Cybercrime , Fraud Management & Cybercrime

Tracking Data Breaches: Targeting of Vulnerabilities Surges

Ransomware, Pretexting, Stolen Credentials Loom Large in Latest Verizon DBIR
Tracking Data Breaches: Targeting of Vulnerabilities Surges
Hackers are getting better and using zero days and known vulnerabilities to steal data. (Image: Shutterstock)

Data breach watchers are tracking a surge in hackers gaining initial access to a victim's network by exploiting critical vulnerabilities in widely deployed software and hardware.

See Also: How to Build Your Cyber Recovery Playbook

So says the 2024 Verizon Data Breach Investigations Report, based on 30,458 real-world security incidents, of which 10,626 were confirmed data breaches - a record high - and featuring victims located across 94 countries.

Reviewing incidents that took place between Nov. 1, 2022, and Oct. 31, 2023, the report ties numerous data breaches to:

  • Vulnerabilities: Exploiting zero-day and known bugs to gain initial access to a victim's network surged, in no small part due to the campaign targeting MOVEit.
  • Stolen credentials: Over the past 10 years, the use of stolen credentials has featured in 31% of all known breaches, and in the 2024 report it accounted for 77% of attacks against web applications.
  • Ransomware: About one-third of all breaches involved crypto-locking malware, while 9% involved data theft and extortion but no encryption.
  • Human element: About two-thirds of breaches traced to attackers targeting humans, rather than purely systems.
  • Error: Human error was a factor in 28% of breaches.
  • Third parties: Fifteen percent of breaches involved a third party or supply chain, including vulnerabilities in shared infrastructure or widely used software.

The latest version of the long-running annual report draws on data shared by a bevy of private cybersecurity and incident response organizations as well as the FBI's Internet Crime Complaint Center, the U.S. Secret Service and the Cybersecurity and Infrastructure Security Agency, Britain's Information Commissioner's Office and the National Crime Agency, numerous national computer emergency response teams and more.

What's changed from the 2023 report? For starters, researchers in the 2024 report charted a 180% increase in the successful targeting of zero-day or known flaws to gain initial access to a victim's network.

Some of that surge traces to the Clop ransomware group's rapid, mass exploitation of a zero-day flaw in Progress Software's MOVEit secure file transfer tool in late May 2023 (see: On the Increase: Zero-Days Being Exploited in the Wild).

That attack marked the fourth time Clop - aka Cl0p - ran a mass hacking campaign targeting a flaw in a file transfer tool. Which tool they might hit next, and if other groups will try to follow Clop's lead, remain open questions. "Even if they just concentrate on the file transfer vendors, they're going to get a big bang for their buck," said Suzanne Widup, a threat intelligence engineer at Verizon Business.

Verizon researchers in last year's report predicted this type of scenario would occur because of the Log4j vulnerabilities, but that didn't come to pass. Instead, "that anticipated worst case scenario discussed in the last report materialized this year with this lesser known - but widely deployed - product," they said.

More Pretexting, Less Phishing

Another change is a rise - now involving one-quarter of all financially motivated attacks - in the use of pretexting, which refers to "actors targeting users with existing email chains and context." The majority of successful pretexting attacks involve business email compromise, and victims report a median loss of $50,000 per transaction, Verizon said.

Pretexting appears to be displacing generic phishing attacks. "To me, that's good, because that means that they're having to work harder, because they wouldn't go to that kind of effort if a straight-up phish was working," Verizon's Widup told Information Security Media Group.

This has implications for training users - and with turnover, continuing to train new users - to recognize the latest tactics being used by attackers. "A suspicious user base is a better-protected user base, and that's really what you want," she said.

Data collected by Verizon from organizations that use phishing simulation as part of their security awareness programs shows a steady increase in the number of users who report such attacks, rising to 20% in 2023. But the number of users who click on the phishing email but also submit a report also rose, to 11%.

Another challenge remains the speed with which a successful phishing attack can unfold. "The median time for users to fall for phishing emails is less than 60 seconds," Verizon said.

Cloud Applications Under Fire

To penetrate corporate networks, hackers most often gained unauthorized access to a victim's web applications, including cloud-based email or collaboration tools, Verizon said. The next most common ways that attackers broke in involved phishing emails, followed by exploiting vulnerabilities in web applications, stealing credentials for desktop sharing software, and using stolen VPN credentials.

For the first time, Verizon's annual report counts software vulnerabilities - such as the widely exploited MOVEit bug - as a supply chain security metric. "We want to give organizations the ability to see what they can effect in their environment by choosing vendors who follow 'secure by design' practices," Widup said.

The Clop campaign targeting MOVEit was notable in part because it seemed to run for only two or three days. While vendor Progress Software quickly issued a patch, the latest count from security firm Emsisoft is that Clop's blitzkrieg tactics directly or indirectly affected 2,770 organizations and exposed data pertaining to 95 million individuals.

'Patch or Perish' Problems

The speed with which exploits are wielded remains a problem for many organizations - and not just with zero-day vulnerabilities.

Verizon said that based on sound risk management principles, most enterprises seek to install patches 30 to 60 days after they are published - and within 15 days for critical vulnerabilities of the type featured in CISA's Known Exploited Vulnerabilities Catalog.

"Sadly, this does not seem to keep pace with the growing speed of threat actor scanning and exploitation of vulnerabilities," Verizon said.

Attackers on average take just five days to start scanning for critical vulnerabilities - meaning they feature in the KEV catalog - and 68 days for other types of flaws. For defenders, Verizon "found that it takes around 55 days to remediate 50% of those critical vulnerabilities once their patches are available," and patch activity really starts to pick up around the 30-day mark. After 180 days, 20% of KEV catalog vulnerabilities remained unresolved, and 8% still persisted after 365 days.

These statistics were reported to Verizon by organizations "with resources to at least hire a vulnerability management vendor," meaning "they care about the risk and are taking measures to address it," the report says. But "the overall reality is much worse," given the dangerous blend of slower patching and ransomware groups in particular often targeting the latest, critical vulnerabilities because of the relative ease with which many such flaws can be exploited.

AI Homework Help

To what extent have artificial intelligence tools been affecting the threat landscape? Widup said that's not clear, except that they're likely being used by non-native language speakers to craft better phishing lures. "We wouldn't know that AI was used, because of course it's very hard to tell, and it's not something that the actors are disclosing," she said.

Beyond that, she questions the need for criminal uptake of AI, simply because "the tried-and-true" tactics continue to succeed, "and you don't have to jump through extra hoops if what you've got is working well."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.