Samira Sarraf
Regional Editor for Australia and New Zealand

Backdoor deployment overtakes ransomware as top attacker action

News Analysis
Feb 22, 2023 | 7 mins
Cyberattacks | Malware | Network Security

Thanks to the availability of malware such as Emotet, deploying backdoors on victims' networks is becoming easier and more lucrative for cybercriminals.


Deployment of backdoors on networks was the top action attackers made in almost a quarter of all incidents remediated in 2022. “Backdoors led to a notable spike in Emotet cases in February and March. That spike inflated the ranking of backdoor cases significantly, as those deployed in this timeframe account for 47% of all backdoors identified globally throughout 2022,” according to the newly released IBM Security X-Force Threat Intelligence Index.

“Increased backdoor deployment may also be due to the amount of money this kind of access can generate on the dark web. Compromised corporate network access from an initial access broker typically sells for several thousands of US dollars,” stated the report.

Ransomware, which had been the number one attack in 2021, came as a close second with 17% and business email compromise (BEC) followed with 6%. The study found 19 ransomware variants in 2022. LockBit variants comprised 17% of total ransomware incidents observed, up from 7% in 2021. Phobos tied with WannaCry for second at 11%. Many WannaCry cases were the result of infections from three to five years ago, taking place on old, unpatched equipment.

The top impacts of cyberattacks

Extortion was the main impact at 21% of incidents observed by X-Force. Extortion cases were often achieved through ransomware or BEC and often include the use of remote access tools, cryptominers, backdoors, downloaders, and web shells.

One tactic observed in 2022 was attackers making stolen data more accessible to downstream victims. “By making it easier for second-hand victims to identify their data among a data leak, operators seek to increase the subsequent pressure on the organization targeted by the ransomware group or affiliate in the first place,” the report found.

In second place came data theft with 19% followed by credential harvesting with 11%. Data thefts have not all resulted in data leaks, which happened in 11% of all the cyberattacks.

What IBM X-Force observed in the malware landscape

A 17% spike in the Raspberry Robin malware between early June and early August was identified in the oil and gas, manufacturing, and transportation industries. X-Force advises ensuring security tools block known USB-based malware (such as Raspberry Robin), implementing security awareness training, and disabling autorun features for any removable media.
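The autorun-disabling control recommended above can be audited and enforced with the Windows policy value that Group Policy's "Turn off Autoplay" setting writes. The script below is an added example, not code from the X-Force report; it assumes the documented NoDriveTypeAutoRun policy value, where 0xFF disables AutoRun on every drive type, and must run elevated to write HKLM.

```powershell
# Audit, and optionally enforce, the machine-wide AutoRun policy for removable media.
# NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun; 0xFF covers all types.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$Desired   = 0xFF

function Get-AutoRunPolicyState {
    # Read the current policy value; $null means the policy has never been configured.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Configured = ($null -ne $current)
        Value      = $current
        Compliant  = ($current -eq $Desired)
    }
}

function Set-AutoRunDisabled {
    # Create the policy key if absent and write the DWORD; HKLM policy overrides per-user settings.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Desired -PropertyType DWord -Force | Out-Null
}

$state = Get-AutoRunPolicyState
if ($state.Compliant) {
    Write-Output ('AutoRun already disabled for all drive types ({0} = 0x{1:X})' -f $ValueName, $state.Value)
} else {
    $shown = if ($state.Configured) { '0x{0:X}' -f $state.Value } else { 'not set' }
    Write-Output ('AutoRun policy non-compliant ({0} = {1}); enforcing 0xFF' -f $ValueName, $shown)
    Set-AutoRunDisabled
    $after = Get-AutoRunPolicyState
    Write-Output ('Post-remediation compliant: {0}' -f $after.Compliant)
}
```

The audit half can be run on its own (for example from an endpoint-management tool) to report hosts where the policy is missing or set to a weaker mask than 0xFF.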

IBM X-Force also noticed an increase in popularity of the Rust programming language with developers releasing Rust versions of their malware including BlackCat, Hive, Zeon, and RansomExx.

A “sudden” influx of Vidar InfoStealer was noticed in June through to early 2023. Vidar can be used to retrieve device information such as credit card information, usernames, passwords, and files. It can also take screenshots of the user’s desktop or steal Bitcoin and Ethereum cryptocurrency wallets.

Manufacturing is the most targeted OT industry

Of the operational technology (OT) industries, manufacturing experienced 58% of incidents X-Force helped remediate. In line with the main findings of the report, deployment of backdoors was the top action on objective, identified in 28% of cases in the manufacturing sector. X-Force believes this to be a favorite of ransomware actors likely due to these organizations’ low tolerance for downtime.

Spear phishing accounted for 38% of initial access vectors in OT-related industries, including use of attachments (22%), use of links (14%) and spear phishing as a service (2%). This was followed by exploitation of public-facing applications with 24%, detection of backdoors with 20% and ransomware with 19%. The most common impact of such attacks was extortion (29%) followed by data theft (24%).

For the second consecutive year, Asia-Pacific was the most attacked region in 2022 registering 31% of all incidents. This represents a 5% increase compared to 2021, according to the report. Japan was the epicenter of the Emotet spike in 2022.

Manufacturing was the most attacked industry in the region with 48% followed by finance and insurance with 18%. Other global trends also applied including spear phishing by attachment being the top infection vector at 40% and deployment of backdoors being the top action on objective at 31%.

Japan was the most targeted nation, accounting for 91% of the region's attacks, followed by the Philippines with 5%, and Australia, India, and Vietnam each at 1.5%. Europe was the second most targeted region with 28% of attacks. The region was the hardest hit by extortion, with 44% of all extortion cases observed. The top impact caused by attacks across the region was extortion (38%). The United Kingdom was the most attacked country in Europe, accounting for 43% of cases. Germany accounted for 14%, Portugal 9%, Italy 8%, and France 7%.

Professional, business, and consumer services tied with finance and insurance as the most attacked industries, each accounting for 25% of the cases to which X-Force responded. Manufacturing was second with 12% of cases, and energy and healthcare followed in third place at 10% each.

X-Force saw no evidence of widespread state-sponsored cyber activity following the invasion of Ukraine. However, it did find that Russia has deployed an unprecedented number of wipers against targets in Ukraine. The wipers were mostly used against Ukraine’s networks from before the country’s invasion through to March 2022.

One of the most prolific self-proclaimed hacktivist groups observed was Killnet, a Russia-sympathetic group that has claimed DDoS attacks against public services, government ministries, airports, banks and energy companies based in North Atlantic Treaty Organization (NATO) member states, allied countries in Europe, as well as in Japan and the United States.

North America experienced a slight increase in the number of incidents, with 25% in 2022 up from 23% in 2021. The region's most attacked industry was energy with 20% of attacks; manufacturing and retail-wholesale followed with 14% each, although manufacturing represents a 50% drop in cases when compared to 2021.

The US accounted for 80% of the region’s attacks and Canada 20%. The biggest impact in the region was credential harvesting (25%) and the top infection vectors were exploitation of public-facing applications at 35% and spear phishing attachments at 20%. Ransomware incidents accounted for 23% of cases.

In Latin America, retail-wholesale was the most attacked industry with 28% of cases followed by finance and insurance (24%) and energy (20%). Ransomware accounted for 32% of attacks and extortion was the most common impact at 27%. Brazil accounted for 67%, Colombia 17% and Mexico 8%. Peru and Chile split the remaining 8%.

Deployment of backdoors was detected in 27% of cases to which X-Force responded in the Middle East and Africa in 2022. Finance and insurance were the most targeted industries in the region, accounting for 44%. Saudi Arabia comprised two-thirds of the cases in the region to which X-Force responded. The remaining cases were split between Qatar, United Arab Emirates and South Africa.

What to do to secure your organization

X-Force makes six recommendations to help companies secure systems against malicious threats including those mentioned above.

Understand the data the company possesses. This is key to understanding what is being defended and the most critical data to the business. Managing assets has been, and still is, one of the biggest issues facing cybersecurity teams today, John Hendley, head of strategy at IBM Security X-Force tells CSO. “This is especially the case on the perimeter, where the presence of any vulnerabilities can introduce a foothold into your environment for threat actors. That’s why we’ve seen such a large shift in strategy for defenders, away from perfecting perimeter security and towards detection and response, including the principles behind zero trust.”

Know your adversary. Adopt a view that emphasizes the specific threat actors that are most likely to target your industry, organization, and geography. In Hendley’s words, CISOs need to adopt the hacker mindset. “Doing so makes you see your systems, your networks, and really the whole world in a new way. Red teaming your defenses—whether that be simply probing for vulnerabilities or misconfigurations, or more in-depth detection and response testing—can help you get that understanding.”

Better understand how threat actors operate. Identify their level of sophistication and know which tactics, techniques, and procedures (TTP) attackers are most likely to employ. “For example, the actions and tactics of threat actors targeting pharmaceutical companies for intellectual property will be a world apart from cyber gangs that target elementary schools with ransomware. Being sharp on who your adversary is can push defender teams to that next level,” Hendley says.

Maintain visibility at key points throughout the enterprise. Ensuring that alerts are generated and acted on in a timely manner is critical to stopping attackers.

Assume compromise. This ensures cybersecurity teams are constantly re-examining possible infiltration points, detection and response capabilities, and how difficult it is for an attacker to reach critical systems and data.

Apply threat intelligence. Analyze common attack paths, identify key opportunities for mitigating common attacks, and be prepared by developing an incident response plan.