“As threat landscape complexity progresses, so will our research. Our mission will remain wholly focused on delivering actionable intelligence to our stakeholders to ensure they can protect what matters most,” commented Vibin Shaju, VP Solutions Engineering, EMEA at Trellix. “But organisations need to do their part too. To effectively defend against these evolving threats, regional enterprises need an adaptable and responsive defence strategy and strong cybersecurity governance that starts at the board of directors.”

The Threat Report: February 2023 includes proprietary data from Trellix’s sensor network, investigations into nation-state and cybercriminal activity by the Trellix Advanced Research Center, open and closed source intelligence, and threat actor leak sites. The report is based on telemetry related to the detection of threats when a file, URL, IP address, suspicious email, network behaviour or other indicator is detected and reported by the Trellix XDR platform.