According to recent research from IBM Security, cyberattackers are adopting less obvious, but more rapid, routes to penetrate networks.
The latest annual IBM X-Force Threat Intelligence Index, released today, reported that deployment of backdoor malware, which gives attackers remote access to compromised systems, was the most common attacker action last year. About 67% of those backdoor cases were linked to ransomware attempts, many of which defenders detected before the ransomware was deployed.
The IBM report noted that ransomware declined 4 percentage points between 2021 and 2022, and defenders were more successful at detecting and preventing those attacks. However, cyberattackers have gotten much faster at infiltrating perimeters, with the average time to complete a ransomware attack dropping from two months to less than four days.
Legacy exploits still hanging around and active
Malware that made headlines years ago may have faded from memory, but the IBM study shows it is far from eradicated. Vulnerability disclosures reached an all-time high in 2022, giving attackers a pool of more than 78,000 known exploits to draw on; even so, old worms such as WannaCry and Conficker continue to spread. According to IBM X-Force head of strategy John Hendley, this makes it simpler for attackers to compromise older systems that were never patched.
Hendley remarked, “Cybercriminals don’t have to devote as much time or money finding new exploits since they have access to these thousands of exploits; older ones are doing OK. WannaCry is an excellent case in point; even after five years, vulnerabilities that might cause WannaCry outbreaks remain a serious problem.”
He said X-Force has seen an 800% increase in WannaCry ransomware traffic since April 2022, and that the even longer lifespan of the Conficker worm is more startling still. If Conficker were a person, he said, it would be old enough to drive this year, yet it is still seen in the wild. In his words, “the activity of these legacy exploits just points to the reality that there is a long way to go.”
Demand for backdoor access reflected in premium pricing
The X-Force Threat Intelligence Index, which tracks trends and attack patterns from data garnered from networks and endpoint devices, incident response engagements and other sources, reported that the uptick in backdoor deployments can be partially attributed to their high market value. X-Force observed threat actors selling existing backdoor access for as much as $10,000, compared to stolen credit card data, which can sell for less than $10.
Hendley said the fact that nearly 70% of backdoor attacks failed — thanks to defenders disrupting the backdoor before ransomware was deployed — shows that the shift toward detection and response is paying off.
“But it comes with a caveat: It’s temporary. Offense and defense is a cat-and-mouse game, and once adversaries innovate and adjust tactics and procedures to evade detection we would expect a drop in failure rate — they are always innovating,” he added, noting that in less than three years attackers increased their speed by 95%. “They can do 15 ransomware attacks now in the time it took to complete one.”
Industry, energy and email thread hijacking are standouts
Among the other notable trends in IBM’s analysis: political upheaval in Europe appears to be fueling attacks on industry there, and attackers everywhere are making greater use of existing email threads as an attack surface.
Most cyberattacks in 2022 aimed to extort money from victims through business email compromise (BEC) or ransomware (44% of all extortion cases IBM recorded). For the second year in a row, manufacturing was the most extorted sector.
“Thread hijacking,” in which attackers use a hijacked email account to reply inside an ongoing conversation as if they were the original participant, doubled in 2022 compared with 2021. X-Force found attackers using the technique over the past year to spread Emotet, Qakbot and IcedID, malware families that frequently lead to ransomware attacks.
The proportion of disclosed vulnerabilities with a known exploit has fallen 10 percentage points since 2018, so exploit development is lagging behind vulnerability discovery.
Credit card data is losing value: phishing attacks designed to steal credit card data dropped 52% in a single year, suggesting cybercriminals are shifting toward more valuable personal data such as names, email addresses and home addresses, which sell for more on the dark web or can be reused in further operations.
The energy industry remained the fourth most targeted sector in 2022, with 46% of all attacks on energy companies hitting organizations in North America, a 25% increase from 2021.
Over a third of all threats that IBM X-Force repelled in 2022 originated in Asia.
According to Hendley, email thread hijacking is a particularly damaging attack that was likely spurred by the rise of remote work in 2020.
He went on to say, “We witnessed the monthly thread hijacking efforts climb 100% vs 2021,” highlighting the similarities between these and impersonation attacks, in which con artists exploit cloned profiles for fraudulent purposes.
However, “what makes thread hijacking particularly dangerous is that attackers are hitting people when their defenses are down, because that first level of trust has already been established between the people,” so that once a threat actor has gained access, one compromised mailbox can set off a domino effect of further victims.
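To make the thread hijacking pattern concrete, the following Python is an added example written for this article and not code from IBM or the X-Force report. It walks a mail thread in arrival order and flags a reply that reuses a known participant's display name from a new address, carries a Reply-To pointing at a different domain, claims to answer a message the thread never contained, or is the first message in the thread to carry a macro-capable document or archive. The messages, addresses and domains are constructed sample data; the risky-extension list is an assumption, not a standard.

```python
"""Heuristic detector for e-mail thread hijacking (added example, constructed data)."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Dict, List, Optional

# Assumed list of attachment types worth flagging when they first appear in a thread.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".iso", ".lnk", ".js"}


@dataclass
class Message:
    message_id: str
    from_header: str                    # e.g. 'Alice Example <alice@example.com>'
    reply_to: Optional[str]             # Reply-To header value, if any
    in_reply_to: Optional[str]          # Message-ID this message answers (None for thread start)
    attachments: List[str] = field(default_factory=list)


def _addr(header: str):
    """Return (lowercased display name, lowercased address) parsed from a header value."""
    name, addr = parseaddr(header)
    return name.strip().lower(), addr.strip().lower()


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2]


def find_hijack_indicators(thread: List[Message]) -> Dict[str, List[str]]:
    """Return {message_id: [reasons]} for replies that look like a hijacked thread."""
    findings: Dict[str, List[str]] = {}
    seen_ids = set()                    # Message-IDs observed so far in this thread
    participants: Dict[str, str] = {}   # display name -> address it was first seen with
    risky_seen = False                  # has a trusted message already carried a risky file?

    for msg in thread:
        name, addr = _addr(msg.from_header)
        reasons: List[str] = []
        risky = [a for a in msg.attachments
                 if any(a.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]

        if msg.in_reply_to is not None:
            # Known display name, new address: impersonating an existing participant.
            if name and name in participants and participants[name] != addr:
                reasons.append(f"display name '{name}' was {participants[name]}, now {addr}")
            # Answering a message this thread never held: conversation stolen from elsewhere.
            if msg.in_reply_to not in seen_ids:
                reasons.append(f"In-Reply-To {msg.in_reply_to} not in this thread")
            # Reply-To steering the victim's answer to another domain.
            if msg.reply_to:
                _, rt_addr = _addr(msg.reply_to)
                if _domain(rt_addr) != _domain(addr):
                    reasons.append(f"Reply-To domain {_domain(rt_addr)} differs from {_domain(addr)}")
            # First macro-capable or archive attachment in a thread that never carried one.
            if risky and not risky_seen:
                reasons.append("first risky attachment in thread: " + ", ".join(risky))

        if reasons:
            findings[msg.message_id] = reasons
        else:
            # Only messages we did not flag extend the trusted thread history.
            if name:
                participants.setdefault(name, addr)
            if risky:
                risky_seen = True
        seen_ids.add(msg.message_id)

    return findings


# Constructed sample thread: two legitimate messages, then a hijack attempt that
# reuses Alice's display name from a look-alike domain with a lure document.
SAMPLE_THREAD = [
    Message("<m1@example.com>", "Alice Example <alice@example.com>", None, None,
            ["Q3-forecast.pdf"]),
    Message("<m2@partner.test>", "Bob Partner <bob@partner.test>", None, "<m1@example.com>"),
    Message("<m3@relay.invalid>", "Alice Example <alice@example-mail.invalid>",
            "Alice Example <alice.example@webmail.invalid>", "<m2@partner.test>",
            ["Q3-forecast-updated.doc"]),
]

if __name__ == "__main__":
    for mid, why in find_hijack_indicators(SAMPLE_THREAD).items():
        print(mid)
        for reason in why:
            print("  -", reason)
```

The display-name check only catches the look-alike case; when the attacker sends from the genuinely compromised mailbox, as Hendley describes, From and display name are authentic and only the Reply-To and attachment heuristics fire, which is why those two are worth keeping even though they produce more noise. Running the block prints three reasons for the third message and nothing for the first two.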
3 tips for security admins
Hendley suggested three general principles for enterprise defenders.
- Assume a breach has already occurred and deliberately hunt for its telltale signs. If we assume the threat actor is already present, we can track them down more easily.
- Apply least privilege: limit control over IT resources to the minimum number of people who need it to do their jobs.
- Continuously verify who and what is connected to your network.
He added that companies that follow these guidelines make it far harder for threat actors to gain initial access, and harder again to move laterally across the network toward their objective.
And if attackers take longer to do it, Hendley argues, “defenders will have a better chance of finding them before they can do any damage.” It’s a change in perspective: “We’re going to presume they are already in and, if they are, how do we address that” as opposed to “We’re going to keep everyone out, nobody is going to get in.”