Cisco Talos Report: More and more attacks on web applications
According to the new Cisco Talos analysis of global threat vectors, attacks on web applications increased sharply in the third quarter of 2023. The sectors most affected by attacks were telecommunications and education. The lack of multi-factor authentication remains one of the biggest vulnerabilities.
Cisco Talos has presented its quarterly threat analysis for the third quarter of 2023. During this period, 30 percent of all incidents were attacks on web applications, a notable increase from 8 percent in the previous quarter. These activities involved injection attacks, including SQL injection, and the use of web shells.
Ransomware remains a constant threat and accounted for 10 percent of incidents. During Q3, which covered the months of July, August and September, the LockBit and BlackByte ransomware families were active as in previous quarters. However, for the first time, the Talos team observed a new variant of BlackByte ransomware, which appeared under the name BlackByte NT.
The analysis shows that misconfigured applications and the lack of multi-factor authentication (MFA) are the two most important security vulnerabilities. "All organizations should implement some form of MFA as it is an effective protection mechanism to prevent unauthorized access to systems and data," says Roman Stefanov, Head of Cyber Security Sales at Cisco Switzerland. However, he points out that you still need to be careful. "Attackers try to trick users with so-called exhaustion attacks, i.e. many push messages at the same time. It is crucial to remain vigilant."
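The push-flooding pattern Stefanov describes leaves a recognizable trace in MFA provider logs: several prompts to one user inside a short window, often ending in an approval after a run of denials or timeouts. The following detection sketch is an added example, not code from the Talos report or from Cisco; the log format, field names, 5-minute window and 3-prompt threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (assumption: one event per line,
# fields = timestamp, user, action, outcome). Not real data.
SAMPLE_LOG = """\
2023-09-12T08:01:10 alice push_sent denied
2023-09-12T08:01:40 alice push_sent denied
2023-09-12T08:02:05 alice push_sent timeout
2023-09-12T08:02:30 alice push_sent denied
2023-09-12T08:03:02 alice push_sent approved
2023-09-12T09:15:00 bob push_sent approved
2023-09-12T11:40:00 carol push_sent denied
2023-09-12T14:10:00 carol push_sent approved
"""

def parse_log(text):
    """Turn the constructed log format into (timestamp, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, _action, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome))
    return events

def find_push_fatigue(events, window=timedelta(minutes=5), min_prompts=3):
    """Return {user: (max_prompts_in_window, approved_after_rejections)} for
    every user who received at least `min_prompts` pushes within `window`.
    The boolean marks the riskier case: an approval that follows earlier
    denials/timeouts in the same burst (the user may have accepted just to
    make the prompts stop), which deserves a session review, not just a log."""
    by_user = defaultdict(list)
    for ts, user, outcome in events:
        by_user[user].append((ts, outcome))
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the burst fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= min_prompts:
                rejected_before = any(o != "approved" for _, o in burst[:-1])
                approved_last = burst[-1][1] == "approved"
                count, flag = alerts.get(user, (0, False))
                alerts[user] = (max(count, len(burst)),
                                flag or (rejected_before and approved_last))
    return alerts
```

On the sample above only alice is flagged: five prompts in under two minutes, with the final approval following four rejections.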
Telecommunications and education in focus
According to Talos, the telecommunications and education sectors were targeted the most. Each of these sectors accounted for 20 percent of incidents. Both individual threat actors and groups with different motives and expertise were active.
Telecommunications companies are attractive targets due to their control over multiple critical infrastructure assets. They serve as an entry point for attackers to access other companies, subscribers or third-party providers. These organizations often hold large amounts of customer data that are frequently targeted by financially motivated cybercriminals such as ransomware groups.
Educational institutions are attractive to cybercriminals because they hold large amounts of personally identifiable student data, and research institutes among them hold valuable intellectual property. Many educational organizations have a limited budget for cybersecurity, which can limit their ability to defend themselves.
The previously unknown APT (advanced persistent threat) group "ShroudedSnooper" was also newly discovered in the third quarter of 2023. It targets telecommunications companies and thus follows a trend towards highly sophisticated attacks in this sector. As part of this activity, ShroudedSnooper deployed two new backdoor implants called "HTTPSnoop" and "PipeSnoop". These backdoors interact with Windows HTTP kernel drivers and devices to monitor incoming requests for specific HTTP(S) URLs and execute the content those requests carry on the infected endpoint.
Source: www.cisco.com