Construction and transport sector high cyber targets
ReliaQuest, a force multiplier of security operations, has unveiled its Annual Cyber Threat Report. The report is based on data from February 1, 2022 to February 1, 2023 where it remediated 35,000 incidents affecting clients.
The key findings are as follows:
- The construction sector (with an average of 226 incidents annually) is the most targeted by cyber criminals closely followed by transportation (167), wholesale trade (138), manufacturing (116) and retailers (105). These sectors are highly vulnerable to outages which may explain why they are more targeted by criminals.
- The most detected attack technique is the attempted exploitation of exposed remote services, such as virtual private networks (VPNs) and remote desktop protocol (RDP)
- Initial Access Brokers (IAB) provide a route into the above and compromised remote desktop protocol (RDP) is the most commonly advertised on criminal forums with 24.4% of all listings with an average price of $1,000 but can fetch up to $2,700.
- Virtual Private Networks also allow attackers to gain access to organizations and commonly sold for an average of $500. However, these prices can vary by vertical sector with access to banking entities trading on average for $5,500 but can reach as high as $23,000.
- The most common risk alert type is credential exposure – ReliaQuest alerted its customers to over three million exposed credentials over the period. However, marked document exposure, open ports, impersonating domains and subdomains remain a significant issue with approximately 400,000 incidents for each of these risk types remediated over the period.
- Ransomware remains the biggest risk facing business in 2023 – LockBit is overwhelmingly the most active ransomware group and using the SocGholish malware distribution framework is supercharging their efforts to gain access to networks.
Manufacturing sector subject to ransomware attacks
The report reveals a close relationship between IAB listings and organisations subsequently falling victim to ransomware attacks. The manufacturing sector was the most targeted by IABs with 142 listings advertised and also the most claimed by ransomware groups with 614 victims. Similarly, professional, scientific and technical services was ranked second for both with 136 IABs listings versus 464 claimed by ransomware groups.
A trend first observed in 2022 and carrying on in recent months is the use of the SocGholish (aka FakeUpdates) malware distribution framework. This common initial access method deceives individuals into downloading a fake web-browser update which contains an archive file with an embedded SocGholish JavaScript payload. The use of SocGholish is helping criminals by providing a foothold for additional cybercrime groups to follow up after initial access is established.
Mike McPherson, SVP of Technical Operations at ReliaQuest said: “Criminals are using any means at their disposal to infiltrate organisations and the exploitation of remote services continues to be the easiest way in. It’s essential for organizations to adequately monitor and secure these. Merging vulnerability intelligence with security operations is the best way to thwart the most prevalent cyber risks.
McPherson continues: “Ransomware remains the biggest risk facing business in 2023, and the last quarter saw more victims than ever before. Utilizing malware such as SocGholish has made their efforts more potent, which is why keeping abreast of the latest developments in tactics, techniques and procedures (TTPs) of ransomware activity, in addition to tracking groups known to be targeting your sector, is the best way to stay ahead of the curve from this pernicious activity.”
ReliaQuest cyber advice
- Taking a patch-all approach to vulnerability management is an ineffective method of tackling vulnerability risk. Adding vulnerability intelligence can guide security teams in tackling the common vulnerabilities and exposures (CVEs) that represent the greatest chance of causing an impact to businesses. Getting a robust, consistent, and repeatable vulnerability remediation program in place can go a long way in raising overall cyber resilience.
- Vulnerability management platforms discover known vulnerabilities and potential exploits, while breach and attack simulation capabilities highlight configuration weaknesses, detection and prevention gaps, and architectural issues. Organizations should ensure that an effective response and recovery plan is properly evaluated through tabletop exercises and is tested periodically and adjusted as the threat landscape, people, systems and business processes change. By combining threat and vulnerability management, organizations can increase their security confidence and decrease their overall risk.
- Pay attention to email security controls – Initial access malware continues to be delivered through the delivery of phishing emails. Increasing resilience to this form of malware is best accomplished through a combination of email security controls, group policy to minimize the chance of a malicious file being delivered/opened, and user awareness programs.
- Keep abreast of the latest developments in the tactics, techniques and procedures (TTPs) of ransomware activity, in addition to tracking groups known to be targeted targeting your sector, this is the best way to stay ahead of the curve from this pernicious activity.
- Use the trends identified in this report to inform your own threat model and act accordingly. It’s always better to ‘stay left of boom’ and act in a proactive manner. Prevention is always a better approach than remediation.