Web shell attacks as new top threat
The number of attacks via web shells increased at an above-average rate in the first three months of 2023. According to analyses by Cisco Talos, this form of attack was responsible for a quarter of all incidents investigated by the Incident Response Team in the first quarter of 2023.
Threat intelligence company Cisco Talos has published its quarterly threat intelligence analysis for the first quarter of 2023. According to the report, publicly available web applications were a major target of threat actors during this period. Nearly half of all attacks (45 %) use such applications as an initial vector to gain access to systems. Compared to the previous quarter, this represents an increase of 15 %. Many of these attacks used web shells that compromised servers accessible via the Internet. Generally speaking, a web shell is a malicious script that masquerades as a legitimate file, opening a backdoor to the web server. Web shells are usually "left behind" for further attacks after an already successful infiltration. According to the Talos researchers, attackers benefited from the fact that many web application user accounts were only protected with weak passwords or single-factor authentication.
Strengthened ransomware defenses thwarted greater successes
The threat from ransomware remains high. Even though Cisco Talos observed a general decline in successful extortion cases in the first quarter of 2023, ransomware activity remains high overall. So-called "pre-ransomware" activities accounted for approximately one-fifth of all attacks, so a rise in successful attacks can be expected again in the coming months. Cisco Talos was able to attribute many of the preparatory attack activities to well-known ransomware groups such as Vice Society. According to the researchers, the quick intervention of security teams at victim companies helped contain attacks before encryption could take place. In the first quarter of 2023, healthcare was the primary target for criminals, followed closely by retail, real estate and hospitality.
OneNote documents as a weapon
So-called "commodity malware" was already on the rise last year. It is widespread and can be purchased or downloaded for free. Commodity malware is usually not customized and is used by threat actors at various stages of their activities. In the first quarter of 2023, previously sighted commodity loaders such as Qakbot now appeared again in greater numbers. Qakbot frequently made use of malicious OneNote documents in the process. The use of malicious OneNote attachments was also observed in other attack attempts. So, threat actors, according to Talos' analysis, continue to experiment with file types that do not rely on macros. Microsoft had begun disabling macros by default in its applications in July 2022. Other applications that carry and manage other files are also affected.
More results
The first quarter of 2023 brought further findings. For example, thirty percent of the observed attack cases either did not have multi-factor authentication (MFA) enabled or had it enabled for only a few accounts and critical services. Further, the open source toolkit Mimikatz was used in nearly 60 percent of ransomware and pre-ransomware deployments this quarter. Mimikatz is a widely used post-exploitation tool that steals login IDs, passwords, and authentication tokens from compromised Windows systems.
But there is also more encouraging news: Recent law enforcement successes in breaking up large ransomware gangs (e.g., Hive) are having an impact. However, this creates room for new families or the formation of new partnerships. For example, a new Ransomware-as-a-Service (RaaS) family appeared in Q1/2023 with Daixin Ransomware.
Source: Cisco
