Introduction
In recent times, threat actors have increasingly targeted vulnerable or unpatched public-facing applications to gain initial access to systems [1]. This shift in tactics marks a departure from previous trends, where account compromise was the predominant method. The growing use of web shells and remote access tools has further facilitated these attacks, necessitating enhanced security measures.
Description
Threat actors are increasingly exploiting vulnerable or unpatched public-facing applications to gain initial access [1] [2] [3]; this method accounted for 40% of incidents in Q4 2024 [2] [3]. That is a significant shift from previous trends [2] [3]: account compromise had been the most common technique observed for over a year [2] [3], and this quarter is the first in more than 12 months in which exploitation of public-facing applications surpassed the use of valid accounts. A key factor in the shift is the rising use of web shells [2] [3], which were deployed in 35% of analyzed incidents, up from less than 10% in the prior quarter [2] [3]. Attackers used a variety of open-source and publicly available web shells [2] [3], whose functionality and targeted applications differed across incidents [2], giving them multiple avenues to exploit vulnerable web servers and gain entry into victims' environments.
Additionally, remote access tools such as Splashtop and AteraAgent were involved in nearly 40% of engagements [1], a significant rise from 5% in the previous quarter [1]. These tools were present in 100% of the ransomware incidents observed in Q4, further emphasizing the evolving tactics of threat actors [1]. Once attackers gain access [4], they often use these remote access tools for lateral movement [4], which lengthens dwell time as they map the network and reach sensitive resources [4]. To counter this [4], organizations are encouraged to adopt zero trust principles [4] and implement a Zero Trust Network Access (ZTNA) architecture that restricts application access. Secure Private Access enables ZTNA deployment [4], ensuring users can reach only the resources they need and preventing lateral movement [4].
Furthermore, the web fuzzer ffuf (Fuzz Faster U Fool) was used to conduct brute-force attacks against web applications [1], highlighting the diverse methods used to compromise systems. Organizations can strengthen their defenses with solutions such as Cisco's User Protection Suite, which offers Secure Access [4], including Secure Internet Access and ZTNA capabilities. Secure Internet Access protects users from malicious content through an Intrusion Prevention System (IPS) that analyzes network traffic to identify and mitigate threats in real time [4], while Remote Browser Isolation (RBI) lets users browse safely by isolating their activity in the cloud, preventing exposure to malicious applications [4].
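The two activity patterns described above, a web-application brute-force burst and a freshly dropped web shell, leave distinct traces in ordinary web-server access logs. The following Python is an added example, not code from the report or from Cisco Talos; it assumes Apache/nginx combined-format logs, runs over a constructed sample, and treats the ffuf default User-Agent in that sample as illustrative only, since the rate-based check is the one that still fires after an operator changes the User-Agent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
LOG_RE = re.compile(  # Apache/nginx "combined" access-log format is assumed
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample: an ffuf-style 404 burst, a legitimate client, then a POST to a script path never seen before.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:14:05:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Dec/2024:14:05:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Dec/2024:14:05:02 +0000] "GET /config HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Dec/2024:14:05:03 +0000] "GET /upload.php HTTP/1.1" 200 2048 "-" "Fuzz Faster U Fool v2.1.0"
198.51.100.20 - - [10/Dec/2024:14:06:10 +0000] "POST /upload.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2024:14:09:30 +0000] "POST /uploads/cmd.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Parse combined-format lines into dicts, skipping lines that do not match."""
    entries = [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]
    for e in entries:
        e["ts"], e["status"] = datetime.strptime(e["ts"], TS_FMT), int(e["status"])
    return entries

def find_fuzzing_bursts(entries, window_s=10, min_404=3):
    """Map source IP -> peak number of 404s inside any window_s-second span (rate-based, so a changed User-Agent does not evade it)."""
    stamps_by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            stamps_by_ip[e["ip"]].append(e["ts"])
    flagged, span = {}, timedelta(seconds=window_s)
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > span:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_404:
            flagged[ip] = peak
    return flagged

def find_new_script_posts(entries, exts=(".php", ".aspx", ".jsp")):
    """Return (ip, path) for POSTs answered 200 to a script path appearing in the log for the first time."""
    seen, hits = set(), []
    for e in sorted(entries, key=lambda e: e["ts"]):  # stable sort keeps log order for equal stamps
        if e["path"] not in seen and e["method"] == "POST" and e["status"] == 200 and e["path"].lower().endswith(exts):
            hits.append((e["ip"], e["path"]))
        seen.add(e["path"])
    return hits
```

Thresholds are deliberately low for the six-line sample; on a real server tune the window and 404 count against a baseline, and treat a first-seen script POST as a lead to verify on disk rather than an alert on its own.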
Conclusion
The evolving tactics of threat actors, characterized by the increased exploitation of vulnerable applications and the use of web shells and remote access tools, underscore the need for robust security measures. Organizations must adopt zero trust principles and deploy advanced security solutions to mitigate these threats effectively. By doing so, they can safeguard their systems against current and future cyber threats, ensuring the integrity and security of their networks.
References
[1] https://blog.talosintelligence.com/talos-ir-trends-q4-2024/
[2] https://ciso2ciso.com/threat-actors-target-public-facing-apps-for-initial-access-source-www-infosecurity-magazine-com/
[3] https://www.infosecurity-magazine.com/news/threat-actors-public-apps-initial/
[4] https://blogs.cisco.com/security/top-threat-tactics-and-how-to-address-them