Cisco: Healthcare Remains The Most Targeted Vertical

Cisco Talos Intelligence Group has released its report for the second quarter of 2023, highlighting the most common attacks, targets, and other significant trends. The findings show how a lack of multi-factor authentication (MFA) remains one of the biggest impediments to enterprise security.

Carrying out ransomware attacks is likely becoming more challenging for hackers due to global law enforcement and industry disruption efforts, though it still saw a rise to 17 percent of engagements. The biggest – and a growing – threat responded to by Talos Incident Response (IR) in Q2, however, was data theft extortion incidents that did not encrypt files or deploy ransomware.

The findings also show that, continuing a trend from first quarter, healthcare remains the most-targeted vertical, accounting for almost a quarter of all incident response engagements, closely followed by financial services. In a reverse of Q1 trends, web-shells engagement – malicious scripts that enable threat actors to compromise web-based servers exposed to the internet – declined.

Commenting on the report’s findings, Fady Younes, Cybersecurity Director, EMEA Service Providers and MEA, Cisco, said: “People are often the prime target for any cyber-attack, they are the gateway to the central infrastructure of a company or organization. Fortunately, the vast majority of cyber threats can be overcome with awareness, common sense and a critical approach to security when moving in cyberspace. We can also stay ahead of the game by leveraging advanced technologies to analyze vast amounts of data in real-time and identify potential threats before they can cause any damage.”

Top Threats Observed in Q2 2023

Data theft: Data theft extortion was the top observed threat this quarter, accounting for 30 percent of Cisco Talos Incident Response (Talos IR) engagements this quarter, overtaking web-shells and still ranking above ransomware. The rise in data theft extortion incidents compared to previous quarters is consistent with public reporting on a growing number of ransomware groups stealing data and extorting victims without encrypting files and deploying ransomware.

Ransomware: Ransomware is the second most observed threat for Q2. The Clop ransomware group exploited a major vulnerability in the MOVEit file transfer software. This has led to many follow-on instances of data theft, with more than 200 companies affected as of early July.

Exploiting public-facing applications: Exploitation of public-facing applications has seen a significant decrease – down to 22 percent (from 45 percent last quarter) of engagements.

Additional Observations

  • The report showed that 30 percent of engagements lacked multi-factor authentication or only had it enabled on select accounts and services.
  • Observed in over 50 percent of engagements this quarter, PowerShell is a dynamic command line utility that continues to be a popular utility of choice for adversaries.