China has emerged as the leader in vulnerability exploitation
Some countries are increasingly turning to cyberattacks and data theft, and the rise of cloud services is helping them. CrowdStrike's 2022 Global Threat Report details how the cyber-threat landscape evolved during the past year. The report says that it had confirmed the exploitation of two vulnerabilities published in 2020 by China-nexus advanced persistent threat (APT) actors – in Oracle WebLogic and Zoho ManageEngine, respectively – but that last year it was able to confirm 12 vulnerabilities and nine different products being exploited, linked to 10 known APTs, including the infamous Wicked Panda (aka APT41 or Barium).
The analysts said that although Chinese APTs have long developed and deployed their own exploits in targeted intrusions, 2021 saw an increased volume of activity from Chinese APTs, highlighting an evolution in how these groups go about their work. These countries are seeing that cyber campaigns can be easier to conduct than traditional espionage and are investing in these techniques. “In contrast, exploits deployed by these actors in 2021 focused heavily on vulnerabilities in internet-facing devices or services. Among the vulnerabilities favoured by Chinese APTs in 2021 were the Microsoft Exchange bugs collectively known as ProxyLogon and ProxyShell, and other networking products such as VPNs and routers. They are also increasingly looking to enterprise software products hosted on internet-facing servers.”
The CrowdStrike team assessed that these exploits are largely being developed independently in-house or, in a new twist, acquired from legitimate sources in China. Exploits submitted at the Tianfu Cup have later been acquired by Chinese targeted intrusion actors for use in their operations. In several 2021 incidents, Chinese actors demonstrated an ability to rapidly operationalise public proof-of-concept exploit code.
The report details an 82% increase in ransomware-related data leaks, debuts two new adversaries – WOLF (Turkey) and OCELOT (Colombia) – and adds 21 new tracked adversaries across the globe. It further notes the ongoing adaptation of state-linked targeted intrusion adversaries to new opportunities and strategic requirements, and not just among those linked to China. The other big nation-state adversaries – Russia, Iran and North Korea – also employed new forms of tradecraft in 2021: Russia targeted IT and cloud service providers, Iran now favours masking its intrusions behind ransomware attacks, and North Korea has shifted its focus to crypto-linked targets to maintain its cashflow.