Cyberattacks Soar in Q2 2024: BEC and Ransomware Dominate

business email compromise

The second quarter of 2024 marked a period of heightened cyberattacks, with business email compromise (BEC) and ransomware emerging as the primary threats, according to a report by Cisco Talos Incident Response (Talos IR). These two types of attacks accounted for 60% of all recorded incidents.

Despite a decrease in the number of BEC attacks compared to the previous quarter, they remain a significant threat. At the same time, there was a slight increase in ransomware attacks, with the emergence of Mallox and Underground Team, alongside the previously known Black Basta and BlackSuit.

The predominant method of initial access was through the use of compromised credentials, which accounted for 60% of incidents, showing a 25% increase compared to the previous quarter.

Companies in the technology sector were the most targeted, representing 24% of all incidents, followed by healthcare, pharmaceuticals, and retail. The technology sector saw a 30% increase in attacks, attributed to the crucial role these companies play in supporting and servicing many other industries, making them an attractive target for cybercriminals.

There was also a noted rise in attacks on network devices, comprising 24% of cases. These attacks included password guessing, vulnerability scanning, and exploitation.

BEC attacks continue to gain momentum. Cybercriminals, by compromising business email, send phishing emails to obtain confidential information such as credentials. They often use fraudulent financial requests to alter payment details. In some cases, SMS phishing (“smishing”) was employed, where fake messages were sent to employees’ mobile devices.

Ransomware accounted for 30% of all attacks, a 22% increase from the previous quarter. Attacks from Mallox, Underground Team, Black Basta, and BlackSuit were recorded. In 80% of ransomware attacks, multifactor authentication (MFA) was absent on critical systems, facilitating unauthorized access.

In Mallox ransomware attacks, cybercriminals infected and encrypted Microsoft SQL servers, leaving no trace of data theft or lateral movement. Mallox employs double extortion techniques, making them particularly dangerous.

The Underground Team, a new ransomware group, used SSH for lateral movement and reactivated disabled Active Directory accounts to elevate their privileges and encrypt critical systems.

BlackSuit and Black Basta continued their activities, using compromised credentials to gain access and establish persistence within networks. These groups frequently use legitimate tools to carry out their attacks, complicating detection efforts.

An increase in attacks on network devices was also recorded, where cybercriminals exploited vulnerabilities such as CVE-2018-0296 and CVE-2020-3259 to gain unauthorized access to information.

The primary method of initial access remains the use of compromised credentials, linked to a 25% increase compared to the previous quarter.

Security weaknesses, such as vulnerable or improperly configured systems and the lack of MFA, were the main factors contributing to successful attacks. In one instance, cybercriminals exploited an outdated network switch, increasing the risk of failures and cyberattacks.

To mitigate risks, it is recommended to implement MFA on all critical systems and regularly update software and hardware. Additionally, it is important to train employees to recognize phishing attacks and enforce access control based on the analysis of risky login attempts.

Related Posts: