The key to any robust cyber defense strategy involves two things: insight into your own vulnerabilities and insight into evolving adversarial tactics — only then can you truly build defenses that align with evolving enemy strategies. A report by Kroll, a U.S. provider of technology and insights related to risk and governance, claims the threat environment remains complex, and attackers are increasingly targeting email for initial access and extortion.
Following is a high-level summary of their findings.
In an interesting turn of events, business email compromise (BEC), a highly targeted form of corporate phishing, and ransomware remain the top two incident types, but ransomware fell 30% from the previous quarter while BEC attacks rose nearly 19% compared with Q4 2021. The report also stated that BEC is playing an increasingly important role in the intrusion lifecycle of cyber extortion attacks.
In one such example, attackers sent a phishing email to IT departments of businesses. Unsuspecting victims clicked on the malicious link and entered their credentials. Once admin credentials were harvested, attackers used them to access the system and took over email accounts belonging to senior IT staff and C-level executives.
They continued to persist on the network, downloading email attachments and data from OneDrive and SharePoint accounts. Attackers then used different methods to contact compromised account holders via text messages and email, sending them ransom notes and demanding payment to end the attack. In some cases, they hijacked social media accounts to further pressure users into meeting their extortionist demands.
In Q1 2022, phishing as a means of gaining initial access to target environments soared by 54% compared with other top tactics such as zero-day exploits and third-party vulnerabilities. Kroll researchers believe that the rise in phishing for initial access may be driven by campaigns originating from Emotet and IcedID developers, who are constantly looking for ways to infiltrate organizations without being detected. The research highlighted a case where an email chain between a third party and an employee led the victim to download a malicious .zip file containing an Excel document with macros, which then launched a Microsoft configuration management program called PowerShell. Fortunately, the Emotet attack was blocked by an endpoint detection and response solution. However, the email was still shared internally, which led to multiple infections.
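Detection logic for the macro-to-PowerShell hop described in the Emotet case above, as an added example that is not from the Kroll report or this article: it runs over a few constructed Sysmon-style process-creation events (the field names, process IDs and file paths are assumptions) and flags an Office application launching a script host, with a macro-enabled document opened from a temp folder reported as supporting context.

```python
import json
import re

# Office applications that should rarely, if ever, spawn a shell or script host.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Macro-enabled document opened from the user's Temp folder, where extracted zip contents typically land.
MACRO_DOC_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]*\.(xlsm|xlsb|docm|pptm)\b", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict):
    """Return a rule name for one process-creation event, or None if it looks benign."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "office_spawned_script_host"      # high confidence: the macro -> PowerShell hop
    if child in OFFICE_APPS and MACRO_DOC_IN_TEMP.search(event.get("CommandLine", "")):
        return "macro_doc_opened_from_temp"      # lower confidence: context for the hop above
    return None

def detect(log_lines):
    """Parse JSON-lines process events and return (ProcessId, rule) for every match, in log order."""
    hits = []
    for line in filter(None, (raw.strip() for raw in log_lines)):
        event = json.loads(line)
        rule = classify(event)
        if rule:
            hits.append((event["ProcessId"], rule))
    return hits

# Constructed sample events in a Sysmon Event ID 1 style; these are not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "EXCEL.EXE C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice_q1.xlsm"}
{"EventID": 1, "ProcessId": 4388, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "powershell.exe -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.ps1"}
{"EventID": 1, "ProcessId": 4402, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
"""

if __name__ == "__main__":
    # Expected: pid 4120 as context and pid 4388 as the high-confidence hit; pid 4402 is a user-launched shell.
    for pid, rule in detect(SAMPLE_LOG.splitlines()):
        print(f"pid={pid} rule={rule}")
```

The parent-child check is what an EDR would alert on in the case above; the temp-folder rule alone is noisy and is only useful to enrich the higher-confidence hit.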
While ransomware activity appeared to slow down in Q1 2022, ransomware incidents still account for 32% of all observed cases. The frequency of Conti ransomware attacks dropped by nearly 43% compared to the previous quarter. However, other strains such as LockBit 2.0, AvosLocker, QuantumLocker and Ragnar Locker showed increased activity. Kroll also reported that ransomware gangs continue to exploit vulnerabilities such as ProxyShell and Log4J to gain initial access to target networks. The manufacturing industry was reportedly hit the hardest — with 68% of incidents being ransomware and an overall 33% increase in cyber incidents over the previous quarter.
Phishing, along with its variants like spear phishing and BEC scams, continues to reign as the primary root cause for all cyberattacks. Unpatched software is another top root cause. If organizations focus on these two aspects and design defenses around them, they will be in much better shape to defend against the bulk of cyberattacks. Here are some security best practices that can help:
As we look for the best ways to position our cybersecurity strategy, it’s important to remember that while tactics can evolve, root causes will always remain the same. If security teams learn to focus on addressing the root causes and not get distracted by the symptoms — ransomware is a symptom, how ransomware got in is a root cause — attackers will have no choice but to move on to the next target.
Source – propertycasualty360.com