The number of incidents involving business email compromise (BEC) has doubled, replacing ransomware as the most common type of financially motivated cyber threat to organisations, according to new research. 

The growth in BEC was linked to a surge in successful phishing campaigns, accounting for 33% of incidents where the initial access vector (IAV) could be established, a near three-fold increase compared to 2021 (13%). 

With talk of advanced AI-driven threats dominating the cybersecurity industry, new research by the Secureworks Counter Threat Unit has revealed that most real-world security incidents have more humble beginnings highlighting a need for businesses to focus on cyber hygiene to bolster their network defences.

Between January and December 2022, Secureworks helped contain and remediate over 500 real-world security incidents. The data from these incidents was analysed by Secureworks CTU researchers to establish trends and emerging threats. 

An equally popular entry point for attackers both nation state and cybercriminal was to exploit vulnerabilities in internet-facing systems, representing a third of incidents where IAV could be established. Typically, threat actors did not need to use zero-day vulnerabilities, instead relying on publicly disclosed vulnerabilities such as ProxyLogon, ProxyShell and Log4Shell to target unpatched machines. 

The research found ransomware incidents fell by 57%, but remain a core threat. This reduction could be due as much to a change in tactics as it is to a reduction in the level of the threat following increased law enforcement activity around high-profile attacks, like Colonial Pipeline and Kaseya. Equally, gangs may be targeting smaller organisations, which are less likely to engage with incident responders.

"Business email compromise requires little to no technical skill but can be extremely lucrative," says Mike McLellan, Director of Intelligence at Secureworks.

"Attackers can simultaneously phish multiple organisations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models," he says.

"Let's be clear, cybercriminals are opportunistic not targeted. Attackers are still going around the parking lot and seeing which doors are unlocked. Bulk scanners will quickly show an attacker which machines are not patched. If your internet-facing applications aren't secured, you're giving them the keys to the kingdom," McLellan says. 

"Once they are in, the clock starts ticking to stop an attacker turning that intrusion to their advantage. Already in 2023, we've seen several high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging."

The report revealed hostile state-sponsored activity increased to 9% of incidents analysed, up from 6% in 2021. An overwhelming majority of which 90% were attributed to threat actors affiliated with China.

Financially motivated attacks accounted for most of the incidents investigated outside of state-sponsored activity, representing 79% of the total sample, which is lower than previous years. This could potentially be connected to the Russia / Ukraine conflict disturbing cybercrime supply chains. For instance, the leak of files connected to the Conti ransomware group took the group months to reconfigure and recover from, which could have influenced ransomware's overall decline.

"Government-sponsored threat actors have a different purpose to those who are financially motivated, but the tools and techniques they use are often the same," says McLellan. 

"For instance, Chinese threat actors were detected deploying ransomware as a smokescreen for espionage. 

"The intent is different, but the ransomware itself isn't. The same is true for the initial access vector (IAVs); its all about getting a foot in the door in the quickest and easiest way possible, no matter which group you belong to," he says.

"Once a state-sponsored actor is through that door, they are very hard to detect and even harder to evict. As states such as China, Russia, Iran, and North Korea continue to use cyber to advance the economic and political goals of their countries, it is even more important that businesses get the right controls and resources in place to protect, detect, and remediate attacks."

The report also showed that fundamental security controls in the cloud were either misconfigured or entirely absent, potentially because of a rushed moved to cloud during COVID-19. Multi-factor authentication (MFA) fatigue attacks whereby an attacker bombards a user with access requests in an attempt to browbeat them into submission were also on the rise.

To optimise security posture, Secureworks recommends that organisations ensure they have comprehensive visibility and intelligence-driven detection across their host, network, and cloud environments. Granular recommendations that facilitate preventing future reoccurrence include: centralised log retention and analysis across host, network and cloud resources and reputation-based web filtering and network detection for suspicious domains and IPs.