Threat Actors Target Public-Facing Apps for Initial Access


Threat actors are increasing their focus on exploiting public-facing applications to achieve initial access, according to Cisco Talos’ Incident Response Trends in Q4 2024 report.

The exploitation of public-facing applications was the most common method of gaining initial access in Q4 2024, making up 40% of incidents.

The researchers said this marked a “notable shift” in initial access techniques. Prior to this quarter, account compromise had been the researchers’ most observed method of initial access for over a year.

The growing use of web shells was a major driver for this trend. Web shells were deployed against vulnerable or unpatched web applications in 35% of incidents analyzed by Cisco Talos in Q4. This represents a significant increase from the previous quarter, when web shells were deployed in less than 10% of cases.

Threat actors utilized a range of open-source and publicly available web shells. The functionality of the web shells and targeted web applications varied across incidents, providing attackers with multiple ways to leverage vulnerable web servers as a gateway into a victim’s environment.

Decline in Ransomware Incidents

Ransomware and data theft extortion accounted for 30% of incidents Cisco Talos engaged with in Q4. This represents a fall from 40% in Q3 2024.

Attackers’ dwell times varied significantly this quarter, ranging from 17 to 44 days. Longer dwell times indicate that an adversary is seeking to move laterally, evade defenses and/or identify data of interest for exfiltration.

In one observed RansomHub incident, operators had access to the compromised network for over a month before executing the ransomware and performed actions such as internal network scanning, accessing passwords for backups and credential harvesting.

Attackers compromised valid accounts in 75% of ransomware incidents in order to obtain initial access and/or execute ransomware on targeted systems.

For example, RansomHub affiliates were seen leveraging a compromised administrator account to execute the ransomware, dump credentials and run scans using a commercial network scanning tool.

Cisco Talos observed the use of remote access tools in 100% of ransomware engagements in Q4. This represented a rise from the previous quarter, when it was only seen in 13% of incidents.

Splashtop was the most commonly used remote access tool, involved in 75% of ransomware cases.

Need for Properly Implemented MFA

Cisco Talos said its findings emphasize the importance of enforcing multi-factor authentication (MFA) on all critical services, including all remote access and identity and access management (IAM) services.

Despite the surge in exploitation of public-facing applications, account compromise continues to be an important tactic for initial access and post-compromise activity.

The researchers found that 40% of all compromises in Q4 involved misconfigured, weak or missing MFA. Additionally, none of the organizations impacted by ransomware had MFA properly implemented, or it had been bypassed via social engineering.