Backdoors were king in 2022, but ransomware not far behind

‘Today’s backdoor failures become tomorrow’s new ransomware crisis,’ says IBM X-Force head of strategy John Hendley.

While Mark Twain might be long gone, the rumors of ransomware’s death have been greatly exaggerated. Threat actor interest in backdoor deployment surged in 2022, but reports of ransomware’s demise are premature, IBM Security X-Force found in its 2023 Threat Intelligence Index.

According to the report, the number one “action on objective” taken by attackers in 2022 was deploying backdoors in target systems (21%). That’s in part because the perpetrators in question may have intended to wait to resell access to those backdoors to other cybercriminals on dark-net markets. X-Force researchers wrote that auction prices for these backdoors tend to start at between $5,000 and $10,000, although the final sales price may be lower.

Backdoors outpaced ransomware, which was the top action on objective in 17% of cases. However, X-Force concluded that many of those backdoor cases were incidents in which successful intervention by security teams prevented the attacker from carrying out “additional plans when the backdoor was operationalized.” Around two-thirds of those cases had indicators of intent to deploy ransomware, according to the report.

Defenders “are getting faster at identifying and stopping those threat actors at those initial stages,” John Hendley, head of strategy at X-Force, told IT Brew. “Attackers have always followed the money. And right now, backdoors are actually a pretty profitable commodity for cyber criminals.”

Hendley warned that despite increased success warding off ransomware, it’s not time to hang up “Mission Accomplished” banners. He pointed to X-Force research showing a 94% decrease in the duration of ransomware attacks from 2019 to 2021, which threat actors achieved largely via experience and cooperation.

“They’ve just gotten so much better at that operationalization of their practices, and a big piece of that plays into this affiliate model system that they’ve been using,” Hendley said.

The authors wrote that “observed extortion cases were most frequently achieved through ransomware or BEC [business email compromise], and often included the use of remote-access tools, cryptominers, backdoors, downloaders, and web shells.” Attackers also demanded payments to halt DDoS attacks or to prevent them from notifying the extortion target’s users and customers their data had been compromised, according to X-Force.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Unsurprisingly, human error continues to be a major cause of cyberattacks. X-Force found that spear phishing via attachments, links, or services was the initial access vector in 41% of observed attacks. Exploitation of public-facing applications (vulnerabilities) came in second at 26%, while external remote services came in third at 12%.

While X-Force tracked a continual upward trend in new vulnerabilities discovered from year to year, the researchers also wrote that the proportion of known and viable exploits for those vulnerabilities has been dropping (to 26% in 2022). The report attributed that trend to a mix of factors, including the rise of bug bounty programs and the simple fact that cybercriminals already have access to a plethora of widely known and well-established vulnerabilities to go after. However, it noted an upward trend in the severity of new vulnerabilities.

“Within some of the telemetry data that we monitor, we observed WannaCry ransomware traffic jumped 800% since April of last year,” Hendley said. X-Force continues to see older malware, like WannaCry and Conficker, released in 2017 and 2008 respectively, being fielded in large numbers.

“Cybercriminals already have access to thousands of exploits,” Hendley added. “You just don’t have to invest as much time or money to find new ones when the old ones are working really just fine.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
