Most ransomware was blocked last year, but cyberattacks are advancing faster

A new study by IBM Security suggests that cyber attackers are taking byways that are less visible and are becoming much faster at infiltrating perimeters.


The latest annual IBM X-Force Threat Intelligence Index, released today, reports that the use of backdoor malware, which allows remote access to systems, has become the top action taken by cyber attackers over the past year. About 67% of these backdoor cases were related to ransomware attempts detected by defenders.

The IBM report found that ransomware declined by 4 percentage points between 2021 and 2022 and defenders were more successful in detecting and preventing these attacks. However, cyber attackers have become much faster at infiltrating perimeters, with the average time to complete a ransomware attack dropping from two months to less than four days.


Legacy exploits are still hanging around and active

Malware that made headlines years ago, although perhaps forgotten, is far from gone, according to the IBM study. For example, infections like WannaCry and Conficker are still spreading as vulnerabilities hit a record high in 2022 and cybercriminals have access to more than 78,000 known exploits. All of this makes it easier for attackers to use older, unpatched access points, according to John Hendley, IBM’s head of strategy for X-Force.

“Because cybercriminals have access to these thousands of exploits, they don’t have to invest as much time and money to find new ones. The old ones are fine,” Hendley said. “WannaCry is a great example: Five years later, vulnerabilities that lead to WannaCry infections are still a significant threat.”


He said X-Force had observed WannaCry ransomware traffic increase by 800% since April 2022, although the pesky Conficker worm might be more surprising given its age. “Conficker is so old that if it were human it could drive this year, but we still see it,” he said. “The activity of these legacy exploits only speaks to the fact that we still have a long way to go.”

The demand for backdoor access is reflected in premium prices

The X-Force Threat Intelligence Index, which tracks trends and attack patterns from data collected from networks and endpoints, incident responses and other sources, reported that the rise in backdoor deployments is partly due to their high market value. X-Force observed threat actors selling existing backdoor access for up to $10,000 versus stolen credit card credentials, which can sell for less than $10.

According to Hendley, the fact that nearly 70% of backdoor attacks failed — thanks to defenders disrupting the backdoor before ransomware was deployed — shows that the shift to detection and response is paying off.

“But it comes with one caveat: It’s temporary. Attack and defense are a game of cat and mouse, and once adversaries innovate and adapt their tactics and procedures to evade detection, we would expect the failure rate to drop – they always innovate,” he added, noting that in less than three years attackers increased their speed by 95%. “You can now run 15 ransomware attacks in the time it took one to complete.”

Manufacturing, energy, and email thread hijacking are prominent trends

The IBM study cites several notable trends, including evidence that political unrest in Europe is fueling attacks on local industries and that attackers everywhere are increasingly hijacking existing email threads.

  • Extortion: Extortion via business email compromise (BEC) and ransomware was the goal of most cyberattacks in 2022, with Europe the most targeted region, accounting for 44% of the extortion cases observed by IBM. Manufacturing was the most extorted industry for the second year in a row.
  • Thread hijacking: Email thread hijacking attempts doubled over the past year, with attackers using compromised email accounts to reply within ongoing conversations while impersonating the original participant. X-Force found that over the past year attackers used this tactic to distribute Emotet, Qakbot, and IcedID — malware that often leads to ransomware infections.
  • Exploit research lagging vulnerabilities: The ratio of known exploits to vulnerabilities has been declining in recent years, down 10 percentage points since 2018.
  • Credit card data fades: The number of phishing attacks targeting credit card information fell by 52% in one year, suggesting attackers are prioritizing personal information such as names, email addresses, and home addresses, which sells for a higher price on the dark web or can be used in other operations.
  • Energy attacks hit North America: The energy sector held its position as the fourth most attacked industry last year, with North American energy organizations accounting for 46% of all energy attacks, a 25% increase from 2021.
  • Asia accounted for nearly a third of all attacks IBM X-Force responded to in 2022.

According to Hendley, email thread hijacking is a particularly pernicious technique, most likely fueled by the shift to remote work over the past year.

“We observed that monthly thread hijacking attempts increased by 100% compared to 2021,” he said, noting that these are broadly similar to impersonation attacks in which scammers create cloned profiles and use them for deceptive purposes.

“But what makes thread hijacking particularly dangerous is that attackers hit people when their defenses are down, because that first layer of trust has already been established between the participants, so an attack can create a domino effect of potential victims once a threat actor gains access.”
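The thread-hijacking pattern described above (a reply that arrives inside an established conversation and trades on the trust already built there) can be triaged with a few header-level heuristics. The following is an added example, not code from IBM or the report: it walks a constructed thread in date order and flags replies that reuse an earlier participant's display name from a different address, redirect replies to another domain via Reply-To, or introduce the thread's first attachment after a long idle gap. The sample messages, the field layout and the 30-day threshold are assumptions for illustration.

```python
from datetime import datetime
from email.utils import parseaddr

# Constructed sample thread: three legitimate messages, then a late reply that
# reuses "Bob Lee" from a look-alike domain, points Reply-To elsewhere and
# brings the thread's first attachment. Addresses are made up.
SAMPLE_THREAD = [
    {"id": "m1", "from": "Ana Ruiz <ana@example-corp.com>",
     "date": "2022-10-03T09:12:00", "attachments": []},
    {"id": "m2", "from": "Bob Lee <bob@partner.example>",
     "date": "2022-10-03T11:40:00", "attachments": []},
    {"id": "m3", "from": "Ana Ruiz <ana@example-corp.com>",
     "date": "2022-10-04T08:05:00", "attachments": []},
    {"id": "m4", "from": "Bob Lee <bob@partner-example.co>",
     "reply_to": "bob@mailer.example", "date": "2022-11-20T16:31:00",
     "attachments": ["Invoice_1031.zip"]},
]

STALE_THREAD_DAYS = 30  # assumed threshold; tune to your own mail patterns


def _split(header):
    """Return (display name, address, domain), lower-cased, from a mailbox header."""
    name, addr = parseaddr(header)
    return name.strip().lower(), addr.lower(), addr.rsplit("@", 1)[-1].lower()


def hijack_indicators(thread):
    """Return {message id: [reasons]} for replies showing hijacking traits
    relative to the messages that came before them in the thread."""
    findings, seen, last_date, any_attachment = {}, {}, None, False
    for msg in sorted(thread, key=lambda m: m["date"]):
        reasons = []
        name, addr, dom = _split(msg["from"])
        when = datetime.fromisoformat(msg["date"])
        # 1. Same display name as an earlier participant, but a new address.
        if name in seen and addr not in seen[name]:
            reasons.append(f"name '{name}' earlier used {sorted(seen[name])}, now {addr}")
        # 2. Reply-To steers answers to a domain other than the sender's.
        if msg.get("reply_to") and _split(msg["reply_to"])[2] != dom:
            reasons.append(f"Reply-To domain differs from From domain {dom}")
        # 3. First attachment in the thread, arriving after a long silence.
        if (msg["attachments"] and not any_attachment and last_date is not None
                and (when - last_date).days > STALE_THREAD_DAYS):
            reasons.append(f"first attachment after {(when - last_date).days} idle days")
        if reasons:
            findings[msg["id"]] = reasons
        seen.setdefault(name, set()).add(addr)
        any_attachment = any_attachment or bool(msg["attachments"])
        last_date = when
    return findings
```

Each heuristic on its own produces false positives (people do change addresses and send late attachments), so treat the result as a triage score to route the message for review rather than an automatic block.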

3 tips for security administrators

Hendley proposed three general principles for corporate defenders.

  1. Assume breach: Proactively hunt for indicators of compromise. Assuming the attacker is already active in the environment makes it easier to find them.
  2. Enforce least privilege: Restrict IT admin access to those who specifically need it for their job role.
  3. Explicitly verify who and what is on your network at all times.

He added that organizations that follow these general principles will make it significantly more difficult for threat actors to gain initial access, and if they do get in, it will be more difficult for them to move laterally to reach their objective.


“And if they’re taking longer to do that, it’s easier for defenders to find them before they can do any damage,” Hendley said. “It’s a mentality shift: instead of saying, ‘We’re going to keep everyone out, nobody’s going to get in,’ we’re going to say, ‘Well, let’s assume they’re already inside, and if so, how do we take care of that?’”
