The Cisco Talos Incident Response (CTIR) team, backed by the world’s largest commercial threat intelligence organization, has released its quarterly Threat Assessment Report. Cisco Talos observed a variety of attacks, with ransomware being the quarter’s most dominant threat.
According to CTIR, ransomware accounted for almost half of all incidents, more than triple the share of the next most common threat. Actors targeted a broad range of verticals, including transportation, utilities, health care, government, telecoms, technology, machinery, chemical distribution, manufacturing, education, real estate and agriculture. However, health care was targeted the most of all verticals for the third quarter in a row, with government the second most targeted.
Commenting on Talos’s Threat Assessment Report, Fady Younes, Cybersecurity Director at Cisco Middle East and Africa said: “There are many reasons why actors are continuing to target the health care industry, including the COVID-19 pandemic incentivizing victims to pay to restore services as quickly as possible. On a positive note, there were several pre-ransomware events in which timely detection via Cisco Secure products, along with quick remediation led to containment of the incident before encryption could occur.”
Ransomware actors used commercial tools like Cobalt Strike, open-source tools and tools native to the victim’s device. Other observed threats included the exploitation of known vulnerabilities, cryptocurrency mining and account compromise. Interestingly, there were multiple incidents involving trojanized USB drives, an older attack vector not seen in many years.
The lack of multi-factor authentication (MFA) remains one of the biggest impediments to enterprise security. CTIR frequently observes ransomware incidents that could have been prevented if MFA had been enabled on critical services. CTIR urges organizations to implement MFA wherever possible.