A new report out today from Cisco Talos finds that business email compromise and ransomware were the top threats in the second quarter of 2024, with technology companies becoming the most targeted sector.

The Cisco Talos Incident Response Trends Q2 2024 (April-June) report, based on incident response engagements undertaken by Cisco Talos, found that BEC and ransomware tied for the top observed threats, together accounting for 60% of all engagements. There was a small decline in BEC engagements from the previous quarter and a slight uptick in ransomware engagements.

Ransomware accounted for 30% of engagements in the quarter, up 22% from the previous quarter, with new ransomware gangs Mallox and Underground Team observed for the first time. The company also dealt with ongoing Black Basta and BlackSuit ransomware attacks, which were among the most prolific in the quarter.

Talso Incident Response also observed a slight increase in network device targeting in the quarter, accounting for 24% of all engagements. Network device targeting included password spraying, where attackers attempt to gain unauthorized access to a large number of accounts by trying a few commonly used passwords across many usernames, vulnerability scanning and exploitation.

For the third quarter in a row, to no surprise, the most observed means of gaining initial access was the use of compromised credentials on valid accounts. Sixty percent of all engagements by Cisco Talos involved involved compromised credentials, a 25% increase from the previous quarter.

Though many hackers are getting through the door using compromised credentials, misconfiguration and a lack of multifactor authentication then played a key role, with every engagement involving either no MFA or a server misconfiguration or both.

The report specifically calls out systems that are not up to date with the latest patches as being highly susceptible to vulnerabilities. Given that misconfigured systems are not configured with industry best practices for security in mind, they leave organizations exposed, such as a public-facing server that is only supposed to be accessed internally.

Other findings in the report include PowerShell being the top execution technique, observed in 41% of engagements, up a third from the previous quarter. Adversaries favored creating new accounts as a persistence technique, accounting for 18% of engagements, double the previous quarter.

The abuse of remote services such as RDP, SSH, SMB and WinRM was noted in 53% of engagements, a slight decrease from the previous quarter. Additionally, there was a 40% increase in the use of remote access software, with AnyDesk being the most observed, accounting for almost 30% of engagements.

Image: SiliconANGLE/Ideogram