2023-08-01

The cyber threat level for private and public organizations keeps rising: data-theft extortion was the main threat observed in the last quarter, accounting for 30% of the engagements Cisco Talos Incident Response (Talos IR) responded to, a 25% increase compared to the previous quarter.

The data comes from the Quarterly Report of Talos IR, the largest private intelligence organization in the world dedicated to cybersecurity. In extortion attacks, cybercriminals steal data and threaten to publish it unless the victim agrees to pay a large sum of money, without needing to deploy encryption at all.

A separate category covers incidents that also involved file encryption or the deployment of ransomware. This type of attack represented 17% of the total engagements handled by Talos IR in the April-June period, up from 10% in the previous quarter.

Healthcare is the main target

Several ransomware families were observed: the 8Base and MoneyMessage ransomware operations appeared for the first time this quarter, joining the previously seen LockBit and Royal operations. Clop, Karakurt and RansomHouse, on the other hand, are the main ransomware groups moving away from encryption towards pure extortion.

The public and private healthcare sector was the hardest hit this quarter, followed by financial services and utilities.

In most of the events that Talos IR responded to between April and June, cybercriminals gained initial access by using compromised credentials to log into valid accounts. The use of valid accounts was observed in almost 40% of all engagements, a 22% increase compared to the first quarter of 2023.

PowerShell was observed in more than 50% of attacks this quarter. The dynamic command-line utility remains a popular choice for cybercriminals for a variety of reasons, including stealth, convenience and its extensive IT management capabilities.

Security weaknesses

The lack or improper implementation of multi-factor authentication (MFA) on critical services was responsible for more than 40% of the events that Cisco Talos responded to this quarter.

In nearly 40% of cases, cybercriminals used compromised credentials to access valid accounts, 90% of which lacked MFA. In other cases, MFA was circumvented with fatigue attacks, in which the attacker repeatedly attempts to authenticate to a user account with valid credentials in order to flood the victim with MFA push notifications, hoping they will eventually accept one and let the attacker authenticate successfully.
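As an added illustration of how a defender can spot the push-fatigue pattern described above (this is example code, not part of the Talos report), the following Python scans constructed MFA push log lines, whose key=value format is an assumption, and flags any user who received several denied or timed-out pushes within a short window, noting whether a push was eventually approved:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the "<iso-ts> user=<u> event=mfa_push result=<r> src=<ip>"
# format is assumed for this example and is not a real product's log format.
SAMPLE_LOG = """\
2023-06-12T08:01:10Z user=alice event=mfa_push result=approved src=10.0.0.5
2023-06-12T22:14:02Z user=bob event=mfa_push result=denied src=203.0.113.9
2023-06-12T22:14:40Z user=bob event=mfa_push result=timeout src=203.0.113.9
2023-06-12T22:15:21Z user=bob event=mfa_push result=denied src=203.0.113.9
2023-06-12T22:16:05Z user=bob event=mfa_push result=denied src=203.0.113.9
2023-06-12T22:16:50Z user=bob event=mfa_push result=approved src=203.0.113.9
2023-06-12T09:30:00Z user=carol event=mfa_push result=denied src=10.0.0.7
2023-06-12T15:00:00Z user=carol event=mfa_push result=approved src=10.0.0.7
"""

WINDOW = timedelta(minutes=10)   # sliding window for counting rejected pushes
THRESHOLD = 3                    # rejected pushes inside WINDOW before alerting


def parse_line(line):
    """Split one log line into a dict of fields plus a parsed timestamp."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for users with >= threshold denied/timed-out pushes
    inside `window`; the alert records the burst size, source IPs and whether
    a push was approved while the burst was still active (the dangerous case)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            if e.get("event") == "mfa_push":
                events[e["user"]].append(e)
    alerts = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        rejected = []  # timestamps of denied/timeout pushes still inside the window
        for e in evs:
            rejected = [t for t in rejected if e["ts"] - t <= window]
            if e["result"] in ("denied", "timeout"):
                rejected.append(e["ts"])
            if len(rejected) >= threshold:
                a = alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False, "src": set()})
                a["pushes"] = max(a["pushes"], len(rejected))
                a["src"].add(e["src"])
                if e["result"] == "approved":
                    a["approved_after_burst"] = True
    return alerts
```

An `approved_after_burst` hit is the one worth paging on: it means the user eventually accepted a prompt after a burst of rejections, so the session from that source should be treated as suspect.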

From ransomware to extortion

The increase in data-theft extortion incidents compared to previous quarters is consistent with public reporting on a growing number of ransomware groups that steal data and extort victims without encrypting files or deploying ransomware.

Data-theft extortion is not a new phenomenon, but the number of incidents this quarter suggests that financially motivated threat actors increasingly see it as a viable means of obtaining a payment. Executing ransomware attacks is likely becoming more challenging because of global law enforcement and industry disruption efforts, as well as the deployment of defenses such as improved behavioral detection capabilities and endpoint detection and response (EDR) solutions.

