As we learned in our annual spotlights on Germany and Spain, there are a variety of cyber threats currently targeting European organizations - from a multitude of directions. In this article, we explain some of the most common cyber attack vectors threatening businesses in 2022, and how malicious actors are utilizing them.
Social engineering is a broad term that we're using today to cover a variety of attack vectors. These include terms you will have likely heard before such as phishing or spear-phishing, but it also covers smishing, business email compromise (BEC), watering hole attacks and anything else that involves the manipulation of a person.
In fact, according to the Identity Theft Resource Center's 2021 Data Breach Report, smishing, phishing and BEC were the most common cause of cyber breaches in 2021 (33%), higher even than ransomware (22%).
They all work a little differently, but with the same objective. Social engineering attacks generally try to manipulate a person's actions by tricking them. Often attackers will put content in front of the target victim posing as genuine and trustworthy. The victim will have been lured into engaging with this content, clicking through to a website or downloading a file, allowing the attackers to either steal credentials (see below) or install malware onto the target device.
But social engineering isn't just scam emails and fake websites
Targeted social engineering campaigns can have long lead times, where attackers scope out potential victims, find vulnerable but valuable targets, build trust using a variety of techniques - such as fake social media profiles purporting to be journalists or industry peers - and then bait the victims into the trap. This process can take weeks, even months.
An attacker highly skilled in social engineering may not even need spoofed content, if they can convince someone via phone or private messaging to hand over their details willingly.
Before we move on, we need to warn you in a bit more detail about the threat of business email compromise (BEC).
Ransomware (see below) tends to grab most of the big media headlines, but it's not the top scam in terms of financial loss. BEC, which almost nobody really talks about, costs significantly more per year: in the US alone, the FBI noted that BEC cost organizations US$2.4 billion in 2021 - ransomware only cost $42 million.
BEC is where cyber criminals send company employees emails with a specific request, pretending to be from a legitimate source (such as someone else in the company, a known vendor, etc.). It could be a request for a money transfer, a fraudulent invoice with an urgent payment deadline, or perhaps an order to go and buy a bunch of gift cards that will be used as "employee rewards". Of course, all the money goes to the scammer.
Often BEC scammers use fake email addresses and hope no one will double-check the name. Other times they use real email accounts - scamming a real employee out of their credentials, logging into their account, and sending fraudulent messages from it. This latter method is exceedingly dangerous, and hard to spot, because it means the scam comes from a trusted source.
There is another type of BEC called conversation hijacking, where a scammer using someone else's account will jump into an existing email chain with their financial request.
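The header-level checks a mail gateway or SOC can run against the BEC patterns described above (lookalike sender domains, a display name that claims a trusted address the real sender lacks, replies redirected elsewhere, and payment or urgency wording on top of any of those) can be shown in a short script. This is an added example, not dig8ital's tooling or anything quoted on this page; the trusted domains, the sample messages and the keyword list are constructed for illustration. It cannot catch the compromised-real-account case the text calls hard to spot, since those headers are genuine.

```python
"""Header-level BEC triage (added example, not dig8ital's tooling).

Flags sender domains that imitate a trusted domain, display names that carry
a trusted address the real sender lacks, Reply-To redirection, and payment or
urgency wording on top of any header finding. Domains and messages below are
constructed, not real mail.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed: domains this organisation treats as genuinely trusted.
TRUSTED_DOMAINS = {"acme-corp.example", "steel-vendor.example"}

# Digit-for-letter swaps commonly used to build lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Wording typical of the requests described above (constructed list). Only
# counted alongside a header finding, so an ordinary invoice is not flagged alone.
REQUEST_WORDS = ("wire", "invoice", "gift card", "payment", "urgent")


def normalise(domain: str) -> str:
    """Lower-case, fold confusable digits and collapse 'rn', which reads as 'm'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is clean."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        # Exact match after folding, trusted name embedded in a longer domain,
        # or a two-edit typosquat. The threshold is a heuristic, tune it per domain.
        if trusted in folded or edit_distance(folded, trusted) <= 2:
            return trusted
    return None


def assess_sender(raw_message: str) -> List[str]:
    """Return human-readable findings for one RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike domain: {from_domain} imitates {imitated}")

    # Display name shows a trusted address while the real address is elsewhere.
    for trusted in TRUSTED_DOMAINS:
        if trusted in display_name.lower() and from_domain != trusted:
            findings.append(f"display name claims {trusted} but address is {from_domain}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"replies redirected to {reply_domain}, sender is {from_domain}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    words = [w for w in REQUEST_WORDS if w in text]
    if words and findings:
        findings.append("financial request wording: " + ", ".join(words))
    return findings


# Constructed sample messages.
LEGIT = (
    "From: Jane Doe <jane.doe@acme-corp.example>\n"
    "Subject: Q3 numbers\n\nSee attached.\n"
)
LOOKALIKE = (
    "From: Jane Doe <jane.doe@acrne-corp.example>\n"
    "Reply-To: jane.doe@acrne-corp.example\n"
    "Subject: Urgent wire\n\nPlease pay the attached invoice today.\n"
)
SPOOFED_NAME = (
    'From: "jane.doe@acme-corp.example" <ceo.office@freemail.example>\n'
    "Reply-To: payments@another.example\n"
    "Subject: Gift cards\n\nBuy 10 gift cards for employee rewards.\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed name", SPOOFED_NAME)):
        print(label, assess_sender(sample) or ["clean"])
```

Running the script prints no findings for the legitimate message, a lookalike-domain finding plus the request wording for the second, and three findings for the third (display-name spoofing, Reply-To redirection, gift-card wording). In production the trusted list would come from the directory and the verdict would feed a quarantine or banner rule rather than a print.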
Misconfiguration is the umbrella term for poorly configured systems in an organization, and cloud storage has become an increasingly common example. Because the cloud is accessible by design, it's easy to get the security settings wrong and leave company data exposed, giving non-employees full or partial access.
The big cloud providers like Amazon and Google do have highly secure servers, yes. Misconfiguration isn't a problem at their end but at the user's end, where incorrect settings can, for example, leave a private folder set to public so that anyone can get into it with just a link.
To put it into perspective: the cost of issues due to misconfigured cloud servers is 12 times higher than worldwide investment in cloud (DivvyCloud). Additionally, 80% of companies have experienced a cloud data breach within the past 18 months and the leading cause was misconfiguration (67%) (IDC).
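The "private folder set to public" mistake above has a concrete shape on Amazon S3: either the bucket policy grants access to the `*` principal, or the bucket ACL grants a permission to the AllUsers or AuthenticatedUsers group. The following added example (not dig8ital's tooling, and not code from this page) checks both documents offline against constructed JSON, showing the weak setting beside the corrected one. The account ID, bucket name and owner ID are placeholders; in practice the two documents would be fetched from the provider's API.

```python
"""Static check for an S3 bucket left readable by anyone (added example,
not dig8ital's tooling). Evaluates the two places a bucket can be opened up,
the bucket policy and the bucket ACL, against constructed JSON documents.
"""
import json
from typing import Any, Dict, List, Tuple

# Real S3 grantee group URIs: anyone on the internet, and any AWS account at all.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def policy_findings(policy: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (statement id, reason) for every Allow statement open to the world."""
    out = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        actions = ", ".join(_as_list(st.get("Action", [])))
        if st.get("Condition"):
            # A condition narrows the grant (e.g. to a VPC endpoint) but may be weak; review it.
            out.append((sid, f"public principal with condition, actions: {actions}"))
        else:
            out.append((sid, f"public principal, no condition, actions: {actions}"))
    return out


def acl_findings(acl: Dict[str, Any]) -> List[str]:
    """Return the permissions granted to either public grantee group."""
    return [
        g.get("Permission", "?")
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
    ]


def is_exposed(policy_json: str, acl_json: str) -> bool:
    """Combined verdict for one bucket from its raw policy and ACL documents."""
    return bool(policy_findings(json.loads(policy_json)) or acl_findings(json.loads(acl_json)))


# Constructed: the weak setting ("anyone with the link") beside the corrected one.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead", "Effect": "Allow",
        # Placeholder account ID: only one named role may read.
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
WEAK_ACL = json.dumps({"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]})
FIXED_ACL = json.dumps({"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
]})

if __name__ == "__main__":
    print("weak  exposed:", is_exposed(WEAK_POLICY, WEAK_ACL))    # True
    print("fixed exposed:", is_exposed(FIXED_POLICY, FIXED_ACL))  # False
```

A statement with a public principal and a Condition is reported separately rather than ignored, because a condition can be as narrow as a VPC endpoint or as weak as a Referer header; it needs a human look. Running this across every bucket on a schedule is the cheap control for the 67% figure quoted above.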
'Malware' is a general name used to describe infectious software that causes harm to, spies on or disrupts a system. Computer viruses are one type of malware, although there are many others.
Malware is the classic cyber attack vector, having been around basically since the dawn of the world wide web. Even now with all our advanced anti-malware software, it's still a huge issue - the German BSI noted there were about 394,000 new malware variants discovered per day last year in Germany alone.
Some other examples of malware include: ransomware, which we describe below; keyloggers, which record keystrokes made on a computer; trojans, which enter systems in disguise; droppers, which can install other pieces of malware; bot infections, which can replicate and spread on their own; and then viruses designed purely for destruction - wipers.
Unfortunately, the ways that cyber groups use malware are as varied as malware itself, which is why it's so hard to stop. Groups often develop their own custom malware to help them attack companies and individuals through the channels of their preference (e.g. social engineering). But, they also often share malware with other groups and may abuse legitimate tools for their own purposes - Cobalt Strike, for example, is a tool that both legitimate and criminal groups use.
There are many different ways that attackers can inject malware into a system. Phishing is hugely common, but attackers may have other means such as trojanized files pretending to be something they are not (say, a PDF which is actually a virus), or perhaps spoofed websites that look real but which are out to steal your credentials or make you download infectious software. Macros in seemingly safe Word or Excel files are also popular.
Ransomware is one type of malware. When injected into a system, it can lock the entire thing up and encrypt it so that its users lose access. The attackers will then typically ask for a ransom in return for access (hence the name).
Bonus fact: Most (96%) of companies claimed in 2021 that they got their data back after a 'significant' attack. But, on average they could only restore 65% of it - meaning they were losing potentially just over a third of their data per attack (Sophos).
As you can see, the point of ransomware is to disrupt activity and force someone to pay up.
This is usually used as an act of cyber criminal activity as opposed to cyber terrorism, with the goal to make money rather than spy on or destroy key targets. Thus, it's often seen being done by independent cyber groups as opposed to state-backed actors.
One thing to note is that ransomware is often the final stage of a long string of activities, such as social engineering and vulnerability scanning (yes - attackers use the same thing companies do to look for vulnerabilities, but in this case to exploit rather than patch). This makes it critical to detect such activities in advance.
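The scanning stage mentioned above leaves a recognisable trace in firewall or flow logs: one source touching many distinct ports on one host in a short window. The detector below is an added example (not dig8ital's tooling or code from this page) that runs that heuristic over a constructed log format with RFC 5737 documentation addresses; the format, the thresholds and the sample traffic are all assumptions, and a real deployment would read the SIEM's own field names.

```python
"""Port-sweep detector over firewall connection logs (added example, not
dig8ital's tooling). A source that touches many distinct ports on one host
inside a short window is the scanning-stage behaviour worth catching before
the ransomware stage. Log format and addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

# Constructed line format: "<iso-timestamp> src=<ip> dst=<ip> dport=<n> action=<ALLOW|DENY>"
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; None for lines that do not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]), "action": m["action"],
    }


def detect_port_sweeps(lines: Iterable[str], min_ports: int = 10,
                       window_seconds: int = 60) -> Dict[Tuple[str, str], Tuple[datetime, int]]:
    """Map (src, dst) -> (time the alert fired, distinct ports seen in the window).

    Allowed and denied connections both count: a scanner probes open and closed
    ports alike, and the deny lines are often the clearest signal.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Tuple[datetime, int]] = {}
    for e in events:
        key = (e["src"], e["dst"])
        hist = recent[key]
        hist.append((e["ts"], e["dport"]))
        cutoff = e["ts"] - window
        while hist and hist[0][0] < cutoff:   # slide the window forward
            hist.popleft()
        distinct = {port for _, port in hist}
        if len(distinct) >= min_ports and key not in alerts:
            alerts[key] = (e["ts"], len(distinct))
    return alerts


# Constructed sample traffic against one internal host.
BASE = datetime(2022, 5, 3, 10, 0, 0, tzinfo=timezone.utc)


def _line(offset_s: int, src: str, dst: str, dport: int, action: str) -> str:
    ts = (BASE + timedelta(seconds=offset_s)).isoformat().replace("+00:00", "Z")
    return f"{ts} src={src} dst={dst} dport={dport} action={action}"


SAMPLE_LOG = (
    # A normal client polling one service every 30 s: one port, never alerts.
    [_line(i * 30, "10.0.0.20", "10.0.0.5", 443, "ALLOW") for i in range(8)]
    # A fast sweep: eleven ports in twenty seconds, mostly denied.
    + [_line(100 + i * 2, "203.0.113.7", "10.0.0.5", p, "ALLOW" if p in (22, 443) else "DENY")
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
    # A slow probe, one port every 90 s: outside the default 60 s window.
    + [_line(i * 90, "198.51.100.9", "10.0.0.5", p, "DENY") for i, p in enumerate([21, 22, 23])]
)

if __name__ == "__main__":
    for (src, dst), (when, n) in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"{when.isoformat()} {src} -> {dst}: {n} distinct ports within 60s")
```

With the defaults only the fast sweep fires, at the tenth distinct port. The slow probe shows the heuristic's limit: it is only caught when the window is widened (for example three ports in 200 seconds), which is why such rules are usually run at several window sizes and correlated with the social-engineering signals described earlier rather than used alone.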
The world's supply chain is highly digital these days, with most modern companies utilizing digital services in at least some capacity. Indeed, it's quite rare to find a business in Europe that is not relying on a third-party vendor for some outsourced service or tool.
This reliance on another company's services means your system becomes connected to theirs - an attack on one side could now compromise the other. As such, supply chain compromise is also known as third-party vendor risk.
Today, attackers sometimes only need to attack one company to gain a foothold in a raft of others. If they were to compromise a software vendor, for example, they could theoretically piggy-back on that company's platform right into the heart of hundreds of clients (which has happened in real life more than a few times).
So, an attack up or down the digital supply chain isn't just a problem for the vendor, but for its partners. You could have the best security in the world but if they don't, you're at risk.
We've talked a lot so far about threats from without, but there's always going to be a risk that someone inside your company is themselves a potential threat. There is a very real risk that someone somewhere in the company is being radicalized - either by people they know in person, or via online forums.
The internet and social media have made this problem worse. There is an echo chamber effect online which can exacerbate the risk of radicalization, where algorithms designed to feed people content they should be interested in constantly offer them up radical messaging. They can quickly become trapped in this world.
There are any number of ways a cyber threat group could use someone on the inside, and someone on the edge is ready to be pushed over. If an individual or group that wishes to do your company harm is able to set up an 'inside man', as it were (by cultivating and nurturing their viewpoint or emotional state), they are already in a position where they can directly compromise your business from the inside, bypassing common security measures.
They might ask that staff member to inject malware into the company computers, to send phishing attacks via their accounts so that they appear to come from a trusted source, or some other form of attack.
Anyone with a social media connection runs the risk of falling into an echo chamber, and anyone runs the risk of growing bold enough (or angry enough) to act on their changing beliefs. If this were to happen to someone with access to your business network, it could be hugely damaging.
Those are the most common cyber attack vectors we're seeing in 2022. But, there are many more potential entry points to a business that its IT team must be aware of. While these are not 'attack vectors' quite as we've categorized them above, they are common weak points in a business system that can be exploited by someone utilizing one of the vectors above.
At dig8ital, we're experts in cyber attack mitigation and have been working with some of Europe's biggest companies for years to help them digitally transform into modern, flexible, defensible enterprises. Contact us today for a free maturity consultation and let's talk about your unique needs.