ZeroFox Intelligence
Quarterly Threat Landscape Scorecards
QTLR Hub Hero Graphic

Ongoing geopolitical risks from the war in Ukraine and expected threats such as vulnerability exploits and ransomware remain persistent and consistent, with threat actors conducting increasingly more damaging attacks. Here’s what you need to know.

The frontline is shifting outside the perimeter

Social Engineering

Social engineering remained one of the most frequently reported intrusion tactics in Q3, across all industries. This increasing trend will surely continue based on the effectiveness of tactics like smishing, callback phishing (vishing), and phishing techniques that bypass MFA.

Key Takeaways
  • Malicious email attachments remain a prominent method of disseminating malware.
  • Threat actors are very likely to continue targeting desirable employees in job-related scams—especially those in leadership positions with elevated access levels, which increases the risk of financial harm or corporate exposure.

Cybercriminals use social engineering in 98% of attacks.

Source: PurpleSec

72+ CVEs were disclosed per day in Q3 2022.

Source: ZeroFox

Vulnerability Exploitation

The threat from Common Vulnerabilities and Exposures (CVEs) and previously-unknown software vulnerabilities (zero-days) increased in Q3 2022 – likely representing the new normal for exploit disclosures. What’s more, high-profile vulnerabilities disclosed this quarter will continue to be exploited by threat actors despite the longstanding availability of patches.

Key Takeaways
  • Vulnerabilities in the cloud and network perimeter — including routers, firewalls, and commonly-used software modules — will likely continue to dominate the exploit landscape.
  • Threat actors will continue to leverage high-profile vulnerabilities in widely-used software long after security patches were released.

Initial Access Brokers (IABs)

ZeroFox Intelligence saw a steady flow of attempts to sell illicit access to secure networks, based on monitoring covert communications channels and open marketplaces – and beyond. Most IABs continue to be driven by financial gain rather than ideological objectives.

Key Takeaways
  • ZeroFox Intelligence anticipates a continued resurgence in threats from IABs given strong demand from buyers and the likelihood that disruption to IAB operations is only temporary.
  • Threat actors may be pushed increasingly to more private means to sell illicit access, making the identification of activity more difficult.

Winter 2022 saw consistent IABs, listings, and prices.

Source: ZeroFox Intelligence

In Q3, infostealers deployed botnets to harvest nearly 45 million credentials.

Source: ZeroFox


Botnets deploying information stealers continued to pose a significant threat to organizations, rapidly taking advantage of new exploits and upgrading detection evasion capabilities. Expansion of the botnet market continued, with new botnets — including Fodcha, Panchan, and the Mirai-based Enemybot — emerging to target web servers, modems, routers, Internet-of-Things (IoT), and Android devices.

Key Takeaways
  • Botnets leveraged by Russia-aligned entities could exacerbate geopolitical tensions, particularly if more capable threat actors get engaged.
  • Emotet is resurging, which poses an urgent, significant threat to organizations of all sizes, sectors, and locations.

Malware & Ransomware

The threats from malware and ransomware remain high and unlikely to reduce given ease-of-acquisition. However, both activities likely remained broadly consistent in Q3 2022, though the nature of the threat changed significantly. Threat actors demonstrated greater capability than in prior attacks in Q2 2022. High-profile attacks targeted the finance, manufacturing, retail, healthcare, and public sectors.

Key Takeaways
  • A high volume of Malware-as-a-Service offerings will very likely sustain low barriers to entry for threat actors and drive down the price of acquiring highly-capable malware.
  • If ransomware operators may be struggling to elicit payments from victims, which means they will likely resort to more extreme pressure tactics that threaten to cause greater operational downtime and reputational damage.

Ransomware attacks take place every 11 seconds.

Source: National Law Review

Geopolitics and cybersecurity have become inextricably linked.

Source: Gartner


As expected, Russia and its war in Ukraine were the primary drivers of geopolitical risk across industries in Winter 2022. Russia demonstrated an eagerness to deliberately worsen existing inflation, energy, and cost-of-living issues by strategically limiting energy supplies and using threat actors to target Western allies of Ukraine. On the other hand, malicious activities from other traditional sources of geopolitical tension, like China and Iran, are minor in comparison.

Key Takeaways
  • In the short term, businesses with physical operations or sales in EU states, particularly those with close geographic or cultural ties with Russia, should be prepared for an increase in low-level cyber threat activity.
  • A wave of economic defaults before 2023 – triggered by the war – has the potential for straining business operations. The energy crisis, particularly for natural gas, will worsen.
Quarterly threat landscape report
Previous Issues

The threat landscape evolves at a drastic pace. Follow our quarterly reports to gain situational awareness and a…

The threat landscape evolves at a drastic pace. Follow our quarterly reports to gain situational awareness and a…

The threat landscape evolves at a drastic pace. Follow our quarterly reports to gain situational awareness and a…

The threat landscape evolves at a drastic pace. Follow our quarterly reports to gain situational awareness and a…

External attacks are the

Leading cause of breaches.

Only unified external cybersecurity can protect
you beyond the perimeter.

Talk to us now.