A look at Q4 2022, data suggests that despite new threats, low-code cybersecurity business email compromises, including phishing, as well as MFA bombings are still the most prevalent exploits favored by security actors. the threat.
Cybersecurity advocates peering through the fog in hopes of catching a glimpse of the next threat might be looking too hard at artificial and sophisticated vectors. At least in the short term, low-code attacks are king, especially business email compromise.
New research by the Secureworks Counter Threat Unit suggests that attackers use, on the whole, simple means to exploit a social engineering opportunity: people don’t wash their hands and sing “happy birthday” for 20 seconds.
SEE: Learn how zero trust can be applied to email and other credentials (TechRepublic)
Jump to:
Phishing is the top BEC exploit, with ransomware dropping sharply
The company carefully looked at its own remediation data from some 500 exploits between January and December last year for insights. Among other things, the researchers found that:
- The number of incidents involving BECs has doubled, making ransomware the second most financially motivated cyber threat to organizations.
- Phishing campaigns drove BEC growth, accounting for 33% of incidents where the initial access vector could be established, nearly triple from 2021 (13%).
- Vulnerabilities in Internet-connected systems accounted for a third of attacks for which instant account verification could be established.
- By contrast, ransomware incidents fell 57% but remain a core threat, according to the company, which said the reduction could be due as much to a change in tactics as to increased law enforcement after the outbreak. Colonial Pipeline And Kaseya attacks.
The report found weaknesses in cloud-facing assets, noting that fundamental security controls in the cloud were either misconfigured or absent entirely, “Potentially due to a rushed move to the cloud during COVID-19,” said the society.
Push bombings are also on the increase. This is an attack to achieve multi-factor authentication of victims due to target fatigue after multiple access requests. Threat actors don’t have to find zero-day vulnerabilities; they are able to exploit common vulnerabilities and exposures, such as Log4Shell and ProxyShell.
Companies need to up their visibility game
Secureworks recommends that organizations strengthen their ability to detect threats across their host, network, and cloud environments. The company suggests doing this, among other things, by using centralized retention and analysis of logs across hosts and network and cloud resources. It also supports reputation-based web filtering and network detection for suspicious domains and IP addresses.
Mike McLellan, director of intelligence at Secureworks, noted that BECs are relatively easy to launch and attackers don’t need major skills to phish multiple organizations with a large network.
“Attackers are always going around the parking lot and seeing which doors are unlocked,” McLellan said, in a statement. “Mass scanners will quickly show an attacker which machines are unpatched.”
He asserted that applications accessed over the Internet must be secure or risk giving threat actors access to an organization. “Once they’re inside, the clock starts ticking to prevent an attacker from turning that intrusion to their advantage,” he said. “Already in 2023, we have seen several high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging.”
A recent Palo Alto Networks study reported that only about 10% of respondents could not detect, contain, and resolve threats within an hour. Additionally, 68% of organizations were unable to even detect a security incident within an hour, and of those that did, 69% were unable to respond within an hour. hour.
Nation-state actors are actively using the penetration testing exploit
Secureworks found that hostile state-sponsored activity increased to 9% of incidents analyzed, up from 6% in 2021. Additionally, 90% were attributed to threat actors affiliated with China.
Cybersecurity company WithSecure recently reported the intrusions looked like precursors to ransomware deployments. Specifically, WithSecure discovered a tag loader for the penetration tester Cobalt Strike, often used by attackers. The charger put to good use Sideloading DLLswhich he calls SILKLOADER.
“Upon closer examination of the loader, we found several clusters of activity leveraging this loader within the Russian and Chinese cybercriminal ecosystems,” the company said in its report on the exploit.
In addition, almost 80% of attacks were financially motivated, potentially linked to the Russian-Ukrainian conflict, disrupting cybercrime supply chains through Conti ransomware band.
“Government-sponsored threat actors have a different focus than financially motivated ones, but the tools and techniques they use are often the same,” McClellan said.
“For example, Chinese threat actors have been detected deploying ransomware as a smokescreen for espionage. The intent is different, but the ransomware itself is not. The same is true for IAVs; it’s about getting your foot in the door in the quickest and easiest way possible, no matter which group you belong to.
