The latest report, Cisco Talos Incident Response Trends Q3 2024, examining network security breaches in the third quarter of 2024, indicates that identity-related attacks were the most popular in recent months, with credential theft being the main target in every fourth recorded attack. The sectors most affected by the attacks were education, industrial production, and financial services – attacks on organizations operating in these areas accounted for over 30% of all incidents observed by Cisco Talos.
Identity-based attacks are particularly dangerous because they often occur within the system using compromised accounts, making them difficult to detect. Once an account is taken over, the attacker can take a number of malicious actions, such as creating new accounts, escalating privileges to gain access to more sensitive information, or conducting social engineering attacks, such as business email compromise (BEC), targeting other network users. Therefore, it is crucial that companies regularly monitor their systems and implement security measures to prevent such attacks.
In the third quarter of 2024, as many as 25% of incidents related to password spraying and/or brute force attacks. The first type of attack involves trying to access multiple accounts by using a small number of common passwords – e.g. “123456,” whereas brute force is a method of attack where all possible password or encryption key combinations are systematically checked to gain access to a protected resource.
The Cisco Talos team also observed Adversary-in-the-Middle (AitM) phishing attacks. AitM phishing attacks are an advanced form of phishing, where cybercriminals use a middleman server to intercept credentials and user sessions in real-time. In classic phishing, the user is tricked and provides their login data on a fake page. In an Aitm attack, the criminal, using an external server, becomes the “middleman” between the user and the real website. This allows them not only to intercept usernames and passwords but also session tokens or one-time codes used for two-factor authentication (2FA).
Ransomware attacks, pre-ransomware, and extortion involving data theft constituted almost 40% of the incidents reported in the past quarter. The Cisco Talos team first observed RansomHub, RCRU64, and DragonForce ransomware variants, as well as those already well-known to the group: BlackByte, Cerber, and BlackSuit. One-third of the attacks involved exploiting known vulnerabilities, such as the ESXi hypervisor vulnerability observed in a BlackByte ransomware attack.
Despite the continually emerging new ransomware groups, those already operating for some time still pose a serious threat. Cisco Talos recorded the activity of the RansomHub group in two separate incidents where different extortion models were used: double extortion and data theft-related extortion. In the case of data theft-related extortion, the perpetrators threatened to reveal stolen information without using ransomware or encryption. Whereas, in the double extortion model, they deployed ransomware, encrypted data, and stole it to demand a ransom.
For the fourth consecutive time within the past year, the most commonly observed method of gaining initial access was through exploiting valid accounts (66% of incidents). This is a slight increase from the previous quarter (60%). Also, 20% of Cisco Talos interventions concerned incidents where vulnerable and publicly accessible applications were used. Cisco Talos experts anticipate that network equipment will continue to be an attractive target due to the large attack surface it offers and potential network access to victims. This information again highlights the need for regular system updates, especially for devices exposed to network attacks.
A significant number of compromises could still be avoided by implementing basic security principles, such as MFA and proper configuration of threat detection products on endpoints. In nearly 40% of incidents, the main cause of breaches was poorly configured MFA, its lack, or bypassing. Additionally, in all Cisco Talos interventions following phishing attacks, it turned out that MFA was bypassed or not fully enabled, while in over 20% of ransomware incidents, MFA was not activated on VPNs.
The Cisco Talos report emphasizes that identity attacks are still a serious threat, especially in the education, industrial production, and financial services sectors. Many of the detected incidents could have been minimized by implementing effective security practices, such as MFA and proper system configuration. Therefore, regular monitoring and security updates are key to protecting against these types of attacks in the future.
Source: https://managerplus.pl/raport-cisco-talos-q3-2024-kradziez-tozsamosci-i-ransomware-na-szczycie-incydentow-61471