Stolen Credentials and Vulnerabilities Weaponized Against Businesses in 2019
IBM Security released the X-Force Threat Intelligence Index 2020, highlighting how cybercriminals' techniques have evolved after decades of access to tens of billions of corporate and personal records and hundreds of thousands of software flaws. According to the report, 60% of the observed initial entries into victims' networks leveraged either previously stolen credentials or known software vulnerabilities, allowing attackers to rely less on deception to gain access.
The report highlights contributing factors to this evolution, including the top three initial attack vectors. Phishing was the successful initial infection vector in less than one-third of observed incidents (31%), compared to half in 2018. Scanning for and exploitation of vulnerabilities accounted for 30% of observed incidents, compared to just 8% in 2018; in fact, older, known vulnerabilities in Microsoft Office and Windows Server Message Block were still being exploited at high rates in 2019. The use of previously stolen credentials is also gaining ground as a preferred point of entry, accounting for 29% of observed incidents. In 2019 alone, the report states, more than 8.5 billion records were compromised, a 200% year-over-year increase in reported exposed data, adding to the growing pool of stolen credentials that cybercriminals can use as source material.
IBM X-Force conducted its analysis based on insights and observations from monitoring 70 billion security events per day in more than 130 countries. In addition, data is gathered and analyzed from multiple sources including X-Force IRIS, X-Force Red, IBM Managed Security Services, and publicly disclosed data breach information. X-Force also runs thousands of spam traps around the world and monitors tens of millions of spam and phishing attacks daily while analyzing billions of web pages and images to detect fraudulent activity and brand abuse.
IBM's analysis found that of the more than 8.5 billion breached records reported in 2019, seven billion of those, or more than 80%, were due to misconfigured cloud servers and other improperly configured systems. That is a stark departure from 2018, when such records made up less than half of the total. Some of the most active banking trojans found in the report, such as TrickBot, were increasingly observed to set the stage for full-on ransomware attacks. Banking trojans and ransomware also led the other malware families discussed in the report in the amount of new code observed.
The report found that tech, social media and content streaming household brands make up the "Top 10" spoofed brands that cyber attackers are impersonating in phishing attempts. This shift could demonstrate the increasing trust put in technology providers over historically trusted retail and financial brands. Top brands used in squatting schemes include Google, YouTube and Apple.
The report revealed trends in ransomware attacks worldwide. It shows an uptick in ransomware activity in 2019, with IBM X-Force deploying its incident response team to ransomware incidents in 13 different industries worldwide, reaffirming that these attacks are industry agnostic. In 80% of observed ransomware attempts, attackers exploited Windows Server Message Block vulnerabilities, the same tactic used to propagate WannaCry, an attack that crippled businesses across 150 countries in 2017.
With ransomware attacks costing organizations over $7.5 billion in 2019, adversaries are reaping the rewards and have no incentive to slow down in 2020. Working with Intezer, IBM found new malware code in 45% of banking trojans and 36% of ransomware, which suggests that attackers are continuing to invest in writing new code to avoid detection.
As consumers become more aware of phishing emails, phishing tactics themselves are becoming more targeted. In collaboration with Quad9, IBM observed a squatting trend in phishing campaigns in which attackers impersonate consumer tech, social media and content streaming brands with tempting links to trick users into clicking through to malicious sites. Nearly 60% of the top 10 spoofed brands identified were Google and YouTube domains, while Apple (15%) and Amazon (12%) domains were also spoofed by attackers looking to steal users' monetizable data.
Facebook, Instagram and Netflix also made the list of the top 10 spoofed brands, but at a significantly lower rate, possibly because these services don't typically hold directly monetizable data. Since attackers often bet on credential reuse to gain access to accounts with more lucrative payouts, IBM X-Force suggests that frequent password reuse may be what made these brands targets.
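The squatting trend described above is something a defender can check for directly in their own telemetry (DNS logs, proxy logs, newly registered domain feeds). The following is an added example, not code from the IBM report or from Quad9: it flags domains that look like the four brands the report names as most spoofed (Google, YouTube, Apple, Amazon). The brand list, the allowlist of legitimate domains, the confusable-character table, the distance threshold and the sample domains are all assumptions chosen for illustration.

```python
"""Lookalike-domain (brand squatting) check.

Added example, not from the X-Force report. Flags three squatting styles:
  homoglyph  - label equals a brand once confusable characters are mapped back
               (go0gle, Cyrillic "а" in аpple)
  typosquat  - label is one edit away from a brand (amazom)
  combosquat - brand embedded in a longer label (youtube-verify)
Brand list, allowlist, confusables and threshold are assumptions for illustration.
"""
import unicodedata
from typing import Optional, Tuple

# Brands the report names as most spoofed (assumed registrable labels).
BRANDS = ("google", "youtube", "apple", "amazon")

# Assumed legitimate domains; in practice this comes from your own allowlist.
ALLOWLIST = {"google.com": "google", "youtube.com": "youtube",
             "apple.com": "apple", "amazon.com": "amazon"}

# Assumed confusable map: digits that mimic letters plus a few Cyrillic
# letters that render identically to their Latin counterparts.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})
# Two-character sequences that visually collapse into one letter.
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"))


def registrable_label(domain: str) -> str:
    """Return the label just below the suffix (naive, no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "net", "org", "ac", "gov"}:
        return labels[-3]           # e.g. apple.co.uk -> apple
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Strip accents, lowercase and undo common confusable substitutions."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.lower().translate(CONFUSABLES)
    for seq, rep in MULTI_GLYPHS:
        s = s.replace(seq, rep)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand); verdict is legitimate, homoglyph, typosquat,
    combosquat or clean. Checks run per brand in the order listed above."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST:
        return ("legitimate", ALLOWLIST[domain])
    label = registrable_label(domain)
    tokens = label.split("-") + [label]       # check each hyphenated part and the whole
    for brand in BRANDS:
        for token in tokens:
            norm = normalize(token)
            if norm == brand and token != brand:
                return ("homoglyph", brand)
            if levenshtein(norm, brand) == 1:  # one edit away (assumed threshold)
                return ("typosquat", brand)
        whole = normalize(label).replace("-", "")
        if brand in whole and whole != brand:
            return ("combosquat", brand)
    return ("clean", None)


def scan(domains):
    """Classify a batch of domains and return only the suspicious ones."""
    return [(d,) + classify(d) for d in domains if classify(d)[0] not in ("legitimate", "clean")]


if __name__ == "__main__":
    # Constructed sample; the Cyrillic "\u0430" in the last entry is not a Latin "a".
    sample = ["google.com", "go0gle-login.com", "amazom.net",
              "youtube-verify.co", "example.org", "\u0430pple.com"]
    for domain, verdict, brand in scan(sample):
        print(f"{domain:<20} {verdict:<11} impersonates {brand}")
```

The naive suffix handling and the one-edit threshold will produce false positives on real traffic (pineapple.com combosquats "apple", apply.org typosquats it), so in production feed the output into an allowlist-and-review workflow rather than blocking on it, and replace registrable_label with a public-suffix-list library.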