2023 Adversary Infrastructure Report

The prediction in our 2022 assessment that threat actors would continue the adoption of established tooling, as well as commodity and open-source tools, was correct. Actors across the spectrum are using tools like command-and-control (C2) frameworks, anonymization networks, remote monitoring and management software, and legitimate internet service proxies as a matter of course. We specifically note trends in Russian and Chinese state-sponsored malicious infrastructure, where the use of anonymization networks and legitimate internet services is increasing. Since such tools allow malicious activity to blend in and make attribution more difficult, we suggest network defenders examine and improve their capabilities in detecting and stopping attacks.

The top offensive security tools observed this year include Cobalt Strike, Viper, and Meterpreter. Remote access tools (RATs) topping the list this year are AsyncRAT, QuasarRAT, PlugX, ShadowPad, and DarkComet.

We share this information for others to consider when evaluating their own threat models, to allow other researchers to corroborate their data, and to assist the community in seeing a better overall picture of the state of malicious infrastructure for 2023. We believe that this information can help guide updates to risk assessments, drive security control decisions, and lead to a better understanding of the overall cyber threat landscape.

We foresee the continuing use of government takedowns of malicious infrastructure, with varying degrees of impact. These actions do make criminal operations more difficult and are worth undertaking. We also believe that there will be increasing adoption of legitimate internet services, anonymization proxies, and other tools that allow attackers to blend into the victim’s environment and make attribution difficult. We also expect to see a steady adoption of artificial intelligence by a variety of threat actors to better automate their operations and increase efficiency in other ways.

Countering some of these threats may entail difficult decisions. For example, organizations concerned about the use of legitimate internet services as malicious infrastructure should minimally create a baseline of the services seen on their network and tune their current security controls to the extent possible. More advanced security measures, such as decrypting and monitoring TLS traffic, may be required to truly combat this threat, but organizations must also consider the privacy implications, costs of implementation, and potential impacts on network systems and productivity.
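The baselining step above, as an added example that is not part of the report: a learning period of proxy log lines (constructed, in an assumed `timestamp client method url` format) establishes which legitimate internet services are normal for the network, and a later window is checked for services that fall outside that baseline, with hit counts and the clients involved so an analyst can triage them.

```python
"""Baseline legitimate internet services seen in proxy logs and flag
newcomers in a later window. Added example; log format is assumed."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed learning-period log: assumed format "timestamp client method url".
BASELINE_LOG = """\
2023-11-01T09:00:01 10.1.2.3 GET https://teams.microsoft.com/api/chat
2023-11-01T09:00:05 10.1.2.7 GET https://github.com/org/repo
2023-11-02T10:12:44 10.1.2.3 POST https://api.dropboxapi.com/2/files/upload
2023-11-02T11:30:02 10.1.2.9 GET https://teams.microsoft.com/api/chat
2023-11-03T08:45:10 10.1.2.7 GET https://github.com/org/repo
"""

# Constructed evaluation-window log in the same assumed format.
WINDOW_LOG = """\
2023-12-01T09:01:00 10.1.2.3 GET https://teams.microsoft.com/api/chat
2023-12-01T09:03:15 10.1.2.11 POST https://pastebin.com/api/api_post.php
2023-12-01T09:04:40 10.1.2.11 POST https://pastebin.com/api/api_post.php
2023-12-01T09:05:02 10.1.2.7 GET https://github.com/org/repo
"""


def parse_log(log: str):
    """Yield (client_ip, destination_host) for each well-formed line; malformed
    lines are skipped rather than guessed at."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        host = urlsplit(parts[3]).hostname
        if host:
            yield parts[1], host.lower()


def build_baseline(log: str, min_hits: int = 2) -> set:
    """A service joins the baseline once seen at least min_hits times during
    the learning period; rare one-offs stay out so they are re-examined."""
    counts = Counter(host for _, host in parse_log(log))
    return {host for host, n in counts.items() if n >= min_hits}


def new_services(window_log: str, baseline: set) -> dict:
    """Hosts contacted in the window but absent from the baseline, with hit
    counts and the set of clients that reached them (for triage)."""
    flagged = {}
    for client, host in parse_log(window_log):
        if host in baseline:
            continue
        entry = flagged.setdefault(host, {"hits": 0, "clients": set()})
        entry["hits"] += 1
        entry["clients"].add(client)
    return flagged


if __name__ == "__main__":
    for host, info in new_services(WINDOW_LOG, build_baseline(BASELINE_LOG)).items():
        print(f"{host}: {info['hits']} hits from {sorted(info['clients'])}")
```

With the constructed data, `api.dropboxapi.com` is seen only once in the learning period and therefore is not baselined; tune `min_hits` and the learning window to the size and churn of the network before relying on the output.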
