Unlike the analyses and trends discussed in previous chapters of this report, which are based on anonymized data collected by Check Point products during routine preventative protection, this chapter offers the unique perspective of the Check Point Incident Response Team (CPIRT). CPIRT provides attack mitigation services in response to various types of active breaches, and its work is vendor-agnostic, not exclusive to Check Point customers.
The CPIRT response usually follows the discovery of visible malicious activity, such as encrypted files (ransomware), malicious activity detected on mail servers, emails sent from an account without the knowledge of its owner (email compromise), or the presence of malware files or unknown processes on a computer system.
Sometimes the discovery is due to extensive malicious activity, affecting most of the critical assets in the organizational infrastructure (full network compromise). In some cases, the malware is discovered when the victim receives a ransom demand as part of a data leak that is followed by an extortion
The threat breakdown above is very different from what we routinely see in our product data. An analysis of cyber-attacks in the wild shows that the top threats are multipurpose malware and cryptominers. However, CPIRT data shows that the actual risks, from a large corporate perspective, are full-blown ransomware attacks and full network compromises. Event logs that record multipurpose malware activity often show only the initial incursion. The more significant damage caused by cyber breaches comes from extortion following encryption or data exfiltration, and from scams and business email compromise (BEC) conducted through account takeovers.
Conti, Hive and Phobos are the most common ransomware families we have encountered in the analyzed period, but they are not responsible for the majority of attacks. Seventy-two percent of ransomware cases involved a ransomware family we encountered only once. This suggests that contrary to some assumptions, the ransomware landscape is not dominated by only a few large groups but is actually a fragmented ecosystem with multiple smaller players that are not as well-publicized as the larger groups.
Some strategies are shared by different actors; in approximately 40% of ransomware cases, the attackers succeeded in compromising the victim’s systems a month or more before they started encrypting the files. The time in between was spent scouting the victims’ networks in search of valuable assets.
Judging from our protection sensors, we have witnessed a growing tendency to use email (SMTP) rather than the web as the initial attack vector, which reached a record 89% of attempted attacks in the first half of 2022. CPIRT analysis reveals that among successful attacks with a known initial entry vector, vulnerable servers are the most common vector leading to compromise.
The most widespread infection vector observed by CPIRT is the exploitation of vulnerable servers with exposed ports. These are mostly one-day vulnerabilities (flaws that are already publicly disclosed and patched by the vendor, but not yet remediated by the victim), which grant the attacker remote code execution on some of the most valuable servers in the organization. This means that although the most frequent attack vector in the wild is SMTP, often mass-distributed by actors of various sophistication levels, the most effective attacks repeatedly rely on unpatched vulnerabilities.
The most common vulnerabilities of the first half of 2022, used in 69% of cases where the initial infection vector is known, were the ProxyShell vulnerabilities, first reported in August 2021. ProxyShell is the name given to the exploitation of a chain of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in Microsoft Exchange servers.
In many cases the exploitation occurred months before it was discovered by the victim. Even though some of the attacked organizations have since patched their environments, their systems were already under the control of threat actors by the time the exploit was discovered. Although the majority of attacks attempt to leverage old vulnerabilities, it remains crucial to patch and provide up-to-date protections for the most recently discovered CVEs.
Threat actors deploy a wide variety of tools in an attack. Some of these have only illicit uses, such as password-stealing tools that exist solely as malware. In other cases, hackers abuse otherwise legitimate tools, such as remote-control software.
Cobalt Strike Beacon is the most popular tool used by attackers. Its purpose is to establish encrypted command-and-control (C2) communication with the attacker's infrastructure. Another common tool is Mimikatz, which is used for password stealing and privilege escalation within the network.
Cryptominers are often installed at an initial stage to start generating profit. Attackers can later leverage their access to the network for other revenue-generating activities. This strategy is often used in non-targeted attacks, where the attacker might put less effort into stealth activity.
CPIRT data, collected from cases of compromised systems, gives a different perspective from our regular product data analyses. It emphasizes the dangers of full-blown cyber-attacks, those that can develop when preliminary incursions like infostealers and cryptominers are disregarded as minor threats. In light of this data, the importance of regularly updated cyber security systems that quickly integrate protections for reported vulnerabilities and evolving attacks is evident. From the moment a CVE is revealed until a protection is released and deployed, every minute matters.