
3 Ways Threat Actors Will Kick Off the New Year, According to Corvus Intel

Every few months we share a deep dive on cyber findings from our Claims and Threat Intel teams in the Corvus Risk Insights Index. (See last edition here). The CRII covers trends over the span of a year or more, which enables us to wait patiently for data to mature before we stake any claim — pun intended — about any cyber risk trends. 

But threat actors move faster than insurance claim cycles, so in our day-to-day we analyze a blend of recent (immature) claims data and external threat intelligence to find indicators of emerging trends that can help us make policyholders safer. As we head into the time of year that’s busiest for many organizations — and unfortunately, for threat actors, too — we thought we’d share a peek behind the curtain to those findings, in the form of some predictions. 

Which of these will make the cyber headlines of the future, and which will be merely blips on the radar screen? Grab a colleague, place your bets, and we’ll find out in a few months.

How threat actors will kick off the new year

We know threat actors will be active over the holidays (they tend to wait ‘til January to take PTO) but how will they focus their efforts? Here are three of our best guesses based on a blend of preliminary claims data and external threat intelligence. 

1. Going phishing (especially in Microsoft waters)

In recent months social engineering, the category that includes tactics like phishing and spearphishing, was the most frequently observed cause of claims cited in Corvus data. That’s not a surprise, since it’s been the leading cause in nearly every month for which we have data, going back several years. But the gap between social engineering and other causes of loss has been especially wide of late. 

Social engineering claims have risen as a share of claims to make up nearly half of all claims in recent months, after hovering around 35-38% for about a year prior. That gives social engineering nearly 3x the share of the next largest claim category. (That second category has in recent months been claims due to breaches at vendors or other third parties).

[BAR GRAPH] Causes of Loss in Corvus Claims from Social Engineering and All Other Attacks from Q4 2022 to Q3 2023

This gap has developed in spite of the wider adoption of anti-phishing training over the past few years. It seems that tried and true methods of exploiting human beings persist over time, even as security technologies and vulnerabilities come and go. 

An interesting wrinkle in this data is the prevalence of Microsoft products as the target for phishing efforts. What makes this interesting isn’t that Microsoft, the leader in the space with a market share somewhere between 40% and 50% of business email in the US, sees its customers targeted, but that there’s very little indication of this trend being present among organizations using the 2nd largest business email provider, Google.

In fact, Corvus has seen zero claims this year to date with social engineering as the cause of loss from organizations that were confirmed as customers of Gmail for their business email. Even though Microsoft is the most prevalent business email provider used by our policyholders, we would have expected to see 1 in 10 of our social engineering claims from Google Workspace organizations.

This finding is supported by external sources such as Expel’s Q3 Threat Report, which noted the prevalence of Business Email Compromise (BEC) within Microsoft email services: 

“All Q3 BEC attempts [among incidents we responded to] occurred in Microsoft 365 – we didn’t identify any incidents in Google Workspaces. We believe that’s due to Google Workspaces having more stringent security settings configured by default. We’re watching closely to see if that changes with the recent Basic Auth change for Microsoft 365.”

Security configurations will change over time, but for now we expect the success threat actors have had thus far to breed further social engineering of Microsoft organizations. Further investigation will be needed to understand the reason for such a wide discrepancy between the two largest cloud-based work tool companies. 

Key Indicators: Social Engineering

  • In recent months, the rate of claims with Social Engineering as the cause was 3x higher than the rate of the next-highest cause — a higher ratio than we’ve seen in the past

  • In our preliminary claims data for 2023, Corvus has seen no claims to date with a social engineering cause of loss on policyholders using Google Workspace as their email provider. 

    • While there are relatively few Google Workspace organizations among our policyholder base overall, the ratio would suggest that we should see at least 1 in 10 of our social engineering claims from Google Workspace organizations if they occurred at the same rate as other email providers. 


2. Exploiting external vulnerabilities to gain initial access for extortion attacks 

While social engineering rules in terms of the frequency of claims, we can’t forget about ransomware and other forms of extortion attacks. These types of attacks are vastly more expensive — on average 20x the cost of the average social engineering claim* — and more traumatic for organizations than other types of cybercrime, so we take a keen interest in what’s coming next in ransomware, especially in periods when activity is rising.

We look not only at trends in the types of ransomware used in attacks, but also the way attackers get into a victim’s system in the first place — the “method of initial access”. In some cases this can be difficult to determine through the fog of war, but whenever possible we collect it in order to form a more complete picture of attack trends and inform the risk prevention advice we provide our policyholders. 

According to Corvus data, back in 2022 the most common way ransomware threat actors gained initial entry into a victim’s system was through spearphishing, a form of phishing in which specific individuals are targeted with a specific message. Spearphishing via email attachments containing malware was the most common style. 

But this year there was a shift. If the trend holds, the leading method of initial entry for ransomware this year will be exploits of external vulnerabilities. Translated, this means attackers are getting access to systems by way of a vulnerability, such as a zero-day vulnerability. A zero-day is a security flaw in software or hardware that is unknown to the party responsible for the software’s security until after it is exploited by attackers. (Because of their inherent urgency, zero-day vulnerabilities are often the subject of threat alerts that Corvus sends to our policyholders — and very quickly, we might add!)

[BAR GRAPH] The two methods of initial entry leading to an extortion attack in H2 2022 and H1 2023

These attacks comprise nearly a third of the extortion attacks for which we have data on the method of initial entry this year, up from near zero in the second half of 2022. Examples of vulnerabilities we’ve seen exploited this year include the one discovered in MOVEit file transfer software in June, and one that Fortra discovered in its GoAnywhere file transfer solution. 

Given the success threat actors have found using zero-day vulnerabilities this year, especially in file transfer software, we’re looking out for their continued activity finding and exploiting vulnerabilities going forward.

Key Indicators: Initial Access Methods

  • Ransomware attacks, while much rarer than Social Engineering, cost 20x more on average

  • Spearphishing efforts were for a long period the most common way threat actors gained access to systems to deploy ransomware

  • Recently, exploits of external software vulnerabilities have spiked, now being the method of initial entry for 1 in 3 ransomware attacks (among those for which we were able to determine the method)

 

*Sub-limits applied to social engineering and some ransomware claims affect the average incurred costs for each category, so this finding may differ when observed outside of the insurance context. 

3. Exploiting back-end systems through exposed keys 

Exchanges of information between organizations are the foundation of the modern web. They are what enables cloud-based services to work, such as cloud hosting and storage, as well as front-end services like payment processing. Third-party services are critical to the function of millions of websites and web applications. 

A critical piece of these exchanges is “keys” (such as for API access) or security tokens (such as JSON Web Tokens). These are the equivalent of a “secret handshake” that proves both parties are allowed to exchange data. When handled properly, secrets are closely held, and remain (yes) secret. But with so many web and cloud services used by so many customers, there’s huge variation in the levels of skill, experience and support in their implementation and maintenance. Things can go awry. 

Sometimes keys are buried in code that ends up being put in a public repository, where a threat actor can use relatively simple search methods to identify these forgotten strings. In other cases threat actors will use specific tools designed to break into otherwise secure spaces and find keys. Exfiltrated data from ransomware victims is also a source. Threat actors who locate keys can put them to use for their own nefarious purposes, or sell access to them on dark web marketplaces where keys can fetch high prices because of the unique level of system access they can grant. 

This phenomenon has been observed by researchers for some time now. Our team believes that increased availability of tools and wider knowledge of the existence of so many relatively easy-to-obtain keys means that exposed keys may become more notable as a vector for attacks in the future. This area has been the subject of research by our teams and we’ve discovered a considerable number of critical keys available online. 

[CHART] Most common exposed secrets and most critical exposed secrets of organizations who experienced a cyber attack

The overall incidence of this kind of exposure is fairly common, found in about 7% of the population we’ve searched. Some of the most common exposed secrets were Google API keys, JSON web tokens, Shopify domain keys, and keys for AWS S3 buckets. 

But not all exposures are equal. Some do not give threat actors much to work with, and may never pose a problem for the organizations that exposed them. For about 1% of the organizations we studied, however, we located exposed keys that our security experts consider to be “critical” and require immediate attention. These include AWS API keys, keys to cloud storage buckets (AWS S3 and Google Cloud Storage), and API keys from a bevy of non-cloud provider services, like LinkedIn, Okta, Slack, MailChimp, Facebook, New Relic, Stripe, and Sauce Labs.
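One defensive check that follows from the exposure paths above (keys buried in code that reaches a public repository) and the secret types just listed: a small pre-commit style scanner that flags secret-shaped tokens in source text before it is pushed. This is an added example, not Corvus Signal™ or any Corvus tooling; the regexes are the publicly known token shapes used by open-source secret scanners, and the severity grouping and the `secret-scan:allow` pragma are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Token shapes for the key types named in the post. These are the well-known
# public formats used by open-source secret scanners (assumed here, not a
# vendor specification).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "slack_token": re.compile(r"\bxox[bp]-[0-9A-Za-z-]{10,}\b"),
}
# Triage grouping following the post's "critical" list (AWS and Slack keys);
# the rest are queued for review rather than blocked outright.
CRITICAL = {"aws_access_key_id", "slack_token"}
ALLOW_PRAGMA = "secret-scan:allow"  # hypothetical inline suppression marker


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    severity: str
    masked: str  # only the ends of the value are kept, never the full secret


def mask(value: str) -> str:
    return value[:4] + "..." + value[-4:]


def scan(text: str) -> list[Finding]:
    """Return every secret-shaped token in text, skipping allow-listed lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_PRAGMA in line:  # documented sample values, test fixtures, etc.
            continue
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                severity = "critical" if kind in CRITICAL else "review"
                findings.append(Finding(lineno, kind, severity, mask(match.group())))
    return findings


# Constructed sample source file; every value is fake and shaped only to match.
SAMPLE_SOURCE = "\n".join([
    'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"',
    'GOOGLE_MAPS_KEY = "' + "AIza" + "X" * 35 + '"',
    'session = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2lnbmF0dXJlX3BsYWNlaG9sZGVy"',
    'SLACK_BOT_TOKEN = "xoxb-000000000000-000000000000-placeholderplaceholder"',
    'DOC_KEY = "AKIAIOSFODNN7EXAMPLE"  # ' + ALLOW_PRAGMA + ' documented AWS sample',
    'version = "1.2.3"',
])

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.severity:8} {f.kind} {f.masked}")
```

Wiring `scan` into a pre-commit hook that exits non-zero on any `critical` finding stops the key from ever reaching the repository, which is cheaper than rotating it after a search engine has indexed it.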

Look out for more soon from Corvus on how we’re building this research into Corvus Signal™, our risk prevention solution.

Key Indicators: Secret Key Exposure

  • Corvus research indicates 7% of organizations we scanned have secret keys exposed with potential for exploitation

  • One percent of organizations have critical exposures, such as AWS API or S3 storage bucket keys exposed
