Key findings:
- Ransomware and business email compromise (BEC) were the top incident types accounting for nearly 70% of incident response cases over the past 12 months
- Ransom demands have been as high as US$30 million (RM 133.6 million); average amount stolen from BEC attacks was US$286,000 (RM 1.27 million)
- Finance and real estate received the highest average ransom demands, at nearly US$8 million (RM 35.6 million) and US$5.2 million (RM 23.2 million) respectively
According to a new report from Palo Alto Networks, the global cybersecurity leader, the heavy use of software vulnerabilities as an initial access vector matches the opportunistic behaviour of threat actors, who scan the internet for vulnerable and weakly defended systems to focus on.
The 2022 Unit 42 Incident Response Report offers a multitude of insights gleaned from Unit 42 by Palo Alto Networks' extensive incident response (IR) work, drawing on a sample of over 600 Unit 42 IR cases, to help CISOs and security teams understand the greatest security risks they face and where to prioritise resources to reduce them.


In the report, Unit 42 identified that the top three initial access vectors used by threat actors were phishing, exploitation of known software vulnerabilities and brute-force credential attacks, focused primarily on Remote Desktop Protocol (RDP)[1]. Combined, these attack vectors make up 77% of the suspected root causes of intrusions.
Among the exploited software vulnerabilities, ProxyShell accounted for more than half of the exploitation for initial access (55%), followed by Log4j (14%), SonicWall (7%), ProxyLogon (5%) and Zoho ManageEngine ADSelfService Plus (4%).

Ransomware and business email compromise (BEC) were the top incident types accounting for nearly 70% of incident response cases over the past 12 months.
Every four hours, a new ransomware victim is posted on leak sites. The ransom demands have been as high as $30 million, and actual payouts have been as high as $8 million, a steady increase compared to the findings of the 2022 Unit 42 Ransomware Report.
Business email compromise (BEC) is a wire-fraud scheme that comes with a variety of forms of social engineering, such as phishing. It offers hackers an easy and cost-effective way to gain covert access while maintaining a low risk of discovery. In many BEC cases, cybercriminals are simply asking their unwitting targets to hand over their credentials, and getting them. Once they have that access, the median dwell time[2] for BEC attacks was 38 days, and the average amount stolen was $286,000, according to the report.
The 2022 Unit 42 Incident Response Report reveals trends and future implications, and offers recommendations based on data gathered from a year's worth of investigations.

“Right now, cybercrime is an easy business to get into because of its low cost and often high returns. As such, unskilled, novice threat actors can get started with access to tools like hacking-as-a-service becoming more popular and available on the dark web,” said Wendi Whitmore, SVP and head of Unit 42 at Palo Alto Networks. “Ransomware attackers are also becoming more organised with their customer service and satisfaction surveys as they engage with cybercriminals and the victimised organisations.”
[2] Dwell time is the time threat actors spend in a targeted environment before being detected.
(Source: Cybersecurity Malaysia)
Similarly, in Malaysia, fraud remains the top and still-growing incident type, followed by malware and intrusion; together these account for 95% of cyber incidents in the first half of 2022. Notably, malware's share of all incidents grew more than 300% compared to the first half of 2020 (3.56% in 1H 2020; 14.67% in 1H 2022).
“Identifying threat actors’ activity at their early stage is critical for organisations, especially those involved in heavy financial transactions. With increasing digital activity and unmonitored connected devices, 69% of the organisations in Malaysia are planning to increase their cybersecurity budget for 2022[3],” said Suk Hua Lim, country manager, Palo Alto Networks, Malaysia. “It is vital for organisations to have complete visibility of their network and adopt a Zero Trust approach – ‘Never trust, Always verify’, upskill employees with cyber hygiene knowledge, and implement the updated cybersecurity resilience products.”
[3] Palo Alto Networks State of Cybersecurity ASEAN Report


Affected Industries
In the report, Unit 42 identified finance and real estate as the industries that received the highest average ransom demands, at nearly $8 million and $5.2 million respectively. Attackers follow the money when choosing which industries to target; however, many attackers are opportunistic, simply scanning the internet for systems on which they can leverage known vulnerabilities.
Unit 42 also identified the top affected industries in incident response cases as finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail. Organisations within these industries store, transmit and process high volumes of monetizable sensitive information that attracts threat actors.

The report also reveals some statistics from IR cases that cyberattackers don’t want you to know:
- In half of all IR cases, our investigators discovered that organisations lacked multifactor authentication on critical internet-facing systems, such as corporate webmail, virtual private network (VPN) solutions or other remote access solutions.
- In 13% of cases, organisations had no mitigations in place to ensure account lockout for brute-force credential attacks.
- In 28% of cases, having poor patch management procedures contributed to threat actor success.
- In 44% of cases, organisations did not have an endpoint detection and response (EDR) or extended detection and response (XDR) security solution, or it was not fully deployed on the initially impacted systems to detect and respond to malicious activities.
- 75% of insider threat cases involved a former employee
Six things to start to defend your organisation
- Conduct phishing prevention and recurring employee and contractor security training.
- Disable any direct external Remote Desktop Protocol access: ensure all external remote administration is conducted through an enterprise-grade multifactor authentication VPN.
- Patch internet-exposed systems as quickly as possible (given best practices for testing and responsible deployment) to prevent vulnerability exploitation.
- Implement multifactor authentication as a technical control and security policy for all users.
- Require that all payment verification takes place outside of email to ensure a multi-step verification process.
- Consider a credential breach detection service and/or attack surface management solution to help track vulnerable systems and potential breaches.