According to the findings, vishing attacks have overtaken business email compromise as the second most reported response-based email threat since Q3 2021.

MINNEAPOLIS, May 23, 2022 /PRNewswire-PRWeb/ -- Vishing (voice phishing) cases have increased almost 550 percent over the last twelve months (Q1 2022 to Q1 2021), according to the latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs, both of which are part of the HelpSystems cybersecurity portfolio.

In Q1 2022, Agari and PhishLabs detected and mitigated hundreds of thousands of phishing, social media, email, and dark web threats targeting a broad range of enterprises and brands. The report provides an analysis of the latest findings and insights into key trends shaping the threat landscape.

According to the findings, vishing attacks have overtaken business email compromise (BEC) as the second most reported response-based email threat since Q3 2021. By the end of the year, more than one in four of every reported response-based threat was a vishing attack, and this makeup continued through Q1 2022.

"Hybrid vishing campaigns continue to generate stunning numbers, representing 26.1% of total share in volume so far in 2022," said John LaCour, principal strategist at HelpSystems. "We are seeing an increase in threat actors moving away from standard voice phishing campaigns to initiating multi-stage malicious email attacks. In these campaigns, actors use a callback number within the body of the email as a lure, then rely on social engineering and impersonation to trick the victim into calling and interacting with a fake representative."

Additional Key Findings

*   Social media impersonation attacks are on the rise. Since Q2 2021, the volume of brand impersonations increased 339% and executive impersonations 273%. According to the findings, brands prove to be convenient targets for threat actors, especially when associated with retail counterfeit operations. However, for some unique attacks, executive accounts are preyed on to make the spoofs seem more realistic.
*   Credential theft email scams continue to be the most common email threat type reported by employees, contributing to nearly 59% of all threat types encountered. Credential theft reports increased 6.9% in volume from Q4 2021.
*   The malware landscape continues to be ever changing. Qbot was once again the payload of choice for threat actors attempting ransomware attacks, but Emotet reemerged in Q1 and was the second leading payload.
*   While nearly half of all phishing sites rely on a free tool or service for staging, Q1 2022 was the first quarter in five consecutive quarters where paid or compromised services (52%) outnumbered free solutions for the use of staging phishing sites.

"As the variety of digital channels organizations use to conduct operations and communicate with consumers expands, bad actors are provided with multiple vectors to exploit their victims," added LaCour. "Most attack campaigns are not built from scratch; they are based on reshaping traditional tactics and incorporating multiple platforms. Therefore, to remain secure, it's no longer effective for organizations to only look within the network perimeter. They must also have visibility into a variety of external channels to proactively gather intelligence and monitor for threats.

"Additionally, security teams should invest in partnerships that will ensure the swift and complete mitigation of attacks before they result in reputational and financial damage."

Additional Resources

To learn more about the report findings, attend the live webinar at 2 PM EST on Tuesday, May 24 or watch on-demand: https://www.phishlabs.com/webinars/details/?commid=541642.

To access the complete Agari and PhishLabs Quarterly Threat Trends & Intelligence Report, visit: https://info.phishlabs.com/quarterly-threat-trends-and-intelligence-may-2022.

About Agari by HelpSystems  
Agari restores trust to your inbox by increasing overall email deliverability and preserving brand integrity. It does this through an identity-centric approach that uniquely learns sender-receiver behavior. This model protects customers, partners, and employees from devastating phishing and socially engineered attacks, such as inbound business email compromise, supply chain fraud and account takeover-based attacks, as well as from outbound email spoofing. Visit http://www.agari.com to learn more.

About PhishLabs by HelpSystems  
PhishLabs by HelpSystems is a cyber threat intelligence company that delivers Digital Risk Protection through curated threat intelligence and complete mitigation. PhishLabs provides brand impersonation, account takeover, data leakage and social media threat protection in one complete solution for the world's leading brands and companies. For more information visit http://www.phishlabs.com.

About HelpSystems  
HelpSystems is a software company focused on helping exceptional organizations secure and automate their operations. Our cybersecurity and automation software protects information and simplifies IT processes to give our customers peace of mind. We know security and IT transformation is a journey, not a destination. Let's move forward. Learn more at http://www.helpsystems.com.

Vishing Attacks Reach All Time High, According to Latest Agari and PhishLabs Report

Google has disclosed a nasty set of six bugs affecting Zoom chat that can be chained together for MitM and RCE attacks, no user interaction required.

A vulnerability chain discovered in Zoom's chat functionality can be exploited to allow zero-click remote code execution (RCE), threat hunters have revealed.

Google's Project Zero uncovered an attack path that would allow cyber adversaries to silently force a victim to connect to a man-in-the-middle (MitM) server — no user action needed. From there, attackers can intercept and modify client update requests and responses in order to send the victim a malicious update, which will automatically download and execute, thus allowing RCE.

The only capability needed to carry this off successfully is the ability to send messages to the victim over Zoom chat, Project Zero researcher Ivan Fratric noted in a posting that was made public on Tuesday.   

"With the massive popularity and broad reach of Zoom, any vulnerability that could allow a remote compromise like this is of concern," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "While an attack appears to require the threat actor to be on an active Zoom call with the target, the wide prevalence of the platform and the number of large group meetings means it shouldn’t be difficult for a malicious actor to find suitable victims."  

**XMPP "Stanza Smuggling" Bug  
**Zoom chat uses a messaging protocol based on XML called XMPP. Fratric explained that messages are exchanged using short snippets of XML called "stanzas" that are sent over a single stream back and forth from client to server. The initial issue is the fact that the client and server don't see eye-to-eye when interpreting whether message code is well formed, leading to parsing inconsistencies.

"The clients use gloox library for XML parsing … and Zoom's server … uses fast\_xml for XML parsing, which in turn uses an XML parser called Expat," the researcher noted. "Indeed, it turns out that Expat and gloox parse XML in a different way and (at least one) exploitable inconsistency exists."

At issue is the fact that the server's Expat parser is lax when it comes to validating tag and attribute names, Fratric said. Specifically, it will forward tag names containing question marks (i.e., "<?xml ?>") to the client, even though it shouldn't. And when the client's gloox parser sees the question-mark sequence, it will reset the parser state so that anything coming after that will be considered a legitimate root node of the next stanza.

This makes it possible to escape the <message> tag safeguards, he noted, to add in whatever content the attacker would like: "The <message> tag here can, of course, be replaced with <iq> or any other tag and it will be accepted by the client as the data coming from the server." He dubbed this "stanza-smuggling."

Since attackers now have complete control over the message tag, that also means they can manipulate the "from" attribute, in order to spoof messages as if coming from another user. And, Fratric noted, they can also lead the victim's contacts to malicious websites for phishing or drive-by malware attacks. This is accomplished by altering the file-integration tag, to surreptitiously replace the URL that's opened when the user wants to share a file with another user, using Dropbox, Google Drive, SharePoint, and other cloud-based services.  

**Achieving Man-in-the-Middle Status  
**The MitM attack is accomplished by changing the <strem:error> tag. Using a specially crafted stanza, bad actors can create "a 'ClusterSwitch' task in the Zoom client, with an attacker-controlled 'web domain' as a parameter," Fratric said.

To trigger the attack, adversaries can simply type and send a message to the victim containing the magic string "iddqd" in the tag. That will cause the victim client to connect to the /clusterswitch endpoint on the attacker-provided domain, thus setting up the ability to see and modify traffic between the client and the Zoom Web server.

"From /clusterswitch endpoint, a client gets a list of domains to be used for various services," Fratric explained. "Since the attacker is already in the man-in-the-middle position, they can replace any of the domains with their own, acting as a reverse proxy and intercepting communications."

**Exploiting the Client Update Process  
**The escalation to arbitrary code execution was a logical next step, Fratric noted, given that Zoom clients will periodically query the update endpoint from Zoom's Web server to see if there's anything new to install.

"Since the attacker is already in the MitM position, they can, of course, replace these endpoints and serve arbitrary data," according to the researcher.

Fratric ran into a snag here, though: The client downloads two files as part of the update process, and verifies their legitimacy — the "Installer.exe" file must be signed by "Zoom Video Communications, Inc." to start with; once installed, it checks the hash of the second .cab file.

However, it turns out that attackers can get around these hurdles with a downgrade attack.

"I served Installer.exe and .cab from Zoom version 4.4 (from mid-2019)," the researcher explained. "The installer for this version is still properly signed; however, it does not do any security checks on the .cab file."

**Patch Now**

In all, Fratric reported a total of six security vulnerabilities, including four Zoom-specific issues fixed in version 5.10.4 of the Zoom client:  

*   CVE-2022-22784 (improper XML parsing)
*   CVE-2022-22786 (update package downgrade),
*   CVE-2022-22787 (insufficient hostname validation​​),
*   CVE-2022-22785 (improperly constrained session cookies)

There's unfortunately also a software supply chain issue at work: The two others (CVE-2022-25235, CVE-2022-25236) affect the Expat parser, which is open source and used in plenty of other applications, including wares from Aruba, F5, IBM, and Oracle, as well as the Red Hat Linux distro. They're patched in Expat version 2.4.5.

"Some or all parts of the chain are likely applicable to other platforms," Fratric said.

Zoom became a popular target for "Zoom-bombing" and other attacks in the wake of the work-from-home wave during the pandemic, calling into question the security of the platform and its encryption practices. The company implemented a raft of security changes to match it's heightened status, but nonetheless, bugs like these are somewhat inevitable, researchers noted.

"In 2020, we all instantly became hyper-connected to the Internet…and so did all of the systems we use," Mark Lambert, vice president of products at ArmorCode, tells Dark Reading. "Two years later, and it is clear that there is no looking back. Unfortunately, these types of vulnerabilities are inevitable given the speed that software is released to meet business goals. The only way for us to protect ourselves is to detect as soon as possible and react even quicker."

Managing the volume of software vulnerabilities and alerts is a difficult challenge for developers, he notes. "The only way for them to keep up with the pace of delivery is to operationalize application security and embed it into their DevOps pipeline."

Zero-Click Zoom Bug Allows Code Execution Just by Sending a Message

This year's finalists tackle such vital security concerns as permissions management, software supply chain vulnerability, and data governance. Winners will be announced June 6.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meet the 10 Finalists in the RSA Conference Innovation Sandbox

Purporting to publish leaked emails of pro-Brexit leadership in the UK, a new site's operations have been traced to Russian cyber-threat actors, Google says.

A new website has popped up called Very English Coop d'Etat, publishing what it claims are private emails from pro-Brexit leadership in the UK in an attempt to gin up conspiracy theories around the country's split from the European Union.   

Both UK foreign intelligence and Google's cybersecurity team confirmed that Russian cyberattack group Cold River is behind the campaign, according to Reuters. 

Steve Huntley, with Google's Threat Analysis Group, said that this campaign has "clear technical links" to other Cold River disinformation campaigns, according to the report.

Victims of the leaks include former MI6 spy agency head Richard Dearlove, public Brexit supporter Gisela Stuart, and historian Robert Toombs, according to the report, who say their accounts were breached by Russian government actors. 

Reuters added that this incident is the second time since 2020 that Moscow-backed cyberattackers have stolen and leaked private emails from British national officials. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Brexit Leak Site Linked to Russian Hackers

Implement zero-trust policies for greater control, use BYOD management tools, and take proactive steps such as keeping apps current and training staff to keep sensitive company data safe and employees' devices secure.

Mobile workers are productive and often essential to a business's success, but it puts an immense amount of pressure on IT to protect the company's corporate apps and data while maintaining worker privacy.

Bring your own device, also known as BYOD, challenges corporate security protocols and IT staff to protect their intellectual property and keep hackers at bay.

**BYOD Security Risks  
**When the pandemic first hit, organizations were forced to shift from mainly supporting corporate-owned, fully managed devices to supporting personal devices used for work purposes. This abrupt move to remote work forced companies to quickly shift their networking and security capabilities, creating a large amount of risk to their organization. Without proper security measures in place, these unmanaged BYOD devices grant employees access to company resources and sensitive data, which poses a potential risk for sensitive data to be leaked, inadvertently or on purpose.

With over 58% of employees saying their use of personal devices for work purposes increased during the COVID-19 pandemic, shortcuts were destined to be taken with the quick shift to remote work and BYOD. We saw IT teams prioritizing and investing in network access capabilities rather than remote security. With 84% of survey respondents saying they didn't invest in data protection, it's doubtful their security measures increased during the duration of the pandemic. As employees start to return to the office and regain access to even more company resources and sensitive data, their use of BYOD at work could expose their company to new risks.

Here's a spring-cleaning checklist to keep your employee's devices secure for their return to office and beyond:

**Step 1: Improve your BYOD security policy.** If you don't have a BYOD security policy, create one now! For the 39% of organizations that have a formal policy in place, ask yourself if your company's BYOD security policy is restrictive or too vague and adjust as needed. Consider employee's privacy and productivity concerns when making improvements to the policy.

**Step 2: Implement zero-trust security.** With 72% of organizations around the world that have either adopted or are in the process of planning or adopting zero trust, it has become the new business standard for reliable security in our "work-from-anywhere" world. Whether you're working in the office, checking your email in the airport, or working from home, zero-trust security expands beyond a company's security perimeter. Zero trust prescribes that every resource — including devices — must be assessed for potential risks or policy violations before gaining access to corporate data, giving greater control over a BYOD environment.

**Step 3: Make use of BYOD management tools.** It's difficult for companies to manage a fleet of devices across multiple departmental disciplines and mobile device management (MDM) software can help make it simple and easy. Various core functions of MDM ensure that devices are remotely available for auditing, update over the air, that software runs effectively, and devices are available for remote diagnosis and troubleshooting. According to Markets and Markets, the MDM market is anticipated to grow to $15.7 billion by 2025.

**Step 4: Keep your apps and their components up to date.** Each day, hundreds of vulnerabilities are discovered in the mobile and web space, and patches are released regularly. Developers should incorporate these patches in their applications and encourage their users to regularly update their app and their operating systems. This ensures that hackers who try to exploit these known vulnerabilities will be unsuccessful.

**Step 5: Empower employees with information.** According to Trustlook, more than 50% of employees haven't received formal instructions for how to safely use BYOD in the workplace. One of the biggest things companies can do to make sure BYOD devices are secure is empowering employees with information to understand how their devices can be risky to the company's data and create vulnerabilities. Without understanding the cause and effect of BYOD devices to the company, employees won't value a BYOD security policy.

**Step 6: Mitigate future mobile application security issues.** Don't let the wrong mobile security strategy result in customer data being stolen or misused by a cyber scam. Encourage your employees to scan all their mobile apps whether they're for personal or business use.

**Choosing Your Path  
**Large organizations with distributed and often multinational operations need to ensure employees use the latest technologies without putting corporate data and intellectual property at risk. Hybrid and remote work are here to stay, and the demand for BYOD will continue to increase. Determine which security tools and strategies are right for your organization and start implementing them before they cost you in the long run.

Spring Cleaning Checklist for Keeping Your Devices Safe at Work

In just one month, the ransomware group's activity rose by 2,100%, a new report finds.

While on the whole the ransomware landscape remained fairly stable between March and April, a new analysis shows a sizable hike in attack activity from the CLOP ransomware group.

The NCC Group April Threat Pulse update says that the CLOP ransomware group leapfrogged from dead last to the fourth most active group for the month, a 2,100% increase over March. 

The industrial sector was most targeted in April, suffering 35% of ransomware attacks, followed by consumer cyclicals (19%) and technology (10%), according to NCC. 

CLOP appears to favor targeting the industrial and technology sector, the researchers warn. 

"The increase in CL0P's activity seems to suggest they have returned to the threat landscape," Matt Hull, global lead for strategic threat intelligence at NCC Group, said in a statement about the new ransomware group activity findings. "Organizations within CL0P's most targeted sectors — notably industrials and technology — should consider the threat this ransomware group presents, and be prepared for it." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CLOP Ransomware Activity Spiked in April

With manufacturing ranking as the fourth most targeted sector, manufacturers that understand their exposure will be able to build the necessary security maturity.

Digital transformation within the manufacturing industry, often referred to as Industry 4.0, is bringing a new world of connectivity and efficiency to modern-day factories. Smart factories incorporate new technology — such as factory automation, artificial intelligence, and the Internet of Things — at all levels of production and the supply chain. Whether robots on the factory floor, wearable devices that improve safety, or monitoring of equipment data through the IoT, adopting Industry 4.0 is the way forward to ongoing success and innovation in the industry.

Manufacturers are on board with the change: The market for smart factory equipment is expected to expand from $295.65 billion in 2021 to more than $500 billion in 2026. However, cyber threats are increasing in tandem with the rise of Industry 4.0.

According to the Kroll "Q4 2021 Threat Landscape" report, manufacturing is the fourth most targeted sector, behind only professional services, technology/telecommunications, and healthcare. As with most other sectors, phishing is the most common attack vector detected against manufacturing targets.

The threat landscape will only continue to expand. Manufacturers that take steps now to understand their exposure will be able to build the security maturity needed to embrace connected technology.

**Manufacturing's Security Maturity  
**Cyberattackers are pivoting toward manufacturing due to the industry's comparatively low level of security maturity, newfound connectivity in core processes, and the difficulty of securing complex manufacturing environments. Differentiated manufacturing processes have always been considered trade secrets, and the industry is highly sensitive to interruptions in service.

However, in the past, mission-critical systems were air gapped, or not Internet connected. This drove attackers to look for easier targets in financial services or healthcare, both of which have lucrative assets, connected devices, and operate with a high degree of urgency, which can lead to security shortcuts, and connected devices.

Now that manufacturing is adopting connected devices, analyzing more data, and feeding that data into custom software, the need for security maturity in the manufacturing sector is urgent. This is a problem that transcends the IT department. Effective security maturity is a multidisciplinary undertaking that must consider the ways that technologies, processes, and people contribute to keeping critical data and devices secure. Protecting industry 4.0 requires dedicated cybersecurity knowledge and expertise.

**Current Cyber Threats in Manufacturing  
**Threats against the manufacturing sector fall into three main categories.

Traditional cyber threats include ransomware against IT systems, data theft, supply chain attacks, and intellectual property theft. These are serious threats that can cost manufacturing businesses time, money, and credibility. They are also threats that smaller manufacturers, in particular, have not yet built strong defenses against due to limited time, resources, or hiring capabilities.

Manufacturing firms are also uniquely at risk for targeted attacks against industrial control systems (ICS). As operational technology (OT) works more closely with traditional IT assets, including connected industrial IoT (IIoT) devices, it is becoming easier to bridge the gap between those groups of devices, and to compromise OT that was originally designed or configured as an isolated network. This can lead not only to the compromise of sensitive information but also interruptions in service and delays in fulfillment.

Another layer of threat against the manufacturing sector involves bespoke software. To make sense of the data that connected systems create, and to enjoy efficiency advantages this data can offer, that data has to be fed into other software. The software is often custom-made for an individual company's technology and data assets. This software and the infrastructure on which it runs can be an attractive target. If it wasn't designed from the start with security in mind, and if it is not implemented and maintained with security in mind, that bespoke software can become the weak link that lets an attacker in.

**What's Next: Adopting Industry 4.0 Securely  
**As a manufacturer, you cannot afford _not_ to adopt Industry 4.0. For efficiency reasons, including just-in-time manufacturing, as well as workplace monitoring, Industry 4.0 is the path toward factories that are both more cost-effective and safer. These changes are not only exciting, but they are becoming necessary: Customers are demanding the flexibility, agility, and information that only Industry 4.0 provides.

However, this is not just a revolution in what you can do on the factory floor, and in what you can do to delight customers. It is also a revolution in how your company needs to think about security. Consider your products: Putting a safe, high-quality product on the market in the first place is more efficient and cheaper in the long run than having to handle a recall if something goes wrong.

A similar attitude makes sense in security. Considering security from the beginning, both in terms of connected infrastructure and the custom code that holds systems together, leads to smoother operations and avoids the major business disruption, cost, and reputational damage that comes with incident response, and the subsequent remaking of code or infrastructure after an issue is exploited.

Effectively preparing and defending against the security challenges of Industry 4.0 is an endeavor that requires action and initiative from people beyond IT. In short, it requires dedicated cybersecurity expertise, with people who can consistently analyze risks and the threat landscape. The effort needs professionals who know how to design and implement effective security controls that prevent active threats, and can make sense of log data and identify anomalies, as well as respond to attacks. They can also oversee that best practices are followed for secure design and coding in applications that ingest and process factory data.

Industry 4.0 Points Up Need for Improved Security for Manufacturers

A DDoS campaign observed by Akamai from actors claiming to be REvil would represent a major pivot in tactics for the gang.

Concern has been raised that a coordinated distributed denial-of-service (DDoS) attack from a malicious actor could be associated with the notorious ransomware-as-a-service (RaaS) group REvil.  

According to a report from Akamai’s Security Intelligence Response Team (SIRT), the attack was aimed at one of Akamai’s hospitality customers. It consisted of a simple HTTP GET request, with a message demanding payment to a Bitcoin (BTC) wallet in exchange for stopping the attack. It also included an additional request for the company to stop operating in a specific country.

Given the request to stop operating in the geospecific location appeared to stem from a recent Supreme Court decision in that country, the attack took on a political flavor that Akamai analysts say would be a break with REvil’s earlier strategies.

“We haven’t seen them linked to hacktivism or political goals in any of the previously reported attacks,” according to Akamai.

On the technical front, the use of proxying capabilities and “fairly well” distributed IPs participating in the attack indicated that some level of coordination was required between the attacker and the proxying system, the Wednesday report notes.

And, due to the extensive use of MikroTik devices identified in the attacking sources, the report suggests the attack could be supported by the MikroTik-based Meris botnet, which also has links to REvil. That said, the low volume of requests per second (Rps) and relatively unsophisticated nature of the campaign are atypical of Meris attacks, the report notes.

**REvil Redux?**

Since being reportedly dismantled by the Russian government earlier this year, there have been hints that REvil – or at least some previous members of the gang – is putting itself back together.

In April, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.

Then in March, security firm Imperva reported mitigating a ransom DDoS attack tied to the Meris botnet measuring 2.5 million requests per second (Mrps). It included a series of ransom notes received by the customer that also claimed it came from REvil.

While DDoS has been used in the past by some groups as an extra layer of pressure on ransomware victims to pay up, in both the March incident and this latest case, the attack is pure-play DDoS.

"We haven't seen ransomware linked to these campaigns. The only tie to ransomware is the naming of REvil in the extortion demands," says SIRT engineer Chad Seaman.  

But as to whether this latest incident means that REvil is truly back and testing out new techniques, Seaman is skeptical.

"I don't feel there are strong indicators here that this is indeed a resurgence of REvil,” he says. “Even in the prior reported campaigns, I don't believe there are strong indicators that positively attribute those attacks to REvil in reality."

For instance, the alert also pointed out that the BTC wallet does not have any previous connection to REvil. And the gang has maintained in the past that it is purely profit driven, after all.

Seaman says the threat is more likely to stem from a copycat group looking to leverage REvil’s notoriety.

**DDoS Extortion: A New Avenue for Fear**

He added that be it REvil or someone leveraging the name or reputation, the attack is clearly a play on fear in the hopes of easy money, so the most concerning takeaway from Akamai’s investigation is the fear and panic associated with the threat.

“This is the goal of these types of attacks: to scare the victim into paying, lending credibility to the threat using a scary name,” he explained. “When these campaigns spin up and start to get press, it's typically followed by a surge of copycats.”

From Seaman’s perspective, the publishing of reports like these requires a delicate balance of notifying the public of the threat without the threat turning into a wildfire of copycats.

“We're hoping to help raise awareness while ramping down the associated fear because if we don't get out in front of these types of campaigns and fear-based reporting outpaces sane analysis, it only serves to fuel the fire, not fight it,” he said.

DDoS Extortion Attack Flagged as Possible REvil Resurgence

Verizon's "2022 Data Breach Investigations Report" repeatedly makes the point that criminals are stealing credentials to carry out their attacks.

Credentials, phishing, exploiting vulnerabilities, and botnets "pervade all areas of the DBIR, and no organization is safe without a plan to handle them all," Verizon's team of researchers wrote in this year's "Data Breach Investigations Report."

Attackers don't have to bother with zero-day vulnerabilities or build out elaborate attack tools when they can just steal credentials and log right in. Whether the report is looking at Web application attacks, email scams such as business email compromise, or malware, the theme was consistent: Stolen credentials played a role. 

DBIR is chock-full of charts and visualizations, so it is difficult to pick just one -- though the chart about what types of data attackers are stealing is a particularly striking. For a long time, criminals were interested in personal data -- data that could be used for identity theft or other types of financial fraud. While that is still the case, that is not the complete story. Attackers are focusing heavily on obtaining stolen credentials, since those credentials make carrying out other attacks even easier and harder to detect. The report considers 180 different actions that lead to data breaches, and the use of stolen credentials is the most common.

"We've long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system," the report says.

Consider how ransomware gets onto the targeted system: 40% of ransomware incidents involve the use of desktop sharing software, such as remote desktop protocol. And the easiest way to access RDP is via weak passwords.

While third-party breaches represent just 1% of breaches in the 2022 dataset, about half of them involved the use of stolen credentials. 

Phishing and stolen credentials were the top two actions in data breaches involving social engineering attacks. The third is "pretexting," almost all of which are business email compromises. A quarter of BECs used stolen credentials against the victim organization, according to the report.

And finally, in the area of web application attacks, the vast majority of incidents use stolen credentials as their entry point. Over 80% of the breaches that was categorized under web application attacks in this year's DBIR can be attributed to stolen credentials. In comparison, the second most common action, exploiting vulnerabilities, is less than 20%.

"There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years," the report says.

"Even if passwordless authentication isn't ready for prime time in your organization, the report findings can be used to help fund and implement multi-factor authentication," says Rick Holland, CISO and vice-president of strategy at Digital Shadows.

DBIR Makes a Case for Passwordless

Ransomware has become so efficient, and the underground economy so professional, that traditional monetization of stolen data may be on its way out.

The past year has seen a staggering acceleration in ransomware incidents, with 25% of all breaches containing a ransomware component.

That's the top-line finding in the 2022 Verizon Data Breach Investigations Report (DBIR), which found that ransomware events in conjunction with breaches ballooned 13% in the past year — last year's report found that just 12% of incidents were ransomware-related. That translates into a rate of increase that's more than the previous five years of growth combined.

The 15th annual DBIR analyzed 23,896 security incidents, of which 5,212 were confirmed breaches. About four in five of those were the handiwork of external cybercriminal gangs and threat groups, according to Verizon. And according to Alex Pinto, manager of the Verizon Security Research team, these nefarious types are finding it easier and easier to earn an ill-gotten living with ransomware, making other types of breaches increasingly obsolete.

"Everything in cybercrime has become so commoditized, so much like a business now, and it's just too darn efficient of a methodology for monetizing their activity," he tells Dark Reading, noting that with the emergence of ransomware as-a-service (RaaS) and initial-access brokers, it takes very little skill or effort to get into the extortion game.

"Before, you had to get in somehow, look around, and find something worth stealing that would have a reseller on the other end," he explains. "In 2008 when we started the DBIR, it was by and large payment-card data that was stolen. Now, that has fallen precipitously because they can just pay for access someone else established and install rented ransomware, and it's so much simpler to reach the same goal of getting money."

A corollary to this story is that any and every organization is a target — companies no longer need to have something worth stealing in the way of highly sensitive data to fall in the cybercrime crosshairs. That means that small- and midmarket organizations should beware, Pinto said, as well as very small, mom-and-pop organizations.

"You don't have to go for the big guys anymore," Pinto said. "In fact, going for the big guys might be counterproductive because those folks usually have their ducks more in a row as far as defenses. If a business has a handful of computers and they care about their data, you're potentially going to make a few bucks out of them."

Put into a different context, the DBIR found that around 40% of data breaches are due to the installation of malware, he said (what Verizon refers to as system intrusions), and the rise in RaaS has led to 55% of those specific breach incidents involving ransomware.

"Our concern is that really, there's no ceiling here," Pinto says. "I think we're not convinced anymore that it's going to stop — unless someone comes up with something that's even more efficient. I cannot imagine what that would be, but maybe this is why I'm not in the organized crime business."

**The SolarWinds Effect**

The fallout from the infamous SolarWinds supply-chain hack blew far and wide over the course of the year, with the "software updates" vector pushing the "partner breach" category up to being responsible for 62% of system-intrusion incidents (including ransomware incidents) — and that's way, way up, from a negligible 1% in 2020.

Pinto noted that despite the headlines and the interest in incidents like SolarWinds (and others, such as the Kaseya-related ransomware attacks), dealing with supply-chain breaches doesn't require an operational overhaul for most businesses.

"Protecting against the fallout of a supply-chain breach if you were one of the affected customers is not so different from protecting from several other types of malware, because your servers are beaconing out to somewhere they shouldn't be. If you're a CISO, the techniques you use should be fairly similar to the ones you already use because, quite frankly, trying to go after every single software supplier you have to try to make them secure will make you insane. It's a very big lift."

**Where to Start on Ransomware Defense**

In examining the entry paths for breaches, Pinto noted that attacks can reliably be boiled down to four different (and familiar) avenues: the use of stolen credentials; social engineering and phishing; vulnerability exploits; and the use of malware.

"The one thing when you close this report to do is, go look at those four things in your environment and what controls you have for them," Pinto says.

When it comes to ransomware-related breaches in particular, 40% of incidents analyzed involved the use of desktop sharing software such as Remote Desktop Protocol. And 35% involved the use of email (phishing, mostly).

"Locking down your external-facing infrastructure, especially RDP and emails, can go a long way toward protecting your organization against ransomware," Pinto says.

It's worth noting that overall, 82% of all breaches analyzed by Verizon relied on human error (misconfigurations, for example, accounting for 13% of breaches) or interaction (phishing, social engineering, or stolen credentials). Artur Kane, vice president of product at GoodAccess, says that this indicates a few best practices to take a look at.

First, there are the technical solutions, such as requiring multifactor authentication (MFA) and network segmentation by access privileges, along with implementing real-time threat detection capability, keeping continuous access logs, and running regular backups.

"However, security administrators also need to have solid response and recovery plans in place for these occurrences, and should conduct regular trainings and drills," Kane says. "\[And\] user training can greatly contribute to improving the overall company security posture. As a large part of ransomware attacks opens with a phishing lure, training employees in how to spot them can save millions of dollars in later breach recovery."

Source

DARKReading