Vulnerability exploitation is now the preferred initial access route for ransomware

Mondo Technology Updated on 2024-01-29

According to Corvus Insurance, threat actors are changing the tactics they use to compromise victims with ransomware, and more attacks now exploit vulnerabilities than use phishing emails.

The insurer analyzed this year's claims data to better understand the activities of threat actors.

The company claims that exploits, as an initial access method, rose from nearly 0% of ransomware claims in the second half of 2022 to nearly one-third in the first half of 2023.

This data could be affected by significant campaigns such as this year's ransom attacks involving the MOVEit and GoAnywhere file transfer software. However, it still points to an evolution in threat activity.

Corvus also highlighted that exposed encryption keys are another increasingly popular way for threat actors to compromise organizations. The company claims that 7% of the organizations it studied had at least one exposed secret, the most common being Google API keys, JSON Web Tokens, Shopify domain keys, and AWS S3 bucket keys.

"But not all exposures are created equal," the company explains. "Some of them don't give threat actors much opportunity to collaborate and may never cause problems for the organization that exposes them. However, in about 1% of the organizations we studied, we found exposure keys that security experts considered critical and required immediate attention."

This includes AWS API keys, keys for cloud buckets (AWS S3 and Google Cloud Storage), and API keys from non-cloud provider services such as LinkedIn, Okta, Slack, Mailchimp, Facebook, New Relic, Stripe, and Sauce Labs.

Elsewhere, social engineering as a cause of insurance claims has risen in recent quarters, accounting for nearly half of all claims as of the third quarter of 2023, Corvus said. This compares to about 35-38% a year ago.

This makes claims from social engineering almost three times as high as those in the second largest category (non-compliance by merchants or other third parties).

Interestingly, there haven't been any reports of leaks related to the social engineering of Google Workspace policyholders, with Microsoft accounting for the vast majority.

"Although Microsoft is the most commonly used business email provider for our policyholders, we expect that one in 10 of our social engineering claims comes from the Google Workspace organization," Corvus said.
