Cybercriminals move fast to exploit zero day flaws
The final quarter of 2021 saw a 356 percent growth in the number of attacks where the infection vectors were CVE or zero day vulnerabilities compared to Q3.
The latest Threat Landscape report from Kroll shows CVE/zero day exploitation accounted for 26.9 percent of initial access cases over the period, indicating that attackers are becoming more adept at exploiting vulnerabilities, in some cases leveraging them on the same day that the proof-of-concept exploit appears.
The professional services sector has been the most targeted by attacks over the quarter, followed by technology/telecoms, healthcare, manufacturing, financial services and education.
Despite the rise in CVE and zero day attacks, phishing remains a popular infection vector: even with a 12 point reduction compared to the previous quarter, it was still responsible for 39 percent of all suspected initial access methods during the final quarter of 2021.
There has been a slight drop in the number of ransomware attacks in Q4, but it remains the most popular attack type, accounting for 40 percent of all threats in Q4. Conti and LockBit are the top ransomware variants observed. In addition, splinter ransomware groups are emerging, in some cases selling on their initial access to other groups.
"It is no surprise that phishing and ransomware were heavily featured in the quarterly Kroll Threat Landscape Report, but the extent of regrouping and re-attacking done by cyber-criminal groups was unusual," says Keith Wojcieszek, managing director for cyber risk at Kroll. "While law enforcement made significant headway in disrupting attackers, the fact that we saw new ransomware variations and extortion sites, combined with splinter ransomware groups, demonstrates the agile operations and malicious intent of these criminal groups. Add this to the higher number of software vulnerabilities being exploited by ransomware operators and the speed at which they are compromised, and it underlines the importance of legislative action against attackers to take them out of operation completely."
The full report is available from the Kroll site.