URL:
https://www.csoonline.com/article/3688362/backdoor-deployment-overtakes-ransomware-as-top-attacker-action.html
Submission: On February 23 via api from TR — Scanned from DE
BACKDOOR DEPLOYMENT OVERTAKES RANSOMWARE AS TOP ATTACKER ACTION

Thanks to the availability of malware such as Emotet, deploying backdoors on victims' networks is becoming easier and more lucrative for cybercriminals.

By Samira Sarraf, Regional Editor for Australia and New Zealand, CSO | 22 February 2023 12:22

Deployment of backdoors on networks was the top action attackers took in almost a quarter of all incidents remediated in 2022. "Backdoors led to a notable spike in Emotet cases in February and March. That spike inflated the ranking of backdoor cases significantly, as those deployed in this timeframe account for 47% of all backdoors identified globally throughout 2022," according to the newly released IBM Security X-Force Threat Intelligence Index. “Increased backdoor deployment may also be due to the amount of money this kind of access can generate on the dark web. Compromised corporate network access from an initial access broker typically sells for several thousands of US dollars,” stated the report.

Ransomware, which had been the number one attack type in 2021, came a close second with 17%, and business email compromise (BEC) followed with 6%. The study found 19 ransomware variants in 2022. LockBit variants comprised 17% of total ransomware incidents observed, up from 7% in 2021. Phobos tied with WannaCry for second at 11%. Many WannaCry cases were the result of infections from three to five years ago on old, unpatched equipment.

THE TOP IMPACTS OF CYBERATTACKS

Extortion was the main impact, seen in 21% of incidents observed by X-Force. Extortion was often achieved through ransomware or BEC and often included the use of remote access tools, cryptominers, backdoors, downloaders, and web shells. One tactic observed in 2022 was attackers making stolen data more accessible to downstream victims. “By making it easier for second-hand victims to identify their data among a data leak, operators seek to increase the subsequent pressure on the organization targeted by the ransomware group or affiliate in the first place,” the report found. Data theft came second with 19%, followed by credential harvesting with 11%. Not all data thefts resulted in data leaks, which occurred in 11% of all incidents.

WHAT IBM X-FORCE OBSERVED IN THE MALWARE LANDSCAPE

A 17% spike in Raspberry Robin malware between early June and early August was identified in the oil and gas, manufacturing, and transportation industries. X-Force advises ensuring security tools block known USB-based malware (such as Raspberry Robin), implementing security awareness training, and disabling autorun for any removable media. IBM X-Force also noticed the Rust programming language gaining popularity, with developers releasing Rust versions of their malware including BlackCat, Hive, Zeon, and RansomExx. A “sudden” influx of Vidar InfoStealer was noticed from June through to early 2023. Vidar can be used to harvest information from the device such as credit card data, usernames, passwords, and files. It can also take screenshots of the user’s desktop or steal Bitcoin and Ethereum cryptocurrency wallets.

MANUFACTURING IS THE MOST TARGETED OT INDUSTRY

Of the operational technology (OT) industries, manufacturing accounted for 58% of incidents X-Force helped remediate. In line with the report's main findings, deployment of backdoors was the top action on objective, identified in 28% of cases in the manufacturing sector. X-Force believes the sector is a favorite of ransomware actors, likely because of these organizations’ low tolerance for downtime. Spear phishing accounted for 38% of initial access vectors in OT-related industries, comprising attachments (22%), links (14%) and spear phishing as a service (2%). It was followed by exploitation of public-facing applications at 24%, detection of backdoors at 20% and ransomware at 19%. The most common impact of such attacks was extortion (29%) followed by data theft (24%).

CYBERATTACK TRENDS BY GEOGRAPHY

For the second consecutive year, Asia-Pacific was the most attacked region in 2022, registering 31% of all incidents. This represents a 5% increase compared to 2021, according to the report. Japan was the epicenter of the Emotet spike in 2022. Manufacturing was the most attacked industry in the region with 48%, followed by finance and insurance with 18%. Other global trends also applied, including spear phishing by attachment being the top infection vector at 40% and deployment of backdoors being the top action on objective at 31%. Japan was the most targeted nation with 91% of the region's attacks, followed by the Philippines with 5%, and Australia, India, and Vietnam each at 1.5%.

Europe was the second most targeted region with 28% of attacks. The region was the hardest hit by extortion, accounting for 44% of all extortion cases observed, and extortion (38%) was also the top impact across the region. The United Kingdom was the most attacked country in Europe, accounting for 43% of cases. Germany accounted for 14%, Portugal 9%, Italy 8%, and France 7%. The most attacked industries were professional, business, and consumer services, tied with finance and insurance, each accounting for 25% of the cases to which X-Force responded. Manufacturing was second with 12% of cases, and energy and healthcare followed in third place at 10%.

X-Force saw no evidence of widespread state-sponsored cyber activity following the invasion of Ukraine. However, it did find that Russia deployed an unprecedented number of wipers against targets in Ukraine. The wipers were mostly used against Ukraine’s networks from before the invasion through to March 2022. One of the most prolific self-proclaimed hacktivist groups observed was Killnet, a Russia-sympathetic group that has claimed DDoS attacks against public services, government ministries, airports, banks and energy companies based in North Atlantic Treaty Organization (NATO) member states, allied countries in Europe, as well as in Japan and the United States.

North America experienced a slight increase in the number of incidents, to 25% in 2022 from 23% in 2021. The region’s most attacked industry was energy with 20% of attacks; manufacturing and retail-wholesale followed with 14% each, although manufacturing represents a 50% drop in cases compared to 2021. The US accounted for 80% of the region’s attacks and Canada 20%. The biggest impact in the region was credential harvesting (25%), and the top infection vectors were exploitation of public-facing applications at 35% and spear phishing attachments at 20%. Ransomware incidents accounted for 23% of cases.

In Latin America, retail-wholesale was the most attacked industry with 28% of cases, followed by finance and insurance (24%) and energy (20%). Ransomware accounted for 32% of attacks and extortion was the most common impact at 27%. Brazil accounted for 67%, Colombia 17% and Mexico 8%. Peru and Chile split the remaining 8%.

Deployment of backdoors was detected in 27% of cases to which X-Force responded in the Middle East and Africa in 2022. Finance and insurance were the most targeted industries in the region, accounting for 44%. Saudi Arabia comprised two-thirds of the cases in the region to which X-Force responded. The remaining cases were split between Qatar, the United Arab Emirates and South Africa.

WHAT TO DO TO SECURE YOUR ORGANIZATION

X-Force makes six recommendations to help companies secure systems against malicious threats, including those mentioned above.

1. Understand the data the company possesses. This is key to understanding what is being defended and which data is most critical to the business. Managing assets has been, and still is, one of the biggest issues facing cybersecurity teams today, John Hendley, head of strategy at IBM Security X-Force, tells CSO. “This is especially the case on the perimeter, where the presence of any vulnerabilities can introduce a foothold into your environment for threat actors. That’s why we’ve seen such a large shift in strategy for defenders, away from perfecting perimeter security and towards detection and response, including the principles behind zero trust.”

2. Know your adversary. Adopt a view that emphasizes the specific threat actors that are most likely to target your industry, organization, and geography. In Hendley’s words, CISOs need to adopt the hacker mindset. “Doing so makes you see your systems, your networks, and really the whole world in a new way. Red teaming your defenses—whether that be simply probing for vulnerabilities or misconfigurations, or more in-depth detection and response testing—can help you get that understanding.”

3. Better understand how threat actors operate. Identify their level of sophistication and know which tactics, techniques, and procedures (TTPs) attackers are most likely to employ. “For example, the actions and tactics of threat actors targeting pharmaceutical companies for intellectual property will be a world apart from cyber gangs that target elementary schools with ransomware. Being sharp on who your adversary is can push defender teams to that next level,” Hendley says.

4. Maintain visibility at key points throughout the enterprise. Ensuring that alerts are generated and acted on in a timely manner is critical to stopping attackers.

5. Assume compromise. This ensures cybersecurity teams are constantly re-examining possible infiltration points, detection and response capabilities, and how difficult it is for an attacker to reach critical systems and data.

6. Apply threat intelligence. Analyze common attack paths, identify key opportunities for mitigating common attacks, and be prepared by developing an incident response plan.

Related: Cyberattacks, Malware, Network Security, Ransomware

With years of experience covering technology and business across the IT channel, Samira Sarraf managed the enterprise IT content for, and wrote for, the CIO.com, CSO Online, and Computerworld editions in Australia and New Zealand. She is now an editor with CSO Online global.

Copyright © 2023 IDG Communications, Inc.