Ransomware and business email compromise (BEC) attacks accounted for 60% of all incidents in the second quarter of 2024, according to a Cisco Talos report.
Technology was the most targeted sector in this period, making up 24% of incidents, a 30% rise on the previous quarter. The researchers said that attackers may view technology companies as a gateway into other industries and organizations, given their role in servicing a wide range of other industries, including critical infrastructure.
The next most frequently targeted sectors in Q2 were retail, healthcare, pharmaceuticals and education.
The most common initial access method was the use of compromised credentials on valid accounts, making up 60% of attacks. This represents a 25% rise on the previous quarter.
The joint most observed security weaknesses seen by Cisco Talos in Q2 2024 were vulnerable or misconfigured systems and a lack of proper MFA implementation, each up by 46% on the previous quarter.
Ransomware Trends
Ransomware made up 30% of the Cisco Talos Incident Response (Talos IR) team's engagements over this period, representing a 22% increase compared to Q1 2024.
The report detailed responses to attacks carried out by a range of ransomware groups, many of whom deployed novel tactics to compromise targets, including the use of legitimate tools to maintain persistence and pursue lateral movement. These included:
- Underground Team: In this incident, the threat actor leveraged Secure Shell (SSH) to move laterally within the environment, and strategically reactivated certain Active Directory user accounts that had previously been disabled. During the engagement, the attackers sent harassing messages to employees' personal emails as a means of coercing the victims to respond to their demands.
- BlackSuit: This threat actor gained access with valid credentials via a VPN that was not protected by MFA. Persistence was established by deploying the remote administration tool AnyDesk in the environment, as well as Cobalt Strike. The attackers also leveraged living-off-the-land binaries (LoLBins) like PsExec and the Windows Management Instrumentation command line (WMIC) to move laterally across the network.
- Black Basta: In this case, adversaries gained initial access using compromised credentials on a valid RDP account that was not protected with MFA. The attackers used remote PowerShell execution to start a shell on remote systems, and leveraged the open-source command line tool Rclone to facilitate data exfiltration.
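The three engagements above share a pattern: legitimate tooling (PsExec, WMIC, remote PowerShell, Rclone, AnyDesk) and routine directory changes (re-enabling a dormant account) that each look benign in isolation. The following is an added example, not code from the report or from Cisco Talos, showing how those behaviours surface in standard Windows event records: 4722 (user account enabled), 7045 (new service installed, which is how PsExec lands PSEXESVC on a target) and 4688 (process creation, where a parent of wsmprovhost.exe marks a WinRM/remote PowerShell session). The event records, hostnames, usernames and the baseline of disabled accounts are all constructed for illustration.

```python
"""Triage constructed Windows event records for the living-off-the-land
behaviours described above. Every record and name here is invented."""

# Field names follow the EventData names used in Windows Security/System events.
# These sample records are constructed for the example, not from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 4722, "Computer": "dc01", "SubjectUserName": "svc_backup",
     "TargetUserName": "jdoe_old"},
    {"EventID": 4688, "Computer": "fs02", "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic /node:fs03 process call create "cmd.exe /c whoami"'},
    {"EventID": 7045, "Computer": "fs03", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "fs03", "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem D:\\Finance"},
    {"EventID": 4688, "Computer": "fs03", "SubjectUserName": "admin",
     "NewProcessName": r"C:\ProgramData\rclone.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "rclone.exe copy D:\\Finance mega:backup -q --transfers 32"},
    {"EventID": 4688, "Computer": "ws11", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# Hypothetical baseline: accounts the organisation disabled and expects to stay disabled
# (in practice this comes from the directory or a leaver process, not a literal).
DISABLED_BASELINE = {"jdoe_old", "contractor7"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events, disabled_baseline):
    """Return (rule, host, detail) findings, one per matching event."""
    findings = []
    for e in events:
        eid, host = e.get("EventID"), e.get("Computer", "?")
        if eid == 4722 and e.get("TargetUserName") in disabled_baseline:
            # A previously disabled account was re-enabled (Underground Team tactic).
            findings.append(("reactivated_disabled_account", host,
                             f"{e.get('SubjectUserName')} enabled {e['TargetUserName']}"))
        elif eid == 7045 and ("psexesvc" in e.get("ServiceName", "").lower()
                              or "psexesvc" in e.get("ImagePath", "").lower()):
            # PsExec installs its PSEXESVC service on the remote host.
            findings.append(("psexec_service_install", host, e.get("ServiceName")))
        elif eid == 4688:
            proc = _base(e.get("NewProcessName", ""))
            parent = _base(e.get("ParentProcessName", ""))
            cmd = e.get("CommandLine", "").lower()
            if proc == "wmic.exe" and "process call create" in cmd:
                # WMIC remote process creation, logged on the source host.
                findings.append(("wmic_remote_exec", host, e["CommandLine"]))
            elif parent == "wsmprovhost.exe":
                # Child of the WinRM host process: a remote PowerShell session.
                findings.append(("remote_powershell_session", host, proc))
            elif proc in ("rclone.exe", "anydesk.exe"):
                # Exfiltration / remote-admin tooling not expected on this host.
                findings.append(("suspect_tool", host,
                                 f"{proc}: {e.get('CommandLine', '')}"))
    return findings


def rules_hit(events=SAMPLE_EVENTS, baseline=DISABLED_BASELINE):
    """Sorted distinct rule names triggered by the given events."""
    return sorted({f[0] for f in triage(events, baseline)})


if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_EVENTS, DISABLED_BASELINE):
        print(f"[{rule}] {host}: {detail}")
```

The notepad record is included deliberately: it passes through every branch untouched, which is the behaviour you want from 4688 logic that will see millions of ordinary process starts. The `anydesk.exe` match should be scoped to hosts where the tool is not sanctioned; on an estate that uses AnyDesk legitimately, match on installation outside the expected path instead.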
Cisco Talos noted that in 80% of ransomware engagements in Q2 2024, proper MFA implementation on critical systems, such as VPNs, was lacking, making initial access easier.
BEC Trends
BEC attacks also made up 30% of incidents Cisco Talos engaged with from April to June 2024. This marks a fall from Q1 2024, when they made up 50% of attacks.
BEC attacks involve threat actors compromising legitimate business email accounts and using them to send phishing emails to obtain sensitive information, such as account credentials, or to send emails with fraudulent financial requests.
The researchers observed a range of techniques used to compromise business email accounts and launch BEC attacks. These included:
- Smishing attacks, where attackers sent targets fraudulent text messages to trick recipients into sharing personal information or clicking on malicious links to compromise their login credentials
- In one case, a phishing email was sent to an employee's personal email address, redirecting them to a fake login page. The user was sent an MFA push notification and accepted it, granting the attackers access
- In another cluster of activity, after accessing a user's email account, the attackers created Microsoft Outlook mailbox rules to send emails to a folder named "deleted" before using the compromised account to send out over a thousand phishing emails to internal and external recipients.
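The last case leaves two distinct traces in Microsoft 365 audit data: an inbox rule created to hide replies and bounces (the "deleted" folder), then a burst of outbound mail from one mailbox. The following is an added example, not code from the report or from Cisco Talos, that applies both checks to records shaped like Unified Audit Log entries (an `Operation` of `New-InboxRule` or `Set-InboxRule` carries the rule's cmdlet parameters as `Name`/`Value` pairs; mailbox `Send` operations carry a `CreationTime`). The mailbox names, IPs, timestamps and the burst threshold are constructed for illustration, and the folder list is a starting point, not an exhaustive one.

```python
"""Flag hiding inbox rules and outbound send bursts in records shaped like
Microsoft 365 Unified Audit Log entries. All records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Folders attackers commonly use to hide replies, bounces and alerts from the
# mailbox owner. Illustrative list; extend from your own tenant's naming.
HIDE_FOLDERS = {"deleted", "deleted items", "rss feeds", "rss subscriptions",
                "archive", "junk email", "conversation history"}


def _params(rec):
    """Inbox-rule cmdlet parameters as a lower-cased name -> string value map."""
    return {p["Name"].lower(): str(p.get("Value", "")) for p in rec.get("Parameters", [])}


def suspicious_rules(records):
    """Return (user, rule name, reasons, client IP) for rules that hide or divert mail."""
    out = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(r)
        folder = p.get("movetofolder", "").strip().lower()
        reasons = []
        if folder in HIDE_FOLDERS:
            reasons.append(f"moves mail to '{folder}'")
        if p.get("deletemessage", "").lower() == "true":
            reasons.append("deletes mail")
        if p.get("markasread", "").lower() == "true":
            reasons.append("marks mail as read")
        if p.get("forwardto") or p.get("redirectto") or p.get("forwardasattachmentto"):
            reasons.append("forwards or redirects mail")
        if reasons:
            out.append((r["UserId"], p.get("name", ""), reasons, r.get("ClientIP")))
    return out


def send_bursts(records, window=timedelta(minutes=10), threshold=50):
    """Map user -> largest number of Send operations inside any sliding window
    of `window`, for users who reach `threshold` in at least one window."""
    times = defaultdict(list)
    for r in records:
        if r.get("Operation") == "Send":
            times[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    bursts = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


# Constructed sample records (hypothetical tenant, users and addresses).
def _rule(user, name, ip, **params):
    return {"Operation": "New-InboxRule", "UserId": user, "ClientIP": ip,
            "CreationTime": "2024-05-14T08:58:10",
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


def _sends(user, start, n, step_s):
    t0 = datetime.fromisoformat(start)
    return [{"Operation": "Send", "UserId": user,
             "CreationTime": (t0 + timedelta(seconds=i * step_s)).isoformat()}
            for i in range(n)]


SAMPLE = [
    # Attacker-created rule: unnamed, moves everything to "deleted", marks read.
    _rule("alice@example.com", ".", "203.0.113.7",
          MoveToFolder="deleted", MarkAsRead="True", StopProcessingRules="True"),
    # Benign rule the mailbox owner made.
    _rule("bob@example.com", "Project mail", "198.51.100.4", MoveToFolder="Projects"),
    # 60 messages in five minutes from the compromised mailbox, 3 over 30 min from bob.
    *_sends("alice@example.com", "2024-05-14T09:00:00", 60, 5),
    *_sends("bob@example.com", "2024-05-14T09:00:00", 3, 600),
]

if __name__ == "__main__":
    for user, name, reasons, ip in suspicious_rules(SAMPLE):
        print(f"rule {name!r} on {user} from {ip}: {', '.join(reasons)}")
    for user, n in send_bursts(SAMPLE).items():
        print(f"{user}: {n} sends within a 10 minute window")
```

Correlating the two is the useful step: a hiding rule created minutes before a send burst, from a client IP the user has never signed in from, is a much stronger signal than either alone. Note that rules created from the Outlook desktop client can be logged as `UpdateInboxRules` with a different parameter layout, so production logic needs a second parser for that operation.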