One invariant of the cybersecurity industry is that attacks will keep happening, but the methods attackers prefer and the outcomes they pursue are shifting noticeably, even at a global level. Sometimes these shifts are driven by new malware tools sold on the dark web or delivered as ransomware-as-a-service (RaaS). For example, the email-delivered Emotet malware caused a spike in backdoor deployments in early 2022. Many of these tools rely on network infrastructure deployed worldwide, which local authorities and security firms can disrupt, forcing criminal groups to pivot to different attack vectors.
With the average time to deploy ransomware falling from more than two months in 2019 to 3.85 days in 2021*, one might assume that the share of incidents involving ransomware would rise as well. However, the percentage of attacks that included ransomware decreased from 21% in the previous year to 17% in 2022, while backdoor deployments rose to 21% of the incidents investigated by IBM's X-Force. The decline in ransomware is partly due to recent instability within the main criminal syndicates that maintain widely used ransomware services. Another reason is a change in how attacker groups collaborate: groups that obtain access increasingly sell it on to other groups with higher success rates at exploiting it, rather than carrying the attack through themselves.
Many groups have adopted the strategy of selling backdoor access, once gained, at auction for around US$5,000-10,000 to other groups who want to carry the attack further. It is unsurprising, then, that attack objectives have changed: stolen credit card data sells on the dark web for only about $10 per card, and the proportion of phishing kits targeting credit card data dropped from 61% to 29% year on year. Instead, criminal groups are acquiring other types of data, especially personally identifiable information (PII) such as names, email addresses, home addresses and passwords. PII is attractive because of what it enables: it can be used in reconnaissance to develop an attack plan further, or sold on the dark web to others who see an opportunity in it.
Additionally, it is easier to exploit human error with a phishing email than to exploit a known vulnerability or a zero-day in internet-facing applications. The number one initial access vector was phishing, at 41% of attacks, while exploitation of vulnerabilities accounted for 26%. It is worth noting that zero-days make up less than 10% of vulnerability exploitation; around 90% of exploits target known, documented vulnerabilities.
Overall, understanding how attacker groups operate and how their methods change is crucial to deciding which parts of a security system most need defending and analysing. The trend analysis above gives some context on where businesses should focus their attention: good service hygiene, with digital assets updated and patched regularly; protecting data, especially the PII of employees and customers; and a mature security awareness programme, so that exploitation is minimised and the response process is well known should someone fall victim.
If you have any questions or would like to understand how Net Reply can help you with security, or follow us on LinkedIn!

* Note: The statistics used are from IBM's X-Force Threat Intelligence Index 2023.