Retail and finance still head the list of most-targeted industries, but manufacturing has seen a surprise spike in attacks in Q2 2018, according to a new report.
Many attacks involved the use of credentials stolen from password dumps, in conjunction with impersonation or suspicious-link attempts. In arguably bad news for the security industry, the cyber-threat report from security firm Rapid7 found that attack patterns have reverted to those seen a year ago, potentially signalling that little progress has been made in these areas.
Interestingly, although the top threat for smaller organisations was remote entry, for larger organisations it was dangerous user behaviour.
"We observed that dangerous user behaviour is directly tied to the potential for attackers to attempt more remote entry attacks against these organisations moving forward, as users visit URLs designed to steal credentials. The majority of credential theft URLs were directed against large organisations", stated the report.
The top sectors hit by credential theft campaigns were information, finance, and manufacturing. Ross Rustici, senior director for intelligence at Cybereason, told SC Media UK why the manufacturing industry has become such an attractive target for adversaries:
"The manufacturing industry continues to be attacked at an alarmingly high rate and geographical dispersion increases the footprint of the attack surface, making it harder to secure. These attacks can cause major disruptions in assembly line downtime, physical damage and lead to defective products being produced.
"Today's manufacturers are also relying more and more on big data analytics and the cloud to improve their connectivity, increasing opportunities for hackers to steal patent information and IP, the lifeblood to any company. In manufacturing and assembly, you have entire IT networks that get infrequent or no security updates and generally do not have the same level of scrutiny because they are internal networks and behind firewalls."
"Manufacturing companies should have security analysts on staff that can increase visibility across the entire network and maintain an inventory of all machines connected to the Internet. Improving security hygiene is critical to exposing the cyber-criminal’s activities early in the process before it results in IP theft and loss."
The report also noted that cryptocurrency mining is alive and well, with an increase in cryptominers discovered on systems quarter on quarter, as well as one-off botnet attacks such as the MikroTik router compromise, which affected approximately 150,000 devices in Q2 despite the vulnerability having been patched by the company back in April.
Rebekah Brown, Rapid7's threat intelligence lead and report author, told SC Media UK: "Studying how adversaries are operating both on the micro (incident response) level as well as the macro (opendata.rapid7.com) level allows us to pick up on trends and understand how defenders should be posturing themselves to counter the threats. What we have seen over the past few quarters is adversaries leveraging a combination of familiar tactics such as credential theft and remote access, along with a push for rapid exploitation of router and IoT based vulnerabilities, and using them for newer goals, such as cryptocurrency mining or new extortion techniques."
Another small trend is attacks targeting backups and similar systems, with the top usernames attempted against RDP including examples like "backup" and "xerox," giving a clear indication of the systems attackers are targeting. "These are often systems that are easy for defenders to overlook", noted the report.
"Externally exposed RDP—even if it is just exposed for a short period of time—can have a devastating impact on an organisation, as we saw with several of the RDP-enabled ransomware attacks in Q2.
Exposure may not just impact your own organisation’s traditional IT infrastructure, but it can also mean your embedded systems, including cameras, doorbells, and motion sensors, are being added to botnets used to carry out additional attacks while zapping your own resources. Knowledge of threats, knowledge of your own environment, and an active approach to remediating threats and vulnerabilities will go a long way toward keeping you and your network above the fray", the authors summarised.
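As an added illustration (not code from the report or from Rapid7), the following Python surfaces the pattern the report describes in constructed sample RDP logon records: it ranks the usernames attempted in failed RDP logons and flags sources that try account names belonging to easily overlooked systems, or that hammer a host in a short burst. The log line format, the sample addresses, and the watchlist names other than "backup" and "xerox" are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# "backup" and "xerox" are the names the report cites; the rest are assumed.
WATCHLIST = {"backup", "xerox", "scanner", "printer", "svc_backup"}

# Constructed sample records (not real logs), shaped like fields a SIEM extracts
# from Windows Security events 4625/4624 with LogonType 10 (RemoteInteractive/RDP).
SAMPLE_LOG = """\
2018-06-02T01:10:03Z host=FS01 event=4625 logon_type=10 user=backup src=203.0.113.7
2018-06-02T01:10:04Z host=FS01 event=4625 logon_type=10 user=xerox src=203.0.113.7
2018-06-02T01:10:05Z host=FS01 event=4625 logon_type=10 user=administrator src=203.0.113.7
2018-06-02T01:10:06Z host=FS01 event=4625 logon_type=10 user=backup src=203.0.113.7
2018-06-02T09:15:00Z host=FS01 event=4625 logon_type=10 user=jsmith src=10.0.0.25
2018-06-02T09:15:30Z host=FS01 event=4624 logon_type=10 user=jsmith src=10.0.0.25
"""

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
                     r"logon_type=(?P<ltype>\d+) user=(?P<user>\S+) src=(?P<src>\S+)")

def rdp_failures(log_text):
    """Parse the log and keep only failed (4625) RDP (logon type 10) attempts."""
    return [{"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
             "user": m["user"].lower(), "src": m["src"]}
            for m in map(LINE_RE.match, log_text.splitlines())
            if m and m["event"] == "4625" and m["ltype"] == "10"]

def top_usernames(log_text, n=5):
    """Most-attempted usernames in failed RDP logons, the view the report ranks."""
    return Counter(r["user"] for r in rdp_failures(log_text)).most_common(n)

def flag_sources(log_text, window_s=60, threshold=3):
    """Per source: watchlisted names tried, and >= threshold failures within window_s."""
    by_src = defaultdict(list)
    for r in rdp_failures(log_text):
        by_src[r["src"]].append(r)
    findings = {}
    for src, recs in by_src.items():
        reasons = []
        hits = sorted({r["user"] for r in recs} & WATCHLIST)
        if hits:
            reasons.append("watchlist:" + ",".join(hits))
        times = sorted(r["ts"] for r in recs)
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            reasons.append("burst")
        if reasons:
            findings[src] = reasons
    return findings
```

Run against the sample, the internal user's single failure is ignored while the external source is flagged for both the watchlisted names and the burst.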