While some cyberattacks are motivated by espionage or revenge, the leading motivation for cyberattacks is far and away financial. If you want to know where cyber attackers are going, and what types of attacks they are likely to deploy, “follow the money.” Palo Alto Networks Unit 42 recently issued the 2022 version of their Incident Response Report, and there is a lot of good data about the threat landscape.
Types of Attacks
A full 70% of incident cases they saw over the past 12 months were either Business Email Compromise (BEC) or ransomware.
Historically these have been the most lucrative forms of cybercrime. With BEC, attackers convince victims to wire money directly to them, in transfers averaging $286,000 per BEC attack. With a nod toward the estimated annual haul of these attacks, the FBI calls BEC “The $43 Billion Scam.”
High-profile cases have led to ransomware's reputation as the "jackpot" of cybercrime, with several multi-million-dollar payouts widely reported in the press. Smaller payments are more common, but still lucrative: the median ransomware payout for high-tech victims was over $500,000.
Proof of cybercriminals' continued investment in ransomware can be found in their ongoing refinement of the approach. Many Ransomware-as-a-Service tools available on the dark web include capabilities to exfiltrate data before encrypting it. This gives cybercriminals additional leverage: they can threaten to release embarrassing data (or actually release enough of it to add teeth to their threats) if the victim doesn't pay up.
In other cases, criminals are turning to intermittent or partial encryption, which is faster than full encryption and more likely to evade detection, yet does similarly irretrievable damage. In other instances, cybercriminals are skipping encryption entirely and going straight to extortion. It's technically much simpler, with no need to deal with encryption, keys and so on. And if the data is sensitive or confidential, it is probably just as effective.
Extortion, either accompanying ransomware or standalone, is also on the rise and still rules when it comes to attacks on cloud-based resources. Because deploying ransomware in the cloud can be more difficult, cybercriminals often simply steal credentials and use them to steal data or destroy it for extortion purposes. Another extortion technique is to use stolen access to threaten (or actually initiate) heavy resource use that could result in exorbitant bills from cloud service providers.
Initial Access Vectors
A large majority (over 77%) of attacks start with one of three access vectors: phishing, known vulnerabilities, and brute-force attacks, which in most cases leverage Remote Desktop Protocol (RDP).
Phishing is a perennial favorite because despite user training, far too many users still click on links that take them to an infected site or download an infected attachment. Many companies still rely on insufficiently effective user training to combat phishing, and have not taken proactive steps to defend their systems against users who click on the wrong link or download the wrong attachment.
Attackers are incredibly aggressive about exploiting known vulnerabilities. CVE reports alert cybersecurity professionals to known vulnerabilities so they can act quickly to apply patches, but those same reports alert threat actors to the vulnerability. If cybercriminals act more quickly to exploit the vulnerability than security professionals do to patch, organizations that are exposed can be in trouble. The report states that attempts to exploit a vulnerability can be detected within just 15 minutes of when a CVE report is issued. Over 2,500 exploitation attempts were detected within ten hours of release of a threat signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388).
Some companies continue to run end-of-life applications that are no longer patchable, which have known vulnerabilities that leave them exposed.
With many users failing to follow password hygiene best practices, and many companies not yet requiring Multi-Factor Authentication (MFA), exposed RDP ports are a relatively easy path for brute-force attacks.
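The RDP brute-force vector above is one a defender can spot in the Windows Security log: Event ID 4625 (failed logon) with LogonType 10 (RemoteInteractive) piling up from one source address. The following Python detector is an added example, not code from the original post or the Unit 42 report; the flat log format, the sample events and the threshold are constructed for illustration.

```python
# Added example: flag source IPs that generate repeated failed RDP logons.
# Assumes Security log events have been exported to one "key=value" line
# each; the sample below is constructed, not real log data.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: EventID 4625 = failed logon, LogonType 10 = RDP.
SAMPLE_EVENTS = """\
2022-08-01T10:00:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-08-01T10:00:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-08-01T10:00:04 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-08-01T10:00:06 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2022-08-01T10:00:08 EventID=4625 LogonType=10 TargetUser=root SourceIP=203.0.113.7
2022-08-01T10:00:09 EventID=4625 LogonType=10 TargetUser=guest SourceIP=203.0.113.7
2022-08-01T10:01:00 EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.4
2022-08-01T10:02:00 EventID=4625 LogonType=2 TargetUser=bob SourceIP=10.0.0.5
2022-08-01T10:30:00 EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.4
"""

def parse_event(line):
    """Turn one exported line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts_str)
    return ev

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: usernames_tried} for every source that exceeds
    `threshold` failed RDP logons inside any sliding time `window`."""
    recent = defaultdict(deque)   # source IP -> timestamps still in window
    users = defaultdict(set)      # source IP -> every account it tried
    flagged = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev["EventID"] != "4625" or ev["LogonType"] != "10":
            continue              # only failed RemoteInteractive logons count
        ip, ts = ev["SourceIP"], ev["ts"]
        q = recent[ip]
        q.append(ts)
        users[ip].add(ev["TargetUser"])
        while q and ts - q[0] > window:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = users[ip]
    return flagged

if __name__ == "__main__":
    for ip, names in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: tried {sorted(names)}")
```

A single unlucky user mistyping a password twice (198.51.100.4 above) stays below the threshold, while the password-spraying source is flagged; tune `threshold` and `window` to your own baseline.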
Another initial access vector that has proven very easy to exploit is the misconfigured cloud environment. Cloud environments are highly dynamic and complex: projects and workloads come and go quickly, many different applications and tools may be in use, and some applications and tools are hosted across multiple cloud providers.
IT teams depend on security controls provided by the cloud provider to protect them, but those controls can’t work without being properly configured and activated. The researchers found that an astounding 99% of cloud accounts did not have necessary Identity and Access Management (IAM) controls in place.
Incident responders are seeing increasing numbers of "amateurs" trying their hands at cybercrime, most likely influenced by publicity surrounding big ransomware payouts. Broad availability of Ransomware-as-a-Service tools means people with limited technical skills can try their hand at breaking into cybercrime. The good news is that, given their limited skill set, amateurs are easier to spot (and stop) than professionals.
Researchers also expect to see increased focus on BEC and a possible move back to credit card fraud as cryptocurrencies turn out to be less anonymous than was once thought, as demonstrated by the recovery of millions of dollars’ worth of crypto that was paid out in the Colonial Pipeline ransomware case.
Protecting Against Today’s Threats
If this all sounds frightening, keep in mind that effective action can significantly help protect organizations from cyberattacks:
- Put strong Identity and Access Management (IAM) controls in place, including Multi-Factor Authentication (MFA). MFA alone won't stop all attacks, but according to one Microsoft estimate, it could stop 90% of them. IAM controls protect against attacks that use stolen credentials as well as brute-force attacks.
- Deploy Remote Browser Isolation (RBI). RBI opens websites and email attachments in isolated cloud-based containers and streams only safe rendering data to browsers on user endpoints. If a user does click the wrong link or open a malicious attachment, no malware can infect the user's device or the company's network.
- Use ZTEdge Web Application Isolation (WAI) to protect web app surfaces. WAI is the flip side of RBI: your apps are isolated from the web, so unauthorized users cannot probe the attack surface for vulnerabilities or see where they can attack, yet the apps remain freely accessible for legitimate interactions.
- Use ZTEdge Zero Trust Network Access (ZTNA) to ensure least-privilege access, leveraging microsegmentation to prevent over-permissive access by authorized users and to minimize damage in the event that an attacker succeeds in breaching defenses.
- Patch promptly. With cybercriminals targeting known vulnerabilities within 15 minutes of when they are announced, rapidly patching and updating is essential. Waiting a few days can expose your company to harm.
- Require payment verification external to email to protect against BEC attacks.
The simplest way to implement many of the above cybersecurity features, and more, is with a cloud-based Secure Access Service Edge (SASE) solution such as ZTEdge. ZTEdge is a modular solution that integrates easily with existing security infrastructure and provides organizations with a simple path to comprehensive cloud security.