Dive Brief:
- Threat groups deployed a range of web shells against vulnerable or unpatched web applications in 35% of incidents during the fourth quarter of 2024, according to a report by Cisco Talos. The deployments marked a sharp increase from the prior quarter, when the same activity was only seen in 10% of incidents.
- Meanwhile, hackers exploited public-facing applications to gain initial access in 40% of incidents in which the means of access could be determined. This marks a major shift from prior quarters, when initial access primarily came from the use of valid accounts.
- The report also showed remote access tools were leveraged in 100% of ransomware cases during the quarter, a huge increase from the prior quarter when those same tools were only seen in 13% of the cases. A remote desktop software called Splashtop was found in 75% of ransomware cases during the quarter.
Dive Insight:
The report highlights several important changes in tactics and the deployment of tools used by threat groups.
Cisco Talos researchers noted the use of web shells often ebbs and flows based on the threat groups deploying them as well as the development of exploits for recently discovered vulnerabilities.
“For example, in Q3 2023, attacks against web applications were the top-observed threat accounting for 30 percent of engagements,” Caitlin Huey, threat researcher at Cisco Talos, said via email. “After gaining initial access, adversaries leverage techniques such as launching web injection attacks, deploying web shells, and/or using commercial off-the-shelf frameworks that deploy web shells to maintain access to a system.”
Cisco Talos researchers also warned of a surge in password-spraying attacks that began in December, leading to account lockouts and VPN access being denied. In one case, an organization reported 13 million attempts against known accounts in a 24-hour period, a volume that strongly indicates the attacks were automated.
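The lockouts described above are the signature of a spray: many accounts each tried a few times from one source, as opposed to one account hammered until it locks. The following is an added example, not code from the article or from Cisco Talos, that separates the two patterns over a constructed set of VPN authentication log lines. The log format, hostnames, source addresses, usernames and thresholds are all assumptions for illustration.

```python
"""Password-spray vs. brute-force triage over VPN authentication failures.

Added example for illustration: the syslog-style line format, the hosts,
addresses, usernames and the thresholds are assumptions, not Talos data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (invented for this example).
#  - 203.0.113.10 tries six accounts, at most twice each: a spray.
#  - 198.51.100.7 hammers one account until it locks: brute force.
#  - 192.0.2.5 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-12-03T02:00:01Z vpn01 auth: FAILED user=alice src=203.0.113.10 reason=bad_password
2024-12-03T02:00:03Z vpn01 auth: FAILED user=bob src=203.0.113.10 reason=bad_password
2024-12-03T02:00:05Z vpn01 auth: FAILED user=carol src=203.0.113.10 reason=bad_password
2024-12-03T02:00:07Z vpn01 auth: FAILED user=dave src=203.0.113.10 reason=bad_password
2024-12-03T02:00:09Z vpn01 auth: FAILED user=erin src=203.0.113.10 reason=bad_password
2024-12-03T02:00:11Z vpn01 auth: FAILED user=frank src=203.0.113.10 reason=bad_password
2024-12-03T02:00:13Z vpn01 auth: FAILED user=alice src=203.0.113.10 reason=bad_password
2024-12-03T02:00:15Z vpn01 auth: FAILED user=bob src=203.0.113.10 reason=bad_password
2024-12-03T02:01:00Z vpn01 auth: FAILED user=carol src=198.51.100.7 reason=bad_password
2024-12-03T02:01:05Z vpn01 auth: FAILED user=carol src=198.51.100.7 reason=bad_password
2024-12-03T02:01:10Z vpn01 auth: FAILED user=carol src=198.51.100.7 reason=bad_password
2024-12-03T02:01:15Z vpn01 auth: FAILED user=carol src=198.51.100.7 reason=bad_password
2024-12-03T02:01:20Z vpn01 auth: FAILED user=carol src=198.51.100.7 reason=bad_password
2024-12-03T02:01:25Z vpn01 auth: FAILED user=carol src=198.51.100.7 reason=account_locked
2024-12-03T02:05:00Z vpn01 auth: FAILED user=grace src=192.0.2.5 reason=bad_password
2024-12-03T02:05:20Z vpn01 auth: OK user=grace src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?\s*$"
)

# Assumed tuning knobs. A spray deliberately stays under the per-account
# lockout threshold, so the tell is breadth (many accounts), not depth.
WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5    # distinct accounts hit from one source inside WINDOW
SPRAY_MAX_PER_ACCOUNT = 2 # per-account attempts a spray typically stays under
BRUTE_MIN_PER_ACCOUNT = 5 # one account hit this often from one source


def parse(log_text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def classify(log_text, window=WINDOW):
    """Return {src: finding} for sources whose failures look like a spray or brute force.

    For each source, every failure opens a sliding window of length `window`;
    the first window that meets a threshold produces that source's finding.
    """
    failures = defaultdict(list)
    for e in parse(log_text):
        if e["result"] == "FAILED":
            failures[e["src"]].append(e)

    findings = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            per_account = Counter(e["user"] for e in in_win)
            summary = {
                "accounts": len(per_account),
                "attempts": len(in_win),
                "lockouts": sum(1 for e in in_win if e["reason"] == "account_locked"),
            }
            if len(per_account) >= SPRAY_MIN_ACCOUNTS and max(per_account.values()) <= SPRAY_MAX_PER_ACCOUNT:
                findings[src] = {"kind": "password_spray", **summary}
                break
            if max(per_account.values()) >= BRUTE_MIN_PER_ACCOUNT:
                findings[src] = {"kind": "brute_force", **summary}
                break
    return findings


if __name__ == "__main__":
    for src, f in classify(SAMPLE_LOG).items():
        print(src, f)
```

The spray rule keys on breadth, so a single source cycling through a directory of known accounts is caught even when each account sees only one or two attempts. Under a lockout policy that rule fires before lockouts start; once lockouts are visible in the `lockouts` count, the source is already causing the denial-of-access effect the report describes. Real deployments also have to correlate across sources, since a spray run through a proxy pool will not exceed any per-source threshold.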