A new study from IBM Security suggests cyberattackers are taking side routes that are less visible, and they are getting much faster at infiltrating perimeters.

The latest annual IBM X-Force Threat Intelligence Index, released today, reported that deployment of backdoor malware, which allows remote access to systems, emerged as the top action by cyberattackers last year. About 67% of those backdoor cases were related to ransomware attempts that were detected by defenders.

The IBM report noted that ransomware declined 4 percentage points between 2021 and 2022, and defenders were more successful at detecting and preventing those attacks. However, cyberattackers have gotten much faster at infiltrating perimeters, with the average time to complete a ransomware attack dropping from two months to less than four days.
Legacy exploits still hanging around and active

Malware that made headlines years ago, while perhaps forgotten, is nowhere near gone, according to the IBM study. For instance, malware infections such as WannaCry and Conficker are still spreading, as vulnerabilities hit a record high in 2022, with cybercriminals having access to more than 78,000 known exploits. All of which makes it easier for hackers to use older, unpatched access points, according to John Hendley, head of strategy for IBM’s X-Force.

“Because cybercriminals have access to these thousands of exploits, they don’t have to invest as much time or money finding new ones; older ones are doing just fine,” said Hendley. “WannaCry is a great example: It’s five years later, and vulnerabilities leading to WannaCry infections are still a significant threat.”

SEE: Recognize the commonalities in ransomware attacks to avoid them (TechRepublic)

He said X-Force has watched WannaCry ransomware traffic jump 800% since April 2022, though the Conficker nuisance worm is perhaps more surprising for its age.

“Conficker is so old that, if it were a person, it would be able to drive this year, but we still see it,” he said. “The activity of these legacy exploits just speaks to the fact that there’s a long way to go.”

Demand for backdoor access reflected in premium pricing

The X-Force Threat Intelligence Index, which tracks trends and attack patterns from data garnered from networks and endpoint devices, incident response engagements and other sources, reported that the uptick in backdoor deployments can be partially attributed to their high market value. X-Force observed threat actors selling existing backdoor access for as much as $10,000, compared to stolen credit card data, which can sell for less than $10.

Hendley said the fact that nearly 70% of backdoor attacks failed, thanks to defenders disrupting the backdoor before ransomware was deployed, shows that the shift toward detection and response is paying off.

“But it comes with a caveat: It’s temporary. Offense and defense is a cat-and-mouse game, and once adversaries innovate and adjust tactics and procedures to evade detection, we would expect a drop in failure rate; they are always innovating,” he added, noting that in less than three years attackers increased their speed by 95%. “They can do 15 ransomware attacks now in the time it took to complete one.”

Industry, energy and email thread hijacking are standouts

The IBM study cited various notable trends, including that political unrest in Europe is driving attacks on industry there, and that attackers everywhere are increasing efforts to use email threads as an attack surface.

- Extortion through BECs and ransomware was the goal of most cyberattacks in 2022, with Europe being the most targeted region, representing 44% of extortion cases IBM observed. Manufacturing was the most extorted industry for the second consecutive year.
- Thread hijacking: Subterfuge of email threads doubled last year, with attackers using compromised email accounts to reply within ongoing conversations, posing as the original participant. X-Force found that over the past year attackers used this tactic to deliver Emotet, Qakbot and IcedID, malicious software that often results in ransomware infections.
- Exploit research lagging vulnerabilities: The ratio of known exploits to vulnerabilities has been declining over the last few years, down 10 percentage points since 2018.
- Credit card data fades: The number of phishing exploits targeting credit card information dropped 52% in one year, indicating that attackers are prioritizing personally identifiable information such as names, emails and home addresses, which can be sold for a higher price on the dark web or used to conduct further operations.
- Energy attacks hit North America: The energy sector held its spot as the 4th most attacked industry last year, with North American energy organizations accounting for 46% of all energy attacks, a 25% increase from 2021.
- Asia accounted for nearly one-third of all attacks that IBM X-Force responded to in 2022.

Hendley said email thread hijacking is a particularly pernicious exploit, and one quite likely fueled last year by trends favoring remote work.

“We observed the monthly thread hijacking attempts increase 100% versus 2021,” he said, pointing out that these are broadly similar to impersonation attacks, where scammers create cloned profiles and use them for deceptive ends.

“But what makes thread hijacking specifically so dangerous is that attackers are hitting people when their defenses are down, because that first level of trust has already been established between the people, so that attack can create a domino effect of potential victims once a threat actor has been able to gain access.”

3 tips for security admins

Hendley suggested three general principles for enterprise defenders.

- Assume breach: Proactively go out and hunt for indicators of compromise. Assuming the threat actor is already active in the environment makes it easier to find them.
- Enable least privilege: Limit IT administrative access to those who explicitly need it for their job role.
- Explicitly verify who and what is inside your network at all times.

He added that when organizations follow these general principles, they will make it a lot harder for threat actors to gain initial access, and if they do gain access, they will have a harder time moving laterally to achieve their objective.

SEE: New cybersecurity data reveals persistent social engineering vulnerabilities (TechRepublic)

“And if, in the process, they have to take a longer amount of time, it will be easier for defenders to find them before they are able to cause damage,” Hendley said. “It’s a mindset shift: Instead of saying, ‘We’re going to keep everyone out, nobody’s going to get in,’ we are going to say, ‘Well, let’s assume they are already in and, if they are, how do we handle that?’”