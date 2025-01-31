Threat Actors Target Public-Facing Apps for Initial Access

News

Threat actors are increasing their focus on exploiting public-facing applications to achieve initial access, according to Cisco Talos’ Incident Response Trends in Q4 2024 report.

The exploitation of public-facing applications was the most common method of gaining initial access in Q4 2024, making up 40% of incidents.

The researchers said this marked a “notable shift” in initial access techniques. Prior to this quarter, account compromise had been their most observed method of initial access for over a year.

The growing use of web shells was a major driver for this trend. Web shells were deployed against vulnerable or unpatched web applications in 35% of incidents analyzed by Cisco Talos in Q4. This represents a significant increase from the previous quarter, when web shells were deployed in less than 10% of cases.

Threat actors utilized a range of open-source and publicly available web shells. The functionality of the web shells and targeted web applications varied across incidents, providing attackers with multiple ways to leverage vulnerable web servers as a gateway into a victim’s environment.
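The report describes the pattern only at a high level, so the following is an added example (not Cisco Talos code) showing what a responder can check for in practice: first, triage of web-server access logs for script files that receive command-like requests from tooling user agents, especially under writable upload directories where dropped shells typically land; second, a scan of script source for request input flowing straight into eval() or command-execution sinks, the hallmark of most public web shells. The log format (Apache/nginx "combined"), the `KNOWN_ENTRYPOINTS` allowlist, the `WRITABLE_DIRS` list and every log line and script sample are constructed assumptions for the demonstration; in a real engagement the allowlist comes from the deployment manifest or a known-good file inventory.

```python
"""Web-shell triage for a public-facing web application (added example).

Two complementary checks:
1. triage_access_log(): score server-side script paths by how shell-like
   the traffic to them looks (command parameters, tooling user agents,
   POST/200 from a writable directory that is not a known entry point);
2. scan_script_source(): flag code that feeds request input into an
   exec/eval sink or eval()s a decoded blob.
All sample data is constructed for the example.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed); only the fields triage needs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx")
# Parameter names many public web shells use to carry a command or payload.
CMD_PARAM = re.compile(r"(^|&)(cmd|c|exec|command|pass|p|a)=", re.I)
TOOLING_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|libwww", re.I)
# Assumed: directories the application lets users write to.
WRITABLE_DIRS = ("/uploads/", "/upload/", "/images/", "/tmp/", "/files/")
# Assumed: script entry points that belong to the deployed application.
KNOWN_ENTRYPOINTS = {"/index.php", "/login.php", "/about.php"}


def triage_access_log(log_text, known=KNOWN_ENTRYPOINTS, threshold=3):
    """Score each server-side script path; return findings at or above threshold."""
    reasons = defaultdict(set)   # path -> set of indicator names
    clients = defaultdict(set)   # path -> set of client IPs
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        path, _, query = m["path"].partition("?")
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        clients[path].add(m["ip"])
        if path not in known:
            reasons[path].add("not-a-known-entrypoint")
        if path.startswith(WRITABLE_DIRS):
            reasons[path].add("under-writable-dir")
        if CMD_PARAM.search(query):
            reasons[path].add("command-like-parameter")
        if m["method"] == "POST" and m["status"] == "200":
            reasons[path].add("post-200")
        if TOOLING_UA.search(m["ua"]):
            reasons[path].add("tooling-user-agent")
    findings = []
    for path, rs in reasons.items():
        # Each indicator counts once per path; a command parameter weighs double.
        weight = sum(2 if r == "command-like-parameter" else 1 for r in rs)
        if weight >= threshold:
            findings.append({"path": path, "score": weight,
                             "reasons": sorted(rs), "clients": sorted(clients[path])})
    return sorted(findings, key=lambda f: -f["score"])


# Source patterns common to public web shells: request input reaching a
# command or eval sink, or eval() over a decoded payload.
SOURCE_INDICATORS = [
    ("superglobal-to-exec", re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)")),
    ("eval-of-request", re.compile(r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)")),
    ("eval-of-decoded-blob", re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("jsp-aspx-process-exec", re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(|Process\.Start\s*\(")),
]


def scan_script_source(src):
    """Return the names of web-shell indicators present in a script's source."""
    return [name for name, rx in SOURCE_INDICATORS if rx.search(src)]


# Constructed access log: normal browsing of known pages, then a dropped
# uploads/avatar.php receiving command-style requests from scripted clients.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2024:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2024:09:14:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2024:09:20:11 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.23 - - [12/Nov/2024:09:20:19 +0000] "POST /uploads/avatar.php?cmd=whoami HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.23 - - [12/Nov/2024:09:21:40 +0000] "GET /uploads/avatar.php?cmd=ipconfig+/all HTTP/1.1" 200 2310 "-" "curl/8.4.0"
192.0.2.55 - - [12/Nov/2024:09:30:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 40120 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Nov/2024:09:31:00 +0000] "GET /about.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Constructed script samples: a one-line command shell, a base64-wrapped
# eval shell, and a benign page that merely echoes escaped input.
SHELL_A = "<?php if(isset($_REQUEST['cmd'])){system($_REQUEST['cmd']);} ?>"
SHELL_B = "<?php @eval(base64_decode($_POST['p'])); ?>"
BENIGN = "<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>"

if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_LOG):
        print(f"{f['path']} score={f['score']} reasons={f['reasons']} clients={f['clients']}")
    for label, src in (("shell_a", SHELL_A), ("shell_b", SHELL_B), ("benign", BENIGN)):
        print(label, scan_script_source(src))
```

The log check deliberately scores per path rather than per request, so a single noisy request does not outweigh the overall pattern, and a newly written script under an upload directory that starts taking POSTs is enough to warrant a look even before a command parameter appears. The source check is a starting point, not a signature set: obfuscated shells split the sink and the input across variables, so pair it with file-integrity comparison against the deployed release and with process-creation telemetry from the web server account.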

Decline in Ransomware Incidents

Ransomware and data theft extortion accounted for 30% of incidents Cisco Talos engaged with in Q4. This represents a fall from 40% in Q3 2024.

Attackers’ dwell times varied significantly in this quarter, ranging from 17 to 44 days. Longer dwell times indicate that an adversary is seeking to move laterally, evade defenses and/or identify data of interest for exfiltration.

In one observed RansomHub incident, operators had access to the compromised network for over a month before executing the ransomware and performed actions such as internal network scanning, accessing passwords for backups and credential harvesting.

Attackers compromised valid accounts in 75% of ransomware incidents in order to obtain initial access and/or execute ransomware on targeted systems.

For example, RansomHub affiliates were seen leveraging a compromised administrator account to execute the ransomware, dump credentials and run scans using a commercial network scanning tool.

Cisco Talos observed the use of remote access tools in 100% of ransomware engagements in Q4, up from the previous quarter, when such tools were seen in only 13% of incidents.

Splashtop was the most commonly used remote access tool, involved in 75% of ransomware cases.

Need for Properly Implemented MFA

Cisco Talos said its findings emphasize the importance of enforcing multi-factor authentication (MFA) on all critical services, including all remote access and identity and access management (IAM) services.

Despite the surge in exploitation of public-facing applications, account compromise continues to be an important tactic for initial access and post compromise activities.

The researchers found that 40% of all compromises in Q4 involved MFA that was misconfigured, weak or absent. Additionally, every organization impacted by ransomware either had not properly implemented MFA or had it bypassed via social engineering.

