The number of attacks via web shells rose at an above-average rate in the first three months of 2023. The Cisco Talos report shows that attacks via web shells were the top attack vector in the first quarter of 2023, while ransomware was warded off more successfully.
According to Cisco Talos' analysis, this type of attack accounted for a quarter of all incidents investigated by the Incident Response Team in the first quarter of 2023. At the same time, the share of detected ransomware attacks fell from 20% to 10%. The researchers are not giving the all-clear, however: one fifth of all observed threat activity was attributable to attacker actions that typically precede and prepare a ransomware attack.
Threat situation for the first quarter of 2023
Talos, one of the world's largest commercial threat intelligence organizations, has released its threat assessment for the first quarter of 2023. According to the report, publicly accessible web applications were a major target of threat actors in this period: almost half of all attacks (45%) used such applications as the initial vector to gain access to systems, an increase of 15% compared to the previous quarter.
Many of these attacks used web shells to compromise internet-exposed servers. Generally speaking, a web shell is a malicious script that masquerades as a legitimate file and thereby opens a backdoor into the web server. Web shells are usually "left behind" after a successful intrusion so that the attacker can return for further attacks. According to the Talos researchers, attackers benefited from the fact that many web application user accounts were protected only by weak passwords or single-factor authentication.
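To make the web-shell pattern described above concrete from the defender's side, here is an added example (not code from the page or from Cisco Talos) that runs two simple checks: one over web server access logs, one over PHP source. It assumes the Apache/nginx combined log format and a typical PHP site layout in which /uploads/ and /images/ hold only static files; the log lines and PHP snippets it works on are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in Apache/nginx "combined" log format; these are not real requests.
# 198.51.100.9 posts directly to a script in the upload directory that nothing on the
# site links to, which is how a planted web shell typically shows up in access logs.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [02/Mar/2023:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2023:10:01:13 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "https://example.test/index.php" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2023:10:06:02 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/login.php" "Mozilla/5.0"
198.51.100.9 - - [02/Mar/2023:10:05:40 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 312 "-" "python-requests/2.28"
198.51.100.9 - - [02/Mar/2023:10:05:41 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 48 "-" "python-requests/2.28"
198.51.100.9 - - [02/Mar/2023:10:07:15 +0000] "GET /images/.cache.php HTTP/1.1" 200 96 "-" "curl/7.88"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions and directories that should only ever hold static files.
# Both tuples are assumptions about a typical PHP deployment; adjust them to your layout.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx")
STATIC_DIRS = ("/uploads/", "/images/", "/static/", "/media/", "/files/")


def parse_access_log(text):
    """Parse combined-format lines into dicts; the query string is dropped from the path."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["path"] = entry["path"].split("?", 1)[0]
            entries.append(entry)
    return entries


def is_script(path):
    return path.lower().endswith(SCRIPT_EXT)


def find_webshell_candidates(entries):
    """Return a sorted list of (rule, path) pairs that deserve a closer look."""
    findings = set()

    # Rule 1: a server-side script is executed (HTTP 200) from a directory that is
    # supposed to contain only uploaded or static files.
    for e in entries:
        if is_script(e["path"]) and e["path"].startswith(STATIC_DIRS) and e["status"] == "200":
            findings.add(("script-in-static-dir", e["path"]))

    # Rule 2: a script that is only ever reached by direct POST requests without a Referer,
    # i.e. no page on the site links to it and every caller already knew the URL.
    hits_by_path = defaultdict(list)
    for e in entries:
        if is_script(e["path"]):
            hits_by_path[e["path"]].append(e)
    for path, hits in hits_by_path.items():
        if all(h["method"] == "POST" and h["referer"] == "-" for h in hits):
            findings.add(("unlinked-post-only-script", path))

    return sorted(findings)


# Constructed one-line PHP samples for the source-level check below.
SUSPICIOUS_PHP = '<?php eval(base64_decode($_POST["p"])); ?>'
BENIGN_PHP = '<?php $name = htmlspecialchars($_POST["name"]); echo "Hi $name"; ?>'

# A code-evaluation or command-execution builtin called directly on request input is the
# classic shape of a minimal web shell; this regex flags exactly that shape.
SUSPICIOUS_SOURCE_RE = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
    r"(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def scan_php_source(src):
    """Return the suspicious call sites found in a PHP source string."""
    return [m.group(0) for m in SUSPICIOUS_SOURCE_RE.finditer(src)]


if __name__ == "__main__":
    for rule, path in find_webshell_candidates(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"{rule:28} {path}")
    print("suspicious:", scan_php_source(SUSPICIOUS_PHP))
    print("benign:    ", scan_php_source(BENIGN_PHP))
```

Both rules are heuristics, not proof: a legitimate API endpoint called only by a mobile app also looks like an "unlinked POST-only script", so the output is a triage list to check against the deployment's known files and against file modification times, not an alert by itself.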
Attack via poorly secured web applications
"Failures to secure web applications take revenge," says Holger Unterbrink, technical leader at Cisco Talos in Germany. "The results of our report make it clear once again that multifactor authentication and strong passwords are now part of the basics of cyber hygiene. Especially when it comes to such prominent applications as websites."
Reinforced ransomware defenses: Vice Society mitigated
The ransomware threat remains high. Although Cisco Talos saw a general decline in successful extortion cases in Q1, so-called "pre-ransomware" activities accounted for around one fifth of all attacks, so a renewed increase in successful attacks can be expected in the coming months. Cisco Talos was able to link many of these preparatory measures to well-known ransomware groups such as Vice Society. According to the researchers, rapid intervention by the security teams at the victim companies helped contain attacks before encryption could take place.
In the first quarter of 2023, healthcare was the main target for criminals, closely followed by retail, real estate and hospitality.
OneNote documents as an attack vector
So-called "commodity malware" was already on the rise last year. It is widely available and can be bought or downloaded for free. Commodity malware is typically not customized and is used by threat actors at various stages of their activities. In the first quarter of 2023, previously seen commodity loaders such as Qakbot made a stronger appearance again; Qakbot frequently used malicious OneNote documents.
Malicious OneNote attachments were also observed in other attack attempts, so, according to Talos' analysis, threat actors continue to experiment with file types that do not rely on macros. Microsoft began disabling macros by default in its applications in July 2022. Other applications that embed and manage files are affected as well.
Further results in the first quarter of 2023
- In thirty percent of the observed cases, multi-factor authentication (MFA) was either not enabled at all or enabled only for a few accounts and critical services.
- Recent successes by law enforcement agencies in breaking up large ransomware gangs (e.g. Hive) are having an effect. However, this creates room for new families and new partnerships: with Daixin Ransomware, a new ransomware-as-a-service (RaaS) family appeared in Q1/2023.
- The open-source toolkit Mimikatz was used in nearly 60 percent of ransomware and pre-ransomware cases this quarter. Mimikatz is a widely used post-exploitation tool for stealing login names, passwords and authentication tokens from compromised Windows systems.
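The credential theft the last list item describes has a well-known telemetry footprint: the tool has to open the LSASS process with memory-read rights. The following added example (not Cisco Talos code; the page itself gives no detection guidance) shows that check over Sysmon Event ID 10 (ProcessAccess) records. It assumes Sysmon is deployed with ProcessAccess logging for lsass.exe enabled, uses the documented Windows process access-right bits, and runs over constructed event records; the allowlist of processes that legitimately open LSASS is an assumption to be tuned per environment.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon Event ID 10 records in the Windows event XML shape (not real logs).
# The second record shows an unknown binary opening lsass.exe with PROCESS_VM_READ,
# which is what credential dumping needs; the other records are routine.
SAMPLE_SYSMON_EVENTS = r"""
<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><EventID>10</EventID><Computer>WS01.example.test</Computer></System>
    <EventData>
      <Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data>
      <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
      <Data Name="GrantedAccess">0x1000</Data>
    </EventData></Event>
  <Event><System><EventID>10</EventID><Computer>WS01.example.test</Computer></System>
    <EventData>
      <Data Name="SourceImage">C:\Users\Public\update.exe</Data>
      <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
      <Data Name="GrantedAccess">0x1010</Data>
    </EventData></Event>
  <Event><System><EventID>10</EventID><Computer>WS01.example.test</Computer></System>
    <EventData>
      <Data Name="SourceImage">C:\Program Files\Windows Defender\MsMpEng.exe</Data>
      <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
      <Data Name="GrantedAccess">0x1fffff</Data>
    </EventData></Event>
  <Event><System><EventID>10</EventID><Computer>WS01.example.test</Computer></System>
    <EventData>
      <Data Name="SourceImage">C:\Users\Public\update.exe</Data>
      <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
      <Data Name="GrantedAccess">0x1fffff</Data>
    </EventData></Event>
</Events>
"""

# Windows process access rights (documented values). Reading LSASS memory, or rights that
# imply the ability to do so, is what credential theft needs; plain query rights
# (0x1000, 0x0400) are requested by many legitimate processes and are not flagged.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
CREDENTIAL_THEFT_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ
                           | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

# Processes that routinely open LSASS with broad rights. This list is an assumption for
# the example; build it from your own baseline and keep it as short as possible.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_events(xml_text):
    """Flatten each <Event> into a dict keyed by EventID, Computer and the Data Name attributes."""
    root = ET.fromstring(xml_text.strip())
    events = []
    for ev in root.iter():
        if _local(ev.tag) != "Event":
            continue
        rec = {}
        for el in ev.iter():
            name = _local(el.tag)
            if name == "EventID":
                rec["EventID"] = int(el.text)
            elif name == "Computer":
                rec["Computer"] = el.text
            elif name == "Data" and el.get("Name"):
                rec[el.get("Name")] = el.text or ""
        events.append(rec)
    return events


def detect_lsass_credential_access(events):
    """Alert on non-allowlisted processes opening lsass.exe with memory-access rights."""
    alerts = []
    for rec in events:
        if rec.get("EventID") != 10:
            continue
        if not rec.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        source = rec.get("SourceImage", "")
        if source.lower() in LSASS_ACCESS_ALLOWLIST:
            continue
        granted = int(rec.get("GrantedAccess", "0"), 16)
        if granted & CREDENTIAL_THEFT_RIGHTS:
            alerts.append({"computer": rec.get("Computer"), "source": source, "granted": hex(granted)})
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_credential_access(parse_sysmon_events(SAMPLE_SYSMON_EVENTS)):
        print(f"{alert['computer']}: {alert['source']} opened lsass.exe with {alert['granted']}")
```

Matching on the access-right bits rather than on a list of exact masks (0x1010, 0x1410, 0x1fffff, ...) keeps the rule robust to tools that request slightly different combinations; the cost is that the allowlist must be maintained, since security products and some Windows components legitimately read LSASS memory.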
About Cisco
Cisco is the world's leading technology company that makes the Internet possible. Cisco is opening new possibilities for applications, data security, infrastructure transformation and the empowerment of teams for a global and inclusive future.