Palo Alto Networks Unit 42 report: Phishing and software vulnerabilities account for almost 70% of cyber incidents

The widespread exploitation of software vulnerabilities reflects the opportunistic behavior of attackers who scour the Internet for exploitable vulnerabilities and weaknesses, according to a new report from Palo Alto Networks. The 2022 Unit 42 incident response report offers a broad range of insights drawn from Palo Alto Networks’ extensive incident response work. Based on a sample of more than 600 incident response cases investigated by Unit 42, the report is designed to help CIOs and security teams understand the top security risks they face and prioritize resource allocation to mitigate those risks.

In this report, Unit 42 determined that the finance and real estate sectors were among those that received the highest average ransom demands, averaging around $8 million and $5.2 million, respectively. Overall, ransomware and business email compromise (BEC) were the two main types of incidents that the incident response team had to deal with in the last 12 months. They account for approximately 70% of incident response cases.

“Cybercrime is an easy business today due to its low cost and often high profitability. In this context, novice and unskilled attackers can get started with tools such as hack as a service, which are growing in popularity and available on the dark web,” said Wendi Whitmore, senior vice president and head of Unit 42, Palo Alto Networks. “Ransomware attackers have further enhanced their organization by offering customer service and satisfaction surveys when interacting with cybercriminals and victim organizations.”

The report looks at the following key trends:

Ransomware

The name of a new ransomware victim is published on leak sites every four hours. Detecting ransomware activity early is vital for businesses. Typically, attackers are discovered only after the files are encrypted and the victim company receives a ransom demand. Unit 42 found that the average dwell time, i.e. the time that threat actors spend in the target environment before they are detected, was 28 days for ransomware attacks. Ransom demands have reached $30 million, and the record amount actually paid by a victim is $8 million, figures that continue to rise compared to the findings of the 2022 Unit 42 Ransomware report. Increasingly, affected businesses can also expect attackers to use double extortion, threatening to publicly disclose their sensitive information if they refuse to pay the ransom.

BEC (Business Email Compromise)

Cybercriminals have used various methods to compromise company email accounts and commit email-based fraud. Forms of social engineering, such as phishing, are an easy, cost-effective way to gain covert access with a low risk of detection. According to the report, in many cases cybercriminals simply ask their unwitting targets for their credentials, and the targets hand them over. Once access is gained, the average dwell time for BEC attacks is 38 days and the average amount stolen is $286,000.

Affected sectors

Attackers target lucrative business sectors. However, many attackers act opportunistically and simply scan the Internet for systems that allow them to exploit known vulnerabilities. Unit 42 identified the most affected sectors among its incident response cases: finance, professional and legal services, manufacturing, healthcare, high tech, wholesale and retail. Organizations in these industries store, transmit, and process large amounts of sensitive, tradable information that attracts attackers.

The report also provides a few statistics that cyber attackers are happy to keep quiet about:

The top three initial access vectors used by attackers are phishing, exploitation of known software vulnerabilities, and brute-force attacks to steal credentials, primarily targeting Remote Desktop Protocol (RDP). Together, these three vectors account for 77% of the suspected root causes of intrusions.

ProxyShell accounts for more than half of all vulnerabilities exploited for initial access (55%), followed by Log4j (14%), SonicWall (7%), ProxyLogon (5%) and Zoho ManageEngine ADSelfService Plus (4%).

In half of the incident response cases, Unit 42 teams found that organizations had not implemented multi-factor authentication on mission-critical Internet-facing systems, such as corporate webmail, VPN (virtual private network) solutions, or other remote access solutions. In 13% of cases, they had no mitigation in place to lock out accounts in the event of credential brute-force attacks. In 28% of cases, poor patch management procedures made the attackers’ job easier. In 44% of cases, organizations did not have an endpoint detection and response (EDR) or extended detection and response (XDR) security solution. And even where such solutions were present, they had not been fully deployed on the systems initially affected, leaving them unable to detect and respond to malicious activity. 75% of insider threat cases involve a former employee.
