Malware targeting manufacturing, utilities and energy industry up 238% – Technologist

The Unit 42 Network Threat Trends Research Report, Volume 2 reveals a 55% increase in attacks targeting vulnerabilities, known and unknown, including remote code execution (RCE), emails, compromised websites, newly registered domains (NRDs), ChatGPT/AI scams and crypto miner traffic.

“Today’s threat actors are like shape-shifting masters, continuously adapting their tactics to slip through the cracks of our interconnected network. With a cunning blend of evasion tools and camouflage methods, the bad actors have weaponized the threats,” says Steven Scheurmann, regional vice president for ASEAN at Palo Alto Networks.

“Threat actors have become adept at exploiting vulnerabilities, and by the time security researchers and software vendors close the door on one vulnerability, cybercriminals have already found the next door to creak open.”

Steven Scheurmann

Organisations must, therefore, simultaneously guard against malware designed to exploit older vulnerabilities while proactively staying ahead of sophisticated new attacks,” he added.

Some of the key findings from the report include:

The exploitation of vulnerabilities has increased: There was a 55% increase in vulnerability exploitation attempts, per customer, on average, compared to 2021.

PDFs are the most popular file type for delivering malware: PDFs are the primary malicious email attachment type, being used 66% of the time to deliver malware via email.

ChatGPT scams: Between November 2022-April 2023, Unit 42 saw a 910% increase in monthly registrations for domains, both benign and malicious, related to ChatGPT, in an attempt to mimic ChatGPT.

Malware aimed at industries using OT technology is increasing: The average number of malware attacks experienced per organisation in the manufacturing, utilities and energy industry increased by 238% (between 2021 and 2022).

Linux malware is on the rise, targeting cloud workload devices: An estimated 90% of public cloud instances run on Linux. Attackers seek new opportunities in cloud workloads and IoT devices running on Unix-like operating systems. The most common types of threats against Linux systems are botnets (47%), coinminers (21%) and backdoors (11%).

Cryptominer traffic is on the rise: Doubling in 2022, cryptomining continues to be an area of interest to threat actors, with 45% of sampled organisations having a signature trigger history that contains cryptominer-related traffic.

Newly Registered Domains: To avoid detection, threat actors use newly registered domains (NRDs) for phishing, social engineering and spreading malware. Threat actors are more likely to target people visiting adult websites (20.2%) and financial services (13.9%) sites with NRDs.

Evasive Threats will Continue to Become Increasingly Complex: While attackers’ continued use of old vulnerabilities shows that they will reuse code as long as it proves lucrative, there comes a point where creating newer, more complex attack techniques is necessary. When basic evasions became popular and security vendors started detecting them, attackers responded by moving toward more advanced techniques.

Encrypted Malware in Traffic will Keep Increasing: 12.91% of malware traffic is already SSL encrypted. As threat actors adopt more tactics that mimic those of legitimate businesses, it’s expected malware families using SSL-encrypted traffic to blend in with benign network traffic will continue growing.

“As millions of people use ChatGPT, it’s unsurprising that we see ChatGPT-related scams, which have exploded over the past year, as cybercriminals take advantage of the hype around AI. But, the trusty email PDF is still the most common way cybercriminals deliver malware,” says Sean Duca, VP and Regional Chief Security Officer at Palo Alto Networks.

“Cybercriminals, no doubt, are looking at how they can leverage it for their nefarious activities, but for now, simple social engineering will do just fine at tricking potential victims. Organisations must therefore take a holistic view of their security environment to provide comprehensive oversight of their network and ensure security best practices are followed at every level of the organisation.”

Sean Duca