Publicly Available Applications and Compromised Credentials Account for 90% of Ransomware Attacks
According to recent findings by Kaspersky, 90% of ransomware attacks can be attributed to two main factors: publicly available application attacks and compromised credentials. This alarming statistic highlights the need for a comprehensive understanding of these vulnerabilities and the steps that can be taken to mitigate them.
Publicly Available Application Compromise: The First Front
The first major contributor to ransomware attacks is the compromise of publicly available applications. These applications, accessible over the internet, are a prime target for cybercriminals. In 2023, Kaspersky reported that half of all ransomware attacks began with a publicly available application being compromised. Ransomware attacks that exploit vulnerabilities in publicly available applications have become increasingly common in recent years. Here are some key points about this type of attack:
- Attack Vector: Cybercriminals target widely used applications with known vulnerabilities, such as web browsers, office software, file transfer, email, administration, content management systems, and others. They exploit these vulnerabilities to infiltrate systems and deploy ransomware.
- Patch Management: Organizations that fail to keep their software up-to-date and apply security patches promptly are more susceptible to these attacks. Cybercriminals actively search for systems running outdated, unpatched applications.
- Supply Chain Risk: Attackers may also compromise software update mechanisms or use stolen digital certificates to sign malware, tricking users into installing malicious updates that appear legitimate.
- High-Profile Incidents: Notable ransomware attacks involving application compromise include the WannaCry attack in 2017, which exploited a vulnerability in Microsoft’s SMB protocol, and the Kaseya VSA attack in 2021, where attackers exploited a zero-day vulnerability in the IT management software.
Compromised Credentials: The Second Front
The second major contributor to ransomware attacks is compromised credentials. In 2023, compromised credential attacks were identified as the second leading cause of ransomware incidents, accounting for a significant portion of the incidents reported. This highlights the importance of cybersecurity training and awareness programs for employees. Compromised credential attacks are a common tactic used by cybercriminals to gain unauthorized access to systems and networks. In these attacks, an attacker obtains valid login credentials (username and password) through various means and uses them to access sensitive systems, applications, or data. Here are some key points about this type of attack:
- Credential Theft: Attackers may steal credentials through phishing emails, social engineering, keyloggers, or by exploiting vulnerabilities in websites or applications that store user credentials.
- Credential Reuse: Many users reuse the same password across multiple accounts, making it easier for attackers to gain access to various systems once they have obtained a set of valid credentials.
- Credential Stuffing: In this technique, attackers use large collections of stolen credentials to automatically attempt logins across multiple websites or applications, hoping that some users have reused passwords.
- Password Spraying: This attack involves trying a single common password (e.g., “password123”) against many user accounts, avoiding account lockouts that may be triggered by multiple failed login attempts on a single account.
- Breached Password Lists: Cybercriminals often share or sell large collections of compromised credentials on the dark web, making it easier for other attackers to conduct credential stuffing or password spraying attacks.
Mitigating the Dual Threat: A Comprehensive Approach
To effectively combat the threats posed by publicly available application attacks and compromised credentials, organizations must adopt a multi-faceted approach to cybersecurity. Here are some key strategies to consider:
- Robust Patch Management:
- Implement a comprehensive patch management program to ensure all software and applications are up-to-date with the latest security patches.
- Prioritize patching critical systems and applications, particularly those accessible over the internet.
- Automate patch management processes where possible to reduce the risk of human error.
- Application Security Testing:
- Conduct regular security assessments and penetration testing of publicly available applications to identify and address vulnerabilities.
- Implement secure coding practices and perform code reviews to catch potential security flaws early in the development process.
- Network Segmentation and Access Control:
- Segment networks to limit the spread of an attack in case of a breach.
- Implement strong access control policies, granting users only the permissions necessary to perform their roles.
- Use network monitoring tools to detect and respond to suspicious activity promptly.
- Multi-Factor Authentication (MFA):
- Implement MFA for all user accounts, especially those with access to sensitive systems or data.
- Encourage the use of hardware-based security tokens or mobile app-based MFA solutions.
- Regularly review and update MFA policies to ensure they align with best practices.
- Password Hygiene and Management:
- Educate employees on the importance of using strong, unique passwords for each account.
- Implement password policies that require a minimum level of complexity and regular password changes.
- Encourage the use of password management tools to securely store and generate complex passwords.
- Employee Training and Awareness:
- Provide regular cybersecurity training to employees, covering topics such as phishing, social engineering, and password best practices.
- Conduct simulated phishing exercises to test employee awareness and readiness.
- Foster a culture of cybersecurity awareness, encouraging employees to report suspicious activities.
- Incident Response and Disaster Recovery:
- Develop and regularly test incident response plans to ensure a swift and effective response to ransomware attacks.
- Maintain offline backups of critical data and systems to enable rapid recovery in the event of a successful attack.
- Engage with cybersecurity experts and law enforcement agencies to stay informed about the latest threats and best practices.
- Third-Party Risk Management:
- Assess the cybersecurity posture of third-party vendors and partners with access to sensitive systems or data.
- Contractually require vendors to adhere to specific cybersecurity standards and participate in regular security audits.
- Monitor third-party access to systems and data, and revoke access promptly when no longer needed.
By implementing these mitigation strategies, organizations can significantly reduce the risk of falling victim to ransomware attacks stemming from publicly available application compromises and compromised credentials. However, it is crucial to recognize that cybersecurity is an ongoing process that requires continuous monitoring, adaptation, and improvement to keep pace with the ever-evolving threat landscape.