2024 IBM X-Force Threat Intelligence Index Report Flashcards

1
Q

Summary of the report

The biggest shift the IBM® X-Force® team observed in 2023 was a pronounced surge in cyberthreats targeting identities. The focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns. The lack of identity protections was corroborated by IBM X-Force penetration testing data for 2023, which ranked identification and authentication failures as the second most common finding.

Additionally, X-Force observed a 100% increase in “Kerberoasting” during incident response engagements. Kerberoasting is a technique focused on compromising Microsoft Windows Active Directory credentials through Kerberos tickets. This indicates a technique shift in how attackers are acquiring identities to carry out their operations.

The prominence of valid accounts as a preferred initial access technique among cybercriminals—tying with phishing for the first time—was another notable development.

30/03/24

A

Last year will also go down in history as a generative artificial intelligence (gen AI) breakout year. Policy makers, business executives and cybersecurity professionals are all feeling the pressure to adopt AI within their operations. And the rush to adopt gen AI is currently outpacing the industry’s ability to understand the security risks these new capabilities will introduce.

X-Force predicts threat actors will begin to target AI broadly once the market coalesces around common deployment models and a small number of vendors. Once a single AI technology approaches 50% market share, or when the market consolidates to three or fewer technologies, the cybercriminal ecosystem will be incentivized to invest in developing tools and attack paths targeting AI technologies.

Although X-Force observed a notable drop in ransomware attacks on enterprises in 2023, extortion-based attacks continued to be a driving force of cybercrime this past year. These extortion-based attacks were only surpassed by data theft and leak as the most common impact globally.

2
Q

In 84% of critical infrastructure incidents, the initial access vector could have been mitigated.

Manufacturing was once again the top attacked industry in 2023 for the third year in a row, representing 25.7% of incidents within the top 10 attacked industries. Malware was the top action on objective observed at 45%. Ransomware accounted for 17% of incidents.

Europe experienced the highest percentage of incidents (32%) out of the five geographic regions. Malware was the most observed action on objective, accounting for 44% of incidents.

A

We identified a concerning trend in the rise of infostealers and ransomware groups pivoting to infostealing malware. These shifts suggest that threat actors have revalued credentials as a reliable and preferred initial access vector.

Phishing, whether through an attachment, link or as a service, also comprised 30% of all incidents remediated by X-Force in 2023. Although tied for first place in 2023, the volume of phishing is down by 44% from 2022.

The significant drop in observed compromises through phishing is likely a reflection of both continued adoption and revaluation of phishing mitigation techniques and strategies, as well as attackers shifting to the use of valid credentials to gain initial access.

IBM X-Force Red data indicates that human-crafted phishing emails are time-intensive, requiring on average 16 hours to craft one. X-Force assesses that phishing is expected to be one of the first malicious use cases of AI that cybercriminals will invest in. X-Force data shows that AI can generate a deceptive phish in 5 minutes, a potential time savings of nearly 2 days for attackers.

3
Q

In third place, exploitation of public-facing applications—defined as adversaries taking advantage of a weakness in an internet-facing computer or program—was identified in 29% of incidents, which is slightly higher than what was observed in 2022.

The most observed risk across client environments globally was security misconfigurations, accounting for 30% of total findings. Within this category, penetration testers recorded more than 140 findings describing ways that attackers can exploit misconfigurations. In second place, identification and authentication failures made up 21% of the most observed web application security risks; among these findings, the top offense was weak password policies.

Every year there are a few vulnerabilities that catch enterprises by surprise and cause widespread damage. In 2023, the CL0P ransomware group exploited a vulnerability in the file transfer application MOVEit, common vulnerabilities and exposures (CVE)-2023-34362, to expose information on millions of individuals.

A

The X-Force Vulnerability Database is one of the oldest and largest vulnerability databases in the world and reached its 30-year anniversary in 2023.

According to IBM X-Force Incident Response data, deployment of malware was the most common action threat actors took on victim networks, occurring in 43% of all reported incidents. Of the total incidents, 20% were ransomware cases.

Threat actors have reacted to changes in the security environment by introducing increasingly complex infection chains and attempting new methods of malware delivery, e.g. PDF files containing malicious links and OneNote files with embedded scripts.

There has also been an observed uptick in email campaigns using Microsoft Office documents to deliver malware through exploits rather than malicious macros. In addition, threat actors have increasingly turned to malware delivery vectors beyond email, the most noteworthy of which is the use of fraudulent Google and Bing Ads, also known as malvertising, to distribute malware through fake software downloads.

4
Q

One example of a complex execution chain discovered and analyzed by X-Force in 2023 is the infection chain for WailingCrab malware. Although this infection chain is initialized through an email campaign with a PDF attachment, the final payload isn’t executed until 7 additional steps take place.

The top impact to organizations was data theft and leak, making up 32% of the incidents X-Force responded to, up from 19% of the incidents in 2022. Furthermore, extortion incidents more than doubled in 2023, and the share of all incidents that were extortion increased from 21% in 2022 to 24% in 2023.

The past year has seen a significant rise in the number of infostealers and in threat actor interest in them. Infostealers have long been a staple of the criminal underground marketplace, and many operate under a malware-as-a-service (MaaS) model. Intezer found that infostealers topped the list in 2023 for most unique malware samples targeting Microsoft Windows.

A

Threat actors continue to abuse a wide range of public and private cloud services for malware distribution and operation. Discord and Telegram in particular have attracted significant threat actor attention, as multiple aspects of the platforms’ functionality can be abused in service of malicious activity.

Throughout the course of 2023, X-Force actively monitored countless Russian state-sponsored attacks that leveraged evolving tools and TTPs to carry out offensive operations against Ukraine and its allies. In 2023, X-Force observed criminal threat actors leveraging the ongoing conflict in Ukraine to craft well-manufactured phishing campaigns. Since Russia’s invasion of its neighbor, the theme of the conflict has been used as lure material. A Microsoft outage that took place in the summer of 2023 was linked by a spokesperson to Anonymous Sudan, a DDoS group that does not claim pro-Russian sentiment but is linked to the Russia-sympathetic group Killnet.

5
Q

In response to the war between Hamas and Israel, X-Force has observed various claimed hacktivism operations related to the crisis in the region. Most targets were in the financial sector, government, travel and transportation industries, and the preponderance of observed activity originated from pro-Palestinian groups targeting Israel.

Generative AI: A new cyberthreat frontier
X-Force hasn’t been able to confirm the use of gen AI in current malicious campaigns. However, there are some threat actors paying attention to the marketing value of AI and showing it in the services they allegedly offer.

In August 2023, WormGPT developers released a statement that they would be shutting down the project, claiming that it had gained unforeseen popularity and that news reporting had mischaracterized it.

In 2016, Microsoft 365, then known as Office 365, was in use by 8.5% of Fortune 500 companies. 2016 was the year when the FBI warned about the dramatic increase in BEC scams targeting businesses, resulting in significant financial losses. That same year, multiple ransomware and phishing attacks exploiting Microsoft 365 were reported.

A

Losses from BEC scams saw a sharp upward climb once Microsoft 365 neared 50% market share adoption. In 2019, Office 365 (now Microsoft 365) represented 48% of the market share when losses from BEC (Business Email Compromise) scams exceeded USD 1.7 billion and 25% of phishing attacks bypassed Microsoft’s security mechanisms. Within a year, the FBI issued a warning that attackers were abusing Office 365 in BEC attacks using phishing kits designed to mimic cloud-based email services. Microsoft 365 is officially the most targeted platform for hackers. Fake Office 365 was used for phishing attacks on C-suite targets.

Nation-state actors targeted at least 12 multinational oil, gas, and petrochemical companies in Kazakhstan, Taiwan, Greece, and the United States by exploiting Active Directory domain administrator accounts.

In 2011, French security researcher Benjamin Delpy released the credential harvesting tool Mimikatz, significantly reducing the technical capability requirements to steal domain credentials. Nation-state and financially motivated attackers quickly adopted the tool to carry out their operations.

6
Q

Cryptojacking became a feature of the cyberthreat landscape shortly after the introduction of cryptocurrency. Reporting by Kaspersky Labs indicates a steady rise in cryptojacking malware.

Additionally, increased observations of cryptojacking in 2017–2018 coincided with unprecedented prices for cryptocurrencies Bitcoin, Ethereum and Monero that same year, which likely further incentivized this activity.

Geographic trends
In 2023, Europe earned the number one spot as the most-impacted region, accounting for 32% of incidents to which X-Force responded. North America represented 26% of incidents, while Asia-Pacific saw 23%, Latin America 12% and the Middle East and Africa 7%.

Europe’s high use of cloud platforms may also result in a potentially larger attack surface compared to other regions, especially if attackers are able to obtain valid cloud accounts to gain initial access.

A

The United Kingdom was the most attacked country in Europe, accounting for 27% of cases. Germany accounted for 15%, Denmark 14%.

Manufacturing moved from second place in 2022 to the most-attacked industry in Europe, accounting for 28% of incidents. Professional, business and consumer services placed second with 25% of cases and in third place was finance and insurance at 16%, surpassing energy, which held fourth place at 14%.

Professional, business and consumer services rose from third place in 2022 to the most-targeted industry in North America in 2023, accounting for 22% of cases. The United States accounted for 86% of the region’s attacks compared to Canada’s 14%.

7
Q

Manufacturing, represented in 46% of the incidents, was the most-attacked industry in Asia-Pacific for the second year in a row. The finance and insurance, and transportation industries tied for second, accounting for 12% of cases each, while education was third at 8%. Japan accounted for 80% of Asia-Pacific cases, and Australia 11%.

Brazil remained the most attacked country in Latin America, making up 68% of all the cases that X-Force responded to there. Saudi Arabia remained the most targeted country in the Middle East and Africa, comprising 40% of incidents, with the United Arab Emirates at 30%.

For the third year in a row, manufacturing was the top-attacked industry globally, according to X-Force incident response data. The finance and insurance industry was in second place, again for the third year in a row. Notably, 70% of attacks that X-Force responded to in 2023 were against critical infrastructure organizations. Attackers exploited public-facing applications in 30% of incidents, making it the most common cause of attacks on critical infrastructure.

A

The professional, business and consumer services sector was the third most attacked industry, accounting for 15% of cases. The professional services industry includes consultancies, management companies and law firms. These services make up 34% of victims in this segment. X-Force responded to 49% of cases in Europe, 36% in North America.

In 2023, government entities, though representing a small fraction of reported incidents, witnessed an uptick in cybersecurity threats compared to 2022, according to X-Force. Despite being the least likely to meet ransom demands, governments remain attractive targets for criminal threat actors. X-Force responded to 64% of cases in North America, 26% in Asia-Pacific and 9% in the Middle East and Africa.
