Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort organizations in other ways.
Researchers from Kroll recently analyzed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.
For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IcedID malware — threat actors have been using both to drop other malware.
Multiple Attack Vectors
Kroll's analysis shows that attackers leveraged the initial foothold gained via phishing in multiple ways, including to drop ransomware and malware, and to extort without any ransomware or encryption.
In one incident that Kroll investigated during the first quarter, adversaries acquired an organization's global admin credentials after an IT employee at the company clicked on a phishing email the attackers had sent. The adversaries used the credentials to take over multiple email accounts belonging to other members of the IT team as well as the C-suite, and then used those accounts to download sensitive enterprise data. The attackers followed up with a demand for a ransom in exchange for stopping the attack.
In other instances, Kroll's researchers identified attackers breaking into a network by exploiting a vulnerability and then using that access to launch convincing-looking phishing campaigns. In one incident, the attackers exploited the ProxyShell vulnerability in Exchange Server to access the target network. Once inside, the attackers attempted to phish employees by attaching a malicious .zip file to a reply to a legacy internal email thread. The .zip file was disguised as an invoice, and appeared to be from a trusted internal source: Several users opened it and unknowingly downloaded IcedID on their systems. That organization was subsequently hit with the QuantumLocker ransomware two weeks later, Kroll said.
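The thread-hijacking lure above (an archive attached to a reply on a long-dormant internal thread) leaves a pattern that mail-flow tooling can check for. The script below is an added example, not Kroll's tooling or anything from the incident: it parses RFC 5322 messages with Python's standard `email` library and flags a reply whose parent message is older than a threshold and which carries an archive attachment. The domain `example.com`, the 90-day threshold, the `THREAD_INDEX` stand-in for a mail-store lookup, and the three sample messages are all constructed for the example.

```python
"""Heuristic detector for thread-hijacking phishing: an archive attachment riding on a
reply to a thread nobody touched for months. Example code with constructed inputs."""
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

INTERNAL_DOMAIN = "example.com"                 # assumed: the organization's own mail domain
STALE_THREAD_DAYS = 90                          # assumed threshold for a "legacy" thread
ARCHIVE_EXTS = (".zip", ".iso", ".img", ".7z")  # container types commonly used to smuggle loaders
LURE_WORDS = ("invoice", "payment", "remittance")

# Constructed stand-in for a mail-store query: Message-ID of an earlier mail -> when it was sent.
THREAD_INDEX = {
    "<orig-2021-q2@example.com>": datetime(2021, 5, 3, 9, 0, tzinfo=timezone.utc),
    "<orig-recent@example.com>": datetime(2022, 3, 20, 9, 0, tzinfo=timezone.utc),
}


def _archive_attachments(msg):
    """Filenames of MIME parts whose extension is in ARCHIVE_EXTS."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(ARCHIVE_EXTS):
            found.append(name)
    return found


def _parent_id(msg):
    """Message-ID this mail replies to: In-Reply-To, else the last References entry."""
    parent = msg.get("In-Reply-To")
    if not parent:
        refs = msg.get("References", "").split()
        parent = refs[-1] if refs else None
    return parent.strip() if parent else None


def analyze(raw, index=THREAD_INDEX):
    """Return a verdict dict for one message given as a raw RFC 5322 string."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    internal = sender.endswith("@" + INTERNAL_DOMAIN)
    attachments = _archive_attachments(msg)
    parent = _parent_id(msg)
    sent_at = index.get(parent) if parent else None
    received = parsedate_to_datetime(msg["Date"]) if msg["Date"] else datetime.now(timezone.utc)
    if received.tzinfo is None:                 # "-0000" dates parse as naive; treat as UTC
        received = received.replace(tzinfo=timezone.utc)
    age = (received - sent_at).days if sent_at else None
    stale = age is not None and age > STALE_THREAD_DAYS
    lure = any(w in (msg.get("Subject", "") + " " + " ".join(attachments)).lower()
               for w in LURE_WORDS)

    reasons = []
    if attachments:
        reasons.append("archive attachment: " + ", ".join(attachments))
    if parent and internal:
        reasons.append("reply from internal address")   # the trusted-looking source is the lure
    if stale:
        reasons.append(f"thread idle for {age} days")
    if lure:
        reasons.append("financial lure wording")
    # Rule: archive + reply to a stale thread. Internal origin and invoice wording are
    # recorded as context rather than required, so a hijacked partner mailbox also trips it.
    suspicious = bool(attachments) and stale
    return {"from": sender, "internal": internal, "attachments": attachments,
            "thread_age_days": age, "suspicious": suspicious, "reasons": reasons}


# Constructed sample messages (the base64 body is a placeholder, not real content).
HIJACK = """\
From: Alice Chen <alice.chen@example.com>
To: Bob Ruiz <bob.ruiz@example.com>
Subject: Re: Q2 invoice review
Date: Mon, 21 Mar 2022 10:15:00 +0000
Message-ID: <reply-hijack@example.com>
In-Reply-To: <orig-2021-q2@example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob, attaching the invoice we discussed. Please open and confirm.
--b1
Content-Type: application/zip; name="invoice_4471.zip"
Content-Disposition: attachment; filename="invoice_4471.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
RECENT_REPLY = HIJACK.replace("<orig-2021-q2@example.com>", "<orig-recent@example.com>") \
    .replace("invoice_4471.zip", "design-assets.zip").replace("10:15:00", "11:00:00")
STALE_PDF = HIJACK.replace("application/zip", "application/pdf").replace("invoice_4471.zip", "report.pdf")

if __name__ == "__main__":
    for label, raw in (("hijack", HIJACK), ("recent-reply", RECENT_REPLY), ("stale-pdf", STALE_PDF)):
        v = analyze(raw)
        print(f"{label:13} suspicious={v['suspicious']} reasons={v['reasons']}")
```

In production the `THREAD_INDEX` lookup would be a query against the mail store or message-tracking log, and a hit would be routed to detonation or quarantine rather than printed; the point of the rule is that it keys on a property of the thread, which awareness training cannot give users, rather than on the sender looking untrusted.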
Phishing was not the only tactic that attackers used to try to gain initial access to a target system or network. In several incidents that Kroll investigated, threat actors exploited widely publicized vulnerabilities such as ProxyLogon and Log4Shell to gain a foothold from which to drop ransomware such as Conti, AvosLocker, and QuantumLocker on target networks.
Patrick Harr, CEO at SlashNext, a provider of anti-phishing services, says current organizational defenses are not fully designed to protect against attacks that appear to originate from inside the organization. "You can’t stop phishing that comes from legitimate services with employee awareness training," he says. "As phishing continues to grow as a vector for ransomware attacks, zero-hour, real-time threat prevention solutions are critical to prevent these threats."
The broader adoption of work-from-home models over the past two years has also made it easier for attackers to target employees in phishing campaigns — and get away with it. "Remote work certainly created more opportunities for threat actors to execute [business email compromise] and other phishing attacks," says Hank Schless, senior manager of security solutions at Lookout. "Without being able to walk over to another person’s desk in the office, employees have a much harder time validating unknown texts or emails."
The increased reliance on smartphones and tablets for internal communications has created several issues, he adds. Spear-phishing attacks on mobile devices, for instance, are much harder to catch than on a desktop. Users also cannot preview link destinations or verify the sender's identity. So, a lot of the things that employees are trained to recognize as part of their phishing awareness training are hard or almost impossible to spot on a mobile device, Schless says.
Temporary Ransomware Drop-off
Kroll's analysis showed that ransomware attacks — as a proportion of all attacks — dropped 20% between the fourth quarter of 2021 and the first quarter of 2022 and 30% between the third quarter of 2021 and the first quarter of 2022. At least some of the drop-off in attacks appears to have resulted from law enforcement's disruption of malicious activity by groups such as REvil, Kroll said. Another factor that likely contributed to the slowdown in ransomware attacks was the voluntary exit from the scene made by groups such as BlackMatter, Kroll added.
However, early data from the second quarter of 2022 suggests that ransomware actors are regrouping and preparing to resume their usual level of activity soon, according to Kroll.
An earlier report from Digital Shadows noted a similar drop-off in ransomware incidents in the first quarter of 2022 but pointed to emerging trends in the space that could have implications for enterprise organizations. One example is the growing trend by ransomware groups to align themselves for or against Russia in that country's war against Ukraine.
Like Kroll, researchers from Digital Shadows also observed incidents involving extortion where no ransomware was deployed. One example cited by both companies was the attacks by a group identified as Lapsus$ (aka DEV-0537) that targeted several technology and security firms in the first quarter of 2022. In some of the incidents, the attackers defaced the websites of target organizations and claimed they had suffered a ransomware attack. In other instances, the group used stolen credentials to exfiltrate data and then threatened victims that it would release the data publicly unless paid a ransom.