Ransomware attacks surged significantly in 2023, fueled by the exploitation of vulnerabilities (CVEs) and stolen login credentials.
In a recent report, cybersecurity firm Mandiant has shed light on the common initial access vectors for ransomware attacks in 2023. The findings suggest a shift towards using legitimate tools and known vulnerabilities by attackers to gain initial access to victim environments.
Legacy and Decommissioned Infrastructure as Easy Targets
According to Mandiant's research, exploitation of legacy or decommissioned infrastructure, stolen credentials tied to orphaned or unmanaged devices, and vulnerabilities in remote access technologies such as SSL VPN appliances are the most common initial access vectors for ransomware attacks. Attackers often gain initial access by leveraging exposed or poorly secured assets that organizations have failed to fully decommission or monitor.
Remote Access Infrastructure Exploits
Exploits against remote access infrastructure, such as SonicWall Secure Mobile Access appliances, have been used to establish initial footholds via administrator credentials and previously unknown vulnerabilities. The observed increase in attackers' reliance on legitimate tools likely reflects efforts to conceal their operations from detection mechanisms and to reduce the time and resources an intrusion requires.
Stolen Credentials: A Common Thread
Stolen credentials, sometimes linked to disabled or previously managed endpoints, also enable attackers to move laterally and escalate privileges after initial access. In almost 40% of incidents where the initial access vector was identified, threat actors used compromised legitimate credentials to gain access to victim environments.
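The two access patterns described above, logins sourced from hosts an organization believes it has retired and use of accounts that are disabled or have no owner, are both detectable by cross-referencing authentication events against an asset inventory and an identity directory. The following is an added example, not code from Mandiant's report; the inventory, the account statuses, the log line format and every sample value in it are constructed for illustration.

```python
"""Flag successful authentications that involve decommissioned or unmanaged
source hosts, or disabled/orphaned accounts, by cross-referencing auth log
lines with an asset inventory and an identity directory.

Added example. The inventory, directory, log format and sample values below
are all constructed placeholders, not data from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory: hostname -> lifecycle status.
ASSET_INVENTORY: Dict[str, str] = {
    "vpn-gw-01": "active",
    "vpn-gw-legacy": "decommissioned",  # believed retired, still reachable
    "ws-1042": "active",
    "ws-0077": "retired",
}

# Constructed identity directory: username -> account status.
ACCOUNTS: Dict[str, str] = {
    "jdoe": "enabled",
    "svc-backup-old": "disabled",
    "contractor42": "orphaned",  # no owner on record
}

# Constructed log format: "<ts> auth user=<u> src_host=<h> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src_host=(?P<host>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    host: str
    reasons: Tuple[str, ...]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one auth log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def assess_event(ev: Dict[str, str],
                 inventory: Dict[str, str] = ASSET_INVENTORY,
                 accounts: Dict[str, str] = ACCOUNTS) -> List[str]:
    """List the reasons an event is suspicious; empty list means it looks normal.

    A host absent from the inventory is treated as unmanaged, which is the
    case the inventory owner most needs to hear about.
    """
    reasons: List[str] = []
    host_status = inventory.get(ev["host"], "unknown (not in inventory)")
    if host_status != "active":
        reasons.append(f"source host {ev['host']} is {host_status}")
    acct_status = accounts.get(ev["user"], "unknown (not in directory)")
    if acct_status != "enabled":
        reasons.append(f"account {ev['user']} is {acct_status}")
    return reasons


def find_suspicious_logins(lines: List[str],
                           inventory: Dict[str, str] = ASSET_INVENTORY,
                           accounts: Dict[str, str] = ACCOUNTS) -> List[Finding]:
    """Scan log lines and return a Finding for each successful login that
    touches a non-active host or a non-enabled account. Failed attempts and
    unparseable lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        reasons = assess_event(ev, inventory, accounts)
        if reasons:
            findings.append(Finding(ev["ts"], ev["user"], ev["host"], tuple(reasons)))
    return findings


# Constructed sample log: one clean login, two that should be flagged,
# one failed attempt and one malformed line.
SAMPLE_LOG = [
    "2023-09-14T02:11:05Z auth user=jdoe src_host=ws-1042 result=success",
    "2023-09-14T02:13:40Z auth user=svc-backup-old src_host=vpn-gw-legacy result=success",
    "2023-09-14T02:15:02Z auth user=contractor42 src_host=unmanaged-laptop result=success",
    "2023-09-14T02:16:30Z auth user=jdoe src_host=ws-0077 result=failure",
    "this line is not an auth event",
]

if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.host}: " + "; ".join(f.reasons))
```

Run against the sample log it reports two events: the disabled service account logging in from the decommissioned VPN gateway, and the orphaned contractor account logging in from a host the inventory has never seen. The point of treating "not in inventory" as a finding rather than silently ignoring it is that an unmanaged device is exactly the kind of asset the report describes as an easy target.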
Exploited Vulnerabilities on the Rise
Exploited vulnerabilities accounted for almost 30% of ransomware attacks last year, up from 24% in 2022. This trend indicates a shift towards using less sophisticated methods like stolen credentials and known vulnerabilities, potentially making it harder for security measures to detect and prevent attacks.
Data Leak Sites as Pressure Tactics
Threat groups use data leak sites to make claims and ramp up pressure on alleged victims. There were 4,520 posts on data leak sites last year, a 75% increase from 2022. The highest volume of data leak site posts since Mandiant began tracking shaming sites in 2020 was observed last year.
Global Impact of Ransomware Attacks
The alleged victim organizations named on data leak sites spanned more than 110 countries last year, highlighting the global impact of these attacks. The number of posts on data leak sites surged to more than 1,300 in the third quarter, setting a quarterly record.
Mandiant's Investigations on the Rise
Mandiant led 20% more investigations involving ransomware in 2023 compared to the previous year. The firm attributes the surge in ransomware attacks to attackers using legitimate remote access tools to break into enterprise networks.
In summary, Mandiant's 2023 findings highlight initial access vectors primarily through legacy or abandoned IT assets, credential theft, and exploitation of remote access vulnerabilities as the most common entry points leveraged by ransomware operators. The report indicates a trend of attackers using less sophisticated methods, potentially making it harder for security measures to detect and prevent attacks.
- The use of legitimate tools and known vulnerabilities by attackers to gain initial access to victim environments is a shift noticed in the 2023 ransomware attacks, according to Mandiant's report.
- Attackers are exploiting vulnerabilities in remote access technologies such as SSL VPN appliances and administrator credentials to establish an initial foothold in ransomware attacks, the report indicates.
- Stolen credentials, linked to disabled or previously managed endpoints, have been frequently observed as a method used by threat actors to move laterally and escalate privileges in ransomware incidents.
- Exploited vulnerabilities accounted for nearly 30% of ransomware attacks last year, a significant increase from 24% in 2022, according to Mandiant's research.