Business email compromise doubled in 2022: Secureworks
With talk of advanced AI-driven threats dominating the cybersecurity industry, new research by the Secureworks Counter Threat Unit (CTU) has revealed that most real-world security incidents have more humble beginnings. "This highlights a need for businesses to focus on cyber hygiene to bolster their network defences," says CTU.
Between January and December 2022, Secureworks helped contain and remediate over 500 real-world security incidents. Secureworks CTU researchers analysed the data from these incidents to establish trends and emerging threats and released the following key findings.
The number of incidents involving business email compromise (BEC) has doubled, replacing ransomware as the most common type of financially motivated cyber threat to organisations.
The growth in BEC was linked to a surge in successful phishing campaigns: phishing accounted for 33% of incidents where the initial access vector (IAV) could be established, up from 13% in 2021.
An equally popular entry point for attackers - nation states and cybercriminals - was to exploit vulnerabilities in internet-facing systems, representing a third of incidents where IAV could be established. Typically, threat actors did not need to use zero-day vulnerabilities, instead relying on publicly disclosed vulnerabilities, such as ProxyLogon, ProxyShell and Log4Shell, to target unpatched machines.
Ransomware incidents fell by 57% but remain a core threat. The reduction could be due as much to a change in tactics as to a decrease in the threat level following increased law enforcement activity around high-profile attacks such as Colonial Pipeline and Kaseya. Equally, gangs may increasingly be targeting smaller organisations, which are less likely to engage incident responders and so would fall outside the scope of this report.
"Business email compromise requires little to no technical skill but can be extremely lucrative. Attackers can simultaneously phish multiple organisations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models," says Mike McLellan, Director of Intelligence at Secureworks.
"Let's be clear, cybercriminals are opportunistic. Attackers are still going around the parking lot and seeing which doors are unlocked. Bulk scanners will quickly show an attacker which machines are not patched. If your internet-facing applications aren't secured, you're giving them the keys to the kingdom. Once they are in, the clock starts ticking to stop an attacker turning that intrusion to their advantage. Already in 2023, we've seen several high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging."
Hostile state-sponsored activity increased to 9% of incidents analysed, up from 6% in 2021. An overwhelming majority (90%) were attributed to threat actors affiliated with China.
Financially motivated attacks accounted for most of the incidents investigated outside of state-sponsored activity, representing 79% of the total sample, which is lower than in previous years. This could be connected to the Russia/Ukraine conflict disrupting cybercrime supply chains.
For instance, after internal files belonging to the Conti ransomware group were leaked, the group took months to reconfigure and recover, which could have contributed to ransomware's overall decline.
"Government-sponsored threat actors have a different purpose to those who are financially motivated, but the tools and techniques they use are often the same. For instance, Chinese threat actors were detected deploying ransomware as a smokescreen for espionage. The intent is different, but the ransomware itself isn't. The same is true for the initial access vectors (IAVs); it's all about getting a foot in the door in the quickest and easiest way possible, no matter which group you belong to," adds McLellan.
"Once a state-sponsored actor is through that door, they are very hard to detect and even harder to evict. As states such as China, Russia, Iran, and North Korea continue to use cyber to advance the economic and political goals of their countries, it is even more important that businesses get the right controls and resources in place to protect, detect, and remediate attacks."
The report also showed that fundamental security controls in the cloud were either misconfigured or absent, potentially because of a rushed move to the cloud during COVID-19. Multi-factor authentication (MFA) fatigue attacks, in which an attacker who already holds a user's password repeatedly triggers MFA push prompts to browbeat the user into approving one, were also on the rise.
To optimise security posture, Secureworks recommends that organisations ensure comprehensive visibility and intelligence-driven detection across their host, network and cloud environments. Granular recommendations that prevent recurrence include centralised log retention and analysis across host, network and cloud resources, reputation-based web filtering, and network detection for suspicious domains and IPs.
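As an added illustration of the kind of detection that centralised log analysis makes possible, the script below flags the MFA fatigue pattern described above. This is editor-added example code, not tooling from the Secureworks report; the log format, the field names, the 10-minute window and the three-prompt threshold are all assumptions for the example, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push-notification events (not taken from the
# Secureworks report). Format assumed: ISO 8601 UTC timestamp followed by
# key=value fields, one event per line.
SAMPLE_LOG = """\
2023-01-10T08:00:01Z user=alice event=mfa_push result=denied src=203.0.113.5
2023-01-10T08:00:30Z user=alice event=mfa_push result=denied src=203.0.113.5
2023-01-10T08:01:05Z user=alice event=mfa_push result=timeout src=203.0.113.5
2023-01-10T08:01:40Z user=alice event=mfa_push result=denied src=203.0.113.5
2023-01-10T08:02:10Z user=alice event=mfa_push result=approved src=203.0.113.5
2023-01-10T08:05:00Z user=bob event=mfa_push result=approved src=198.51.100.7
2023-01-10T08:06:00Z user=carol event=password_ok src=192.0.2.9
2023-01-10T09:30:00Z user=bob event=mfa_push result=denied src=198.51.100.7
2023-01-10T09:31:00Z user=bob event=mfa_push result=approved src=198.51.100.7
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Flag users who received `threshold` or more push prompts inside a
    sliding `window` (both values are assumed tuning knobs for the example).

    Returns {user: {"prompts": n, "sources": {...}, "approved_after_burst": bool}}.
    approved_after_burst is True when the user approved a prompt while already
    inside such a burst, i.e. the attacker's persistence paid off; that is the
    case worth paging on, the rest is worth a ticket.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])          # logs are not always in order
    recent = defaultdict(deque)                  # user -> prompts inside window
    alerts = {}
    for e in events:
        if e.get("event") != "mfa_push":
            continue                             # only push prompts count
        q = recent[e["user"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()                          # drop prompts that aged out
        if len(q) < threshold:
            continue
        a = alerts.setdefault(e["user"], {"prompts": 0, "sources": set(),
                                           "approved_after_burst": False})
        a["prompts"] = max(a["prompts"], len(q))
        a["sources"].update(x["src"] for x in q)
        if e["result"] == "approved":
            a["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, info)
```

On the sample, alice is flagged (five prompts in about two minutes, the last one approved) while bob is not, because his two prompts an hour apart never fall inside one window. The detection only works if push-prompt outcomes, including denials and timeouts, are actually shipped to the central log store; a pipeline that keeps only successful sign-ins cannot see the burst at all.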