Cisco Talos observes 'novel increase' in APT activity in Q1

The security vendor uncovered new trends during Q1, including increased APT attacks, 'democratized' ransomware threats and significant exploitation of Log4j bugs.

Advanced persistent threat actors have been busy over the past few months, according to Cisco Talos.

The security vendor released its Quarterly Trends report Tuesday, which examined incident response trends from engagements in the first quarter of 2022. While ransomware remained the top threat, as it has for the past two years now, Cisco observed a new trend of increased APT activity. The Cisco Talos Incident Response (CTIR) team attributed some of the increase to groups like Iranian state-sponsored MuddyWater and China-based Mustang Panda.

One suspected Chinese APT, dubbed "Deep Panda," was connected to exploitation of the Log4j flaw that was discovered last year in the widely used Java logging tool. Log4j exploitation was the second most common threat for Q1 behind ransomware, indicating the bug is a growing threat despite a patch being available.

"In January 2022, CTIR started to observe a growing number of engagements in which adversaries are attempting to exploit Log4j in vulnerable VMware Horizon servers," the blog post said.

While the initial attack vector was often hard to determine, Cisco found that adversaries commonly targeted exposed applications vulnerable to the Log4j flaw, widely known as Log4Shell. Cisco noted signs of Log4j exploitation in an attack on an unnamed education organization, such as the use of "PowerShell scripts including a line that killed the process 'ws_TomcatService.exe', a key parent process in commonly observed malicious Log4j activity," according to the blog.
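The process-kill line quoted above is a concrete indicator a defender can hunt for in PowerShell script block logs. The following is an added example, not code from Cisco Talos or the report: it runs a few constructed detection rules over constructed log events shaped like Windows PowerShell Event ID 4104 records (timestamp, host, script block text). The host names, timestamps, script contents and the rule patterns are all assumptions made for illustration; only the process name 'ws_TomcatService.exe' comes from the article.

```python
import re
from typing import Dict, List

# Process named in the Talos report as a key parent of malicious Log4j activity.
TARGET_PROCESS = "ws_TomcatService"

# Constructed detection rules: each pairs a rule name with a regex for one way a
# PowerShell script block can terminate the Tomcat service process. The character
# classes keep the match inside a single command (no newline, ';' or '|').
KILL_RULES = {
    "stop-process-by-name": re.compile(
        r"Stop-Process\b[^\r\n|;]*?\b" + TARGET_PROCESS + r"\b", re.IGNORECASE),
    "taskkill-by-image": re.compile(
        r"\btaskkill(?:\.exe)?\b[^\r\n|;]*?/IM\s+" + TARGET_PROCESS + r"\.exe",
        re.IGNORECASE),
    "pipeline-stop-process": re.compile(
        r"Get-Process\s+" + TARGET_PROCESS + r"\b[^\r\n;]*?\|\s*Stop-Process\b",
        re.IGNORECASE),
}


def match_rules(script_block: str) -> List[str]:
    """Return the names of every rule whose pattern appears in the script block."""
    return [name for name, pattern in KILL_RULES.items() if pattern.search(script_block)]


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan script-block events and return one alert per event that trips a rule.

    Each event is a dict with 'time', 'host' and 'script_block' keys (a simplified
    stand-in for the fields of a PowerShell 4104 event).
    """
    alerts = []
    for event in events:
        hits = match_rules(event["script_block"])
        if hits:
            alerts.append({"time": event["time"], "host": event["host"],
                           "rules": ",".join(hits)})
    return alerts


# Constructed sample events: two benign, two that kill the Tomcat service process.
# Note that merely querying the process (last event) does not trigger an alert.
SAMPLE_EVENTS = [
    {"time": "2022-01-14T03:12:07Z", "host": "horizon-cs01",
     "script_block": "Get-Service | Where-Object Status -eq 'Running'"},
    {"time": "2022-01-14T03:12:41Z", "host": "horizon-cs01",
     "script_block": "Stop-Process -Name ws_TomcatService -Force; Start-Sleep -Seconds 2"},
    {"time": "2022-01-14T03:13:02Z", "host": "horizon-cs02",
     "script_block": "cmd /c taskkill /F /IM ws_TomcatService.exe"},
    {"time": "2022-01-14T09:30:00Z", "host": "horizon-cs03",
     "script_block": "Get-Process ws_TomcatService | Select-Object Id, CPU"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['host']} matched: {alert['rules']}")
```

Because the rules key on terminating a specific service process rather than on any one exploit payload, they stay useful regardless of how the Log4Shell foothold was obtained; a real deployment would feed them from script block logging (which must be enabled) and tune the patterns to the local naming of the Horizon Tomcat service.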

Nick Biasini, head of outreach for Cisco Talos, told SearchSecurity that because Log4Shell is a far-reaching vulnerability that can effectively be leveraged for remote code execution, it's an attractive attack vector for a large number of groups, including ransomware gangs, APT actors and the average cybercriminal.

"If you haven't patched or mitigated the risk associated with Log4j you should be moving to do so immediately. The vulnerability isn't difficult to exploit and exploitation of systems behind the perimeter can be achieved," Biasini said in an email.

In addition to the "novel increase" in APT activity and the continued trouble caused by Log4Shell, new ransomware groups also emerged, according to Cisco Talos. Alongside three new groups -- Cerber, Entropy and Cuba -- high-profile families such as Hive and Conti remained on the threat radar.

Ransomware comprised the majority of threats CTIR responded to, according to the blog. However, in a separate threat summary, Cisco said compared to previous quarters, ransomware "made up a slightly smaller percentage and comprised only 25 percent of all threats observed this quarter compared to 27 percent last quarter."

Threats stemmed from a variety of ransomware strains.

"No one ransomware family was observed twice in incidents that closed out this quarter. This is indicative of a trend toward greater democratization of ransomware adversaries that Talos began observing last year," the blog post said.

Another new trend was a change in the targeted sectors. Telecommunications became the most targeted industry, "breaking a several quarters-long streak in which attackers targeted health care more than any other industry."

This appears to line up with recent attacks. For example, this month T-Mobile was breached in a suspected Lapsus$ attack, and last month attackers targeted Viasat's satellite internet network, which affected European customers, including thousands in Ukraine.

While Cisco Talos did observe an increase in APT activity for Q1, Biasini said they haven't noticed any direct connection between Russia's invasion of Ukraine and activity from other nation-states.

"Russia is just one player in a large landscape and their activities continue," he said.

To mitigate the observed threats, Cisco Talos' top recommendation was implementing multifactor authentication (MFA).

"MFA is an effective way to prevent adversaries from gaining unwanted access, and we routinely see threat activity that could have been prevented if MFA had been enabled," the blog said.
