Carding Forum
A sharp increase in business email compromise and ransomware threats.
The second quarter of 2024 was a period of intense cyberattack activity in which business email compromise (BEC) and ransomware were the main threats, according to the Cisco Talos Incident Response (Talos IR) quarterly report. Together these two attack types accounted for 60% of all recorded engagements.
Although the number of BEC cases fell compared to the previous quarter, BEC remains a significant threat. At the same time a small increase in ransomware cases was recorded; Mallox and Underground Team were observed for the first time, alongside the previously seen Black Basta and BlackSuit.
The main method of obtaining initial access was the use of compromised credentials, which accounted for 60% of cases, showing an increase of 25% compared to the previous quarter.
The technology sector was the most targeted, accounting for 24% of all incidents, followed by healthcare, pharmaceuticals and retail. Attacks on technology companies rose by 30%, which Talos attributes to the role these companies play in supporting and servicing many other industries, making them an attractive target for attackers.
There was also a slight increase in attacks on network devices, which accounted for 24% of cases. These attacks involved password guessing, vulnerability scanning and exploitation of known vulnerabilities.
BEC remains a persistent threat. Attackers compromise business email by sending phishing emails to harvest sensitive information such as credentials, and they often send fake financial requests asking the recipient to change payment details. In some cases SMS phishing ("smishing") was used, with fake messages sent to employees' personal mobile devices.
Ransomware accounted for 30% of all attacks, up 22% from the previous quarter. Mallox, Underground Team, Black Basta and BlackSuit attacks were recorded. In 80% of ransomware attacks, multi-factor authentication (MFA) was missing on mission-critical systems, making it easier for attackers to gain access.
In the Mallox attacks, the attackers infected and encrypted Microsoft SQL servers, with no evidence of data theft or lateral movement. Mallox is known for double extortion, which makes it particularly dangerous, even though no exfiltration was observed in these cases.
Underground Team, a new ransomware group, used SSH for lateral movement and re-enabled disabled Active Directory accounts to escalate privileges before encrypting mission-critical systems.
BlackSuit and Black Basta remained active, using compromised credentials to gain access and establish persistence in victim networks. These groups often rely on legitimate administrative tools (living off the land), which makes their activity hard to distinguish from normal operations.
There was also an increase in attacks on network devices, in which attackers exploited vulnerabilities such as CVE-2018-0296 and CVE-2020-3259 (both in Cisco ASA software) to gain unauthorized access to information.
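The re-enabled-account step described above is straightforward to catch if Windows Security log events are correlated. The following Python script is an added example (it is not code from the Talos report or from any of the groups named): it pairs event 4722 (a user account was enabled) with 4624 logons by the same account inside a time window and reports which hosts the account touched. The event records are constructed sample data, and the field names `time`, `id`, `target`, `actor`, `host` and `src_ip` are an assumed export format, not a Windows API.

```python
"""Flag accounts that were enabled (event 4722) and then logged on (event 4624)
within a short window, the 're-enable a dormant AD account' step described above.

Added example, not code from the Talos report. Events are assumed to have been
exported from the Security log as dicts with the hypothetical field names
time / id / target / actor / host / src_ip; SAMPLE_EVENTS is constructed data.
"""
from datetime import datetime, timedelta

EVT_ACCOUNT_ENABLED = 4722  # "A user account was enabled" (target = the account, actor = who did it)
EVT_LOGON = 4624            # "An account was successfully logged on"

SAMPLE_EVENTS = [
    # Constructed attacker pattern: a dormant service account is enabled by a
    # helpdesk account at 01:02 and logs on to two servers within minutes.
    {"time": "2024-06-10T01:02:00", "id": 4722, "target": "svc_backup", "actor": "helpdesk1", "host": "DC01"},
    {"time": "2024-06-10T01:05:30", "id": 4624, "target": "svc_backup", "host": "FS01", "src_ip": "10.0.5.23"},
    {"time": "2024-06-10T01:07:10", "id": 4624, "target": "svc_backup", "host": "SQL01", "src_ip": "10.0.5.23"},
    # Constructed benign case: a returning employee enabled by HR a week before first use.
    {"time": "2024-06-03T09:00:00", "id": 4722, "target": "jdoe", "actor": "hr_admin", "host": "DC01"},
    {"time": "2024-06-10T08:00:00", "id": 4624, "target": "jdoe", "host": "WS17", "src_ip": "10.0.7.2"},
    # Ordinary logon with no preceding enable event.
    {"time": "2024-06-10T08:30:00", "id": 4624, "target": "alice", "host": "WS02", "src_ip": "10.0.7.9"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_reenabled_then_used(events, window_minutes=1440):
    """Return one finding per 4722 event whose target account produced 4624
    logons within window_minutes after being enabled.

    multi_host is True when the account logged on to more than one machine,
    which is the lateral-movement signal to triage first; enabled_by is the
    account that performed the enable and is itself a likely compromised pivot.
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=_when)
    findings = []
    for enable in (e for e in ordered if e["id"] == EVT_ACCOUNT_ENABLED):
        t0 = _when(enable)
        logons = [
            e for e in ordered
            if e["id"] == EVT_LOGON
            and e["target"] == enable["target"]
            and t0 <= _when(e) <= t0 + window
        ]
        if not logons:
            continue
        hosts = sorted({e["host"] for e in logons})
        findings.append({
            "account": enable["target"],
            "enabled_by": enable["actor"],
            "enabled_at": enable["time"],
            "logon_count": len(logons),
            "hosts": hosts,
            "sources": sorted({e.get("src_ip", "?") for e in logons}),
            "multi_host": len(hosts) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in find_reenabled_then_used(SAMPLE_EVENTS):
        print(f"ALERT {f['account']} enabled by {f['enabled_by']} at {f['enabled_at']}, "
              f"{f['logon_count']} logons on {', '.join(f['hosts'])}"
              + (" [multiple hosts]" if f["multi_host"] else ""))
```

On a domain controller the 4722 events can be collected with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722}` (the event's Subject fields name the actor, its Target Account fields name the enabled account), and the 4624 events come from the member servers' Security logs. An enable of an account that has not logged on for months, followed within minutes by logons from one source address to several servers, matches the pattern described above and should be treated as an incident rather than a ticket.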
Compromised credentials remained the leading initial access method, up 25% on the previous quarter.
Security weaknesses such as vulnerable or misconfigured systems and the absence of MFA were the main factors contributing to successful attacks. In one engagement an outdated network switch was still in use in the victim environment, which increases the risk of both outages and compromise.
To mitigate these risks, the report recommends enforcing MFA on all mission-critical systems and keeping software and hardware up to date. It is also important to train employees to recognize phishing, and to apply access controls that act on the analysis of risky login attempts (for example, blocking or challenging a source that has just produced a burst of authentication failures).
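As an added example serving both the password guessing against network devices mentioned earlier and the recommendation to act on risky login attempts, the following Python script (not from the Talos report) parses OpenSSH-style syslog lines, classifies each source address as brute force, password spray or normal, and flags any successful login that follows a burst of failures from the same address. The log lines, the host name `edge-rtr1`, the user names and the addresses are all constructed for illustration.

```python
"""Risk-based review of authentication attempts against a network device.

Added example, not from the Talos report. It classifies each source address
as brute force, password spray or normal, and flags successful logins that
follow a burst of failures from the same address so they can be blocked or
challenged with MFA. SAMPLE_AUTH_LOG is constructed in OpenSSH sshd syslog
format; the host, user names and addresses are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_AUTH_LOG = """\
Jun 12 03:14:01 edge-rtr1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51202 ssh2
Jun 12 03:14:03 edge-rtr1 sshd[2212]: Failed password for admin from 203.0.113.7 port 51203 ssh2
Jun 12 03:14:05 edge-rtr1 sshd[2213]: Failed password for admin from 203.0.113.7 port 51204 ssh2
Jun 12 03:14:07 edge-rtr1 sshd[2214]: Failed password for admin from 203.0.113.7 port 51205 ssh2
Jun 12 03:14:09 edge-rtr1 sshd[2215]: Failed password for admin from 203.0.113.7 port 51206 ssh2
Jun 12 03:14:11 edge-rtr1 sshd[2216]: Failed password for admin from 203.0.113.7 port 51207 ssh2
Jun 12 03:14:15 edge-rtr1 sshd[2218]: Accepted password for admin from 203.0.113.7 port 51209 ssh2
Jun 12 03:20:00 edge-rtr1 sshd[2300]: Failed password for invalid user cisco from 198.51.100.4 port 40001 ssh2
Jun 12 03:20:01 edge-rtr1 sshd[2301]: Failed password for invalid user oracle from 198.51.100.4 port 40002 ssh2
Jun 12 03:20:02 edge-rtr1 sshd[2302]: Failed password for operator from 198.51.100.4 port 40003 ssh2
Jun 12 03:20:03 edge-rtr1 sshd[2303]: Failed password for invalid user test from 198.51.100.4 port 40004 ssh2
Jun 12 03:20:04 edge-rtr1 sshd[2304]: Failed password for invalid user guest from 198.51.100.4 port 40005 ssh2
Jun 12 09:00:00 edge-rtr1 sshd[2500]: Accepted publickey for netops from 10.0.0.12 port 55000 ssh2
Jun 12 09:05:00 edge-rtr1 sshd[2501]: Failed password for netops from 10.0.0.12 port 55001 ssh2
Jun 12 09:05:05 edge-rtr1 sshd[2502]: Accepted password for netops from 10.0.0.12 port 55002 ssh2
"""


def parse_line(line):
    """Return a dict for an sshd Accepted/Failed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # because only differences between timestamps within one log are used.
    rec["time"] = datetime.strptime(rec.pop("ts"), "%b %d %H:%M:%S")
    rec["success"] = rec.pop("result") == "Accepted"
    return rec


def analyse_auth_log(lines, fail_threshold=5, spray_users=4,
                     risky_prior_failures=3, risky_window=timedelta(minutes=10)):
    """Summarise per-source behaviour and list successful logins that look risky."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["time"])
    per_ip = defaultdict(lambda: {"failures": 0, "successes": 0, "users": set()})
    recent_failures = defaultdict(list)   # ip -> timestamps of failed attempts
    risky_logins = []
    for e in events:
        stats = per_ip[e["ip"]]
        if e["success"]:
            stats["successes"] += 1
            # A success preceded by a burst of failures from the same address is
            # the 'guessed it' signal: challenge with MFA or cut the session.
            prior = [t for t in recent_failures[e["ip"]] if e["time"] - t <= risky_window]
            if len(prior) >= risky_prior_failures:
                risky_logins.append({
                    "user": e["user"], "ip": e["ip"], "method": e["method"],
                    "time": e["time"].strftime("%b %d %H:%M:%S"),
                    "prior_failures": len(prior),
                    "action": "require MFA / terminate session and investigate",
                })
        else:
            stats["failures"] += 1
            stats["users"].add(e["user"])
            recent_failures[e["ip"]].append(e["time"])

    sources = {}
    for ip, s in per_ip.items():
        if s["failures"] >= fail_threshold and len(s["users"]) >= spray_users:
            verdict = "password spray"      # many users from one source
        elif s["failures"] >= fail_threshold:
            verdict = "brute force"         # one or few users, many tries
        else:
            verdict = "normal"
        sources[ip] = {
            "failures": s["failures"], "successes": s["successes"],
            "users": sorted(s["users"]), "verdict": verdict,
            "action": "block source" if verdict != "normal" else "none",
        }
    return {"sources": sources, "risky_logins": risky_logins}


if __name__ == "__main__":
    report = analyse_auth_log(SAMPLE_AUTH_LOG.splitlines())
    for ip, s in report["sources"].items():
        print(f"{ip:15} {s['verdict']:15} failures={s['failures']} users={s['users']} -> {s['action']}")
    for r in report["risky_logins"]:
        print(f"RISKY LOGIN {r['user']}@{r['ip']} at {r['time']} after {r['prior_failures']} failures -> {r['action']}")
```

The same burst-then-success check keyed on the user name instead of the source address catches guessing spread across many addresses, and the thresholds should be tuned to the device's normal operator behaviour (a single mistyped password followed by a success, as with `netops` above, is not flagged). The verdicts map directly onto the recommended control: block or rate-limit the guessing sources at the perimeter, and require MFA for any account whose success followed a burst of failures.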
Source