Despite growing awareness and stronger defences against online threats, cyber attackers are finding new victims with larger and more sophisticated attacks, in particular by exploiting zero-day vulnerabilities and poorly protected credentials.
The use of zero-day and one-day vulnerabilities has caused a 204-per-cent year-on-year increase in Asia-Pacific ransomware victims in the first quarter of 2023, according to Akamai Technologies.
In a report released this week, the content delivery and security vendor attributed the spike to attackers shifting their focus from phishing to vulnerability abuse: they exploit flaws that are not yet known to defenders, gain a foothold inside corporate networks and then deploy ransomware, it stated.
A zero-day vulnerability is a security flaw in software, firmware or hardware that is unknown to the vendor, so no patch exists when it is first exploited. Once the flaw is publicly disclosed, usually alongside a fix, it becomes a one-day or n-day vulnerability; it remains exploitable on every system that has not yet applied the patch, which is why attackers keep using such flaws long after disclosure.
Ransomware attacks remain a significant threat to organisations. A Fortinet survey released in April this year found that 78 per cent of organisations detected ransomware attacks early, but half still fell victim to them.
In addition, the Akamai report found that ransomware groups increasingly focus on data exfiltration, the unauthorised copying of sensitive files out of the victim's network, and use the stolen data as their primary lever for extortion. Restoring from backups does not undo a leak, so file backup solutions alone are no longer sufficient protection against ransomware.
On top of that, organisations hit by more than one ransomware attack are likely to suffer the second within three months of the first.
Another insight from the report is that critical infrastructure in the Asia-Pacific region is being actively targeted. The five critical industries most frequently hit by ransomware, and at further risk, are manufacturing, business services, construction, retail and energy.
LockBit, a ransomware-as-a-service (RaaS) operation, dominates the region's ransomware landscape, accounting for 51 per cent of attacks from Q3 2021 to Q2 2023, according to Akamai. The ALPHV and CL0P groups followed.
While every business is at risk of ransomware, attackers in the region are increasingly targeting smaller organisations, mirroring global trends. The majority of ransomware victims in Asia-Pacific are small and medium-sized enterprises (SMEs) with reported revenue of up to US$50 million.
The findings are consistent with a recent report by the Cyber Security Agency of Singapore (CSA), which found that most reported ransomware victims in Singapore were SMEs in the manufacturing and retail sectors.
Organisations are not facing the ransomware threat alone. Governments are rallying to address it globally and in the region.
The International Counter Ransomware Task Force, a coalition of 36 member states and the European Union, chaired by Australia, was established earlier this year.
Singapore also set up its first multi-government, multi-agency commission, the Counter Ransomware Task Force (CRTF), in October 2022 to develop recommendations to protect businesses and critical infrastructure from the growing number of ransomware attacks.
Businesses, especially SMEs in the region, must work to adopt a zero-trust architecture starting with software-defined microsegmentation to mitigate new cyber attacks and Ransomware-as-a-Service, said Dean Houari, director of security technology and strategy at Akamai.
“By doing so, they can successfully protect their critical assets, business reputation, and ensure business continuity regardless of the type of attack tool deployed by cyber criminal gangs,” he added.
Poor credential protection
A second tactic is to target accounts with credential problems such as weak passwords or no password at all. Credential issues were a factor in over 60 per cent of the compromises handled by Google Cloud's incident response teams in the first quarter of 2023.
A newly noted challenge is mobile apps that evade Google Play's security controls through versioning: the version of an app first submitted to the Google Play Store appears legitimate and passes review, but a later update changes the code running on the end user's device for malicious purposes.
A common form of versioning is dynamic code loading (DCL), where an app downloads code files from untrusted sources at runtime and loads them, so the malicious logic is never present in the package that was reviewed.
Another growing concern is identifying compromised customer domains and IP addresses hosted on Google Cloud. Google encourages all Google Cloud customers to examine their domains and IPs for malicious activity periodically.
The report also highlighted that geopolitical activity is likely driving state actors to target the telecommunications industry. Over the last two years, the most targeted subsectors have been wireless telecommunications, IT and telecom services, and data services. These threats can be addressed by cybersecurity measures such as zero trust, Google Cloud recommended.