Top Targets for Cyber Threat Actors
According to Blackberry’s most recent Global Threat Intelligence Report, the two most attacked sectors are healthcare and financial services. The data for the report was gathered between March and May 2023 from Blackberry’s own security products, which stopped more than 1.5 million attacks over the 90-day period, about 11.5 attacks per minute, and observed 1.7 previously unseen malware samples per minute, a 13% increase over the previous reporting period.
During the reporting period, Blackberry identified 13,433 unique malware binaries and stopped more than 109,922 distinct attacks across the healthcare industry. Ransomware and information-stealing malware were especially common. The Amadey bot and the RedLine information stealer were among the most frequently blocked threats. Amadey has data-stealing capabilities and is typically used for reconnaissance before additional malicious payloads are downloaded. The Emotet, SmokeLoader and IcedID malware families were also widely used in attacks on the sector; all three can steal data and download further payloads.
Threat actors are drawn to the healthcare industry by the volume of sensitive information healthcare organizations hold, how easily that information can be monetized, and the sector’s dependence on data access and computer systems to deliver critical services.
It is not only financially motivated cybercriminal groups that target the healthcare sector. State-sponsored actors are also probing healthcare defenses and exfiltrating private healthcare information, and some threat groups have attacked the industry in retaliation for U.S. support of Ukraine. The RomCom group, for instance, targeted U.S. medical teams providing humanitarian aid to Ukrainian refugees.
During the reporting period, two advanced persistent threat (APT) groups were very active — Lazarus Group (aka Hidden Cobra, Labyrinth Chollima, Guardians of Peace, Nickel Academy, and Zinc) and APT28 (aka Sofacy/Fancy Bear). APT28 is a remarkably competent cyber espionage group considered to work for the Russian government and Lazarus Group is considered to be a North Korean state-sponsored threat group.
Attacks on federal and public sector organizations increased by 40% compared with the previous reporting period, with 55,000 attacks on public sector institutions stopped during the 90-day reporting period. Ransomware groups such as LockBit, BlackCat/ALPHV, Royal, and Clop were highly active and accounted for a large share of the attacks on city, state, and federal systems and on public sector agencies. Attacks in this reporting period included:
- BlackByte’s ransomware attack on the City of Augusta, GA and Royal’s ransomware attack on the City of Dallas, TX
- the LockBit ransomware attack on the City of Oakland, CA
- the Clop group’s mass exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer solution
Some of the most commonly used tools were:
- AdFind for Active Directory (AD) reconnaissance (enumerating users, groups, hosts, and trusts)
- Mimikatz for credential theft
- Cobalt Strike as a post-exploitation attack framework
- Extreme RAT (XtremeRAT) for remote access, espionage, and malware delivery
The most common malware families detected and blocked across all industries were:
- droppers/downloaders such as Emotet, SmokeLoader, and PrivateLoader
- information stealers such as Raccoon Stealer, RedLine, IcedID, and Vidar
- remote access Trojans such as Agent Tesla
Blackberry’s telemetry shows a 13% rise in unique malware samples, which indicates that threat actors are varying their tooling when they build their malware. The underlying malware is often the same, but recompiling or repacking it produces a different file hash for every build, so the samples slip past the simple hash-based blocklists and threat feeds that more conventional security operations centers rely on. Detection that keys on behaviour and on the parts of a sample that do not change between builds is far harder to evade this way.
Blackberry expects attacks on the healthcare sector to continue to increase and recommends prioritizing detection of the techniques most often used in these attacks, which fall under the Discovery and Defense Evasion tactics. Understanding the tactics, techniques, and procedures (TTPs) used by threat groups helps defenders limit the impact of attacks and supports their threat hunting, incident response, and recovery efforts.
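The following example, added here and not taken from the Blackberry report, shows why a rebuild defeats a hash-based feed while a similarity check does not. It builds two constructed, harmless byte strings that share the same "body" (code bytes, a hypothetical C2 string, imported API names) but differ in an invented header timestamp and padding, then compares an exact SHA-256 blocklist against a simple 4-byte shingling similarity measure. The header layout, the C2 URL and the threshold are assumptions for illustration; real tooling would use ssdeep, TLSH or import hashing rather than this toy shingle comparison.

```python
import hashlib
import struct

# Constructed, harmless stand-in for the part of a sample that stays
# constant across builds: code bytes, command strings, a hypothetical C2
# URL and imported API names. Illustrative data, not a real binary.
BODY = (
    b"\x55\x48\x89\xe5\x48\x83\xec\x20"              # function prologue bytes
    + b"cmd.exe /c whoami /all > %TEMP%\\out.txt\x00"
    + b"http://c2.example.invalid/gate.php\x00"      # hypothetical C2 URL
    + b"GetProcAddress\x00LoadLibraryA\x00VirtualAlloc\x00"
    + b"WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x48\x8b\x05\x10\x00\x00\x00\xff\xd0\xc3"
)


def build_sample(timestamp: int, padding: int) -> bytes:
    """Simulate a rebuild: identical body, different link timestamp and
    header padding. The header layout is invented for this example and is
    not a real PE header."""
    header = b"MZ" + struct.pack("<I", timestamp) + b"\x00" * padding
    return header + BODY


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, n: int = 4) -> set:
    """Set of all n-byte substrings (shingles) of the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity of two shingle sets (1.0 = identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def hash_blocklist_hit(sample: bytes, blocklist: set) -> bool:
    """Conventional feed lookup: exact SHA-256 match only."""
    return sha256_hex(sample) in blocklist


def similarity_hit(sample: bytes, known_bad: list, threshold: float = 0.8) -> bool:
    """Similarity lookup: shingle overlap with any known-bad sample."""
    s = shingles(sample)
    return any(jaccard(s, shingles(k)) >= threshold for k in known_bad)


if __name__ == "__main__":
    known = build_sample(timestamp=0x5F0A1B2C, padding=8)
    rebuilt = build_sample(timestamp=0x640B1C2D, padding=12)
    feed = {sha256_hex(known)}
    print("hash blocklist catches rebuilt sample:", hash_blocklist_hit(rebuilt, feed))
    print("similarity match catches rebuilt sample:", similarity_hit(rebuilt, [known]))
    print("jaccard similarity:", round(jaccard(shingles(known), shingles(rebuilt)), 3))
```

Only the handful of shingles that overlap the changed header bytes differ between the two builds, so the similarity stays above 0.9 while the SHA-256 values are unrelated. The same reasoning applies to behavioural indicators such as the C2 host or the API import set, which a recompile does not change.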
Cybersecurity Organizations Reveal 2022’s Most Often Exploited Vulnerabilities
The National Security Agency (NSA), U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and their Five Eyes intelligence partners have published a joint advisory (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a) describing the vulnerabilities most often exploited in 2022. Threat actors target Internet-facing systems with unpatched vulnerabilities to gain initial access to organizations’ internal networks, from which they steal sensitive data and carry out other post-exploitation activity. The advisory lists the top 12 Common Vulnerabilities and Exposures (CVEs) exploited by malicious actors in 2022, together with 30 further CVEs that were widely exploited. New in the 2023 advisory, each entry includes the associated Common Weakness Enumeration (CWE), which identifies the root cause that made the vulnerability exploitable.
Although sophisticated threat groups continue to find zero-day vulnerabilities and develop exploits for newly disclosed CVEs, in 2022 malicious actors exploited older vulnerabilities far more often than newly disclosed ones. Many of the listed vulnerabilities have public proof-of-concept (PoC) exploits, which put exploitation within reach of a much wider range of threat actors. Top of the list is CVE-2018-13379, a five-year-old vulnerability in Fortinet’s SSL VPN products (FortiOS/FortiProxy). Despite ranking as the 15th most exploited vulnerability in 2021, and despite a patch having been available since May 2019, many organizations had still not patched and remained exposed. Both Advanced Persistent Threat (APT) actors and cybercriminal groups, including ransomware operators, exploited the flaw.
The same pattern applied to a set of Microsoft Exchange Server vulnerabilities known as ProxyShell (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523) which, chained together, allow a security feature bypass, privilege escalation, and remote code execution. The vulnerabilities were disclosed and patched the previous year, and despite extensive media coverage and security alerts, many organizations still had not applied the patches. An authentication bypass vulnerability in Zoho ManageEngine that allowed remote code execution, and a code execution vulnerability in Atlassian’s Confluence Server and Data Center, were likewise disclosed and had patches available the previous year.
Threat actors develop exploits for known vulnerabilities and can typically keep using them for several years in cheap, high-impact attacks because many organizations fail to patch promptly or to apply the recommended mitigations. The agencies urge all organizations to use the list as a guide for prioritizing patching. Failing to apply patches promptly, particularly for known exploited vulnerabilities, makes it easy for attackers to gain access to an organization’s systems.
In addition to using a centralized patch management system, patching promptly, and running routine vulnerability scans, the agencies urge vendors, designers, developers, and end-user organizations to take further steps to reduce the risk of compromise, such as applying secure-by-design principles, prioritizing secure-by-default configurations, and ensuring that disclosed CVEs include the appropriate CWE identifying the root cause of the vulnerability.
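As an added example of using the advisory as a patching guide (this is illustrative code written for this page, not a CISA tool), the script below ranks findings from a vulnerability scan by exploitation evidence rather than by CVSS alone. The scanner export is constructed: the host names are fictional, the four real CVE identifiers are the ones named above, and CVE-0000-0001 and CVE-0000-0002 are placeholders rather than real CVE IDs. The scoring weights and tier rules are assumptions; in practice the hard-coded set would be replaced by the full advisory list or CISA’s Known Exploited Vulnerabilities catalog.

```python
import csv
import io

# CVE identifiers named in the advisory discussion above.
ADVISORY_CVES = {
    "CVE-2018-13379",  # Fortinet FortiOS/FortiProxy SSL VPN
    "CVE-2021-31207",  # Microsoft Exchange ProxyShell
    "CVE-2021-34473",  # Microsoft Exchange ProxyShell
    "CVE-2021-34523",  # Microsoft Exchange ProxyShell
}

# Constructed vulnerability-scanner export. Hosts are fictional and
# CVE-0000-0001 / CVE-0000-0002 are placeholders, not real CVE IDs.
SCAN_CSV = """host,cve,cvss,internet_facing,public_poc
vpn-gw-01,CVE-2018-13379,9.8,yes,yes
mail-01,CVE-2021-34473,9.8,yes,yes
mail-01,CVE-2021-34523,9.8,yes,yes
mail-01,CVE-2021-31207,7.2,yes,yes
hr-db-02,CVE-0000-0001,9.1,no,no
intranet-wiki,CVE-0000-0002,6.5,no,yes
"""


def parse_scan(csv_text: str) -> list:
    """Parse the scanner CSV into a list of finding dicts with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append({
            "host": row["host"].strip(),
            "cve": row["cve"].strip(),
            "cvss": float(row["cvss"]),
            "internet_facing": row["internet_facing"].strip().lower() == "yes",
            "public_poc": row["public_poc"].strip().lower() == "yes",
        })
    return findings


def score(f: dict) -> float:
    """Exploitation evidence outweighs raw severity: a known-exploited CVE on an
    exposed host outranks a higher-CVSS flaw nobody is attacking. Weights are
    assumptions for the example."""
    s = f["cvss"]
    if f["cve"] in ADVISORY_CVES:
        s += 10
    if f["internet_facing"]:
        s += 5
    if f["public_poc"]:
        s += 3
    return s


def tier(f: dict) -> str:
    """P1: known exploited and reachable from the Internet. P2: any one of
    known exploited, public PoC, or Internet facing. P3: everything else."""
    if f["cve"] in ADVISORY_CVES and f["internet_facing"]:
        return "P1"
    if f["cve"] in ADVISORY_CVES or f["public_poc"] or f["internet_facing"]:
        return "P2"
    return "P3"


def prioritize(csv_text: str) -> list:
    """Return findings sorted highest priority first; ties break on host, CVE."""
    findings = parse_scan(csv_text)
    for f in findings:
        f["score"] = score(f)
        f["tier"] = tier(f)
    return sorted(findings, key=lambda f: (-f["score"], f["host"], f["cve"]))


if __name__ == "__main__":
    for f in prioritize(SCAN_CSV):
        print(f"{f['tier']} {f['score']:5.1f} {f['host']:<14} {f['cve']}")
```

Note that the CVSS 9.1 finding on the internal database host lands last: it is severe on paper but has no public exploit and no exposure, whereas the 6.5 wiki flaw with a public PoC ranks above it. That inversion is the point of patching from the known-exploited list first.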