Features 26.10.2023
Five-Minute Snapshot: What You Need to Know About the SecureWorks State of the Threat Report
Top trends include ransomware, nation-state attacks and business email compromise
Cyber attack methods are constantly evolving, so it’s fair to say that keeping up with new trends is an exhausting task. That’s where analysis such as the SecureWorks State of The Threat Report – which provides an overview of the biggest threats to businesses – can help.
But reading and digesting the complex data in the 70-page report is a lengthy job, so Assured Intelligence has taken one for the team. According to the State of the Threat Report, here’s a condensed version of what you need to know about the threats your business faces and the adversaries doing the most damage.
The report analyses how cybersecurity threats have evolved over the last 12 months. Now in its seventh year, the latest report covers June 2022 to July 2023.
The devil is very much in the detail, with insights gathered by researchers in the SecureWorks Counter Threat Unit (CTU) covering adversary tooling and behaviour, as well as the team’s experience of real-life incidents.
This year, trends have been heavily influenced by global geopolitical tensions, including the Russia-Ukraine war. Attackers also take advantage of unpatched software holes, with new and well-established cyber criminals continuing to cause havoc.
This could be the most prolific year for ransomware attacks to date, and that’s saying something. According to the report, attack numbers returned to and exceeded historical norms after slowing last year following Russia’s invasion of Ukraine.
Average dwell time – in other words, how long an attacker is in an organisation’s systems – has fallen between initial access and ransomware payload delivery to a median figure of just 24 hours. A year ago, that stat was four and a half days. In just over 10% of cases, ransomware was deployed rapidly within five hours after initial access.
This is significant because it gives firms less time to discover attacks and respond. “It’s a smaller window for network defenders to detect malicious activity and take decisive action to disrupt it,” says Rafe Pilling, director of threat research at SecureWorks CTU.
According to Pilling, it also reflects that adversaries are not spending so much time “deeply compromising” an organisation before deploying ransomware. “The criminal actors may be calculating that even smaller disruptions coupled with data extortion provide sufficient leverage to make money,” he warns.
Overall, ransomware attacks have become less complex, making them more accessible to criminals of all abilities. This is partly due to so-called ransomware-as-a-service (RaaS), the out-of-the-box solution that can be procured in dark markets in the same way cloud SaaS can be purchased in the business world.
The SecureWorks State of The Threat Report lists the nation-state attackers that businesses should be aware of: China, Russia, Iran and North Korea. Russia’s primary focus is the war in Ukraine; North Korea’s aim is cryptocurrency theft; Iran wants to suppress its opposition; and China’s target is cyber espionage, according to the report.
However, regional focus is starting to shift, particularly in China. This is mainly due to territorial disputes and trade relations, particularly the Belt and Road Initiative – a strategy adopted by the Chinese government in 2013 whereby it invests in 150 countries and international organisations.
In some cases, the shift towards targeting certain regions has been driven by international conflicts such as Russia’s invasion of Ukraine, says Marc Burnard, senior security researcher at SecureWorks CTU. “Alongside maintaining a situational awareness of the Russian invasion, China wants to learn from challenges faced by Russia and the international response in case it moves to invade Taiwan.”
Another interesting development has seen Russian cyber attackers leverage third-party cloud services, including Notion and Mockbin, in targeted spear phishing campaigns. “These services are attractive as they tend to offer free or low-cost API services which can be coded into custom loaders and backdoors,” says Tony Adams, senior security researcher at SecureWorks CTU.
He warns that these legitimate services blend in with user traffic and bypass security filters.
Another threat that businesses must not lose sight of is supply chain attacks, where adversaries compromise the weakest link in the chain to gain “maximum impact for effort expended”, the report says. It outlines how, in April 2023, an attack on trading platform X_Trader allowed adversaries to access a second supply chain at the 3CX communications software firm.
Business email compromise (BEC) is also something to be wary of: the report calls this targeted email phishing attack “one of the most financially damaging online crimes overall”.
Meanwhile, the SecureWorks report found an increase in the use of infostealers, a type of malware that can steal sensitive information such as login credentials and financial details from compromised computers and networks.
At the same time, the report has made a clear case for patching systems in a timely fashion. It found that adversaries are happily taking advantage of software holes to compromise firms of all sizes – and some of these vulnerabilities were fixed by vendors a year or more ago.
The report highlights a growing threat from artificial intelligence (AI) – although it counters that it’s not yet a priority. SecureWorks says the reality is much less scary because of the “abundance of sensationalist headlines and hyperbole” around ChatGPT and AI. Today, the most common malicious use of ChatGPT is to help compose the phishing emails used to encourage your employees to click on a malicious link or download a malware-ridden attachment.
However, researchers and adversaries are experimenting with malware that leverages ChatGPT to evade business defences and create code.
Concerningly, many criminal forums contain dedicated sub-forums to discuss AI and machine learning. One forum, XSS, has created an AI Bot called XSSBot, which will answer questions put to it by the forum’s users.
As the report makes clear, staying one step ahead of attackers is a constant battle. What steps can you take as a business to ensure you are as resilient as possible? Everyone knows the basics are important, and the report certainly backs up the fact that patching is vital to protecting your organisation.
In 32% of ransomware cases, the report says that scan-and-exploit – where attackers scan for vulnerable systems before using the flaws as a route in – is how adversaries initially accessed organisations’ systems.
“Exposed vulnerable systems are a risk that should be entirely within a company’s ability to control,” warns Pilling. “Patching known vulnerabilities is a critical activity. Too many organisations do not have a good vulnerability management capability, exposing them to attacks for extended periods.”
He also advises using multi-factor authentication (MFA) – extra layers of security such as biometrics, an authenticator app or a security key in addition to passwords – for all remote access services.
At the same time, training employees is integral. “Raise awareness of cyber attacks with employees and management using examples highlighted in the report,” Pilling says. “Ensure your business is well positioned to rapidly detect and respond to security incidents before they become more serious.”
As far as ransomware goes, businesses that make themselves a “hard target” will be less desirable, says Pilling. “Criminals favour organisations that can easily obtain access, steal data and encrypt systems.”
So there you have it: Don’t forget the basics, train staff, patch everything and be aware of your risks as a business based on threat intelligence data. These things might not stop cyber attacks altogether, but they’ll make it much more difficult for adversaries to access your systems and data.