Three months, and 3.3 million thwarted cyberattacks—that’s the count from the recent BlackBerry Global Threat Intelligence report.
The report details an interesting spread of data covering the ransomware landscape, country- and industry-specific attack patterns, and a summary of actionable intelligence. Within the material are mentions of specific threat actor groups, related exploitable CVEs, and affected verticals like the healthcare and financial sectors. What sets the report apart is the global perspective; the data covers geographic regions marked by recent and ongoing conflicts.
Despite the magnitude of data, the question lurking around every corner of 2024 is about prevention at the ground level. Data theft and nation-state attacks are still happening due to weak passwords in Active Directory. The BlackBerry Global Threat Intelligence report is additional proof that businesses of all sizes need proactive defensive strategies in place.
Key Takeaways from the Report:
1. Security Isn’t Improving
The BlackBerry Threat Research and Intelligence team recorded 2.9 unique malware samples per minute over the quarter. Despite increased attention paid to compliance and regulations in several countries and an increasingly challenging threat landscape, we aren’t keeping up.
The number of attacks that BlackBerry customers are facing has substantially increased over the past three months and demonstrates an even wider diversification of attacks and types of tools deployed to bypass defensive controls, especially those used in legacy, signature-based solutions.
Healthcare and education are two sectors with prevalent legacy systems, as well as many government offices. Given the global nature of the report, and the state of the current threat landscape, understanding the interaction between international organizations becomes crucial if we seek to truly improve security on a worldwide scale. The report details one successful take-down of a threat organization, stating that it “highlighted the importance of collaboration among international law enforcement agencies in combating these types of threats.”
2. The Healthcare Sector Remains Vulnerable
The financial sector is one of the most targeted, according to the report, but in recent months the healthcare sector has ranked among the top targets for threat actors due to its pivotal role in delivering essential services—especially in locations and times of conflict—meaning there’s an understood higher likelihood of the victim paying a ransom request.
In the report, healthcare ranked “second in our list of most attacks stopped, but ranks first in terms of how many unique hashes we observed being used against the industry in this reporting period.” This indicates that healthcare organizations are receiving more targeted attacks.
Due to the combination of vital services (including reliance on uninterrupted power and internet connectivity) and the potential access of sensitive patient data (including names, dates of birth, credentials, identity numbers, insurance information, and so on) makes it a juicy, and frequent, target for ransomware groups. Personally identifiable information (PII) is highly lucrative as cybercriminals can use this data to commit fraud, blackmail patients, or simply sell it on the dark web.
3. Ransomware Attacks are Spreading
The emergence of Malware as a Service (MaaS) and Ransomware as a Service (RaaS) have significantly lowered the barrier to entry for cybercriminals. At the same time, ongoing releases and sales of credential data continue to spawn on the Dark Web. The mix of cheap and available services and credential availability have led to a perfect storm of ransomware. Sophisticated threat actor groups build custom tools to exploit devices, install malware, and move laterally.
The report also described what is now a ransomware double-hitter. Known as ‘double extortion schemes,’ threat actors will deploy ransomware and force organizations to pay twice—first to unlock their data to achieve business continuity, and again to prevent the attacker from selling the same data on to other cybercriminals.
Unfortunately, the report also noted that “it is becoming increasingly common to see reports of triple or even quadruple-extortion attacks.” The average cost of a ransomware attack in 2023 resulting in a data breach has been calculated at an astounding $4.45 million USD.
4. Credentials are a Consistent Culprit
Under the uncomfortable statistics of unpatched CVEs and vulnerable legacy systems is a constant, if simple, cause for concern. The report mentions several devastating examples of successful threat actor behavior that leveraged stolen credentials as an initial entry point into a system. For example, Volt Typhoon—a threat actor group based in China—achieves initial access through remote and hybrid employee devices to reach targeted organizations:
Volt Typhoon exploits Internet-connected small office and home office devices (SOHO) that often expose HTTP or SSH (Secure Shell) management interfaces to the Internet. The threat actor attempts to abuse any privileges afforded by a device by first extracting credentials to a Microsoft Active Directory account used by a compromised device, and then attempting to gain authenticated access to other devices on the network with those same credentials.
As security efforts grow more complex, and more internationally connected, the need to solve for the basics remains a constant.
The World Economic Forum’s 2023 Global Risk Report ranks the threat of cybercrime as one of the “most severe risks facing businesses, governments, and people.” To combat the rising threats, the BlackBerry report includes sections on common MITRE techniques, applied countermeasures, and remediation including a list of countermeasures for the observed techniques available on the public GitHub repository.