
Backdoors Used in 21% of Cyberattacks

Cyber thieves' actions and objectives are changing as the business of cybercrime matures, according to IBM X-Force.
Vincent Ryan, March 8, 2023

Does your IT team still think the main objective of cyber criminals is to steal the personally identifiable information or credit card data of customers and sell it online? You may need to update your organization’s view of cyber threats.

According to the 2023 IBM X-Force Threat Intelligence Index, access to companies’ systems, networks, and applications is now the most valuable commodity in the dark marketplaces cyberattackers frequent. And that’s affecting how companies are being targeted by cybercriminals.

Cyber thieves still mostly use spear phishing and the exploitation of software vulnerabilities to infiltrate organizations, what the industry terms the “initial access vectors.” But according to incident response data from IBM X-Force Security Services, in 2022 the deployment of backdoors was the most common action taken by cyber thieves once systems were infiltrated. Backdoors, a method by which authorized and unauthorized users gain high-level remote access, were deployed in 21% of all reported incidents last year. (See chart, Top Actions Once Systems are Infiltrated.)

Once inside a network, cybercriminals can steal personal and financial data, install additional malware, and hijack devices. Often, they deploy ransomware, a form of malware that locks a user out of their files or device, and a tactic to which many cybersecurity threats and activities are connected.

There’s a whole ecosystem of “initial access brokers” who sell existing backdoor access to a targeted organization. X-Force said it has observed threat actors (persons who intentionally cause harm in the digital sphere) selling existing backdoor access to an organization for as much as $10,000, compared with stolen credit card data, which can now sell for less than $10.

Compromised corporate network access is very profitable and requires less effort than a full-blown ransomware attack. That’s why cybercriminal gangs specialize in it, John Dwyer, head of research, IBM Security X-Force, told CFO.

“Effectively, what the business of ransomware has done is lower the barrier of entry for anyone to get into cybercrime,” Dwyer said. “This is a multibillion-dollar global industry. [The criminals have] developed the business process that enables them to execute more attacks more efficiently by having standardized processes for attackers to follow.”

Extortion Tactics

A positive development evident in the X-Force data, which is generated from IBM X-Force engagements like incident response and managed security services, is that companies were better in 2022 at detecting and preventing ransomware attacks. About two-thirds of backdoor access incidents, for example, were related to ransomware attempts in which “defenders were able to detect the backdoor before the ransomware was deployed,” according to the X-Force report.

However, with criminals selling tools and standardized processes to other cyber attackers, the average time to complete a ransomware attack dropped from two months down to less than four days.

“The new element in the pressures of cybersecurity is that the window of opportunity to prevent an incident from becoming a crisis is closing,” Dwyer said. However, he added, companies have been improving detection and response — “clients are calling us faster, and they’re also able to detect the attacker faster than they were before.”

More and more, the point of all this is extortion, not stealing data to sell on the dark web. Extortion was the most common impact of cyberattacks in 2022 (21% of incidents), followed by data theft (19%) and credential harvesting (11%), according to X-Force data. (See chart, Objectives of Cyberattackers.)

Extortion was primarily achieved through ransomware or business email compromise (BEC) attacks. But even extortion methods are changing, as cybercriminals seek the easiest and quickest path to payment, Dwyer said.

While small and midsize businesses are still mostly pressured by the ransomware attacker taking a system offline and demanding payment, larger corporations face different tactics. These businesses typically have the staff and the budget to recover from such a systems interruption, and they have their data backed up (in case data was stolen). For them, the pressure to pay ransom-seekers, Dwyer said, relates to protecting the brand.

One of the latest tactics for getting large companies to pay up is to make stolen data accessible to “downstream victims,” business partners, and even regulators to “increase pressure on the breached organization,” according to IBM X-Force.

Given self-reporting requirements (like those coming in the United States and Europe’s existing GDPR), “what the criminals are saying is, ‘I’m gonna steal your data. And if you don’t pay me in 24 hours, I’m going to report to all of your customers, all of your clients, and your government that you’ve been hacked and we’ve stolen your data, and you’ve lost sensitive information,’” Dwyer said. “That creates a force multiplier in pressures to pay to make them go away.”

Despite all the cybersecurity risks organizations face, they might take some comfort in the fact that cybercrime is still largely a crime of opportunity, not one involving well-planned attacks by foreign governments.

“A lot of the initial access or how these attacks kind of start are opportunistic, and that is through phishing and exploitation,” Dwyer said. Closing those vulnerabilities, therefore, can be the start of a good defensive strategy.