58% of Ransomware Attacks Involve Compromised Perimeter Security Appliances
A new report from the cyber insurance and security services provider Coalition has revealed the most common initial access vectors in ransomware attacks. Based on an analysis of claims, Coalition determined the most commonly exploited technology was compromised perimeter security devices such as a virtual private network or firewall, which were involved in almost 6 out of 10 ransomware attacks. The most commonly compromised products were perimeter security appliances from Fortinet, Cisco, SonicWall, and Palo Alto Networks. Around 2 out of 10 attacks involved remote desktop software, with Microsoft’s Remote Desktop Protocol (RDP) accounting for 80% of attacks involving this type of technology. Email was the third most exploited technology, with the majority of email-related compromises due to social engineering attempts such as phishing.
The most common attack vector was compromised credentials, typically for RDP and VPNs, which provide threat actors with privileged access to internal networks. An analysis of activity logs revealed 42% of attacks involved brute force tactics, where thousands of unsuccessful attempts were made before the attackers guessed the correct username and password combination. Credentials can be compromised in several ways, such as via phishing where employees are tricked into disclosing their credentials or through malware infections. While Coalition was unable to accurately determine how credentials were compromised in non-brute force attacks, recent reports from cybersecurity firms have highlighted the growing threat from infostealer malware. A recent report from Microsoft attributed an infostealer campaign to the threat group Storm-0408, which uses malvertising to redirect users to malware hosted on GitHub. Microsoft tracked one million infostealer infections from the campaign.
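The brute-force pattern described above, many failed logins from one source followed by a success, can be surfaced from authentication logs with a simple stateful check. This is an added example, not code from the Coalition report or HIPAA Journal; the log format, threshold and window are constructed assumptions, and a real VPN or RDP log would need its own parser for the same four fields.

```python
"""Flag a successful login that follows a burst of failures from one source.

Added example: the detection is reconstructed from the pattern the article
describes (thousands of failures, then a correct guess). Log format, the
threshold and the window below are assumptions, not from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp src_ip user result".
SAMPLE_LOG = """\
2024-02-10T03:00:01Z 203.0.113.7 admin FAIL
2024-02-10T03:00:02Z 203.0.113.7 admin FAIL
2024-02-10T03:00:02Z 203.0.113.7 jsmith FAIL
2024-02-10T03:00:03Z 203.0.113.7 jsmith FAIL
2024-02-10T03:00:04Z 203.0.113.7 jsmith FAIL
2024-02-10T03:00:05Z 203.0.113.7 jsmith SUCCESS
2024-02-10T09:15:00Z 198.51.100.4 mlee FAIL
2024-02-10T09:15:20Z 198.51.100.4 mlee SUCCESS
"""

FAIL_THRESHOLD = 5              # failures from one source before a success matters
WINDOW = timedelta(minutes=10)  # failures must cluster within this window


def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_bruteforce_success(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (src_ip, user, n_failures) for each success preceded by a failure burst.

    Failures are counted per source IP regardless of username, so spraying
    across accounts from one address is caught as well as guessing one password.
    """
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, ip, user, result = parse(line)
        # Forget failures older than the window so occasional typos never accumulate.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if result == "FAIL":
            failures[ip].append(ts)
        elif result == "SUCCESS" and len(failures[ip]) >= threshold:
            alerts.append((ip, user, len(failures[ip])))
            failures[ip].clear()   # one alert per burst
    return alerts


if __name__ == "__main__":
    for ip, user, n in detect_bruteforce_success(SAMPLE_LOG):
        print(f"ALERT: {n} failed logins from {ip}, then success as {user}")
```

A success that follows a single failure (the second source in the sample) is left alone, which is the trade-off a threshold buys against alert noise.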
In order for compromised credentials to be used, there must be at least one Internet-exposed login panel. Data from customers applying for cyber insurance showed 65% had at least one exposed login panel, with the most commonly detected being Cisco VPN+ devices (10%), SonicWall VPNs (9%), Microsoft email (8%), and VPNs and VPN+ devices from Palo Alto Networks, Fortinet and Citrix (6%-7%). Compromised credentials for a Citrix panel without multifactor authentication enabled the BlackCat ransomware attack that breached Change Healthcare’s network in February 2024. According to Coalition, misconfigured Citrix panels caused over $1 billion in losses in 2024, more than any other single CVE.
The second most common attack vector was vulnerability exploits. A wide range of vulnerabilities have been exploited for initial access, with the most common being CVEs in networking devices from Ivanti, Fortinet, and Cisco, as well as vulnerabilities in Microsoft’s Exchange Email Server. The third most common attack vector was social engineering, with contact most commonly made with employees via email. These attacks involved obtaining credentials using phishing, tricking employees into installing malware under the guise of legitimate software or through drive-by malware downloads, and tricking employees into installing remote access software, such as in tech support scams.
According to Coalition, the best approach to defending against ransomware attacks is to focus on the riskiest security issues to reduce the likelihood of a breach. That means monitoring the attack surface to detect exposed login panels and services, patching zero-day vulnerabilities in Internet-facing technology promptly, educating the workforce about the risk of social engineering, implementing 24/7 monitoring of systems and networks, and responding rapidly to any potential compromise.