Last Month in Security 004: DBIR 2024 and How Vulnerability Exploits Rule

In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden fly solo and dig into the impact that vulnerability exploits are having on the threat landscape.

The latest Verizon DBIR is out, and the Halcyon team was excited to make our debut as contributors to the report, which was more focused on pathways to breaches - the ways attackers got into networks than prior reports.

Verizon Threat Research Advisory Center (VTRAC) looked at 30,458 incidents of which 10,626 were confirmed data breaches - the highest ever. And vulnerability exploitation was back big time with a 180% increase from the previous year.

The surge was mostly driven by MOVEit exploit leveraged by Cl0p to compromise thousands of organizations in just a matter of weeks - likely through automation – with the end result most often being extortion via ransomware.  

We made mention that Memorial weekend is the anniversary of the MOVEit campaign, where it is estimated that as many as 8,000 organizations were targeted over the last year.

The report also revealed that about one-third of all breaches involved ransomware or data extortion. More specifically, 9% of breaches involved straight data extortion while 23% included the detonation of ransomware payloads.  

Data exfiltration, ransomware payloads and subsequent extortion attempts were the number one attacker actions observed, while stolen credentials, phishing, privilege abuse etc. were much lower in frequency. Verizon also notes this “ramstortion” trend remains a top threat across 92% of industries.

Then we dug into the latest Power Rankings: Ransomware Malicious Quartile report which aligned with many of the DBIR findings – namely how automation of vulnerability exploits in Q1-2024 led to campaigns by ransomware groups leveraging misconfigured MSSQL servers, TeamViewer flaws, Fortra GoAnywhere (again), Citrix NetScaler (still), and even vulnerable Python libraries.

We also discussed how the data exfiltration issue may be bigger problem than ransomware payload, leading to further extortion opportunities for the attackers as well as a drastic increase on potential regulatory and liability for victim organizations, putting the C-level and BoDs at risk like never before.

Of note in the Ransomware MQ Q1-2024 report was the demise of BlackCat/ALPHV, which dropped out of the Frontrunners quadrant, while a new RaaS emerged dubbed RanomHub who is on the rise and very well may be a rebrand of BlackCat/ALPHV.

Other notable movements include LockBit slipping out of the top spot after reigning for quite some time following the identification of a 31-year-old Russian national named Dmitry Yuryevich Khoroshev as the developer and admin for the LockBit RaaS platform and a takedown of the LockBit leaks site and attack infrastructure.

Yet, despite all the LEO actions against these two formerly top-ranking groups, we noted that the attacks leveraging the LockBit payloads continue to be reported in addition to the possible rebrand of BlackCat/ALPHV, calling into question whether the criminal justice system is enough to combat these prolific groups.  

Your Hosts:

Anthony M. Freed, Halcyon Director of Research and Communications: Freed is a strategic communications leader, award-winning writer, publisher and podcast producer who was previously a freelance security journalist leading headline-making investigations that included the Symantec NAV source code leak, the mass compromise of US government agency account credentials, the denial-of-service attack that took down WikiLeaks, and more. Freed is also the principal researcher who produces the quarterly Halcyon report Power Rankings: Ransomware Malicious Quartile - Inside Data Extortion Attacks.  

Ben Carr, Halcyon Chief Information Security Officer (CISO): Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced technology, high risk, and rapid growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.  

Ryan Golden, Halcyon Chief Marketing Officer (CMO): Golden has a strong background in marketing and leadership roles across the security industry and vast experience in building successful brands, as demonstrated by his role as VP of Design & Creative at Cylance, Inc., where he led the disruptive Cylance brand from pre-revenue to a $1.4B acquisition By BlackBerry. Golden is a technical CMO with deep experience in defending organizations against ransomware operations and other advanced attack scenarios, and also served as the Vice President of Marketing at ShiftLeft, Inc. ‍

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.