Technology Sector Faces 24% of Cyberattacks in Q2 2024
By Diego Valverde | Journalist & Industry Analyst - Wed, 08/14/2024 - 08:30
In Q2 2024, technology companies emerged as the most targeted sector for cyberattacks, accounting for 24% of incidents - a 30% increase from the previous quarter. Additionally, ransomware and business email compromise (BEC) dominated the threat landscape, together comprising 60% of cyber incidents during this period, with ransomware attacks showing a significant rise.
"Technology companies, by providing essential services and maintaining critical systems for other organizations, become strategic targets for cybercriminals," notes the Talos Incident Response report by Cisco. "The importance of these digital services and the potential impact of any disruption to their operation makes them more likely to pay ransom to avoid prolonged downtime."
The extensive digital assets managed by technology firms make them attractive to attackers. The report highlights that vulnerabilities in these systems can not only jeopardize the companies' data but also provide access to wider networks of clients and services. This strategic access allows cybercriminals to use tech companies as entry points to target other organizations, amplifying the impact of their attacks.
Ransomware and Email Compromise
The report notes that ransomware and BEC were the leading methods of cyberattacks. Ransomware attacks, which represented 30% of the total incidents, saw a 22% increase compared to the previous quarter. Ransomware groups have adopted new tactics, including using legitimate tools for persistence and lateral movement. Key ransomware groups mentioned in the report include:
- Clandestine Team: Utilized Secure Shell (SSH) to move laterally within networks, reactivated a disabled Active Directory account, and sent harassing messages to employees' personal emails to coerce compliance.
- BlackSuit: Gained access through a VPN lacking multifactor authentication (MFA), used AnyDesk for persistence, and moved laterally using legitimate binaries.
- Black Basta: Accessed systems via compromised credentials on a non-MFA-protected Remote Desktop Protocol (RDP) account and employed tools like PowerShell and Rclone for data exfiltration.
BEC attacks comprised 30% of the cyber incidents in Q2, down from 50% in the previous quarter. BEC typically involves compromising legitimate business email accounts to send phishing emails, gather confidential information, and make fraudulent financial requests. Notable techniques include:
- Smishing: Sending fraudulent text messages to extract personal information or credentials.
- Phishing via personal emails: Using fake emails sent to personal addresses to capture credentials.
- Modifying mailbox rules in Microsoft Outlook: Creating rules to redirect emails to hidden folders and send phishing messages from compromised accounts.
The report highlights common vulnerabilities, such as misconfigured systems and insufficient MFA implementation. These issues, which saw a 46% increase compared to the previous quarter, have facilitated both initial access and persistence by attackers.
In particular, the report notes that 80% of ransomware attacks were facilitated by inadequate MFA on critical systems like VPNs. Cisco recommends implementing MFA across all critical services, including remote access and identity management (IAM), as it is one of the most effective measures to prevent remote compromises.








