Thanks for just showing up, said the team that cranked out the Verizon 2021 Data Breach Investigations Report (DBIR). It’s quite the accomplishment that we all made it through the “often frightening and always unpredictable dystopian wasteland that was 2020,” the carrier noted, with cybersecurity practitioners still “having enough interest and energy to care about making the world a safer place.”
This latest edition of the long-running DBIR couldn’t help waxing rueful about the past year, which saw sharp spikes in cyberattacks as COVID-19 gave rise to pandemic-themed spear-phishing, brute-force attacks on remote workers, and a focus on exploiting or abusing collaboration platforms.
Plenty of others have observed the same: For example, in March, Kaspersky issued a report finding that brute-force attacks (where attackers try random usernames and passwords against accounts) on Remote Desktop Protocol (RDP) connections ramped up globally, surging 197 percent from 93.1 million worldwide in February to 277.4 million in March.
This year’s DBIR analyzed 5,258 breaches from 83 contributors in 88 countries: about a third more breaches than were analyzed last year. Phishing and ransomware attacks on remote workers were up 11 percent and 6 percent, respectively. Web applications meanwhile were targeted in 39 percent of breaches, reflecting the lickety-split uptake of cloud services as workers were suddenly ordered to go home and stay there.
As far as what motivated cyberattacks, there’s no surprise here: Just like in previous years, most threat actors were involved in financially motivated campaigns. As far as who’s doing the dirty work, threat actors categorized as organized crime were far and away the No.1 perpetrators.
Credentials were again the top data variety they were after. The DBIR noted however that since 2015, state-sponsored actors have also been after el dinero: Over the past six years, these actors’ financial motives have fluctuated between 6 and 16 percent of recorded breaches. No surprise then that the two most common cybercrime terms found on criminal forums are related to bank accounts and credit cards.
It’s Been a Phishing Phreak Show
In last year’s report, DBIR forecast a possible increase in phishing, use of stolen credentials, ransomware and misconfiguration breaches. How did this (data-enriched) gut feeling pan out?
Not so shabby, the 2021 DBIR concluded: Phishing is still one of the top breach varieties, just as it has been over the past two years. It’s gotten ambitious, though, or, to put it in DBIR-speak, phishing hasn’t been content just “to rest on its scaly laurels.”
For instance, spear-phishers have jumped on the quarantined population to pump up the volume: Phishing frequency in the past year has played a part in 36 percent of breaches, up from 25 percent last year.
“This increase correlates with our expectations given the initial rush in phishing and COVID-19-related phishing lures as the worldwide stay-at-home orders went into effect,” according to the DBIR. “Phishing is respo
nsible for the vast majority of breaches in this pattern, with cloud-based email servers being a target of choice.”
James McQuiggan, security awareness advocate at KnowBe4, noted that phishing or other social-engineering campaigns have turned up as the initial attack vector for breaches for the past several years. It’s getting more sophisticated, to boot, he told Threatpost via email on Thursday.
“Cybercriminals are evolving their social-engineering attacks through creative means,” he said. “Whether it’s a password reset to a social-media account, or having kits that can automatically insert the logo of the target company, or even misinformation about the gas shortage and where to find gas, all have caused people to fall for the phishing lures of curiosity, fear or greed.”
Martin McKeay, security researcher and editorial director at Akamai – which is one of the many partners that contribute data to the DBIR – told Threatpost on Thursday that it shouldn’t surprise anyone that Akamai agrees with Verizon that there’s been a ” a huge increase” in the number of phishing-based compromises during the pandemic. Akamai itself has analyzed the effect of the pandemic on traffic and attack patterns multiple times in the last year, he noted via email on Thursday. Akamai itself has released a SOTI/research report on how it affected Akamai’s own systems.
Credential Rip-Offs Held Steady
The typical point of phishing, of course, is to rip off credentials. Understandably enough, the DBIR crew expected to see a jump in the use of stolen credentials in breaches due to the pandemic-induced growth in the remote workforce. Was that a correct prediction? Turns out, not so much: In fact, the numbers of stolen credentials used in breaches have held steady at around 25 percent of breaches – though, as the team pointed out, that’s still a significant number.
Sharing Your Desktop With Cyber-Crooks
Tim Erlin, vice president of product management and strategy at Tripwire, pointed out what he called the “meaningful” growth in exploiting desktop-sharing as an attack vector in 2020. That’s a trend that organizations should pay attention to, he told Threatpost via email on Thursday.
“If you’re going to use desktop-sharing applications, you should ensure you can accurately inventory their use, assess their configurations and identify vulnerabilities in them,” Erlin said.
As far as targeted assets go, servers – specifically, web-application servers – dominated the field in terms of targeted assets. “If you’re going to focus your security controls on one type of asset, you’ll get the biggest bang for your buck with your web servers,” he said.
Yet More Bang for the Buck: Focusing on Old Bugs
Erlin said that it’s telling that the attackers continue to exploit older vulnerabilities, but that newer vulnerabilities are less of a problem. “If you’re responsible for vulnerability management in your organization, it’s worth examining how your prioritization tactics match up with the exploit data,” he suggested.
“Misconfigurations make up the largest percentage of miscellaneous errors causing breaches. It might be more fun to spend resources on the latest AI-driven threat-hunting tool, but implementing configuration management and change detection will go a long way in maintaining the integrity of your digital assets,” Erlin said.
Here are some more takeaways from this year’s DBIR:
- 85 percent of breaches involved a human element.
- 61 percent of breaches involved credentials.
- 13 percent of non-denial-of-service (non-DoS) incidents involved ransomware.
- 3 percent of breaches involved the exploitation of a vulnerability.
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!