Vulnerabilities Now Top Initial Access Route For Ransomware

Threat actors are switching tactics to compromise their victims with ransomware, with more attacks now exploiting vulnerabilities rather than using phishing emails, according to Corvus Insurance.

The insurer analyzed claims data from this year to better understand threat actor activity.

It claimed that vulnerability exploitation rose as an initial access method from nearly 0% of ransomware claims in H2 2022 to almost a third in the first half of 2023.

This data may have been skewed by major campaigns such as the extortion attacks exploiting the MOVEit and GoAnywhere file transfer software this year. Nonetheless, it points to an evolution in threat activity.

Corvus also highlighted exposed cryptographic keys as another increasingly popular way for threat actors to compromise organizations. It claimed 7% of organizations it studied had at least one exposed secret, with the most common being Google API keys, JSON web tokens, Shopify domain keys and keys for AWS S3 buckets.


“But not all exposures are equal. Some do not give threat actors much to work with, and may never pose a problem for the organizations that exposed them. For about 1% of the organizations we studied, however, we located exposed keys that our security experts consider to be ‘critical’ and require immediate attention,” the firm explained.

“These include AWS API keys, keys to cloud storage buckets (AWS S3 and Google Cloud Storage), and API keys from a bevy of non-cloud provider services, like LinkedIn, Okta, Slack, MailChimp, Facebook, New Relic, Stripe, and Sauce Labs.”
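As an added example, not taken from the article or from Corvus, the following Python scanner shows one way a defender can detect the exposed key types named above in a repository or log export. It relies on the documented public formats of AWS access key IDs, Google API keys and JSON web tokens; the sample input and the key values in it are constructed placeholders, not real credentials.

```python
import re
from dataclasses import dataclass

# Detection patterns for the secret types named in the article. The prefixes
# are public format conventions: AWS access key IDs start with "AKIA", Google
# API keys with "AIza", and a JWT is three base64url segments whose header
# segment encodes '{"' and therefore starts with "eyJ".
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    masked: str  # the full secret is never stored or logged


def mask(value: str) -> str:
    """Keep enough of the value to locate it, not enough to reuse it."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(text: str) -> list:
    """Return one Finding per secret-shaped token, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, mask(match.group(0))))
    return findings


# Constructed sample input: placeholder values in the right shape, not real keys.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
GOOGLE_MAPS_KEY = "AIzaEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE"
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl
DEBUG=true
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(f"line {finding.line_no}: {finding.kind} ({finding.masked})")
```

Masking the matched value keeps the scanner's own report from becoming a second exposure when findings are stored or shared.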

Elsewhere, Corvus said social engineering has risen as a cause of insurance claims over recent quarters to comprise nearly half of all claims, as of Q3 2023. The share a year previously was around 35-38%, it added.

This makes social engineering responsible for nearly three times more claims than the next largest category, which is breaches at vendors or other third parties.

Interestingly, there were no reports of any social engineering-related breaches of Google Workspace policyholders, while Microsoft accounted for the vast majority.

“Even though Microsoft is the most prevalent business email provider used by our policyholders, we would have expected to see one in 10 of our social engineering claims from Google Workspace organizations,” Corvus said.