BlackBerry: 2022 Cybersecurity Threat Report (English edition, 73 pages)
BLACKBERRY / 2022 THREAT REPORT

CONTENTS
INTRODUCTION 3
Executive Summary 4
2021 Timeline of High-Profile Cyberattacks 6
CYBERTHREATS 7
Cobalt Strike 8
Supply Chain Attacks 13
Log4j/Log4Shell Exploits 16
Old Dogs, New Tricks: Obscure Programming Languages 17
Initial Access Brokers 19
ChaChi 20
TYPES OF ATTACKS 21
Ransomware 22
Infostealers 27
All Top 10 Threats 31
DATA SCIENCE 33
AI and Adversarial Attacks 34
CYBERSECURITY INSIGHTS 37
Incident Response Year in Review and Trends 38
Attack Lifecycle 41
Protecting Critical Infrastructure 43
Prevention-First AI 44
A Prevention-First Approach to Securing an Increasingly Hybrid Workforce 46
Extended Detection and Response 48
The Evolution of Managed Detection and Response Services 50
Expanding the Role of Network Security and AI/ML in Preventing Zero-Day Attacks 52
Mobile Threats and Security 55
Connected Vehicles: Moving Toward Security 57
Critical Event Management: Be Prepared for Anything 59
New Cybersecurity Legislative and Regulatory Initiatives and Forecast 62
Predictions: Looking Ahead to 2022 and Beyond 67
CONCLUSION 70

INTRODUCTION
The BlackBerry 2022 Threat Report is not a simple retrospective of the cyberattacks of 2021. It is a high-level look at issues affecting cybersecurity across the globe, both directly and indirectly. It covers elements of critical infrastructure exploitation, adversarial artificial intelligence (AI), initial access brokers (IABs), critical event management (CEM), extended detection and response (XDR), and other issues shaping the current security environment. This report covers topics confronting individuals and organizations around the world. As always, it represents our unique piece of the overall security puzzle. Our goal is to improve the global security posture by sharing our information, predictions, and experiences with everyone. To accomplish that, the report examines the major security events of 2021 and how they may shape the cybersecurity landscape going forward. It provides a deep dive into the cybersecurity issues we face today, and
offers readers additional information and context to perform their own thoughtful analysis. That said, readers expecting our annual breakdown of the top 10 malware attacks witnessed by BlackBerry over the past year will not be disappointed. Nor will those who look forward to our incident response (IR) year in review, annual cybersecurity legislative updates, and near-term predictions. Many of the sections our readers have come to enjoy from previous BlackBerry threat reports have returned. In addition, this year we tackle supply chain attacks, dangerous new programming languages, security in the Metaverse
, quantum computing, ransomware campaigns, and other relevant emerging topics. The fluidity of modern cyberattacks can require organizations to frequently rethink their approach to cybersecurity and consider new options. They must constantly assess new technologies and approaches that can outperform legacy antivirus (AV) solutions, ranging from prevention-first AI to adopting a Zero Trust architecture. Accordingly, the BlackBerry 2022 Threat Report offers suggestions on cybersecurity strategies and technologies that could have prevented the greatest security lapses of the past year. We sincerely hope the information contained in this report will help protect users and keep organizations secure in 2022 and beyond.

EXECUTIVE SUMMARY
The most widely publicized cyber events of 2021 involved ransomware attacks on critical infrastructure and technology companies. The ransomware threat group REvil attacked Acer, JBS Foods, and others, DarkSide crippled Colonial Pipeline, and Avaddon infiltrated AXA. In short, the scope and success of various threat groups last year, particularly against private sector companies considered part of national infrastructure, proved unsettling. Governments responded to the attacks, with G7 countries and NATO allies putting cybersecurity at the top of the public policy agenda. U.S. President Joe Biden issued an Executive Order on "Improving the Nation's Cybersecurity", while the Department of Justice established a Ransomware and Digital Extortion Task Force.

Earlier in the year (March, per the timeline below), Microsoft Exchange Server zero-day vulnerabilities spiraled into a crisis after the HAFNIUM group exploited them. Other threat actors were quick to capitalize on the opportunity by reverse engineering the patch and targeting organizations worldwide. The swift proliferation of HAFNIUM-style attacks reinforced the importance of both organizations and individuals keeping software up to date. However, patching as a purely reactive practice cannot save the initial victim of an attack, the "sacrificial lamb". This has many organizations looking to alternative security approaches like the Zero Trust framework, XDR, and prevention-first AI.

At the end of 2020, a supply chain attack against SolarWinds made international headlines. The same style of attack reemerged in 2021, when Kaseya's VSA software was compromised, ultimately affecting over 1,000 businesses. Supply chain attacks often rely on the trust already established between providers and customers to propagate, offering another strong case for adopting a Zero Trust framework.

While attacks on large organizations dominated the 2021 news cycle, small to medium-sized businesses (SMBs) also suffered countless attacks, both directly and through the supply chain. BlackBerry threat researchers observed SMBs averaging 11 to 13 threats per device, a number much higher than that seen in enterprises.

Threat actors owe their success in 2021 to a variety of factors. Many have learned to adopt and mimic private sector capabilities by using service providers such as ransomware-as-a-service (RaaS), infrastructure-as-a-service (IaaS), and malware-as-a-service (MaaS) to mount attacks. Others have created a layer of obfuscation between themselves and their targets by using IABs and impersonating other threat groups. Newer programming languages were used to some effect, with Go, D, Nim, and Rust making appearances across the threat landscape. Cobalt Strike remained a pivotal tool for the command-and-control networks used to proliferate malware and attacks.

Progress was made on integrating security into connected vehicles, with the International Organization for Standardization (ISO), the Society of Automotive Engineers (SAE), and the United Nations (UN) providing firm guidance to automakers. Mobile apps remained notoriously insecure. The vulnerable SHAREit app, which allowed remote code execution, had been downloaded over one billion times. Recent studies found that 63% of tested mobile apps use open-source code with known vulnerabilities. Adding to smartphone users' woes, SMS phishing (smishing) attacks
were up 300% in North America over the last year.

The cyberattacks of 2021 affected people at every level, from large organizations to individual cellphone owners. BlackBerry's internal reporting shows every industry is open to cyberattacks. The same cybersecurity issues that threaten non-profits are also risks for transportation companies, public organizations, utilities, healthcare organizations, financial institutions, and others. It reminded us that no one is safe. When it comes to cyberattacks, there is zero immunity. However, a number of cybersecurity innovations and approaches offer organizations stronger protection. For example, organizations seeking effective new security measures should consider adopting a Zero Trust framework. They could also use prevention-first technology, migrate to an XDR platform, or engage a managed XDR team.

2021 TIMELINE OF HIGH-PROFILE CYBERATTACKS
FEBRUARY: A water treatment plant in Oldsmar, Florida was compromised when an attacker attempted to poison the water supply. CD Projekt Red was attacked by HelloKitty ransomware.
MARCH: Channel Nine in Australia had broadcasts disrupted by cyberattacks. The University of the Highlands and Islands was attacked with Cobalt Strike. CNA Insurance was attacked by Evil Corp. Buffalo Public Schools in New York were attacked with ransomware. Microsoft Exchange Servers were attacked by HAFNIUM.
APRIL: The Houston Rockets basketball team (NBA) was attacked by Babuk.
MAY: Colonial Pipeline was attacked by DarkSide. AXA was attacked by Avaddon. Brenntag (chemical distributor) was attacked by DarkSide. Acer was attacked by REvil. JBS Foods was attacked by REvil. Ireland's Health Service Executive (HSE) was attacked by Conti.
JULY: Ransomware attacks were launched in Chile, Italy, Taiwan, and the U.K. by the LockBit threat group. Kaseya suffered a supply chain attack from REvil.
NOVEMBER: The Robinhood trading platform was breached and information on seven million user accounts was taken.
DECEMBER: The Log4j vulnerability was revealed and exploited by multiple threat actors.

These well-known attacks made national or international news due to their considerable scale, sophistication, ruthlessness, or ransom demands. However, their stories do not tell the true toll cyber crime took upon public and private organizations. Over 70% of SMBs have suffered from cyberattacks, according to a study by the Ponemon Institute. Of those attacked, 60% go out of business within six months. Government agencies and large companies may survive a cyberattack, but for SMBs, it is often a death sentence. The cyberattacks of 2021 hit multiple industries, affected organizations of all sizes, and serve as stark reminders that no one is safe. There is zero immunity from dedicated threat actors, and anyone operating in the digital space may be targeted next. With malicious hacking attempts occurring every 39 seconds, an organization will exhaust itself relying on reactive security measures. Fortunately, prevention-first tools, predictive AI technologies, and Zero Trust frameworks can offer organizations an effective alternative to traditional cybersecurity solutions.

CYBERTHREATS

COBALT STRIKE
No threat report would be complete without at least a passing mention of Cobalt Strike. This year, BlackBerry collated insights and trends from an internal dataset of over 7,000 Cobalt Strike Team Servers and 60,000 Beacons. Tracking and monitoring Cobalt Strike Team Servers deployed in the wild can greatly assist the threat intelligence lifecycle. Doing so provides invaluable information for fine-tuning security solutions and aiding incident investigations. A detailed breakdown of the threat intelligence gained from analyzing Cobalt Strike can be found in the BlackBerry Threat Research and Intelligence Team's new eBook, "Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence".

Our annual review of Cobalt Strike activity begins with some of the most interesting statistics involving Team Server deployments. For example, observe the top 10 autonomous system numbers (ASNs) and netblocks (ranges of consecutive IP addresses) responsible for hosting Cobalt Strike's immensely versatile Beacon payload. This reveals a fascinating trend: threat actors are increasingly likely to use legitimate cloud providers for hosting. Traffic to a reputable cloud ASN does not stand out to monitoring systems, and blocking the provider's address space wholesale would also cut off its legitimate tenants, which makes automated blocking trickier. Adding to detection difficulties, several large and reputable companies appear in the top 20 list of providers. Figure 1 shows the top 10 ASNs found hosting the Cobalt Strike Beacon:

AS132839 Power Line Datacenter
AS137951 Clayer Limited
AS14061 DigitalOcean, LLC
AS16509 Amazon.com, Inc.
AS20473 The Constant Company, LLC
AS25820 IT7 Networks Inc.
AS36352 ColoCrossing
AS37963 Hangzhou Alibaba Advertising Co., Ltd.
AS45090 Shenzhen Tencent Computer Systems Co., Ltd.
AS8100 QuadraNet Enterprises, LLC

Figure 1 - Top 10 ASNs responsible for hosting the Cobalt Strike payload, Beacon (chart of monthly share, January to December; the percentages are not recoverable from this text).

Figure 2 - Top 10 netblocks responsible for hosting Beacons:
1.117.0.0/18
185.153.196.0/22
154.216.64.0/19
218.253.224.0/19
158.247.192.0/18
31.44.184.0/24
168.206.128.0/17
39.96.0.0/14
179.60.150.0/24
47.98.0.0/15

From a geographical perspective, the following are the top 10 countries used for hosting Beacon.

Figure 3 - Top 10 countries hosting Team Servers for Cobalt Strike: China, Netherlands, Germany, Russia, Hong Kong, Russian Federation, Korea (Republic of), Singapore, Japan, United States. (The source chart lists "Russia" and "Russian Federation" as separate entries, presumably reflecting differing geolocation labels.)

Figure 4 - Top 10 ports used for serving Beacon payloads: 80, 443 and 8080 lead; the remaining port values are not recoverable from this text.

Figure 5 - Top 10 Malleable profiles used by Cobalt Strike Beacon: amazon.profile, default.profile, jquery-c2.4.2.profile, etumbot.profile, havex.profile, gmail.profile, office365_calendar.profile, microsoftupdate_getonly.profile, bingsearch_getonly.profile, jquery-c2.3.11.profile.

Ports 80, 443, and 8080 take top honors (Figure 4) for serving Beacon payloads from Team Servers. These ports are typically open in most environments, making them an obvious choice for routing command-and-control (C2) traffic. Cobalt Strike Beacons are highly configurable through Malleable C2 profiles, which specify how a Beacon acts and looks in the target environment. These profiles also specify the parameters used within the communication protocol and the method Beacon uses to inject into other processes. The top 10 Malleable profiles observed throughout 2021 are shown in Figure 5.

Using Malleable C2 profiles, Cobalt Strike Beacon can be configured to perform a technique called domain fronting. This routes HTTPS traffic via a trusted third-party content delivery network: the TLS connection is made to a CDN edge shared with reputable sites, while the HTTP Host header set in the profile selects the attacker's backend behind that CDN. The top 10 hosts used for domain fronting in 2021 are shown in Figure 6.

Figure 6 - Top 10 hosts used by Cobalt Strike Beacon for domain fronting and masquerading (of the figure's entries, only "us.to" is legible in this text).
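The pivots this section builds its figures on (port, Malleable profile, SPAWNTO, the Beacon's embedded public key and the PROCINJ_STUB hash, all discussed in this section) can be reproduced over a set of parsed Beacon configurations. The following is an added example, not BlackBerry's tooling: its records are constructed to stand in for parsed configs, and the key and hash values are short placeholders rather than real keys or cobaltstrike.jar hashes.

```python
"""Pivoting across extracted Cobalt Strike Beacon configurations.

Added example; not BlackBerry's tooling. The records below are constructed to stand in
for parsed Beacon configs, with the fields this section reports on: C2 host, port,
Malleable profile, SPAWNTO, the embedded public key and the PROCINJ_STUB hash. The key
and hash values are short placeholders, not real keys or cobaltstrike.jar hashes.
"""
from collections import Counter, defaultdict

BEACONS = [
    {"c2": "203.0.113.10", "port": 443, "profile": "amazon.profile",
     "spawnto": "rundll32.exe", "pubkey": "aa11", "procinj_stub": "e1e1", "host_header": "us.to"},
    {"c2": "203.0.113.10", "port": 80, "profile": "default.profile",
     "spawnto": "rundll32.exe", "pubkey": "aa11", "procinj_stub": "e1e1", "host_header": None},
    # Same public key on a second C2 address: a redeployed image, or a second server
    # whose payloads were generated on the first Team Server.
    {"c2": "203.0.113.11", "port": 8080, "profile": "jquery-c2.4.2.profile",
     "spawnto": "dllhost.exe", "pubkey": "aa11", "procinj_stub": "e1e1", "host_header": None},
    {"c2": "198.51.100.5", "port": 443, "profile": "gmail.profile",
     "spawnto": "rundll32.exe", "pubkey": "bb22", "procinj_stub": "f2f2", "host_header": "us.to"},
    # Different operator (own key) but the same cobaltstrike.jar build as the first cluster.
    {"c2": "198.51.100.6", "port": 443, "profile": "havex.profile",
     "spawnto": "gpupdate.exe", "pubkey": "cc33", "procinj_stub": "e1e1", "host_header": None},
]


def top_n(beacons, field, n=10):
    """Frequency table for one config field, most common first (the view behind Figures 4, 5 and 8)."""
    return Counter(b[field] for b in beacons if b[field] is not None).most_common(n)


def cluster_by(beacons, field):
    """Map each distinct value of `field` to the sorted list of C2 hosts that share it."""
    clusters = defaultdict(set)
    for b in beacons:
        clusters[b[field]].add(b["c2"])
    return {value: sorted(hosts) for value, hosts in clusters.items()}


def shared_key_infrastructure(beacons):
    """Public keys seen on more than one C2 host. A key is generated per Team Server install,
    so a key spanning several hosts ties those hosts to one operator's infrastructure."""
    return {k: hosts for k, hosts in cluster_by(beacons, "pubkey").items() if len(hosts) > 1}


def operators_per_build(beacons):
    """PROCINJ_STUB (MD5 of cobaltstrike.jar) -> distinct public keys using that build.
    Many unrelated keys on one stub can indicate a widely shared leaked or cracked build."""
    builds = defaultdict(set)
    for b in beacons:
        builds[b["procinj_stub"]].add(b["pubkey"])
    return {stub: sorted(keys) for stub, keys in builds.items()}


def fronting_candidates(beacons):
    """C2 hosts whose profile sets an HTTP Host header different from the address the
    Beacon connects to: the signature of domain fronting or masquerading."""
    return sorted({b["c2"] for b in beacons if b["host_header"] and b["host_header"] != b["c2"]})


if __name__ == "__main__":
    print("ports:", top_n(BEACONS, "port"))
    print("spawnto:", top_n(BEACONS, "spawnto"))
    print("shared keys:", shared_key_infrastructure(BEACONS))
    print("builds:", operators_per_build(BEACONS))
    print("fronting:", fronting_candidates(BEACONS))
```

On real data the public-key and PROCINJ_STUB pivots are the ones worth watching over time: ports and SPAWNTO values are chosen per campaign and cluster poorly, whereas a key or jar hash recurring on new infrastructure is a direct link to something already tracked.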
Figure 7 - Top 10 DNS redirector IPs used by Cobalt Strike: 8.8.4.4, 0.0.0.0, 8.8.8.8, 74.125.196.113, 114.114.114.114, 42.221.165.103, 223.5.5.5, 13.77.161.179, 217.12.218.46, 204.79.197.219.

Figure 8 - Spawned processes created for Cobalt Strike injections: dllhost.exe, rundll32.exe, gpupdate.exe, mstsc.exe, svchost.exe, wusa.exe, WerFault.exe, svchost.exe -k netsvcs, runonce.exe, WUAUCLT.exe.

Cobalt Strike Beacon can be configured to use DNS redirectors to forward C2 traffic to a Team Server. Figure 7 shows the top 10 DNS redirector IP addresses from 2021. Note that several of these are well-known public resolver addresses (8.8.8.8, 8.8.4.4, 114.114.114.114, 223.5.5.5) and 0.0.0.0 is a placeholder rather than a real host, so this field is a weak pivot on its own.

Cobalt Strike Beacon spawns processes and then injects dynamic-link library payloads into them. The spawned process can be set per architecture (x86/x64) through the SPAWNTO option. The default, and most popular choice, is rundll32.exe (Figure 8).

In addition to the Secure Sockets Layer (SSL) certificate deployed on the Team Server, Beacons are also bundled with an additional public key. It is part of a public/private key pair generated on the server when Cobalt Strike is installed. The public key is subsequently embedded in all Beacons generated on the same server and used for C2 check-ins. It is important to note that this key pair is entirely different from the SSL key pair used for the HTTPS certificate on the Team Server. Unlike watermarks, the public key stored within a Beacon's configuration offers a fantastic means of clustering Beacons. Keys are virtually guaranteed to be unique per Team Server installation, but they are often reused, for example when a virtual machine image is redeployed. In other instances, threat actors use a single Team Server to configure payloads for deployment from other servers under their control. Either way, a shared key ties those servers together, which makes spotting, tracking, and monitoring their infrastructure considerably easier.

The top 10 SSL public keys mostly belong to leaked builds of Cobalt Strike Team Server.

Figure 9 - The top 10 public keys of Cobalt Strike Team Servers (listed by hash; the tenth value is truncated in this text):
0ce7b6482c1f24e42f2935f5026d338d
1186914578623be126e5f3e8c058d719
79b6e333634c506f6f710dde179796ed
81a3eeb8ceb74cf508f6bcfc408e0305
8ac540617dddcdf575f6dc207abb7344
94a0ea78a00b04d14d25e55dacba3ac3
defb5d95ce99e1ebbf421a1a38d9cb64
e9ae865f5ce0359f6020af61884abc8f
4ba7a0caa288b326a70eefd1415e5a5a
26b856156bd4ae61a547f (truncated)

Finally, it is possible to track Team Server builds via a configuration setting called PROCINJ_STUB. It contains a message-digest algorithm (MD5) hash of the Cobalt Strike Java archive (cobaltstrike.jar). This archive contains the server-side component that provides Team Server operators with a graphical user interface to generate, operate, deploy, and control Beacon payloads. The MD5 hash of the cobaltstrike.jar package allows us to determine several things. By correlating it with its corresponding Java archive, commonly found in online malware repositories such as VirusTotal, we can discover:
- the exact version of the Team Server used
- whether the Team Server in operation is a leaked, cracked, or trial version
- whether the Team Server is a private, licensed version
Even if the Java archive is unavailable to assist with version identification, the hash is still an extremely valuable clustering mechanism. This is especially true in the case of private and customized builds.

The top 10 Team Server builds in 2021, based on the PROCINJ_STUB hash value, were as follows.

Figure 10 - The top 10 Team Server builds in 2021 (PROCINJ_STUB hash, with the Team Server version where the figure gives one):
dd4c91e0e6d9bbf6eefdd84284d67a3f
b54afe01ec6a75edf35e1a44f8bd3929
b2736f1cbba90d42286fc42bfba74f4d (4.3)
a56c813864af878a4c10083ca1578e0a (4.0)
a49f5445f01a9f3240eea9e46ee66c81 (4.3)
32cd41edf0810c5b5f498edf4731cc6d (4.3)
222b8f27dbdfba8ddd559eeca27ea648
187ab8f98098de95714613f8544c9613 (4.1)
0ce2f55444e4793516b5afe967be9255 (4.2)
00000000000000000000000000000000 (all-zero value; the setting was most likely absent from those Beacons)

In addition to our research, the U.S. Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) released a report on Cobalt Strike Beacon in May 2021. Their document includes a list of recommendations users and organizations can follow to minimize exposure to this threat.

SUPPLY CHAIN ATTACKS
Supply chain attacks are not a recent concept. However, the software supply chain has been increasingly used as an attack vector in recent years. Why is this the case? For one, the potential impact and spread of a supply chain attack can be far greater than that of targeting an individual victim. The potential for damage varies with the customer base of the product. The relation between producer and consumers is essentially one-to-many, with a single point of failure: the larger the customer base, the larger the potential attack base. Threat actors know that exploiting the trust people place in the integrity and security of their supply chain is easier than compromising fortified targets. Adversaries typically look for the path of least resistance; the supply chain represents the latest evolution in their tradecraft.
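The one-to-many relation described above can be put in numbers for a given supplier graph: how many organizations receive a tainted product directly, how many more are reachable only if the cascade continues, and which supplier is the single point of failure with the largest downstream population. The following is an added example, not from the BlackBerry report; its supplier/customer graph and organization names are constructed to mirror the vendor and linked-organization topology this section discusses.

```python
"""Downstream blast radius of a breached supplier.

Added example; not from the BlackBerry report. The graph is constructed to mirror the
one-to-many producer/consumer relation described above: a supplier ships one product to
many customers, and a customer may itself supply others, which is the knock-on effect.
Organization names are placeholders.
"""
from collections import deque

# supplier -> organizations that consume its product or service (constructed)
SUPPLY_GRAPH = {
    "Vendor A": {"Organization"},
    "Vendor B": {"Organization"},
    "Vendor C": {"Organization", "Other Customer 1", "Other Customer 2"},
    "Organization": {"Linked Org 1", "Linked Org 2"},
    "Linked Org 1": {"End Customer 1", "End Customer 2"},
    "Linked Org 2": set(),
    "Other Customer 1": set(),
    "Other Customer 2": set(),
    "End Customer 1": set(),
    "End Customer 2": set(),
}


def exposed_by(graph, breached, contained=frozenset()):
    """Breadth-first walk downstream from a breached supplier.

    Returns {organization: hops from the breach}. Direct customers are 1 hop away and
    receive the tainted product; each further hop is a customer that was itself
    compromised and passed the attack on. Organizations in `contained` still count as
    exposed (they received the product) but stop the cascade, modelling a customer that
    detected and contained the breach before its own products were affected."""
    hops = {}
    queue = deque([(breached, 0)])
    while queue:
        node, depth = queue.popleft()
        for customer in graph.get(node, ()):
            if customer in hops:
                continue
            hops[customer] = depth + 1
            if customer not in contained:
                queue.append((customer, depth + 1))
    return hops


def notification_waves(graph, breached, contained=frozenset()):
    """Group exposed organizations by hop count: wave 1 is the supplier's own customer
    list, the set to notify immediately; later waves only exist if the breach spreads."""
    waves = {}
    for org, depth in exposed_by(graph, breached, contained).items():
        waves.setdefault(depth, []).append(org)
    return {d: sorted(orgs) for d, orgs in sorted(waves.items())}


def single_points_of_failure(graph):
    """Rank suppliers by how many organizations sit anywhere downstream of them."""
    return sorted(((len(exposed_by(graph, s)), s) for s in graph), reverse=True)


if __name__ == "__main__":
    print(notification_waves(SUPPLY_GRAPH, "Vendor C"))
    print(notification_waves(SUPPLY_GRAPH, "Vendor C", contained={"Organization"}))
    print(single_points_of_failure(SUPPLY_GRAPH)[:3])
```

The `contained` parameter is the point of the exercise: with the central organization containing the breach, Vendor C's compromise stops at three organizations; without it, seven are exposed, which is the knock-on effect the next subsection describes.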
WHAT IS A SUPPLY CHAIN ATTACK?
To better understand supply chain attacks, see the topological representation of company interactions in Figure 11. Supply chain attacks occur when an organization relies on a third party for part of its product development, hardware, software, or other services. The U.S. Department of Defense defines a supply chain risk as one where the adversary may "sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a system to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such systems".

Take another look at Figure 11. The central organization depends on Vendors A through C for different requirements. All is well until Vendor C is breached and a foothold is established in its environment. Vendor C's product development lifecycle is compromised and a malicious component is included in its product. The product, in its compromised state, is distributed to the organization, where it serves as a foothold for adversaries to infiltrate and compromise. Once attackers are inside, all information they can access may be exfiltrated, including product information, financial information, and personal information. If the compromised organization has a weak security posture, the attack may propagate further to linked organizations and their customer base.

Figure 11 - Topological view of a supply chain attack. Stages shown: Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Exfiltrate Data, Encrypt. Nodes shown: Organization; Vendor A, Vendor B, Vendor C; two Linked Organizations; Personal, Financial and Product Information.

POTENTIAL IMPACT
Depending on the size of the compromised organization's customer base, the impact of a supply chain attack can be huge. Determining which customers have been affected, and to what extent, can prove difficult. As a result, as soon as a breach has been identified, customers should be notified so they can begin their own remediation efforts. Organizations should plan for the worst in these scenarios: assume that their customers have been breached and that further reputational damage is imminent. The longer threat disclosure and response take, the greater the risk that attackers gain a persistent foothold in customer environments. There is also the possibility of a knock-on effect: if the breach is not contained, other linked organizations can be affected too.

RECENT SUPPLY CHAIN ATTACKS
Supply chain attacks sound dangerous, and they are. The prospect of a trusted source being the initial point of compromise is one that many prefer to believe will not happen, but it does. Some examples of historical software supply chain attacks include:
- The NotPetya attacks in 2017. Attackers compromised the update mechanism of the Ukrainian tax software M.E.Doc; the destructive malware it delivered, which posed as ransomware, caused billions in damages to companies including pharmaceutical giants.
- The SolarWinds breach in 2020. The Orion IT management and monitoring software was compromised and a trojanized update was pushed out to a number of high-profile entities.
- Kaseya in 2021. A zero-day exploit against internet-facing, customer-run Virtual System/Server Administrator (VSA) servers let attackers push a fake agent update to the endpoints those servers managed. The update was nothing but ransomware, and it encrypted a large portion of Kaseya's VSA customer base.

The European Union Agency for Cybersecurity (ENISA) recently published a report studying 24 supply chain attacks from January 2020 to July 2021. The report revealed some stark statistics:
- Suppliers either did not know or did not report how they were compromised in 66% of supply chain attacks.
- Advanced persistent threat (APT) groups were credited with carrying out 50% of supply chain attacks.
- Exploiting trust in the supplier accounted for nearly 62% of attacks on customers.

HOW DO SUPPLY CHAIN ATTACKS EVADE DETECTION?
At its core, a supply chain attack is an abuse of trust. A trusted supplier or vendor is assumed to maintain rigorous security standards. For example, an analyst responding to alerts showing C2 network traffic may be biased by their level of trust in an application. They may see a domain of interest in the network traffic, or in its SSL certificates, but because the traffic comes from a trusted application, the indicator is assumed to be legitimate. This bias highlights the benefits of a Zero Trust approach and shows how implicit trust can be a major vulnerability. It also reinforces the need to investigate and more thoroughly vet third-party applications. A chain is only as strong as its weakest link: if one part breaks, the whole system can fail.

HOW CAN BETTER PROTECTION BE ACHIEVED?
Many security issues can be addressed by taking a holistic approach to security and adopting the principles of Zero Trust. All threat vectors need to be covered, including sources usually trusted as benign. An organization's product security incident response team (PSIRT) is likewise a key component of improving its security posture. For example, a PSIRT can work closely with other teams, communicating valuable security insights to them throughout the software development lifecycle (SDLC). As its inclusion in the SDLC continues, the PSIRT will reach new levels of maturity and become more proactive. This helps ensure that products and build processes are as secure as possible. The risk of a supply chain attack is reduced when the lines of communication between teams are well formed. For security analysts, it is important to reduce one's natural bias in favor of trusted applications and services. While certificate signing, provenance, build tooling, and other such measures have security value, it is imperative for security operations (SecOps) teams to always remain skeptical. Rapid disclosure and containment of a breach is likewise critical for protecting organizations and the customers that rely on their products or services.

LOG4J/LOG4SHELL EXPLOITS
Log4j is an open-source logging package used by countless applications and major frameworks, including Apache Struts 2. Toward the end of 2021, a vulnerability was discovered in this component that attackers can exploit by sending specially crafted text: if the text is logged, Log4j's lookup feature interprets a ${jndi:...} expression in it and fetches an object from an attacker-controlled server. Attacks targeting this vulnerability, also called Log4Shell exploits, therefore allow threat actors to fetch code from a remote server and achieve remote code execution (RCE). Since Log4j is not malware, it is not caught by cybersecurity measures and tools exclusively focused on detecting malicious code.

The Log4j vulnerability, first reported to Apache by Chen Zhaojun on November 24, is tracked as CVE-2021-44228. On December 10, the vulnerability was publicly disclosed in the National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST). Disclosure led to a swift increase in attacks that quickly numbered millions per hour. The Log4j vulnerability is particularly troublesome because it is difficult for organizations to know which applications and services are at risk. A standalone application using Log4j may be easy to identify, but what about cases where the package sits six levels deep in the dependency chain? The widespread use of Log4j paired with the complex nature of software dependencies indicates this vulnerability will present a threat for years to come.

While anti-malware measures are not useful for detecting and remediating the Log4j vulnerability itself, other cybersecurity strategies can reduce an organization's exposure. For example, adopting a Zero Trust framework can limit an attacker's use of the vulnerability by restricting what an exploited process can reach; in particular, the exploit depends on the application server making an outbound LDAP, RMI or HTTP connection to fetch its payload, so egress restrictions on those servers cut the attack short. Zero Trust environments further reduce risk by enforcing least-privilege access policies throughout the environment. Also, as many cyberattacks rely on delivering a malicious payload, anti-malware tooling may ultimately prevent file-based attacks resulting from the exploit.
92、ayload,anti-malware tooling may ultimately prevent file-based attacks resulting from the exploit.OLD DOGS NEW TRICKSOBSCURE PROGRAMMING LANGUAGES The BlackBerry Threat Research and Intelligence Team has been tracking and monitoring the threat landscape for the appearance of four obscure programming
93、languages:Go D Nim Rust These languages are currently being observed to track their use and adoption by threat actors.Selection of these languages was partially driven by an uptick in their misuse for malicious activities.Another factor is their increasing role in malware families authored and uncov
94、ered within the overall threat landscape.Generally,new programming languages are often developed to improve on various aspects or shortfalls in current ones.This,consequently,also makes them an attractive option for abuse by threat actors.New languages can be used as a wrapper or loader for an exist
95、ing malware family,to rewrite existing malware,or develop brand-new malware.This trend has been seen in the past with the use of VB6 and Delphi to develop wrappers for then-current malware.Old Dogs,New Tricks:Attackers adopt exotic programming languages18BLACKBERRY /2022 THREAT REPORT More recently,
96、in March 2021,the BazarLoader malware family was rewritten in the Nim programming language and dubbed Nimzaloader.Several months later,in May,RustyBeur appeared,which was a variant of the Buer-loader malware rewritten in Rust.From a threat actors perspective,the use of exotic programming languages p
97、rovides many advantages.These include:Enhanced performance Lack of available analysis tooling Analysts unfamiliarity with their composition Increased ability to thwart signature-based antivirus detection It could be argued that these languages act as a layer of obfuscation.Their newness and the lack
98、 of available analysis tooling means they can look rather alien to inexperienced researchers.BlackBerry observed these languages being used in the development of an increasing number of droppers and loaders.They were used as new,first-stage pieces of malware designed to drop/decode,load,and deploy c
99、ommonly seen commodity malware families.Threats currently using these new languages include the Remcos and NanoCore remote access trojans and Cobalt Strike Beacons.Many of these languages can also be cross compiled to target multiple operating systems.This powerful feature has been abused relentless
100、ly by threat actors.Specifically,the Russian-based APT29 group and their Wellmess malware,which was written in Go and compiled to target both Windows and Linux operating systems.A further example of this was the appearance of ElectroRAT malware in January 2021.It was also developed in Go and then cr
101、oss-compiled to target all major operating systemsWindows,macOS,and Linux.Nim and Go have been used in different parts of the same attack chain to enhance the attackers detection evasion capability.For example,threat group APT28 leveraged a Nim-based downloader to retrieve a Go-based payload in its
102、Zebrocy malware.The benefits and popularity of these languages have resulted in an uptick in their adoption by the security community.Due to their offensive advantages,they are of particular use in the development of Red Team tooling.In late 2020,FireEye disclosed that a threat actor had gained unau
103、thorized access to some of its Red Team tools.As a countermeasure,they released a statement along with a GitHub repository comprised of various detection signatures to help identify the stolen tools.Within this 19BLACKBERRY /2022 THREAT REPORT repository,FireEye revealed that its Red Team had been e
104、mploying a combination of publicly available,modified tools and in-house custom tools.Some of these Red Team tools were written in DLang,Rust,and Go.Malicious binaries authored in these languages currently constitute a small portion of those being utilized by threat actors.However,their use in cyber
105、attacks is a trend that is likely to increase in the coming decade.INITIAL ACCESS BROKERS The BlackBerry Threat Research and Intelligence Team has been tracking a previously undocumented IAB that BlackBerry has dubbed Zebra2104.Our investigation uncovered a mass of interlinking malicious infrastruct
106、ure that showed an unusual connection between several seemingly unrelated threat groups.The first revelation came in April 2021,with the discovery of a Cobalt Strike Beacon-serving domain that also doubled as a C2 server.By following a trail of network breadcrumbs,we found numerous overlaps with pre
107、viously documented malspam infrastructure.This infrastructure served various payloads,including Dridex,over the past year.It was also associated with a phishing campaign targeting Australian-based entities,both private and government.Further research uncovered additional links to a MountLocker ranso
108、mware intrusion in March 2021,via some shared domain registrant information for the domain .More digging revealed another related domain,that resolved to the same IP in an alternating fashion as over several months.Open-source intelligence confirmed that this domain had previously been tagged as a S
109、trongPity C2 server in June 2020.Promethium(aka,StrongPity)is an APT group that has been active since 2012.The group typically uses watering hole attacks as a mechanism to deliver trojanized versions of commonly used utilities.WinRAR,CCleaner,and Internet Download Manager are a few of the utilities
110、that have been maliciously repurposed to distribute the groups malware.While seeking further evidence to prove these two disparate groups cooperated in some capacity,our researchers came across another interesting find.A tweet from The DFIR Report in August 2020 stated that additional ransomware was
111、 being distributed from .This time,the malware belonged to Phobos family,not MountLocker.20BLACKBERRY /2022 THREAT REPORT This raised more questions regarding the connection between these threat groups.Were they related or just sharing the same infrastructure?Had we uncovered some sort of distributi
112、on system?Was an IAB the missing link binding these groups together?An IAB is an entity whose aim is to gain unlawful access into an organizations network.They establish a foothold,usually by installing a backdoor,then sell their ill-gotten access on the dark web.Pricing for their services may range
113、 from as low as$25 USD up to thousands of dollars.After receiving access,buyers will often deploy malware within the victim environment.Although different ransomware groups may share infrastructure,our research during this investigation indicates this was not the case.In numerous instances,a delay w
114、as seen between the initial compromise employing Cobalt Strike and the distribution of additional ransomware.These factors led us to infer that the overlapping infrastructure is not that of MountLocker,Phobos,or Promethium.Rather,it belongs to a fourth group that has acted as a middleman to facilita
115、te the operations of the first three.This arrangement was achieved by either providing/selling initial access,or by the provision of IaaS.Additionally,the domains found throughout this overlapping infrastructure used to resolve to IPs were provided by a singular Bulgarian ASN belonging to Neterra LT
116、D.The fact that all the IPs were clustered together on the same ASN adds credence to the theory that they are owned by one threat group.This group also likely laid the groundwork for the other threat actors to access networks breached by the IAB.CHACHI The BlackBerry Threat Research and Intelligence
117、 Team has been tracking a previously unnamed Golang remote access trojan(RAT)targeting Windows systems.Weve dubbed this RAT ChaChi.This RAT has been used by operators of the PYSA(aka,Mespinoza)ransomware as part of their toolset to attack victims globally.Recently,the malware has been targeting educ
118、ation organizations.ChaChi has been observed in the wild since the first half of 2020 without receiving much attention from the cybersecurity industry.The first known variant of ChaChi was used in attacks on the networks of local government authorities in France.It was listed as an indicator of comp
119、romise(IOC)in a publication by CERT France at the time of the attacks.Since then,BlackBerry analysts have observed more refined versions of ChaChi being deployed by the PYSA ransomware operators.Their campaign focused on educational institutions across the U.S.,which is evident by a recent increase
120、in activity,as reported by the FBI.PYSA Loves ChaChi:a New GoLang RAT21BLACKBERRY /2022 THREAT REPORT ATTACKSTYPES OF22BLACKBERRY /2022 THREAT REPORT RANSOMWAREREVILThe FBI named the Russia-affiliated RaaS group REvil(aka,Sodin or Sodinokibi)as the culprits behind attacks on the worlds largest meat
121、supplier,JBS.These attacks threatened the global food supply chain and serve as a reminder of the vulnerable state of critical infrastructure worldwide.The malware acts as a RaaS,and became prolific after another RaaS group,GandCrab,shut down its operations.Security researchers have identified many
122、similarities and code reuse between REvil and GandCrab.REvil was first advertised on Russian language cyber crime forums and is associated with the threat actor Unknown (aka,UNKN).REvil is most famously associated with recent attacks on the travel insurance industry,Acer,and computer manufacturers.A
123、cting as a RaaS,REvil relies on affiliates or partners to perform its attacks.The REvil developers receive a percentage of all proceeds from ransom payments.Because the ransomware is distributed by different entities,the initial infection vector can vary.Typically,infection is achieved via phishing
124、campaigns,brute force attacks to compromise remote desktop protocol(RDP),or through software vulnerabilities.REvil is also known to be distributed by other malware,such as IcedID.REvil was first advertised on Russian language cyber crime forums and is associated with the threat actor Unknown(aka,UNK
125、N).0%20%40%60%80%100%JANFEBMARAPRMAYJUNJULAUGSEPOCTNOVDECBanksCommercial&Professional ServicesConsumer Durables&ApparelDiversified FinancialsFood,Beverage&TobaccoHealth Care Services&EquipmentInsuranceLegal ServicesPublic SectorReal EstateRetail&Wholesale TradeTransportationUtilitiesFigure 12-Indust
126、ries attacked by REvil,2021 23BLACKBERRY /2022 THREAT REPORT DARKSIDE The DarkSide ransomware variant first appeared in mid-2020.It is distributed as a RaaS that is used to conduct targeted attacks.DarkSide targets machines running both Windows and Linux.It made headlines in 2021 with its attack on
127、the U.S.fuel pipeline system,Colonial Pipeline.DarkSide uses a double extortion scheme,where data is both encrypted locally and exfiltrated before the ransom demand is made.If the victim refuses to pay,their data is published to a site located on the dark web.After the Colonial Pipeline attack,the D
128、arkSide Group stated that it did not intend to affect hospitals or medical facilities,education,not-for-profit,or government systems.The DarkSide Group was reportedly shut down in May 2021,possibly by the U.S.militarys Cyber Command.0%20%40%60%80%100%JANFEBMARAPRMAYJUNJULAUGSEPOCTNOVDECAutomobiles&C
129、omponentsBanksCommercial&Professional ServicesDiversified FinancialsFood,Beverage&TobaccoHealth Care Services&EquipmentInsuranceLegal ServicesMaterialsPublic SectorRetail&Wholesale TradeTechnology-SoftwareTransportationUtilitiesFigure 13-Industries attacked by DarkSide,202124BLACKBERRY /2022 THREAT
130、REPORT CONTI Conti ransomware made international headlines after its initial discovery in mid-2020.BlackBerry researchers have observed Conti attacks against manufacturing,insurance,and healthcare service providers across Japan,Europe,and the U.S.Conti is offered as a RaaS,which is a popular way for
131、 threat actors to distribute and sell their malicious services via underground forums.As this threat is offered as a saleable service,it is customizable and thus its functionality can be altered from one infection to another.Threat actors released a decryptor for this threat in May 2021,which can he
132、lp recover files altered by a specific strain of Conti.Conti has seen a rise in popularity since the infamous ransomware Ryuk apparently ceased operations.Many analysts regard Conti as the ransomware that replaced Ryuk,and consider it to be one of the most troubling ransomware threats in the wild.Ma
133、ny analysts regard Conti as the ransomware that replaced Ryuk,and consider it to be one of the most troubling ransomware threats in the wild.0%20%40%60%80%100%JANFEBMARAPRMAYJUNJULAUGSEPOCTNOVDECBanksCapital GoodsCommercial&Professional ServicesDiversified FinancialsEducationFood,Beverage&TobaccoHea
134、lth Care Services&EquipmentInsuranceLegal ServicesMaterialsPublic SectorRetail&Wholesale TradeTransportationFigure 14-Industries attacked by Conti,202125BLACKBERRY /2022 THREAT REPORT AVADDONThe Avaddon ransomware variant first appeared in early 2020.It made international headlines due to recent att
135、acks against Australian organizations and the Asia-based cyber insurance company,AXA.Both the FBI and the Australian Cyber Security Center have released warnings regarding an ongoing attack by this malware family.Like DarkSide and REvil ransomware,Avaddon also uses a double extortion scheme,where da
136、ta is encrypted locally and exfiltrated before the ransom demand is made.If the victim refuses to pay,their data is published to a site located on the dark web.Avaddon,however,goes one step further.To further encourage compliance,attackers also subject victims to a distributed denial-of-service(DDoS
137、)attack until the ransom is paid.After drawing attention for its role in several high-profile ransomware incidents,the group behind Avaddon seems to be shuttering its current operations.Law enforcement efforts to track down malware operators visibly increased after the attack on Colonial Pipeline,wh
138、ich likewise prompted DarkSide to shut down operations.Avaddon has released the decryptors to the latest version of its threat.Figure 15-Industries attacked by Avaddon,2021 Public SectorRetail&Wholesale TradeTransportationInsuranceBanksCommercial&Professional ServicesHealth Care Services&Equipment0%
139、20%40%60%80%100%JANFEBMARMAYAPRJUNJULAUGSEPOCTNOVDEC26BLACKBERRY /2022 THREAT REPORT RAGNAR LOCKERRagnar Locker ransomware made international headlines for its attacks against a Taiwanese manufacturer of high-performance DRAM modules and NAND Flash products.The first variant of this family appeared
140、in late 2019.Like many other well-known ransomware variants(such as DarkSide,Avaddon,and REvil),the current variant of Ragnar Locker also uses a double extortion technique to encourage victims to pay.Ragnar Lockers dark website lists its latest victims on a self-dubbed“wall of shame”.The threat grou
141、p currently claims to have exfiltrated 1.5TB of data from a high-profile victim.According to the website,this information has been stealthily gathered over a long period of time.HIVE First seen in June 2021,the Hive ransomware family made headlines for attacking commercial real estate software compa
142、ny Altus Group.This threat also employs double extortion techniques.Victims refusing to cooperate with the threat actor risk having their data published to groups site,Hive Leaks.Hive samples are written in the Go programming language and compiled for both 32-bit and 64-bit machines.The samples them
143、selves are UPX packed to reduce their size,as Go binaries tend to be quite large.Ragnar Locker claims to have exfiltrated 1.5TB of data from a single high-profile victim.1.5TBHealth Care Services&EquipmentInsuranceRetail&Wholesale TradeFood,Beverage&TobaccoBanksCapital GoodsCommercial&Professional S
144、ervices0%20%40%60%80%100%JULAUGSEPOCTNOVDECFigure 16-Industries attacked by Hive,2021 27BLACKBERRY /2022 THREAT REPORT INFOSTEALERS REDLINE RedLine is an infostealer malware family that is distributed via COVID-19-themed phishing email campaigns.It was an active threat throughout 2020.In 2021,it was
145、 delivered through malicious Google advertisements and spear phishing campaigns against 3D or digital artists using nonfungible tokens(NFTs).NFTs are digital tokens tied to assets that can be bought,sold,and traded.RedLine is extremely versatile and has appeared as various trojanized services,games,
146、cracks,and tools.Many samples of RedLine also appear with legitimate-looking digital certificates.Once connection to its C2 panel is established,RedLine malware has a wide range of applications and services.In all cases,it attempts to perform illicit exfiltration of victims data.The malware gathers
147、information from web-browsers,file transfer protocol(FTP)clients,instant messengers,cryptocurrency wallets,virtual private network(VPN)services,and gaming clients.It also has remote functionality to drop and execute further malware onto the victim machine.RedLine is an infostealer malware family tha
148、t is distributed via COVID-19-themed phishing email campaigns.0%20%40%60%80%100%JANFEBMARAPRMAYJUNJULAUGSEPCapital GoodsCommercial&Professional ServicesEducationGovernment-State/ProvincialHealth Care Services&EquipmentMaterialsPublic SectorReal EstateRetail&Wholesale TradeTelecommunication ServicesT
149、ransportationFigure 17-Industries attacked by RedLine,2021 28BLACKBERRY /2022 THREAT REPORT AGENT TESLA First seen in the wild in 2014,Agent Tesla is.NET-compiled and contains an array of powerful infostealing features.It was initially available for purchase through a website,with the malwares autho
150、r offering several fixed-term licenses for its use.Since then,the Agent Tesla infostealer has been consistently employed by cyber criminals in various campaigns,often using spam emails to facilitate infection.The malware has evolved to gather information regarding a users Wi-Fi profile,potentially a
151、s a propagation mechanism.This upgrade follows a similar enhancement to the Emotet malware variant,which also received a Wi-Fi spreader module.The Agent Tesla infostealer has been consistently employed by cyber criminals in various campaigns,often using spam emails to facilitate infection.Automobile
152、s&ComponentsBanksCapital GoodsCommercial&Professional ServicesConsumer Durables&ApparelDiversified FinancialsEducationFood,Beverage&TobaccoGovernment-State/ProvincialHealth Care Services&EquipmentPublic SectorInsuranceLegal ServicesMaterialsMedia&EntertainmentTransportationUtilitiesReal EstateRetail
153、&Wholesale TradeTechnology-SoftwareTelecommunication Services0%20%40%60%80%100%JANFEBMARAPRMAYJUNJULAUGSEPOCTNOVDECFigure 18-Industries attacked by Agent Tesla,2021 29BLACKBERRY /2022 THREAT REPORT FICKER Ficker is a malicious infostealer that is sold and distributed on underground Russian forums by
154、 a threat actor using the alias atficker.This MaaS was first discovered in the wild in 2020.Ficker has been previously distributed via trojanized web links and compromised websites.For example,it could direct victims to pages purportedly offering free downloads of legitimate paid services like Spoti
155、fy and YouTube Premium.It has also been deployed via the known malware downloader,Hancitor.Notably written in Rust,Ficker has several targets for its information stealing activities,including:Web browsers Credit card information Crypto wallets FTP clients Other applications Ficker uses anti-analysis
156、 checks,and can deploy further functionality and download additional malware once a system is successfully compromised.Figure 19-Industries attacked by Ficker,2021 Ficker is a malicious infostealer that directs victims to pages purportedly offering free downloads of legitimate paid services like Spo
157、tify and YouTube Premium.0%20%40%60%80%100%JANFEBMARAPRMAYJUNJULAUGSEPOCTNOVDECBanksCapital GoodsCommercial&Professional ServicesConsumer Durables&ApparelDiversified FinancialsEducationFood,Beverage&TobaccoInsuranceMaterialsPublic SectorUtilities30BLACKBERRY /2022 THREAT REPORT HANCITOR Hancitor(aka
158、,Chanitor)was first discovered in the wild in 2013.It spreads via social engineering techniques,such as appearing to be from the legitimate document-signing service DocuSign.Once victims are deceived into allowing its malicious macro code to execute,it infects their systems.Hancitor then connects wi
159、th its C2 infrastructure and attempts to download a wide range of malicious components,according to the needs of the operators campaign.This year,Hancitor has been observed downloading known-malware family Ficker(aka,FickerStealer),as well as a Cobalt Strike Beacon payload.InsurancePublic SectorFood
160、,Beverage&TobaccoBanksCommercial&Professional ServicesDiversified Financials0%20%40%60%80%100%JANFEBMARAPRMAYJUNJULAUGSEPOCTNOVDECFigure 20-Industries attacked by Hancitor,2021 31BLACKBERRY /2022 THREAT REPORT ALL TOP 10 THREATS OCCURRENCES OF THE TOP 10 THREATS IN 2021Figure 21 shows the monthly pr
161、evalence of each of the malware families according to BlackBerrys internal data.TOP 10 VS.THE BLACKBERRY PREDICTIVE ADVANTAGE No one wants to be patient zero for a new threat.By learning everyday lessons from the wide world of threats,organizations dont have to be.With predictive threat detection mo
162、dels,forward-leaning cybersecurity models have moved from legacy detection methods to techniques driven by machine learning(ML).Training ML models extensively on current malware allows AI-driven solutions to predict how threats will appear and behave in the future.BlackBerry solutions,built using Cy
163、lance AI,learn to predict emerging malware families and variants by training on existing samples drawn from the threat landscape.This approach gives AI-driven cybersecurity the ability to detect both known and zero-day threats before they can impact their targets.0%20%40%60%80%100%JANFEBMARAPRMAYJUN
164、JULAUGSEPOCTNOVDECAgent TeslaAvaddonContiDarkSideFickerHancitorHiveRagnarRedLineREvilFigure 21-Prevalence of the top 10 malware threats,2021 32BLACKBERRY /2022 THREAT REPORT Predictive Advantage retroactively measures the period of time an AI-driven model would have detected and prevented a new thre
165、at prior to its discovery.WHAT IS PREDICTIVE ADVANTAGE?Predictive Advantage retroactively measures the period of time an AI-driven model would have detected and prevented a new threat prior to its discovery.For example,if an ML model protects against a threat that appears one year after the models c
166、reation,it scores a predictive advantage of 12 months.The measurement uses an offline local prediction algorithm for testing,without any updates or an Internet connection.This ensures the ML model performs exactly as it did upon its original release date,without enhancements or upgrades.BlackBerry h
167、as performed a predictive advantage test to score our detections against the top 10 malware families described in this annual report.This illustrates how far in advance the AI model offered protection against the largest threats facing our customers in 2021.The AI model represented in this test was
168、created in October 2015.It was deployed with the BlackBerry Protect agent version 1320.The numbers in Figure 22 show how many months in advance our model could have protected customers from each threat before it was discovered.RedLineFickerAvaddonAgent TeslaHiveRagnar LockerDarkSideREvilContiHancito
169、r*007080Figure 22-BlackBerry Predictive Advantage,in months,over the top 10 threats to our customers*NOTE:Hancitor is not represented in the chart as its discovery pre-dates October 2015.33BLACKBERRY /2022 THREAT REPORT SCIENCE DATA34BLACKBERRY /2022 THREAT REPORT AI AND ADVERSARIAL ATTAC
170、KS As the previous examples of Predictive Advantage indicate,artificial intelligence and machine learning can be mighty weapons in the fight against cyber crime.Unfortunately,they also have the potential for misuse or abuse at the hands of sophisticated and unscrupulous actors with malicious intent.
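The adversarial-learning discussion later in this section recommends two countermeasures that push attackers away from white-box attacks and toward slower black-box probing: reduce the precision of what a classifier returns, and throttle how quickly one client can bulk-query it. The Python below is an added example, not BlackBerry's code; its toy classifier, weights, verdict thresholds, query budget and client ids are all assumptions.

```python
"""Hardening a malware classifier's query interface against bulk, iterative
black-box probing. Constructed example: the toy classifier, its weights,
the verdict thresholds and the query budget are placeholders, not BlackBerry
code or a real product's behaviour."""
import math
import time
from collections import defaultdict, deque

VERDICT_LABELS = ("benign", "suspicious", "malicious")


def toy_model_score(features):
    """Constructed stand-in for a file classifier: a logistic function over
    three numeric features (think entropy, import count, section count).
    Returns the raw probability of 'malicious' in [0, 1]."""
    weights = (1.8, -0.9, 0.6)      # assumed weights, not trained on anything
    bias = -0.4
    z = bias + sum(w * x for w, x in zip(weights, features))
    return 1.0 / (1.0 + math.exp(-z))


def quantize_verdict(score, labels=VERDICT_LABELS):
    """Reduce output precision: collapse a continuous score into one of a few
    coarse labels. Two files whose raw scores differ by a small amount receive
    the same label, so a probe that adds tiny changes and watches the output
    gets no signal about which direction is 'more benign'."""
    idx = min(int(score * len(labels)), len(labels) - 1)
    return labels[idx]


class QueryThrottle:
    """Sliding-window query budget per client: at most `limit` verdicts in any
    `window_seconds`. Bulk iterative attacks need thousands of queries, so a
    tight budget makes them impractically slow. `clock` is injectable so the
    behaviour can be tested without sleeping."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._history = defaultdict(deque)   # client id -> timestamps

    def allow(self, client_id):
        now = self.clock()
        recent = self._history[client_id]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # drop timestamps outside the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


class HardenedVerdictService:
    """Both mitigations combined in front of the model: every query is charged
    against the client's budget, and only the coarse label leaves the service.
    The raw score never reaches the caller."""

    def __init__(self, model=toy_model_score, throttle=None):
        self.model = model
        self.throttle = throttle or QueryThrottle(limit=100, window_seconds=3600)

    def query(self, client_id, features):
        if not self.throttle.allow(client_id):
            return {"error": "rate_limited"}
        return {"verdict": quantize_verdict(self.model(features))}


def neighbours_indistinguishable(features_a, features_b):
    """True when two nearby inputs have different raw scores but identical
    coarse verdicts, i.e. the precision reduction hides the difference."""
    raw_a, raw_b = toy_model_score(features_a), toy_model_score(features_b)
    same_label = quantize_verdict(raw_a) == quantize_verdict(raw_b)
    return raw_a != raw_b and same_label


def answered_queries(service, client_id, features, attempts):
    """Count how many of `attempts` queries from one client receive a verdict
    rather than a rate-limit error."""
    replies = (service.query(client_id, features) for _ in range(attempts))
    return sum(1 for r in replies if "verdict" in r)


if __name__ == "__main__":
    fake_time = [0.0]   # frozen clock so the demo is deterministic
    svc = HardenedVerdictService(
        throttle=QueryThrottle(limit=5, window_seconds=60, clock=lambda: fake_time[0]))
    print(neighbours_indistinguishable((1.0, 1.0, 1.0), (1.05, 1.0, 1.0)))  # True
    print(answered_queries(svc, "client-a", (1.0, 1.0, 1.0), 20))          # 5
```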
171、Consider the case of deep learning,one of the most hyped technologies of the past decade.Despite its promise for industry,it also introduces another target for threat actors to compromise.DEEP LEARNING AND ADVERSARIAL ATTACKS Over the past decade,the rise of deep learning(aka,neural networks)has pro
172、vided a massive boon to technical industries.This disruptive technology has enabled companies to improve products and optimize key performance indicators by uncovering patterns previously hidden in their internal data.These algorithms have allowed companies to reallocate manpower away from tedious a
173、nalytics tasks:specifically,those tasks in which huge quantities of rule sets or other heuristics were manually generated.Unfortunately,this progress has come at a cost.An entire field known as adversarial learning has emerged as a threat to all products employing predictive algorithms.The primary g
174、oal of this field is to discover ways neural networks can be taught to fool other predictive algorithms by subtly changing input data.As an example,adversarial algorithms have been used to determine how to apply small patches of tape to a stop sign to render it invisible to classification algorithms
175、.For imagery or audio,adversarial attacks can be used to make nearly undetectable changes to a sample to fool otherwise highly accurate prediction algorithms.In cybersecurity,these algorithms have been used to modify malicious files to allow them to bypass both heuristic and ML-aided defenses.It is
176、not simple to make arbitrary changes to files(which have their own structure and structural rules),so most of these attacks use a bulk iterative strategy.Using this technique,algorithms make thousands(or even hundreds of thousands)of small additions to a file that individually have no impact on its
177、functionality.However,each change can nudge a predictive algorithms decisions on threat classification in the benign direction.Concerningly,the files generated by these adversarial algorithms seem to be capable of being transferred between models.This means an attack trained on one defense might be
178、capable of bypassing dozens of commercial cybersecurity products.In spite of the danger posed by these algorithms,the pace of research in this area is accelerating,largely due to misaligned incentives.Deep learning is an extremely competitive and popular field,giving academics and large technology c
179、ompanies strong motivation to publish as much research as possible.As a result,the field of An entire field known as adversarial learning has emerged as a threat to all products employing predictive algorithms.35BLACKBERRY /2022 THREAT REPORT adversarial attacks is extremely active.For example,a sea
180、rch for adversarial attacks on Google Scholar for 2020 returns thousands of entries,of which a few hundred focus on cybersecurity.Similarly,ML engineers looking to interview at high-level tech companies are usually encouraged to create useful open-source packages to demonstrate their skills.A quick
181、search for adversarial learning across GitHub yields nearly 5,000 separate repositories,some with over 1,000 stars(or likes).Career-based incentives have had the net effect of democratizing and commoditizing adversarial algorithms,making them ubiquitous and reducing their barrier to entry.ALGORITHMI
182、C DEFENSES A secondary field dubbed adversarial learning or adversarial defenses was created not long after adversarial attacks were discovered.These defenses often focus on ways to architect or train models,or preprocess data beforehand,to mitigate the effects of adversarial attacks.This field is s
183、till playing catch-up in terms of its overall efficacy.No adversarial defense appears to be robust in white-box attacks where the attacker has full knowledge of the type of model and defense(s)being employed.However,many adversarial defenses appear to be fairly robust to black-box attacks.Thus,organ
184、izations can prevent white-box attacks and force attackers to rely on less efficient black-box attacks by using a couple of techniques.They can obfuscate the output of a defense,typically by reducing its precision,or throttle the ability of attackers to bulk query a defense.As mentioned previously,a
185、dversarial examples are often transferable,and are potentially capable of evading numerous defenses,as recent publications have confirmed.However,these attacks only evaded products that didnt employ adversarial defenses generated by deep learning.BlackBerry has internally verified that attacks gener
186、ated in this manner are unlikely to bypass models utilizing multiple robust deep learning defensive schemes.Also,adversarial attacks on files need to rely on iterative approaches that are not typically used in other areas(such as on visual or auditory models).As a result,many open-source adversarial
187、 attack toolkits cannot be easily modified to focus on cybersecurity defenses.Unfortunately,a perusal of GitHub yields a few pages containing what appear to be amateur efforts at generating adversarial examples.This does not bode well for what may follow as the field matures.36BLACKBERRY /2022 THREA
188、T REPORT OUTLOOK In the near term,the outlook in this area is mixed.The field of adversarial attacks is still white-hot,and open-source software has greatly lowered the barrier to entry for people looking to generate adversarial examples.The amount of expertise necessary to generate bypasses is stil
189、l quite high.Given this,we do not expect widespread use of this technology in the next one to two years.Any open-source adversarial packages will still likely need to rely on bulk approaches to generating attacks.This means cybersecurity companies have a reasonable path forward,which can be summariz
190、ed as follows:Hire people who understand adversarial deep learning Employ multiple robust defensive schemes(even for products using heuristic defenses)Keep defensive schemes secret/internal-only Prevent attackers from rapidly querying defenses to find subtle holes Nothing in security is guaranteed.H
191、owever,for organizations that follow these rules,adversarial attacks should prove to be a manageable threat vector in the near term.37BLACKBERRY /2022 THREAT REPORT CYBERSECURITYINSIGHTS38BLACKBERRY /2022 THREAT REPORT 38BLACKBERRY /2022 THREAT REPORT INCIDENT RESPONSE YEAR IN REVIEW AND TRENDS Rans
192、omware has continued to take center stage for the BlackBerry Incident Response Team over the last year.As discussed in the BlackBerry 2021 Threat Report,the double extortion strategy of ransom and data exfiltration has now become the norm.In fact,the trend has escalated,with instances of triple(addi
193、ng harassment)and quadruple(disruptive attacks such as DDoS)extortion occurring.As a result of these expanding threat actor strategies,there is an increasing spike in public data leakage.Evolving extortion methods have created a close alignment between the tactics used by nation-state APT threat act
194、ors and profit-seeking criminal organizations.Their approaches and operational goals are strikingly similar,although their core motivations,levels of technical expertise and methods of execution often vary.As such,the vast majority of attacks that occur today follow a similar attack pattern,as detai
195、led in Figure 23.Figure 23-Typical threat actor attack flow One main difference between APT groups and ransomware organizations is how long each group plans to stay active in the environment.This,in turn,affects how covertly they behave.APT groups frequently plan for long-term residence in a victims
196、 environment.Ransomware groups are more like smash-and-grab home invaders.For example,APTs often prefer to“live off the land”by using legitimate system resources so their activity is hard to distinguish from daily operations.They take their time to carefully study an environment and understand the s
197、ecurity measures in place before executing any malicious actions.Ransomware attacks are more opportunistic and therefore operate more quickly and recklessly.As a result,they typically generate more noise for an endpoint protection platform(EPP)and endpoint detect and response(EDR)tooling to detect.F
198、or example,they may use tools such as PowerShell,Windows batch scripting,or WMI to attempt to disable antivirus products,backup solutions,and other system processes.Another key difference is that nation-state groups are often looking for specific information to exfiltrate.They may use it for intelli
199、gence purposes,often in pursuit of political or economic advantage.Conversely,ransomware groups often look for anything valuable that could increase the likelihood of getting paid.Frequent favorites include targeting databases that may contain customer or financial information.InitialCompromiseEstab
200、lishFootholdEscalatePrivilegesInternalReconMoveLaterallyExfiltrateDataEncrypt39BLACKBERRY /2022 THREAT REPORT In the public eye,size really does matter when it comes to headlines and data leakage.Therefore,profit-seeking threat actors will attempt to grab as much as they can while they are in the sy
201、stem or network.As a result,BlackBerry has observed some automated“scatter-gun”approaches to data exfiltration by ransomware groups over the last year.Some showcase nicely engineered scripts targeting specific file types to collect:typically Microsoft Word,Excel,and PDF documents that are under a ye
202、ar old.Stolen data is then uploaded to the attackers infrastructure.In other instances,BlackBerry identified threat actors attempting to compress entire shared drives from the top level within corporations in attempts to grab everything available.Along with ransomware groups like Conti,DarkSide,Blac
203、kMatter,and others currently making headlines,there is a new influx of ransomware operations occurring through RaaS.BlackBerry has observed several incidents where companies were attacked using a variant of a well-known ransomware.However,the tactics,techniques,and procedures(TTPs)utilized by the at
tacker lacked sophistication or depth. In multiple incidents, BlackBerry identified threat actors leaving behind playbook text files containing IOCs with exact commands, IP addresses, target lists, and more. This suggests that the authors of these sophisticated ransomware families are not the ones actually carrying out the attacks.

Financially motivated attackers still focus on low-hanging fruit when it comes to the initial compromise phase of their attack. Unfortunately, there was an overabundance of targets last year due to the continued use of older technologies and infrastructure in victim environments, such as on-premises servers. For example, ProxyLogon and ProxyShell, common names for two sets of vulnerabilities impacting many on-premises Microsoft Exchange Servers, were widely exploited throughout 2021. The HAFNIUM APT group was first to exploit the vulnerabilities in multiple organizations. After publication of the ProxyLogon vulnerability and proof-of-concept exploits, other threat actors began rapidly scanning and infecting numerous on-premises Exchange hosts. Threat actors exploiting these vulnerabilities often implanted additional backdoors, commonly in the form of China Chopper web shells, an increasingly popular web shell that packs a powerful punch in a small package.

Externally accessible RDP continues to be an enduring favorite; however, it is becoming less common compared to other techniques. Vulnerabilities impacting vendor appliances, especially VPNs, firewalls, and perimeter network devices, remain the root cause of many incidents. While these vulnerabilities are often dated and well documented, BlackBerry observed several incidents where devices remained unpatched. In other cases, previously vulnerable network appliances were patched, but not until after they were already compromised. These incidents resulted in credentials being stolen or backdoors being installed. The sheer number of compromised environments and credentials has bolstered flourishing dark web marketplaces, where premiums are placed on domain administrator accounts. However, it is not difficult to find company or private credentials that are available for free as well.

In addition to the previously mentioned techniques, BlackBerry observed multiple incidents involving watering hole attacks. Watering hole attacks provide threat actors with a unique way to obtain a foothold and establish persistent access into an environment. These attacks targeted users performing legitimate searches for business-related material, a common workplace practice. In these
incidents, search results returned the watering hole URL near the top of the first page of a Google search. The watering hole site presented the user with what appeared to be a helpful forum post containing a link to exactly what they needed. It included several fake comments claiming that the linked-to file was an exact match for their query. If users opened the weaponized document, however, malware would download and install a Cobalt Strike Beacon, giving threat actors a foothold in the environment.

REvil is one of the best-known attack groups currently using this ploy. This threat group was initially identified in 2019. They are one of the dominant ransomware groups, claiming responsibility for some of the more infamous ransomware attacks of the past few years. They were also closely linked to the DarkSide group, which was responsible for the Colonial Pipeline attack. The Russia-linked group has been under scrutiny recently and has gone underground on numerous occasions, only to reemerge.

The increasing use of Cobalt Strike is another trend observed over the last year. BlackBerry has witnessed it being leveraged as a highly effective and popular post-exploitation toolkit for several years. Its abuse has continued to increase to the point that it is not uncommon to find evidence of its usage during an incident response engagement. For those unfamiliar with it, BlackBerry recommends reviewing our authoritative new book on Cobalt Strike, Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence, published by the BlackBerry Threat Research and Intelligence Team in November 2021.

ATTACK LIFECYCLE

The BlackBerry Red Team analyzes the entire attack lifecycle as part of our mission and portfolio of service offerings. Our end-to-end adversarial simulation provides
a unique threat actor perspective by allowing us to observe the effectiveness of different defenses in a variety of organizations. These experiences have prompted us to reveal some of the most common attacks and effective defenses we encounter.

INITIAL RECONNAISSANCE

The initial recon that an attacker performs can be passive, active, or both. Since passive recon does not touch any of the target's systems, it can be difficult to detect. However, once the recon moves to more active and intrusive activities, such as probing systems for vulnerabilities, defenders should be alerted. Key defensive strategies for this phase involve knowing your organization's assets, proactive scanning, patching, monitoring, and attack surface reduction.

INITIAL COMPROMISE AND ESTABLISHING THE FOOTHOLD

Once a vulnerability is discovered during the recon phase, attackers exploit the vulnerability and establish presence on the host. From there, threat actors can regain entry at a later point and pivot to other systems in the network. This activity is something that organizations should detect and block via a layered defense of AI-based network and host visibility and blocking.

ESCALATION

Attackers typically gain access equivalent to that of the application they exploited, and use that to compromise the host. This is one of many reasons why the principle of least privilege matters. In addition to following best practices, EPP software should contain layers of defense, including script blocking and memory protection. The goal is to make it extremely difficult for an attacker to achieve each step in the attack lifecycle. Slowing the adversary's progress also buys time for the defenders to detect and block the attack.

Figure 24 - Typical attack lifecycle: Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission.

INTERNAL RECON AND LATERAL MOVEMENT

Once an attacker gains sufficient privileges, they will move through the network and position themselves to achieve their goal. One
of the best defenses in this situation is to employ network segmentation and watch for anomalies resulting from the use of stolen credentials. In this phase, defensive teams can greatly benefit from using AI-powered defensive technology, such as continuous authentication using passive biometrics. These passive biometrics are low user-burden activities, such as keyboard and mouse usage patterns, that uniquely identify users. An ML algorithm can be applied to this metadata to create a risk score. Organizations can then take actions, such as forcing re-authentication or blocking the user, when the risk score exceeds the organizationally defined threshold.

COMPLETE THE MISSION

Before the BlackBerry Red Team conducts an adversarial simulation exercise, we jointly define the goals with our clients. This almost always includes some sort of data (or flag) exfiltration, since many threat actors are financially motivated. Threat actors can get paid in many ways, such as selling stolen data, threatening to sell stolen data, or unlocking encrypted data.

TAKEAWAY

Here are some helpful universal truths to remember regarding the attack lifecycle and cyber kill chain:

- Be proactive. The "further to the left" you are in the attack lifecycle (see Figure 24), the easier and cheaper it is to discover and fend off an attack.
- Anything less than around-the-clock monitoring is not sufficient.
- The mission of most threat actors today is to exfiltrate data and launch ransomware for profit.
- AI-based defenses help organizations avoid becoming patient zero and are immune to the lag time from signature writing that occurs with traditional defenses.
- Defensive efforts must always be continuous, due to newly discovered vulnerabilities and an ever-evolving threat landscape.
- Prevention is key. The ability to recover from backups does not address
the double extortion tactic derived from attackers threatening to sell stolen data.

PROTECTING CRITICAL INFRASTRUCTURE

Every organization, in every vertical industry sector, runs the risk of breach, ransomware deployment, and extortion. However, few carry the same real-world risk from cyberattacks as those in the critical infrastructure sector. The public expects that utilities such as power, gas, water, and waste treatment will always be able to provide these necessary services. As a result, these organizations are significantly motivated to meet these expectations, which makes them lucrative targets for ransom and extortion. Unfortunately, the challenges for this sector don't stop at being high-value targets. The following factors often compound the problem:

- Older, inherently vulnerable, and sensitive devices
- Legacy operating systems
- The need for offline/disconnected environments

Many critical infrastructure systems and devices have been around for a long time and were originally designed for serial communication, but later adapted to ubiquitous TCP/IP networks. This adaptation of connectivity may not necessarily include a security upgrade. Since these environments can be difficult and expensive to modernize, they typically run older, and usually unsupported, operating systems. Often, the need to protect the environments results in segmentation from other networks, and hopefully the Internet as well. However, this segmentation poses additional management and protection challenges. In summary, protections need to be extended to older devices, running legacy operating systems, that are disconnected from networks and the Internet.

One possible solution is the use of machine-learning-based endpoint protection that lives on the endpoint itself. This type of endpoint protection platform (EPP) software can run on legacy operating systems such as Windows XP/2003. If it is lightweight, it won't overtax antiquated hardware. The localized math model must be designed to avoid the constant need for deploying signature updates. Legacy AV software requires signatures to be written for the latest threats and released as often as every hour. This is difficult to keep up to date, even on modern hardware and Internet-connected hosts. This makes it
a poor fit for critical infrastructure that is disconnected and would require a "sneakernet" approach to distribute signature updates. AI-based defenses allow a much longer wait time before requiring updates, as they identify threats using millions of attributes rather than known signatures. Critical infrastructure is a challenging environment to secure, but the situation is not hopeless. Like other industry sectors, it simply needs to evolve beyond reliance on legacy defensive technology that cannot scale to prevent modern cyberattacks.

PREVENTION-FIRST AI

AI and ML offer many capabilities and advantages for protecting organizations from cyberattacks. While the terms AI and ML are often used interchangeably, they are different concepts in certain key aspects. AI describes the ability of computers and machines to perform activities that imitate intelligent human behavior. ML is a subset of AI that relies on mathematical algorithms to achieve AI behavior and functionality. The process behind training ML requires access to vast amounts of historical data as a base for its learning. Through multiple phases, new data is introduced to improve the ML model's learning functions before it ultimately becomes a component of AI. In fact, ML is only one of six branches of AI. The other branches are neural networks, expert systems, natural language processing, fuzzy logic, and robotics.

BlackBerry's Cylance AI, for example, combines ML and neural networks to identify and prevent cyberattacks before they execute. Because the AI security agents are well-trained
and extremely lightweight, they can reside upon users' endpoints without impacting resources. These on-device security agents protect devices whether they are online or offline. BlackBerry has put considerable research and development funding and effort into developing its Cylance AI. We hold hundreds of patents in AI, ML, security, and forensics, which puts us alongside other leading AI-centric companies such as Google, Facebook, and Amazon.

Figure 25 - Six Branches of AI: Machine Learning, Neural Networks, Expert Systems, Natural Language Processing, Fuzzy Logic, Robotics.

ML is classified into two different categories: supervised and unsupervised. These classifications describe the ways ML models learn to classify input data into the correct output assumptions; in other words, how they make accurate predictions.

Supervised learning is an assisted process where the math algorithm is guided to predict the outcomes from the input of a data training set. With this method, humans supervise the ML by manually labeling the training data sets. Supervised ML is like a child learning to ride a bike with training wheels. The parent offers guidance until the child is ready to remove the training wheels and ride on their own. Supervised learning requires incredibly large amounts of training data and guidance before the math models can assess the inputs and return the desired outputs.

Unsupervised ML classifies data into the correct output assumptions without human intervention or labelled data. Unsupervised learning is usually the second stage of training math models, after they ingest vast amounts of input data from supervised training sets. This phase allows data scientists to see how math models run on their own, and how well they create the desired outputs. Going back to the bicycle allegory, unsupervised learning is the parent removing the training wheels and seeing how well a child rides the bike unassisted.

At BlackBerry, our AI math models use both supervised and unsupervised ML to train on identifying a good binary, and differentiating it from a bad one. The data sets are extensive and based upon millions of file features. When determining the danger posed by a file, its features (everything that makes up the file) are extracted to essentially provide its digital DNA. These features are correlated across approximately 2.7 million others that our math models have previously trained upon. By training on such a large set of file features, Cylance
AI has learned to quickly identify what is a good or a bad (aka malicious) file. BlackBerry Protect, built using Cylance AI, can perform this feature correlation within 100 milliseconds or less, and, most importantly, it can do it pre-execution. That means it stops the threat before it can run. This allows BlackBerry Protect to stop malicious files from executing, whether they are known malware or a never-before-seen threat. This ability to stop emerging and zero-day malware is called the BlackBerry Predictive Advantage. It is achieved by the accuracy of our math models, which can correctly identify malicious files, often years before they are seen in the wild.

HOW IS FEATURE EXTRACTION/VECTORIZATION ACCOMPLISHED?

For machines to interpret the ML associations of feature extraction and produce an output, vectorization has to occur. Vectorization is the process of converting input data into mathematical vectors using a format readable by ML algorithms and computers. Vectorization has been around since computers were first built. It is how ML math models can correlate and cluster good file features from bad. It formats file feature information in a way computers and math models understand, and allows them to provide output. When a file feature, such as code expected in a specific area of memory, is extracted from a file, it is converted into a mathematical value of 1s and 0s. This allows the ML algorithms in BlackBerry Protect to determine whether a file is safe. If so, it is cleared for execution, but malicious ones are blocked and quarantined.

It should be noted that BlackBerry Protect, in the beginning phases of the algorithm learning process, identified approximately 300 million file features. This has since been distilled down to 2.7 million critical features it can use to categorize and label file safety. Features refer to both what is found in files and what is expected. For example, if particular data is expected to appear in a specific part of a file's DNA but is not there, that is also a feature. Well-trained AI offers an incredible advantage over human counterparts for performing this type of analysis and predictive work. A human analyst might take considerable time to identify 150 to 200 features of a file.
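As an added illustration (not BlackBerry's own code), the vectorization step the section describes, applied to a PE file: a fixed list of features, several of them "expected" structures whose absence is itself a feature, is mapped to a 0/1 vector, and two constructed samples are compared. The header offsets follow the PE/COFF format; the feature list, the sample files and the Hamming comparison are assumptions for illustration and not the Cylance feature set.

```python
"""Feature extraction and 0/1 vectorization of a PE file. Added illustration, not
BlackBerry's code: the feature list and sample files are constructed assumptions."""
import struct
from math import log2
from typing import Dict, List, Tuple

# Fixed feature order = the vector layout the model consumes. Several features encode
# data *expected* in a well-formed executable, so a 0 (absence) is itself a signal.
FEATURES: List[str] = [
    "has_mz_header",            # b"MZ" at offset 0
    "nt_headers_in_bounds",     # expected: e_lfanew points inside the file
    "has_pe_signature",         # b"PE\0\0" at e_lfanew
    "section_count_1_to_8",     # ordinary binaries have a handful of sections
    "has_text_section",         # expected: a ".text" code section exists
    "entry_point_in_section",   # expected: entry RVA lands inside a section
    "no_high_entropy_section",  # expected: no near-random (packed) section data
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = (data.count(bytes([b])) for b in set(data))
    return -sum(c / n * log2(c / n) for c in counts)

def extract_features(pe: bytes) -> Dict[str, int]:
    """Walk the PE headers defensively; anything missing or truncated stays 0."""
    f = {name: 0 for name in FEATURES}
    f["has_mz_header"] = int(pe[:2] == b"MZ")
    if len(pe) < 0x40:
        return f
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4                      # COFF header follows the signature
    if coff + 20 > len(pe):
        return f                             # nt_headers_in_bounds stays 0
    f["nt_headers_in_bounds"] = 1
    f["has_pe_signature"] = int(pe[e_lfanew:coff] == b"PE\0\0")
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    f["section_count_1_to_8"] = int(1 <= nsec <= 8)
    # AddressOfEntryPoint sits 16 bytes into the optional header (coff + 20 + 16).
    entry_rva = struct.unpack_from("<I", pe, coff + 36)[0] if coff + 40 <= len(pe) else 0
    sec_table = coff + 20 + opt_size
    max_entropy = 0.0
    for i in range(nsec):
        hdr = sec_table + 40 * i
        if hdr + 40 > len(pe):
            break                            # truncated section table
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if name == b".text":
            f["has_text_section"] = 1
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            f["entry_point_in_section"] = 1
        max_entropy = max(max_entropy, shannon_entropy(pe[rawptr:rawptr + rawsize]))
    f["no_high_entropy_section"] = int(max_entropy < 7.0)
    return f

def vectorize(pe: bytes) -> List[int]:
    """The 1s-and-0s representation handed to the ML algorithm."""
    feats = extract_features(pe)
    return [feats[name] for name in FEATURES]

def hamming_distance(a: List[int], b: List[int]) -> int:
    """Number of differing features; a stand-in for the model's scoring."""
    return sum(x != y for x, y in zip(a, b))

def build_pe(sections: List[Tuple[bytes, int, bytes]], entry_rva: int) -> bytes:
    """Assemble a minimal PE32-shaped file as constructed test input (not a real binary)."""
    opt = bytearray(224)                     # zeroed PE32 optional header
    struct.pack_into("<I", opt, 16, entry_rva)
    headers_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, data = bytearray(), bytearray()
    for name, vaddr, raw in sections:        # (name, virtual_address, raw_bytes)
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", len(raw), vaddr, len(raw), raw_ptr + len(data))
        table += bytes(16)                   # relocs, line numbers, characteristics
        data += raw
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    return bytes(dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + bytes(data)

# Constructed samples: a benign-looking layout versus one lacking expected features.
CLEAN = build_pe([(b".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10" * 64),
                  (b".data", 0x2000, b"Hello, world\0" * 8)], entry_rva=0x1004)
SUSPICIOUS = build_pe([(b"UPX1", 0x1000, bytes(range(256)) * 4)],  # no .text, random data
                      entry_rva=0x9000)                            # entry outside sections

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(label, vectorize(sample), hamming_distance(vectorize(sample), vectorize(CLEAN)))
```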
Trained ML algorithms can identify, correlate, and assess millions of file features and determine a file's threat probability within milliseconds.

A PREVENTION-FIRST APPROACH TO SECURING AN INCREASINGLY HYBRID WORKFORCE

It's tempting to blame the massive increase in cyberattacks over the past 18 months on the COVID-19 pandemic and the resulting shift to a distributed workforce. A recent IBM survey seems to support this view:

- 58 days longer to identify and contain a breach when 50% or more of employees work remotely.
- $1.07M increase in breach costs (from $3.89M to $4.96M) when remote work was a factor.

It's true that expanding the corporate network to encompass the home environment and personally owned devices creates new security gaps for adversaries to exploit. But if our current security technologies and practices were robust enough to scale gracefully, the transition could have been much less disruptive for many organizations than it turned out to be. Spear phishing and credential abuse were major problems before the pandemic. They continue to account for most breaches today. VPN and virtual desktop infrastructure products were vulnerable to exploitation before COVID-19. They still are today. It's the same story with unpatched servers and threats caused by malicious insiders, or by users practicing poor cyber hygiene.

The real problem is that current security approaches are unsustainable because they are inherently reactive and unrealistic. A human resources employee responsible for examining resumes all day should not be expected to know when a document is weaponized, and avoid opening it. SecOps and NetOps professionals responsible for protecting a complex and rapidly changing infrastructure should not be expected to anticipate and manually quash every possible attack. The problem cannot be solved by training every employee to also become a cybersecurity expert. It cannot be fixed by adding yet another security tool or layer to a fundamentally reactive security architecture.

BlackBerry believes that a more realistic solution is to transition to a prevention-first security strategy. By leveraging intelligent solutions that focus on impairing and impeding cyberattacks, employees can focus on the jobs they were hired to do. At the device level, this means traditional blocking and tackling. Vulnerable systems should be patched and updated. Reactive, signature-based defenses should be replaced with AI-powered endpoint protection that prevents the execution of known and zero-day malware. Next, user-focused security controls should be deployed at every enterprise network and cloud application ingress point to prevent remote employees from intentionally or accidentally abusing their credentials or violating security policies. Each user's access to resources should be controlled dynamically, based on real-time risk assessments of their current behavior. To preserve productivity, this continuous authentication process should be as transparent to users as possible, but permit no workarounds or evasions. Tools that rely on static rules-based analysis cannot achieve this. It's simply not possible to devise rules that anticipate every gradation of risky or anomalous behavior. And the retrospective analysis they often produce comes too late to prevent exploitation. That requires solutions built with AI that learn how to assess risks and prevent exploitation proactively, not respond after the fact when damage is already underway. Properly implemented, a prevention-first strategy preserves the flexibility and productivity benefits of having a remote or hybrid workforce
in the first place. Prevention and productivity in balance: the best of both worlds.

EXTENDED DETECTION AND RESPONSE

Security teams today face numerous challenges. Attackers are swiftly executing more sophisticated, stealthy, multi-vector attacks across multiple attack surfaces, including endpoints, the cloud, networks, apps, and mobile devices. Endpoint detection and response (EDR) solutions created a defensive blueprint by delivering powerful threat detection and incident response capability for endpoints. However, more proactive and comprehensive protection is needed across the entire attack surface. This demand has driven the creation of XDR. It is an evolution of EDR, unifying protection at the endpoint with other security tooling. It gives security analysts improved visibility and high-efficacy detection, as well as more effective correlation, investigation, and response.

WHAT IS XDR?

XDR products are, at their core, about data inclusion and enrichment strategies. This means that they incorporate information gleaned from their own product platforms, and integrate it with telemetry ingested from partners and other sources. This data is combined to create additional context, which is shared as actionable cyberthreat intelligence (CTI) within their product. When leveraged for threat hunting, combining this novel intelligence allows XDR vendors to improve product capabilities and increase market opportunities. This threat intelligence enables products to proactively remediate risks, and then inform customers of the actions taken to protect their organizations. Better threat intelligence also allows product development to be proactive to customer needs and asks.

WHAT ARE THE BENEFITS OF XDR?

Enriched threat intelligence, gathered across the entire attack surface, can be contextualized to improve human and automated response actions. For example, a security analyst may lose considerable time sifting through alerts and threat data reported from multiple sources. An XDR platform could intelligently correlate threat data from across the environment and forward high-value information to analysts while filtering out noise. With enriched XDR data, the analyst has a better understanding of the environment and more time to make informed and effective security decisions.

XDR vendors like BlackBerry understand data and its meaning to the security community and to our customers, regardless of structure, origin, or location. We persist data in a structure that supports easy shared access and processing, so it can be utilized by all portions of our platform. XDR vendors can ensure they offer the highest fidelity event alerting by having experts who understand and vet the data flowing in from multiple sensors. Professionally curated data allows for automated responses to prevent threats and provide remediation that continues to improve even as attacks grow more sophisticated.

HOW IS XDR DIFFERENT FROM SIEM?

The security operation center (SOC) team's typical approach of having security information and event management (SIEM) on top of all detection products has many shortcomings. SIEM solutions are good for collecting and storing logs to help with compliance and forensic use cases, but cannot generate high-fidelity detection alerts. SIEM solutions do not produce and collect data natively. They simply consume data, without gathering or considering context. SOC teams must manually collect and correlate telemetry produced in silos, which results in low-fidelity alerts. A new architectural approach is required to solve some of these modern SOC issues. This is where XDR comes into play. A vendor's sensor and security agent produce and collect most of the telemetry across the attack surface and centralize it into a cloud platform. This provides a repository of valuable threat data without requiring manual data ingestion, correlation, and enrichment. When incidents occur, SOC analysts are often forced to squander critical response time manually stitching telemetry together to build the timeline summary necessary for determining an attacker's intent. XDR solutions can enable automated threat hunting with pre-built attack stories. This automation reduces the time needed to detect and respond.

WHAT SHOULD A GOOD XDR SOLUTION HAVE?

XDR is a
platform that unifies the capabilities of numerous disparate products into a single, simple, robust, and customizable experience. It represents the amalgamation of intelligence across native and third-party products, allowing for necessary response capabilities. In short, effective XDR products should:

- Be customizable
- Allow aggregation of alerts
- Have response capabilities
- Have pertinent integrations
- Allow both native and cross telemetry
- Provide an excellent user experience

Of course, even the best XDR solutions cannot stop threats by themselves. Some XDR platforms may include prevention-first technologies, AI-assisted analysis, and automation, but human specialists must still determine what qualifies as a threat in their environment. All of the threat telemetry XDR gathers from primary and third-party solutions must ultimately be interpreted by trained analysts. This can make managed XDR services an appealing option for organizations operating with smaller cybersecurity budgets.

THE EVOLUTION OF MANAGED DETECTION AND RESPONSE SERVICES

Increasingly complex and sophisticated cyberthreats are changing the way organizations approach cybersecurity. Some attackers are shifting their target focus from compromising infrastructure to exploiting individuals through increases in targeted phishing campaigns. This change, among others, means traditional defenses are inadequate for addressing the myriad threat vectors exploited by contemporary adversaries. Organizations looking for detection and response partners today need vendors who can address a wide variety of advanced cyberattacks. A brief look at the threat landscape shows that organizations face an uphill battle:

- 667 million new malware detections were discovered worldwide in 2020.
- There was a 600% increase in cyber crimes due to the COVID-19 pandemic.
- 4 million additional cybersecurity workers are needed globally.
- 1 million daily security alerts are seen in 25% of SOCs.

Organizations are operating in an environment of constant change while threat actors quietly stalk them, looking for an opportunity to strike. Organizations must find a way to forge ahead without leaving themselves open to opportunistic cyberattacks. Managed detection and response (MDR) services can help organizations safely navigate the troubled waters of insecure technology and a hybrid or mobile workforce. MDR platforms offer 365x24x7 professional support for intrusion detection, incident response, and threat elimination.

The HAFNIUM attack of January 2021 offers a perfect example of how MDR assists organizations. During the campaign, at least 30,000 organizations in the U.S. were compromised by a Chinese cyber espionage unit known as HAFNIUM. These attacks were largely automated, and targeted unpatched Microsoft Exchange Servers. An MDR team could combat HAFNIUM by gathering and extensively researching all available threat intel feeds. Collected information might include IOCs, command lines, running processes, registry keys
, DNS requests, and more. The MDR team would then perform additional threat hunting. For example, BlackBerry teams would continue searching for threats by using tools like InstaQuery, which is carried out via API.

Through information gathering and threat hunting, an experienced MDR team can quickly identify a specific cyberthreat. They quickly provide their customers with remediation instructions and best practices, as well as offer updates as more information becomes available. Proactive MDR teams could even set up a series of HAFNIUM-specific rules directly in an EDR tool, for example rules applying the techniques found in the MITRE ATT&CK framework.

Given the evolving and sophisticated threat landscape, the need for analysts to have holistic visibility and telemetry across security tools has increased. Managed XDR builds on the MDR services framework by incorporating XDR visibility across the enterprise. XDR platforms unify security-relevant endpoint detections by collecting and contextualizing threat telemetry across third-party tools. For example, an XDR platform might collect and analyze data from network sources and SIEM, email security, identity and access management, next-generation firewall, and more. Managed XDR is cloud-native and built on a Big Data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation. A managed XDR can offer SMBs a level of protection that few organizations can otherwise afford. For example, a managed XDR may provide:

- 365x24x7 threat monitoring across the environment, endpoints, and users
- Rapid incident investigation and mitigation
- Expert threat identification and hunting across all attack surfaces
- Advanced cybersecurity solutions that harness the predictive power of AI and ML
- Technical experts and experienced cybersecurity analysts

Managed XDR can offer organizations around-the-clock access to seasoned cybersecurity professionals using state-of-the-art threat detection and response tools. This can give organizations considerable peace of mind and allow them to focus on their primary mission instead of worrying about cyberattacks.

EXPANDING THE ROLE OF NETWORK SECURITY AND AI/ML IN PREVENTING ZERO-DAY ATTACKS

The network has been the carrier of the most targeted and highly exploited vulnerabilities of 2020 and 2021. In 2020, several of these vulnerabilities affected remote work, VPNs, or cloud-based technologies. In 2021, malicious cyber actors continued to target and compromise perimeter-type devices. Highly exploited vulnerabilities were discovered in many popular cyber platforms, including those of Microsoft, Pulse, Accellion, VMware, and Fortinet. This run of successful attacks resulted in an increased focus on securing and protecting network connectivity. Organizations are turning to newer cybersecurity approaches such as Zero Trust Network Access (ZTNA), Secure Access Service Edge, and XDR. At a macro level, the MITRE ATT&CK framework has also provided resources that improve the attack coverage for network-specific vulnerabilities. Zero-day attacks have encouraged security analysts to combine defenses and technologies to strengthen security measures. Among the approaches being used are:

- Prevention-first technology
- Protection-first approaches
- Signature-based analysis
- AI- and ML-based anomaly and threat detection in the network layer
- Advanced correlation across multiple telemetry sources

The network fabric is also facing major changes. VPN solutions that are IPSec-based have been a flash point for several recent exploits, highlighting the necessity for secure and modern TCP/IP stacks. Similarly, a purely signature-based approach to malware requires at least one user to become infected so a malicious sample can be obtained. This has driven the rise of AI and ML approaches, which can analyze threats in the network layer and prevent zero-day attacks.

THE ROLE OF AI AND ML

In network threat detection, AI and ML play an important role by modeling the normal behavior of the organization and its users. They then detect anomalies that do not match the behavior of any authorized user. They can also predict whether a particular networking behavior has a lower or higher probability of being associated with a specific user. This provides an effective way to identify C2 beacons, for example, and differentiate them from benign process- and user-initiated network usage. This AI-driven, model-based anomaly detection and user-specific prediction capability can reduce both false positives and false negatives.

THE MALICIOUS INSIDER

For malicious insiders, anomalous access detection and predictive behavior modeling on their own may be less effective. The malicious insider will often conform with their own past behavior and may share many characteristics with otherwise normal user and organizational access. However, overtly malicious, aberrant, or suspicious behavior may still draw attention.

THE MALICIOUS OUTSIDER

AI modeling is highly effective against malicious outsiders, like those who access an unlocked device surreptitiously or obtain illicit access to legitimate user credentials. It is much less likely that a malicious outsider's behavior will continuously conform to the compromised user's modeled behavior. It is also likely the outsider's behavior will conflict with that of the organization as a whole. They may log in outside of normal work hours, access new resources, or perform atypical actions such as attempting to download databases that quickly identify them as threats.

MALWARE

As with malicious outsiders, anomalous or low-probability endpoint access by malware can trigger detections. Alerting the legitimate user to the malicious activity allows them to halt access and report the issue to their SOC. In addition, malware and its associated C2 exhibit networking patterns that are atypical of legitimate, user-driven behavior. For addit
323、ional protection,threat behavior may be separately modeled for increased detection.Configuring automated response actions to modeled threat behavior protects the environment in cases where the legitimate user does not reject suspicious access attempts.RULES-BASED NETWORK THREAT DETECTION Holistic ne
324、twork protection includes a combination of AI and ML technology and rules-based network threat detection.For example,IDS/IPS traffic can be used to analyze,assess,and filter communications.Traffic can be assessed by pre-created rules,like SNORT,then deployed to prevent and detect malicious traffic.A
325、 rule can be associated with a corresponding response action such as alert,allow,or block.Typically,SOC admins maintain visibility into the actions performed by SNORT or similar rules.Rules-based detection by itself can significantly increase the MITRE ATT&CK coverage in areas such as privilege esca
326、lation,lateral movement,command-and-control,data exfiltration,etc.54BLACKBERRY /2022 THREAT REPORT MICROSOFT HAFNIUM The state-sponsored threat actor HAFNIUM utilized patch vulnerabilities in on-premises Microsoft Exchange Servers to compromise email accounts.Within days,malicious actors beyond HAFN
327、IUM began targeting unpatched systems and installing malware to ensure long-term access to compromised environments.A combination of prevention-first cybersecurity and fast detection technology can thwart HAFNIUM-style attacks.Specifically,the vulnerabilities exploited by HAFNIUM could have been pro
328、tected by:ZTNA principles A least-privilege approach to access An identity-aware network platform Continuous authentication and adaptive access technology Remote work solutions that authenticate access to individual applications,not the entire network VPN EXPLOITS Zero-day VPN exploits hammered the
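As an added illustration (not code from the BlackBerry report or any BlackBerry product), the following Python sketch combines the per-user behavior modeling described under The Role of AI and ML and The Malicious Outsider with a rule layer that maps the resulting indicators to alert, allow, or block actions, as in the rules-based detection section. The baseline flows, the 3-sigma volume threshold and the 0.1 periodicity threshold are constructed assumptions, not values from the report.

```python
# Added example with constructed data; not code from the BlackBerry report.

from statistics import mean, pstdev

# Constructed baseline flows for one user: (user, hour, destination, bytes_out)
BASELINE = [("alice", 9, "mail.corp", 4_000), ("alice", 10, "wiki.corp", 12_000),
            ("alice", 11, "crm.corp", 8_000), ("alice", 14, "mail.corp", 5_000),
            ("alice", 16, "wiki.corp", 9_000), ("alice", 17, "crm.corp", 6_000)]

def build_profiles(flows):
    """Model each user's normal working hours, destinations and transfer sizes."""
    profiles = {}
    for user, hour, dest, nbytes in flows:
        p = profiles.setdefault(user, {"hours": set(), "dests": set(), "bytes": []})
        p["hours"].add(hour); p["dests"].add(dest); p["bytes"].append(nbytes)
    return profiles

def beacon_score(conn_times):
    """Coefficient of variation of the gaps between connections: near 0 means
    metronome-like periodicity (typical of C2 beacons, atypical of users)."""
    gaps = [b - a for a, b in zip(conn_times, conn_times[1:])]
    if len(gaps) < 3 or mean(gaps) <= 0:
        return float("inf")          # too few samples to judge periodicity
    return pstdev(gaps) / mean(gaps)

def score_session(profiles, user, hour, dest, nbytes, conn_times=()):
    """Compare one session with the user's model; return the indicators it raises."""
    if user not in profiles: return {"unknown_user"}   # no baseline to compare with
    p = profiles[user]
    mu, sd = mean(p["bytes"]), pstdev(p["bytes"]) or 1.0
    indicators = set()
    if hour not in p["hours"]: indicators.add("off_hours")
    if dest not in p["dests"]: indicators.add("new_resource")
    if (nbytes - mu) / sd > 3: indicators.add("bulk_transfer")   # far above usual volume
    if beacon_score(list(conn_times)) < 0.1: indicators.add("beacon")
    return indicators

# Rule layer, evaluated in order like an IDS rule set: (name, required indicators, action)
RULES = [
    ("bulk_exfil_new_dest", {"new_resource", "bulk_transfer"}, "block"),
    ("c2_beacon_new_dest", {"new_resource", "beacon"}, "block"),
    ("off_hours_new_dest", {"off_hours", "new_resource"}, "alert"),
    ("unknown_user", {"unknown_user"}, "alert"),
]

def decide(indicators):
    """Return (rule name, action) for the first matching rule, else allow."""
    for name, needed, action in RULES:
        if needed <= indicators:
            return name, action
    return "baseline", "allow"
```

In a real deployment the baseline would be learned from weeks of telemetry and the actions wired to the SOC's alerting and enforcement points; the point here is the split between the behavior model, which raises indicators, and the rule layer, which decides what happens to them.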
VPN EXPLOITS

Zero-day VPN exploits hammered the industry in 2021, from SonicWall VPN, to Pulse Secure, to Fortinet VPN. While several of these vulnerabilities have existed for a while, recent work-from-home and remote access trends have brought them increased attention. As a technology attracts more users and organizations, it becomes increasingly valuable to threat actors. To avoid VPN exploits while supporting a remote and mobile workforce, organizations should consider adopting:
- A software-defined Zero Trust network architecture
- A network built upon a robust TCP/IP stack
- Securing connectivity using the principles of least privilege access
- Solutions offering segmented network access control to separate professional and personal network traffic
- Dynamic access controls that can provide just-in-time access to a platform that offers full visibility into network traffic across on-premises and cloud resources

MOBILE THREATS AND SECURITY

Mobile device security should be a serious concern for every organization. Consider the current state of the smartphone market, which is divided between Android and iPhone devices. According to recent studies, a staggering 76% of tested mobile applications store data insecurely. Insecure apps threaten organizations with BYOD policies, and those supporting mobile or remote workers. The danger arises from employees increasingly using unmanaged personal devices to perform professional tasks. When business resources and vulnerable apps occupy the same device and connect to multiple networks, there are many opportunities for disaster. Vulnerable apps are not the only mobile threat facing o