In nearly a quarter of all incidents remediated in 2022, attackers deployed backdoors on networks, according to the IBM Security X-Force Threat Intelligence Index. The main reason for the increase was the spike in the use of the multi-purpose Emotet malware early in the year, which accounted for 47% of backdoors deployed throughout the year. The report suggests that the increased deployment of backdoors could also be due to the high amount of money that this type of access can generate on the dark web, where compromised corporate network access from an initial access broker typically sells for several thousand US dollars.
Ransomware, which was the top attack type in 2021, came in second place with 17%, and business email compromise (BEC) followed with 6%. The study identified 19 ransomware variants in 2022, with LockBit variants comprising 17% of total ransomware incidents observed, up from 7% in 2021. Phobos and WannaCry tied for second place at 11%. Many of the WannaCry cases were legacy infections from three to five years earlier that were still present on old, unpatched equipment.
The Top Impacts of Cyberattacks
According to X-Force, extortion was the primary consequence, accounting for 21% of the incidents observed. Ransomware or BEC were frequently utilized in extortion incidents, along with remote access tools, cryptominers, backdoors, downloaders, and web shells. In 2022, attackers also made stolen data more accessible to downstream victims (the customers and partners of the breached organization) as a pressure tactic: the report noted that operators aimed to increase the pressure on the original target by having more third parties find their own data in the leak. Data theft and credential harvesting followed, accounting for 19% and 11% of incidents, respectively. Data theft did not always result in a data leak; leaks occurred in only 11% of all incidents.
What IBM X-Force Observed in the Malware Landscape
The oil and gas, manufacturing, and transportation industries experienced a 17% increase in Raspberry Robin malware, which spreads via infected USB drives, between early June and early August, according to IBM X-Force. To prevent such attacks, X-Force advises blocking known USB-based malware like Raspberry Robin, providing security awareness training, and disabling autorun features for removable media.
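The advice above is given without an implementation, so the following is an added example (not from the X-Force report or the original article) of how a Windows administrator would apply and then verify the removable-media controls it recommends on a single host. It disables AutoRun for every drive type, stops autorun.inf from being parsed, and denies execution from removable disks. The registry paths and value names are the documented local equivalents of the corresponding Group Policy settings; the `RemovableStorageDevices` class GUID is the one used by the "Removable Disks: Deny execute access" policy and should be checked against your own ADMX templates before deployment. The function names `Set-RemovableMediaHardening` and `Test-RemovableMediaHardening` are this example's own.

```powershell
# Added example, not code from the X-Force report or the article.
# Run from an elevated PowerShell session. Values take effect at the next logon
# (or after Explorer restarts); a domain GPO that manages the same settings
# will overwrite these local values on the next policy refresh.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Class GUID of the "Removable Disks: Deny execute access" policy (assumption: verify against your ADMX).
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

# Desired state:
#   NoDriveTypeAutoRun = 0xFF  -> bitmask, one bit per drive type; all set = AutoRun off everywhere
#   NoAutorun          = 1     -> autorun.inf is not parsed at all
#   Deny_Execute       = 1     -> executables on removable disks cannot be run
$desired = @(
    @{ Path = $explorerPolicy; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    @{ Path = $explorerPolicy; Name = 'NoAutorun';          Value = 1    },
    @{ Path = $removableDisks; Name = 'Deny_Execute';       Value = 1    }
)

function Set-RemovableMediaHardening {
    # Creates the policy keys if absent and writes each DWORD; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($item in $desired) {
        if (-not (Test-Path -Path $item.Path)) {
            New-Item -Path $item.Path -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess("$($item.Path)\$($item.Name)", "Set to $($item.Value)")) {
            Set-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -Type DWord
        }
    }
}

function Test-RemovableMediaHardening {
    # Reads every setting back and emits one object per setting, so the output can be
    # collected into a compliance report or checked by a configuration-management run.
    foreach ($item in $desired) {
        $current = $null
        if (Test-Path -Path $item.Path) {
            $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        [pscustomobject]@{
            Setting   = $item.Name
            Expected  = $item.Value
            Current   = $current
            Compliant = ($current -eq $item.Value)
        }
    }
}

Set-RemovableMediaHardening -WhatIf          # preview the registry writes
Set-RemovableMediaHardening                  # apply them
Test-RemovableMediaHardening | Format-Table -AutoSize
```

Note what this does and does not cover: it removes the automatic-execution path from removable media and blocks running files stored on them, which is the control the report asks for, but it does not stop a user from opening a shortcut or document on a USB drive that in turn launches a trusted system binary; that path needs the awareness training and endpoint detection the report also recommends.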
Additionally, X-Force observed a growing trend in the use of the Rust programming language for malware development, with malware such as BlackCat, Hive, Zeon, and RansomExx being released in Rust versions. In June, there was a sudden surge in the use of the Vidar infostealer, which can steal device information such as credit card details, usernames, passwords, files, and cryptocurrency wallets, or take screenshots of the user's desktop.
Manufacturing is the Most Targeted OT Industry
Manufacturing accounted for 58% of the incidents X-Force helped remediate across all operational technology (OT) industries. The report's primary finding for the sector is that backdoor deployment was the most common attacker objective, accounting for 28% of manufacturing cases. Ransomware actors are likely to favor these organizations because of their low tolerance for downtime. The leading initial access vector in OT-related industries was spear phishing, at 38% of cases, split between attachments (22%), links (14%), and spear phishing as a service (2%), followed by exploitation of public-facing applications at 24%. Backdoor deployment was detected in 20% of OT-related cases, and ransomware in 19%. The most prevalent impact of these attacks was extortion, at 29%, followed by data theft at 24%.
Cyberattacks Trends by Geography
In 2022, for the second consecutive year, Asia-Pacific had the highest share of cyberattacks, making up 31% of all incidents, up five percentage points from 2021. The region's most attacked industry was manufacturing with 48%, followed by finance and insurance with 18%. Spear phishing by attachment was the most common infection vector, accounting for 40% of incidents, and deployment of backdoors was the top action taken by attackers, at 31%.
Within Asia-Pacific, Japan was the epicenter of the Emotet spike and was by far the most targeted country, receiving 91% of the region's attacks. The Philippines received 5%, while Australia, India, and Vietnam each received 1.5%.
Europe was the second most targeted region, accounting for 28% of attacks. The most attacked industries in Europe were professional, business, and consumer services and finance and insurance, each accounting for 25% of the cases to which X-Force responded. Manufacturing was next with 12% of cases, and energy and healthcare followed in third place with 10% each. The United Kingdom was the most attacked country in Europe, accounting for 43% of cases, followed by Germany at 14%, Portugal at 9%, Italy at 8%, and France at 7%.
X-Force did not find evidence of widespread state-sponsored cyber activity following the invasion of Ukraine, but it did find that Russia had deployed an unprecedented number of wipers against targets in Ukraine. Killnet, a Russia-sympathetic group, was one of the most prolific self-proclaimed hacktivist groups observed, claiming DDoS attacks against public services, government ministries, airports, banks, and energy companies based in NATO member states, allied countries in Europe, as well as in Japan and the United States.
North America's share of incidents rose slightly, to 25% in 2022 from 23% in 2021. The most attacked industry was energy with 20% of attacks, followed by manufacturing and retail-wholesale, each accounting for 14% of incidents, although manufacturing saw a 50% decrease in cases compared to 2021. The US accounted for 80% of the region's attacks and Canada for 20%. The most common impact in the region was credential harvesting, at 25% of incidents, and the top infection vectors were exploitation of public-facing applications at 35% and spear phishing attachments at 20%. Ransomware accounted for 23% of cases.
In Latin America, retail-wholesale was the most attacked industry with 28% of cases, followed by finance and insurance at 24% and energy at 20%. Ransomware accounted for 32% of attacks, and extortion was the most common impact at 27%. Brazil accounted for 67% of attacks, Colombia for 17%, and Mexico for 8%; Peru and Chile split the remaining 8%. In the Middle East and Africa, 44% of attacks targeted finance and insurance, and deployment of backdoors was detected in 27% of the cases to which X-Force responded.
How to Secure Your Organization
X-Force makes six recommendations to help companies secure their systems against the threats described above.
Understand the data the company possesses. This is key to knowing what is being defended and which data is most critical to the business. Managing assets has been, and still is, one of the biggest issues facing cybersecurity teams today, John Hendley, head of strategy at IBM Security X-Force, tells CSO. "This is especially the case on the perimeter, where the presence of any vulnerabilities can introduce a foothold into your environment for threat actors. That's why we've seen such a large shift in strategy for defenders, away from perfecting perimeter security and towards detection and response, including the principles behind zero trust."
Know your adversary. Adopt a view that emphasizes the specific threat actors most likely to target your industry, organization, and geography. In Hendley's words, CISOs need to adopt the hacker mindset. "Doing so makes you see your systems, your networks, and really the whole world in a new way. Red teaming your defenses, whether that be simply probing for vulnerabilities or misconfigurations, or more in-depth detection and response testing, can help you get that understanding."
Better understand how threat actors operate. Identify their level of sophistication and know which tactics, techniques, and procedures (TTP) attackers are most likely to employ. “For example, the actions and tactics of threat actors targeting pharmaceutical companies for intellectual property will be a world apart from cyber gangs that target elementary schools with ransomware. Being sharp on who your adversary is can push defender teams to that next level,” Hendley says.
Maintain visibility at key points throughout the enterprise. Ensuring that alerts are generated and acted on in a timely manner is critical to stopping attackers.
Assume compromise. This ensures cybersecurity teams are constantly re-examining possible infiltration points, detection and response capabilities, and how difficult it actually is for an attacker to reach critical systems and data.
Apply threat intelligence. Analyze common attack paths, identify the key opportunities for mitigating common attacks, and be prepared by developing and exercising an incident response plan.