Malware development and vulnerability exploitation in H1 2022 were defined by tenacity along several dimensions: criminal services, exploit targets, infrastructure maintenance, and operational longevity. The malware categories at the forefront of public and criminal attention were wipers, such as those observed targeting Ukraine; infostealers, with some popular variants resurging after an initial disappearance; and ransomware, which continues to victimize all sectors worldwide.
The vulnerability most in defenders’ sights at the beginning of the year was Log4Shell, while by the end of June, the Follina vulnerability (which can be exploited via a malicious document without using macros) indicated a future potential direction for zero-day exploits for the rest of the year.
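The Follina point above is that a document can be dangerous with no VBA at all, so a macro-only triage check misses it. The check below is an added example, not code from the original report or from Recorded Future: it opens an Office Open XML package and lists every relationship marked TargetMode="External", then flags those whose type is an embedded OLE object fetched from a remote http(s) URL. That document shape (an external oleObject relationship in word/_rels/document.xml.rels) is an assumption drawn from public analyses of Follina, not something stated on this page. The two sample documents are constructed inline so the script runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces/types from the Office Open XML standard (ECMA-376).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every external relationship in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def has_vba_project(docx_bytes):
    """True if the package carries a VBA macro project (what macro-only triage looks for)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def suspicious_remote_objects(docx_bytes):
    """Heuristic (assumption, see lead-in): external OLE objects loaded from a remote URL.

    Plain hyperlinks are also external relationships and are deliberately not flagged.
    """
    return [
        rel for rel in external_relationships(docx_bytes)
        if rel[1] == OLE_REL_TYPE and re.match(r"(?i)^https?://", rel[2])
    ]


def build_sample_docx(document_rels_xml):
    """Constructed minimal package: enough parts for the relationship scan, nothing more."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", document_rels_xml)
    return buf.getvalue()


# Constructed sample 1: a benign document with an ordinary external hyperlink.
BENIGN_DOCX = build_sample_docx(f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="https://example.com/" TargetMode="External"/>
</Relationships>""")

# Constructed sample 2: no macros, but an OLE object pulled from a remote server.
REMOTE_OLE_DOCX = build_sample_docx(f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}"
                Target="http://staging.example.invalid/index.html!" TargetMode="External"/>
</Relationships>""")


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("remote-ole", REMOTE_OLE_DOCX)):
        print(label, "vba:", has_vba_project(doc), "flagged:", suspicious_remote_objects(doc))
```

Neither sample contains a VBA project, so `has_vba_project` returns False for both; only the second is flagged, because the indicator is the external OLE relationship rather than any macro code. Treat a hit as a reason to detonate or inspect the document, not as proof of a specific CVE.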
The top referenced malware variants associated with cyberattacks in H1 2022 were Cobalt Strike, Conti ransomware, Pegasus, DeadBolt ransomware, and Emotet. References to Cobalt Strike were sharply higher than for the others, demonstrating its continued prevalence across many types of cyberattack campaigns.
The top referenced vulnerabilities associated with cyberattacks in H1 2022 affected Apache Log4j (Log4Shell), Microsoft Windows (Follina), Microsoft Exchange Server (ProxyShell), Atlassian Confluence, and the Java Spring Framework. This landscape reflects both zero-day exploitation and continued targeting of long-known vulnerabilities: Log4Shell exploitation was still being observed at the end of June, more than six months after its disclosure.
Our outlook for the rest of 2022, based on H1 2022, is that ransomware remains a major threat (although a decline is overdue), more widespread multi-factor authentication (MFA) will reshape many areas of the criminal landscape, and Russia’s war against Ukraine is likely to result in yet more novel malware from that region.
Tenacity Defines H1 2022
If there is a word that sums up the landscape of malware development and vulnerability exploitation in H1 2022, it is almost certainly “tenacious”. The high-volume creation of wiper malware against Ukraine, the re-emergence of a popular infostealer, the ongoing attention to major vulnerabilities like Log4Shell and ProxyShell, the disbandment of the Conti ransomware group with its members moving to support other ransomware operations, the appearance of new tactics in the (still not dead) Emotet botnet, and the continuing evolution in tactics from the major cybercrime group FIN7 all exemplify a criminal underground and APT threat landscape in which many threats disappear or change temporarily but are very difficult to stop entirely. While it falls just outside H1 2022, the emergence of LockBit 3.0 as the most recent version of that ransomware further supports this view of the threat landscape.
The criminal underground on which threat actors rely for new malware or vulnerability exploits has shown a similar level of persistence. The “Faceless” proxy service, which we reported on in April 2022, involves many of the aspects we have seen across malware and vulnerabilities in the first half of 2022: malware designed to target online retailers, emphasis on remote code execution (RCE) and zero-day vulnerabilities, and long-term criminal operations that can survive law enforcement action, rebranding, and the loss of infrastructure. Similarly, the creation of BreachForums after the seizure of RaidForums by law enforcement shows the persistence of criminal networks and the ease with which new forums replace closed ones where demand continues.
The charts below show the most referenced malware variants and vulnerabilities associated with reported cyberattacks in H1 2022. They are based on queries for any malware entity or any vulnerability entity that appeared in reports of a cyberattack collected in the Recorded Future Platform; the counts therefore measure how often an entity is referenced in reporting, not the number of distinct intrusions.
The malware data set best shows the persistent reliance of threat actors on Cobalt Strike for command-and-control (C2) infrastructure, although a larger shift to the red-team tool Brute Ratel C4 may be in the near future. Another trend highlighted in Figure 1 is the persistent ransomware threat, with attackers continuing to develop novel ransomware for specific targets such as QNAP NAS devices (in the case of DeadBolt).