<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

3 Ways Threat Actors Will Kick Off the New Year, According to Corvus Intel

Every few months we share a deep dive on cyber findings from our Claims and Threat Intel teams in the Corvus Risk Insights Index. (See last edition here). The CRII covers trends over the span of a year or more, which enables us to wait patiently for data to mature before we stake any claim — pun intended — about any cyber risk trends. 

But threat actors move faster than insurance claim cycles, so in our day-to-day we analyze a blend of recent (immature) claims data and external threat intelligence to find indicators of emerging trends that can help us make policyholders safer. As we head into the time of year that’s busiest for many organizations — and unfortunately, for threat actors, too — we thought we’d share a peek behind the curtain to those findings, in the form of some predictions. 

Which of these will make the cyber headlines of the future, and which will be merely blips on the radar screen? Grab a colleague, place your bets, and we’ll find out in a few months.

How threat actors will kick off the new year

We know threat actors will be active over the holidays (they tend to wait ‘til January to take PTO) but how will they focus their efforts? Here are three of our best guesses based on a blend of preliminary claims data and external threat intelligence. 

1. Going phishing (especially in Microsoft waters)

In recent months social engineering, the category that includes tactics like phishing and spearphishing, was the most frequently observed cause of claims cited in Corvus data. That’s not a surprise, since it’s been the leading cause in nearly every month for which we have data, going back several years. But the gap between social engineering and other causes of loss has been especially wide of late. 

Social engineering claims have risen as a share of claims to make up nearly half of all claims in recent months, after hovering around 35-38% for about a year prior. That gives social engineering nearly 3x the share of the next largest claim category. (That second category has in recent months been claims due to breaches at vendors or other third parties).

[BAR GRAPH] Caused of Loss in Corvus Claims from Social Engineering and All Other Attacks from  Q4 2022 to Q3 2023

This gap has developed in spite of the wider adoption of anti-phishing training over the past few years. It seems that tried and true methods of exploiting human beings persist over time, even as security technologies and vulnerabilities come and go. 

An interesting wrinkle in this data is the prevalence of Microsoft products as the target for phishing efforts. What makes this interesting isn’t that Microsoft, the leader in the space with a market share somewhere between 40% and 50% of business email in the US, sees its customers targeted, but that there’s very little indication of this trend being present among organizations using the 2nd largest business email provider, Google.

In fact, Corvus has seen zero claims this year to date with social engineering as the cause of loss from organizations that were confirmed as customers of Gmail for their business email. Even though Microsoft is the most prevalent business email provider used by our policyholders, we would have expected to see 1 in 10 of our social engineering claims from Google Workspace organizations.

This finding is supported by external sources such as Expel’s Q3 Threat Report, which noted the prevalence of Business Email Compromise (BEC) within Microsoft email services: 

“All Q3 BEC attempts [among incidents we responded to] occurred in Microsoft 365 – we didn’t identify any incidents in Google Workspaces. We believe that’s due to Google Workspaces having more stringent security settings configured by default. We’re watching closely to see if that changes with the recent Basic Auth change for Microsoft 365.

Security configurations will change over time, but for now, we expect “success” on the part of the threat actors thus far will breed further exploits in social engineering of Microsoft organizations. Further investigation will be needed to understand the reason for such a wide discrepancy between the two largest cloud-based work tool companies. 

Key Indicators: Social Engineering

  • In recent months, the rate of claims with Social Engineering as the cause was 3x higher than the rate of the next-highest cause — a higher ratio than we’ve seen in the past

  • In our preliminary claims data for 2023, Corvus has seen no claims to date with a social engineering cause of loss on policyholders using Google Workspace as their email provider. 

    • While there are relatively few Google Workspace organizations among our policyholder base overall, the ratio would suggest that we should see at least 1 in 10 of our social engineering claims from Google Workspace organizations if they occurred at the same rate as other email providers. 

 

Are you more of a visual learner? Download the infographic instead!

 

Download the Infographic

 

2. Exploiting external vulnerabilities to gain initial access for extortion attacks 

While social engineering rules in terms of the frequency of claims, we can’t forget about ransomware and other forms of extortion attacks. These types of attacks are vastly more expensive — on average 20x the cost of the average social engineering claim* — and more traumatic for organizations than other types of cybercrime, so we take a keen interest in what’s coming next in ransomware, especially in periods when activity is rising

We look not only at trends in the types of ransomware used in attacks, but also the way attackers get into a victim’s system in the first place — the “method of initial access”. In some cases this can be difficult to determine through the fog of war, but whenever possible we collect it in order to form a more complete picture of attack trends and inform the risk prevention advice we provide our policyholders. 

According to Corvus data, back in 2022 the most common way ransomware threat actors gained initial entry into a victim’s system was through spearphishing, a form of phishing in which specific individuals are targeted with a specific message. Spearphishing via email attachments containing malware was the most common style. 

But this year there was a shift. If the trend holds, the leading method of initial entry for ransomware this year will be exploits of external vulnerabilities. Translated, this means attackers are getting access to systems by way of a vulnerability, such as a zero-day vulnerability. A zero-day is a security flaw in software or hardware that is unknown to the party responsible for the software’s security until after it is exploited by attackers. (Because of their inherent urgency zero day vulnerabilities are often the subject of threat alerts that Corvus sends to our policyholders — and very quickly we might add!)

[BAR GRAPH] The two methods of initial entry leading to an extortion attack in H2 2022 and H1 2023

These attacks comprise nearly a third of the extortion attacks for which we have data on the method of initial entry this year, up from near zero in the second half of 2022. Examples of vulnerabilities we’ve seen exploited this year include the one discovered in MOVEIt file transfer software in June, and one that Fortra discovered in its GoAnywhere file transfer solution. 

Given the success threat actors have found using zero-day vulnerabilities this year, especially in file transfer software, we’re looking out for their continued activity finding and exploiting vulnerabilities going forward.

Key Indicators: Initial Access Methods

  • Ransomware attacks, while much rarer than Social Engineering, cost 20x more on average

  • Spearphishing efforts were for a long period the most common way threat actors gained access to systems to deploy ransomware

  • Recently, exploits of external software vulnerabilities have spiked, now being the method of initial entry for 1 in 3 ransomware attacks (among those for which we were able to determine the method)

 

*Sub-limits applied to social engineering and some ransomware claims affect the average incurred costs for each category, so this finding may differ when observed outside of the insurance context. 

3. Exploiting back-end systems through exposed keys 

Exchanges of information between organizations is the foundation of the modern web. It’s what enables cloud-based services to work, such as cloud hosting and storage, as well as front-end services like payment processing. Third-party services are critical to the function of millions of websites and web applications. 

A critical piece of these exchanges are “keys” (such as for API access) or security tokens (such as JSON Web Token). These are the equivalent of a “secret handshake” that proves both parties are allowed to exchange data. When handled properly, secrets are closely held, and remain (yes) secret. But with so many web and cloud services used by so many customers, there’s huge variation in the levels of skill, experience and support in their implementation and maintenance. Things can go awry. 

Sometimes keys are buried in code that ends up being put in a public repository, where a threat actor can use relatively simple search methods to identify these forgotten strings. In other cases threat actors will use specific tools designed to break into otherwise secure spaces and find keys. Exfiltrated data from ransomware victims is also a source. Threat actors who locate keys can put them to use for their own nefarious purposes, or sell access to them on dark web marketplaces where keys can fetch high prices because of the unique level of system access they can grant. 

This phenomenon has been observed by researchers for some time now. Our team believes that increased availability of tools and wider knowledge of the existence of so many relatively easy-to-obtain keys means that exposed keys may become more notable as a vector for attacks in the future. This area has been the subject of research by our teams and we’ve discovered a considerable number of critical keys available online. 

[CHART] Most common exposed secrets and most critical exposed secrets of organizations who experienced a cyber attack

The overall incidence of this kind of exposure is fairly common, found in about 7% of the population we’ve searched. Some of the most common exposed secrets were Google API keys, JSON web tokens, Shopify domain keys, and keys for AWS s3 buckets. 

But not all exposures are equal. Some do not give threat actors much to work with, and may never pose a problem for the organizations that exposed them. For about 1% of the organizations we studied, however, we located exposed keys that our security experts consider to be “critical” and require immediate attention. These include AWS API keys, keys to cloud storage buckets (AWS s3 and Google Cloud Storage), and API keys from a bevy of non-cloud provider services, like LinkedIn, Okta, Slack, MailChimp, Facebook, New Relic, Stripe, and Sauce Labs.

Look out for more soon from Corvus on how we’re building this research into Corvus Signal™, our risk prevention solution.

Key Indicators: Secret Key Exposure

  • Corvus research indicates 7% of organizations we scanned have secret keys exposed with potential for exploit

  • One percent of organizations have critical exposures, such as AWS API or s3 storage bucket keys exposed

 

Recent Articles

The Crucial First 48 Hours: Navigating Business Continuity and Disaster Recovery


The actions you take in the first 48 hours of a business disruption set the stage for recovery. Our guide to BCDR can help get you started.

Keep It Real: Avoid Falling for the Rise of Deepfake Phishing Scams


What if you suspected a phishing email, but your CFO confirmed it was legitimate? We'll explore the recent deepfake phishing attack and how to prevent it.

Q4 Ransomware Report: 2023 Ends as a Record-Breaking Year


In this report, we will highlight some more of our findings from Q4 2023 and also look at trends across 2023.