Report offers key insights on top attacker trends, latest developments in ransomware, most targeted sectors and Business Email Compromise trends
Cisco has unveiled key insights into the cybersecurity landscape in the first quarter of this year. The Talos Incident Response (IR) Quarterly Trends (Q1 2024) report, developed by Cisco Talos Intelligence Group, aims to help organizations arm themselves against the most common cyberthreats.
Business Email Compromise on the Rise
The report indicates that for the first time in several quarters, business email compromise (BEC) emerged as the most common threat in Q1 2024. Business Email Compromise made up 46 percent of all Cisco Talos IR engagements in the first quarter, a significant spike from Q4 2023. Adversaries use this tactic to disguise themselves as legitimate members of a business and send phishing emails to other employees or third parties, often pointing to a malicious payload or engineering a scheme to steal money.
Weaknesses in Multi-Factor Authentication Persist
In Q1 2024, Cisco’s security researchers discovered a new phishing kit called Tycoon 2FA that bypasses multi-factor authentication (MFA). This has since become one of the most widespread phishing kits, although it has yet to appear in any Talos IR engagements. Overall, attackers were frequently trying to bypass MFA on endpoint detection and response (EDR) solutions to disable their alerting mechanisms.
Weaknesses involving MFA were observed within nearly half of engagements, with the top weakness being users accepting unauthorized push notifications, occurring within 25 percent of engagements. The lack of proper MFA implementation followed closely, accounting for 21 percent of engagements.
New Variants of Ransomware Enter the Fold
Incidences of ransomware, which was the top threat in the last quarter of 2023, decreased by 11 percent, representing 17 percent of engagements. In Q1 2024, Talos IR responded to new variants of Phobos and Akira ransomware for the first time, in addition to the previously seen LockBit and Black Basta ransomware operations. A recent engagement suggests that Akira has returned to using encryption as an additional extortion method, now deploying a multipronged attack strategy to target Windows and Linux machines.
Cisco’s security researchers also observed a variety of other threats, including data theft extortion, brute-force activity targeting virtual private network (VPN) infrastructure, and the previously seen commodity loader malware Gootloader.
Manufacturing Remains a Popular Target
Continuing the trend from Q4 2023, manufacturing was the most targeted vertical by attackers in the first quarter, accounting for 21 percent of the total incident response engagements, closely followed by education. Healthcare, public administration, and technology tied for the third spot. The report noted a 20 percent increase in manufacturing engagements from the previous quarter.
The manufacturing sector faces unique challenges due to its inherently low tolerance for operational downtime. Q1 2024 witnessed a wide range of threat activity targeting manufacturing organizations, including financially motivated attacks, such as BEC and ransomware, and brute-force attacks on VPNs.
Evolving Cyberattack Techniques
The most frequent means of gaining initial access was the use of compromised credentials on valid accounts, which made up 29 percent of engagements, a 75 percent increase from Q4 2023. The use of email hiding inbox rules was the top observed defense evasion technique, representing 21 percent of engagements, which was likely due to the increase in BEC and phishing.
Cisco’s Approach
Fady Younes, Managing Director for Cybersecurity at Cisco Middle East & Africa, says, “We have seen significant changes in the way attackers approach their malicious activities since last year. In this complex landscape full of rapidly evolving threats, a holistic digital security strategy that focuses on proactive cybersecurity measures is of critical importance. At Cisco, we are leveraging cutting-edge technologies, including AI, to help organizations embed advanced security controls across their infrastructure to prevent, detect, and effectively respond to all forms of cyberattacks.”
The implementation of MFA and a single sign-on system ensures only trusted parties can access corporate email accounts to prevent the spread of BEC. Lack of MFA remains among the biggest impediments for enterprise security. All organizations should implement some form of MFA, such as Cisco Duo. Meanwhile, EDR solutions like Cisco Secure Endpoint can detect malicious activity on organizations’ networks and machines. In addition, Cisco’s Snort and ClamAV signatures can block many well-known ransomware families distributed in Q1 2024, such as Black Basta and Akira.