Cisco Talos is among the most comprehensive threat intelligence teams in the world, combining cutting-edge technologies with unmatched talent and expertise. And with the most extensive telemetry and partner network in the industry, it captures unique insights into the threats that could impact your organization.
So, what trends has Talos been seeing so far in 2022?
According to the Cisco Talos Incident Response (CTIR) Q2 report, ransomware was unseated from the top perch for the first time in more than a year. The new contender? Commodity malware — that is, untargeted threats directed at a wide swath of users, often delivered through email attachments and downloads.
A key reason for commodity malware’s success is bad security practices — on both organizational and individual levels.
“You’d be correct in saying the commodity malware was the top threat this quarter,” said Talos’s Bruce E. Hennigar II. “Even though we’re two quarters into 2022 and what, 20 years into cybersecurity, people are still clicking on that phishing email.”
Commodity malware comprised 20 percent of all engagements CTIR investigated in Q2. Prominent commodity malware offenders included the Remcos RAT, Vidar information stealer, Redline Stealer, and the Qakbot banking trojan.
Meanwhile, from Q1, ransomware dropped from 25 percent to 15 percent of CTIR engagements. One reason for this fall from “grace” was the Ukraine war. According to Hennigar, the Russian government co-opted many ransomware gangs to support the attack on Ukraine.
Of course, ransomware remains a serious threat. High-profile ransomware-as-a-service (RaaS) groups in Q2 included Conti and BlackCat, both of which sought big payouts from large organizations. The Conti group has apparently disbanded, though a new variant called Black Basta may be assuming its mantle. At the same time, LockBit ransomware has honed its extortion tactics in a new version, which also offers cryptocurrency as a payment option for victims.
As for top sectors targeted, the telecommunications industry led the pack once again within our engagements, followed by education and health care. And the United States is the top nation targeted.
So, what steps should organizations take in Q3?
In addition to shoring up obvious weaknesses, like not clicking on unfamiliar attachments, Hennigar warned organizations to be wary of new attacks that exploit previously unknown zero-day vulnerabilities in software.
“A lot of times, the ransomware groups will change how they initially get in,” he explained. “And usually, it’s based on vulnerabilities that pop up that people just don’t know about.”
Hennigar’s — and Talos’s — advice is to deny attackers access to the “easy stuff” like phishing, once and for all, while staying abreast of the newest, more challenging developments.
Cisco Talos monitors global networks for emerging threats 24/7, 365 days a year, with real-time warnings and alerts to customers and the security community at large. And multi-factor authentication (MFA) — for example, Cisco Duo — is Talos’s top Q2 technology recommendation.
Other critical Cisco solutions include Cisco Secure Firewall and SNORT rules, which protect against many of the commodity malware and other threats outlined in Talos’s Q2 report. And Cisco Secure Endpoint detects malicious activity on organizations’ devices and beyond, into complex multicloud networks.
There are no simple solutions to cyberthreats, but Hennigar summed up his advice.
“My biggest recommendation is to research for your vertical and your revenues area,” he said. “What are the main things that are attacking? If it’s ransomware, look at the ways that ransomware is being delivered through phishing, make sure you’ve got things like MFA, make sure you understand where your business-critical applications and storage are, and make sure that your protections for your network are on those things.”
Watch the Cisco Talos Incident Response team break down the top threats from the past quarter and deep dive into the top trends in this video.