Apurva Venkat
Special Correspondent

Hackers changed tactics, went cross-platform in 2022, says Trend Micro

Mar 28, 2023 · 3 mins


Payouts from ransomware victims declined by 38% in 2022, prompting hackers to adopt more professional and corporate tactics to ensure higher returns, according to Trend Micro’s Annual Cybersecurity Report.

Many ransomware groups have structured their organizations to operate like legitimate businesses, including leveraging established networks and offering technical support to victims. Trend Micro said it sees an increasing level of professionalism from these groups and the adoption of more sophisticated business tactics.

“For instance, LockBit ransomware has been around for a couple of years now and we are seeing version 3.0 of it. They have started their bug bounty program,” said Vijendra Katiyar, country manager for India at Trend Micro.

Usually, bug bounty programs are run by companies that invite ethical hackers to identify vulnerabilities in their software and report them in return for a reward. “With ransomware groups, it becomes a platform for hackers or cybercriminals to show their talent and discover new malware to be deployed,” Katiyar said.

Shift to Rust to target Linux

Ransomware groups such as Agenda, BlackCat, Hive, and RansomExx have also developed versions of their ransomware in the programming language Rust. “This cross-platform language allows groups to customize malware for operating systems like Windows and Linux, which are widely used by businesses,” Trend Micro said.

This could be attributed to the fact that the focus of cybercriminals has shifted from Microsoft Windows to macOS and Linux after Microsoft blocked macros in Office documents. Using Rust makes it easier to target Linux and harder for antivirus engines to analyze and detect the malware, making it more appealing to threat actors. Katiyar said there has been a 6% increase in attacks on Linux and macOS.

Malicious alternatives to macros 

In late 2022, researchers also identified a list of popular brands and applications whose keywords were hijacked to display malicious ads — a case of malvertising. “For example, a Google search for ‘Adobe Reader’ will show an advertisement that leads to a malicious site,” Trend Micro said in its report.

Cybercriminals were abusing valid systems and tools more in 2022. Specifically, legitimate pen-testing tools Cobalt Strike and Brute Ratel were used in malicious attacks.

Microsoft’s move on macros also prompted a shift in terms of vulnerabilities. The researchers noted that there was a change in focus from exploiting common vulnerabilities and exposures (CVEs) in Microsoft products to exploiting Log4j CVEs.

Serverless cloud platforms continued to pose issues

Another trend the researchers noticed was that as cloud service providers offer more serverless platforms, cases of misconfiguration have increased. “Misconfiguration is a major issue in the cloud. We also observed that developers pay little attention to security, especially when using scripts from GitHub,” Katiyar said.

Serverless computing services are being used by businesses to oversee complex processes and to house information integral to business operations, including the handling and management of secrets and other sensitive data. Researchers observed that the default configurations of cloud services are not the best options from a security perspective. “Users should look to solutions involving hardening an operating system and see how the security steps should also be followed in the serverless world,” Trend Micro said in the report.
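To make the report's point about serverless defaults and secret handling concrete, here is an added example (not from the report or Trend Micro) of a small configuration check: it flags secrets embedded as plaintext environment variables and wildcard permission grants, and compares a weak function definition with a hardened one. The manifest shape, the `environment`/`permissions` keys and the sample values are all constructed assumptions, not any vendor's real format.

```python
import re

# Constructed sample: a function definition as a developer might copy it from a
# template, with a literal password in the environment and a wildcard grant.
WEAK_FUNCTION = {
    "name": "order-processor",
    "environment": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
    "permissions": [
        {"actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::orders-bucket/*"]},
        {"actions": ["*"], "resources": ["*"]},  # copied from a "works everywhere" template
    ],
}

# Constructed hardened counterpart: the secret is a reference into a secrets
# store (resolved at runtime), and every grant names specific actions/resources.
HARDENED_FUNCTION = {
    "name": "order-processor",
    "environment": {"DB_PASSWORD": "${ssm:/orders/db-password}", "LOG_LEVEL": "info"},
    "permissions": [
        {"actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::orders-bucket/*"]},
    ],
}

SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# Values that point at a secrets store rather than embedding the secret itself
SECRET_REF = re.compile(r"^(\$\{|arn:|ssm:|secretsmanager:)")

def find_plaintext_secrets(env):
    """Names of env vars that look like secrets but hold a literal value."""
    return sorted(k for k, v in env.items()
                  if SECRET_NAME.search(k) and not SECRET_REF.match(str(v)))

def find_wildcard_permissions(permissions):
    """Indices of permission statements granting '*' or 'service:*' actions, or '*' resources."""
    return [i for i, p in enumerate(permissions)
            if any(a == "*" or a.endswith(":*") for a in p.get("actions", []))
            or "*" in p.get("resources", [])]

def lint_function(fn):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    for name in find_plaintext_secrets(fn.get("environment", {})):
        findings.append(f"{fn['name']}: plaintext secret in environment variable {name}")
    for i in find_wildcard_permissions(fn.get("permissions", [])):
        findings.append(f"{fn['name']}: permission statement {i} uses a wildcard action or resource")
    return findings

if __name__ == "__main__":
    for label, fn in (("weak", WEAK_FUNCTION), ("hardened", HARDENED_FUNCTION)):
        print(label, lint_function(fn) or "no findings")
```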

Patching is also a major concern. Last year, Trend Micro sent 1,700 advisories on vulnerabilities. As more cloud services appear and companies make greater use of them, the risk of introducing new vulnerabilities rises.

“Compensatory controls like virtual patching should be taken advantage of if an organization cannot do patching immediately. This will ensure that applications that are not patched can at least be shielded,” Katiyar said.


Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.
