BEC attacks doubled in 2022, overtaking ransomware
Business Email Compromise (BEC) attacks doubled last year, outstripping ransomware as the most common cyber threat to organisations, according to a new report from Secureworks.
Between January and December 2022, the US cyber security firm’s Counter Threat Unit (CTU) helped isolate and remediate over 500 security incidents. The data was analysed by CTU researchers to establish trends and emerging threats.
According to Secureworks’ Incident Response report, the growth in BEC was linked to a surge in phishing campaigns, which accounted for 33% of incidents where the initial access vector (IAV) could be established, a near three-fold increase compared to 2021 (13%).
An equally popular entry point for attackers – both nation state and cybercriminal – was to exploit vulnerabilities in internet-facing systems, representing a third of incidents where IAV could be established.
“Business email compromise requires little to no technical skill but can be extremely lucrative. Attackers can simultaneously phish multiple organisations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models,” said Mike McLellan, director of Intelligence at Secureworks.
Typically, threat actors did not need to use zero-day vulnerabilities, instead relying on publicly disclosed vulnerabilities – such as ProxyLogon, ProxyShell and Log4Shell – to target unpatched machines.
By contrast, the report suggested ransomware incidents fell by 57%, yet stressed it remains a “core” threat.
The firm said this reduction could be due as much to a change in tactics as to a reduction in the level of the threat, following increased law enforcement activity around high-profile attacks such as Colonial Pipeline and Kaseya.
Equally, gangs may be targeting smaller organisations, which are less likely to engage with incident responders (meaning they would fall outside the scope of the report).
“Let’s be clear,” McLellan continued, “cybercriminals are opportunistic – not targeted. Attackers are still going around the parking lot and seeing which doors are unlocked. If your internet-facing applications aren’t secured, you’re giving them the keys to the kingdom.”
Once they are in, the director said, you’re working against the clock to stop an attacker turning that intrusion to their advantage.
“Already in 2023, we’ve seen several high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging.”
The report also found that hostile state-sponsored activity increased to 9%, up from 6% in 2021. The majority of this activity (90%) was attributed to threat actors affiliated with China.
Financially motivated attacks accounted for most of the incidents investigated outside of state-sponsored activity, representing 79% of the total sample, which is lower than in previous years.
This could potentially be connected to the Russia / Ukraine conflict disturbing cybercrime supply chains, Secureworks said. For instance, the leak of files connected to the Conti ransomware group took the group months to reconfigure and recover from, which could have influenced ransomware’s overall decline.