Web shell attacks surpass ransomware as top cyber threat

Web shells – malicious scripts planted on web servers to give attackers remote access and command execution – were identified as the top threat in the Cisco Talos cybersecurity report for the first quarter of 2023, accounting for nearly 22% of incidents.

“Cybercriminals are gaining more experience exploiting security loopholes to spread their reach across corporate networks,” says Fady Younes, cybersecurity director, EMEA Service Providers and MEA at Cisco. “To stay ahead of the wide array of threats and be in a position to respond to risks in motion, cyberdefenders must scale their protection strategies. This means leveraging advanced technologies like automation, machine learning, and predictive intelligence to analyse vast amounts of data in real time and identify potential threats before they can cause any damage.”

Some of the top threats recorded by the report include:

Web shell: Web shell usage made up nearly a fourth of the threats Talos responded to in the first quarter of 2023. Although each Web shell had only a basic set of functions on its own, threat actors often chained several together into a flexible toolkit for spreading access across the network.

Ransomware: Ransomware made up less than 10% of engagements, a significant decrease compared to the previous quarter’s ransomware engagements (20%). Ransomware and pre-ransomware incidents combined, however, made up nearly 22% of threats observed.

Qakbot commodity: The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files with malicious OneNote documents. Adversaries are increasingly relying on OneNote to spread their malware after Microsoft disabled macros by default in Office documents in July 2022.

Exploiting public-facing applications: Exploitation of public-facing applications was the top initial access vector this quarter, contributing to 45% of engagements, a significant increase compared to 15% in the previous quarter.

Additional Observations

* The report showed that 30% of engagements lacked multi-factor authentication, or only had it enabled on select accounts and services.

* Recent law enforcement efforts have disrupted major ransomware gangs such as Hive ransomware, but this has created space for new families to emerge or for new partnerships to form.

* Healthcare was targeted the most this quarter by adversaries, followed closely by retail and trade, real estate, food services, and accommodation sectors.

“As cyberthreats continue to rise, organisations must take proactive measures to protect themselves from potential breaches,” says Younes. “One of the most significant obstacles to enterprise security is the lack of Zero-Trust architecture deployments in many organisations.

“To prevent unauthorised access to sensitive data, businesses should implement some form of MFA,” Younes adds.