Expel Quarterly Threat Report Q3: Top 5 takeaways

· 3 MIN READ · BEN BRIGIDA · NOV 16, 2022 · TAGS: Cloud security / MDR / Tech tools

Hi, and welcome–it’s Quarterly Threat Report (QTR) time.

Our security operations center (SOC) sees hundreds of alerts each day, and the QTR series (this is the third installment) provides data and insight on what they are, how they work, how to spot them, what to do if you find them, as well as advice you can use to safeguard your organization.

The findings draw on our investigations into alerts, email submissions, and threat hunting leads from July 1 to September 30, 2022. We analyzed incidents across our customer base, spanning organizations of various shapes, sizes, and industries, and in the process, we distilled patterns and trends to help guide strategic decision-making and operational processes for your team. We employed a combination of time series analysis, statistics, customer input, and analyst instinct to identify key insights.

Our goal: by sharing how attackers got in (or tried to) and how we stopped them, we’ll translate our experiences into security strategies your organization can put into play today.

Here are our top findings for the quarter.

1: Identity is still the new endpoint, and it shows no signs of slowing down.

Identity-based attacks, which include credential theft, credential abuse, and long-term access key theft, accounted for nearly 60% of all incidents our SOC fielded in Q3. This is up three percentage points compared to Q2.

Business email compromise (BEC–unauthorized access into email apps) and business application compromise (BAC–unauthorized access into application data) combined for 55% of all incidents, an increase of four percentage points from Q2. Identity-based attacks in popular cloud environments like Amazon Web Services (AWS) decreased slightly (by two percentage points, for 3% of the total).

An interesting data point: 100% of BEC incidents occurred in Microsoft 365 (formerly Office 365) for the second quarter in a row. (We’re pretty sure this is the result of attackers preparing for Microsoft’s long-awaited disabling of Basic Auth for Exchange Online, which went into effect on October 1.)

2: Users increasingly let attackers in by approving fraudulent MFA pushes for BAC.

Only about half the BAC incidents our SOC encountered resulted in the attacker successfully accessing the account. The other half was stopped by multi-factor authentication (MFA) or conditional access policies.

The frustrating part is that MFA and conditional access were configured for more than 80% of the cases where the attackers were successful. Ideally, none of these hacks should have succeeded. However, the attacker tricked legitimate users into satisfying the MFA request by hitting them with a barrage of MFA requests, and eventually they accepted one. This number is up dramatically from last quarter, when only 14% of successful compromises came from repeated push notifications.

The takeaway? To stop MFA push notification fatigue attacks, organizations can disable them in favor of a PIN of a Fast Identity Online (FIDO) compliant solution. If that’s unrealistic, control push notifications using number matching—a setting that requires the user to enter numbers from the identity platform into their MFA app to approve the authentication request.

3: Attackers use IPs geolocated in the U.S. when targeting U.S.-based organizations.

If you’re in the U.S. and think you only need to closely monitor for IPs outside the country attempting to access your environment…here’s your wake-up call. Almost half of the BEC attempts and successful BEC compromises we see originate from U.S.-based IP addresses.

Also, all the authentication attempts originating from the U.S. came from an IP associated with a VPN or hosting provider. This tactic increases a hacker’s chances of bypassing conditional access policies for source countries that either force the user into an MFA challenge or even flat out block the login. If attackers gain access to the account by harvesting user credentials instead of brute force or another method, they can also harvest the user’s IP (and therefore geolocation). For authentications, it’s vital to have alerting based on the IP organization as well as VPN enrichment services.

4: Ransomware threat groups and their affiliates have abandoned visual basic for application (VBA) macros and Excel 4.0 macros in favor of zipped Javascript or ISO files to infiltrate Windows-based environments.

The top attack vectors used by ransomware groups to gain initial entry in Q3 were:

  1. Zipped JavaScript files (46% all pre-ransomware incidents)
  2. Zipped ISO files (26%)
  3. Removable media (10%)
  4. Excel 4.0 macros (8%)

In Q2, our SOC noted the trend of threat actors using zipped JavaScript and ISO files to deliver malware to gain initial access. Way back in Q1 (when Microsoft announced its plans to disable Excel 4.0 macros by default in Q3), a macro-enabled Microsoft Word document (VBA macro) or Excel 4.0 macro was the initial attack vector in 55% of all pre-ransomware incidents.

5: The top subject line theme for malicious emails was…no subject line at all (followed by “Invoice,” “Order confirmation,” “Payment,” and “Request”).

Sneaky, cheeky hackers. While the specific wording may change, our data shows that threat actors love a good theme when it comes to subject lines. The top malicious theme? No subject line. Nada. Blank. The rest are what you’d expect—invoice, order, payment, urgent, etc.

These high spots are just what a foodie would call an “amuse-bouche. There’s so much more (including a fun mystery that we’re working to unravel), and odds are pretty good the full QTR offers some insights and advice your team can make use of.

Download yours here, and if you have questions or comments, drop us a line.