Known vulnerabilities, increased ransoms and BEC: emerging trends in cyber crime

Jason Oehley, regional sales manager, Arctic Wolf Networks.

Ransom demands are soaring and the number of cyber attacks is increasing both globally and in South Africa.

This is according to Arctic Wolf cyber security experts, who unpacked the highlights of the 2024 Arctic Wolf Labs Threat Report during a webinar held in partnership with ITWeb this week.

Jason Oehley, regional sales director at Arctic Wolf, said: “Cyber crime is growing exponentially in our region, and cyber criminals are always innovating. But the good news is that so are we.”

Bigger ransoms

Highlighting key trends and shifts in the market, Oehley said: “The median initial ransom demand rose 20% year-over-year to $600,000 in 2023. However, there are key industries where we have seen massive growth – for example, ransom demands averaging $900,000 in the finance and insurance sector – almost double what they were last year. The legal, government, retail and energy industries each saw median demands of $1 million or more.”

BEC

He said: “Business e-mail compromise (BEC) generates the second most revenue for threat actors and accounted for 29.7% of incident response cases last year. It is easy to execute, and BEC scams work. The five industries with the most Arctic Wolf incident response BEC investigations were finance and insurance, construction, education and nonprofits, manufacturing, and legal, government and healthcare.”

Oehley added that organisations don’t typically ask for help in the case of BEC. “These cases are often not investigated, and a lot of the time, will not result in an insurance claim,” he said.

Known vulnerabilities

Outlining the root causes of non-BEC incidents, Oehley said over 70% were due to external exposure. Only 3.4% of cases involved zero-day attacks, while 29% of non-BEC breaches took advantage of basic vulnerabilities, and 60% of those vulnerabilities were more than two years old. Credential reuse was behind 46.3% of non-BEC breaches.

Andre den Hond, senior systems engineer at Arctic Wolf South Africa, noted: “53% of incidents last year involved at least one of 10 specific vulnerabilities, with three of those 10 used in 25% of the intrusions. These were the MOVEit Transfer, ManageEngine and Microsoft Exchange vulnerabilities. Of the top 10 exploited vulnerabilities in 2023, only one was a zero-day vulnerability.”

He also highlighted the fact that NIST had published over 29 000 vulnerabilities in 2023 – another record-setting year. “5 180 of these were critical vulnerabilities and 11 650 were high vulnerabilities. This is a significant increase over the year before and I believe this increase could be related to open source code and code now being generated by AI,” den Hond said.

He outlined several of the top breaches of the past year, including the ransomware attack on MGM in the US, which caused over $100 million of lost revenue due to down time, and the leak of over 1.1 million patient records in an attack on the University of Manchester in the UK.

“In South Africa, the CIPC, part of the DTI, announced this year that it had been breached. This is quite scary because it houses all sensitive information for all companies – with usernames and passwords. It has far-reaching implications and the fallout and damages have yet to be determined,” he said. “If those directors use the same usernames and passwords on other accounts, they need to change those immediately. All financial directors are now potential targets for spear phishing attacks, because the attackers now have the information about them.”

Den Hond said threat actors preferred remote code execution (28%) and denial of service (28%) vulnerabilities over all other types, followed by information leak (17%), privilege escalation (16%) and authentication bypass (11%) vulnerabilities.

Mitigating risk

Arctic Wolf expected global elections to drive an increase in cyber risk this year, with ransomware and extortionware as a service a growing threat.

Den Hond said there was reason for optimism, however: “Core defences with a proactive approach work. Multifactor authentication is foundational to reducing risk, although it is still under-utilised. Security is a culture and user awareness training is critical. Vulnerability management is critical to patch holes in the perimeter, and security needs to be able to detect and respond to attacks and to operationalise this discipline. Organisations should also work to increase the costs to attackers and be prepared with an end-to-end incident response plan,” he said.

Oehley said: “South African organisations are starting to focus more on SOCs and 24/7 monitoring, and security standards are starting to be pushed to organisations. You need zero trust and proactive security management, because prevention is better than cure. Arctic Wolf has broad visibility and global intelligence which it provides back to every customer. We remove the requirement for highly skilled security resources by providing key intelligence and helping customers stay up to speed in terms of mitigating risk.”
