Last Month in Security 004: DBIR 2024 and How Vulnerability Exploits Rule

In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden fly solo and dig into the impact that vulnerability exploits are having on the threat landscape.

The latest Verizon DBIR is out, and the Halcyon team was excited to make our debut as contributors to the report, which was more focused on pathways to breaches - the ways attackers got into networks than prior reports.

Verizon Threat Research Advisory Center (VTRAC) looked at 30,458 incidents of which 10,626 were confirmed data breaches - the highest ever. And vulnerability exploitation was back big time with a 180% increase from the previous year.

The surge was mostly driven by MOVEit exploit leveraged by Cl0p to compromise thousands of organizations in just a matter of weeks - likely through automation – with the end result most often being extortion via ransomware.

We made mention that Memorial weekend is the anniversary of the MOVEit campaign, where it is estimated that as many as 8,000 organizations were targeted over the last year.

The report also revealed that about one-third of all breaches involved ransomware or data extortion. More specifically, 9% of breaches involved straight data extortion while 23% included the detonation of ransomware payloads.

Data exfiltration, ransomware payloads and subsequent extortion attempts were the number one attacker actions observed, while stolen credentials, phishing, privilege abuse etc. were much lower in frequency. Verizon also notes this “ramstortion” trend remains a top threat across 92% of industries.

Then we dug into the latest Power Rankings: Ransomware Malicious Quartile report which aligned with many of the DBIR findings – namely how automation of vulnerability exploits in Q1-2024 led to campaigns by ransomware groups leveraging misconfigured MSSQL servers, TeamViewer flaws, Fortra GoAnywhere (again), Citrix NetScaler (still), and even vulnerable Python libraries.

We also discussed how the data exfiltration issue may be bigger problem than ransomware payload, leading to further extortion opportunities for the attackers as well as a drastic increase on potential regulatory and liability for victim organizations, putting the C-level and BoDs at risk like never before.

Of note in the Ransomware MQ Q1-2024 report was the demise of BlackCat/ALPHV, which dropped out of the Frontrunners quadrant, while a new RaaS emerged dubbed RanomHub who is on the rise and very well may be a rebrand of BlackCat/ALPHV.

Other notable movements include LockBit slipping out of the top spot after reigning for quite some time following the identification of a 31-year-old Russian national named Dmitry Yuryevich Khoroshev as the developer and admin for the LockBit RaaS platform and a takedown of the LockBit leaks site and attack infrastructure.

Yet, despite all the LEO actions against these two formerly top-ranking groups, we noted that the attacks leveraging the LockBit payloads continue to be reported in addition to the possible rebrand of BlackCat/ALPHV, calling into question whether the criminal justice system is enough to combat these prolific groups.

Hosts:

Anthony M. Freed, Halcyon Director of Research and Communications

Ben Carr, Halcyon Chief Information Security Officer (CISO)

Ryan Golden, Halcyon Chief Marketing Officer (CMO)