Cisco Talos released its cybersecurity report for the first quarter of 2023, highlighting the most common attacks, targets and other significant trends. The findings show that web shells were the top observed threat, comprising nearly 22 percent of incidents- a novel increase compared to previous quarters. Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet.
Commenting on the report’s findings, Fady Younes, Cybersecurity Director, EMEA Service Providers and MEA, Cisco, said: “Cybercriminals are gaining more experience exploiting security loopholes to spread their reach across corporate networks. To stay ahead of the wide array of threats and be in a position to respond to risks in motion, cyber defenders must scale their protection strategies. This means leveraging advanced technologies like automation, machine learning and predictive intelligence to analyse vast amounts of data in real-time and identify potential threats before they can cause any damage.”
Compiled by Cisco Talos Intelligence Group the report offers valuable information and recommendations to help organisations enhance their security posture and protect against potential cyber-attacks.
Top Threats Observed in Q1 2023
Web shell: This quarter, web shell usage has made up nearly a fourth of the threats responded to in the first quarter of 2023. Although each web shell had its own set of basic functions, threat actors often chained them together to provide a flexible toolkit for spreading access across the network.
Ransomware: Ransomware made up less than 10 percent of engagements, a significant decrease compared to the previous quarter’s ransomware engagements (20 percent). Ransomware and pre-ransomware incidents combined, however, made up nearly 22 percent of threats observed.
Qakbot commodity: The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files with malicious OneNote documents. Adversaries are increasingly relying on OneNote to spread their malware after Microsoft disabled macros by default in Office documents in July 2022.
Exploiting public-facing applications: Exploitation of public-facing applications was the top initial access vector this quarter, contributing to 45 percent of engagements, a significant increase compared to 15 percent in the previous quarter.
Additional Observations
- The report showed that 30 percent of engagements lacked multi-factor authentication or only had it enabled on select accounts and services.
- Recent law enforcement efforts have disrupted major ransomware gangs, such as Hive ransomware, but this has created space for new families to emerge or for new partnerships to form.
- Healthcare was targeted the most this quarter by adversaries, followed closely by retail and trade, real estate, food services, and accommodation sectors.