Most ransomware has been thwarted in the past year, but cyber-attacks are moving faster

A new study from IBM Security suggests that cyber attackers are taking less visible side routes and are getting much faster at infiltrating the perimeter.


The latest annual IBM X-Force Threat Intelligence Index, released today, reported that the deployment of backdoor malware, which allows remote access to systems, emerged as the top action taken by cyber attackers last year. About 67% of those backdoor cases were related to ransomware attempts that defenders detected.

The IBM report noted that ransomware declined by 4 percentage points between 2021 and 2022, and defenders became better at detecting and preventing such attacks. However, cyber attackers have become much faster at perimeter infiltration, and the average time to complete a ransomware attack has dropped from two months to less than four days.


Legacy exploits still hanging around and active

According to the IBM study, malware that made headlines years ago, and has perhaps since been forgotten, is far from obsolete. For example, infections such as WannaCry and Conficker continue to spread, while vulnerabilities hit a record high in 2022 and cybercriminals had access to more than 78,000 known exploits. All of this makes it easier for attackers to use older, unpatched access points, according to John Hendley, IBM’s head of X-Force strategy.

“Because cybercriminals have access to thousands of these exploits, they don’t have to invest as much time or money in finding new ones; the older ones are doing fine,” Hendley said. “WannaCry is a great example: It’s five years later, and vulnerabilities that lead to WannaCry infections are still a significant threat.”


He said X-Force has seen WannaCry ransomware traffic jump 800% since April 2022, although the Conficker nuisance worm is perhaps more surprising for its age. “Conficker is so old, if it were a person, it would be able to drive this year, but we still see it,” he said. “The activity of these legacy exploits speaks to the fact that there is a long way to go.”

The demand for backdoor access is reflected in premium pricing

The X-Force Threat Intelligence Index, which tracks attack trends and patterns from data collected from networks and endpoint devices, incident response engagements and other sources, reported that the increase in backdoor deployment can be attributed in part to its high market value. X-Force has noticed threat actors selling existing backdoor access for as much as $10,000, compared to stolen credit card data, which can sell for less than $10.

Hendley said that nearly 70% of backdoor attacks have failed – thanks to defenders disrupting the backdoor before ransomware was deployed – and the shift towards detection and response is paying off.

“But it comes with a caveat: It’s temporary. Offense and defense are a cat-and-mouse game, and once adversaries innovate and adjust tactics and procedures to avoid detection, we would expect the failure rate to decrease – they are constantly innovating,” he said, noting that attackers have increased their speed by 95% in less than three years. “They can now do 15 ransomware attacks in the time it took to do one.”

Industry, energy and e-mail thread hijacking are noteworthy

The IBM study cited several significant trends, including one that suggests political unrest in Europe is driving attacks on industry there, and attackers everywhere are increasingly trying to use email threads as an attack surface.

  • Extortion via BEC and ransomware was the top impact of cyber attacks in 2022, with Europe the most targeted region, accounting for 44% of the extortion cases IBM observed. Manufacturing was the most extorted industry for the second year in a row.
  • Thread hijacking: Email thread hijacking attempts doubled last year, with attackers using compromised email accounts to reply within ongoing conversations while posing as the original participant. X-Force found that attackers used this tactic over the past year to deliver Emotet, Qakbot and IcedID – malware that often leads to ransomware infections.
  • Exploit development lagging vulnerabilities: The ratio of known exploits to vulnerabilities has decreased over the past few years, a 10 percentage point decline since 2018.
  • Credit card data losing appeal: The number of phishers targeting credit card information fell by 52% in one year, indicating that attackers are prioritizing personally identifiable information such as names, emails and home addresses, which can be sold at a higher price on the dark web or used to enable further operations.
  • Energy attacks hit North America: The energy sector ranked as the 4th most attacked industry last year, with North American energy organizations accounting for 46% of all energy attacks, a 25% increase from 2021.
  • Asia accounted for nearly one-third of all attacks IBM X-Force responded to in 2022.

Hendley said that email thread hijacking is an extremely harmful technique, and was likely fueled last year by the shift toward remote work.

“We observed a 100% increase in monthly thread hijacking attempts compared to 2021,” he said, pointing out that these are generally similar to identity attacks, where scammers create and use cloned profiles for deceptive purposes.

“But what makes thread hijacking so dangerous is that attackers are hitting people when their defenses are down, because a first level of trust has already been established between people, so that an attack can have a domino effect, creating potential victims beyond the one whose account the threat actor was able to gain access to.”
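As an added illustration of the detection side of this tactic (not from IBM's report or this article), the check below flags a reply inside an existing thread whose sender reuses an earlier participant's display name from a different address, or whose Reply-To redirects responses elsewhere. The three messages, addresses and domains are constructed.

```python
"""Heuristic thread-hijacking check (added example, not from IBM's report).

A hijacked thread is a reply inside an existing conversation from a compromised or
look-alike account. Each reply is compared against the participants already seen
in the same thread (keyed by the root Message-ID). Messages are constructed samples."""
from email import message_from_string
from email.utils import parseaddr

SAMPLE_THREAD = [
    "From: Ana Ruiz <ana.ruiz@example.com>\nTo: bob.lee@example.org\n"
    "Message-ID: <m1@example.com>\nSubject: Q3 invoice\n\nHi Bob, invoice follows next week.\n",
    "From: Bob Lee <bob.lee@example.org>\nTo: ana.ruiz@example.com\n"
    "Message-ID: <m2@example.org>\nIn-Reply-To: <m1@example.com>\n"
    "References: <m1@example.com>\nSubject: Re: Q3 invoice\n\nThanks Ana.\n",
    # Look-alike domain reusing Ana's display name, with Reply-To pointing elsewhere.
    "From: Ana Ruiz <ana.ruiz@examp1e.com>\nReply-To: billing@relay.example.net\n"
    "To: bob.lee@example.org\nMessage-ID: <m3@examp1e.com>\nIn-Reply-To: <m2@example.org>\n"
    "References: <m1@example.com> <m2@example.org>\nSubject: Re: Q3 invoice\n\n"
    "Bob, the updated invoice is in the attached document.\n",
]


def thread_root(msg):
    """Identify the thread by its first References entry, else In-Reply-To, else own ID."""
    refs = (msg.get("References") or "").split()
    return refs[0] if refs else (msg.get("In-Reply-To") or msg.get("Message-ID"))


def find_hijack_signals(raw_messages):
    """Return [(message_id, [reasons])] for replies inconsistent with earlier participants."""
    participants = {}  # thread root -> {display name (lower): set of addresses}
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        name, addr = parseaddr(msg.get("From", ""))
        name, addr = name.lower(), addr.lower()
        known = participants.setdefault(thread_root(msg), {})
        reasons = []
        if name in known and addr not in known[name]:
            reasons.append("display name matches an earlier participant but address differs")
        _, reply_addr = parseaddr(msg.get("Reply-To", ""))
        if reply_addr and reply_addr.lower() != addr:
            reasons.append("Reply-To redirects responses away from the From address")
        if reasons:
            findings.append((msg.get("Message-ID"), reasons))
        else:  # only trusted senders become reference participants for later replies
            known.setdefault(name, set()).add(addr)
    return findings
```

In a real mail pipeline the same two checks would run against authenticated sender data (for example DMARC-aligned From addresses) rather than the raw From header alone.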

3 tips for security administrators

Hendley proposed three general principles for enterprise defenders.

  1. Assume breach: Proactively go out and look for indicators of compromise. Assuming the threat actor is already active in the environment will make it easier to find them.
  2. Enforce least privilege: Limit IT administrative access to those who specifically need it for their job role.
  3. Always explicitly verify who and what is within your network.

He added that when organizations follow these general principles it will be much more difficult for threat actors to gain initial access, and if they do, it will be more difficult for them to move laterally to achieve their objective.


“And if, in the process, they have to take more time, it makes it easier for defenders to find them before they can do damage,” Hendley said. “It’s a mindset shift: Instead of saying, ‘We’re going to keep everybody out, nobody’s going to get in,’ we’re going to say, ‘Well, let’s assume they’re already in and, if so, how do we handle that?’”
