New report backs up factors that motivate hackers
Just as how other industries have adopted the 'as-a-service model', illicit service providers have done the same by selling tools, instruction manuals and target lists to novice or entry-level hackers. Some go beyond to provide cheat sheets for easy access to a list of easy targets - making it easy to zero-in on vulnerable links into finance and real estate companies.
Hacking is now a managed service similar to a pay-to-play environment that allows amateurs to quickly develop attacks that are far beyond their skill level. The low barriers of entry means that cybercriminals only need basic skills to launch common attacks, including phishing, distributed denial of service (DDoS), or any kind of targeted hacking.
Hacking as a service (HaaS) is the commercialisation of hacking skills, in which the hacker serves as an outsourced contractor. HaaS makes advanced code-breaking skills available to anyone with a web browser and a credit card. These elusive service providers are so organised in the dark web that anyone with money can pay for a list specialist hackers to hire and do the job.
According to a new report from Palo Alto Networks, a global cyber security company, software vulnerabilities, especially from finance and real estate industries, attract hackers who scour the internet for weak links they can make money from. Their investigation team identified that the finance industry and real estate were among the industries that received the highest average ransom demands, averaging $8 million and $5.2 million, respectively.
Ransom demands and payments by industry
Palo Alto Networks Unit 42 has a team of security consultants who can outpace threat actors, from their deep experiences in handling some of the largest cyberattacks in the public and private sectors in history.
They manage complex cyber risks and respond to advanced threats, including nation-state attacks, advanced persistent threats, or APTs, and complex ransomware investigations. In a new finding, the 2022 Unit 42 Incident Response Report offers deep insights from an extensive incident response (IR) work, by sampling over 600 cases to help CISOs and security teams understand the greatest security risks they face.
Easy Entry Job - better than a Ponzi Scheme
“Right now, cybercrime is an easy business to get into because of its low cost and often high returns. As such, unskilled, novice threat ‘actors’ can get started with access to tools like hacking-as-a-service becoming more popular and available on the dark web,” said Wendi Whitmore, senior vice president and head of Unit 42 at Palo Alto Networks.
“Ransomware attackers are also becoming more organised with their customer service and satisfaction surveys as they engage with cybercriminals and the victimised organisations.”
- Wendi Whitmore
- Wendi Whitmore
Overall, ransomware and business email compromise (BEC) were the top incident types that the Incident Response team responded to over the past 12 months, accounting for approximately 70% of incident response cases. The report can help security engineers prioritise resources to reduce and mitigate risks.
What attackers are going after in 2022
Typically, ransomware actors are only discovered after files are encrypted, and the victim organisation receives a ransom note. The median dwell time — meaning the time threat actors spend in a targeted environment before being detected — observed for ransomware attacks was 28 days.
Ransom demands have been as high as $30 million, and actual payouts have been as high as $8 million, a steady increase compared to the findings of the 2022 Unit 42 Ransomware Report. A new ransomware victim is posted on leak sites every four hours. Identifying ransomware activity early is critical for organisations. Increasingly, affected organisations can also expect threat actors to use double extortion, threatening to publicly release sensitive information if a ransom was not paid.
image source: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-incident-response-report-final.pdf
Business email compromise (BEC)
Cybercriminals use a variety of techniques in wire-fraud schemes to attack business email accounts. Phishing offers an easy and cost-effective way to gain covert access while maintaining a low risk of discovery. According to the report, in many cases fraudsters are simply asking their unwitting targets to hand over their credentials. Once they have acquired access, the median dwell time for BEC attacks was 38 days, and the average amount stolen was $286,000.
Attackers follow the money when it comes to targeting industries; however, many attackers are opportunistic, simply scanning the internet in search of systems where they can leverage known vulnerabilities. Unit 42 identified the top affected industries in incident response cases as finance, professional and legal services, manufacturing, healthcare, high tech, wholesale and retail. Organisations within these industries tend to store, transmit and process high volumes of sensitive information that can be monetised. This attracts threat actors and lure hackers.
Statistics from IR case report that cyber-attackers don’t want you to know:
- The top three initial access vectors used by threat actors were phishing, exploitation of known software vulnerabilities and brute-force credential attacks focused primarily on remote desktop protocol (RDP). Combined, these attack vectors make up 77% of the suspected root causes for intrusions.
- ProxyShell, which is an attack chain that exploits known vulnerabilities in Microsoft Exchange, accounted for more than half of all vulnerabilities exploited for initial access at 55%, followed by Log4J (14%), SonicWall (7%), ProxyLogon (5%) and Zoho ManageEngine ADSelfService Plus (4%).
- In half of all IR cases, organisations lack multi factor authentication on critical internet-facing systems, such as corporate webmail, virtual private network (VPN) solutions or other remote access solutions.
- In 13% of cases, organisations had no mitigations in place to ensure account lockout for brute-force credential attacks.
- In 28% of cases, having poor patch management procedures contributed to threat actor success.
- In 44% of cases, organisations did not have an endpoint detection and response (EDR) or extended detection and response (XDR) security solution, or it was not fully deployed on the initially impacted systems to detect and respond to malicious activities.
- 75% of insider threat cases involved a former employee
By consulting security experts with deep and real experiences, can organisations better understand how to contain, remediate and eradicate the problems effectively with the right set of tools and methods.