The retail, finance, professional and information sectors had the highest volume and the greatest variety of malicious activity in the second quarter, according to the latest cyber threat report from security firm Rapid7.
Retail and finance continued to top the list of vulnerable industries, with both being increasingly targeted with credential threat campaigns.
The manufacturing sector also had a high number of events, with more attackers targeting organisations via breached network access, which the report said is consistent with the steady rise in targeting seen toward that industry in the past few quarters.
Other common threat vectors included account leaks and impersonation or suspicious link attempts, with more incidents expected in the coming months across all industries.
“We continued to see high levels of activities aimed at identifying and compromising systems of interest, whether the attackers’ plan was to steal financial information or – as we see more and more – steal other sensitive information, such as credentials that can be used for a variety of information-based operations,” the report said.
Overall, the report said attacks returned to expected patterns of activity, with adversaries focusing on the sectors and data types that they have traditionally targeted.
The report notes that illicit cryptocurrency mining is “becoming a time-honored tradition” among actors as well, with an increase in cryptominers on systems each quarter, as well as new bot-based campaigns such as the recent MikroTik and WebLogic activities.
During the second quarter, data shows that remote access was the top method for stealing information and mining cryptocurrency, while credential theft, credential dumping and brute-force tactics were all used for gaining access to systems.
Remote entry accounted for more than half of the activity in the second quarter targeting small organisations with fewer than 1,000 employees, Rapid7 data shows.
In the past year, Rapid7 has seen a steady increase in activity targeting Microsoft’s server message block (SMB) protocol.
“A potential side effect of realising that there is far more SMB open to the internet is that adversaries have started becoming more interested in older protocols. [This includes those] we collectively thought would be long gone from modern networks, including Microsoft’s remote desktop protocol [RDP],” the report said, noting that daily RDP incidents skyrocketed in May, with attackers going for backups in most cases.
Unlike the steadily increasing attacks against SMB, the report said RDP activity holds at a consistent level punctuated by peaks, such as one in May that saw more than one million probes.
“Monitoring for brute-force activity, suspicious multi-country authentication and multi-organisation authentication helps to identify this type of activity, and implementing multi-factor authentication and monitoring for leaked credentials can help organisations actively protect themselves from these threats,” the report said.
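As an added example, not taken from the Rapid7 report or the article, the following Python sketches two of the detections the report recommends: brute-force activity (repeated failures from one source against one account inside a short window) and suspicious multi-country authentication (one account succeeding from two countries within an hour). The log lines and the IP-to-country map are constructed for illustration; in practice the map would come from a GeoIP lookup, and the third signal the report names, multi-organisation authentication, would need cross-tenant data that this example does not model.

```python
"""Detection sketch for brute-force and multi-country authentication.

Added example, not part of the Rapid7 report or the article. Log lines,
IP addresses and the country map below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <source-ip> <result>"
SAMPLE_LOG = """\
2018-05-03T10:00:01 alice 203.0.113.7 FAIL
2018-05-03T10:00:02 alice 203.0.113.7 FAIL
2018-05-03T10:00:03 alice 203.0.113.7 FAIL
2018-05-03T10:00:04 alice 203.0.113.7 FAIL
2018-05-03T10:00:05 alice 203.0.113.7 FAIL
2018-05-03T10:00:06 alice 203.0.113.7 FAIL
2018-05-03T10:00:07 alice 203.0.113.7 SUCCESS
2018-05-03T10:05:00 bob 198.51.100.4 SUCCESS
2018-05-03T10:20:00 bob 192.0.2.9 SUCCESS
2018-05-03T11:00:00 carol 198.51.100.20 SUCCESS
"""

# Constructed IP-to-country map standing in for a GeoIP lookup (assumption).
GEO = {
    "203.0.113.7": "XX",
    "198.51.100.4": "GB",
    "192.0.2.9": "BR",
    "198.51.100.20": "GB",
}


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return (ip, user) pairs with at least `threshold` failures inside a sliding window."""
    fails = defaultdict(list)   # (ip, user) -> timestamps of recent failures
    alerts = set()
    for ts, user, ip, result in sorted(events):
        if result != "FAIL":
            continue
        key = (ip, user)
        recent = fails[key]
        recent.append(ts)
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold:
            alerts.add(key)
    return alerts


def detect_multi_country(events, geo, window=timedelta(hours=1)):
    """Return (user, previous_country, new_country) for successes from two countries within `window`."""
    last_success = {}   # user -> (timestamp, country) of the most recent success
    alerts = set()
    for ts, user, ip, result in sorted(events):
        if result != "SUCCESS":
            continue
        country = geo.get(ip, "UNKNOWN")
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] <= window:
            alerts.add((user, prev[1], country))
        last_success[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("multi-country:", detect_multi_country(evs, GEO))
```

On the constructed input the brute-force check flags alice's source address after its sixth failure, and the multi-country check flags bob for succeeding from GB and then BR fifteen minutes apart. The thresholds and windows are tuning knobs: a five-failure limit catches noisy password guessing but not slow, distributed spraying, which is why the report pairs monitoring with multi-factor authentication and leaked-credential checks rather than relying on any one signal.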
Understanding exposures is another critical aspect of combating the threats, the report said, noting that externally exposed RDP – even for a short period of time – can have a devastating effect on an organisation, as shown by several of the RDP-enabled ransomware attacks in the second quarter.
“Exposure may not just impact your own organisation’s traditional IT infrastructure, but it can also mean your embedded systems – including cameras, doorbells and motion sensors – are being added to botnets used to carry out additional attacks while zapping your own resources,” the report said.
It added that “knowledge of threats, knowledge of your own environment, and an active approach to remediating threats and vulnerabilities will go a long way toward keeping you and your network above the fray”.