Proofpoint has released its annual Human Factor report, revealing that after two years of pandemic-induced disruption, 2022 was a return to business as usual for the world’s cyber criminals. As COVID-19 medical and economic programs began to wind down, attackers had to find new ways to make a living by honing their social engineering skills, commoditizing once-sophisticated attack techniques, and creatively searching for new opportunities in unexpected places.
From scaling brute-force and targeted attacks on cloud tenants to the surge in conversational smishing attacks and proliferation of multifactor authentication (MFA) bypass, the cyber-attack landscape witnessed significant developments on several fronts in 2022.
“As the world emerged from the pandemic, threat actors returned to business as usual, demonstrating heightened creativity and adaptability. The scale and commoditization of uncommon tools and techniques these actors use, from cloud-based attacks to conversational smishing and MFA bypasses, continue to shape the broad outlines of the threat landscape,” said Emile Abu Saleh, Regional Director, Middle East and Africa at Proofpoint. “Cyber-attacks have experienced a critical intersection of technology and psychology, emphasizing the importance of comprehensive security measures as security controls have steadily improved. Ultimately, what remains the same is that attackers exploit people, and they are the most critical variable in today’s attack chain.”
The Human Factor is the industry’s most comprehensive report from a single vendor and delves into the new developments across the threat landscape, focusing on the combination of technology and psychology that makes modern cyber-attacks so dangerous among the three main facets of user risk—vulnerability, attacks, and privilege. The report draws from one of the industry’s largest and most diverse global cybersecurity data sets across email, the cloud and mobile computing sourced from more than 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts, 1.7 billion suspicious SMS messages, and more.
From complex techniques like multi-factor authentication bypass, to telephone-oriented attack delivery, and conversational threats that rely solely on the attacker’s charm, 2022 was a year of unprecedented creativity among threat actors as they varied attack chains and rapidly tested and discarded delivery mechanisms.
Key findings highlighted in Proofpoint’s 2023 Human Factor Report include:
- Office macro use collapsed after Microsoft rolled out controls to block them: After almost three decades of service as a popular malware distribution method, Office macros finally began to decline in use after Microsoft updated how its software handles files downloaded from the web. The changes set off an ongoing flurry of experimentation by threat actors to seek alternative techniques to compromise targets.
- Threat actors began to match their ingenuity with new-found precision and patience: Conversational smishing and deceptive messages with malicious intent threats—which start with attackers sending seemingly harmless messages—surged last year. In the mobile space, it was the year’s fastest-growing threat, experiencing a twelvefold increase in volume. And telephone-oriented attack delivery (TOAD) peaked at 13 million messages per month. Several state-sponsored APT actors invested significant time exchanging benign messages with their targets to build rapport over the course of weeks and months.
- Off-the-shelf MFA bypass phish kits have become ubiquitous, allowing even non-technical criminals to spin up a phishing campaign: MFA-bypass frameworks such as EvilProxy, Evilginx2, and NakedPages accounted for more than a million phishing messages per month.
- Legitimate infrastructure plays a key role in the delivery of many cloud-based attacks and shows the limitations of rules-based protections: Most organizations faced threats originating from well-known cloud giants Microsoft and Amazon, whose infrastructure hosts countless legitimate services that organizations rely upon.
- Novel distribution methods pushed SocGholish into the top five malware by message volume: With a novel distribution method involving drive-by downloads and fake browser updates, the threat actor behind SocGholish—TA569—has increasingly been able to infect websites to deliver malware exclusively through drive-by downloads, tricking victims into downloading it through fake browser updates. Many sites hosting the SocGholish malware are unaware they are hosting it, further proliferating its delivery.
- Cloud threats have become ubiquitous: 94% of cloud tenants are targeted every month by either a precision or brute-force cloud attack, indicating a frequency on par with email and mobile vectors. The number of brute-force attacks—notably password spraying—increased from a monthly average of 40 million in 2022 to nearly 200 million in early 2023.
- Abusing the familiarity and trust in major brands is one of the simplest forms of social engineering: Microsoft products and services occupied four of the top five positions for abused brands, with Amazon being the most abused brand.
- Successful initial access can rapidly lead to domain-wide attacks such as ransomware infection or data theft: As many as 40% of misconfigured, or “shadow” admin identities can be exploited in a single step, such as resetting a domain password to elevate privileges. And 13% of shadow admins were found to already have domain admin privileges, allowing attackers to harvest credentials and access corporate systems. Around 10% of endpoints have an unprotected privileged account password, with 26% of those exposed accounts being domain admins.
- Emotet roared back as the world’s most prominent threat actor, one year after law enforcement took the botnet offline in January 2021: Yet despite sending over 25 million messages in 2022—more than double the volume of the second most prominent threat actor—Emotet’s presence has been intermittent, with the group also showing signs of lethargy in adapting to the post-macro threat landscape.
- While financially driven crime largely dominates the threat landscape, a single outlier attack by an Advanced Persistent Threat (APT) actor can have a massive impact: One large campaign by TA471, a Russian-aligned APT group that engages in both corporate and government espionage, propelled that actor to the top of the APT message volume charts. TA416, an APT actor aligned with the Chinese state, was one of the most active. In particular, significant new campaigns by TA416 coincided with the start of the Russia-Ukraine war, targeting European diplomatic entities involved in refugee and migrant services.