Business Email Compromise Doubles in 2022, Overtaking Ransomware As Cybercrime Tactic of Choice
Secureworks' Incident Response report highlights leading causes of real-world security incidents – showing it's “less ChatGPT, more Chad in IT”
ATLANTA, Ga. March 16 2023: With talk of advanced AI-driven threats dominating the cybersecurity industry, new research by the Secureworks® Counter Threat Unit™ (CTU) has revealed that most real-world security incidents have more humble beginnings – highlighting a need for businesses to focus on cyber hygiene to bolster their network defences.
Between January and December 2022, Secureworks helped contain and remediate over 500 real-world security incidents. The data from these incidents was analyzed by Secureworks CTU researchers to establish trends and emerging threats. Key findings include:
- The number of incidents involving business email compromise (BEC) has doubled, replacing ransomware as the most common type of financially motivated cyber threat to organizations.
- The growth in BEC was linked to a surge in successful phishing campaigns, accounting for 33% of incidents where the initial access vector (IAV) could be established, a near three-fold increase compared to 2021 (13%).
- An equally popular entry point for attackers – both nation state and cybercriminal – was to exploit vulnerabilities in internet-facing systems, representing a third of incidents where IAV could be established. Typically, threat actors did not need to use zero-day vulnerabilities, instead relying on publicly disclosed vulnerabilities – such as ProxyLogon, ProxyShell and Log4Shell – to target unpatched machines.
- Ransomware incidents fell by 57%, but remain a core threat. This reduction could be due as much to a change in tactics as it is to a reduction in the level of the threat following increased law enforcement activity around high-profile attacks, like Colonial Pipeline and Kaseya. Equally, gangs may be targeting smaller organizations, which are less likely to engage with incident responders (meaning they would fall outside the scope of this report).
“Business email compromise requires little to no technical skill but can be extremely lucrative. Attackers can simultaneously phish multiple organizations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models,” comments Mike McLellan, Director of Intelligence at Secureworks.
“Let's be clear, cybercriminals are opportunistic -- not targeted. Attackers are still going around the parking lot and seeing which doors are unlocked. Bulk scanners will quickly show an attacker which machines are not patched. If your internet-facing applications aren't secured, you're giving them the keys to the kingdom. Once they are in, the clock starts ticking to stop an attacker turning that intrusion to their advantage. Already in 2023, we've seen several high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging,” McLellan continued.
Hostile state-sponsored activity increased to 9% of incidents analyzed, up from 6% in 2021. An overwhelming majority of which – 90% – were attributed to threat actors affiliated with China.
Financially motivated attacks accounted for most of the incidents investigated outside of state-sponsored activity, representing 79% of the total sample, which is lower than previous years. This could potentially be connected to the Russia / Ukraine conflict disturbing cybercrime supply chains. For instance, the leak of files connected to the Conti ransomware group took the group months to reconfigure and recover from, which could have influenced ransomware's overall decline.
“Government-sponsored threat actors have a different purpose to those who are financially motivated, but the tools and techniques they use are often the same. For instance, Chinese threat actors were detected deploying ransomware as a smokescreen for espionage. The intent is different, but the ransomware itself isn't. The same is true for the initial access vector (IAVs); it's all about getting a foot in the door in the quickest and easiest way possible, no matter which group you belong to,” continues McLellan.
“Once a state-sponsored actor is through that door, they are very hard to detect and even harder to evict. As states such as China, Russia, Iran, and North Korea continue to use cyber to advance the economic and political goals of their countries, it is even more important that businesses get the right controls and resources in place to protect, detect, and remediate attacks.”
The report also showed that fundamental security controls in the cloud were either misconfigured or entirely absent, potentially because of a rushed moved to cloud during COVID-19. Multi-factor authentication (MFA) fatigue attacks – whereby an attacker bombards a user with access requests in an attempt to browbeat them into submission – were also on the rise.
To optimise security posture, Secureworks recommends that organizations ensure they have comprehensive visibility and intelligence-driven detection across their host, network, and cloud environments. Granular recommendations that facilitate preventing future reoccurrence include: centralized log retention and analysis across host, network and cloud resources and reputation-based web filtering and network detection for suspicious domains and IPs.
The full IR report can be downloaded here.
Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that secures human progress with Secureworks® Taegis™, a cloud-native security analytics platform built on 20+ years of real-world threat intelligence and research, improving customers' ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.
Connect with Secureworks via Twitter, LinkedIn and Facebook and
Read the Secureworks Blog