BECs double in 2022, overtaking ransomware
A look at 4th quarter 2022, data suggests that new threat surfaces not withstanding, low-code cybersecurity business email compromises including phishing, as well as MFA bombing are still the prevalent exploits favored by threat actors.
Cybersecurity defenders peering into the fog hoping to catch a glimpse of the next threat might be staring too hard at artificial and other sophisticated vectors. At least in the short term, low-code attacks are king, specifically business email compromise.
New research by the Secureworks Counter Threat Unit suggests the attackers are, by and large, using simple means to exploit a tried-and-true social engineering opportunity: People aren’t, in the digital sense, washing their hands and singing “happy birthday.” for 20 seconds.
SEE: Explore how zero trust can be applied to email and other credentials (TechRepublic)
Phishing the leading BECs exploit, with big drop in ransomware
The firm took a hard look at its own remediation data from some 500 exploits between January and December last year to get insights. Among other things, the researchers discovered that:
- The number of incidents involving BECs doubled, putting ransomware in second place for financially motivated cyberthreats to organizations.
- Phishing campaigns drove growth in BEC, accounting for 33% of incidents where the initial access vector could be established, a near three-fold increase compared to 2021 (13%).
- Vulnerabilities in internet-facing systems represented one third of attacks where instant account verification could be established.
- By contrast, ransomware incidents fell by 57%, but remain a core threat, per the firm, which said the reduction could be due as much to a change in tactics as it is to increase law enforcement after the Colonial Pipeline and Kaseya attacks.
The report found weaknesses in cloud-facing assets, noting that fundamental security controls in the cloud were either misconfigured or entirely absent, “Potentially because of a rushed move to cloud during COVID-19,” the firm said.
Push bombing is also on the rise. This is an attack to obtain multi factor authentication from victims through target fatigue after multiple access requests. Threat actors don’t have to find zero day vulnerabilities; They’re able to exploit common vulnerabilities and exposures, such as Log4Shell and ProxyShell.
Companies need to up their visibility game
Secureworks recommends that organizations enhance their ability to detect threats across their host, network and cloud environments. The firm suggests doing this by, among other things, employing centralized log retention and analysis across hosts and network and cloud resources. It also endorses reputation-based web filtering and network detection for suspicious domains and IPs.
Mike McLellan, director of intelligence at Secureworks, noted that BECs are relatively easy to launch, and attackers don’t need major skills to phish multiple organizations with a big net.
“Attackers are still going around the parking lot and seeing which doors are unlocked,” said McLellan, in a statement. “Bulk scanners will quickly show an attacker which machines are not patched.”
He asserted that internet-facing applications need to be secure or risk giving threat actors access to an organization. “Once they are in, the clock starts ticking to stop an attacker turning that intrusion to their advantage,” he said. “Already in 2023, we’ve seen several high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging.”
A recent Palo Alto Networks study reported that only about 10% of respondents couldn’t detect, contain and resolve threats in less than an hour. In addition, 68% of organizations were unable to even detect a security incident in less than an hour, and among those that did, 69% could not respond in an hour.
Nation-state players actively using pen-testing exploit
Secureworks found that hostile state-sponsored activity increased to 9% of analyzed incidents, up from 6% in 2021. Furthermore, 90% were attributed to threat actors affiliated with China.
Cybersecurity firm WithSecure recently reported intrusions looked like precursors to ransomware deployments. Specifically, WithSecure discovered a beacon loader for the penetration tester Cobalt Strike, often used by attackers. The loader leveraged DLL side-loading, which it is calling SILKLOADER.
“By taking a closer look at the loader, we found several activity clusters leveraging this loader within the Russian as well as Chinese cybercriminal ecosystems,” said the firm in its report on the exploit.
Also, nearly 80% of attacks were financially motivated, potentially connected to the Russia/Ukraine conflict, disturbing cybercrime supply chains by the likes of the Conti ransomware group.
“Government-sponsored threat actors have a different purpose to those who are financially motivated, but the tools and techniques they use are often the same,” said McClellan.
For instance, Chinese threat actors were detected deploying ransomware as a smokescreen for espionage. The intent is different, but the ransomware itself isn’t. The same is true for the IAVs; it’s all about getting a foot in the door in the quickest and easiest way possible, no matter which group you belong to.”