Security operations · 2 MIN READ · AARON WALTON AND BEN BRIGIDA · AUG 29, 2023 · TAGS: MDR
Threat actors constantly innovate to stay ahead of defenders. Here are the latest trends we’re seeing.
When cyberattackers find something that works, they keep doing it until it doesn’t work anymore—then they move onto something new.
That “until it doesn’t work anymore” part is, of course, the cyberdefense community in action. We’re very good at diagnosing criminal activity and putting an end to it (or at least making it so hard that it’s no longer worth the effort). Then the cycle starts anew.
Which brings us to our Q2 2023 Quarterly Threat Report (QTR). From our perspective, it’s interesting to watch attack trends rise and fall. Sometimes our annual report (Great eXpeltations) and QTRs reveals attackers are sticking to the tried and true. And then, because defenders have adapted, the threat landscape changes significantly. The innovators on the other side have been prepping and introducing new tactics and all of a sudden our security operations centers (SOCs) begin seeing the next set of attack trends.
The Q2 report is one of those moments.
1: Phishing strategies have evolved.
Now that Microsoft has disabled legacy protocols, attackers are instead focusing on session cookie theft via adversary-in-the-middle (AiTM) attacks. Notably, AiTM (a relatively new tactic) tripled, accounting for 15% of all phishing attacks we identified in Q2.\
This fresh approach to phishing (a long-time scourge of SOCs everywhere) is more sophisticated, but the good news is that there are effective defenses your organization can bring to bear immediately.
2: Our SOC saw an increase in the use of commodity malware in Q2.
Your organization is statistically likely to employ one or more as-a-service offerings. The reason is simple: they provide significant value and minimize investment costs and hassle.
Criminals understand the value of the model, as well, which is why cybercrime-as-a-service (CaaS) grows more popular by the minute. CaaS lets people with limited technical expertise purchase tools, resources, services, and expertise, and this commodification of cybercrime lowers the entry barrier for criminals.
Commodity malware is annoyingly effective, and it dramatically increases the pool of potential attackers (as well as the sheer volume of attacks) because you no longer have to be a sophisticated developer to have sophisticated tools.
3: Server-side exploit incidents doubled in Q2 thanks to attackers targeting both new and old vulnerabilities (aka what was old is new again).
Just because a vulnerability isn’t new, that doesn’t mean it isn’t trouble. The MOVEit Transfer zero-day exploit—which is very new—topped our list for Q2. But here’s the rude awakening: #2 was the WinVerifyTrust Signature Validation vulnerability, which is 10 years old.
Yep. 2013. The top movies were Iron Man 3, The Hunger Games: Catching Fire, and Despicable Me 2. Barack Obama was inaugurated for his second term. Jason Isbell released his iconic Southeastern. House of Cards, Orange is the New Black, and Peaky Blinders debuted.
The number of vulnerabilities loose in the wild is staggering, and there are more all the time—26,000+ new ones turned up last year alone (with 11+% of all vulnerabilities having a Common Vulnerability Scoring System critical score). And more than 70% of SOCs have a hard time knowing which ones to tackle first.
Vulnerability prioritization is an idea whose time has come.
The Q2 QTR is available now, and it features details on these happenings and a lot more—including on-point advice for protecting your org. Download it, give it a read, and if you’d like to talk more about safe, guarding your business, drop us a line.
