The Rapid7 mid-year review of the threat landscape is not reassuring. Ransomware remains high, basic security defenses are not being used, security maturity is low, and the return on investment for criminality is potentially enormous.
The review is compiled from the observations of Rapid7’s researchers and its managed services teams. It finds there were more than 1500 ransomware victims worldwide in H1 2023. These included 526 LockBit victims, 212 Alphv/BlackCat victims, 178 Cl0p victims, and 133 BianLian victims. The figures are compiled from leak site communications, public disclosures, and Rapid7 incident response data.
These figures should be seen as conservative. They won’t include organizations that quietly and successfully pay the ransom as if nothing happened. Furthermore, downstream victims are still being calculated – for example, notes the report, “The number of incidents attributed to Cl0p in this chart is likely to be (significantly) low, since the group is still actively claiming new victims from their May 2023 zero-day attack on MOVEit Transfer.”
Ransomware is successful for two reasons: the very high profit potential for the criminals, and the inadequate security posture of many potential targets. Three factors illustrate the latter. Firstly, nearly 40% of incidents were caused by missing or lax enforcement of MFA (multi-factor authentication) – despite many years of exhortations to implement this basic defense.
Secondly, the general security posture remains low for many organizations. Rapid7 consultants have performed multiple security assessments for clients, “with only a single organization so far in 2023 meeting our minimum recommendations for security maturity, as measured against CIS and NIST benchmarks.”
While security for these companies may well improve after the assessment, the figures illustrate that a substantial number of organizations fail to meet minimum standards for security.
Thirdly, and reinforcing the second factor, old vulnerabilities remain successful for the attackers. “Two notable examples from 1H 2023 are CVE-2021-20038, a Rapid7-discovered vulnerability in SonicWall SMA 100 series devices, and CVE-2017-1000367, a vulnerability in the sudo command that allows for information disclosure and command execution,” says the report.
This doesn’t mean that new vulnerabilities haven’t been discovered and exploited in H1 2023. “Overall, more than a third of widespread threat vulnerabilities were used in zero-day attacks, which remain prevalent among exploited 2023 CVEs,” continues the report, adding, “Our team has also observed multiple instances of Adobe ColdFusion CVE-2023-26360 exploitation, which may indicate that the vulnerability is being exploited more broadly than the ‘very limited attacks’ Adobe disclosed in their advisory.”
However, organized crime (such as that behind the ransomware gangs) does not attack businesses simply because it can – it is driven by the profit motive. The Rapid7 report demonstrates just how profitable cybercrime can be.
Exploit brokers remain in demand on the dark web, selling numerous network device zero-day exploits for upward of $75,000. Rapid7 points out that even priced at ten times this amount, a single successful use in a ransomware attack would provide a sizable return on investment.
“In all likelihood, a threat actor like Cl0p would easily be able to afford a bevy of zero-day exploits for vulnerable enterprise software – enabling the group to hoard and hone proprietary capabilities while they conduct reconnaissance on high-revenue targets,” says Rapid7. “It’s not a theoretical use case, either; there are indications that Cl0p tested their zero-day exploit for MOVEit Transfer (CVE-2023-34362) for nearly two years before deploying it in a highly orchestrated attack over Memorial Day weekend this year.”
It is difficult to find much that is reassuring in this report. With huge financial incentive for cybercrime and continuing failure by organizations to implement even basic security defenses (such as MFA and patching) – and with increasing cloud complexity, shortage of skilled security labor, and economic uncertainty plaguing major cybersecurity investments, all complicating the picture – the overall cybersecurity landscape is likely to worsen before it improves.
SecurityWeek asked Caitlin Condon, head of vulnerability research at Rapid7, for her own takeaways from the report. “The fact that so many of the initial access vectors that our managed services team saw were the result of basic security hygiene not being present,” she replied.
“That’s not a number that we want to see. We don’t want to see so many preventable attacks when we know that there are so many complex attacks that organizations are also struggling with,” she continued. “But the good news is that, in theory, implementing something like MFA is a known quantity and a defined action that an organization is able to take if it wants to.”
Preventable attacks are succeeding, so the basics are still important. “Organizations are not powerless,” she added.