X-ForceThreat

IntelligenceIndex

2023

IBMSecurity

Tableofcontents

01→

Executivesummary

07→

Cyber-relateddevelopments

ofRussia’swarinUkraine

12→

Recommendations

02→

13→

Reporthighlights

08→

Themalwarelandscape

About

us

03→

14→

Keystats

09→

ThreatstoOTandindustrial

Contributors

04→

Topinitialaccessvectors

controlsystems

15→

Appendi

x

10→

05→

Topactionsonobjective

s

Geographictrends

11→

06→

Topimpacts

Industrytrends

3

01

Executivesummary

includesbillionsofdatapointsrangingfromnetworkandendpointdevices,incidentresponse(IR)engagements,vulnerabilityandexploitdatabasesandmore.ThisreportisacomprehensivecollectionofourresearchdatafromJanuaryto

December2022.

WeprovidethesefindingsasaresourcetoIBMclients,cybersecurityresearchers,policymakers,themediaandthe

largercommunityofsecurityindustryprofessionalsandindustryleaders.Today’svolatilelandscape,withitsincreasinglysophisticatedandmaliciousthreats,requiresacollaborativeefforttoprotectbusinessandcitizens.Morethanever,youneedtobearmedwiththreatintelligenceandsecurityinsightstostayaheadof

attackersandfortifyyourcriticalassets.

Soyoutoocanthrive.

Theyear2022wasanothertumultuous

oneforcybersecurity.Whiletherewasno

shortageofcontributingevents,amongthe

mostsignificantwerethecontinuingeffects

ofthepandemicandtheeruptionofthe

militaryconflictinUkraine.Disruption

made2022ayearofeconomic,geopolitical

andhumanupheavalandcost—creating

exactlythekindofchaosinwhich

cybercriminalsthrive.

Andthrivetheydid.

IBMSecurity?X-Force?witnessed

opportunisticthreatactorswhocapitalize

ondisorder,usingthelandscapetotheir

advantagetoinfiltrategovernmentsand

organizationsacrosstheglobe.

TheIBMSecurityX-ForceThreat

IntelligenceIndex2023tracksnewand

existingtrendsandattackpatternsand

3

Nextchapter

01Executivesummary

Howourdataanalysischanged

for2022

In2022,wemodifiedhowweexaminedportionsofourdata.Thechangesallowustooffermoreinsightfulanalysisandalignmorecloselytoindustrystandardframeworks.That,inturn,enablesyoutomakemoreinformedsecuritydecisionsandbetterprotectyourorganizationfromthreats.

Changestoouranalysisin2022included:

–Initialaccessvectors:AdoptingtheMITREATT&CKframeworktotrackinitialaccessvectorsmorecloselyalignsourresearchfindingswiththebroadercybersecurityindustryandallowsustoidentifyimportanttrendsatthetechniquelevel.

–Exploitsandzerodaycompromises:

Extrapolatingfromourrobust

vulnerabilitydatabase—whichincludes

nearly30yearsofdata—helpslend

contexttoouranalysisandidentifythe

actualthreatposedbyvulnerabilities.

Thisprocessalsolendscontexttothe

diminishingproportionofweaponizable

exploitsandimpactfulzerodays.

–Threatactormethodsandtheirimpact:Uncouplingthestepsthreatactorstakeduringanattackfromtheactualimpactofanincidentallowedustoidentifycriticalstagesofanincident.Thisprocess,inturn,uncoveredareasthatrespondersshouldbepreparedtohandleintheaftermathofanincident.

Nextchapter

4

02

Reporthighlights

Topactionsonobjectivesobserved:

Inalmostone-quarterofallincidentsremediatedin2022,thedeploymentofbackdoorsat21%wasthetopactiononobjective.Notably,anearlyyearspikeinEmotet,amultipurposemalware,contributedsignificantlytothejumpinbackdooractivityobservedyearoveryear.Despitethisspikeinbackdooractivity,ransomware,whichheldthetopspotsinceatleast2020,constitutedalargeshareoftheincidentsat17%,reinforcingtheenduringthreatthismalwareposes.

extortion,ascybercriminalscontinuedthe

trendofexploitingastrainedindustry.

Phishingwasthetopinitialaccessvector:

Phishingremainstheleadinginfection

vector,identifiedin41%ofincidents,

followedbyexploitationofpublic-facing

applicationsin26%.Infectionsby

maliciousmacroshavefallenoutoffavor,

likelyduetoMicrosoft’sdecisiontoblock

macrosbydefault.MaliciousISOandLNK

filesuseescalatedastheprimarytacticto

delivermalwarethroughspamin2022.

modernwarfare.Althoughthedirestcyberspacepredictionshaven’tcometofruitionasofthispublication,therewasanotableresurgenceofhacktivismanddestructivemalware.X-Forcealsoobservedunprecedented

shiftsinthecybercriminal

world

withincreasedcooperationbetweencybercriminalgroups,andTrickbotgangstargetingUkrainianorganizations.

Extortionwasthemostcommonattackimpactonorganizations:At27%,extortionwastheclearimpactofchoicebythreatactors.Victimsinmanufacturingaccountedfor30%ofincidentsthatresultedin

Increaseinhacktivismanddestructive

malware:Russia’swarinUkraine

openedthedoortowhatmanyinthe

cybersecuritycommunityexpectedto

beashowcaseofhowcyberenables

Previouschapter

Nextchapter

5

03

Keystats

27%

Percentageofattackswithextortion

Threatactorssoughttoextortmoneyfromvictimsinmorethanone-

quarterofallincidentstowhichX-Forcerespondedin2022.The

tacticstheyusehaveevolvedinthelastdecade,atrendexpectedto

continueasthreatactorsmoreaggressivelyseekprofits.

2

1%

Shareofincidentsthatsaw

backdoorsdeployed

Deploymentofbackdoorswasthetopactiononobjectivelastyear,

occurringinmorethanoneinfivereportedincidentsworldwide.

Successfulinterventionbydefenderslikelypreventedthreatactors

fromfulfillingfurtherobjectivesthatmayhaveincludedransomware.

17%

Ransomware’sshareofattacks

Evenamidachaoticyearforsomeofthemostprolificransomware

syndicates,ransomwarewasthesecondmostcommonactionon

objective,followingcloselybehindbackdoordeploymentsand

continuingtodisruptorganizations’operations.Ransomware’sshare

ofincidentsdeclinedfrom21%in2021to17%in2022.

Previouschapter

Nextchapter

6

03Keystats

41%

Percentageofincidentsinvolvingphishingforinitialaccess

Phishingoperationscontinuedtobethetoppathwaytocompromisein2022,with41%ofincidentsremediatedbyX-Forceusingthistechniquetogaininitialaccess.

62%

Percentageofphishingattacksusingspearphishingattachments

Attackerspreferredweaponizedattachments,deployedbythemselvesorincombinationwithlinksorspearphishingviaservice.

100%

Increaseinthenumberofthread

hijackingattemptspermonth

Thereweretwiceasmanythreadhijackingattemptspermonthin2022,comparedto2021data.SpamemailleadingtoEmotet,QakbotandIcedIDmadeheavyuseofthreadhijacking.

26%

Shareof2022vulnerabilitieswith

knownexploits

Twenty-sixpercentof2022’svulnerabilitieshadknownexploits.AccordingtodatathatX-Forcehastrackedsincetheearly1990s,thatproportionhasbeendroppinginrecentyears,showcasingthebenefitofawell-maintainedpatchmanagementprocess.

52%

Dropinreportedphishingkitsseekingcreditcarddata

Almosteveryphishingkitanalyzedinthedatasoughttogathernamesat98%andemailaddressesat73%,followedbyhomeaddressesat66%andpasswordsat58%.Creditcardinformation,targeted61%ofthetimein2021,felloutoffavorforthreatactors—datashowsitwassoughtinonly29%ofphishingkitsin2022,a52%decline.

31%

ShareofglobalattacksthattargetedtheAsia-Pacificregion

Asia-Pacificretainedthetopspotasthemost-attackedregionin2022,accountingfor31%ofallincidents.ThisstatisticrepresentsafivepercentagepointincreasefromthetotalshareofattackstowhichX-Forcerespondedintheregionin2021.

Previouschapter

Nextchapter

7

Tpiitilt2022

8

04

Topinitialaccessvectors

Topinitialaccessvectors2022

Exploitpublic-facingapplication

Phishing-Spearphishingattachment

26%

25%

Phishing-Spearphishinglink

Externalremoteservices

Validaccounts-Local

Validaccounts-Domain

Hardwareadditions

Validaccounts-Default

Phishing-Spearphishingviaservice

Validaccounts-Cloud

14%

12%

7%

In2022,X-Forcemovedfromtracking

initialaccessvectorsasbroadercategories,

suchasphishingandstolencredentials,to

theinitialaccesstechniqueslistedwithin

the

MITREATT&CKMatrix

forEnterprise

framework.ThisshiftallowsX-Forceto

trackimportanttrendsmoregranularlyat

thetechniquelevel.Italsoprovidesmore

readilyconsumableandcross-comparable

dataandalignswiththebroaderindustry’s

standardizationefforts.

5%

3%

2%

2%

2%

Figure1:TopinitialaccessvectorsX-Forceobservedin2022.Source:X-Force

Nextchapter

8

Previouschapter

04Topinitialaccessvectors

Phishing

Phishingtypeseenas%oftotalphishingcases

5%

33%

PhishingLinkAttachment

viaservice

62%

Phishing(T1566)

,whetherthroughattachment,linkorasaservice,remainstheleadinfectionvector,whichcomprised41%ofallincidentsremediatedbyX-Forcein2022.Thispercentageholdssteadyfrom

2021afterhavingincreasedfrom33%in

2020.Lookingatallphishingincidents,

spearphishingattachments(T1566.001)

wereusedin62%ofthoseattacks,

spear

phishinglinks(T1566.002)

in33%and

spearphishingasaservice(T1566.003)

in5%.X-Forcealsowitnessedthreatactorsuseattachmentsalongsidephishingasaserviceorlinksinsomeinstances.

IBMX-ForceReddatafrom2022further

highlightsthevalueofphishingand

mishandledcredentialstothreatactors.

Across2022’spenetrationtestsforclients,X-ForceRedfoundthatapproximately54%oftestsrevealedimproperauthenticationorhandlingofcredentials.TheX-ForceRedAdversarySimulationteamregularlyperformedspearphishingwithQRcodestargetingmultifactorauthentication(MFA)tokens.Manyorganizationslackedvisibilityintoapplicationsandendpointsexposedthroughidentityaccessmanagementandsinglesign-on(SSO)portals,suchasOkta.

Insecondplace,

exploitationofpublic-

facingapplications(T1190)

—defined

asadversariestakingadvantageofa

weaknessinaninternet-facingcomputer

orprogram—wasidentifiedin26%of

incidentstowhichX-Forceresponded.

ThiscorrelatestowhatpastThreatIntelligenceIndexreportsreferredtoas“vulnerabilityexploitation”andmarksadropfrom34%in2021.

Inthirdplace,

abuseofvalidaccounts

(T1078)

wasidentifiedin16%oftheobservedincidents.Thesearecaseswhereadversariesobtainedandabusedcredentialsofexistingaccountsasameansofgainingaccess.Theseincidentsincludedcloudaccounts

(T1078.004)

anddefaultaccounts

(T1078.001)

at2%each,domainaccounts

(T1078.002)

at5%,andlocalaccounts

(T1078.003)

at7%.

Figure2:Typesofphishingsubtechniquesasa

percentageoftotalphishingcasesobservedby

X-Forcein2022.Source:X-Force

Previouschapter

Nextchapter

9

04Topinitialaccessvectors

Creditcardinformation

droppedsignificantlyfrom

beingtargeted61%ofthe

timein2021to29%of

phishingkitsin2022.

Phishingkitslastinglonger,targetingPIIovercreditcarddata

IBMSecurityanalyzedthousandsofphishingkitsfromaroundtheworldforthesecondyearinarowanddiscoveredkitdeploymentsareoperationallongerandreachingmoreusers.Thedataindicatesthatthelifespanofphishingkitsobservedhasmorethandoubledyearoveryear,whilethemediandeploymentacrossthedatasetremainedrelativelylowat3.7days.

Overall,theshortestdeploymentlasted

minutesandthelongest,discoveredin

2022,ranlongerthanthreeyears.Our

investigationfoundthefollowing:

–One-thirdofdeployedkitslasted

approximately2.3dayslastyear,more

thandoublethelengthoftheyearprior

whenthesameproportionlastedno

longerthanoneday.

–Approximatelyhalfofallreportedkitsimpacted93users,whereasin2021,eachdeploymentonaveragehadnogreaterthan75potentialvictims.

–Themaximumtotalvictimsofonereportedphishingattackwasjustover4,000,althoughthiswasanoutlier.

–Almosteveryreportedphishingkitanalyzedsoughttogathernamesat98%.Thiswasfollowedbyemailaddressesat73%,homeaddressesat66%and

passwordsat58%.

–Creditcardinformationdroppedsignificantlyfrombeingtargeted61%ofthetimein2021to29%ofphishingkitsin2022.

–Lowerinstancesofphishingkitsseekingcreditcarddataindicatethatphishersareprioritizingpersonallyidentifiableinformation(PII),whichallowsthembroaderandmorenefariousoptions.PIIcaneitherbegatheredandsoldonthedarkweborotherforumsorusedtoconductfurtheroperationsagainsttargets.

Previouschapter

Nextchapter

10

04Topinitialaccessvectors

Topspoofedbrands

Thetopbrandsobservedbeingspoofed

aremadeupmostlyofthebiggestnames

intech.X-Forcebelievesthisshiftfrom

2021’ssomewhatmorediverselistis

duetoimprovedabilitytoidentifythe

brandsthatakitisconfiguredtospoof,

notjusttheoneit’stargetingbydefault.

Manyphishingkitsaremultipurpose,and

thebrandbeingspoofedcanbechanged

byalteringasimpleparameter.For

example,akitcanspoofGmailbydefault,

butaone-lineupdatechangesitintoan

attackspoofingMicrosoft.

Stolencredentialsforsuchservicesarevaluable.Gainingaccesstoaccountsthatvictimsusetomanageentireportionsoftheironlinepresencecanopenthedoorforaccesstootheraccounts.Attackers’focusonthisformofinitialaccessishighlightedinthe

2022CloudThreatLandscape

Report

,whichfoundamorethanthreefoldincreaseat200%ofthenumberofcloudaccountsbeingadvertisedforsaleonthedarkweboverwhatwasobservedin2021.

Topspoofedbrandsyearoveryear

2022

2021

1

Microsoft

Microsoft

2

Google

Apple

3

Yahoo

Google

4

Facebook

BMOHarrisBank

5

Outlook

Chase

6

Apple

Amazon

7

Adobe

Dropbox

8

AOL

DHL

9

PayPal

CNN

10Office365Hotmail

Figure3:Thischartidentifiesthe

topspoofedbrandsin2021and

2022,demonstratingthatthreat

actorsareincreasinglyfocusing

onlargetechnologybrands.

Source:IBMphishingkitdata

Previouschapter

Nextchapter

11

04Topinitialaccessvectors

Vulnerabilities

Shareofincidentsresultingfromvulnerabilityexploitationoverthelastfouryears

2022

2021

2020

35%

2019

26%

34%

30%

Vulnerabilityexploitation—capturedfor

2022as

exploitationofpublic-facing

applications(T1190)

—placedsecond

amongtopinfectionvectorsandhasbeen

apreferredmethodofcompromiseby

attackerssince2019.Vulnerabilitieswere

exploitedin26%ofattacksthatX-Force

remediatedin2022,34%in2021,35%in

2020and30%in2019.

Noteveryvulnerabilityexploitedby

threatactorsresultsinacyberincident.

Thenumberofincidentsresulting

fromvulnerabilityexploitationin2022

decreased19%from2021,afterrising

34%from2020.X-Forceassessedthat

thisswingwasdrivenbythewidespread

Log4Jvulnerabilityattheendof2021.

Exploitationforaccessisakeyareaof

researchthattheteamatX-ForceRed

AdversarySimulationServicespursued

tokeepsimulatingadvancedthreats.

Theteamincreaseditsfocuson

vulnerabilityresearchforexploitationof

operatingsystems(OS)andapplications

toexpandaccessandperformprivilege

escalation.Thisfocuswaslargelydueto

pastexerciseswithlong-standingclients

whohavehardenedtraditionalActive

Directoryattackpathsandtheneedto

pursuenewattackpaths.

Whilevulnerabilitiesareacommoninitialaccessvector,andtheindustryrespondstoseveralmajoronesinanygivenyear,noteveryvulnerabilityisthesame.It’simportantfordecisionmakerstotakeafullviewofthevulnerabilitylandscapeandensurethey’reequippedwiththenecessarycontexttounderstandtherealthreatagivenvulnerabilityposestotheirnetworks.

Almost30yearsagoandpredatingtheadventoftheCommonVulnerabilitiesandExposures(CVE)system,X-Forcebeganbuildingarobustvulnerabilitydatabase.Thisdatabaseisnowoneofthemostcomprehensiveinthecybersecurityindustry.Whilevulnerabilitiesareamajorrisktosecurity,therearefarmorereportedvulnerabilitiesthanthereareknownweaponizedexploits.Further,despitepublicattentiononzerodays,theactualnumberofknownzerodaysisdwarfedbythetotalnumberofknownvulnerabilities.

Previouschapter

Nextchapter

12

04Topinitialaccessvectors

TotalX-Forcedatabaseofvulnerabilitiesversusexploits

30,000

23,964

25,000

17,92318,11519,391

15,000

10,000

6,5056,0905,4795,7166,290

5,000

0

20182019202020212022

SumoftotalexploitsSumoftotalvulnerabilities

20,000

21,518

Everyyearseesanewrecordnumber

ofvulnerabilitiesdiscovered.Thetotal

numberofvulnerabilitiestrackedin2022

was23,964comparedto21,518in2021.

Thetrendofyear-to-yearvulnerability

increaseshaspersistedoverthelast

decade.Tothebenefitofdefenders,

analysisofourvulnerabilitydatabase

showedtheproportionofknown,viable

exploitstoreportedvulnerabilities

decreasinginrecentyears—36%in2018,

34%in2019,28%in2020,27%in2021

and26%in2022.

Thesenumberscanshiftwiththeexposureofzerodaysandexploitsbeingdevelopedforoldervulnerabilities—sometimesyearsafterthey’reidentified—andthereareseveralpotentialexplanationsbehindthis

decline.First,theestablishmentofformalbugbountyprogramshasincentivizedtheproactivediscoveryofvulnerabilitieswithinapplications.Additionally,ahandfulofwidelypopularandwell-establishedvulnerabilitiesexistthatalreadyserveasameansofsystemexploitationforattackers,reducingtheneedforthreatactorstodevelopnewexploits.Thedropislikelyduetoacombinationofmultiplefactorsbutdoesn’tpointtovulnerabilityexploitationbecominglessofathreat.

Whiletheproportionofexploitstovulnerabilitiesdrops,theseverityofthoseexploitsX-Forcetrackshasincreasedinthelastfiveyears.In2018,58%ofvulnerabilitieshadaCommonVulnerabilityScoringSystem(CVSS)scoreofmedium,

Figure4:X-Forcevulnerabilitydatabaseviewshowing

vulnerabilitiesandexploitsoverthepastfiveyears.

Source:X-Force

Previouschapter

Nextchapter

13

04Topinitialaccessvectors

CVSSscoresofvulnerabilitiesinX-Forcedatabase

58%

55%

47%

42%

36%

4%

0.4%

20182019202020212022

CriticalHighMediumLow

0.4%

0.4%

0.6%

0.5%

47%

46%

49%

49%

38%

4%

4%

6%

6%

4.0-6.9outof10,comparedtojustunder36%high,7.0-9.9.Thespreadbetweenthosetwoinvertedin2021,andhighseverityvulnerabilitiesnowaccountforfivepercentagepointsmorethanthosethatscoredmedium.

Still,ofallthevulnerabilitiesX-Forcehastrackedsince1988,38%ofthemrankhigh,withonly1%cominginatthecriticalscoreof10.Halfoftrackedvulnerabilitiesrankmediumwiththeremaining11%cominginatlow,3.9andbelow.Thesescoresalonedon’tcorrelatetothereal-worldseverityofanyoneCVE,sinceitdoesn’taccountfor

howexploitationisaccomplishedorifanexploitevenexists.However,thescoresdohelpdefenderscomparevulnerabilitiesandprioritizehowquicklytoaddressthem.TheFigure6graphiconthefollowingpagehelpstoputintoperspectivethetruenatureofthevulnerabilityproblemfacingthecybersecurityindustry.

Figure5:X-Forcevulnerabilitydatabaseshowing

severityofvulnerabilitiestrackedinoursystem.

Source:X-Force

Previouschapter

Nextchapter

14

15

1988

1989

1990

1991

1992

1993

1994

1995

1996

1997

1998

1999

2000

2001

2002

2003

2004

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

2015

2016

2017

2018

2019

2020

2021

2022

Cumlativevulnerabilities,exploitsandzerodayssince1988

%

N/A

34%

Number

228,167

78,156

Category

Totalvulnerabilities

Totalexploited

vulnerabilities

Totalunexploited

vulnerabilities

Totalzerodays

Critical

High

Medium

Low

ProxyNotShellSpring4ShellSynLapse

Shellshock

2008

Conficker

2011

Beast

2012

Crime

1993

XFDBprecursor

1997

XFDB(ISS)founded

1999

CVEfounded

Meltdown

2019

BlueKeep

2020

SunburstSupernovaZerologon

2003

Metasploitcreated

2004

ExploitDBcreated

2015

Freak

2016

Sweet32

150,011

66%

7,327

2,746

86,595

114,480

24,274

3%1%38%50%

11%

04Topinitialaccessvectors

Operationaltechnology(OT)

vulnerabilities

Industrialcontrolsystems(ICS)

vulnerabilitiesdiscoveredin2022

decreasedforthefirsttimeintwo

years—457in2022comparedto715in

2021and472in2020.Oneexplanation

forthismaybefoundinICSlifecycles

andhowthey’regenerallymanagedand

patched.Attackersknowthatwith

demandforminimaldowntime,

longequipmentlifecyclesandolder,

less-supportedsoftware,manyICS

componentsandOTnetworksarestill

atriskofoldervulnerabilities.

Infrastructureisusuallyinplacefor

manyyearslongerthanstandardoffice

workstations,whichextendsthelifespan

ofICS-specificvulnerabilitiesbeyond

thosethatcanexploitIT.

Thevulnerabilityproblem

300,000

2021

2017

Log4JWreckSudo

2022

Follina

280,000

EternalBlue

260,000

2018

2013

Breach

2014

HeartbleedPoodle

240,000

Spectre

220,000

200,000

180,000

160,000

140,000

120,000

100,000

80,000

60,000

40,000

20,000

0

VulnerabilitiesWeaponizedexploitsZeroday

Figure6:Graphicshowingthegrowthofvulnerabilities,exploitsandzerodayssince1988.Also

includedisatimelineofmajoreventinvolvingvulnerabilitiessince1993.XFDBstandsforX-Force

DatabaseandExploitDBstandsforExploitDatabase.Source:X-Force

Nextchapter

15

Previouschapter

16

05

Topactionsonobjectives

Previously,theX-ForceThreatIntelligence

Indexexaminedthebroadcategoryoftop

attacks.For2022,X-Forcedissectedthis

classificationintotwodistinctcategories:

thespecificactionsthreatactorstookon

victimnetworks,oradversaryactionon

objective,andtheintendedor