iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Rapid7 has just released its Mid-year Threat Report, and we had the opportunity to ask a few questions about the company’s findings. Caitlin Condon, head of vulnerability research, and Christiaan Beek, senior director for threat analytics, were good enough to lend me their time.
Cyber Security Connect: I note a sense of ... almost disappointment in the results Rapid7 is seeing when it comes to cyber maturity and resilience. Why do you think companies and organisations are dragging their feet on this when cyber security incidents are now so prominently reported on?
Christiaan Beek: We’re certainly disappointed by the trends we’re seeing in this area, but that disappointment is not aimed all or even primarily at practitioners – clearly, we as a security industry and a technology ecosystem need to do more to make good security choices accessible and sustainable for many organisations.
We’re still seeing many businesses struggle with basic security hygiene, such as strong password policies and the use of multifactor authentication. Rapid7 incident responders found that nearly 40 per cent of incidents in the first half of this year were the result of missing or inadequate MFA. Attackers are quite quick to exploit these types of missing controls, and in today’s threat landscape, adversaries don’t need any additional advantages.
CSC: The report says that despite Rapid7’s overall caseload increasing by 69 per cent, ransomware operations remained largely stable. Can you expand on that a little bit?
Caitlin Condon: “Stable” was meant in the context of seeing the larger groups still operate as they did in the latter part of 2022. However, we’ve seen in the April/May time frame of this year new groups surfacing that are very active as we speak, for example, Akira and, recently, Rhysida.
CSC: Ah, understood! The report also points out that Clop’s MOVEit-related activities are ongoing – just how bad do you think that situation is going to get?
Caitlin: The Clop ransomware group announced a sub-selection of victims that were targeted during the MOVEit campaign. However, victims have customers, subcontractors, and partners whose data might have been compromised as well during these attacks. In other words, the impact is far larger than we have seen being reported.
CSC: Return on investment is something the report considers, but I’m curious about just how much money a successful operator may be making from ransomware attacks. How much a month, or a year, are these groups likely to be making?
Caitlin: First of all, it depends on which groups you would focus on, but let’s take a look at Clop ransomware.
It is publicly known that they targeted companies with revenue above US$5 million and had ransom amounts being paid out that exceeded US$20 million. The MOVEit Transfer campaign alone is estimated to have given them US$75–100 million. That is more budget than most malware or threat research departments would have, and we’re talking about a single campaign.
Coveware, a ransomware negotiation company, recently stated that the average paid global ransom in Q2 2023 is US$740,144. Whether they are a part of the main group or working as an affiliate/access broker, all associated cyber criminals make a huge profit off this model.
CSC: While this report looks back at the data of the last six months, what do you think the future holds? Can organisations get their act together and start to claw back some ground from malicious actors?
Christian: We certainly hope that this report will help organisations understand attack trends and provide context that allows them to strengthen their security programs. There is understandably a lot of emphasis on complex attacks and well-resourced adversaries in today’s security landscape, but the hyperfocus on flashy techniques and actors can obscure the fact that tried and true security controls like multifactor authentication are still highly effective at deterring common threats.
We are reporting on attacks that are successful, but there are also many cases where attacks were detected early and stopped. We will continue to see novel attacks and alarming threat campaigns, but malicious actors are always evolving their techniques in part because modern security controls have made many types of attacks more difficult.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
