Wrap-up

Please provide the information below to view the online Verizon Data Breach Investigations Report.

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

This wraps up another year of delving deep into data breaches to mine for useful nuggets of information and analysis.

It is, as always, our hope that you found it instructive, actionable and maybe even fun to read.59 All of us here on the team feel extremely fortunate to be where we are and doing what we do. We would also like to extend our most sincere gratitude once again to our faithful readers. The feedback and stories you have provided to us throughout the years drives us to work diligently to continually evolve and improve this report.

As always, be well, be prosperous and be prepared for anything.60


Year in review

January

The VTRAC Intelligence Analysts experienced déjà vu as we began 2022 tracking attacks exploiting Log4j in much the same way SolarWinds campaigns kicked off 2021. During the first week of December 2021, the Log4j vulnerability became the biggest blip on the InfoSec risk radar. About a week later, VMware observed Log4Shell attacks, and “the majority of the attacks target Linux systems.” Log4j, and especially attacks on VMware, remained a persistent risk issue through 2022. Before the end of the month, Prophet Spider, a notorious initial access broker, was selling VMware Horizons systems breached using Log4j. The Russian Ember Bear threat actor (TA) launched attacks on Ukraine using WhisperGate wiper malware. Microsoft patched a zero-day vulnerability in the Win32k.sys driver. Apple patched a zero-day vulnerability impacting iPhones and iPads

February

Collection and analysis of intelligence covering cyberattacks supporting Russia’s February 2022 invasion of Ukraine was the most significant activity for VTRAC in February. On and before February 24, the Russian Main Intelligence Directorate (GRU)61 launched AcidRain wiper malware attacks on the Viasat satellite communications terminals in Ukraine, but significant collateral damage was also done to terminals scattered across Europe. Ukraine was targeted with at least six new wiper malwares by Russian TAs. On February 25, the notorious cybercrime-as-a-service TA, “Conti” announced support for Russia. Two days later, Twitter user “@ContiLeaks” released 400 internal Conti files including 60,000 chat messages. “Ordinary” cyber intelligence in February included zero-day vulnerabilities in Zimbra, Chrome, Apple OS and Adobe Commerce/Magento. Cybercriminals controlling Emotet leveraged the Russia-Ukraine conflict in bait themes in their malspam.

March

Zero-day exploitation of vulnerabilities in Chrome, Firefox, Trend Micro Apex Central and Mitel business telephony components kept enterprise security and patch management teams busy in March. Increased vigilance looking for evidence of Russian-Ukraine cyber-attacks yielded intelligence on APT actors from China, Iran and North Korea. Chinese APT actor Mustang Panda used the Russia-Ukraine conflict in attacks on diplomatic missions, think tanks and ISPs in Mongolia, Vietnam, Myanmar and Russia. New intelligence detailing the exploitation of a vulnerable web application led to lateral exploitation of networks in several US state governments by APT41 (Winnti), another Chinese APT actor. Iranian APT MuddyWater targeted the Arabian Peninsula, Turkey and Pakistan. The largest cryptocurrency theft to date occurred when North Korea’s Lazarus Group stole more than US$620 million from the Ronin Network. North Korean APT Kimsuky targeted a nuclear-related think tank with their signature “BabyShark” malware. The Lapsus$ TA shifted tactics, techniques and procedures (TTP) from ransomware to data theft extortion, claiming compromises at Microsoft, Okta, Nvidia and Samsung.

April

Patch management teams were especially harried in April mitigating zero-day vulnerabilities under attack in the Windows CLFS, Apple OS, Trend Micro security products, Chrome browser and VMware. Sophos firewalls came under attack hours after release of a security advisory and patches. SonicWall, Zyxel and FortiGuard also released security advisories and updates for their firewalls. The VTRAC began collecting more than the usual volume of intelligence on APT-grade actors yielding TTP updates usable by both other TAs and Verizon Cyber Security Consulting clients. A campaign by the Chinese APT-grade actor Deep Panda had been exploiting the ill-famed Log4Shell vulnerability in VMware Horizon servers missing December’s patches. We also collected intelligence on Russian state actors attacking Ukraine, including details on the attack on Viasat in February, and four operations by North Korea’s Lazarus Group. Attacks by cybercrime TAs including LockBit, FIN7, ALPHV, Hive, CL0P and Conti continued unabated.

May

Vulnerabilities in infrastructure components began to emerge as a recurring theme in 2022. In the wild exploitation commenced within one week of the release of security advisories and patches in vulnerabilities in F5 BIG-IP appliances (CVE-2022-1388) and Zyxel firewalls (CVE-2022-30525). Microsoft patched 74 vulnerabilities in May’s Patch Tuesday, including a zero-day Windows LSA Spoofing Vulnerability (CVE-2022-26925). CISA initially added it to their Known Exploited Vulnerabilities Catalog but quickly removed it to avoid outages caused by authentication failures resulting from precipitous domain controller patching. Two infamous malware families, Emotet and REvil, thought to have shut down, each made a resurgence in May, but the controversial ransomware group Conti disbanded. As May ended, intelligence emerged that a Chinese APT actor was exploiting another Windows zero-day vulnerability (CVE-2022- 30190) to attack targets in Russia and Belarus. The “Folina” vulnerability was a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT).

June

Days after the discovery of Folina, Atlassian announced patches for a zero-day remote code execution vulnerability (CVE-2022-26134) in Confluence Data Center and Server. Over the Memorial Day weekend in the United States, Volexity’s incident responders had detected suspicious activity on two internet-facing Atlassian Confluence Servers with Behinder web shells installed, probably by Chinese threat actors. Volexity also reported that a zero-day vulnerability in Sophos Firewall (CVE- 2022-1040) was being exploited by a Chinese APT actor they labeled, “DriftingCloud.” Intelligence indicated that widespread attacks, by the infamous Chinese APT actor Deep Panda, were continuing to successfully exploit Log4j in unpatched VMware Horizon servers.

July

The release of cyber intelligence reports usually precedes the Black Hat USA and DEF CON conferences. The quality, quantity and breadth of those reports in 2022 represented the most significant intelligence for the month of July. Tracking successful TTPs has been an intelligence requirement because our adversaries are adept at learning from open source intelligence (OSINT), making agility in tuning security architecture an imperative. Exploitation of zero-day vulnerabilities in Google’s Chrome browser and Windows CSRSS kept patch management teams busy, as did three unexploited critical vulnerabilities in multiple Atlassian products. Intelligence emerged that a ransomware and crypto mining TA had been successfully exploiting one, CVE-2022-26138, since June.

August

In addition to “Folina” a second zero-day remote code vulnerability in the Microsoft Windows Support Diagnostic Tool was discovered, exploited and patched in August. Apple, macOS, iOS and iPadOS plus Google Chrome all had their own zero-day vulnerabilities reported and patched. In early August, current and former employees of Twilio received smishing messages purporting to be from Twilio’s IT department calling for a password change. That breach led to the compromise of 9,931 accounts in 130+ organizations, most of which used Okta identity and access management solutions. The threat actor compromised 93 users of Twilio’s Authy multifactor authentication solutions. Intelligence emerged attributing these and multiple identity attacks at least as far back as March to the “Scatter Swine” or Oktapus TA.

September

September was the zero-day-palooza month for 2022. Two days into the new month, Google Chrome and Microsoft Edge were patching a zero-day vulnerability in their browsers. Trend Micro mitigated their second zero-day vulnerability of the year following successful in-the-wild attacks on their Apex One security products. And Sophos firewall customers had to patch their second zero-day of the year. The most significant zero-days were attributed to a Chinese APT actor that chained a pair of Windows vulnerabilities quickly nicknamed “ProxyNotShell.” VMware servers were also targeted by a Chinese cyberespionage actor employing malicious vSphere installation bundles for ESXi, Linux and Windows servers.

October

Microsoft did not patch “ProxyNotShell” in October’s Patch Tuesday release, but they did release a patch for CVE-2022-41033, an elevation of privilege zero-day. Fortinet patched a zero-day authentication bypass vulnerability in multiple products. More than 1,600 servers were breached by exploiting a zero-day in Zimbra Collaboration Suite, CVE-2022-41352, and tardy patching of three earlier Zimbra vulnerabilities. “Text4Shell” entered the InfoSec lexicon after a new Apache Commons Text library vulnerability, even though no attacks were reported. Two notorious malwares repurposed to expand their target sets: URSNIF and Emotet each exhibited significant TTP shifts, the former from banking Trojan to initial access downloader and the latter awoke from a four-month siesta as the tool of a full-service malware-as-a-service operator. Other zero-day attacks, vulnerabilities and patches were reported in Chrome browser and, separately, iOS and iPadOS.

November

Several strains of malware highlighted InfoSec risk intelligence in November. Forty days after the initial reports of ProxyNotShell attacks on Exchange, Microsoft patched those two vulnerabilities. Microsoft also patched four other zero-days in its products on Patch Tuesday. Chrome browser also mitigated a zero-day vulnerability. Updated intelligence on three malware families were prominent in the VTRAC collections. SocGholish is a JavaScript framework and malware-as-a-service used by cybercriminals to implement drive-by-downloads. Bumblebee, a new malicious loader, first appeared in May and in November began delivering Meterpreter and Cobalt Strike payloads. Cybercriminals controlling the Raspberry Robin worm evolved into initial access brokers for deploying other payloads.

December

Breaking the string of end-of-year InfoSec milestones set in 2020 with SolarWinds Orion and in 2021 by Log4j, December 2022 was comparatively boring. Intelligence indicated several threat actors were abusing Microsoft developer accounts to get malicious drivers signed through their profiles to be used in cyberattacks, including ransomware incidents and SIM swapping operations. The streak of months with attacks exploiting zero-day vulnerabilities was extended with reports of successful attacks on Microsoft, Apple, Fortinet and Citrix products. OWASSRF is a new attack chain exploiting on-premises Exchange Servers using the URL rewrite mitigations provided by Microsoft responding to September’s ProxyNotShell attack chain. The Play ransomware threat actors had exploited OWASSRF to attack at least eight victims. Among the best intelligence collections was a virtual order of battle of TA subordinate to Bureau 121 in the Reconnaissance General Bureau (RGB), North Korea’s military intelligence agency. 

Special thanks to Dave Kennedy of the Verizon Threat Research Advisory Center (VTRAC) for his continued support and yearly contribution to this report.

59 OK, that might be a stretch. How about “not the all-around cure for insomnia”?

60 Unofficial DBIR team motto, by the way

61 Now known as the Main Directorate of the General Staff of the Armed Forces of the Russian Federation—how’s that for a mouthful?

Let's get started.