Ransomware and business email compromise (BEC) attacks accounted for 60% of all incidents in the second quarter of 2024, according to a Cisco Talos report.
Technology was the most targeted sector in this period, making up 24% of incidents – a 30% rise on the previous quarter. The researchers said that attackers may view technology firms as a gateway into other industries and organizations, given their role in servicing a range of other industries, including critical infrastructure.
The next most frequently targeted sectors in Q2 were retail, healthcare, pharmaceuticals and education.
The most common initial access method was the use of compromised credentials on valid accounts, making up 60% of attacks. This represents a 25% rise on the previous quarter.
The joint most observed security weaknesses observed by Cisco Talos in Q2 2024 were vulnerable or misconfigured systems and a lack of proper MFA implementation, both up by 46% on the previous quarter.
Ransomware Trends
Ransomware made up 30% of the Cisco Talos Incident Response (Talos IR) team’s engagement over this period, representing a 22% increase compared to Q1 2024.
The report detailed responses to attacks conducted by a range of ransomware groups, many of whom deployed novel tactics to compromise targets, including the use of valid tools to maintain persistence and pursue lateral movement. These included:
- Underground Team: In this incident, the threat actor leveraged Secure Shell (SSH) to move laterally in the environment, and strategically reactivated certain Active Directory user accounts that had been previously disabled. During the engagement, the attackers sent harassing messages to employees’ personal emails, as a means of coercing the victims to respond to their demands.
- BlackSuit: This threat actor gained access with valid credentials through a VPN that was not protected by MFA. Persistence was established by deploying the remote management tool AnyDesk in the environment, as well as Cobalt Strike. The attackers also leveraged living-off-the-land binaries (LoLBins) like PsExec and the Windows Management Instrumentation command line (WMIC) to move laterally across the network.
- Black Basta: In this case, adversaries gained initial access using compromised credentials on a valid RDP account that was not protected with MFA. The attackers used remote PowerShell execution to start a shell on remote systems, and leveraged the open-source command line tool Rclone to facilitate data exfiltration.
Read now: Ransomware Groups Prioritize Defense Evasion for Data Exfiltration
Cisco Talos noted that in 80% of ransomware engagements in Q2 2024, proper MFA implementation on critical systems, such as VPNs, was lacking, making initial access easier.
BEC Trends
BEC attacks also made up 30% of incidents Cisco Talos engaged with from April to June 2024. This marks a fall from Q1 2024, when it made up 50% of attacks.
BEC attacks involve threat actors’ compromising legitimate business email accounts and using them to send phishing emails to obtain sensitive information, such as account credentials, and sending emails with fraudulent financial requests.
The researchers observed a range of techniques used to compromise business email accounts and launch BEC attacks. These included:
- Smishing attacks, where attackers sent targets fraudulent text messages to trick recipients into sharing personal information or clicking on malicious links to compromise their log in credentials
- In one case, a phishing email was sent to an employee’s personal email address, redirecting them to a fake login page. The user was sent an MFA push notification and accepted it, granting the attackers access
- In another cluster of activity, after accessing a user’s email account, the attackers created Microsoft Outlook mailbox rules to send emails to a folder named “deleted” before using the compromised account to send out over a thousand phishing emails to internal and external recipients.