editor ’ s question

The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat ( APT ) actors . It examines malicious cyberactivity including threats to email , the malicious use of legitimate third-party security tools , and more . Key findings include :

• US ransomware activity leads the pack : In the US alone , ransomware activity increased 100 % quarter over quarter in transportation and shipping . Globally , transportation was the second most active sector ( following telecom ). APTs were also detected in transportation more than in any other sector .

• Germany saw the highest detections : Not only did Germany generate the most threat detections related to APT actors in Q3 ( 29 % of observed activity ), but it also had the most ransomware detections . Ransomware detections rose 32 % in Germany in Q3 and generated 27 % of global activity .

• Emerging threat actors scaled : The China-linked threat actor , Mustang Panda , had the most detected threat indicators in Q3 , followed by Russian-linked APT29 and Pakistanlinked APT36 .

• Ransomware evolved : Phobos , a ransomware sold as a complete kit in the cybercriminal underground , has avoided public reports until now . It accounted for 10 % of global detected activity and was the second most used ransomware detected in the US . LockBit continued to be the most detected ransomware globally , generating 22 % of detections .

• Old vulnerabilities continued to prevail : Years-old vulnerabilities continue to be successful exploitation vectors . Trellix observed Microsoft Equation Editor vulnerabilities comprised by CVE- 2017-11882 , CVE-2018-0798 and CVE-2018-0802 to be the most exploited among malicious emails received by customers during Q3 .

• Malicious use of Cobalt Strike : Trellix saw Cobalt Strike used in

33 % of observed global ransomware activity and in 18 % of APT detections in Q3 . Cobalt Strike , a legitimate third-party tool created to emulate attack scenarios to improve security operations , is a favourite tool of attackers who repurpose its capabilities for malicious intent .

“ In 2022 , we [ saw ] unremitting activity out of Russia and other state-sponsored groups ,” said John Fokker , Head of Threat Intelligence , Trellix . “ This activity is compounded by a rise in politically motivated hacktivism and sustained ransomware attacks on healthcare and education . The need for increased inspection of cyberthreat actors and their methods has never been greater .”

The Threat Report : Fall 2022 leverages proprietary data from Trellix ’ s sensor network , investigations into nation-state and ransomware activity by the Trellix Advanced Research Center , and opensource intelligence . Telemetry related to detection of threats is used for this report . A detection is when a file , URL , IP-address , suspicious email , network behaviour , or other indicator is detected and reported via the Trellix XDR platform . www . intelligentciso . com

27