Kroll has released the results of its Q4 Threat Landscape Report.
The report found the quarter was characterized by a 356 per cent growth, compared to Q3, in the number of attacks where the initial infection vector was a CVE or zero-day vulnerability. This shows that attackers are becoming more adept at exploiting vulnerabilities, in some cases leveraging them on the same day that a proof-of-concept exploit appeared.
Law enforcement disrupted a significant amount of cybercrime in the quarter, according to the report. REvil suffered a takedown, there were arrests made around the Kaseya exploitation, and BlackMatter was closed alongside several dark web markets. In total, six key cyber criminal groups exited in the fourth quarter of 2021. Consequently, there was a spike in new extortion sites and new ransomware variants as cyber criminals adapted and regrouped following law enforcement action.
Other findings of note included:
- Despite a 12-point reduction compared to the previous quarter, phishing remained the most common infection vector, responsible for 39 per cent of all suspected initial access methods during the final quarter of 2021.
- Kroll saw a slight drop in the number of ransomware attacks in Q4, but ransomware remained the most popular attack type, accounting for 40 per cent of all threats in the quarter. Conti and LockBit were the top ransomware variants observed. Splinter ransomware groups are emerging, in some cases selling their initial access on to other groups.
- The professional services sector was the most targeted, followed by technology/telecom, healthcare, manufacturing, financial services and education.
Keith Wojcieszek, Managing Director for Cyber Risk at Kroll, says: “It is no surprise that phishing and ransomware were heavily featured in the quarterly Kroll Threat Landscape Report, but the extent of regrouping and reattacking done by cyber criminal groups was unusual. While law enforcement made significant headway in disrupting attackers, the fact that we saw new ransomware variations and extortion sites, combined with splinter ransomware groups, demonstrates the agile operations and malicious intent of these criminal groups. Add this to the higher number of software vulnerabilities being exploited by ransomware operators and the speed at which they are compromised, and it underlines the importance of legislative action against attackers to take them out of operation completely.
“Above all, organisations must be able to identify gaps in their security posture, be able to quickly detect threats and confidently respond to those that do make it through. When you consider the speed with which attackers are exploiting vulnerabilities and the extent of patching that needs to be done by security teams, taking six months to test a patch until you’re comfortable to deploy is simply risky. By further verifying these security measures through vulnerability assessments and red team exercises, true resilience can be tested and assured.”