Backdoor deployment overtakes ransomware as top attacker action


Thanks to the availability of malware such as Emotet, deploying backdoors on victims' networks is becoming easier and more lucrative for cybercriminals.


Deployment of backdoors on networks was the top action attackers took in almost a quarter of all incidents remediated in 2022. "Backdoors led to a notable spike in Emotet cases in February and March. That spike inflated the ranking of backdoor cases significantly, as those deployed in this timeframe account for 47 per cent of all backdoors identified globally throughout 2022," according to the newly released IBM Security X-Force Threat Intelligence Index.

“Increased backdoor deployment may also be due to the amount of money this kind of access can generate on the dark web. Compromised corporate network access from an initial access broker typically sells for several thousands of US dollars,” stated the report.

Ransomware, which had been the number one attack in 2021, came as a close second with 17 per cent and business email compromise (BEC) followed with 6 per cent. The study found 19 ransomware variants in 2022. LockBit variants comprised 17 per cent of total ransomware incidents observed, up from 7 per cent in 2021. Phobos tied with WannaCry for second at 11 per cent. Many WannaCry cases were the result of infections from three to five years ago, taking place on old, unpatched equipment.

The top impacts of cyberattacks

Extortion was the main impact at 21 per cent of incidents observed by X-Force. Extortion cases were often achieved through ransomware or BEC and often include the use of remote access tools, cryptominers, backdoors, downloaders, and web shells.

One tactic observed in 2022 was attackers making stolen data more accessible to downstream victims. “By making it easier for second-hand victims to identify their data among a data leak, operators seek to increase the subsequent pressure on the organisation targeted by the ransomware group or affiliate in the first place,” the report found.

In second place came data theft with 19 per cent followed by credential harvesting with 11 per cent. Data thefts have not all resulted in data leaks, which happened in 11 per cent of all cyberattacks.

What IBM X-Force observed in the malware landscape

A 17 per cent spike in the Raspberry Robin malware between early June and early August was identified in the oil and gas, manufacturing, and transportation industries. X-Force advises ensuring security tools block known USB-based malware (such as Raspberry Robin), implementing security awareness training, and disabling autorun features for any removable media.
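The autorun recommendation above is a concrete configuration change. The following PowerShell script is an added example, not code from the article or from IBM X-Force: it audits and enforces the Windows AutoRun policy value (the NoDriveTypeAutoRun bitmask under the Explorer policy key) that, set to 0xFF, disables AutoRun for every drive type including removable media. It assumes a Windows host and an elevated PowerShell session; the function names are this example's own.

```powershell
# Added example (not from the article or the X-Force report): audit and enforce the
# Windows AutoRun policy so removable media cannot auto-launch content.
# Assumes Windows and an elevated (Administrator) PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled.
    # 0xFF (255) covers every drive type: removable, fixed, network, CD-ROM, RAM disk, unknown.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $value = if ($null -ne $props) { $props.NoDriveTypeAutoRun } else { $null }
    [PSCustomObject]@{
        NoDriveTypeAutoRun = $value
        Compliant          = ($value -eq 0xFF)
    }
}

function Set-AutoRunDisabled {
    # Create the policy key if this host has never had the policy applied.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Write the DWORD that disables AutoRun on all drive types.
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# Audit first, change only when the host is not already compliant.
$before = Get-AutoRunPolicy
if (-not $before.Compliant) {
    Write-Host "AutoRun is not fully disabled (current value: $($before.NoDriveTypeAutoRun)); applying policy."
    Set-AutoRunDisabled
} else {
    Write-Host "AutoRun already disabled for all drive types."
}

# Report the resulting state so the change can be logged or fed to a compliance check.
Get-AutoRunPolicy | Format-List
```

In a managed estate the same value is normally pushed by Group Policy (Computer Configuration, Administrative Templates, Windows Components, AutoPlay Policies); the script is useful for spot-checking hosts that fall outside policy scope and for confirming the setting actually landed.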

IBM X-Force also noticed an increase in the popularity of the Rust programming language with developers releasing Rust versions of their malware including BlackCat, Hive, Zeon, and RansomExx.

A “sudden” influx of Vidar InfoStealer was noticed in June through to early 2023. Vidar can be used to retrieve device information such as credit card information, usernames, passwords, and files. It can also take screenshots of the user’s desktop or steal Bitcoin and Ethereum cryptocurrency wallets.

Manufacturing is the most targeted OT industry

Of the operational technology (OT) industries, manufacturing experienced 58 per cent of incidents X-Force helped remediate. In line with the main findings of the report, the deployment of backdoors was the top action objective, identified in 28 per cent of cases in the manufacturing sector. X-Force believes this to be a favourite of ransomware actors likely due to these organisations’ low tolerance for downtime.

Spear phishing accounted for 38 per cent of initial access vectors in OT-related industries, including the use of attachments (22 per cent), the use of links (14 per cent) and spear phishing as a service (2 per cent). This was followed by the exploitation of public-facing applications with 24 per cent, the detection of backdoors at 20 per cent and ransomware at 19 per cent. The most common impact of such attacks was extortion (29 per cent) followed by data theft (24 per cent).

Cyberattacks trends by geography

For the second consecutive year, Asia-Pacific was the most attacked region in 2022 registering 31 per cent of all incidents. This represents a 5 per cent increase compared to 2021, according to the report. Japan was the epicentre of the Emotet spike in 2022.

Manufacturing was the most attacked industry in the region with 48 per cent followed by finance and insurance with 18 per cent. Other global trends also applied including spear phishing by attachment being the top infection vector at 40 per cent and deployment of backdoors being the top action on the objective at 31 per cent.

Japan was the most targeted nation with 91 per cent of the received attacks followed by the Philippines with 5 per cent, and Australia, India, and Vietnam each at 1.5 per cent. Europe was the second most targeted region with 28 per cent of attacks. The region was the hardest hit by extortion, with 44 per cent of all extortion cases observed. The top impact caused by attacks was extortion (38 per cent) across the region. The United Kingdom was the most attacked country in Europe, accounting for 43 per cent of cases. Germany accounted for 14 per cent, Portugal 9 per cent, Italy per cent, and France 7 per cent.

Professional, business, and consumer services tied with finance and insurance as the most attacked industries, each accounting for 25 per cent of the cases to which X-Force responded. Manufacturing was second with 12 per cent of cases, and energy and healthcare followed in third place at 10 per cent.

X-Force saw no evidence of widespread state-sponsored cyber activity following the invasion of Ukraine. However, it did find that Russia has deployed an unprecedented number of wipers against targets in Ukraine. The wipers were mostly used against Ukraine’s networks from before the country’s invasion through to March 2022.

One of the most prolific self-proclaimed hacktivist groups observed was Killnet, a Russia-sympathetic group that has claimed DDoS attacks against public services, government ministries, airports, banks and energy companies based in North Atlantic Treaty Organisation (NATO) member states, allied countries in Europe, as well as in Japan and the United States.

North America experienced a slight increase in the number of incidents, from 23 per cent in 2021 to 25 per cent in 2022. The region's most attacked industry was energy with 20 per cent of attacks; manufacturing and retail-wholesale followed with 14 per cent each, although manufacturing represents a 50 per cent drop in cases when compared to 2021.

The US accounted for 80 per cent of the region’s attacks and Canada 20 per cent. The biggest impact in the region was credential harvesting (25 per cent) and the top infection vectors were the exploitation of public-facing applications at 35 per cent and spear phishing attachments at 20 per cent. Ransomware incidents accounted for 23 per cent of cases.

In Latin America, retail wholesale was the most attacked industry with 28 per cent of cases followed by finance and insurance (24 per cent) and energy (20 per cent). Ransomware accounted for 32 per cent of attacks and extortion was the most common impact at 27 per cent. Brazil accounted for 67 per cent, Colombia 17 per cent and Mexico 8 per cent. Peru and Chile split the remaining 8 per cent.

Deployment of backdoors was detected in 27 per cent of cases to which X-Force responded in the Middle East and Africa in 2022. Finance and insurance were the most targeted industries in the region, accounting for 44 per cent. Saudi Arabia comprised two-thirds of the cases in the region to which X-Force responded. The remaining cases were split between Qatar, United Arab Emirates and South Africa.

What to do to secure your organization

X-Force makes six recommendations to help companies secure systems against malicious threats including those mentioned above.

Understand the data the company possesses. This is key to understanding what is being defended and the most critical data to the business. Managing assets has been, and still is, one of the biggest issues facing cybersecurity teams today, John Hendley, head of strategy at IBM Security X-Force tells CSO. “This is especially the case on the perimeter, where the presence of any vulnerabilities can introduce a foothold into your environment for threat actors. That’s why we’ve seen such a large shift in strategy for defenders, away from perfecting perimeter security and towards detection and response, including the principles behind zero trust.”

Know your adversary. Adopt a view that emphasises the specific threat actors that are most likely to target your industry, organisation, and geography. In Hendley's words, CISOs need to adopt the hacker mindset. "Doing so makes you see your systems, your networks, and really the whole world in a new way. Red teaming your defences—whether that be simply probing for vulnerabilities or misconfigurations, or more in-depth detection and response testing—can help you get that understanding."

Better understand how threat actors operate. Identify their level of sophistication and know which tactics, techniques, and procedures (TTP) attackers are most likely to employ. “For example, the actions and tactics of threat actors targeting pharmaceutical companies for intellectual property will be a world apart from cyber gangs that target elementary schools with ransomware. Being sharp on who your adversary is can push defender teams to that next level,” Hendley says.

Maintain visibility at key points throughout the enterprise. Ensuring alerts are generated and acted on in a timely manner is critical to stopping attackers.

Assume compromise. This will ensure cybersecurity teams are constantly re-examining possible infiltration points, detection response capabilities and how difficult it can be for an attacker to access critical systems and data.

Apply threat intelligence. Analyse common attack paths and identify key opportunities for mitigating common attacks and be prepared by developing an incident response plan.
