1-877-297-7816

Contact Sales

System Intrusion

2023

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Submit View only

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

Summary

This pattern largely pertains to attacks perpetrated by more dedicated criminals who utilize their expertise in hacking and ready access to malware to breach and/or impact organizations of different sizes, frequently leveraging Ransomware as their means of getting a payday.

What is the same?

Ransomware continues to dominate this pattern as attackers leverage a bevy of different techniques to compromise an organization.

Frequency		3,966 incidents, 1,944 with confirmed data disclosure
Threat actors		External (96%), Internal (4%), Multiple (2%), Partner (1%) (breaches)
Actor motives		Financial (97%), Espionage (3%) (breaches)
Data compromised		Other (42%), Personal (34%), System (31%), Internal (24%) (breaches)

This is mine, and this is mine …

Imagine strolling into your office one morning only to discover an alarming desktop image from some criminal group with a cringeworthy name requesting Bitcoin (BTC) in exchange for the return of all your data. Hopefully, being the avid DBIR reader you are, you would have recent and well-tested backups to restore from. However, what if these criminals do not stop at only encrypting your data but also threaten to leak portions of your more sensitive information unless paid? Oftentimes it appears that no matter how fast our defenses and practices evolve, attackers adapt theirs just as quickly. This creates a perpetual arms race, and nowhere is it better represented than in the System Intrusion pattern.

We frequently think of the threat actors in this pattern as the “hands on keyboard” type of attackers. While they might leverage automation to gain a foothold, once they are inside the organization, they utilize finely honed skills to bypass controls and achieve their goals. As Figure 28 illustrates, this commonly includes Ransomware. They use a variety of tools to traverse your environment and then pivot, including using phishing and stolen credentials to obtain access and adding backdoors to maintain that access and leverage vulnerabilities to move laterally. We can see these attacks more clearly when we break them into three smaller, more consumable portions. Namely, the initial access phase, the breach escalation and the results. Figure 27 has a breakdown of the Action-Asset combinations that we see during different steps of the attack.

Relevant ATT&CK techniques

Jiggling locks

When looking at Figure 27, we see the clear leaders for the initial access—a great deal of hacking servers and an almost equal amount of unknown actions. In terms of hacking, 9% of incidents involve Exploiting vulnerabilities and 8% involve the Use of stolen credentials. When we examine only our incidents that contain the exploitation of vulnerabilities, we find those vulnerabilities are largely exploited via Web applications (Figure 29).

In addition, we see some User devices being directly targeted, and we also observe Phishing in roughly 6% of cases. Phishing provides just another means of ingress, either to get a set of usable credentials or to deploy a payload on a user system. Malware is largely distributed via email and often comes in the form of Microsoft Office documents (see Figure 30). This makes sense when you consider that most of these documents now have the ability to run code on the client system, which is extremely useful if you’re an attacker.

Admittedly, there are many cases in which we do not know the exact means of entry the attacker used. However, these pathways of Exploiting vulnerabilities, using stolen credentials and Phishing are very similar to previous years’ findings, and let’s face it, they are straight out of InfoSec 101. This again demonstrates the importance of the fundamentals.

Well, that escalated quickly.

Once attackers have access to your environment, they will typically look for ways to escalate privileges, maintain persistence and locate paths to move across the organization to achieve their ultimate goal, whatever that may be. For those ATT&CK aficionados out there, you may be thinking this sounds like we’re talking about a big chunk of that matrix. Well, we are. While we have a higher view of the incidents, we do not always have the telemetry required to find out exactly what techniques were used. However, below we discuss some of the additional hacking techniques and malware capabilities that we can track.

Malware that maintains command and control (C2) access to the system was witnessed in about 5% of incidents. Also present are the more typical types of malware that profile hosts, scan networks and (a local favorite) dump passwords. Lastly, just in case you thought the 2010s were behind us, we even found a handful of crypto miners in this dataset. There were not enough for us to confirm that they are back en vogue, but definitely enough to confirm that certain parties still consider compromised servers as free real-estate from which to mine.

Results

With such a high reliance upon the installation of malware across this pattern (either in the form of Ransomware, backdoors or payment card skimming malware) we shouldn’t be too surprised when we find servers that have illicit software installed as the most common combination of Attribute and Asset. The second most common is the exfiltration of data, and rounding out the trio is the loss of availability, aka rendering your data unreadable. These top three describe the final steps associated with many of these attacks quite well—attackers find a way to install their payload across the organization, steal data and then encrypt the systems on their way out.

Ransomware … seriously, we’re still doing this section?

Ransomware continues to be a major threat for organizations of all sizes and industries and is present in 24% of breaches. Of those cases, 94% fall within System Intrusion. While Ransomware has increased only slightly this year, it is so ubiquitous that it may simply be a threat that we will always have to protect against—91% of our industries have Ransomware as one of their top three actions.

To understand how these attacks occur, it is often useful to look at the top Vectors for the actions. In this case, the most common ways in are Email, Desktop sharing software and Web applications (Figure 31). Email as a vector isn’t going away any time soon. The convenience of sending your malware and having the user run it for you makes this technique timeless. The next most common vector, Desktop sharing software, makes sense, since these breaches and incidents frequently leverage some means of accessing a system. What better way to do that than by using a built-in tool such as RDP or a third-party version to provide the criminal mastermind a nice GUI?

Splitting the Log4j

As we DBIR authors groggily awoke from our hyperbolic slumber to start collecting and writing about all the major happenings in the cybersecurity world, we saw yet another major cybersecurity event had slowly played out after the cutoff of our data collection. This occurred first in 2020, with SolarWinds,³¹ and history has repeated itself in 2021 with Log4j,³² opening what seems to be a Pandora’s box of vulnerabilities. However, there is one advantage to waiting—we get to watch as the dust settles and provide an objective analysis as to what actually occurred. There was a great deal of uncertainty and complexity surrounding the incidents involving the Log4j vulnerability. One of which was the fact that no one really understood the full scope of the breach as it was not simply in one software product but was actually in a library used by numerous applications and programs (both purchased and open sourced.)

A quick recap of the event is perhaps warranted to refresh everyone’s memory. The vulnerability was disclosed in late November 2021, and within a few days the first exploitations began to appear. The vulnerability, given the designation of CVE-2021- 44228, was given a whopping criticality score of 10.³³ By the end of December, 0.003% of the scanning activity captured by honeypots were actively poking and prodding for this specific vulnerability. While that number might seem small, the velocity was rather striking, with more than 32% of all Log4j scanning activity over the course of the year happening within 30 days of its release (the biggest spike of activity occurred within 17 days, as Figure 32 shows). This velocity is an interesting comparison versus organizations’ median time to patch, which is currently 49 days for critical vulnerabilities, a number that has stayed relatively consistent over the years.

However, it may not have been as big of a disaster as many predicted. When examining the DBIR incident dataset, we actually saw a decrease, we actually saw a decrease of vulnerability exploitation leading to incidents and breaches, with Log4j being mentioned in 0.4% of our incidents (just under a hundred cases). However, when examining these cases, we found that Log4j was used by a variety of actors to achieve an assortment of different objectives, with 73% of our cases involving Espionage and 26% involving Organized crime. Given the nature of the vulnerability, allowing remote code execution, we predictably saw a lot of malware activity associated with it, such as Backdoors and Downloaders to pull in additional hosts. Finally, in about 26% of the cases, we saw the exploit of Log4j being leveraged as part of Ransomware attacks, which only goes to show that attackers will leverage whatever beachhead they can get.

Based on some of the vulnerability scanning data we analyzed (as in the good folks scanning for vulnerabilities, not the bad ones) we found that vulnerable Log4j showed up in 8% of organizations. And in other somewhat surprising news, we also found that there was a greater percentage of Log4j installations that were end of life (EOL) with 14% of organizations, even if they weren’t actually vulnerable to Log4j explicitly. Lastly, 22% of the organizations had multiple (i.e., more than one) instances of the Log4j vulnerability in their systems.

This underlying vulnerability in a dependency has brought back the discussion around having a software bill of materials (SBOM). You may think that SBOM is a term kids are throwing around in between their “no caps” and “bussin,” but its goal is to help organizations understand all the ingredients (software packages and libraries) that go into making the software their organization relies upon. Having a mature SBOM process across their ecosystem enables organizations to quickly identify vulnerabilities within the underlying libraries and help with future remediation processes for something like Log4j.

CIS Controls for consideration

Bearing in mind the breadth of activity found within this pattern and how actors leverage a wide collection of techniques and tactics, there are a lot of safeguards that organizations should consider implementing. A small subset—including the CIS Control Number—is below, which should serve as a starting point for building out your own risk assessments to determine what controls are appropriate to your organization’s risk profile.

Protecting devices

Secure Configuration of Enterprise Assets and Software [4]
– Establish and Maintain a Secure Configuration Process [4.1]
– Establish and Maintain a Secure Configuration Process for Network Infrastructure [4.2]
– Implement and Manage a Firewall on Servers [4.4]
– Implement and Manage a Firewall on End-User Devices [4.5]

Email and Web Browser Protection [9]
– Use DNS Filtering Services [9.2]

Malware Defenses [10]
– Deploy and Maintain Anti-Malware Software [10.1]
– Configure Automatic Anti-Malware Signature Updates [10.2]

Continuous Vulnerability Management [7]
– Establish and Maintain a Vulnerability Management Process [7.1]
– Establish and Maintain a Remediation Process [7.2]

Data Recovery [11]
– Establish and Maintain a Data Recovery Process [11.1]
– Perform Automated Backups [11.2]
– Protect Recovery Data [11.3]
– Establish and Maintain an Isolated Instance of Recovery Data [11.4]

Protecting accounts

Account Management [5]
– Establish and Maintain an Inventory of Accounts [5.1]
– Disable Dormant Accounts [5.3]

Access Control Management [6]
– Establish an Access Granting/ Revoking Protocol [6.1]
– Require MFA for Externally- Exposed Applications [6.3]
– Require MFA for Remote Network Access [6.4]

Security awareness programs

Security Awareness and Skills Training [14]

Just one more (Ransomware) note

Since we are hot on the subject of ransomware, we thought it would be interesting to revisit the breach impact data provided by our partner, the FBI Internet Crime Complaint Center (IC3).³⁴

When we last reviewed this data in the 2021 DBIR, we found that 90% of the incidents reported to the IC3 had no financial loss result, but for the remaining 10%, the median amount lost was $11,500, and the range of losses in 95% of the cases were between $70 and $1.2 million.

In reviewing Figure 33, of the incidents with loss, the calculated median more than doubled to $26,000, and the 95% range of losses expanded to sit between $1 and $2.25 million, putting that upper bound in scarier territory if you are a small business. The FBI did find that only 7% of the incidents had losses in this case, so it’s not all bad news.

Now, before any one of you makes a snarky quip about inflation and the base rate of the economy, here is the unusual part: When combining the paid-out transactions to the threat actors on the same time period, we get a much smaller median—$10,000 (Figure 34), and this median is actually less than the two previous years when the DBIR team has had access to this dataset.

What this suggests is that the overall costs of recovering from a ransomware incident are increasing³⁵ even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down. Even though the amounts requested by the threat actors would be smaller for those smaller companies—they want to get any money they can—the added costs of recovering their IT infrastructure under a backdrop of likely technical debt would spike their overall losses.

This is conjecture, as we don’t have the company size data and not all complaints have the associated transaction value data in this specific dataset. Even so, this is a result we have been expecting to see due to the increase of automation and efficiency of ransomware operators. Regardless, it’s fair to say that an ounce of prevention is worth a pound of cure,³⁶ so we cannot emphasize enough the need of having a plan and/or incident response resources at the ready ahead of your next unscheduled encryption event.

³¹ https://www.cisa.gov/news-events/news/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network

³² https://www.cisa.gov/news-events/news/cisa-issues-emergency-directive-requiring-federal-agencies-mitigate-apache-log4j

³³ Though insiders have indicated that it could have gone up to 11.

³⁴ https://www.ic3.gov

³⁵ Feel free to make that inflation joke now.

³⁶ This sentence was famously said by a man who flew a kite with a key in a thunderstorm. Makes you think.