Data, technology and insight provider Kroll on Wednesday delivered its Q4 2021 Threat Landscape report, tracking the most common cyberattack vectors and the results of successful attacks at the end of last year. The report reinforces what hopefully has become common wisdom by now: the value of teaching your employees how to recognize phishing attempts.
Phishing, trying to fool someone into clicking a download link and creating an opportunity for bad actors to upload malware onto a system, is only one of six initial access vectors (read: first point of attack) tracked in the report. It was the highest reported initial access vector in Q3 at 51% and again in Q4 at 39%.
One particularly nasty phishing technique, described in the Wednesday afternoon webinar in which Kroll presented the report, involved bogus emails informing employees they had been terminated, with all relevant information included in an attached Excel spreadsheet. This was actually a campaign to spread Dridex malware, which steals information from infected computers.
Kroll also noticed in Q4 2021 a new email hijacking campaign that could make phishing emails difficult to detect with just a casual glance. Cyberattackers figured out how to retrieve spam emails and send responses to them using the Microsoft Exchange API. Because the replies were technically coming from the organization's own internal servers, they were effectively camouflaged, even when the original emails had been relegated to spam folders.
“The danger here is from a detection perspective,” says Keith Wojcieszek, managing director for Kroll’s cyber risk practice. “On the client side, there were no indicators of compromise of malicious activity to alert them of this activity. For the organization receiving the emails, the incoming email does not look suspicious because it is coming from the domain of a trusted entity and is responding to a legacy email thread. It is likely to evade a spam filter and looks like a legitimate email.”
“Further to this, because emails sent internally are typically subject to fewer security checks than those coming from an external sender, they allow an attacker to generate lateral movement to other endpoints on the network with very little effort,” says Wojcieszek.
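The pattern Wojcieszek describes, an internal mailbox replying to mail that the organization's own filters had already sent to a junk folder, is one that a defender can hunt for in message-tracking data. The following is an added example written for this article, not code from Kroll or from Microsoft; the record fields (direction, mailbox, Message-ID, In-Reply-To, delivery folder) are assumptions about what an Exchange message trace or mail-gateway log exposes, and the sample events are constructed.

```python
"""Hunt for outbound replies whose parent message was delivered to a junk folder.

Constructed sample data, not Kroll's telemetry. Each MailEvent is a simplified
message-tracking entry; the field names are assumptions about what a mail
gateway or Exchange message trace would provide.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class MailEvent:
    direction: str                      # "inbound" or "outbound"
    mailbox: str                        # internal mailbox involved
    message_id: str                     # RFC 5322 Message-ID of this message
    folder: Optional[str] = None        # delivery folder for inbound mail
    in_reply_to: Optional[str] = None   # parent Message-ID for outbound replies


# Constructed sample: two junk-foldered messages later receive "replies" from
# the internal mailboxes they were delivered to; one ordinary reply for contrast.
SAMPLE_EVENTS: List[MailEvent] = [
    MailEvent("inbound", "alice@corp.example", "<spam-1@mail.example>", folder="Junk Email"),
    MailEvent("inbound", "alice@corp.example", "<invoice-7@partner.example>", folder="Inbox"),
    MailEvent("outbound", "alice@corp.example", "<r1@corp.example>",
              in_reply_to="<invoice-7@partner.example>"),   # normal reply to inbox mail
    MailEvent("outbound", "alice@corp.example", "<r2@corp.example>",
              in_reply_to="<spam-1@mail.example>"),         # reply to junk-foldered mail
    MailEvent("inbound", "bob@corp.example", "<spam-2@mail.example>", folder="Junk Email"),
    MailEvent("outbound", "bob@corp.example", "<r3@corp.example>",
              in_reply_to="<spam-2@mail.example>"),
    MailEvent("outbound", "bob@corp.example", "<r4@corp.example>",
              in_reply_to="<spam-2@mail.example>"),         # same junk thread replied to twice
    MailEvent("outbound", "carol@corp.example", "<r5@corp.example>",
              in_reply_to="<unknown@x.example>"),           # parent not seen: not flagged
]

# Folder names treated as junk/spam; adjust to the names your tenant uses.
JUNK_FOLDERS = {"junk email", "junk", "spam"}


def find_replies_to_junk(events: Iterable[MailEvent]) -> List[MailEvent]:
    """Return outbound messages that reply to a message delivered to a junk folder."""
    events = list(events)
    junk_ids = {
        e.message_id
        for e in events
        if e.direction == "inbound" and e.folder and e.folder.lower() in JUNK_FOLDERS
    }
    return [
        e for e in events
        if e.direction == "outbound" and e.in_reply_to is not None and e.in_reply_to in junk_ids
    ]


def mailboxes_over_threshold(hits: Iterable[MailEvent], threshold: int = 1) -> Dict[str, int]:
    """Count flagged replies per mailbox; mailboxes at or above threshold are leads."""
    per_mailbox: Dict[str, int] = defaultdict(int)
    for h in hits:
        per_mailbox[h.mailbox] += 1
    return {m: n for m, n in per_mailbox.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_replies_to_junk(SAMPLE_EVENTS)
    for h in hits:
        print(f"reply-to-junk: {h.mailbox} sent {h.message_id} in reply to {h.in_reply_to}")
    print("mailboxes to review:", mailboxes_over_threshold(hits, threshold=2))
```

A single hit is weak on its own, since a user can legitimately rescue a message from junk and answer it, so the per-mailbox count is there to surface accounts replying to junk-foldered mail repeatedly; those are the mailboxes to review alongside Exchange server patch state and API access logs rather than a verdict by themselves.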
According to Kroll, forensic review determined that the bad actors had been scanning Microsoft Exchange for vulnerabilities for weeks prior to the attack, which was launched less than 24 hours after a new version of Exchange was downloaded by the target org. The new version had not been fully patched, and the attack itself was invisible.
It’s just another reminder for IT departments to thoroughly test updates prior to publishing them live. In fact, Kroll reports that attacks through the second most popular initial access vector, Common Vulnerabilities and Exposures (CVEs) and zero-day exploitation (exploiting a vulnerability in new software before it is detected and patched), rose by 356% from Q3 to Q4 of 2021.
The Popular Price to Pay if the Hackers Win
Kroll also published its most popular threat incident types (read: what happens if cyberattackers get past your security) reported in Q3 and Q4 2021. Ransomware continues to be the most common threat incident. This should come as a surprise to no one.
The second incident type, “email compromise,” might actually be considered a number of different threats that branch off the same source. “Most commonly we see it lead to Business Email Compromise where actors takeover email accounts in order to send or approve fraudulent wire transfers or transactions,” says Wojcieszek. “In other instances, an email compromise could indicate a phishing email or link, sometimes this is to perform reply-chain attacks (encouraging victims to open an email because it is sent by a colleague), or it may have been contained before spreading into a malware infection.
“We see email compromise that aims to gain unauthorized access, either for theft of confidential information – particularly useful if associated with a high-net-worth individual that may be at risk of extortion – or as a conduit to compromise other accounts through password resets. While email compromise has many motives, ultimately, most often it aims to access an address book that can lead to additional victims. It is worth saying that several times we have seen actors take over accounts for the sole purpose of sending a spam campaign,” Wojcieszek says.
Kroll also reports that despite a series of successful interventions by law enforcement in Q4 2021, including the takedown of the REvil ransomware site, the arrest of two affiliates, and the pressure that led the BlackMatter ransomware gang to shut down, bad actors quickly rallied and by the end of the year had already improved the effectiveness of Emotet malware. Battles were won, but the war continues.