Phishing Attacks, Vulnerability Exploitations on the Rise

Recent figures indicate that there were over 50 significant data breaches in 2023 and there have already been nine major breaches reported in the first quarter of 2024.

According to the Verizon 2024 Data Breach Investigations Report:

• 14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year’s report.
• 68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error; ransomware was a top threat across 92% of industries.
• There was a 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach.

With such a significant increase in the exploitation of known vulnerabilities, proactive measures must be taken to prevent cyber incidents.

Yet the very agency responsible for keeping end users safer on the web, and who have helped promote the Cybersecurity Awareness Month campaigns each October, have fallen victim to a cyberattack. It was found that Ivanti vulnerabilities in the systems of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) left them susceptible to the attack.

Detecting Vulnerabilities Before Cybercriminals Do

A 180% increase in exploited vulnerabilities is alarming, and while there were major zero-day vulnerabilities that contributed to the dramatic rise, the fact remains that organizations must stay a step ahead. The best way to do that is to find the vulnerabilities in your system – unpatched software, weak passwords, known vulnerabilities – before cybercriminals do.

Blue Bastion, a division of Ideal Integrations, specializes in defensive and offensive cybersecurity operations. They employ a comprehensive managed detection and response service that includes vulnerability scanning and penetration testing. These and similar aggressive efforts help identify and remediate vulnerabilities quickly and effectively.

Phishing Attacks Are Becoming More Difficult to Identify

It is becoming increasingly difficult to distinguish legitimate emails from phishing emails, and generative AI will continue to make it even worse. For instance, investigators observed that a phishing campaign targeting the United States Postal Service (USPS) directed nearly as much traffic to spoofed websites as it did to the legitimate sites, through the use of phishing emails and text messages.

As cybercriminals begin to take advantage of AI, phishing attacks are becoming nearly impossible to detect, reveals Infosecurity Magazine. “AI detectors cannot tell whether a phishing email has been written by a chatbot or a human in three cases out of four.” Users of LastPass, a popular password manager, were targeted in early 2024 by attackers who launched an AI-driven phishing campaign that convincingly tricked users into divulging their master passwords.

Common Phishing Tactics

According to Phishing for Dummies^®, Cisco Special Edition, the top five tactics business leaders need to watch for are:

1. The use of AI to make phishing attacks more successful. AI helps cybercriminals craft more convincing messages, including the use of enriched grammar and language, which can make it more difficult to detect phishing.
2. The leveraging socio-political strife, such as the Russian invasion of Ukraine, to play on the emotions of the recipient and plead for donations or offer information about the situation.
3. The exploitation of known vulnerabilities.
4. Politically motivated attacks on infrastructure that either directly or indirectly impact business operations.
5. Directed attacks on work-from-home and remote employees, whose level of security is often not as robust. These employees often have access to some of the most sensitive data in your organization.

How to Fight Phishing Attacks

In addition to having comprehensive cybersecurity measures in place that include threat detection, penetration testing, 24/7/365 monitoring, and vulnerability patching, one of the most critical steps every organization can take to combat phishing threats is to provide ongoing awareness training to every employee.

As phishing attacks become more sophisticated, keeping the potential threat top of mind for all employees is essential. An employee may not think twice about a request to update a password for a commonly used website or to submit private information to what appears to be a reliable vendor. Employees blindly trust that an antivirus program will weed out the spam in their digital mailboxes, without considering that an email could be a phishing attack.

Your training needs to be more than a brief presentation or a handout. Cybersecurity training should be comprehensive and provided on a regular basis, to communicate updates and reinforce these best practices:

• Secure personal information – Do not use the same password on multiple devices and at multiple sites; this includes personal networks. Hackers can target specific individuals and explore social media platforms and other networks to gain information. Passwords should be complex and changed periodically, and double authentication should be applied whenever possible.
• Use available malware and virus protection programs – If professional devices are prompting for updates, make sure employees are not ignoring reminders. Also encourage employees to digitally secure their personal devices and provide accessible security options. By incorporating best security practices into their personal lives, employees are more likely to implement these practices in their professional realms.
• Use secure networks only – It can be tempting for employees to login to an office network from home, even if it is simply to check an email. Unsecured access, however, can give hackers the opportunity they need to infiltrate secure networks.
• Be aware of threats – Train employees to be suspicious of emails requesting private information, such as credit card details. If an email requests immediate action, then a moment should be taken to confirm the request. Nothing is so immediate that your employees can’t take the time to verify a request with a supervisor.

Your employees can be your biggest risk, but they can also become a strong defense against phishing attacks. Knowledge is the first step in preventing data breaches, and by educating employees regularly, you can establish a culture of best security practices.

In addition to providing employee training, companies must develop a zero-trust culture with policies that prohibit employees from clicking links, opening files, or conducting any financial transactions through email communications. Redundant verification processes should be required for any action, and internal file sharing should be accomplished through a company’s secure, shared drive.

Learn more from Ideal Integrations.