Summary

This new pattern consists of more complex attacks, typically involving numerous steps. The majority of these attacks involve Malware (70%), usually of the Ransomware variety, but also of the Magecart attack type used to target payment card data in web applications. Hacking (40%) also appears in many attacks and most often consists of the Use of stolen credentials or Brute force attacks.

Frequency

3,710 incidents, 966 with confirmed data disclosure

Threat Actors

External (93%), Internal (8%), Multiple (1%) (breaches)

Actor Motives

Financial (95%), Espionage (6%) (breaches)

Data Compromised

Personal (48%), Other (35%), Credentials (33%), Payment (24%) (breaches)

Not only is this one of the “newer” patterns, it certainly is one of the more interesting ones to talk about, as you’ll see in a few. This pattern consists of the more complex attacks, often involving multiple steps as the attackers move through the environment to find the hidden stash of wealth.

In previous years, some of the incidents we discuss in this section would have fallen under the Cyber Espionage pattern, which would have captured most of the hijinks of Nation-states and their affiliated actors looking for Secrets. Still others would have been found in the Crimeware pattern, and lastly, the often-forgotten POS server attacks that target servers processing credit cards. Our new System Intrusion pattern is intended to capture those (sometimes only slightly) more elaborate “human-operated” attacks regardless of the motive the actors present. Without further ado, let’s get into the details.

Actors in chains

As “trained” data scientists when we’re presented with complex data and detailed charts like Figure 81, representing the event chains associated, we’ll go through and quickly triage potential key findings. We pull out gems like “there sure are a lot of colors” and “those lines definitely seem long” to see if they are indeed relevant or statistically significant. In this case, the lines are indeed long, indicating that a lot of the attacks within this pattern involve a variety of different actions done by actors until they finally achieve their goal. Only the Social Engineering pattern has a similar number of steps involved in both data breaches and incidents. In terms of colors, this pattern has a good combination of mostly Malware events, with some Hacking and a very small smattering of other Action types as a garnish.

Figure 82 describes this differently, and shows Malware being involved in over 70% of the cases and Hacking in over 40%. Lastly, at a very high level, we can tell that the vast majority of the incidents in this pattern are from Financially motivated External actors. The further we dig, the more interesting this pattern becomes.

When we did a deep dive into the data, we found that there are three main “components” that make up this pattern. The first is Ransomware, with 99% of the Ransomware cases falling into this one pattern. The second is Malware in general, and the third are Magecart attacks in which Web applications are compromised with a script to export data as it is processed. Let’s go over them.

We’re still writing about ransomware?

Unfortunately, this is a section that we’ve had to write consistently over the last few years and odds are that we’ll probably continue to write about this in subsequent reports. This year, we’re displeased to report that we’ve seen yet another increase in Ransomware cases, which has been continuing on an upward trend since 2016 and now accounts for 5% of our total incidents. The novel fact is that 9% of all breaches now involve Ransomware. This is because Actors have adopted the new tactic of stealing the data and publishing it instead of just encrypting it. These attacks have some variety in terms of how the Ransomware gets on the system, with Actors having strong preferences that can be broken into several vectors. The first vector is through the Use of stolen credentials or Brute force. We’ve seen 60% of the Ransomware cases involving direct install or installation through desktop sharing apps. The rest of the vectors that we saw were split between Email, Network propagation and Downloaded by other malware, which isn’t surprising as we found in our web proxy detections dataset that 7.8% of organizations attempted to download at least one piece of known Ransomware last year (Figure 83). For these types of incidents and breaches, we largely see servers being targeted, which makes sense considering that’s where the data is located.

Magecart attacks

The second attack type that we found in this pattern involved the targeting of Web applications processing payment cards. Now before you interrupt us and ask “but DBIR team, isn’t there a whole pattern dedicated to attacks against Web applications?” let us state that the incidents we discuss here are slightly different than those attacks based on a few key components. The biggest differentiator is the subsequent use of Malware to capture payment card data. In the System Intrusion pattern, we found that of the web servers targeted in this pattern, 60% had malware installed to capture app data and 65% of incidents involved payment cards. These types of attacks follow the trends of attack that we in the biz⁶⁹ have been calling Magecart-style attacks based on their original targets. For those who aren’t familiar with this attack archetype, attackers will exploit some vulnerability, then use stolen credentials or some other means to access the code of an e-commerce website that processes credit card data. By using that access to the code base or server, they will insert additional code that will ship off the payment data not only to the correct endpoint, but also to their own servers, thereby quietly siphoning off valuable data.

General malware

The final breakdown of this pattern involves the general use of Malware that is found on a system. In many of these situations, we may not necessarily know if that Malware would have been used to cause further damage down the road or if it was just there for the sake of being there, doing the kind of things Malware enjoys doing.⁷⁰ When we removed the Ransomware cases, we found that 40% of the Malware cases we had left involved the use of C2/Trojans/Downloaders. There was also an interesting split in terms of how the Malware arrived on the system. We found 30% of the malware was directly installed by the actor, 23% was sent there by email and 20% was dropped from a web application. While this probably doesn’t surprise many people, it does highlight the importance of having a robust defense to cover these three major entry paths for Malware.

When it comes down to the daily amount of malware incidents, Figure 84 shows that for the majority of organizations, this data has a whole lot of spikiness, which means some days it’s probably relatively quiet—until it’s not.

While we don’t necessarily know the severity of these malware events, we do know that data from botnet incidents we reviewed indicate that the majority of botnet infections only compromised three or fewer credentials. So, having malware in your environment, if properly cleaned and handled, probably isn’t the end of the world, but it’s best to not let it fester.

The big picture shifts.

In the last few iterations of this report, we have mentioned the decrease in the targeting of Payment data. We have continued to see this trend in this pattern and, as Figure 85 demonstrates – attackers are less likely to purely target Payment data and are more likely to broadly target any data that will impact the victim organization’s operations. This will increase the likelihood that the organization will pay up in a Ransomware incident. As we have often repeated, the monetization through Ransomware seems to have become the preferred method, and the targeting of data will shift to reflect that. The attacks that come out of this pattern impact all of the industries we track at some level, which shows the wide net that these Actors cast to turn a profit.

⁶⁹ There is no biz like Cyberbiz.

⁷⁰ Even Malware wants to live its best life.