A new study from IBM Security suggests cyberattackers are taking side routes that are less visible, and they are getting much faster at infiltrating perimeters.
The latest annual IBM X-Force Threat Intelligence Index released today reported that deployment of backdoor malware, which allows remote access to systems, emerged as the top action by cyberattackers last year. About 67% of those backdoor cases were related to ransomware attempts that were detected by defenders.
The IBM report noted that ransomware declined 4 percentage points between 2021 and 2022, and defenders were more successful at detecting and preventing those attacks. However, cyberattackers have gotten much faster at infiltrating perimeters, with the average time to complete a ransomware attack dropping from two months to less than four days.
Legacy exploits still hanging around and active
Malware that made headlines years ago, while perhaps forgotten, is nowhere near gone, according to the IBM study. For instance, malware infections such as WannaCry and Conficker are still spreading, as vulnerabilities hit a record high in 2022, with cybercriminals accessing more than 78,000 known exploits. All of this makes it easier for hackers to use older, unpatched access points, according to John Hendley, head of strategy for IBM’s X-Force.
“Because cybercriminals have access to these thousands of exploits, they don’t have to invest as much time or money finding new ones; older ones are doing just fine,” said Hendley. “WannaCry is a great example: It’s five years later, and vulnerabilities leading to WannaCry infections are still a significant threat.”
He said X-Force has watched WannaCry ransomware traffic jump 800% since April 2022, though the Conficker nuisance worm is perhaps more surprising for its age. “Conficker is so old that, if it were a person, it would be able to drive this year, but we still see it,” he said. “The activity of these legacy exploits just speaks to the fact that there’s a long way to go.”
Demand for backdoor access reflected in premium pricing
The X-Force Threat Intelligence Index, which tracks trends and attack patterns from data garnered from networks and endpoint devices, incident response engagements and other sources, reported that the uptick in backdoor deployments can be partially attributed to their high market value. X-Force observed threat actors selling existing backdoor access for as much as $10,000, compared to stolen credit card data, which can sell for less than $10.
Hendley said the fact that nearly 70% of backdoor attacks failed — thanks to defenders disrupting the backdoor before ransomware was deployed — shows that the shift toward detection and response is paying off.
“But it comes with a caveat: It’s temporary. Offense and defense is a cat-and-mouse game, and once adversaries innovate and adjust tactics and procedures to evade detection we would expect a drop in failure rate — they are always innovating,” he added, noting that in less than three years attackers increased their speed by 95%. “They can do 15 ransomware attacks now in the time it took to complete one.”
Industry, energy and email thread hijacking are standouts
The IBM study cited several notable trends, suggesting among other things that political unrest in Europe is driving attacks on industry there and that attackers everywhere are increasing efforts to use email threads as an attack surface.
- Extortion through BECs and ransomware was the goal of most cyberattacks in 2022, with Europe being the most targeted region, representing 44% of extortion cases IBM observed. Manufacturing was the most extorted industry for the second consecutive year.
- Thread hijacking: Subterfuge of email threads doubled last year, with attackers using compromised email accounts to reply within ongoing conversations posing as the original participant. X-Force found that over the past year attackers used this tactic to deliver Emotet, Qakbot and IcedID – malicious software that often results in ransomware infections.
- Exploit research lagging vulnerabilities: The ratio of known exploits to vulnerabilities has been declining over the last few years, down 10 percentage points since 2018.
- Credit card data fades: The number of phishing exploits targeting credit card information dropped 52% in one year, indicating that attackers are prioritizing personally identifiable information such as names, emails and home addresses, which can be sold for a higher price on the dark web or used to conduct further operations.
- Energy attacks hit North America: The energy sector held its spot as the 4th most attacked industry last year, with North American energy organizations accounting for 46% of all energy attacks, a 25% increase from 2021.
- Asia accounted for nearly one-third of all attacks that IBM X-Force responded to in 2022.
Hendley said email thread hijacking is a particularly pernicious exploit, and one quite likely fueled last year by trends favoring remote work.
“We observed the monthly thread hijacking attempts increase 100% versus 2021,” he said, pointing out that these are broadly similar to impersonation attacks, where scammers create cloned profiles and use them for deceptive ends.
“But what makes thread hijacking specifically so dangerous is that attackers are hitting people when their defenses are down, because that first level of trust has already been established between the people, so that attack can create a domino effect of potential victims once a threat actor has been able to gain access.”
3 tips for security admins
Hendley suggested three general principles for enterprise defenders.
- Assume breach: Proactively go out and hunt for indicators of compromise. Assuming the threat actor is already active in the environment makes it easier to find them.
- Enable least privilege: Limit IT administrative access to those who explicitly need it for their job role.
- Explicitly verify who and what is inside your network at all times.
He added that when organizations follow these general principles, they make it a lot harder for threat actors to gain initial access, and attackers who do get in will have a harder time moving laterally to achieve their objective.
“And if, in the process, they have to take a longer amount of time, it will be easier for defenders to find them before they are able to cause damage,” Hendley said. “It’s a mindset shift: Instead of saying, ‘We’re going to keep everyone out, nobody’s going to get in,’ we are going to say, ‘Well, let’s assume they are already in and, if they are, how do we handle that?’”