News

Verizon: Pandemic Ushers in ⅓ More Cyber-Misery

  • Lisa Vaas--Threatpost
  • published date: 2021-05-14 13:26:48 UTC

The DBIR – Verizon’s 2021 data breach report – shows spikes in sophisticated phishing, financially motivated cyberattacks and a criminal focus on web-application servers.

<div class="c-article__content js-reading-content"> <p>Thanks for just showing up, said the team that cranked out the <a href="https://www.verizon.com/business/resources/reports/dbir/2021/masters-guide/" target="_blank" rel="noopener">Verizon 2021 Data Breach Investigations Report</a> (DBIR). It’s quite the accomplishment that we all made it through the “often frightening and always unpredictable dystopian wasteland that was 2020,” the carrier noted, with cybersecurity practitioners still “having enough interest and energy to care about making the world a safer place.”</p> <p>This latest edition of the long-running DBIR couldn’t help waxing rueful about the past year, which saw sharp spikes in cyberattacks as <a href="https://threatpost.com/cyberattacks-fundamental-changes-covid-19/164775/" target="_blank" rel="noopener">COVID-19 gave rise</a> to <a href="https://threatpost.com/spearphishing-campaign-exploits-covid-19-to-spread-lokibot-infostealer/154432/" target="_blank" rel="noopener">pandemic-themed spear-phishing</a>, brute-force attacks on remote workers, and a focus on exploiting or abusing collaboration platforms.</p> <p>Plenty of others have observed the same: For example, in March, Kaspersky issued a <a href="https://securelist.com/covid-19-examining-the-threat-landscape-a-year-later/101154/" target="_blank" rel="noopener">report</a> finding that brute-force attacks (where attackers try random usernames and passwords against accounts) on <a href="https://threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/" target="_blank" rel="noopener">Remote Desktop Protocol (RDP) connections</a> ramped up globally, surging 197 percent from 93.1 million worldwide in February to 277.4 million in March.</p> <p>This year’s DBIR analyzed 5,258 breaches from 83 contributors in 88 countries: about a third more breaches than were <a href="https://threatpost.com/verizon-data-breach-report-dos-skyrockets-espionage-dips/155843/" target="_blank" rel="noopener">analyzed last year</a>. Phishing and ransomware attacks on remote workers were up 11 percent and 6 percent, respectively. Web applications meanwhile were targeted in 39 percent of breaches, reflecting the lickety-split uptake of cloud services as workers were suddenly ordered to go home and stay there.</p> <p><a href="https://threatpost.com/newsletter-sign/"><img loading="lazy" class="aligncenter wp-image-141989 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg" alt="" width="700" height="50"></a><br> As far as what motivated cyberattacks, there’s no surprise here: Just like in previous years, most threat actors were involved in financially motivated campaigns. As far as who’s doing the dirty work, threat actors categorized as organized crime were far and away the No.1 perpetrators.</p> <div id="attachment_166174" style="width: 510px" class="wp-caption aligncenter"><a href="https://media.threatpost.com/wp-content/uploads/sites/103/2021/05/13234440/Figure-15-1-e1620963939359.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-166174" loading="lazy" class="wp-image-166174 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/05/13234440/Figure-15-1-e1620963939359.png" alt="" width="500" height="283"></a><p id="caption-attachment-166174" class="wp-caption-text">Source: Verizon</p></div> <p>Credentials were again the top data variety they were after. The DBIR noted however that since 2015, state-sponsored actors have also been after <em>el dinero</em>: Over the past six years, these actors’ financial motives have fluctuated between 6 and 16 percent of recorded breaches. No surprise then that the two most common cybercrime terms found on criminal forums are related to bank accounts and credit cards.</p> <h2>It’s Been a Phishing Phreak Show</h2> <div id="attachment_166176" style="width: 310px" class="wp-caption alignright"><a href="https://media.threatpost.com/wp-content/uploads/sites/103/2021/05/13234448/Figure-17-e1620964125609.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-166176" loading="lazy" class="wp-image-166176 size-medium" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/05/13234448/Figure-17-300x182.png" alt="" width="300" height="182"></a><p id="caption-attachment-166176" class="wp-caption-text">A breakdown of most-used terms in underground forums. Click to enlarge. Source: Verizon.</p></div> <p>In last year’s report, DBIR forecast a possible increase in phishing, use of stolen credentials, ransomware and misconfiguration breaches. How did this (data-enriched) gut feeling pan out?</p> <p>Not so shabby, the 2021 DBIR concluded: Phishing is still one of the top breach varieties, just as it has been over the past two years. It’s gotten ambitious, though, or, to put it in DBIR-speak, phishing hasn’t been content just “to rest on its scaly laurels.”</p> <p>For instance, spear-phishers have jumped on the quarantined population to pump up the volume: Phishing frequency in the past year has played a part in 36 percent of breaches, up from 25 percent last year.</p> <p>“This increase correlates with our expectations given the initial rush in phishing and COVID-19-related phishing lures as the worldwide stay-at-home orders went into effect,” according to the DBIR. “Phishing is respo</p> <div id="attachment_166175" style="width: 179px" class="wp-caption alignright"><a href="https://media.threatpost.com/wp-content/uploads/sites/103/2021/05/13234444/Figure-16-e1620964016499.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-166175" loading="lazy" class="wp-image-166175 size-medium" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/05/13234444/Figure-16-169x300.png" alt="" width="169" height="300"></a><p id="caption-attachment-166175" class="wp-caption-text">Types of threat actors behind cyberattacks. Click to enlarge. Source: Verizon.</p></div> <p>nsible for the vast majority of breaches in this pattern, with cloud-based email servers being a target of choice.”</p> <p>James McQuiggan, security awareness advocate at KnowBe4, noted that phishing or other social-engineering campaigns have turned up as the initial attack vector for breaches for the past several years. It’s getting more sophisticated, to boot, he told Threatpost via email on Thursday.</p> <p>“Cybercriminals are evolving their social-engineering attacks through creative means,” he said. “Whether it’s a password reset to a social-media account, or having kits that can automatically insert the logo of the target company, or even <a href="https://threatpost.com/colonial-pays-5m/166147/" target="_blank" rel="noopener">misinformation about the gas shortage</a> and where to find gas, all have caused people to fall for the phishing lures of curiosity, fear or greed.”</p> <p>Martin McKeay, security researcher and editorial director at Akamai – which is one of the many partners that contribute data to the DBIR – told Threatpost on Thursday that it shouldn’t surprise anyone that Akamai agrees with Verizon that there’s been a ” a huge increase” in the number of phishing-based compromises during the pandemic. Akamai itself has analyzed the effect of the pandemic on <a href="https://blogs.akamai.com/sitr/2020/04/the-building-wave-of-internet-traffic.html" target="_blank" rel="noopener">traffic</a> and <a href="https://blogs.akamai.com/sitr/2021/02/nhs-vaccine-scams-criminals-still-targeting-covid-19-anxiety.html" target="_blank" rel="noopener">attack</a> patterns multiple times in the last year, he noted via email on Thursday. Akamai itself has released a <a href="https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-research-adapting-to-the-unpredictable-report-2021.pdf" target="_blank" rel="noopener">SOTI/research report on how it affected Akamai’s own systems</a>.</p> <h2>Credential Rip-Offs Held Steady</h2> <p>The typical point of phishing, of course, is to rip off credentials. Understandably enough, the DBIR crew expected to see a jump in the use of stolen credentials in breaches due to the pandemic-induced growth in the remote workforce. Was that a correct prediction? Turns out, not so much: In fact, the numbers of stolen credentials used in breaches have held steady at around 25 percent of breaches – though, as the team pointed out, that’s still a significant number.</p> <p> </p> <h2>Sharing Your Desktop With Cyber-Crooks</h2> <p>Tim Erlin, vice president of product management and strategy at Tripwire, pointed out what he called the “meaningful” growth in exploiting desktop-sharing as an attack vector in 2020. That’s a trend that organizations should pay attention to, he told Threatpost via email on Thursday.</p> <p>“If you’re going to use desktop-sharing applications, you should ensure you can accurately inventory their use, assess their configurations and identify vulnerabilities in them,” Erlin said.</p> <p><a href="https://media.threatpost.com/wp-content/uploads/sites/103/2021/05/13234454/Figure-22.png" target="_blank" rel="noopener"><img loading="lazy" class="aligncenter wp-image-166177 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/05/13234454/Figure-22.png" alt="" width="745" height="464"></a></p> <p>As far as targeted assets go, servers – specifically, web-application servers – dominated the field in terms of targeted assets. “If you’re going to focus your security controls on one type of asset, you’ll get the biggest bang for your buck with your web servers,” he said.</p> <h2>Yet More Bang for the Buck: Focusing on Old Bugs</h2> <p>Erlin said that it’s telling that the attackers continue to exploit older vulnerabilities, but that newer vulnerabilities are less of a problem. “If you’re responsible for vulnerability management in your organization, it’s worth examining how your prioritization tactics match up with the exploit data,” he suggested.</p> <p>“Misconfigurations make up the largest percentage of miscellaneous errors causing breaches. It might be more fun to spend resources on the latest AI-driven threat-hunting tool, but implementing configuration management and change detection will go a long way in maintaining the integrity of your digital assets,” Erlin said.</p> <p>Here are some more takeaways from this year’s DBIR:</p> <ul> <li style="font-weight: 400">85 percent of breaches involved a human element.</li> <li style="font-weight: 400">61 percent of breaches involved credentials.</li> <li style="font-weight: 400">13 percent of non-denial-of-service (non-DoS) incidents involved ransomware.</li> <li style="font-weight: 400">3 percent of breaches involved the exploitation of a vulnerability.</li> </ul> <p><b>Download our exclusive FREE Threatpost Insider eBook, </b><b><i>“</i></b><a href="https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&amp;utm_medium=ART&amp;utm_campaign=ART" target="_blank" rel="noopener"><b><i>2021: The Evolution of Ransomware</i></b></a><b><i>,”</i></b><b> to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and </b><a href="https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&amp;utm_medium=ART&amp;utm_campaign=ART" target="_blank" rel="noopener"><b>DOWNLOAD</b></a><b> the eBook now – on us!</b></p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Verizon: Pandemic Ushers in ⅓ More Cyber-Misery" data-url="https://threatpost.com/verizon-pandemic-cyber-misery/166168/" data-counters="no" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/breach/">Breach</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/hacks/">Hacks</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/malware-2/">Malware</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/most-recent-threatlists/">Most Recent ThreatLists</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/vulnerabilities/">Vulnerabilities</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/web-security/">Web Security</a></li> </ul> </div> </div> </footer> </div>