Rapid7 released its 2023 Mid-Year Threat Review, which provides a detailed snapshot of the attack landscape in the first six months of 2023, together with actionable guidance for organisations on how to protect themselves from common threats.
The report aggregates data and analysis from Rapid7’s vulnerability intelligence, managed services and threat analytics teams. During these first six months, Rapid7 tracked more than 1,500 ransomware incidents and 79 attacks attributed to state-sponsored threat actors.
Researchers also tracked more than a dozen new vulnerabilities that were exploited en masse, as well as reporting a 69 per cent uptick in incident response case volume.
Christiaan Beek, Senior Director Threat Analytics, Rapid7, says, “Exploitation of public-facing applications has been a popular initial access strategy so far this year, including for advanced persistent threat actors (APTs) and state-sponsored adversaries."
“APTs exploited both zero-day and known vulnerabilities in routers, security appliances, printer management software and Voice over Internet Protocol technologies, amongst other attack vectors. Cyber espionage, cyber warfare and financial gain were the main motives attributed to state-sponsored threat campaigns,” he adds.
The real number of ransomware incidents is likely to be higher than the roughly 1,500 Rapid7 tracked, in part because public reports lag behind the incidents themselves, and in part because of the cut-off date at which Rapid7 compiled its data.
Caitlin Condon, Rapid7’s Head of Vulnerability Research, explains, “The Cl0p ransomware gang was still actively claiming new victims from the MOVEit Transfer hack perpetrated at the end of May.
“One key point we make is that counting primary victims, the organisations directly targeted or compromised in ransomware or extortion campaigns, underestimates the true impact of these incidents, which frequently involve data exposure for downstream users or partner organisations.”
Looking ahead, Condon anticipates more extortion campaigns of the kind that exploited MOVEit Transfer and GoAnywhere MFT.
“We expect to see more smash-and-grab-style exploits targeting applications that house sensitive data. Why bother deploying ransomware or planning a multi-stage attack when you can exploit a public-facing application and simply exfiltrate tranches of data in one go?” warns Condon.
Rapid7’s mid-year data shows that basic security hygiene is still a challenge for many businesses.
Condon says, “39% of incidents our managed services teams responded to stemmed from either lax or lacking multi-factor authentication."
According to Rapid7, as a priority, businesses should ensure multi-factor authentication is in place and enforced wherever possible, including and especially on VPNs and virtual desktop infrastructure.
Establishing baseline vulnerability management and asset inventory programs is also critically important. Organisations can mitigate data theft and extortion risk by taking measures to prevent data exfiltration wherever possible.
This could include restricting or alerting on large file uploads, blocking known file sharing sites, and monitoring the use of data archiving utilities, to name a few.
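The three controls listed above can be expressed as detection rules. The script below is an added illustration, not code from Rapid7 or from the report: it runs over constructed proxy and endpoint process-creation logs, whose field layouts are assumed for this example, and flags (a) single requests that send more than an assumed 100 MiB threshold, (b) clients whose cumulative outbound bytes cross that threshold even though no single request did, (c) uploads to a hypothetical file-sharing blocklist, and (d) execution of archiving utilities, with password flags treated as the stronger signal. All domain names, hostnames, users and thresholds are made up.

```python
"""Exfiltration-detection checks run over constructed sample logs:
large uploads (single request and cumulative per client), traffic to
known file-sharing domains, and use of archiving utilities."""
import re
import shlex
from collections import defaultdict

MIB = 1024 * 1024
SINGLE_UPLOAD_THRESHOLD = 100 * MIB   # assumed: one request sending > 100 MiB
CUMULATIVE_THRESHOLD = 100 * MIB      # assumed: one client sending > 100 MiB in the window

# Hypothetical blocklist; a real deployment would take this from a category feed.
FILE_SHARING_DOMAINS = {"example-share.net", "drop.example.org"}

# Archiving utilities worth monitoring. Only some accept a password flag, and tar's
# own -p means "preserve permissions", so the password check is limited to these.
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar.exe", "zip.exe"}
PASSWORD_CAPABLE = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "zip.exe"}
PASSWORD_FLAG_PREFIXES = ("-p", "-hp", "-P")  # 7-Zip/WinRAR -p and -hp, Info-ZIP -P

# Constructed proxy log: timestamp client_ip method host bytes_sent bytes_received
PROXY_LOG = """\
2023-06-12T09:01:02Z 10.1.4.22 POST upload.example-share.net 524288000 1024
2023-06-12T09:01:05Z 10.1.4.22 GET intranet.corp.local 512 20480
2023-06-12T09:03:40Z 10.1.4.23 POST api.crm-vendor.example 2048 4096
2023-06-12T09:07:11Z 10.1.4.22 PUT 203.0.113.45 734003200 512
2023-06-12T09:09:30Z 10.1.4.23 POST api.crm-vendor.example 62914560 300
2023-06-12T09:12:02Z 10.1.4.23 POST api.crm-vendor.example 62914560 300
"""

# Constructed process-creation events: timestamp|host|user|image|command_line
PROCESS_LOG = r"""
2023-06-12T08:58:10Z|WS-0412|jdoe|C:\Program Files\7-Zip\7z.exe|7z.exe a -p -mhe=on C:\Users\jdoe\out.7z C:\Finance\Q2
2023-06-12T09:00:00Z|WS-0412|jdoe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2023-06-12T09:05:30Z|WS-0417|svc_backup|C:\Windows\System32\tar.exe|tar.exe -czf backup.tgz C:\App\logs
"""


def parse_proxy(text):
    """Split the space-separated proxy log into dicts with integer byte counts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, sent, recv = line.split()
        records.append({"ts": ts, "client": client, "method": method,
                        "host": host.lower(), "sent": int(sent), "recv": int(recv)})
    return records


def is_file_sharing_host(host):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def detect_uploads(records):
    findings = []
    per_client = defaultdict(int)
    flagged_clients = set()
    for r in records:
        per_client[r["client"]] += r["sent"]
        if is_file_sharing_host(r["host"]):
            findings.append({"rule": "file_sharing_site", "client": r["client"],
                             "host": r["host"], "bytes": r["sent"]})
        if r["sent"] > SINGLE_UPLOAD_THRESHOLD:
            findings.append({"rule": "large_upload", "client": r["client"],
                             "host": r["host"], "bytes": r["sent"]})
            flagged_clients.add(r["client"])
    # The cumulative check catches chunked transfers that each stay under the
    # single-request threshold; clients already flagged are not reported twice.
    for client, total in per_client.items():
        if total > CUMULATIVE_THRESHOLD and client not in flagged_clients:
            findings.append({"rule": "cumulative_upload", "client": client,
                             "host": None, "bytes": total})
    return findings


def parse_process(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmd = line.split("|", 4)
        events.append({"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd})
    return events


def detect_archivers(events):
    findings = []
    for e in events:
        image = re.split(r"[\\/]", e["image"])[-1].lower()
        if image not in ARCHIVERS:
            continue
        # posix=False keeps Windows backslash paths intact while honouring quotes.
        tokens = shlex.split(e["cmd"], posix=False)
        password = image in PASSWORD_CAPABLE and any(
            t.startswith(PASSWORD_FLAG_PREFIXES) for t in tokens[1:])
        findings.append({"rule": "archiver_use", "host": e["host"], "user": e["user"],
                         "image": image, "password_protected": password})
    return findings


def run_all(proxy_text=PROXY_LOG, process_text=PROCESS_LOG):
    return {"network": detect_uploads(parse_proxy(proxy_text)),
            "endpoint": detect_archivers(parse_process(process_text))}


if __name__ == "__main__":
    for area, findings in run_all().items():
        for f in findings:
            print(area, f)
```

On the sample data the single-request rule fires twice for 10.1.4.22 (one of those uploads also hits the file-sharing blocklist), while 10.1.4.23 is only caught by the cumulative rule: its three POSTs of about 60 MiB each never exceed the per-request threshold. The password-protected 7-Zip run is the finding a responder would triage first, since staging data into encrypted archives typically precedes exfiltration; the tar invocation is recorded but carries no password signal.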