52% of ransomware incidents started with compromise of unpatched remote services
The exploitation in remote services has become the primary initial access vector in ransomware attacks over the past year, accounting for 52% of ransomware incidents, overtaking credentials-based attacks from 2021, according to a new report.
Secureworks has published its annual State of the Threat Report, revealing that there has been a 150% rise in the use of infostealers, making them a key precursor to ransomware. Both these factors keep ransomware the primary threat for organisations, who must fight to stay abreast of the demands of new vulnerability prioritisation and patching.
The 2022 State of the Threat Report from Secureworks provides an overview of how the global cybersecurity threat landscape has evolved over the last 12 months, with a focus on the Secureworks Counter Threat Units (CTU) first hand observations of threat actor tooling and behaviors.
"We conduct thousands of incident response engagements every year. While ransomware remains the most prominent threat to businesses, we are tracking notable shifts in threat actor behaviours and their approach to campaigns," says Barry Hensley, Chief Threat Intelligence officer, Secureworks.
"It's too simple to claim that ransomware as a service is slowing. Our research clearly shows a rise in Infostealers use and an evolution of tools and adversaries.
"The threat is changing, but it is not going away," he says.
"It is critical for organisations to stay ahead of the adversary with solutions that effectively prioritise risk, based on the most up-to-date intelligence. When businesses understand the nature of the threat, they can better focus resources and move quickly to optimise response."
Highlights from the Report Include:
- Shift to exploiting vulnerabilities as primary initial access vector (IAV) over credentials-based attacks
- Accelerated use of Infostealers as a means of enabling ransomware operations Insights into the changing groups and threats associated with the continued dominance of ransomware
- Changes and newcomers in the loader landscape
- Tools and tactics of hostile government-sponsored groups across the world
The Onward March of Ransomware
Ransomware continues to remain the primary threat facing organisations accounting for more than a quarter of all attacks. Despite a series of high-profile law enforcement interventions and public leaks, and a small slow down over the summer months, ransomware operators have maintained high levels of activity.
The median detection window in 2022 is four and a half days, compared to five days in 2021. The mean dwell time in 2021 was 22 days but so far in 2022 is down at 11 days. Companies effectively have one working week to respond to and mitigate damage.
The number of victims listed on public Name and Shame sites continues to remain high with no year-over-year reduction. Despite some monthly fluctuations, the number of victims named in the first six months of 2022 is slightly higher at 1,307 than the 1,170 named in the first six months of 2021.
This years Biggest Offenders based on Securework's incident response engagements are GOLD MYSTIC, GOLD BLAZER, GOLD MATADOR and GOLD HAWTHORNE. Notably, all of these groups are tied to Russia.
In some instances, the adversaries are making use of the fear surrounding ransomware to undertake lower tech crimes. Hack and leak operations where data is stolen and a ransom is demanded but no ransomware is deployed continued into 2022, with GOLD TOMAHAWK and GOLD RAINFOREST among the top culprits.
Vulnerabilities in Remote Services become the Biggest Issue
The 2022 State of the Threat Report from Secureworks also highlights that exploitation of vulnerabilities in internet-facing systems has become the most common initial access vector (IAV) observed. This is a change from 2021, when the dominant IAV was the use of stolen or guessed credentials.
As new vulnerabilities are discovered, developers of widely available offensive security tools used by threat actors are quick to incorporate new vulnerabilities into their tools, often meaning that even less sophisticated threat actors are able to exploit new vulnerabilities before security teams can patch.
The Rise of Infostealers
CTU researchers have seen an increase in the sale of network access sourced from credentials acquired by information stealers. In a single day in June 2022, CTU researchers observed over 2.2 million credentials obtained by Infostealers available for sale on just one underground marketplace; last year this figure on the same market with respect to the same stealers was 878,429. That's an increase year on year of over 150%.
The three main stealer markets include: Genesis Market, Russian Market and 2easy. There is a plethora of stealers for sale on underground forums but some of the major ones include Redline, Vidar, Raccoon, Taurus, and AZORult.
Infostealers provide the means to quickly and easily obtain credentials that can be used for initial access, making them a major enabler of ransomware operations. Innovative distribution methods for Infostealers have included cloned websites and trojanised installers for messaging apps such as Signal.
A Change in the Loader Landscape
Between July 2021 and June 2022, two big names in the loader landscape disappeared (Trickbot and IceID) and two returned (Emotet and Quakbot). This indicates that groups are moving away from the complex, fully featured botnets that evolved from the early banking trojans towards more lightweight loaders that are easier to develop and maintain a trend that has only increased with the use of post-exploitation tools such as Cobalt Strike.