Phishing emerged as the number one threat vector in 2021, but cases of vulnerability exploitation surged 33% year-on-year thanks to the impact of Log4Shell, according to IBM.
The X-Force Threat Intelligence Index 2022 was compiled from billions of datapoints, including network and endpoint detection devices, incident response engagements and domain name tracking.
It revealed that phishing overtook vulnerability exploitation as the top pathway for compromise globally last year, accounting for 41% of initial access attempts, up from 33% in 2020.
Interestingly, click rates for the average targeted phishing campaign increased around three-fold, from 18% to 53%, when phone phishing (vishing) was also used by threat actors.
In the UK, an estimated 80% of consumers received a scam call or text over the summer of 2021. Regulator Ofcom this week announced new measures which will demand more proactive work from operators to root out the use of spoofed numbers.
IBM highlighted business email compromise (BEC) and ransomware actors as particularly prolific users of phishing during 2021.
Despite dropping into second place, vulnerability exploitation remains a major threat to organizations. The number of incidents using this as an infection vector surged by a third year-on-year in 2021.
“X-Force observed actors leveraging multiple known vulnerabilities, such as CVE-2021-35464 (a Java deserialization vulnerability) and CVE-2019-19781 (a Citrix path traversal flaw), to gain initial access to networks of interest,” the report noted.
“In addition, we observed threat actors leverage zero-day vulnerabilities in major attacks like the Kaseya ransomware attack and Microsoft Exchange Server incidents to access victim networks and devices.”
However, it was the Log4j vulnerability CVE-2021-44228 (aka Log4Shell) that appears to have driven the vector’s rise in popularity in 2021. Despite only being disclosed in December, it was the second-most exploited bug over the whole year, the report claimed.
This echoes findings from Fortinet, which revealed this week that Log4Shell was its most prevalent detection of the entire second half of 2021.
“In less than a month, the Log4j RCE managed nearly 50 times the activity of 2021’s other darling, ProxyLogon, measured by peak 10-day average volume,” it said.