X-Force Threat Intelligence

X-Force Threat
Intelligence Index
2023
IBM Security
Table of contents 01 → 07 → 12 →
Executive summary Cyber-related developments Recommendations
of Russia’s war in Ukraine
02 → 13 →
Report highlights 08 → About us
The malware landscape
03 → 14 →
Key stats 09 → Contributors
Threats to OT and industrial
04 → control systems 15 →
Top initial access vectors Appendix
10 →
05 → Geographic trends
Top actions on objectives
11 →
06 → Industry trends
Top impacts
01
Executive summary
The year 2022 was another tumultuous includes billions of datapoints ranging from
one for cybersecurity. While there was no network and endpoint devices, incident
shortage of contributing events, among the response (IR) engagements, vulnerability
most significant were the continuing effects and exploit databases and more. This
of the pandemic and the eruption of the report is a comprehensive collection of
military conflict in Ukraine. Disruption our research data from January to
made 2022 a year of economic, geopolitical December 2022.
and human upheaval and cost—creating
exactly the kind of chaos in which We provide these findings as a resource
cybercriminals thrive. to IBM clients, cybersecurity researchers,
policymakers, the media and the
And thrive they did. larger community of security industry
professionals and industry leaders. Today’s
IBM Security® X-Force® witnessed volatile landscape, with its increasingly
opportunistic threat actors who capitalize sophisticated and malicious threats,
on disorder, using the landscape to their requires a collaborative effort to protect
advantage to infiltrate governments and business and citizens. More than ever, you
organizations across the globe. need to be armed with threat intelligence
and security insights to stay ahead of
The IBM Security X-Force Threat attackers and fortify your critical assets.
Intelligence Index 2023 tracks new and
existing trends and attack patterns and So you too can thrive.
Next chapter 3
01 Executive summary
How our data analysis changed

for 2022
In 2022, we modified how we examined – Exploits and zero day compromises:

portions of our data. The changes allow Extrapolating from our robust
us to offer more insightful analysis and vulnerability database—which includes
align more closely to industry standard nearly 30 years of data—helps lend
frameworks. That, in turn, enables you to context to our analysis and identify the
make more informed security decisions actual threat posed by vulnerabilities.
and better protect your organization This process also lends context to the
from threats. diminishing proportion of weaponizable
exploits and impactful zero days.
Changes to our analysis in 2022 included:
– Threat actor methods and their impact:
– Initial access vectors: Adopting the Uncoupling the steps threat actors take
MITRE ATT&CK framework to track during an attack from the actual impact
initial access vectors more closely aligns of an incident allowed us to identify
our research findings with the broader critical stages of an incident. This
cybersecurity industry and allows us process, in turn, uncovered areas that
to identify important trends at the responders should be prepared to handle
technique level. in the aftermath of an incident.
Next chapter 4
02
Report highlights
Top actions on objectives observed: extortion, as cybercriminals continued the modern warfare. Although the direst
In almost one-quarter of all incidents trend of exploiting a strained industry. cyberspace predictions haven’t come to
remediated in 2022, the deployment of fruition as of this publication, there was
backdoors at 21% was the top action on Phishing was the top initial access vector: a notable resurgence of hacktivism and
objective. Notably, an early year spike Phishing remains the leading infection destructive malware. X-Force also observed
in Emotet, a multipurpose malware, vector, identified in 41% of incidents, unprecedented shifts in the cybercriminal
contributed significantly to the jump in followed by exploitation of public-facing world with increased cooperation between
backdoor activity observed year over year. applications in 26%. Infections by cybercriminal groups, and Trickbot gangs
Despite this spike in backdoor activity, malicious macros have fallen out of favor, targeting Ukrainian organizations.
ransomware, which held the top spot since likely due to Microsoft’s decision to block
at least 2020, constituted a large share macros by default. Malicious ISO and LNK
of the incidents at 17%, reinforcing the files use escalated as the primary tactic to
enduring threat this malware poses. deliver malware through spam in 2022.
Extortion was the most common attack Increase in hacktivism and destructive
impact on organizations: At 27%, extortion malware: Russia’s war in Ukraine
was the clear impact of choice by threat opened the door to what many in the
actors. Victims in manufacturing accounted cybersecurity community expected to
for 30% of incidents that resulted in be a showcase of how cyber enables
Previous chapter Next chapter 5

03
27%
Percentage of attacks with extortion
Threat actors sought to extort money from victims in more than one-
Key stats quarter of all incidents to which X-Force responded in 2022. The
tactics they use have evolved in the last decade, a trend expected to
continue as threat actors more aggressively seek profits.
21%
Share of incidents that saw
backdoors deployed
Deployment of backdoors was the top action on objective last year,
occurring in more than one in five reported incidents worldwide.
Successful intervention by defenders likely prevented threat actors
from fulfilling further objectives that may have included ransomware.
17%
Ransomware’s share of attacks
Even amid a chaotic year for some of the most prolific ransomware
syndicates, ransomware was the second most common action on
objective, following closely behind backdoor deployments and
continuing to disrupt organizations’ operations. Ransomware’s share
of incidents declined from 21% in 2021 to 17% in 2022.

03 Key stats
41% 100% 52%

Percentage of incidents involving phishing Increase in the number of thread Drop in reported phishing kits seeking
for initial access hijacking attempts per month credit card data
Phishing operations continued to be the top There were twice as many thread hijacking Almost every phishing kit analyzed in the
pathway to compromise in 2022, with 41% attempts per month in 2022, compared to data sought to gather names at 98% and
of incidents remediated by X-Force using 2021 data. Spam email leading to Emotet, email addresses at 73%, followed by home
this technique to gain initial access. Qakbot and IcedID made heavy use of addresses at 66% and passwords at 58%.
thread hijacking. Credit card information, targeted 61%
of the time in 2021, fell out of favor for
threat actors—data shows it was sought
in only 29% of phishing kits in 2022,
a 52% decline.
62% 26% 31%

Percentage of phishing attacks using Share of 2022 vulnerabilities with Share of global attacks that targeted the
spear phishing attachments known exploits Asia-Pacific region
Attackers preferred weaponized Twenty-six percent of 2022’s vulnerabilities Asia-Pacific retained the top spot as the
attachments, deployed by themselves or had known exploits. According to data that most-attacked region in 2022, accounting
in combination with links or spear phishing X-Force has tracked since the early 1990s, for 31% of all incidents. This statistic
via service. that proportion has been dropping in recent represents a five percentage point increase
years, showcasing the benefit of a well- from the total share of attacks to which
maintained patch management process. X-Force responded in the region in 2021.

04
Top initial access vectors

Top initial
Top initial access
access vectors
vectors 2022
Top initial access vectors 2022
In 2022, X-Force moved from tracking Exploit public-facing application

26%
initial access vectors as broader categories,
such as phishing and stolen credentials, to Phishing - Spear phishing attachment
the initial access techniques listed within 25%
the MITRE ATT&CK Matrix for Enterprise
Phishing - Spear phishing link
framework. This shift allows X-Force to 14%
track important trends more granularly at
the technique level. It also provides more External remote services
12%
readily consumable and cross-comparable
data and aligns with the broader industry’s Valid accounts - Local
standardization efforts. 7%
Valid accounts - Domain

5%
Hardware additions
3%
Valid accounts - Default

2%
Phishing - Spear phishing via service

2%
Valid accounts - Cloud

2%
Figure 1: Top initial access vectors X-Force observed in 2022. Source: X-Force

04 Top initial access vectors
Phishing
Phishing (T1566), whether through Across 2022’s penetration tests for clients, This correlates to what past Threat
Phishing type seen as % of total attachment, link or as a service, remains X-Force Red found that approximately 54% Intelligence Index reports referred to as
phishing cases the lead infection vector, which comprised of tests revealed improper authentication “vulnerability exploitation” and marks a
41% of all incidents remediated by X-Force or handling of credentials. The X-Force drop from 34% in 2021.
in 2022. This percentage holds steady from Red Adversary Simulation team regularly
5% 2021 after having increased from 33% in performed spear phishing with QR codes In third place, abuse of valid accounts
2020. Looking at all phishing incidents, targeting multifactor authentication (MFA) (T1078) was identified in 16% of the
spear phishing attachments (T1566.001) tokens. Many organizations lacked visibility observed incidents. These are cases
33% were used in 62% of those attacks, spear into applications and endpoints exposed where adversaries obtained and abused
62%
phishing links (T1566.002) in 33% and through identity access management and credentials of existing accounts as a means
spear phishing as a service (T1566.003) in single sign-on (SSO) portals, such as Okta. of gaining access. These incidents included
5%. X-Force also witnessed threat actors cloud accounts (T1078.004) and default
use attachments alongside phishing as a In second place, exploitation of public- accounts (T1078.001) at 2% each, domain
service or links in some instances. facing applications (T1190)—defined accounts (T1078.002) at 5%, and local
as adversaries taking advantage of a accounts (T1078.003) at 7%.
Phishing Link Attachment IBM X-Force Red data from 2022 further weakness in an internet-facing computer
via service
highlights the value of phishing and or program—was identified in 26% of
mishandled credentials to threat actors. incidents to which X-Force responded.
Figure 2: Types of phishing subtechniques as a

percentage of total phishing cases observed by
X-Force in 2022. Source: X-Force

Phishing kits lasting longer, targeting

PII over credit card data
Credit card information IBM Security analyzed thousands of – Approximately half of all reported kits – Credit card information dropped
phishing kits from around the world for the impacted 93 users, whereas in 2021, significantly from being targeted 61%
dropped significantly from
second year in a row and discovered kit each deployment on average had no of the time in 2021 to 29% of phishing
being targeted 61% of the deployments are operational longer and greater than 75 potential victims. kits in 2022.
time in 2021 to 29% of reaching more users. The data indicates
that the lifespan of phishing kits observed – The maximum total victims of one – Lower instances of phishing kits seeking
phishing kits in 2022. has more than doubled year over year, reported phishing attack was just over credit card data indicate that phishers
while the median deployment across 4,000, although this was an outlier. are prioritizing personally identifiable
the data set remained relatively low at information (PII), which allows them
3.7 days. – Almost every reported phishing kit broader and more nefarious options.
analyzed sought to gather names at 98%. PII can either be gathered and sold
Overall, the shortest deployment lasted This was followed by email addresses on the dark web or other forums or
minutes and the longest, discovered in at 73%, home addresses at 66% and used to conduct further operations
2022, ran longer than three years. Our passwords at 58%. against targets.
investigation found the following:
– One-third of deployed kits lasted

approximately 2.3 days last year, more
than double the length of the year prior
when the same proportion lasted no
longer than one day.

Top spoofed brands
The top brands observed being spoofed Stolen credentials for such services are Top spoofed brands year over year
are made up mostly of the biggest names valuable. Gaining access to accounts that
in tech. X-Force believes this shift from victims use to manage entire portions of
2022 2021
2021’s somewhat more diverse list is their online presence can open the door for
due to improved ability to identify the access to other accounts. Attackers’ focus
1 Microsoft Microsoft
brands that a kit is configured to spoof, on this form of initial access is highlighted
not just the one it’s targeting by default. in the 2022 Cloud Threat Landscape
2 Google Apple
Many phishing kits are multipurpose, and Report, which found a more than threefold
the brand being spoofed can be changed increase at 200% of the number of cloud
3 Yahoo Google
by altering a simple parameter. For accounts being advertised for sale on the
example, a kit can spoof Gmail by default, dark web over what was observed in 2021.
4 Facebook BMO Harris Bank
but a one-line update changes it into an
attack spoofing Microsoft.
5 Outlook Chase
6 Apple Amazon
7 Adobe Dropbox Figure 3: This chart identifies the

top spoofed brands in 2021 and
8 AOL DHL 2022, demonstrating that threat
actors are increasingly focusing
on large technology brands.
9 PayPal CNN Source: IBM phishing kit data
10 Office365 Hotmail

Vulnerabilities
Vulnerability exploitation—captured for Adversary Simulation Services pursued Almost 30 years ago and predating the
Share of incidents resulting from 2022 as exploitation of public-facing to keep simulating advanced threats. advent of the Common Vulnerabilities
vulnerability exploitation over the applications (T1190)—placed second The team increased its focus on and Exposures (CVE) system, X-Force
last four years among top infection vectors and has been vulnerability research for exploitation of began building a robust vulnerability
a preferred method of compromise by operating systems (OS) and applications database. This database is now one of the
attackers since 2019. Vulnerabilities were to expand access and perform privilege most comprehensive in the cybersecurity
2022
26% exploited in 26% of attacks that X-Force escalation. This focus was largely due to industry. While vulnerabilities are a major
remediated in 2022, 34% in 2021, 35% in past exercises with long-standing clients risk to security, there are far more reported
2021 2020 and 30% in 2019. who have hardened traditional Active vulnerabilities than there are known
34%
Directory attack paths and the need to weaponized exploits. Further, despite
2020 Not every vulnerability exploited by pursue new attack paths. public attention on zero days, the actual
35% threat actors results in a cyber incident. number of known zero days is dwarfed by
The number of incidents resulting While vulnerabilities are a common initial the total number of known vulnerabilities.
2019
30% from vulnerability exploitation in 2022 access vector, and the industry responds
decreased 19% from 2021, after rising to several major ones in any given year,
34% from 2020. X-Force assessed that not every vulnerability is the same. It’s
this swing was driven by the widespread important for decision makers to take a
Log4J vulnerability at the end of 2021. full view of the vulnerability landscape and
ensure they’re equipped with the necessary
Exploitation for access is a key area of context to understand the real threat a
research that the team at X-Force Red given vulnerability poses to their networks.

Every year sees a new record number decline. First, the establishment of formal
Total X-Force database of vulnerabilities versus exploits of vulnerabilities discovered. The total bug bounty programs has incentivized
number of vulnerabilities tracked in 2022 the proactive discovery of vulnerabilities
was 23,964 compared to 21,518 in 2021. within applications. Additionally, a handful
30,000 The trend of year-to-year vulnerability of widely popular and well-established
23,964 increases has persisted over the last vulnerabilities exist that already serve as a
25,000 21,518
19,391
decade. To the benefit of defenders, means of system exploitation for attackers,
17,923 18,115
20,000 analysis of our vulnerability database reducing the need for threat actors to
showed the proportion of known, viable develop new exploits. The drop is likely due
15,000
exploits to reported vulnerabilities to a combination of multiple factors but
10,000
6,505
decreasing in recent years—36% in 2018, doesn’t point to vulnerability exploitation
6,090 5,479 5,716 6,290
34% in 2019, 28% in 2020, 27% in 2021 becoming less of a threat.
5,000
and 26% in 2022.
0 While the proportion of exploits to
2018 2019 2020 2021 2022 These numbers can shift with the exposure vulnerabilities drops, the severity of those
of zero days and exploits being developed exploits X-Force tracks has increased
Sum of total exploits Sum of total vulnerabilities for older vulnerabilities—sometimes years in the last five years. In 2018, 58% of
after they’re identified—and there are vulnerabilities had a Common Vulnerability
several potential explanations behind this Scoring System (CVSS) score of medium,
Figure 4: X-Force vulnerability database view showing
vulnerabilities and exploits over the past five years.
Source: X-Force

4.0-6.9 out of 10, compared to just under how exploitation is accomplished or if an

CVSS scores of vulnerabilities in X-Force database 36% high, 7.0-9.9. The spread between exploit even exists. However, the scores
those two inverted in 2021, and high do help defenders compare vulnerabilities
severity vulnerabilities now account for five and prioritize how quickly to address them.
58%
55%
percentage points more than those that The Figure 6 graphic on the following page
49% 49% scored medium. helps to put into perspective the true
47% 46% 47%
42% nature of the vulnerability problem facing
36% 38% Still, of all the vulnerabilities X-Force has the cybersecurity industry.
tracked since 1988, 38% of them rank high,
with only 1% coming in at the critical score
of 10. Half of tracked vulnerabilities rank
6% 6%
4% 4% 4% medium with the remaining 11% coming in
0.4% 0.4% 0.4% 0.5% 0.6% at low, 3.9 and below. These scores alone
2018 2019 2020 2021 2022 don’t correlate to the real-world severity of
any one CVE, since it doesn’t account for
Critical High Medium Low
Figure 5: X-Force vulnerability database showing

severity of vulnerabilities tracked in our system.
Source: X-Force

Operational technology (OT)

vulnerabilities The vulnerability problem
300,000
Industrial control systems (ICS) 2021
280,000
2017 Log4J
vulnerabilities discovered in 2022 Cumlative vulnerabilities, exploits and EternalBlue Wreck Sudo
260,000 zero days since 1988
decreased for the first time in two
2018
years—457 in 2022 compared to 715 in 240,000 Category Number % 2013 Spectre
2022
Follina
2021 and 472 in 2020. One explanation 220,000 Total vulnerabilities 228,167 N/A
Breach Meltdown Proxy
for this may be found in ICS lifecycles 2003
200,000 2014 NotShell
Total exploited 78,156 34% Metasploit created 2019
and how they’re generally managed and vulnerabilities Heartbleed Spring4Shell
180,000 BlueKeep SynLapse
patched. Attackers know that with 2004 Poodle
160,000 Total unexploited 150,011 66% Shellshock
demand for minimal downtime, Exploit DB created 2020
vulnerabilities
Sunburst
long equipment lifecycles and older, 140,000
Total zero days 7,327 3% 2008 2015 Supernova
less-supported software, many ICS 120,000 1993 Conficker Freak Zerologon
Critical 2,746 1% XFDB precursor
components and OT networks are still 100,000
High 86,595 38% 2011 2016
at risk of older vulnerabilities. 80,000 1997 Beast Sweet32
Infrastructure is usually in place for Medium 114,480 50% XFDB (ISS) founded
60,000
many years longer than standard office Low 24,274 11% 2012
40,000 1999 Crime
workstations, which extends the lifespan CVE founded
of ICS-specific vulnerabilities beyond 20,000
those that can exploit IT. 0

0
8
98
9 9 91 992 993 994 995 996 997 998 999 000 001 002 003 004 005 06 007 008 09 010 011 012 013 014 015 016 017 018 019 020 021 022
1 98 1 19 1 9 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 0 2 2 2 0 2 2 2 2 2 2 2 2 2 2 2 2 2
Vulnerabilities Weaponized exploits Zero day
Figure 6: Graphic showing the growth of vulnerabilities, exploits and zero days since 1988. Also
included is a timeline of major event involving vulnerabilities since 1993. XFDB stands for X-Force
Database and Exploit DB stands for Exploit Database. Source: X-Force

05
Top actions on objectives

Top actions on objectives 2022
Previously, the X-Force Threat Intelligence

Index examined the broad category of top
attacks. For 2022, X-Force dissected this
classification into two distinct categories:
the specific actions threat actors took on
victim networks, or adversary action on
objective, and the intended or realized
effect of that action on the victim,
or impact. 21%
Malware -
17%
Backdoors
According to X-Force Incident Response
data, deployment of backdoors was
the most common action on objective,
occurring in 21% of all reported incidents.
Malware -
Ransomware
5% 5%
Server Spam
This was followed by ransomware at 17% access campaign
and business email compromise (BEC) at
6%. Malicious documents (maldocs),
spam campaigns, remote access tools
and server access were discovered in 5%
of cases each.
6% 5% 5%
Business email Tool - Remote Malware -
compromise (BEC) access Maldoc
Figure 7: Top actions on objectives observed by X-Force in 2022. Source: X-Force

05 Top actions on objectives
In cases where a backdoor deployment establish access themselves may also

Distribution of Emotet cases across 2022 was classified as an action on objective, seek backdoors.
it’s probable that the threat actor had
additional plans when the backdoor was Initial access brokers typically attempt to
70%
62% operationalized. Successful intervention by auction their accesses, which X-Force has
60% security teams or incident responders likely seen at USD 5,000-10,000, though final
50%
prevented the threat actor from fulfilling prices may be less. Others have reported
further objectives. Such further malicious accesses selling for USD 2,000-4,000, with
40%
activity would likely have included one reaching USD 50,000. These amounts
30% ransomware, as about two-thirds of those compare to the significantly lower price
23% backdoor cases had the markings of a for something like a single credit card,
20%
ransomware attack. seen offered for under USD 10.
8% 8%
10%
Increased backdoor deployment may also Backdoors led to a notable spike in
0
be due to the amount of money this kind Emotet cases in February and March.
of access can generate on the dark web. That spike inflated the ranking of backdoor
Compromised corporate network access cases significantly, as those deployed
from an initial access broker typically sells in this timeframe account for 47% of all
Figure 8: Graph showing spike in Emotet cases in early for several thousands of US dollars. This backdoors identified globally throughout
2022. Source: X-Force
type of access may be sought by malicious 2022. Following Emotet’s hiatus from July
actors looking to make a quick profit by through November—after which it ramped
avoiding issues with maintaining access back up for nearly two weeks at much
while moving laterally and exfiltrating high- lower volume—the number of backdoor
value data. Those malicious actors who cases dropped significantly.
lack access to the requisite malware to

Ransomware Ransomware variants
Even amid a chaotic year for some of the One particularly damaging way ransomware As ransomware groups and related access
Ransomware attack average duration most prolific ransomware syndicates, operators distribute their payload brokers come and go, X-Force has seen
ransomware was the second most across a network is by compromising regular churn in the top groups active
common action on objective, following domain controllers. A small percentage, in this space. X-Force encountered 19
2019 2021
closely behind backdoor deployments approximately 4%, of network penetration ransomware variants in 2022, compared
2+ months 3+ days and continuing to disrupt organizations’ test findings by X-Force Red revealed to 16 in 2021. LockBit variants comprised
operations. Ransomware’s share of entities that had misconfigurations in 17% of total ransomware incidents
incidents declined from 21% in 2021 Active Directory that could leave them observed, up from 7% in 2021. Phobos
to 17% in 2022. open to privilege escalation or total domain tied with WannaCry for second at 11%.
takeover. In 2022, X-Force also observed The top groups in 2022 displaced 2021’s
An IBM Security X-Force study revealed more aggressive ransomware attacks on first place REvil, also known as Sodinokibi,
there was a 94% reduction in the average underlying infrastructure, such as ESXi with 37% of cases in 2021, and second
time for the deployment of ransomware and Hyper-V. The potentially high impact place Ryuk with 13%, both down to 3%.
attacks. What took attackers over two of these attack methods underscores the
months in 2019 took just under four days importance of securing domain controllers LockBit 3.0 is the latest variant of the
in 2021. With attackers moving faster, and hypervisors properly. LockBit ransomware family that’s part
organizations must take a proactive, of a ransomware-as-a-service (RaaS)
threat-driven approach to cybersecurity. operation associated with LockerGoga and
MegaCortex. LockBit has been in operation
since September 2019, and LockBit 3.0
was released in 2022. A significant portion
of the LockBit 3.0 source code appears
to have been borrowed from the
BlackMatter ransomware.

Business email compromise (BEC)
Researchers first discovered Phobos BEC held its rank of third in 2022 with 6%
2022 ransomware variants and frequency ransomware in early 2019. Based on of incidents to which X-Force responded.
similarities in code, delivery mechanisms, This rank is slightly lower than 8% of
LockBit
exploitation techniques and ransom notes, attacks in 2021 and 9% for fifth place in
17%
Phobos 11% Phobos was identified as a fork of the 2020. It displaced 2021’s second place
WannaCry 11% previously known ransomware families attack, which was server access attacks.
BlackCat 9% Crysis and Dharma. Phobos has been This type of attack occurs when an attacker
Conti 6%
Djvu 6% commonly used for smaller-scale attacks, gains access to a server for unknown end
Babuk 6% which involve lower ransom demands. goals—which in 2022 was more granularly
5x2tr 3% Email phishing campaigns and exploitation classified by what type of access those
REvil 3%
Hive 3%
of vulnerable Remote Desktop Protocol actors achieved. Spear phishing links
Vice Society 3% (RDP) ports are the main distribution were used in half of BEC cases to which
DefrayX 3% methods observed for Phobos. X-Force responded. Malicious attachments
Makop 3%
MedusaLocker 3%
and abuse of valid accounts were used to
Venom 3% WannaCry, first seen in 2017, spreads enable BEC attempts in 25% of cases each.
Ryuk 3% itself by using EternalBlue to exploit
Cat4er 3%
Venus
the vulnerability in the Microsoft Server
3%
Lizard 3% Message Block 1.0 (SMBv1) server (MS17-
010). Several cases of WannaCry or Ryuk
that X-Force saw in 2022 were the result of
infections from three to five years ago and
Figure 9: Ransomware variants and the frequency occurred on old, unpatched equipment,
with which they were observed in X-Force Incident highlighting the importance of proper
Response engagements in 2022. Source: X-Force cleanup after such events.

06
Top impacts
Top impacts 2022
X-Force also took a closer look at the

effect of incidents on victim organizations
to better understand the impact that 21%
threat actors sought to have through the Extortion
incidents to which X-Force responded. With
this information, organizations can get a
better understanding of the most common
impacts to plan responses to potential
future incidents more effectively. 19%
Data theft
11%
The analysis found that more than one
in four incidents aimed to extort victim
organizations—making it the top impact Credential
observed across incidents remediated by harvesting
X-Force. The observed extortion cases
were most frequently achieved through
ransomware or BEC, and often included the
use of remote access tools, cryptominers,
backdoors, downloaders and web shells.
9%
11% Brand
reputation
Data leak
Figure 10: Top impacts X-Force observed in incident
response engagements in 2022. Source: X-Force

06 Top impacts
Data theft came in second and accounted

Percentage of extortion cases by industry 2022 for 19% of all incidents that X-Force
remediated. Credential harvesting that
Manufacturing 30% led to stolen usernames and passwords
and required corresponding mitigations
PBC services 22%
accounted for 11%. Incidents where
Energy 13% X-Force could identify targeted information
actually leaked after being stolen was less
Finance & insurance 13% common than the theft of data at 11%.
Retail & wholesale
Impacts to brand reputation, such as
9%
disruption to the services clients provide
Media & telecom 4% to their customers, accounted for 9% of
incidents. See Appendix for the full list of
Education 4%
impacts X-Force tracked. Incidents that
Transportation 4% impacted victims’ brand reputation were
mainly distributed denial of service
(DDoS) attacks, which are also frequently
used to extort victims to pay money to
Figure 11: The percentage of extortion cases by
stop the attack.
industry X-Force observed in incident response
engagements in 2022. Numbers do not add to 100%
due to rounding. Source: X-Force

06 Top impacts
Extortion
While extortion is most commonly with enhanced or novel downstream victim

Notable developments in online extortion1-9 associated with ransomware today, notification to increase the potential legal
extortion campaigns have included a and reputational costs of an intrusion.
variety of methods to apply pressure on
Year Event Tactic
their targets. These include DDoS threats, Often, both defenders and victims of
encrypting data and, more recently, double cyberattacks focus on the observed
2013 Cryptolocker—one of the Data encryption
and triple extortion threats combining impacts to an organization by threat actors.
first major ransomware
several previously seen elements. However, it’s important to consider the
outbreaks
intentions of threat actors, their capabilities
Another tactic that at least one and how they evolve over time. This
2014 DDoS 4 Bitcoin, Ransom DDoS
ransomware group experimented with approach enables better discernment of
Armada Collective
starting in 2022 was making the data they what the next evolution of capabilities
had stolen more accessible to downstream may be. Given the ever-expanding menu
2015 Chimera ransomware Double extortion
victims. By making it easier for secondhand of extortion options and ransomware
adds threat of leaking
victims to identify their data among a actors’ primary goal of financial gain, the
stolen data online
data leak, operators seek to increase the X-Force team assesses that threat actors
subsequent pressure on the organization will continue to evolve and expand their
2017–18 BitPaymer and SamSam Big game hunting
targeted by the ransomware group or extortion methodologies to find new ways
affiliate in the first place. In 2023, X-Force to pressure victims into paying.
2020 Vastaamo ransomware Triple extortion
expects to see threat actors experimenting
case

07
Cyber-related developments
of Russia’s war in Ukraine
Russian state-sponsored cyber activity cyber operations and related disruptions
following Russia’s invasion of Ukraine in Ukraine and elsewhere. X-Force
has not, as of this publication, resulted in assessed the most significant threats
the widespread and high-impact attacks that have emerged include the return of
originally feared by Western government hacktivism and wiper malware, as well
entities. However, Russia has deployed as significant shifts in the cybercriminal
an unprecedented number of wipers world. Most of these operations victimized
against targets in Ukraine, highlighting entities centered in Ukraine, Russia and
its continued investment in destructive neighboring countries, but some have
malware capabilities. Furthermore, the spread to other areas, as well.
invasion has led to the resurgence of
hacktivist activity undertaken by groups Alternatively, defenders are adeptly
sympathetic to either side, as well as employing the strides made in detection,
a reordering of the Eastern European response and information sharing that were
cybercriminal landscape. developed over the last several years. Many
of the early attempted wiper attacks were
Considering Russia’s demonstrated quickly identified, analyzed and publicized.
advanced capabilities for cyberattacks These attacks include at least eight
against critical infrastructure since 2015, identified wipers and the discovery and
international cybersecurity agencies disruption of a planned Russian cyberattack
issued a warning in April 2022. The on Ukraine's electric grid in April 2022.
warning mentioned potentially significant

07 Cyber-related developments
of Russia's war in Ukraine
Timeline of select hacktivist events 2022
Mar. 18th
NB65 claims hack May. 21th
of Russian space Sep. 6th
In cyberspace, the most widely-felt agency Roscosmos
Anonymous
Killnet starts
Feb. 24th declares cyberwar
effects of the ongoing war come from self- Russia invades on Killnet
DDoSing
Japanese networks
proclaimed hacktivist groups operating in Ukraine
support of Ukrainian or Russian national Jul. 6th
Apr. 29th
interests. While many groups have formed Feb. 26th May. 31th Killnet starts Nov.22th
Killnet starts
since Russia’s invasion and are operating Ukrainian
DDoSing Romanian NB65 threatens
DDoSing
Killnet targets
government Latvian networks
Serbian government
against both Russian and Ukrainian announces
networks UK’s Royal
with hacks Family
networks to make political points, Killnet is creation of IT army
one of the most prolific Russia-sympathetic

groups. It has claimed DDoS attacks
against public services, government
FEB. MAR. APR. MAY. JUN. JUL. AUG. SEP. OCT. NOV.
ministries, airports, banks and energy
companies based in North Atlantic Treaty May. 30th
Feb. 24th
Organization (NATO) member states, allied Anonymous Killnet threatens
countries in Europe, as well as in Japan and announces it's in attacks on Italy Aug. 11th
cyberwar against that last Killnet continues
the United States. Entities that fit Killnet's Russian government several days DDoSes against Oct. 5th
Mar. 17th
targeting profile should consider ensuring Jun. 20th Latvian Parliament Killnet starts
Anonymous claims Killnet starts DDoSing
that DDoS mitigation measures are in place, hack of R&D firm
May. 11th
DDoSing Lithuanian US networks
Killnet starts
such as engaging the services of a associated with
targeting
networks for about
Russian oil pipeline 10 days
third-party DDoS mitigation provider. giant Transneft Italian networks
Figure 12: Image showing hacktivist events observed to date during the conflict in Ukraine.
Source: X-Force analysis of open source reporting

Wipers featured in Russia's

war in Ukraine
Russia’s war in Ukraine stands out for the against a limited set of targets. However,
use of multiple wiper families deployed the notable exceptions of WannaCry and
against multiple targets in rapid succession NotPetya, which spread indiscriminately
and on a scale not previously seen, as well after impacting their initial victims, raise
as the use of malware alongside kinetic concerns of such wipers either spreading
military operations. more widely or being repurposed for
malicious operations elsewhere.
These deployments include at least nine
new wipers—AcidRain, WhisperGate, X-Force continues to assess that Russian
HermeticWiper, IsaacWiper, CaddyWiper, state-sponsored cyberthreat actors still
DoubleZero, AwfulShred, OrcShred pose significant threats to computer
and SoloShred. These wipers were networks and critical infrastructure around
predominantly used against Ukrainian the world. This judgment is based on
networks from before the initial invasion longstanding Russian cyberoperations
through the early stages of the war, mainly aimed at Ukrainian, European, NATO
January through March 2022. While and US networks and attack operations
wipers have been used in the past, they executed by Russian threat groups
have been mostly stand-alone campaigns since 2015.

Upheaval among Russian

cybercrime groups
2022 was a tumultuous year for ITG23— Additionally, the group has seemingly The group also released a new version of
one of the most prominent Russian retired two of their most high-profile their Anchor malware, a stealthy backdoor
cybercriminal syndicates primarily known malware families, Trickbot and Bazar, that the group had traditionally deployed
for developing the Trickbot banking Trojan and shut down their Conti ransomware against high-profile targets. The upgraded
and Conti ransomware. The group suffered operation. Various reports have suggested version discovered by X-Force, and named
a series of high-profile leaks in early 2022, that a significant reshuffling of personnel AnchorMail, has a novel email-based
after publicly backing Russia’s involvement may be occurring, with the group splitting command and control (C2) communication
in the war. Referred to as the ContiLeaks into several factions and some members mechanism. The C2 server uses the
and TrickLeaks, they resulted in the moving on entirely. Simple Mail Transfer Protocol Secure
publication of thousands of chat messages (SMTPS) and Internet Message Access
and the doxing of numerous group The shutdown of Trickbot and Bazar, which Protocol Secure (IMAPS) protocols, and
members. X-Force uncovered evidence accounted for a significant number of the malware communicates with the server
indicating that ITG23 began systematically infections in 2021, resulted in a void that by sending and receiving specially crafted
attacking in mid-April through at least has been quickly filled by malware families email messages.
mid-June of 2022—an unprecedented such as Emotet, IcedID, Qakbot and
shift, as the group had not previously Bumblebee. Prior to its shutdown, ITG23
targeted Ukraine. was still deploying Conti ransomware
prolifically, accounting for a third of all
ransomware engagements to which
X-Force responded in the first quarter
of 2022.

08
The malware landscape

Increase in USB-spreading worms
After X-Force observed Raspberry Robin The spread of USB-based worms is enabled
infection attempts impacting organizations through social engineering and requires
in mid-May 2022, the enigmatic worm some physical access to a network or
began spreading quickly within victims’ endpoint to infect successfully, whether
networks from users sharing Universal by a legitimate user or some other means.
Serial Bus (USB) devices. The infections X-Force advises ensuring your security
spiked in early June, and by early August tools block known USB-based malware,
Raspberry Robin peaked at 17% of implementing security awareness training
infection attempts that X-Force observed. and disabling autorun features for any
This peak was identified in the oil and removable media. In especially sensitive
gas, manufacturing and transportation environments, such as OT or where air gaps
industries. The 17% infection attempt exist, it’s safest to simply prohibit the use
rate in these industries is significant, since of USB flash drives entirely. If it’s necessary
less than 1% of X-Force clients in total to allow them, strictly control the approved
have seen the same strain of malware. number of portable devices for use in your
X-Force also observed more Raspberry environment in addition to implementing
Robin activity from September through the previous suggestions.
November 2022.

08 The malware landscape
Rust rises Vidar InfoStealer
The Rust Programming Language steadily X-Force noted a sudden influx of Vidar This database can then be sold on the
increased in popularity among malware InfoStealer malware which began in June dark web or through the private messaging
developers during 2022, thanks to its 2022 and continued through early 2023. app, Telegram. Threat actors may use the
cross-platform support and low antivirus First observed in 2018, Vidar is a malicious information to commit various types of
detection rates compared to other, more information-stealer Trojan, distributed as fraud, such as applying for bank loans or
common languages. Similar to the Go malware as a service (MaaS). The Trojan credit cards, purchasing items online or
language, it also benefits from a more is usually executed by users clicking making fraudulent health insurance claims.
convoluted compilation process that can on malicious spam (malspam) links or
make the malware more time-consuming attachments. Due to its extensive feature Threat actors can use compromised login
to analyze for reverse engineers. Several set, Vidar can be used to retrieve a wide credentials to gain entry to corporate
ransomware developers have released variety of device information that includes accounts and remote services. The average
Rust versions of their malware, including credit card information, usernames, cost to use an info stealer is approximately
BlackCat, Hive, Zeon and most recently passwords and files, as well as taking USD 250 per month, and it’s up to the users
RansomExx. Additionally, X-Force has screenshots of the user’s desktop. Vidar to deploy the malware of their choice.
analyzed an ITG23 crypter written in can also steal Bitcoin and Ethereum X-Force regularly sees marketplaces
Rust, along with the CargoBay family of cryptocurrency wallets. attempting to sell access captured by info
backdoors and downloaders. The rising stealer malware for USD 10-75. When
popularity of Rust highlights a continued Attacks through an information stealer access has been obtained, threat actors
focus across the ransomware ecosystem on (info stealer) are typically financially can easily use the hacked account’s
innovating to evade detection. motivated. The stolen data is analyzed, and privileges as a starting point to initiate
any valuable information is collated and further malicious activity.
organized into a database.

Evolution of malware delivery

mechanisms
It has become increasingly commonplace within Microsoft Excel known as Macro Office documents, but sophisticated
for malware to be delivered through 4.0. Malicious Excel documents have been groups adopted a more intricate and
malicious Microsoft Office documents, used for quite some time. However, most complex infection chain. These newer
usually attached to phishing emails. security mechanisms were built around tactics involve a combination of HTML
Malware developers created these VBA macros within an Excel document. For files that have a binary embedded within
documents containing malicious macros a time, Excel Macro 4.0 macros provided a or a password-protected compressed
designed to execute malware when the good means of evading detection. Around file. Those files also contain an ISO image
document is opened. The use of macros this same time, some threat actors began which may contain a LNK file, CMD file or
for this purpose became so widespread sending links within an email to take a other file types unlikely to be sent to an
that Microsoft Office products started victim to a dropper site to download the email recipient or downloaded from the
including security warnings when opening malicious documents rather than sending internet. Others include remote template
macro-enabled documents. In July 2022, them as a mail attachment. As Microsoft injection or exploitation of vulnerabilities.
Microsoft began to block macro execution made changes to allow administrators to CVE-2021-40444, a remote code execution
by default in documents received through disable Macro 4.0 and also block execution vulnerability in Microsoft HTML (MSHTML),
email or from the internet. of macros downloaded from the internet, is one example where a software
threat actors were forced to change component is used to render web pages in
As defenders increased their detection and tactics again. Microsoft Windows to execute the malware,
prevention capabilities, threat actors began rather than relying on macros.
moving away from Visual Basic Application After Microsoft’s changes, many malware
(VBA) to an older existing macro format authors still use macro-enabled Microsoft

Spam data highlights ransomware

threat and further illustrates
macro trends
X-Force analyzed trends in phishing and X-Force identified a surge of Qakbot

Malware10-18 Ransomware
spam email to better understand their activity in September 2022 that used
overall effectiveness and use by threat HTML smuggling to compromise victims.
Trickbot Conti
actors. The investigation found that spam Those infections are linked to extensive
emails have been used regularly throughout post-compromise activity, including
Bazarloader Conti, Diavol
the year to deliver malware, such as reconnaissance, information gathering
Emotet, Qakbot, IcedID and Bumblebee, and deployment of additional payloads.
IcedID Conti, Quantum
which often lead to ransomware infections. Unchecked Qakbot infections throughout
2022 led to multiple Black Basta infections.
Bumblebee Conti, Diavol, Quantum
X-Force saw ransomware attacks claimed
on the Black Basta ransomware group's
Emotet Conti, BlackCat, Quantum
leak site markedly decrease during the
break in Qakbot's phishing activity in the
Qakbot REvil, Conti, Black Basta
summer of 2022. X-Force expects the
resumption of Qakbot activity will similarly
SocGholish LockBit
be correlated with higher numbers of
ransomware victims.
The data in this table covers the period from late
2021 to the publication of this report. Italics indicate
that the malware or ransomware was seen in 2022,
but has not been observed by X-Force as of at least
October 2022.

Circumventing macros
The use of ISO and LNK files has emerged – Another way of getting around macro – Encrypted compressed extensions, which
as an important tactic to infecting victim restrictions is to include payloads directly are more difficult for antivirus software
organizations in response to Microsoft’s in LNK files that, when clicked, launch to detect and flag as malicious, were
macro changes starting in October 2021. arbitrary commands mostly used to discovered more frequently in 2022. The
This tactic includes both direct delivery either download or load the next stages. average number of spam emails with
of their payloads through those container Prior to early 2022, there was only one such attachments delivered per week
files, as well as obfuscating macro-enabled campaign in February 2021 that used increased ninefold in 2022, compared to
files within them. this tactic. X-Force first saw it recurring in 2021 data since April of that year.
late February-March 2022 and now sees
– ISO files and compressed files are being it regularly. – Thread hijacking, in which threat actors
used to circumvent the mark of the web insert themselves into existing email
(MOTW) attribute that Microsoft is using Additional trends that X-Force detected in threads, is a longstanding tactic used
to help targets enable malicious macros. threat actors’ spam campaigns include the to increase spam legitimacy and more
While the ISO or compressed files will increased use of encrypted compressed effectively entice victims to engage. This
look to be downloaded from the internet, archives as attachments and thread tactic saw a marked rise in 2022—when
the macro-enabled attachment within hijacking, as explained here. compared to the majority of 2021—and
it will not, allowing threat actors to tapered off by the spring, a trend that
continue this attack. X-Force assesses is driven in large part
by Emotet spamming.

– Emotet returned in November 2021 after – Spam email leading to Emotet, Qakbot
Thread hijacking spam email activity April 2021 – December 2022 the botnet was disrupted in January and IcedID made heavy use of thread
2021. It continued activity into 2022, hijacking. Emotet’s return in November
took a nearly four-month break starting 2021 contributed to the unsteady
mid-July, and returned for nearly two increase through May 2022. The overall
10.3% weeks in November 2022. decline in the latter half of the year
aligns with Emotet’s hiatus from July
7.8% 8% – The data showed just about twice as through October and brief return in
6.8% 7.2%
6%
many regular attempts per month in November 2022.
5.5% 5.5%
4.7% 4.7%
2022 compared to available data since
4.6%
3.5% 3.8% 4.1% April 2021. Thread hijacking was on an – Tracking thread hijacking and accurately
2.9% 2.9% 2.8% 2.7% 3% unsteady incline through May 2022, and distinguishing it from instances of actors
2%
1.2% its decline in the latter half of the year simply adding a reply subject line header
aligns roughly with Emotet’s inactivity. to a spam email is difficult and likely to
become more so. For example, some
Q2 Q3 Q4 Q1 Q2 Q3 Q4 threat actors have started to remove
“Re:” subject line headers, likely because
2021 2022 they are aware that these headers can be
used to track their activity.
Figure 13: Figures show percentage by month of total

thread hijacking attempts detected in X-Force data
since April 2021. Source: X-Force

09
Threats to OT and industrial

control systems Threats to operational technology
2022 saw the discovery of two new OT- Alerts indicating probable brute force
specific pieces of malware, Industroyer2 attempts were most common among
and INCONTROLLER, also known as Incident Command System (ICS)-specific
PIPEDREAM, and the disclosure of many network attack data, followed closely
OT vulnerabilities called OT:ICEFALL. The by weak encryption alerts. The most
OT cyberthreat landscape is expanding common alerts for weak encryption
dramatically, and OT asset owners and concerned the continued use of Transport
operators need to be keenly aware of the Layer Security (TLS) 1.0, an outdated and
shifting landscape. insecure encryption method deprecated in
March 2021. Though the US government
X-Force looked more closely at OT- recommends reconfiguration to use TLS 1.2
specific network attack and IR data to or 1.3, National Institute of Standards and
help derive insights on how threat actors Technology (NIST) guidelines address in
are seeking to compromise clients in OT- more depth the common reality. This reality
related industries. Network attack data is that older systems may need to continue
shows brute force attacks, use of weak and using weaker versions of encryption to
outdated encryption standards and weak ensure continued functionality. Weak or
or default passwords are common alerts in default password alerts were also notable,
these industries’ IT and OT environments. especially given these are basic

09 Threats to OT and industrial
control systems
Manufacturing continues to be the

most targeted OT industry
vulnerabilities that make brute force The second most common vulnerability, Looking at the subset of incidents in
attacks easier for attackers. Widespread however, dates back to 2016—a filter OT-related industries, manufacturing was
and likely indiscriminate internal and bypass vulnerability in the Trihedral the most attacked in 2022, according
external vulnerability scanning was the VTScada application, CVE-2016-4510, to the data. The industry was victimized
most common attack attempt against that could allow unauthenticated users to in 58% of incidents X-Force assisted in
OT-related industries. The data revealed send HTTP requests to access files. Further remediating. Deployment of backdoors was
that old vulnerabilities and threats are still highlighting the risks of older threats are the top action on objective, identified in
relevant today. A group of vulnerabilities attack types, like WannaCry and Conficker, 28% of cases in the manufacturing sector.
discovered in 2021 by Cisco Talos in which continue to pose significant Ransomware actors in particular find this
Advantech R-SeeNet monitoring software threats to OT. industry to be an attractive target, likely
triggered a slim majority of vulnerability due to these organizations’ low tolerance
scanning alerts across OT industries in for downtime.
2022. These vulnerabilities could allow
attackers to execute arbitrary code
or commands.

09 Threats to OT and industrial
control systems
Looking at initial access vectors across Another major vulnerability exploited in OT

OT industries targeted in 2022 cases in OT-related industries, spear is lack of proper segmentation between
phishing accounted for 38% of cases, OT and IT networks. The team at X-Force
including use of attachments at 22%, Red Adversary Simulation Services
Manufacturing 58% use of links at 14% and spear phishing as a regularly targets weak segmentation to
service at 2%. Exploitation of public-facing gain access to isolated OT environments.
Energy 17%
applications took second place at 24%, These environments include targeting
following the broader industrywide trend. jump servers, dual-homed operator
Oil and gas 10%
Detection of backdoors also led among workstations and reporting servers, such
these industries’ incidents in 20% of cases, as data historians that expose web and SQL
Transportation 10%
followed by ransomware at 19%. Extortion services from OT to corporate IT networks.
Heavy and civil also remains in first among impacts at Properly segmenting these portions of
2%
engineering 29%, with data theft close behind in your networks and closely monitoring
Mining
24% of cases. communication across them can keep
2%
assets safe.
Water utilities 1%
0 10% 20% 30% 40% 50% 60% 70%
Figure 14: Proportion of IR cases by OT-related

industry to which X-Force responded in 2022.
Source: X-Force

10
Geographic trends
Incidents by region 2020 – 2022
For the second year in a row, the Asia-

31% 31%
Pacific region holds the top spot as the
most-attacked region in 2022, accounting 28%
27%
for 31% of the incidents to which X-Force 26%
25% 25%
24%
IR responded. Europe followed closely 23%
behind with 28% of attacks and North
America saw 25% of incidents. Asia-Pacific
and Europe saw higher proportions of
cases, increasing five percentage points
and four percentage points respectively
from 2021 figures, with a significant drop 14%
13%
in the Middle East from 14% to 4%. 12%
9%
8%
4%
Asia-Pacific Europe North America Latin America Middle East
2022 2021 2020
Figure 15: Proportion of IR cases by region to which X-Force responded from 2020-2022. Source: X-Force

10 Geographic trends
#1 | Asia-Pacific
The Asia-Pacific region, specifically Japan, Spear phishing by attachment was the The Asia-Pacific region
was the epicenter of the Emotet spike in top infection vector at 40% across this
saw manufacturing as the
2022. While not directly related to the war region, followed by exploiting public-facing
in Europe, the surge of Emotet cases in applications at 22%. Cases of external top-attacked industry at
Japan occurred alongside Russia’s invasion remote services and spear phishing links 48% of cases.
of Ukraine, which other researchers in the tied for third place at 12%.
cybersecurity community noted helped
drive significant Emotet activity at the Deployments of backdoors were the most
time. Spam campaigns were identified common action on objective in 31% of
across several industries, with most cases in the region. Ransomware placed
cases occurring in manufacturing and second at 13% and maldocs third at
finance and insurance. Emotet is delivered 10%. Extortion was the most common
mainly through spam campaigns that use impact observed in 28% of cases. Impacts
attention-grabbing headlines. to brand reputation was in second place
at 22% and data theft was in third
Manufacturing tops the list of attacked place at 19%.
industries in this region in 48% of cases,
with finance and insurance a distant second Japan accounted for 91% of Asia-Pacific
place at 18%. cases, the Philippines 5%, and Australia,
India and Vietnam each at 1.5%.

#2 | Europe
Europe saw a significant uptick in the links following at 14%, notably down The United Kingdom was
deployment of backdoors starting in March from 42% in 2021. This decrease in spear
the most attacked country
2022, just after Russia invaded Ukraine. phishing links may be a result of better
Deployments of backdoors accounted for user awareness, stronger email security in Europe, accounting for
21% of cases in the region and ransomware defenses or more effective defenses 43% of cases.
11%. Remote access tools were identified catching malware after installation.
in 10% of incidents to which X-Force
responded. Of impacts to clients, 38% of Professional, business and consumer
cases X-Force observed in Europe were services tied with finance and insurance
extortion-related, 17% resulted in data for the most-attacked industry, each
theft and 14% were credential harvesting. ranking 25% of the cases to which X-Force
Europe was the region hardest hit by responded. Manufacturing placed second
extortion, representing 44% of all extortion with 12% of cases, and energy and
cases observed. healthcare tied for third place at 10%.
The exploitation of public-facing The United Kingdom was the most

applications was the top infection vector attacked country in Europe, accounting
used against European organizations, for 43% of cases. Germany accounted for
accounting for 32% of all incidents that 14%, Portugal 9%, Italy 8%, and France
X-Force remediated in the region, several 7%. “X-Force also responded to smaller
of which led to ransomware infections. numbers of cases in Norway, Denmark,
Abuse of valid local accounts came in Switzerland, Austria, Greece, Greenland,
second place at 18%, with spear phishing Spain, and Serbia.

#3 | North America
X-Force observed a slight increase in the at 20%. Ransomware incidents accounted North America’s most
number of incidents in North America, for 23% of cases, a few of which were the
commonly attacked
moving from 23% of all cases in 2021 to result of detections of lingering infections
25% in 2022. of WannaCry or Ryuk dating back to 2018 organizations were energy
or 2019, highlighting the importance of firms at 20% of cases.
Energy firms rose to the top of the victim proper cleanup after such events. In the
list in North America, constituting 20% of region, 12% of cases were botnets, with
all attacks to which X-Force responded backdoors and BEC tying for third place at
in 2022. Manufacturing and the retail- 10% each.
wholesale sector tied for second place
in 14% of cases each. While retail- When looking at the top impact threat
wholesale held a similar position in actors had, credential harvesting took
2021, the numbers for manufacturing the pole position at 25% of incidents that
represented a 50% decline from 2021. X-Force remediated in North America. Data
Professional, business and consumer leak and data theft tied for second place
services took third place in 2022 at 12%, at 17% each, with extortion accounting for
amid a rise in ransomware and other 13% of cases.
malware-related cases.
The United States accounted for 80%
The top identified infection vectors were of the region’s attacks compared to
exploitation of public-facing applications Canada’s 20%.
at 35% and spear phishing attachments

#4 | Latin America
For the purposes of reporting, IBM tied for third place at 11% each. Extortion In Latin America, Brazil
considers Latin America to include Mexico, and data theft were the most commonly
accounted for 67% of cases to
Central America and South America. seen impacts in the region at 27% of cases,
with financial loss at 20%. Data destruction which X-Force responded.
Incidents in Latin America bucked global and leaks tied for third place at 13% of
trends, returning retail-wholesale as the cases each.
most-attacked industry at 28% of cases
that X-Force remediated, and moved up Top initial access vectors included external
from second place in 2021. The finance and remote services at 30% and exploitation of
insurance industry was the second-most public-facing applications at 20%. Drive-
targeted with 24% of cases, followed by by compromise, hardware additions, valid
energy at 20%. domain accounts, valid local accounts and
spear phishing attachments accounted for
Ransomware outstripped other attacks in 10% each.
Latin America, accounting for 32% of cases
to which X-Force responded. Deployment In all the cases that X-Force responded to
of backdoors was the second-most in Latin America, Brazil accounted for 67%,
identified action on objective at 16%, Colombia 17% and Mexico 8%. Peru and
while BEC and email thread hijacking Chile split the remaining 8%.

#5 | Middle East and Africa
For the purpose of reporting, IBM considers other third of the incidents that X-Force The most common attack in
the Middle East and Africa to include the remediated in the Middle East and Africa.
this region was deployment of
Levant, Arabian Peninsula, Egypt, Iran and Finance and insurance was the most-
Iraq, and the entire African continent. targeted industry in the Middle East and backdoors at 27% of cases.
Africa in 2022, accounting for 44% of
Deployment of backdoors was detected in incidents and down slightly from 2021 at
27% of cases to which X-Force responded 48%. Professional, business and consumer
in this region in 2022. Ransomware and services accounted for 22% of attacks, with
worms tied for the second-most common manufacturing and energy tying for third
attack type at 18% each. Extortion and place at 11%.
financial loss each accounted for half of
identified impacts in incidents across the Saudi Arabia comprised two-thirds of
region in 2021. the cases in the region to which X-Force
responded. The remaining cases were split
Spear phishing links were used for between Qatar, United Arab Emirates and
initial access in two-thirds of cases, South Africa.
and removable media accounted for the

11
Industry trends
Share of attacks by industry 2018 – 2022
For the second year in a row, manufacturing Industry 2022 2021 2020 2019 2018
was the top-attacked industry, according
to X-Force incident response data. Finance Manufacturing 24.8% 23.2 17.7 8 10
and insurance lost the top spot by just one
percentage point in 2021—after holding Finance and insurance 18.9% 22.4 23 17 19
the title for five consecutive years—and is
in second place again in 2022 by a larger Professional, business and 14.6% 12.7 8.7 10 12
margin of nearly six percentage points. consumer services
Energy 10.7% 8.2 11.1 6 6
Retail and wholesale 8.7% 7.3 10.2 16 11
Education 7.3% 2.8 4 8 6
Healthcare 5.8% 5.1 6.6 3 6
Government 4.8% 2.8 7.9 8 8
Transportation 3.9% 4 5.1 13 13
Media and telecom 0.5% 2.5 5.7 10 8

11 Industry trends
24.8% #1 | Manufacturing
of X-Force incident response Manufacturing was the top-attacked phishing links and valid default accounts
industry and by a slightly larger margin tied for third place as the initial access in
cases occurred in the
compared to 2021. In 2022, backdoors 10% of cases.
manufacturing sector. were deployed in 28% of incidents, beating
out ransomware, which appeared in 23% Extortion was the leading impact to
of incidents remediated by X-Force. The manufacturing organizations, seen in 32%
percentage of backdoor deployments also of cases. Manufacturers notoriously have
was driven by the Emotet infection spike. little-to-no tolerance for downtime, and
Some of these cases could have led to this intolerance makes extortion a lucrative
ransomware attacks, among other more strategy for attackers. Data theft was the
malicious activity, but they were identified second-most common at 19% of incidents,
early enough to be remediated. followed by data leaks at 16%. The Asia-
Pacific region saw the most incidents in
Spear phishing attachments and manufacturing in approximately 61% of
exploitation of public-facing applications cases. Europe and North America tied for
tied for the top two infection vectors second place at 14%, Latin American at 8%
at 28% each. External remote services and the Middle East and Africa at 4%.
came in second place at 14%, with spear

11 Industry trends
18.9% #2 | Finance and insurance
of X-Force incident response Finance and insurance organizations made followed by ransomware and maldocs at
up less than one in five attacks to which 11% each. The top infection vector was
cases occurred in the finance
X-Force responded in 2022, earning it spear phishing attachments, used in 53%
and insurance sector. second place. This percentage indicated a of attacks against this sector. Exploitation
slight decrease over the past few years as of public-facing applications came in
other industries began to gain the attention second place at 18% of attacks, and spear
of attackers, particularly manufacturing. phishing links were the initial access vector
at 12% of cases.
Finance and insurance organizations
tend to be further along in both digital Europe saw the highest volume of attacks
transformations and cloud adoption on finance and insurance organizations
progress relative to other industries. As a with approximately 33% of all attacks,
result, attackers may need to work harder with Asia-Pacific a close second place
to successfully execute attacks against at approximately 31%. Latin America
these organizations. experienced approximately 15% of
incidents to which X-Force responded,
Backdoor attacks were the most commonly with North America and the Middle East
observed action on objective at 29%, and Africa experiencing approximately
10% each.

11 Industry trends
#3 | Professional, business
14.6% and consumer services
of X-Force incident response The professional services industry Professional, business and consumer
includes consultancies, management services experienced ransomware and
companies and law firms. These services backdoor attacks most frequently in 18% of
professional, business and make up 52% of victims in this segment. cases each. The top two infection vectors
consumer services sector. Business services, by contrast, include were the exploitation of public-facing
firms, such as IT and technology applications and external remote services
services, public relations, advertising at 23% each. Spear phishing attachments
and communications. These services and valid local accounts were the cause of
represent 37% of victims. Consumer 15% of cases each.
services, encompassing home builders, real
estate, arts, entertainment and recreation, Extortion was the most common impact in
accounted for 11% of cases. Together, 28% of cases, with data theft, credential
they form the professional, business and harvesting and data leaks at 17% each.
consumer services category of the 2023 X-Force responded to 47% of cases in
X-Force Threat Intelligence Index. Europe, 33% in North America, 10% in
Asia-Pacific, 7% in the Middle East and
Africa, and 3% in Latin America.

11 Industry trends
10.7% #4 | Energy
of X-Force incident response Energy organizations, including electric Data theft and extortion were noted in 23%
utilities and oil and gas companies, were of cases, followed by credential harvesting
the fourth-most attacked industry—the and botnet infections at 15% each. In
energy sector. same as 2021—representing 10.7% of all the cases that X-Force responded to
attacks. The exploitation of a public-facing worldwide, North American organizations
application was the most common infection were the most common victims at 46%,
vector at 40%. Spear phishing links and compared to Europe and Latin America
external remote services accounted for at 23% each, and just under 5% in Asia-
20% of cases each. Botnets were the most Pacific and the Middle East and Africa.
frequent action on objective in 19% of
cases, with ransomware and BEC tying The energy industry remains under
for second place at 15%. pressure from a variety of global forces,
especially those exacerbated by Russia’s
war in Ukraine and how that has affected
an already tumultuous global energy trade.

11 Industry trends
8.7% #5 | Retail and wholesale
of X-Force incident response Retailers are responsible for the sale of services, spear phishing with malicious
goods to consumers and wholesalers. attachments and hardware additions
cases occurred in the retail
Wholesalers are typically responsible for accounted for 17% each.
and wholesale sector. the transportation and distribution of these
goods directly from manufacturers to Ransomware, backdoors and BEC were the
retailers or directly to consumers. The retail most common actions taken by attackers,
and wholesale industry was the fifth-most each comprising 19% of activities. Worms
targeted industry, according to X-Force IR were identified in 10% of cases. Victims
data, the same as its 2021 ranking. experienced extortion in 50% of cases,
and credential harvesting and financial
The most common initial access vector loss at 25% each. North America and Latin
in attacks on retail and wholesale was America experienced the most cases at
spear phishing emails with a malicious link 39% each, compared to Europe’s 22%.
at 33%. Compromised external remote

11 Industry trends
7.3% #6 | Education
of X-Force incident response Incidents in education involved backdoor

cases in 20% of attacks to which X-Force
responded. Ransomware, adware and
education sector. spam accounted for 13% each. Exploitation
of public-facing applications was the
most commonly observed initial access in
42% of cases, followed by spear phishing
attachments at 25%. Phishing through
service, through link and valid cloud and
local account abuse comprised 8% of
initial access vectors each. Data theft, data
leak, extortion and reconnaissance were
the impacts at 25% each. Asia-Pacific
accounted for 67% of cases, North America
for 27% and Latin America for 6%.

11 Industry trends
5.8% #7 | Healthcare
of X-Force incident response Healthcare dropped back to seventh

place among the top 10 industries,
further declining from sixth in 2021. The
healthcare sector. proportion of healthcare cases to which
X-Force has responded has remained
at approximately 5%-6% for the last
three years. Backdoor attacks occurred
in 27% of cases, and web shells in 18%.
Adware, BEC, cryptominers, loaders,
reconnaissance and scanning tools, and
remote access tools comprised 9% each.
Reconnaissance comprised most of the
observed impacts at 50%, while data theft
and digital currency mining were identified
in 25% of cases each.
European-based targets accounted for 58%

of incidents, with North American cases
comprising the remainder at 42%.

11 Industry trends
4.8% #8 | Government
of X-Force incident response Government targets were another top Of the cases in this sector, X-Force was
target of backdoors, comprising 25% of able to tie incidents to cybercriminals,
X-Force IR cases. This percentage tied insider threats that led to data destruction,
government sector. with DDoS attacks, which also accounted hacktivists and state-sponsored threat
for one-quarter of cases. The rich sensitive groups conducting espionage, each in
information in public sector networks equal proportion.
is a common target of cyber espionage
campaigns. This information can include Exploitation of public-facing applications
extensive databases of PII and other and spear phishing attachments were the
information that could be used by state- lead infection vectors at 40% each, while
sponsored groups or sold for profit by abuse of valid default accounts comprised
cybercriminals. Maldocs were identified in 20%. Government entities in Asia-Pacific
17% of cases, and cryptominers, credential were the most targeted at 50% of cases,
acquisition tools, ransomware and web with Europe at 30% and North America
shells split the remainder of cases at 83%. at 20%.

11 Industry trends
3.9% #9 | Transportation
of X-Force incident response Down from seventh place in 2021, and deployment of remote access tools at
transportation returned to its 2020 ranking 25% each, followed by spam campaigns,
of ninth place. However, the industry still ransomware, backdoors and defacement in
transportation sector. comprised roughly the same percentage 13% of cases each.
of incidents to which X-Force responded.
Phishing was the most common initial Data theft was most common in 50%
access vector in 51% of cases—evenly of cases, with extortion and impacts to
split between links, attachments and spear brand reputation at 25% each. European
phishing as a service. Abuse of valid local transportation entities were the most
accounts made up 33% of initial access targeted group, comprising 62% of cases,
vectors, with valid cloud accounts serving with Asia-Pacific in second place at just
as the entry point for 17% of cases. The top over 37%.
actions on objectives were server access

11 Industry trends
0.5% #10 | Media and telecom
of X-Force incident response Media and telecommunications accounted

for a small fraction of incidents to which
X-Force responded, coming in last place
media and telecom sector. for the second year running. Abuse of
external remote services, such as VPNs
and other access mechanisms, and valid
domain accounts were the observed
infection vectors. These vectors led to
ransomware attacks. The actions observed
in these cases included deployment of
ransomware and data exfiltration tools.
These actions, in turn, led to data theft,
leak, destruction and extortion.

12
Recommendations
The following recommendations are actions Know your adversary: While many
you should take to secure your organization organizations have a broad view of the
against malicious threats, including those threat landscape, X-Force recommends
presented in this report. organizations adopt a view that emphasizes
the specific threat actors that are most
Manage your assets: “What do we have? likely to target your industry, organization
What are we defending? What data is and geography. This perspective includes
critical to our business?” These are the first understanding how threat actors operate,
questions any security team should answer identifying their level of sophistication, and
to build a successful defense. Prioritizing knowing which tactics, techniques
discovery of assets on your perimeter, and procedures attackers are most likely
understanding your exposure to phishing to employ.
attacks and reducing those attack surfaces
further contribute to holistic security. Manage visibility: After understanding
Finally, organizations must extend their more about the adversaries most likely to
asset management programs to include attack, organizations must confirm they
source code, credentials and other data have appropriate visibility into the data
that could already exist on the internet or sources that would indicate an attacker’s
dark web. presence. Maintaining visibility at key
points throughout the enterprise and
ensuring alerts are generated and acted on
in a timely manner are critical to stopping
attackers before they can cause disruption.

12 Recommendations
Challenge assumptions: Organizations Act on intelligence: Apply threat Having a reputable IR vendor on retainer Boost security with
must assume that they already have been intelligence everywhere. Effective reduces the amount of time it takes to get
these actions:
compromised. By doing so, teams can application of threat intelligence will skilled responders focused on mitigating
continually reexamine the following: enable you to analyze common attack an attack. Additionally, including your IR
paths and identify key opportunities for vendor in response plan development and Manage your assets
– How attackers can infiltrate their mitigating common attacks, in addition testing is critical and contributes to a more
systems to helping develop high-fidelity detection effective and efficient response. The best Know your adversary
– How well their detection and opportunities. Application of threat IR plans include a cross-organizational
response capabilities fare against intelligence should be coupled with response, incorporate stakeholders outside Manage visibility
emerging tactics, techniques understanding your adversaries and how of IT and test lines of communication
and procedures they operate. between technical teams and senior Challenge assumptions
– The level of difficulty for a likely leadership. Finally, testing your plan in
adversary to compromise your most Be prepared: Attacks are inevitable; an immersive, high-pressure cyber range Act on intelligence
critical data and systems failure doesn’t have to be. Organizations exercise can greatly enhance your ability to
should develop incident response plans respond to an attack. Be prepared
The most successful security teams customized for their environment. Those
perform regular offensive testing including plans should be regularly drilled and
threat hunting, penetration testing and modified as the organization changes, with
objective-based red teaming to detect or a focus on improving response, remediation
validate opportunistic attack paths into and recovery time.
their environments.

13
About us
IBM Security X-Force IBM Security
IBM Security X-Force is a threat-centric response and crisis management services, IBM Security adapts to your ever-
team of hackers, responders, researchers the X-Force Incident Response team knows expanding footprint and works in step
and analysts. The X-Force portfolio includes where threats may hide and how to stop with you to keep you on the right track. We
offensive and defensive products and them. X-Force researchers create offensive help you ensure that you’re always staying
services, fueled by a 360-degree view techniques for detecting and preventing one step ahead—with greater speed and
of threats. threats, while analysts with X-Force collect greater accuracy—with our dynamic AI and
and translate threat data into actionable automation capabilities. Feel confident that
In an age of relentless cyberattacks, a information for reducing risk. you’re making the right moves today and
connected everything and increasing tomorrow with insights from our trusted
regulatory mandates, organizations need With a deep understanding of how threat team of industry-leading experts. From
a focused security approach. X-Force actors think, strategize and strike, X-Force predicting threats to helping to protect
believes the threat should be the focal can help you prevent, detect, respond to data; working across vendors, or around
point. Through penetration testing, and recover from incidents and focus on the world; no matter where your business
vulnerability management and adversary business priorities. is headed, IBM Security can help you to
simulation services, the X-Force Red team strive for ambitious business goals, while
of hackers assumes the role of threat actors If your organization would like support exploring pivotal new technologies and
to find security vulnerabilities—exposing strengthening your security posture, helping minimize unexpected threats.
your most important assets. Through schedule a one-on-one consultation with
incident preparedness, detection and an IBM Security X-Force expert.
Learn more
Schedule a consult

14
Contributors
Michael Worley Guy-Vincent Jourdan

Christopher Caridi Scott Lohr
Michelle Alvarez Mitch Mayne
Karlina Bakken Dave McMillen
Yannick Bedard Kat Metrick
Michele Brancati Scott Moore
Christopher Bedell Golo Mühr
Joshua Chung Vio Onut
Scott Craig Andy Piazza
Joseph DiRe Johnny Shaieb
John Dwyer Benjamin Shipley
Emmy Ebanks Christopher Thompson
Richard Emerson Ole Villadsen
Charlotte Hammond Reginald Wong
Kevin Henson John Zorabedian

15
Appendix
List of impacts
Impacts Impacts
Botnet Digital currency mining
Brand reputation Espionage
Credential harvesting Extortion
Data destruction Financial loss
Data leak Production halted (OT)
Data theft Reconnaissance
Previous chapter 57
1. “A timeline of the biggest ransomware attacks,” 10. “BazarCall to Conti Ransomware via Trickbot and © Copyright IBM Corporation 2023 THE INFORMATION IN THIS DOCUMENT IS
CNET, 15 November 2021 Cobalt Strike,” The DFIR Report, 1 August 2021 PROVIDED “AS IS” WITHOUT ANY WARRANTY,
IBM Corporation EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY
2. “International action against DD4BC cybercriminal 11. “Diavol Ransomware,” The DFIR Report, 13 New Orchard Road WARRANTIES OF MERCHANTABILITY, FITNESS FOR
group,” Europol, 12 January 2016 December 2021 Armonk, NY 10504 A PARTICULAR PURPOSE AND ANY WARRANTY OR
CONDITION OF NON-INFRINGEMENT. IBM products
3. “DD4BC, Armada Collective, and the Rise of Cyber 12. “Quantum Ransomware,” The DFIR Report, 25 Produced in the United States of America are warranted according to the terms and conditions
Extortion,” Recorded Future, 7 December 2015 April 2022 February 2023 of the agreements under which they are provided.
4. “A Brief History of Ransomware.” Varonis, 10 13. “Bumblebee Loader Linked to Conti and Used In IBM, the IBM logo, IBM Security, and X-Force are Statement of Good Security Practices: No IT system
November 2015 Quantum Locker Attacks,” Kroll, 6 June 2022 trademarks or registered trademarks of International or product should be considered completely secure,
Business Machines Corporation, in the United and no single product, service or security measure
5. “Inside Chimera Ransomware - the first 14. “This isn't Optimus Prime’s Bumblebee but it’s Still States and/or other countries. Other product and can be completely effective in preventing improper
‘doxingware’ in wild,” MalwardBytes Labs, 8 Transforming,” Proofpoint, 28 April 2022, service names might be trademarks of IBM or other use or access. IBM does not warrant that any systems,
December 2015 companies. A current list of IBM trademarks is products or services are immune from, or will make
15. “Understanding REvil: REvil Threat Actors May available on ibm.com/trademark. your enterprise immune from, the malicious or illegal
6. “Big Game Hunting: The Evolution of INDRIK Have Returned (Updated),” Unit 42, 3 June 2022 conduct of any party.
SPIDER From Dridex Wire Fraud to BitPaymer Microsoft and Windows are trademarks of Microsoft
Targeted Ransomware,” Crowdstrike, 14 November 16. “AdvIntel’s State of Emotet aka “SpmTools” Corporation in the United States, other countries, or The client is responsible for ensuring compliance with
2018 Displays Over Million Compromised Machines both. laws and regulations applicable to it. IBM does not
Through 2022,” AdvIntel, 13 September 2022 provide legal advice or represent or warrant that its
7. “Operators of SamSam Continue to Receive This document is current as of the initial date of services or products will ensure that the client is in
Significant Ransom Payments,” Crowdstrike, 11 17. “Back in Black: Unlocking a LockBit 3.0 publication and may be changed by IBM at any time. compliance with any law or regulation. Statements
April 2018 Ransomware Attack,” NCC Group, 19 August 2022 Not all offerings are available in every country in which regarding IBM’s future direction and intent are subject
IBM operates. to change or withdrawal without notice, and represent
8. “Triple Extortion Ransomware: The DDoS Flavour,” 18. “Back in Black: Unlocking a LockBit 3.0 goals and objectives only.
PacketLabs, 12 May 2022 Ransomware Attack,” NCC Group, 19 August 2022,
9. “They Told Their Therapists Everything. Hackers

Leaked It All,” Wired, 4 May 2021

X-Force Threat Intelligence

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

X-Force Threat Intelligence

Uploaded by

Copyright:

Available Formats

X-Force Threat

How our data analysis changed

In 2022, we modified how we examined – Exploits and zero day compromises:

Previous chapter Next chapter 5

Previous chapter Next chapter 6

41% 100% 52%

62% 26% 31%

Previous chapter Next chapter 7

Top initial access vectors

In 2022, X-Force moved from tracking Exploit public-facing application

Valid accounts - Domain

Valid accounts - Default

Phishing - Spear phishing via service

Valid accounts - Cloud

Previous chapter Next chapter 8

Figure 2: Types of phishing subtechniques as a

Previous chapter Next chapter 9

Phishing kits lasting longer, targeting

– One-third of deployed kits lasted

Previous chapter Next chapter 10

Top spoofed brands

7 Adobe Dropbox Figure 3: This chart identifies the

Previous chapter Next chapter 11

Previous chapter Next chapter 12

Previous chapter Next chapter 13

4.0-6.9 out of 10, compared to just under how exploitation is accomplished or if an

Figure 5: X-Force vulnerability database showing

Previous chapter Next chapter 14

Operational technology (OT)

those that can exploit IT. 0

Vulnerabilities Weaponized exploits Zero day

Previous chapter Next chapter 15

Top actions on objectives

Previously, the X-Force Threat Intelligence

Figure 7: Top actions on objectives observed by X-Force in 2022. Source: X-Force

Previous chapter Next chapter 16

In cases where a backdoor deployment establish access themselves may also

Previous chapter Next chapter 17

Ransomware Ransomware variants

Previous chapter Next chapter 18

Business email compromise (BEC)

Previous chapter Next chapter 19

X-Force also took a closer look at the

Previous chapter Next chapter 20

Data theft came in second and accounted

Previous chapter Next chapter 21

While extortion is most commonly with enhanced or novel downstream victim

Previous chapter Next chapter 22

Previous chapter Next chapter 23

Timeline of select hacktivist events 2022

one of the most prolific Russia-sympathetic

Previous chapter Next chapter 24

Wipers featured in Russia's

Previous chapter Next chapter 25

Upheaval among Russian

Previous chapter Next chapter 26

The malware landscape

Previous chapter Next chapter 27

Rust rises Vidar InfoStealer

Previous chapter Next chapter 28

Evolution of malware delivery

Previous chapter Next chapter 29

Spam data highlights ransomware

X-Force analyzed trends in phishing and X-Force identified a surge of Qakbot