In the last year, ransomware and business email compromise (BEC) topped the types of cyber-attacks that IR (Incident Response) teams at Unit 42 resolved. Both these types collectively accounted for 70 per cent of total cases resolved by IR teams.
The report released by Palo Alto Networks highlights that the prevalence of software vulnerabilities leads threat actors to behave opportunistically: they scour the internet for vulnerabilities and weak points. The 2022 Unit 42 Incident Response Report offers insights gleaned from the extensive incident response (IR) work done by Unit 42. The report draws on a sampling of over 600 IR cases to help CISOs and security teams understand the greatest security risks, and its findings guide them in prioritising resources to reduce those risks.
Enterprises in real estate and finance were among the industries that received the highest average ransom demands, at nearly $5.2 million and $8 million, respectively. Overall, in the last year, IR teams listed ransomware and business email compromise (BEC) as the top incident types, together accounting for 70 per cent of total cases.
“Cybercrime has become an easy business due to its low cost and high returns nature. Even unskilled, novice threat actors can get started with hacking-as-a-service tools. These tools are becoming more popular and are available on the dark web,” said Wendi Whitmore, SVP and head of Unit 42 at Palo Alto Networks. “Ransomware attackers are also becoming more organised with their customer service and satisfaction surveys as they engage with cybercriminals and the victimised organisations.”
Key trends covered in the report include:
A new ransomware victim is posted on leak sites every four hours. Identifying ransomware activity early is critical for any organisation. Typically, ransomware activity is only discovered after encrypted files appear on the leak sites and after the victim organisation receives a ransom note. Unit 42 found that the median dwell time (the time threat actors spend in a targeted environment before being detected) for ransomware attacks was 28 days. Ransom demands have been as high as $30 million, and actual payouts have been as high as $8 million, a steady increase compared to the 2022 Unit 42 Ransomware Report findings. Increasingly, affected organisations may receive double extortion threats, wherein attackers threaten to make sensitive information public if the ransom is not paid.
Cybercriminals used various techniques to commit wire fraud by targeting business email. Phishing offers an easy and cost-effective way to gain covert access while maintaining a low risk of discovery. According to the report, in many cases cybercriminals are simply asking their unwitting targets to hand over their credentials, and are getting them. Once they had access, the median dwell time for BEC attacks was 38 days, and the average amount stolen was $286,000.
Attackers follow the money when it comes to targeting enterprises. However, some attackers are opportunistic: they scan the internet for systems exposing known vulnerabilities and exploit whatever they find. After reviewing the incident response cases, Unit 42 identified finance, legal, manufacturing, healthcare, high tech, wholesale and retail as the most affected industries. These industries store, transmit and process high volumes of sensitive, monetisable information that attracts threat actors.
The report also reveals some statistics from IR cases that cyber attackers don’t want you to know:
- The top three initial access vectors used by threat actors were phishing, exploitation of known software vulnerabilities, and brute-force credential attacks focused primarily on the Remote Desktop Protocol (RDP). Combined, these vectors comprise 77 per cent of the suspected root causes of intrusions.
- ProxyShell accounted for more than half of all vulnerabilities exploited for initial access at 55 per cent, followed by Log4J (14 per cent), SonicWall (7 per cent), ProxyLogon (5 per cent) and Zoho ManageEngine ADSelfService Plus (4 per cent).
- In half of all IR cases, investigators discovered that organisations lacked multifactor authentication on critical internet-facing systems, such as corporate webmail, virtual private network (VPN) solutions or other remote access solutions.
- In 13 per cent of cases, organisations had no account lockout policy in place to mitigate brute-force credential attacks.
- In 28 per cent of cases, poor patch management procedures contributed to threat actor success.
- In 44 per cent of cases, organisations did not have an endpoint detection and response (EDR) or extended detection and response (XDR) security solution, or it was not fully deployed on the initially impacted systems to detect and respond to malicious activities.
- 75 per cent of insider threat cases involved a former employee.
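As an added illustration of the RDP brute-force and missing-account-lockout findings above (example code written here, not from the report or Palo Alto Networks): a small detector over constructed, simplified Windows logon events that flags RDP sources whose failed logons would have tripped an account-lockout policy, and records whether a successful logon followed. The log format, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp event_id logon_type account source_ip"
# form (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP/RemoteInteractive).
SAMPLE_LOG = """\
2022-07-01T02:00:01 4625 10 svc_backup 203.0.113.7
2022-07-01T02:00:03 4625 10 svc_backup 203.0.113.7
2022-07-01T02:00:05 4625 10 svc_backup 203.0.113.7
2022-07-01T02:00:08 4625 10 svc_backup 203.0.113.7
2022-07-01T02:00:10 4625 10 svc_backup 203.0.113.7
2022-07-01T02:00:12 4625 10 svc_backup 203.0.113.7
2022-07-01T02:00:15 4624 10 svc_backup 203.0.113.7
2022-07-01T09:15:00 4625 10 alice 198.51.100.20
2022-07-01T09:40:00 4625 10 alice 198.51.100.20
2022-07-01T09:41:00 4624 10 alice 198.51.100.20
"""

# Assumed lockout policy: 5 failures within 10 minutes would lock the account.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = "10"

def parse(log_text):
    """Split the simplified log into (timestamp, event_id, logon_type, account, source_ip)."""
    events = []
    for line in log_text.strip().splitlines():
        ts, event_id, logon_type, account, src = line.split()
        events.append((datetime.fromisoformat(ts), event_id, logon_type, account, src))
    return events

def detect_rdp_bruteforce(log_text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {(account, src_ip): {"failures": n, "followed_by_success": bool}} for RDP
    sources whose failed logons inside `window` reached `threshold`, i.e. the activity an
    account-lockout policy would have stopped. Slow, spread-out failures (alice) are not flagged."""
    failures = defaultdict(list)   # (account, src) -> timestamps of recent 4625 events
    findings = {}
    for ts, event_id, logon_type, account, src in parse(log_text):
        if logon_type != RDP_LOGON_TYPE:
            continue
        key = (account, src)
        if event_id == "4625":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                findings.setdefault(key, {"failures": 0, "followed_by_success": False})
                findings[key]["failures"] = len(recent)
        elif event_id == "4624" and key in findings:
            findings[key]["followed_by_success"] = True   # brute force likely succeeded
    return findings
```

Run over the sample, the burst against `svc_backup` is flagged with a subsequent success, while the two widely spaced failures for `alice` fall outside the window and stay quiet.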
The report published by Palo Alto Networks reveals that cyber attacks are succeeding in the absence of multifactor authentication on critical internet-facing systems such as corporate webmail, virtual private network (VPN) solutions and other remote access solutions.