In April, May and June, the number of cyberattacks increased by 25 per cent compared to the first quarter. Hackers managed to infiltrate corporate networks by exploiting compromised credentials. The healthcare sector was the most affected by cyberattacks.
These are some of the results of the most recent edition of the Cisco Talos Incident Response Quarterly Report, which covers the second quarter of 2023.
Ransomware accounts for 17 per cent of Talos IR engagements
Cisco Talos Incident Response (Talos IR) responded to more incidents in the past quarter in which corporate data was stolen and customers were extorted without ransomware being used. As a result, data theft and extortion were the biggest digital threats in the second quarter.
Talos IR also handled a large number of ransomware attacks. In these attacks, company files are encrypted so that employees can no longer access the data. The perpetrators threaten to sell or disclose the stolen data unless the victim is willing to pay a ransom. In that case, the victim receives the decryption key to remove the digital lock from the files.
This form of extortion, known as double extortion, accounted for 17% of all Talos IR engagements. The security company mainly had to deal with LockBit and Royal ransomware. Ransomware families such as 8Base and MoneyMessage also appeared regularly.
Leaked credentials and PowerShell are most commonly used in cyberattacks
As in the first three months of the year, the healthcare sector was the primary victim of hackers. Roughly one-fifth of incident response engagements (22%) involved healthcare organizations. After healthcare, financial services and utilities such as energy companies and water treatment plants were the favourite targets of cybercriminals.
The attackers often abused compromised credentials to break into companies and organizations. In 40 per cent of cases, they managed to penetrate corporate networks using leaked credentials. These may have been obtained through data breaches at other parties, purchased on the dark web, or harvested through phishing campaigns. That is a 22 per cent increase compared to the first quarter of this year.
In addition, PowerShell, Microsoft’s scripting platform for task automation and configuration management, proved to be a popular means of reaching confidential data. PowerShell was used in more than half of the cyberattacks in the past quarter. According to the researchers, this is due to the tool’s ability to operate unobtrusively, its convenience, and its extensive management capabilities.
Lack of MFA leading cause of data theft
A significant reason for the increase in cyberattacks in the second quarter is the absence, or incorrect implementation, of multi-factor authentication (MFA). In more than 40 per cent of the cases, this was the cause of the security incident. In the cases where hackers used compromised credentials, 90 per cent of the victims did not have MFA enabled. In some cases, victims were bombarded with MFA push notifications by cybercriminals. To make the notifications stop, they approved one of the requests and so let the hackers into the corporate network.
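As an added illustration of the MFA push bombardment described above (example code written for this summary, not from the Cisco Talos report), the following detector flags a user who approves a push only after receiving a burst of pushes in a short window. The log format, field names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report): timestamp, user, event, source IP.
# "push_sent" = an MFA push was delivered to the user's device; "push_approved" = the user accepted it.
SAMPLE_LOG = """\
2023-06-12T02:14:05 alice push_sent 203.0.113.7
2023-06-12T02:14:21 alice push_sent 203.0.113.7
2023-06-12T02:14:38 alice push_sent 203.0.113.7
2023-06-12T02:15:02 alice push_sent 203.0.113.7
2023-06-12T02:15:19 alice push_sent 203.0.113.7
2023-06-12T02:15:40 alice push_approved 203.0.113.7
2023-06-12T09:01:10 bob push_sent 198.51.100.4
2023-06-12T09:01:25 bob push_approved 198.51.100.4
"""

PUSH_THRESHOLD = 4          # assumed: this many pushes inside the window counts as bombardment
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse lines into (timestamp, user, event, ip) tuples, sorted by time; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ip))
    return sorted(events)


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: (push_count, approval_time)} for every user who approved a push
    after at least `threshold` pushes were sent to them within `window` before the approval."""
    alerts = {}
    pushes = defaultdict(list)
    for ts, user, event, _ip in events:
        if event == "push_sent":
            pushes[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in pushes[user] if ts - t <= window]
            if len(recent) >= threshold:
                alerts[user] = (len(recent), ts)
    return alerts


if __name__ == "__main__":
    for user, (count, when) in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} approved a push at {when} after {count} pushes in {WINDOW}")
```

In the sample, alice is flagged (five pushes in under two minutes before the approval) while bob's single push followed by an approval is treated as normal.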
“The Cisco Talos findings on the Q2 cyber threats highlight the importance of strong passwords and enabling MFA where possible. Data theft and ransomware attacks are becoming more common in various industries. It is, and therefore remains, important for everyone to stay alert to suspicious digital activities,” emphasizes Jan Heijdra, security specialist at Cisco Netherlands.
The full Talos IR report can be found on the company’s blog page.