The release of the 2022 Falcon OverWatch Threat Hunting Report from CrowdStrike has revealed the recent trends in cyber crime from July 2021 to June 2022. According to the report, the number of cyber crime campaigns has increased by 50% with financial crime accounting for 43% of all attacks.
According to CrowdStrike’s analysis cyber crime over the last 12 months can be categorised into:
eCrime (43%), performed by financially motivated attackers,
Targeted (18%), which are specifically destructive attacks that include espionage,
Hacktivist (1%), which is cause-driven to gain publicity for a movement, and
Unattributed (38%), where data to categorise the attacks is not sufficient.
While the proportions of attack types, such as targeted victims vs financially motivated attackers, remain incredibly similar between 2021 and 2022, the total number of attack campaigns have increased by 50% in this one year.
The top 3 industries most targeted by cyber crime remain the same in 2022 as they were in 2021, with technology companies in first place, followed by telecommunications organisations in second place, then manufacturing in third. Interestingly, the academic and healthcare sectors have been targeted more than the financial sector this year, which is a change from 2021. Retail, the government, pharmaceutical companies and the media are all also rated in the top 10 industries targeted globally. However, the industry breakdown changes when specific types of attacks are considered. For eCrime, technology is still the most targeted sector, making up 21% of attacks, however telecommunications do not appear in the top 5 industries targeted by eCrime. Telecommunications instead make up 37% of targeted intrusions, where technology takes second place, representing 14% of these types of attacks.
Most attacks used stolen credentials rather than malware to gain network access.
Of all the threats detected by OverWatch between July 2021 and June 2022, 71% were found to be malware-free, which reflects a continued trend away from the use of malware in attacks. The most common forms of attack instead take advantage of valid accounts, in cases of stolen credentials being used to access environments. This emphasises the need for individuals and organisations to enforce strict policies when it comes to the creation, use, and removal of user accounts. Multi-factor authentication (MFA) should be used as a standard on all user accounts with any privilege level to reduce the impact of credential harvesting by malicious actors. Highly privileged administrator accounts should only be used when necessary for a task, and not for other daily work activities.
Exploit of public-facing applications, command and scripting interpreters, Windows command shell, and remote desktop protocol are all also highly exploited areas for initial access, execution, persistence, privilege escalation, and lateral movement. The speed in which attackers can utilise these steps and move through a victim’s environment is recorded as being an average of 1 hour 24 minutes. In 30% of cases, lateral movement by attackers within victim environments was possible in just 30 minutes. Segregation of networks and other environments can help organisations prevent the movement of criminals from one host to another, thereby reducing the area of compromise. The principle of least privilege where users have access to just enough of the network to do their job and no more should also be used for further protection.
The number of zero-days and disclosed CVEs has continued to rise this year, and exploits have been discovered in the wild increasingly soon after initial disclosure. Although patching is very often the immediate result for vulnerabilities, CrowdStrike claim that many legacy vulnerabilities remain unpatched due to a continuous cycle of newly discovered vulnerabilities needing short term fixes, so there is not an opportunity to apply long term solutions. By the start of June 2022, over 10,000 new vulnerabilities had been reported, which is approximately half the total reported number for all of 2021. It is therefore very likely that the trend of an increasing number of vulnerabilities reported compared to any previous year will continue in the latter half of 2022.
Over the 12-month period covered in this report, attacks in cloud-based environments have increased. Two examples found in this research were attacks on Amazon Web Services (AWS) in Q4 of 2021 and Microsoft 365 Azure environments in Q1 of 2022. OverWatch suggest that as cloud workloads increase, criminals will continue to increasingly target these environments, for “intellectual property theft, data extortion, ransomware or simple destruction”. If this trend continues, then the future of cyber crime will be found in the cloud, and as a threat hunting company, they are also targeting their future resources to identifying these cloud-based threats.
Organisations can take steps to protect their cloud environments now to prevent future threats. Account hardening introduces tighter controls and allows for the organisation to manage access to cloud environments more securely. MFA should always be used when accessing cloud services, for accounts with any privilege levels including basic user accounts. Whatever access controls are put in place should be monitored regularly to ensure they are fit for purpose and continue to provide a sufficient level of protection. Organisations should also be proactive in their security, and not assume that the default security settings put in place by cloud service providers are suitable for their business needs. Instead, the available security controls should be investigated, and the most appropriate set up for the organisation should be implemented.