IBM’s annual X-Force Threat Intelligence Index, an analysis of data gathered from network sensors and incident investigations, is filled with a dizzying array of numbers about breaches of security controls.
But arguably only one is the most important: The one that shows us how most successful attacks start. And the answer for 2022 — again — is phishing.
The report, released today, says phishing remained the leading infection vector last year, identified in 41 per cent of incidents. Of those phishing attacks, 62 per cent were spear-phishing.
The exploitation of public-facing applications — because, for example, they were unsecured or unpatched — accounted for 26 per cent of incidents.
Abuse of valid accounts was identified in 16 per cent of the observed incidents. These are cases where adversaries obtained and abused the credentials of existing accounts as a means of gaining access. These incidents included cloud accounts, default accounts, domain accounts, and local accounts.
The exploitation of remote services was the fourth most common attack vector, used in 12 per cent of successful attacks. Not every vulnerability exploited by threat actors results in a cyber incident, the report adds. The number of incidents resulting from vulnerability exploitation in 2022 decreased 19 per cent from 2021, after rising 34 per cent from 2020. IBM believes this swing was driven by the widespread Log4J vulnerability at the end of 2021.
Infections by malicious macros have fallen out of favor, adds the report, likely due to Microsoft’s decision to block macros by default. To compensate, attackers are increasingly using malicious ISO and LNK files as the primary tactic to deliver malware through spam.
Among other interesting numbers:
–- credit card information as a target in phishing kits dropped significantly. Last year only 29 per cent of phishing kits targeted credit cards. That suggests phishers are prioritizing personally identifiable information (PII), says the report;
— although ransomware’s share of incidents declined only slightly (4 percentage points) from 2021 to 2022, defenders were more successful in detecting and preventing ransomware. Despite this, attackers continued to innovate, with the report showing the average time to complete a ransomware attack dropped from two months down to less than four days;
— the deployment of backdoors after gaining access emerged as the top action by attackers last year. Twenty-one per cent of incidents involved the installation of backdoors. About 67 per cent of those backdoor cases were related to ransomware attempts where defenders were able to detect the backdoor before ransomware was deployed, says the report. The uptick in backdoor deployments can be partially attributed to their high market value, the report says. Threat actors last year sold existing backdoor access for as much as US$10,000, compared to stolen credit card data, which can sell for less than US$10 today;
— the second most common action after getting network access was deploying ransomware. One particularly damaging way ransomware operators distribute their payload across a network is by compromising domain controllers, the report notes;
— the most common impact from cyberattacks in 2022 was extortion, which was primarily achieved through ransomware or business email compromise attacks. Europe was the most targeted region for this method, representing 44 per cent of extortion cases observed, as threat actors sought to exploit geopolitical tensions. Data theft and credential harvesting were the second and third most common impacts;
— thread hijacking saw a significant rise in 2022, with attackers using compromised email accounts to reply within ongoing conversations, posing as the original participant;
— the proportion of known exploits relative to vulnerabilities declined 10 percentage points from 2018 to 2022, due to the fact that the number of vulnerabilities hit another record high in 2022. IBM concludes that legacy exploits enabled older malware infections such as WannaCry and Conficker to continue to exist and spread. On the other hand, the reduction of vulnerabilities with known exploits is evidence of the benefit of a well-maintained patch management process, the report says;
— don’t forget to close the door (or, more accurately, the ports) on USB-based attacks. In 2022, IBM saw the spread of the Raspberry Robin worm through employees plugging in infected USB devices. By early August, Raspberry Robin peaked at 17 per cent of infection attempts that X-Force observed;
— on the operational technology (OT) side, industrial control systems (ICS) vulnerabilities discovered in 2022 decreased for the first time in two years (457 in 2022 compared to 715 in 2021 and 472 in 2020). One explanation, says the report, may be found in ICS lifecycles and how they’re generally managed and patched. Attackers know that, with the demand for minimal downtime, long equipment lifecycles, and older, less-supported software, many ICS components and OT networks are still at risk from older vulnerabilities. Infrastructure is usually in place for many years longer than standard office workstations, which extends the lifespan of ICS-specific vulnerabilities beyond those that exploit IT.
Among the report’s recommendations for infosec leaders:
— organizations should develop incident response plans customized for their environment. Those plans should be regularly tested and modified as the organization changes, with a focus on improving response, remediation and recovery time;
— prioritizing the discovery of assets on the perimeter, understanding the organization’s exposure to phishing attacks, and reducing those attack surfaces further contribute to holistic security. Extend asset management programs to include source code, credentials, and other data that could already exist on the internet or dark web;
— have appropriate visibility into the data sources that would indicate an attacker’s presence.
The full report can be downloaded here. Registration required.