5 Observations from Lumen on 2022 Attack Trends

Defenders are under enormous pressure to keep pace with attack trends, and as 2023 progresses, it’s essential to look back at the previous year and think about how we can prepare for the future.

At Lumen, we glean insights from our network, security operations centers and our threat intelligence team, Black Lotus Labs, and more. Their mission is to leverage the unmatched visibility that the Lumen global backbone provides to protect customers and help keep the internet clean. With this visibility, Lumen has a unique perspective on the attack trends from 2022 and what it means for the cybersecurity community.

In this article, I’ll focus on trends in social engineering, zero-day vulnerabilities, ransomware, DDoS, and advanced actor techniques.

Trend #1: Complex social engineering campaigns are on the rise to evade traditional defenses

For years multifactor authentication (MFA) has been touted as one of the primary defenses against breaches protecting everything from corporate networks to personal bank accounts. The ubiquity of MFA, however, has driven threat actors to seek workarounds. And because a security program is only as strong as its weakest link, attackers are launching complex social engineering campaigns designed to capitalize on human error.

Social engineering is not a new concept, and the general population has become more aware of social engineering tactics, so threat actors have responded by adding new layers of complexity to their campaigns. The information obtained from these campaigns is used to help bypass MFA, penetrate an organization, and move laterally to steal data and credentials.

For a perfect example, look no further than Lapsus$, an amateur, extortion-focused group of teenagers that emerged in late 2021 and quickly found themselves on the FBI watch list. Lapsus$ breached numerous multinational technology organizations in 2022, including Samsung, Nvidia, T-Mobile, Ubisoft, Microsoft, and Uber.

Lapsus$ used a variety of methods to obtain initial access to targeted networks. Some techniques included, the use of stolen passwords and logins, searching public code repositories for credentials, and working to override weaker MFAs with session token replay. The group even paid some employees inside targeted organizations to hand over remote access. When Lapsus$ had all the information they needed, they triggered simple MFA prompts and waited for a legitimate user on a compromised account to consent to the access. Once in the system, they exploited unpatched vulnerabilities, stole data, and extorted their victims by threatening to publish the stolen data.

Takeaway: This is just one example of how social engineering is being used to evade MFA. Our Lumen security experts recommend organizations strengthen their remote access tools (e.g., VPN) by using strong passwords, implementing MFA, and limiting access to essential parties only. In addition, regular security training that teaches employees about social engineering campaigns will help protect the organization from human error.

Trend #2: Faster weaponization of zero-day vulnerabilities

Patch management has been a headache for defenders for years. Keeping up with the number of patches can be a full-time job in itself. In fact, when a patch is released, advanced actors immediately get to work exploiting the vulnerability. In 2022, attackers were laser-focused on that goal. We’ve seen that when a patch is released, attackers are able to develop an exploit in as little as 48 hours. This compressed timeline has caused patch management to go from a simple headache to a full-blown migraine.

In early 2022, we saw advanced persistent threat actors leveraging VMware vulnerabilities CVE-2022-22954 and CVE-2022-22960 to gain remote control of a target and launch ransomware attacks. Patches were released on April 6, 2022, but researchers soon discovered that malicious actors had reverse engineered the patches, developed an exploit, and began exploiting the disclosed vulnerabilities – all by April 8, 2022. VMware released additional patches, which triggered an alert from CISA with a stark warning: “all organizations with internet-facing affected systems that did not immediately apply updates—to assume compromise and initiate threat hunting activities.”. Black Lotus Labs identified and null-routed multiple malicious nodes that were exploiting the VMware vulnerabilities within the Lumen network.

Takeaway: Staying on top of patch management has never been more critical for technology companies and their customers. Everyone has a role to play to ensure that vulnerabilities do not remain open doors to critical data.

Trend #3: Chaotic transformation is running rampant in the ransomware space

In March 2022, Black Lotus Labs observed the Emotet malware family rise from the ashes, leading to the resurgence of one of the world’s most notorious botnets. While it did not amass to the same scale as its first run, Emotet 2.0 posed a looming, global threat from its bots, which used stolen credentials to send spam through legitimate mail servers. This, in turn, further propagated the malware and provided the threat actors with initial access to infected machines. That access was subsequently sold to other cybercriminals, such as ransomware operators.

As the world watched the past repeat itself with Emotet, we simultaneously looked on as one of the most dangerous ransomware groups, Conti, imploded. In May 2022, the Conti gang’s official website, Conti News, was shut down. This was most likely due to the weight of sanctions against Conti and Russia, and the emergence of a new malware family, BumbleBee. Conti publicly sided with Russia in the Ukraine conflict – an act that caused conflict inside the group and led to the leaking of group chat logs, that demonstrated how the group operated and whom they were targeting. With funding from extortions running dry, Conti could no longer support its activities.

But before the world counts Conti out, remember this: when a giant falls, others often rise to fill the void. Conti’s downfall has led to a rise in new smaller ransomware operators. Other organizations have leveraged Conti’s infrastructure, and members have moved on to participate in other cybercriminal activities. What comes next remains to be seen.

Takeaway: As the ransomware space begins to settle, the infosec community must continue working together to share information and monitor these groups and their malware.

Trend #4: Reflection DDoS attacks are rising – while Ransom DDoS activity dies down.

In 2020 and 2021, ransom DDoS dominated the headlines. The good news is that, in 2022 Lumen observed a decline in extortion demands among our customers. We believe this is because more organizations invested in DDoS mitigation services, and less sophisticated attacks couldn’t bypass more robust defenses. Additionally, cyber insurance companies have implemented stricter insurance policies to dissuade payments. And at the end of the day, more organizations are just unwilling to pay the ransom.

As financial gains dried up with ransom DDoS attacks, attackers sought to leverage techniques that would pay out with very little investment on their part. This is where reflection attacks enter the scene. A reflection attack is a DDoS attack where a threat actor pretends to be another entity and initiates a slew of communications to elicit a flood of traffic back to the unsuspecting victims. In addition to directing extraordinarily large amounts of traffic to the victim, this technique also hides the true IP of the attacker – a powerful nice-to-have feature for DDoS operators.

To make matters worse, reflection attacks leverage the types of servers that can amplify the attack traffic exponentially without the need for more attacker-owned resources. Threat actors are particularly fond of reflection vectors because they add potency without the need for additional investments such as procuring infrastructure or cultivating a botnet.

In October 2022, Black Lotus Labs uncovered CLDAP reflectors being used to carry out attacks with a bandwidth amplification factor of 56 to 70 times the original request. The May 2021 DDoS attacks targeting Belnet, one of the ISPs for the Belgian government, was at one point comprised almost entirely of reflected CLDAP traffic. In recent research, Black Lotus Labs found the number of CLDAP reflectors available on the internet has increased by more than 60% in the past year.

Takeaway: Black Lotus Labs is taking steps to help the internet community at large defend against reflection attacks. By observing commonly used attack patterns, we can create validators to track their behavior and flag if those patterns are being used. And while CLDAP attacks and reflection attacks aren’t a new phenomenon, the recent uptick is something to watch closely in 2023.

Trend #5: Unmonitored spaces continue to be targeted for stealthy advanced actor activity

Advanced threat actor activity is some of the most complex malicious activity to track. They thrive in the dark, and their techniques are intentionally used, so they often go unnoticed. This was the case when Black Lotus Labs discovered ZuoRAT in June 2022.

ZuoRAT was a years-long malware campaign targeting small office and home office (SOHO) routers. Advanced actors took advantage of the pandemic and the surge in remote work to launch a campaign that hid outside normal enterprise security perimeters. Nearly overnight, strict in-office security strategies became obsolete as employees transitioned to home offices where they were in charge of their own endpoints. Very few people monitor or patch their routers at home, so threat actors were able to leverage those devices to access and maintain a low-detection presence on target networks and exploit sensitive information transiting the LAN.

Black Lotus Labs identified a multi-stage remote access trojan (RAT) that was developed specifically for these devices. The RAT allowed threat actors to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.

While advanced actors have long demonstrated the capability and intent to target sensitive networks, the industry has uncovered only a handful of router-based malware specifically designed to target them covertly. The capabilities shown in the ZuoRAT campaign point to a highly sophisticated actor that we hypothesize had been living undetected on the edge of targeted networks for years.

When we discovered the ZuoRAT malware, Black Lotus Labs blocked the C2s from conducting traffic across the Lumen network, and they published research so the security community would be aware of the threat.

Takeaway: ZuoRAT took advantage of the sudden surge in remote work back in 202, and many organizations have since embraced remote and hybrid work environments. To maintain security with a dispersed workforce, Lumen strongly recommends that organizations consider comprehensive Secure Access Service Edge (SASE) to bolster their security posture and enable robust detection on network-based communication.

Conclusion

This article covers just a sliver of the infosec activity in 2022, but it was activity that had a significant impact throughout the year. With 2023 well underway, we can be certain of one thing: change will be constant, so defenders will need to stay vigilant. The attackers certainly are.

If you are interested in hearing more about the research from the Lumen Black Lotus Labs team, follow us on Twitter (@BlackLotusLabs).

This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.