Dive Brief:
- Threat actors used phishing links or attacks in 71% of all security incidents in 2023, according to ReliaQuest’s Annual Cyber-Threat Report released Tuesday.
- Most of the tactics, techniques and procedures threat actors used last year to achieve initial access to a compromised environment were linked to user interaction or error, the report said. “This indicates attackers overwhelmingly gained initial access by exploiting the trust and vulnerability of unsuspecting individuals.”
- Phishing remains the most common route threat actors use to achieve initial access, accounting for 70% of all initial access related incidents last year, ReliaQuest said.
Dive Insight:
Phishing is a classic that never goes out of style. Social engineering tactics, such as tricking individuals to divulge sensitive information or grant access to secure systems, are popular among threat actors because they work.
These lures take advantage of human behavior and turn trust into a weapon.
“Phishing is commonplace because it requires little output or sophistication from the attacker, and due to human curiosity, it works,” Michael McPherson, SVP of technical operations at ReliaQuest, said via email.
Scattered Spider, a collection of threat actors responsible for major attacks against MGM Resorts, Caesars Entertainment and Clorox, are experts in social engineering and among the most noteworthy and active ransomware groups using these tactics at scale. The group deploys AlphV ransomware in some of its attacks.
ReliaQuest said Scattered Spider used social engineering last September to dupe a help-desk employee into resetting credentials and performed a multifactor authentication attack with those valid credentials. The specific target of the attack was not identified.
That access allowed Scattered Spider to execute code in the compromised environment by using cloud administrative commands to modify configurations in the Microsoft Azure platform, the researchers said. The ransomware group then obtained and reset the master passwords for the victim organization’s CyberArk and LastPass credentials via email verification.
“Human interaction and MFA attacks propelled the Scattered Spider group to achieve initial access in most of its high-profile attacks of 2023,” ReliaQuest said.
To combat phishing, ReliaQuest encourages organizations to focus on authentication techniques, including biometrics and reducing session token lifetimes. “These measures can greatly improve resilience to phishing and other common social engineering attacks,” McPherson said.