Trellix reveals evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat actors.
by D. Howard Kass • Nov 17, 2022
Ransomware activity in the U.S. doubled quarter-over-quarter in the transportation and shipping industries for Q3 2022, according to a newly released threat report by Trellix, a startup extended detection and response (XDR) provider.
The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat (APT) actors. It examines threats to email and the malicious use of legitimate third-party security tools, drawing on telemetry from Trellix’s sensor network, investigations into nation-state and ransomware activity, and open-source intelligence.
A Closer Look at the Report
Here are some of the study’s key findings:
- Transportation was the second most active sector globally, following telecom. APTs were also detected in transportation more than in any other sector.
- Ransomware detections rose 32% in Germany in Q3 and generated 27% of global activity. Germany generated the most threat detections related to APT actors in Q3 (29% of observed activity), and it also had the most ransomware detections.
- Mustang Panda, a China-linked threat actor, had the most detected threat indicators in Q3, followed by Russian-linked APT29 and Pakistan-linked APT36.
- Phobos, a ransomware sold as a complete kit in the cybercriminal underground, accounted for 10% of global detected activity and was the second most used ransomware detected in the US.
- LockBit continued to be the most detected ransomware globally, generating 22% of detections.
- Years-old vulnerabilities continue to be successful exploitation vectors. Trellix observed Microsoft Equation Editor vulnerabilities CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 to be the most exploited among malicious emails received by customers during Q3.
- Cobalt Strike, a legitimate third-party tool, was used in 33% of observed global ransomware activity and in 18% of APT detections in Q3.
Commenting on the report, John Fokker, Trellix head of threat intelligence, said:
“So far in 2022, we have seen unremitting activity out of Russia and other state-sponsored groups. This activity is compounded by a rise in politically motivated hacktivism and sustained ransomware attacks on healthcare and education. The need for increased inspection of cyberthreat actors and their methods has never been greater.”
Trellix Advances Partner Program
Last month, Trellix fleshed out its partner program to include a number of new features along with 10 new technology partners and technology integrations with its flagship platform. The partner additions bring Trellix’s ecosystem to some 800 partners integrated with its XDR platform.
Key elements of the updated program, which will launch early in 2023, include:
- Partner enablement to deliver a training curriculum that supports partners from first-sale to first-install of the Trellix XDR platform.
- Demand creation using differentiated sales plays to accelerate customer engagement, increase deal registration and build sales pipeline.
- Partner support to provide a premium post-sale experience including 24/7 support and resources, enabling trusted advisor relationships with Trellix XDR customers.
- Professional services featuring playbooks that enable partners to build managed services and incident response offerings, leveraging Trellix intellectual property and applying threat intelligence from the Trellix Advanced Research Center.
The company formed by the merger of McAfee Enterprise and FireEye, backed by private equity firm Symphony Technology Group, was rebranded as Trellix earlier this year. It entered the XDR security solutions market with a channel-first go-to-market strategy.