
THE THREAT REPORT
Summer 2022

Presented by Trellix Threat Labs


TABLE OF CONTENTS

3 LETTER FROM OUR LEAD SCIENTIST
5 EVOLUTION OF RUSSIAN CYBERCRIME
7 METHODOLOGY
7 RANSOMWARE STATISTICS: Q1 2022
11 CRITICAL FLAWS IN BUILDING ACCESS CONTROL SYSTEMS
13 PREVALENT THREAT STATISTICS: Q1 2022
14 CALL TO ACTION: CONNECTED HEALTHCARE CYBERSECURITY
15 LIVING OFF THE LAND: Q1 2022
17 NATION-STATE STATISTICS: Q1 2022
18 EMAIL SECURITY TRENDS: Q1 2022
20 THREATS TO COUNTRIES, CONTINENTS, SECTORS, AND VECTORS: Q1 2022
20 BUG REPORT
22 EPPS SCORE
23 WRITING AND RESEARCH
23 RESOURCES

2 The Threat Report, Summer 2022


The first quarter of 2022 in cybersecurity was more about evolution than revolution. The techniques and prevalence of ransomware attacks advanced while Russian cyberattacks continued a slow-building evolution fed by the continuing conflict in Ukraine. Our latest Trellix Threat Report includes our findings from Q1 2022 and other vital research including the evolution of Russian cybercrime, ransomware in the United States, and email security trends. We also share our team’s recent research into vulnerabilities found in building access control systems, and risks unique to connected healthcare.

LETTER FROM OUR LEAD SCIENTIST

Welcome to our latest threat report.

When we started the journey with Trellix, we knew merging two major backends would give us a tremendous cyberthreat perspective of what’s happening in the world. This edition includes a new category providing our readers more insights into what kind of threats are being observed from an email perspective.

We enjoyed seeing so many of you at RSA where we released and presented several pieces of our research ranging from an overview of attacks observed in the Ukraine to vulnerabilities we discovered in medical devices and building access control technology. This report highlights this research and other prevalent threats and attacks observed in the wild as well as our data and findings from the first quarter of 2022.


When we’re at Black Hat, DEFCON, RSA, and other conferences, we appreciate the kind words and feedback we receive for our threat report. Don’t be a stranger between conferences and always feel free to reach out to us on our socials if you have a suggestion or missed information.

Until next time, please check out our Trellix Threat Labs blog page featuring our latest threat content, videos, and research.

— Christiaan Beek
Lead Scientist
Twitter @ChristiaanBeek


THE EVOLUTION OF RUSSIAN CYBERCRIME

Per public attribution, Russian cybercriminal groups have always been active. Their tactics, techniques, and procedures (TTPs) have not significantly evolved over time, although some changes have been observed. Lately, the threat landscape has changed, as multiple domains have partially merged. This trend was already ongoing, but the increased digital activity further accelerated and exposed said trend.

Trellix has historically had a significant customer base in Ukraine and when the cyberattacks targeting the country intensified, we coordinated closely with government and industry partners to provide greater visibility into the evolving threat landscape. We have been eager to support the region against malicious cyber activity and have been able to go beyond sharing knowledge to also provide a wide range of security appliances at no cost in the affected region (our special thanks go out to our partners at Mandiant in getting some of the appliances deployed at those organizations who needed protection the most).

To support our customers and the people of Ukraine, Trellix Threat Labs coordinated with multiple government institutions to provide them with the necessary telemetry insights, intelligence briefings and analysis of the malware tools used by Russian actors. A large portion of Trellix’s efforts were performed in discretion as protection of our customers is our highest priority. In coordination with RSA, our Trellix Threat Labs team released our research (Growling Bears Make Thunderous Noise) on the Russian cybercriminal evolutions over time, the impact of a (cyber) war, and observed organization and activity.

Figure 1: Initial attack techniques used by observed groups


The report includes detailed research not only on the impact of post-Russian invasion cyberwar, but also on many cyber groups and campaigns associated with the conflict:

• Phishing the Ukrainian Ministry of Defense
• Gamaredon
• Wipers
• Targeted exchange servers
• UAC-0056
• APT28
• DoubleDrop

Read more on the evolution of Russian cybercrime in the full report.

METHODOLOGY

Trellix’s backend systems provide telemetry that we use as input for our quarterly threat reports. We combine our telemetry with open-source intelligence around threats and our own investigations into prevalent threats like ransomware, nation-state activity, etc.

When we talk about telemetry, we talk about detections, not infections. A detection is recorded when a file, URL, IP address or other indicator is detected by one of our products and reported back to us.

Privacy of our customers is key. It is also important when it comes down to telemetry and mapping that out to the sectors and countries of our customers. The client base per country differs, and the numbers can show increases that we have to look deeper into the data to explain. An example: the Telecom sector often scores high in our data. It doesn’t necessarily mean this sector is highly targeted. The Telecom sector also contains ISPs that own IP-address spaces that can be bought by companies. What does that mean? Submissions from the IP-address space of the ISP show up as Telecom detections but could be from ISP clients operating in a different sector.
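The two caveats above (detections are not infections, and ISP-owned address space inflates the Telecom bucket) as an added example, not Trellix code: the netblocks, detection records, the `is_isp` flag and the "Unattributed (ISP address space)" bucket are all constructed assumptions used to show how a naive IP-to-sector join differs from one that sets ISP-hosted sources aside.

```python
"""Attribute product detections to customer sectors, with the ISP caveat made explicit.

Added example (not Trellix code). Netblocks, sector labels and detection
records are constructed sample data; the is_isp flag and the
'Unattributed (ISP address space)' bucket are assumptions introduced here.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed registry: (netblock, owner, sector, owner is an ISP that resells address space).
NETBLOCKS = [
    (ip_network("203.0.113.0/24"), "ExampleBank", "Finance", False),
    (ip_network("198.51.100.0/24"), "ExampleISP", "Telecom", True),
    (ip_network("192.0.2.0/24"), "ExampleCarrier", "Telecom", False),
]

# Constructed detection records: (reporting source IP, detected indicator).
# The same host reporting the same indicator twice is two detections, not two infections.
DETECTIONS = [
    ("203.0.113.10", "sha256:aaaa"),
    ("198.51.100.7", "sha256:bbbb"),
    ("198.51.100.9", "url:hxxp://example.invalid/login"),
    ("198.51.100.9", "url:hxxp://example.invalid/login"),  # repeat from the same client
    ("192.0.2.44", "sha256:cccc"),
    ("10.0.0.5", "sha256:dddd"),                             # not in any known netblock
]


def lookup(ip):
    """Return (owner, sector, is_isp) for the netblock containing ip, or None."""
    addr = ip_address(ip)
    for net, owner, sector, is_isp in NETBLOCKS:
        if addr in net:
            return owner, sector, is_isp
    return None


def attribute(detections):
    """Count detections per sector two ways.

    'naive' is a plain IP-to-sector join: every submission from the ISP's
    address space lands in Telecom, which is the inflation the report describes.
    'attributable' moves ISP-hosted sources into a separate bucket so the
    Telecom figure only reflects organisations known to operate in that sector.
    """
    naive, attributable = Counter(), Counter()
    for ip, _indicator in detections:
        entry = lookup(ip)
        if entry is None:
            naive["Unknown"] += 1
            attributable["Unknown"] += 1
            continue
        _owner, sector, is_isp = entry
        naive[sector] += 1
        attributable["Unattributed (ISP address space)" if is_isp else sector] += 1
    return naive, attributable


def detections_vs_hosts(detections):
    """Return (total detections, distinct reporting hosts) to keep the two apart."""
    return len(detections), len({ip for ip, _ in detections})


if __name__ == "__main__":
    naive, attributable = attribute(DETECTIONS)
    print("naive:", dict(naive))
    print("attributable:", dict(attributable))
    print("detections vs hosts:", detections_vs_hosts(DETECTIONS))
```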


U.S. RANSOMWARE: Q1 2022

In the beginning of 2022, we were optimistic when news came out that the Russian FSB had arrested several members of the REvil ransomware gang in Russia. Based on our analysis these affiliates played a minor role within the crime group; nevertheless, we were hopeful that this fragile hint of cooperation would lead to more arrests in Russia.

With the Russian invasion of Ukraine at the end of January 2022, we now know that this was wishful thinking. The war became a catalyst for cybercriminals to split up. Historically, politics were often set aside by cybercriminals, and we suspected we might see RU and UA ransomware criminals working together for financial gain.

The choosing of sides became most evident with the Conti ransomware gang when they publicly expressed their support for the Russian administration and its actions.

Figure 2: Conti expressing their support to the Russian administration

This public statement did not go unnoticed and within a few days an anonymous researcher using the Twitter handle @contileaks began publishing Conti’s internal communications online. The chats spanned several years and consisted of thousands of messages; we dubbed this the “Panama Papers of Ransomware.”

Trellix has examined the leaked chats extensively and published a very extensive blog that is well worth the read. Highlights we found in the chats included their public statement supporting the Russian administration and a possible close relationship between the Conti leadership and the Russian intelligence services. These ties support the findings from the report “In the Crosshairs: Organizations and Nation-State Cyber Threats” which we published earlier this year in collaboration with CSIS. One of the key findings of the report was that the line between state and non-state actors continues to blur.


Initially we expected this communication breach to have a severe impact on the ransomware gang’s operation. However, it seemed that they were doubling down and continued their attacks, to the point that they brought a complete nation, Costa Rica, to a state of emergency. At the end of Q2 2022, we observed Conti-related infrastructure being dismantled. However, this isn’t exactly a reason to celebrate. Given the fact that no senior members of this crime group have been arrested, and their connections to the Russian intelligence agencies, we should consider that we might be witnessing the formation of a hybrid group, one that can attack targets chosen by the government while maintaining the plausible deniability of a crime group after financial gain. The ransomware might have a dual purpose, on the one hand being disruptive in nature and on the other hand serving as a distraction for a data exfiltration operation.

Therefore, we highly urge every organization to take close note of ransomware TTPs, especially if you have already determined RU state-sponsored groups to be your most likely threat.

Innovation-wise, we are observing more ransomware groups building lockers targeting ESXi systems, seemingly realizing virtualization services play an important role in an organization. This trend has been ongoing for quite some time, but with varied success, leading to corrupted VMs due to faulty lockers and/or decryptors.

Is it all bad news? Not necessarily. The Q1 2022 statistics from ransomware incident-response company Coveware do show a strong decline in the number of cases in which victims were forced to pay the ransom to the attackers. This gives us hope, because not paying is still the best way to disrupt the criminal business model.

U.S. RANSOMWARE SECTORS Q1 2022

Business Services accounted for 64% of total ransomware detections among the top 10 sectors in the United States in Q1 2022. Non-profits ranked a distant second among ransomware detections.


TOOLS USED IN U.S. RANSOMWARE CAMPAIGNS Q1 2022

Cobalt Strike was the malware tool used in 32% of top-10 U.S. ransomware queries in Q1 2022, reaching a prevalence equal to the next-most prevalent RCLONE (12%), BloodHound (10%), and Bazar Loader (10%) combined.

U.S. RANSOMWARE FAMILIES Q1 2022

Lockbit was the most prevalent of ransomware families, used in 26% of top-10 queries in the U.S. in Q1 2022, ahead of Conti (13%), BlackCat (11%), and Ryuk (10%).

MOST DETECTED U.S. RANSOMWARE CAMPAIGNS Q1 2022

1. Connecting Vatet, PyXie, and Defray 777: 17%
2. Ryuk: 14%
3. Lockbit: 13%
4. Agrius launching disruptive attacks on Israeli targets: 9%
5. Conti: 8%

MOST DETECTED U.S. RANSOMWARE MITRE ATT&CK PATTERNS Q1 2022

1. Data Encrypted for Impact 14%
2. File and Directory Discovery 12%
3. Process Discovery 11%
4. System Information Discovery 10%
5. PowerShell 10%

TOOLS USED IN U.S. RANSOMWARE CAMPAIGNS Q1 2022

1. Cmd 14%
2. Mimikatz 14%
3. PsExec 13%
4. AdFind 11%
5. Ping.exe 11%


GLOBAL RANSOMWARE: Q1 2022

MOST REPORTED RANSOMWARE GLOBAL CUSTOMER SECTORS Q1 2022

Telecom led the global customer sector ransomware category with 53% of detections among top-10 sectors for the second consecutive quarter. The top five sectors were Telecom, Business Services, Media & Communications, Finance, and Transportation & Shipping.

RANSOMWARE FAMILY DETECTIONS Q4 2021 TO Q1 2022

Ransomware family detections were down in Q1 of 2022. Lockbit accounted for 20% of top-10 ransomware tool queries, followed by Conti (17%), and Cuba (14%) in Q4 of 2021. However, queries of all three Q4 category prevalence leaders – Lockbit (-44%), Conti (-37%), and Cuba (-55%) – decreased in Q1 of 2022 when compared to Q4 of 2021.

MOST REPORTED RANSOMWARE MITRE ATT&CK TECHNIQUES Q1 2022

1. Data Encrypted for Impact
2. File and Directory Discovery
3. PowerShell
4. Process Discovery
5. System Information Discovery

MALWARE USED IN GLOBAL RANSOMWARE CAMPAIGNS IN Q1 2022 (QUERIES)

1. Cobalt Strike 30%
2. Bazar Loader 15%
3. RCLONE 10%
4. BloodHound 9%
5. TrickBot 7%


TRELLIX RESEARCHERS UNCOVER CRITICAL FLAWS IN BUILDING ACCESS CONTROL SYSTEM

Critical infrastructure continues to represent one of the most enticing targets for criminals worldwide. This industry is plagued by legacy systems and riddled with trivial hardware and software flaws, configuration issues, and exceptionally sluggish update cycles. Yet behind this façade are many of the most essential systems we rely on, from fuel pipelines to water treatment, energy grids to building automation, defense systems and much more.

One often-overlooked area of industrial control systems is access control, part of the building automation framework. Access control systems are commonplace, de facto solutions which provide automation and remote management for card readers and entry/exit points to secure locations.

According to a study done by IBM in 2021, the average cost of a physical security compromise is 3.54 million dollars and it takes an average of 223 days to identify a breach. The stakes are high for organizations that rely on access control systems to ensure the security and safety of facilities.

Trellix Labs recently unveiled breaking research into one such system, a ubiquitous access control panel by HID Mercury. Numerous OEM vendors rely on Mercury boards and firmware to implement their access control solutions. Our team shared our findings at Hardwear.io in Santa Clara on June 9, 2022 and will be featured at BlackHat this summer as well. Their findings highlighted four zero-day vulnerabilities and four previously patched vulnerabilities, never published as CVEs, with the top two leading to remote code execution and arbitrary reboot, completely unauthenticated. This means attackers on a building network could remotely lock and unlock doors, and avoid detection via the management software.

The researchers prepared a blog highlighting the findings and will release a multi-part technical deep dive coinciding with BlackHat. Furthermore, they filmed a demonstration video of the attack, using two of the vulnerabilities to compromise a production cloned access control system in their lab.

Watch Our Demonstration Video


Vulnerability Findings

CVE | Detail Summary | Mercury Firmware Version | CVSS Score
CVE-2022-31479 | Unauthenticated command injection | <=1.291 | Base 9.0, Overall 8.1
CVE-2022-31480 | Unauthenticated denial-of-service | <=1.291 | Base 7.5, Overall 6.7
CVE-2022-31481 | Unauthenticated remote code execution | <=1.291 | Base 10.0, Overall 9.0
CVE-2022-31486 | Authenticated command injection | <=1.291 (no patch) | Base 8.8, Overall 8.2
CVE-2022-31482 | Unauthenticated denial-of-service | <=1.265 | Base 7.5, Overall 6.7
CVE-2022-31483 | Authenticated arbitrary file write | <=1.265 | Base 9.1, Overall 8.2
CVE-2022-31484 | Unauthenticated user modification | <=1.265 | Base 7.5, Overall 6.7
CVE-2022-31485 | Unauthenticated information spoofing | <=1.265 | Base 5.3, Overall 4.8

Table 1: CVE Filings for Mercury Access Control Vulnerabilities

Security Updates

Carrier has released a new advisory on its product security page with specifics of the flaws and recommended mitigations and firmware updates. Applying vendor patches should be the first course of action, whenever possible.


PREVALENT THREAT STATISTICS

Our team tracked threat categories in the first quarter of 2022. The research reflects percentages of detections in the type of prevalent malware families observed, associated client countries, enterprise customer sectors, and MITRE ATT&CK techniques.

MALWARE FAMILIES Q1 2022

Phorpiex was the most prevalent tool malware family queried in Q1 of 2022, at 23%. The top families were Phorpiex, Electron Bot, RedLine Stealer, Agent Tesla, and Remcos RAT.

MALWARE CLIENT COUNTRY DETECTIONS Q1 2022 (Q4 vs. Q1)

Germany, Israel, United States, India, United Kingdom, Turkey

MOST REPORTED MITRE ATT&CK TECHNIQUES Q1 2022

1. Ingress Tool Transfer
2. Obfuscated Files or Information
3. Web Protocols
4. Deobfuscate/Decode Files or Information
5. Modify Registry

MALWARE SECTORS DETECTIONS Q1 2022

Telecom
Business Services
Media & Communications
Finance
Transportation & Shipping


CALL TO ACTION: CONNECTED HEALTHCARE CYBERSECURITY

The medical industry is at unique risk of attack due to the numerous purpose-built devices used, such as anesthesia machines, IV pumps, point of care systems, MRI machines, and numerous others. Many of these devices are not found in other industries nor the average household. Their lack of ubiquity creates a false sense of security and reduced scrutiny from the security research industry.

Medical devices and software are falling short in fundamental security practices such as handling credentials and are rife with RCE vulnerabilities. This is enticing to cybercriminals and we must be on our guard to prevent further attacks as it won’t be an ignored attack surface forever. All stakeholders must acknowledge that the large selection of authentication vulnerabilities indicates the medical space needs more research, both internally and externally, to harden these devices. It’s not simply management systems and other web-based applications we need to focus on; any network-connected medical device needs to be assessed. Currently it doesn’t appear that these devices are being targeted by malicious actors, but this doesn’t mean we can relax. There have been plenty of RCE vulnerabilities to choose from and public exploit code for re-use. While attackers are using other methods to attack hospitals and clinics, they will search for easier access when those methods run dry. Society as a whole cannot allow medical devices and software to continue to be a weak point for attackers to exploit and therefore should encourage both internal and external security testing across developers and researchers alike.

You can read the details of our research in our recent Connected Healthcare: A Cybersecurity Battlefield We Must Win blog. Using public data such as CVE databases we analyzed the current state of the attack surface in the medical space and evaluated active threats and the distribution of discovered vulnerabilities. We believe that more partnerships between medical device vendors, medical care facilities and security researchers, in conjunction with increased security testing, are warranted to prevent a growing attack surface from becoming even more attractive to malicious actors.


LIVING OFF THE LAND

We track threat actors, tactics, techniques and procedures as well as the malware being used. We have also identified and reported quarterly on non-malicious and often necessary default binaries that can be, and often are, abused to conduct various phases of an attack. While it remains necessary to know the custom and commodity malware, as well as the living-off-the-land TTPs, to defend against, it is also necessary to know the enemy and identify objectives. Diving a little deeper into the LoLBins, the question remains: who is using our own tools against us and why? Do they not have the ability to write custom malware that may accomplish the objective at hand? Or is it simply a tool of convenience and an attempt to stay unseen? After all, threat actors are often employed much like everyone else: they have meetings with their overlords, they have daily, quarterly, and yearly goals, work on sprints and earn a paycheck.

If we are going to honor our mission “To Deliver Living Security Everywhere” we must equip ourselves, our customers and our colleagues who are in the day-to-day fight to protect our critical information, infrastructures, and assets from those who seek to profit from the exploitation of vulnerabilities and theft of intellectual and organizational data.

What binaries have we seen being abused and who have we identified abusing them in Q1 2022?

WINDOWS BINARIES Q1 2022

1. Windows Command Shell/CMD 41.90%
2. PowerShell 37.14%
3. WMI/WMIC 21.43%
4. Schtasks 19.05%
5. Rundll32 14.29%

ADMINISTRATIVE TOOLS Q1 2022

1. Remote Access Tools 20.48%
2. File Transfer 6.19%
3. Network Discovery 6.19%
4. Archive Utilities 5.71%
5. Remote Program Execution 4.29%


THREAT ACTORS ABUSING WINDOWS BINARIES AND ADMINISTRATIVE TOOLS Q1 2022

Throughout events in Q1 of 2022, our analysis attributed the following threat groups as the top abusers of legitimate Windows binaries and administrative tools:

1. APT41 39%
2. Gamaredon Group 39%
3. APT35 33%
4. Winnti Group 33%
5. MuddyWater 24%

RANSOMWARE ABUSING WINDOWS BINARIES AND ADMINISTRATIVE TOOLS Q1 2022

Additionally, through our tracking and analysis, we identified the following ransomware families that abused legitimate Windows binaries and administrative tools prior to deployment of a ransomware payload:

1. BlackCat 29.63%
2. LockBit 16.67%
3. Midas 16.67%
4. BlackByte 14.81%
5. Hermetic Ransom 14.81%
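A defender-side illustration of the living-off-the-land problem described in this section, added here and not part of the report or Trellix's detection content: it scores process-creation events against the five Windows binaries ranked above (cmd, PowerShell, WMI/WMIC, schtasks, rundll32), treating a bare execution as unremarkable and raising the score only when the parent process or command line adds context. The event layout, parent list and argument patterns are assumptions; the log lines are constructed.

```python
"""Score process-creation events for living-off-the-land (LoLBin) abuse.

Added example, not Trellix detection logic. The simplified
'host|parent|image|cmdline' event layout, the parent list and the argument
heuristics are assumptions; SAMPLE_LOG is constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# The five Windows binaries ranked in the report's Q1 2022 LoLBin statistics.
LOLBINS = {"cmd.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "rundll32.exe"}

# Document viewers and mail clients rarely have a legitimate reason to spawn a shell.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Command-line heuristics that deserve a second look; tune per environment.
ARG_PATTERNS = [
    ("encoded-powershell", re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("download-cradle", re.compile(r"(downloadstring|invoke-webrequest|bitsadmin)", re.I)),
    ("wmic-process-create", re.compile(r"process\s+call\s+create", re.I)),
    ("schtasks-create", re.compile(r"/create\b", re.I)),
    ("rundll32-script", re.compile(r"rundll32.*(javascript:|vbscript:)", re.I)),
]


@dataclass
class ProcessEvent:
    host: str
    parent: str
    image: str
    cmdline: str


def parse_event(line):
    """Parse one constructed 'host|parent|image|cmdline' line."""
    host, parent, image, cmdline = line.split("|", 3)
    return ProcessEvent(host, parent.lower(), image.lower(), cmdline)


def score(event):
    """Return (score, reasons); 0 means nothing notable.

    A LoLBin alone scores 1, which is below the triage threshold: these are
    legitimate administrative tools. A suspicious parent or argument pattern
    adds a point each, so context rather than the binary drives the alert.
    """
    reasons = []
    if event.image in LOLBINS:
        reasons.append(f"lolbin:{event.image}")
        if event.parent in DOCUMENT_PARENTS:
            reasons.append(f"document-parent:{event.parent}")
        for name, pattern in ARG_PATTERNS:
            if pattern.search(event.cmdline):
                reasons.append(name)
    return len(reasons), reasons


# Constructed sample events (not real telemetry).
SAMPLE_LOG = r"""
ws01|explorer.exe|notepad.exe|notepad.exe C:\Users\a\notes.txt
ws01|winword.exe|cmd.exe|cmd.exe /c powershell -nop -w hidden -enc QUJDRA==
ws02|cmd.exe|wmic.exe|wmic process call create "notepad.exe"
srv01|services.exe|schtasks.exe|schtasks /create /tn Updater /tr C:\Temp\u.bat /sc minute
ws03|svchost.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
""".strip()


def triage(log_text, threshold=2):
    """Return (score, host, image, reasons) for events at or above threshold, highest first."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        total, reasons = score(event)
        if total >= threshold:
            hits.append((total, event.host, event.image, reasons))
    return sorted(hits, key=lambda hit: -hit[0])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```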
NATION-STATE STATISTICS: Q1 2022

Our team tracks and monitors nation-state campaigns and associated indicators and techniques. Our research reflects threat actors, tools, client countries, customer sectors, and MITRE ATT&CK techniques from Q1 of 2022. All of the data around these events, including indicators, YARA rules, and detection logic, are available in Insights.

TOP 5 MOST ACTIVE APT GROUPS Q1 2022

APT36 was the most active APT group, accounting for 15% of the detections in Q1 of 2022.

APT36
APT27
APT29
APT28
IndigoZebra


NATION-STATE CLIENT COUNTRIES Q1 2022 (Q4 vs. Q1)

Nation-state activity in Turkey accounted for 31% of top-10 detections among client countries in Q1 2022, followed by Israel (18%), United Kingdom (11%), Mexico (10%), and the United States (8%).

MOST REPORTED NATION-STATE MITRE ATT&CK PATTERNS Q1 2022

1. Obfuscated Files or Information
2. Deobfuscate/Decode Files or Information
3. Spearphishing Attachment
4. System Information Discovery
5. Web Protocols

NATION-STATE SECTORS Q1 2022

Telecom
Business Services
Media & Communications
Finance
Transportation & Shipping

MALWARE USED IN NATION-STATE CAMPAIGNS Q1 2022

Cobalt Strike ranked highest (22%) among top-10 malware used in Q1 2022 APT campaigns.

1. Cobalt Strike 22%
2. njRAT 10%
3. PlugX 10%
4. PoisonIvy 8%
5. Crimson RAT 8%


EMAIL SECURITY TRENDS: Q1 2022

Email telemetry analysis from the first quarter of 2022 revealed phishing URL and malicious document trends in email security.

Most of the malicious emails detected contained a phishing URL used to either steal credentials or lure the victims into downloading malware. Next in popularity we identified emails with malicious documents such as Microsoft Office files or PDFs attached. These documents contain macros that work as downloaders, or exploits that result in the attacker gaining control of the victim system. Lastly, we encountered several emails with malicious executables like infostealers or trojans attached.

Exploits

When we focus on the exploits used, we realize that most of them come packed as malicious RTF files, MS Office documents with weaponized OLE objects, or PDFs infected with Adobe Reader exploits or malicious JS scripts. In the following figure we can see that the top three file formats are Windows RTF, followed by the latest Office format, and finally the legacy OLE Office formats.

RTF 50.76%
  CVE-2017-11882 15.7%
  CVE-2012-0158 12.84%
  CVE-2017-0199 11.94%
  CVE-2014-1761 5.8%
  CVE-2017-8759 4.41%

OFFICE 31.25%
  CVE-2017-11882 23.84%
  CVE-2017-0199 3.05%
  CVE-2017-8570 1.7%

OLE 17.99%
  CVE-2017-11882 12.74%
  CVE-2012-0158 4.16%
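Since RTF files carrying weaponized OLE objects top the exploit figure above, here is an added triage example (not Trellix tooling) for mail-gateway or sandbox pre-filtering: it extracts each `{\object ...}` group from an RTF body, decodes the hex payload in `\objdata`, and flags objects that declare no class, request a refresh on open via `\objupdate`, or embed an OLE compound file. The two RTF bodies are constructed samples, not real malware, and the decision rule is a heuristic assumption, not a verdict.

```python
"""Triage RTF attachments for embedded OLE objects.

Added example, not Trellix tooling. The RTF bodies below are constructed
samples and the is_suspicious() rule is an assumed heuristic for triage.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header


@dataclass
class RtfObject:
    objclass: Optional[str]
    update_on_open: bool
    payload: bytes
    flags: List[str] = field(default_factory=list)


def _extract_groups(text, keyword):
    """Yield each balanced {\\keyword ...} group; RTF groups nest, so count braces."""
    for match in re.finditer(r"\{\\" + keyword + r"\b", text):
        depth, i = 0, match.start()
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield text[match.start():i + 1]
                    break
            i += 1


def _objdata_bytes(group):
    """Decode the hex run after \\objdata, dropping control words, braces and whitespace."""
    match = re.search(r"\\objdata\b(.*)", group, re.S)
    if not match:
        return b""
    body = match.group(1).split("{\\result")[0]      # ignore the optional preview picture
    hexrun = re.sub(r"\\\*|\\[a-z]+-?\d*|[{}\s]", "", body)
    hexrun = hexrun[: len(hexrun) // 2 * 2]           # tolerate a dangling nibble
    try:
        return bytes.fromhex(hexrun)
    except ValueError:
        return b""


def scan_rtf(text):
    """Return one RtfObject per embedded object, with triage flags attached."""
    results = []
    for group in _extract_groups(text, "object"):
        cls = re.search(r"\\objclass\s*([^\\{}]+)", group)
        obj = RtfObject(
            objclass=cls.group(1).strip() if cls else None,
            update_on_open=bool(re.search(r"\\objupdate\b", group)),
            payload=_objdata_bytes(group),
        )
        if obj.update_on_open:
            obj.flags.append("objupdate")             # object is refreshed when the file opens
        if obj.objclass is None:
            obj.flags.append("no-objclass")           # class not declared to the reader
        if OLE_MAGIC in obj.payload:
            obj.flags.append("ole-compound-payload")  # embedded compound file present
        results.append(obj)
    return results


def is_suspicious(objects):
    """Assumed triage rule: auto-update or an undeclared class, combined with OLE data."""
    return any({"objupdate", "no-objclass"} & set(o.flags) and "ole-compound-payload" in o.flags
               for o in objects)


# Constructed OLE1 object header declaring the class "Excel.Sheet.8", then a compound-file stub.
OLE1_HEADER_EXCEL = ("0105000002000000"                      # OLE1 version + embedded format id
                     "0e000000457863656c2e53686565742e3800"  # length + "Excel.Sheet.8\0"
                     "0000000000000000")                     # empty topic/item names
EMBEDDED_CFB = "10000000" + OLE_MAGIC.hex() + "00000000"     # data length + header stub

# Benign-looking embedded spreadsheet: class declared, no auto-update, preview picture attached.
BENIGN_RTF = (r"{\rtf1\ansi{\object\objemb\objw1440\objh1440{\*\objclass Excel.Sheet.8}"
              r"{\*\objdata " + OLE1_HEADER_EXCEL + EMBEDDED_CFB
              + r"}{\result{\pict\wmetafile8 0102}}}}")

# Constructed suspicious shape: auto-updating link, no class declared, OLE data inside.
SUSPICIOUS_RTF = (r"{\rtf1\ansi{\object\objautlink\objupdate\objw1\objh1{\*\objdata "
                  + "0105000002000000000000000000000000000000" + EMBEDDED_CFB + r"}}}")


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        objs = scan_rtf(body)
        print(name, [(o.objclass, o.flags) for o in objs], is_suspicious(objs))
```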


THREATS TO COUNTRIES, CONTINENTS, SECTORS,
AND VECTORS: Q1 2022

Notable country and continent increases of open-sourced publicly
reported incidents in the first quarter of 2022 include:

490%: Russia recorded the highest increase of incidents reported from
Q4 2021 to Q1 2022.

35%: The United States experienced the most reported incidents
in Q1 2022.

ATTACK VECTORS Q1 2022 (as listed in the original figure)

Malware
Unknown
Account Takeover
Targeted Takeover
Vulnerability

ATTACK SECTORS Q1 2022 (as listed in the original figure)

Multiple Industries
Healthcare
Public
Individuals
Financial


BUG REPORT

If Bugs were a Band, Here’s Their Greatest Hits

Any music nerd worth their salt will tell you digging into a new artist
is best done not by Googling their hit singles, but by digesting them
album by album, each release promising to bring something novel,
worthwhile, and self-contained. For the rockstars at Trellix Threat
Labs, this might mean tuning in to our monthly Bug Report, where we
highlight the most impactful vulnerabilities each month based on
qualitative analysis and decades of collective industry experience, not
just CVSS scores. We realize, however, that not everyone has the time
to sit down with a nice drink, put on their coziest bathrobe, and listen
to an entire discography. For those wishing to dip their toes, consider
this the Bug Report’s Greatest Hits of 2022. And if you like what you
hear, be sure to check out our other work; we treat our groupies right.
Q1 2022
Crème de la Crème

Truthfully, the bugs that make the cut each month are already
standouts in their own right among the dozens competing for the
ever-scarce attention span of Twitter, so selecting a handful of
winners from these is no small feat. Our greatest tool in this endeavor
is the benefit of hindsight. In other words, we want to pick out the
classics from the one-hit wonders: which vulns have demonstrated
an impact, or we anticipate will demonstrate an impact, well beyond
their respective months of infamy?
EPPS SCORE
The first that comes to mind is CVE-2022-0847, AKA “Dirty Pipe.”
Although perhaps not as sexy as some 9.8 RCEs, this Linux kernel bug
went beyond a simple escalation of privilege: it let an unprivileged
local user overwrite data in arbitrary read-only files, a concerning
state of affairs for an environment where everything is a file. The
nail in the coffin, however, is that unless you’re a masochist running
a bleeding-edge distro like Arch, kernel updates are not standard fare
for devices running Linux, meaning vulnerable devices are likely to
stay that way for a good while. Add the incredibly simple PoC and
evidence of in-the-wild exploitation to the mix, and you’ve got a bug
that’s guaranteed to go double platinum.



Another standout comes to us courtesy of our April issue, and not
just because I happened to author that one: CVE-2022-22965 AKA
“Spring4Shell.” In case the name didn’t give it away, the InfoSec
community immediately saw its similarities to 2021’s biggest vuln
(likely in part due to collective PTSD) and the moniker, while clunky,
stuck. Instead of targeting a popular open-source Java logging
library, however, this one targeted a popular open-source Java
framework known as Spring. Like a cash-grab sequel to a popular
movie with no ideas of its own, Spring4Shell also went through a
life cycle of less-than-perfect patches and also saw in-the-wild
exploitation within 48 hours of public disclosure. If nothing else, this
further solidifies Log4Shell’s importance, as its cheap knockoff is a
strong contender for top vuln of 2022 thus far.

PREVALENT THREAT
Hidden Gems

Although a Greatest Hits album can serve as an efficient highlight reel
for an artist, it is inevitable that some hidden gems will slip through
the cracks. For Microsoft, one such surprise hit was CVE-2022-30190
AKA “Follina,” an RCE-capable (with minimal user interaction) bug in
the Microsoft Support Diagnostic Tool (MSDT). If you want to lose any
remaining faith in humanity, we highly advise you take a look at the
disclosure timeline for this bug. The issue, albeit utilizing a different
attack vector, was disclosed to Microsoft several times as early as
March, and Microsoft was provided with evidence of in-the-wild
exploitation as early as April, only for Microsoft to dismiss it outright
or silently patch the highlighted attack vector and not the root cause
each time. It wasn’t until May 30th that Microsoft finally issued a CVE
and mitigation advisory for the core MSDT bug, resulting in it being
left out of our May Bug Report.

CVE-2022-22954 and CVE-2022-22960, on the other hand, slipped
through the cracks as a result of us misjudging their severity, resulting
in them not making the cut for our April Bug Report although they
probably should have. While the former is a true RCE and the latter is a
privilege escalation vulnerability, we mention them together because
they both affect a sizable fraction of VMware’s suite of widely used
enterprise software. Additionally, these two vulns have been utilized,
sometimes in combination, in numerous exploitation campaigns
conducted by APT groups, according to a recent CISA advisory. Once
IOCs had come in from multiple large corporations, federal agencies
were mandated to either patch or take offline all impacted software by
May 5th, less than a month from the vulnerabilities’ public disclosure.
Unfortunately, this is where the musician analogy completely falls
apart, as I’m going to have to agree with the feds on this one.



Zooming Out

With the benefit of hindsight, what’s the lesson learned, both for
us and our groupies, er, readers? Well, I think the biggest blind spot
demonstrated in our evaluation of the severity of these vulnerabilities
was attempting to judge them in a vacuum based largely on the
technical merit of the vulnerability alone. In actuality, the deciding
factors for which vulnerabilities proved most impactful in 2022 were
their utilization in campaigns and the ubiquity of the platforms
they affected. This does, however, grant us further confidence in
our approach of looking beyond the CVSS score, as this contextual
insight is often poorly represented in a numerical score alone.
CONTROL SYSTEMS
EPSS SCORE

With the number of released CVEs and the suggested updates and
patches, it is hard to determine which ones to prioritize. Within Trellix
we have embraced the Exploit Prediction Scoring System (EPSS). The
question this model answers is: what is the likelihood that a given
vulnerability will be exploited? Several features from vulnerability data
and telemetry are fed into a model that then calculates a score for
that CVE. The output is a probability between 0 and 1 (0 to 100%).
The higher the score, the greater the probability that the vulnerability
will be exploited. For the first quarter of 2022, the following CVEs
ranked in our top 10:

CVE-2022-0543
CVE-2022-24734
CVE-2022-0441
CVE-2022-21371
CVE-2022-21907
CVE-2022-24112
CVE-2022-20699
CVE-2022-0824
CVE-2021-22947
CVE-2022-24862
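
A probability is only useful once it changes what gets patched first. The
following is an added example, not Trellix’s model or tooling, of turning
EPSS output into a patch order: findings are split into an urgent tier
(EPSS above a floor, or a severe CVSS score on an exposed asset) and then
ordered by EPSS with CVSS as the tie-breaker, and the exploitation
probability left over after patching the top N is computed as
1 - Π(1 - p). The tier rule and the treatment of CVEs as independent events
are this example’s own assumptions, and the EPSS/CVSS/exposure values
attached to the ten identifiers above are constructed placeholders, not
their real scores.

```python
"""Turning EPSS probabilities into a patch order.

Added example, not Trellix's model or tooling. EPSS assigns each CVE the
probability (0..1) of in-the-wild exploitation within the next 30 days; the
scores attached to the CVEs below are CONSTRUCTED placeholders, not the real
EPSS or CVSS values for those identifiers.
"""
from dataclasses import dataclass
from math import prod
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    cve: str
    epss: float    # EPSS probability of exploitation, 0..1
    cvss: float    # CVSS base score, 0..10
    exposed: bool  # asset reachable from an untrusted network?


def is_urgent(f: Finding, epss_floor: float = 0.10, cvss_floor: float = 7.0) -> bool:
    """Tier rule (this example's assumption): anything EPSS already predicts
    is likely to be exploited, or anything severe sitting on an exposed asset."""
    return f.epss >= epss_floor or (f.exposed and f.cvss >= cvss_floor)


def prioritise(findings: Iterable[Finding], **floors) -> List[Finding]:
    """Urgent tier first, then by EPSS descending, CVSS as tie-breaker."""
    return sorted(findings,
                  key=lambda f: (0 if is_urgent(f, **floors) else 1, -f.epss, -f.cvss))


def by_cvss_only(findings: Iterable[Finding]) -> List[Finding]:
    """The ordering a CVSS-driven process would produce, for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


def aggregate_risk(probabilities: Iterable[float]) -> float:
    """P(at least one is exploited in the window), treating CVEs as independent
    events (an approximation: shared exploit kits make them correlated)."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def residual_risk(findings: Iterable[Finding], patch_budget: int, **floors) -> float:
    """Exploitation probability left over after patching the top N findings."""
    ordered = prioritise(findings, **floors)
    return aggregate_risk(f.epss for f in ordered[patch_budget:])


# Constructed sample built on the Q1 2022 top-10 identifiers from the report;
# the epss/cvss/exposed values are made up for the demonstration.
SAMPLE = [
    Finding("CVE-2022-0543", 0.95, 9.8, True),
    Finding("CVE-2022-24734", 0.05, 8.8, False),
    Finding("CVE-2022-0441", 0.02, 9.8, False),
    Finding("CVE-2022-21371", 0.30, 7.5, True),
    Finding("CVE-2022-21907", 0.80, 9.8, True),
    Finding("CVE-2022-24112", 0.60, 9.8, False),
    Finding("CVE-2022-20699", 0.15, 9.8, True),
    Finding("CVE-2022-0824", 0.04, 8.8, True),
    Finding("CVE-2021-22947", 0.01, 5.9, False),
    Finding("CVE-2022-24862", 0.02, 6.5, False),
]

if __name__ == "__main__":
    print("EPSS-driven:", [f.cve for f in prioritise(SAMPLE)])
    print("CVSS-only:  ", [f.cve for f in by_cvss_only(SAMPLE)])
    for n in (3, 6, 10):
        print(f"patch top {n:2d} -> residual 30-day risk {residual_risk(SAMPLE, n):.3f}")
```

Running the script side by side shows the point the Bug Report makes above:
a CVSS-only sort leaves five 9.8s tied at the top with no way to choose
between them, while the EPSS-driven order separates a CVE that is already
being exploited from one that merely could be. The residual-risk figure
gives a change board a number to argue about ("patching six closes all but
roughly 10% of this month’s exploitation probability") instead of a count of
outstanding criticals.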



WRITING AND RESEARCH

Alfred Alvarado, Christiaan Beek, Mark Bereza, John Fokker,
Charles McFarland, Doug McKee, Tim Polzer, Steve Povolny,
Sam Quinn, Leandro Velasco

RESOURCES

To keep track of the latest threats and research, see
these Trellix resources:

Threat Center – Today’s most impactful threats identified
by our team.

Twitter: Trellix Threat Labs, Christiaan Beek, John Fokker,
Douglas McKee, Steve Povolny

ABOUT TRELLIX

Trellix is a global company redefining the future of cybersecurity and
soulful work. The company’s open and native extended detection
and response (XDR) platform helps organizations confronted by
today’s most advanced threats gain confidence in the protection and
resilience of their operations. Trellix, along with an extensive partner
ecosystem, accelerates technology innovation through machine
learning and automation to empower over 40,000 business and
government customers with living security. More at https://trellix.com.

This document and the information contained herein describe computer security research for
educational purposes only and the convenience of Trellix customers. Trellix conducts research in
accordance with its Vulnerability Reasonable Disclosure Policy. Any attempt to recreate part
or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will
bear any responsibility or liability.

Visit Trellix.com to learn more.

Copyright © 2022 Musarubra US LLC 072022-05