The latest report from cybersecurity firm Sophos has revealed that cybercriminals deployed ransomware more than any other form of attack in 2023, accounting for 70% of the incident response cases the firm analyzed.
According to the Sophos Active Adversary Report, which analyzes more than 150 incident response (IR) cases handled by the Sophos X-Ops IR team in 2023, network breaches retained their spot as the second most common attack type, with a 19% occurrence rate.
While it could not be certain in all cases, Sophos said there was mounting evidence that many network breaches were indeed unsuccessful ransomware attacks.
“For example, we positively identified five network breaches (17%) that were the work of known ransomware brands.
“An interesting statistic emerged when comparing network breaches to ransomware attacks by quarter: During the quarters where ransomware was at its lowest prevalence – 67% in Q2 and 62% in Q3 – network breaches were considerably above the yearly average, 21% in Q2 and 28% in Q3,” Sophos stated in the report.
RDP on the rise
The report noted that cybercriminals abused remote desktop protocol (RDP)—a common method for establishing remote access on Windows systems—in 90% of the attacks analyzed.
This was the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021, covering data from 2020.
In addition, external remote services such as RDP were the most common vector by which attackers initially breached networks; they were the method of initial access in 65% of IR cases in 2023.
It added that external remote services have consistently been the most frequent source of initial access for cybercriminals since the Active Adversary data set began in 2020, and that defenders should consider this a clear sign to prioritize the management of these services when assessing risk to the enterprise.
“External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond.
“Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side,” said John Shier, field CTO, Sophos.
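The "additional controls" Shier refers to start with noticing the noisy phase of an RDP attack: repeated failed logons from internet addresses, often across several account names, followed by a success. The script below is an added example (not code from Sophos or from this article) of that detection logic run over exported Windows Security events. It assumes the events have already been flattened into dicts with the fields shown, that Event IDs 4625/4624 with LogonType 10 (RemoteInteractive) identify RDP logons, and that the internal address ranges listed match the organisation's own; the sample events are constructed for the example, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for attacker addresses.

```python
"""Detect external RDP brute-force / password-spray activity in exported
Windows Security events.

Added example, not code from the Sophos report or the article. The records
in SAMPLE_EVENTS are constructed for illustration; in practice they would be
parsed out of Security-log events 4625 (failed logon) and 4624 (successful
logon), where LogonType 10 (RemoteInteractive) marks an RDP session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Ranges treated as inside the network. Adjust to the organisation's own
# allocations. Defined explicitly rather than via ipaddress.is_private so the
# documentation ranges used below as attacker addresses count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

RDP_LOGON_TYPE = 10  # RemoteInteractive
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624

# Constructed sample events (not real log data): one external host tries five
# accounts in about a minute and then logs in as jdoe; a second external host
# stops after two failures; internal and non-RDP events are present as noise.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T02:00:01", "event_id": 4625, "logon_type": 10, "source_ip": "203.0.113.45", "user": "administrator"},
    {"time": "2023-06-01T02:00:09", "event_id": 4625, "logon_type": 10, "source_ip": "203.0.113.45", "user": "admin"},
    {"time": "2023-06-01T02:00:15", "event_id": 4625, "logon_type": 10, "source_ip": "10.0.0.5",     "user": "jdoe"},
    {"time": "2023-06-01T02:00:20", "event_id": 4625, "logon_type": 10, "source_ip": "203.0.113.45", "user": "backup"},
    {"time": "2023-06-01T02:00:31", "event_id": 4625, "logon_type": 10, "source_ip": "198.51.100.7", "user": "administrator"},
    {"time": "2023-06-01T02:00:44", "event_id": 4625, "logon_type": 10, "source_ip": "203.0.113.45", "user": "svc_rdp"},
    {"time": "2023-06-01T02:01:02", "event_id": 4625, "logon_type": 10, "source_ip": "198.51.100.7", "user": "admin"},
    {"time": "2023-06-01T02:01:15", "event_id": 4625, "logon_type": 10, "source_ip": "203.0.113.45", "user": "jdoe"},
    {"time": "2023-06-01T02:01:30", "event_id": 4624, "logon_type": 10, "source_ip": "203.0.113.45", "user": "jdoe"},
    {"time": "2023-06-01T02:05:00", "event_id": 4624, "logon_type": 2,  "source_ip": "10.0.0.7",     "user": "alice"},
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for external source IPs that reach `threshold` failed RDP
    logons inside `window`, and for any external IP that logs in successfully
    over RDP while it still has failures inside the window.
    """
    rdp = sorted((e for e in events if e["logon_type"] == RDP_LOGON_TYPE),
                 key=lambda e: e["time"])  # ISO timestamps sort as strings
    recent = defaultdict(deque)  # source_ip -> deque of (time, user) failures
    flagged = set()              # IPs already reported as brute-forcing
    alerts = []
    for e in rdp:
        ip = e["source_ip"]
        if is_internal(ip):
            continue
        t = datetime.fromisoformat(e["time"])
        fails = recent[ip]
        while fails and t - fails[0][0] > window:  # slide the window forward
            fails.popleft()
        if e["event_id"] == FAILED_LOGON:
            fails.append((t, e["user"]))
            if len(fails) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "rdp_bruteforce", "source_ip": ip,
                    "failures": len(fails),
                    "distinct_users": len({u for _, u in fails}),
                    "first": fails[0][0].isoformat(), "last": t.isoformat(),
                })
        elif e["event_id"] == SUCCESSFUL_LOGON and fails:
            alerts.append({
                "type": "rdp_success_after_failures", "source_ip": ip,
                "user": e["user"], "prior_failures": len(fails),
                "time": t.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second alert type is the one worth paging on: a successful RDP logon from an address that was just failing against several accounts is, absent MFA, what a compromised credential looks like at the moment of initial access. Tune `threshold` and `window` to the environment; a lockout policy makes the brute-force count more informative, and `distinct_users` separates password spraying from a single-account guess.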
Causes of attacks
The report noted that compromised credentials and exploiting vulnerabilities are still the two most common root causes of attacks. However, the 2023 Active Adversary Report for Tech Leaders, released last August, found that in the first half of that year, for the first time, compromised credentials surpassed vulnerabilities as the most frequent root cause of attacks.
“This trend continued through the rest of 2023, with compromised credentials representing the root cause of over 50% of IR cases for the entire year. When looking at Active Adversary data cumulatively over the years from 2020 through 2023, compromised credentials were also the number one all-time root cause of attacks, involved in nearly a third of all IR cases. Yet despite the historical prevalence of compromised credentials in cyberattacks, in 43% of IR cases in 2023, organizations did not have multi-factor-authentication configured,” Sophos said.
According to Sophos, the report covered organizations located in 23 different countries, including the United States, Canada, Mexico, Colombia, the United Kingdom, Sweden, Switzerland, Spain, Germany, Poland, Italy, Austria, Belgium, the Philippines, Singapore, Malaysia, India, Australia, Kuwait, the United Arab Emirates, Saudi Arabia, South Africa, and Botswana.
Nairametrics