Ransomware The Most Pressing Security Issue Worldwide: Cisco Talos

According to the latest quarterly Trends report by Cisco Talos, ransomware was back on top as the #1 cyber threat in 2023, with education and manufacturing tied as the most targeted verticals, “accounting for nearly 50% … of incident response engagements, closely followed by healthcare and public administration.”

The company’s findings say ransomware rose significantly in Q4 2023, with the education sector now one of the biggest targets.

Ransomware and pre-ransomware activity together accounted for more than 28% of all Cisco Talos Incident Response engagements, a 17% rise compared to the third quarter of the year.

Initial access:
Compromised credentials on valid accounts and exploitation of public-facing applications accounted for 28% of access methods, with phishing a close second. Phishing attacks using malicious links and QR codes that lead to fake login sites were the most widely seen.

Security weaknesses:
Researchers report that “a lack of MFA or proper MFA implementation” and “misconfigured or unpatched systems” together accounted for fully 36% of all attacks responded to.

These were, in the report’s words, “attacks that could have been prevented if MFA was enabled on critical services, such as RDP.”

Stephen Gates, Principal Security SME, Horizon3.ai:

   “From what I observe (and through no fault of their own), when journalists hear that someone got ransomed, the community tends to jump on the “it must have been some super-special malware” bandwagon. However, the vast majority of human-operated, ransom-based attacks have little if anything to do with “malware”. Instead, the real cause of the problem is easily compromised and reused credentials, effortlessly discovered and unprotected data, software and hardware misconfigurations, unpatched yet fully known software vulnerabilities, poorly implemented security controls, and weak and/or unenforceable security policies. These issues are the primary cause of attackers gaining access and maintaining footholds in someone’s networks.

   “Once attackers gain a foothold, administrative access is next obtained (think domain admin). Then attackers proceed with their objectives of exfiltrating your data, encrypting your data, proving they have your data, sabotaging your backup/recovery processes, and telling you to pay up to get your data back. If you don’t pay their initial ransom demands, they effectively take your entire enterprise offline by either crashing your systems (since they have admin access) or making it impossible to recover your data on your own. This is Big Game hunting that can generate extremely high payouts. That is why it is the most pressing security issue worldwide – and rightfully so.”

Those in education who want to learn more about what human-operated, ransom-based attacks are all about should consider reading this paper.

Steve Hahn, Executive VP, BullWall, had this comment:

   “Companies must keep their systems up to date with the latest security patches, use strong and complex passwords, implement MFA, maintain regular backups of critical data and also consider implementing a rapid containment strategy. Ransomware Containment tools are becoming a critical part of this overall strategy.”

Mark Campbell, Sr. Director, Cigent adds this comment:

   “It is not surprising to see Education and Manufacturing at the top of the list for ransomware targets. Both verticals often operate legacy operational infrastructure and lack adequate cybersecurity controls. The combination of their interconnected systems and a general lack of cybersecurity awareness among staff make them ideal targets for attackers.

   “Once inside, the attackers can move laterally to gain additional access to strategic systems to exfiltrate data and execute ransomware. Stopping initial access is the single most effective cybersecurity measure, and MFA is a proven, cost-effective control to thwart initial access. And, in most cases, it can be implemented on top of existing systems using their users’ phones.”

Troy Batterberry, CEO and Founder, EchoMark, follows with this:

   “Threats to our critical infrastructure and attacks on education, manufacturing, healthcare, and public administration sectors emphasize the need for greater attention to cybersecurity. The fact that nearly one-third of successful adversary access methods were through compromised credentials and the exploitation of public-facing applications is a clear call for organizations to reinforce their frontline defenses and enforce strict security measures such as MFA and other password policies.

   “However, these security changes aren’t enough on their own. Employees must be trained to recognize and respond appropriately to threats, especially as it relates to their roles and responsibilities within their organization. These are not just technical measures but fundamental aspects of an organization’s security culture. If companies desire to empower their people to work effectively, there must be protective measures in place to safeguard intellectual property, devices, accounts, and any other areas that employees can access and manage, to enable the secure flow of information.”

MFA, or better yet a passwordless solution, is a great way to secure your network. Not having one of these systems, or having one but not ensuring it is properly configured, is a sure route to getting pwned.

Discover more from The IT Nerd