Vulnerability exploitation accounted for 52% of ransomware incidents investigated by Secureworks over the past 12 months, making it the number one initial access vector for threat actors, the vendor claimed in a new report.
The security firm’s annual State of the Threat report is compiled from the insights of its Counter Threat Unit over the period.
It found that exploitation of bugs in internet-facing systems was most favored by ransomware actors last year, rather than use of credentials – often associated with remote desktop protocol (RDP) compromise – and malicious emails.
This shift in tactics may be down to a broader imbalance between threat actor and network defender capabilities, the report claimed.
“Threat actors continue to rapidly weaponize new vulnerabilities, while developers of offensive security tools (OSTs) are also incentivized – by the need to generate profit or keep their tools relevant – to promptly implement new exploit code,” it argued.
“Debates about responsible disclosure often miss the fact that even where a patch exists, the process of patching a vulnerability in an enterprise environment is far more complex and slower than the process for threat actors or OST developers of weaponizing publicly available exploit code.”
However, security teams must also guard against the persistent threat of credential-based attacks. Secureworks noted a 150% year-on-year increase in the use of info-stealers designed to grab credentials and gain a foothold on networks.
On a single day in June this year, the vendor claimed to have observed over 2.2 million credentials obtained by info-stealers, which were made available for sale on an underground marketplace.
Ransomware continues to be the number one threat for global organizations, accounting for more than a quarter of attacks analyzed by Secureworks. Most threats are linked to Russian cybercrime groups, it said.
The good news is that the median dwell time for attackers fell from 22 days in 2021 to 11 days so far this year. However, that still leaves attackers with plenty of time to steal data and deploy ransomware payloads.