Trusted relationship attacks, in which threat actors gain access to corporate networks through third-party service providers, ranked second in frequency of use (28%). Their prevalence may be related to the fact that many of these providers serve a large number of organizations across other sectors. As a result, a breach of one of these providers can compromise client internal networks.
Publicly available remote services, such as VPN, RDP, and SSH, enabled attackers to gain initial access in 11% of all cases (External Remote Services).
In another 17 percent of cases, phishing emails served as the initial access vector. Specifically, CVE-2017-11882 was exploited, a remote code execution vulnerability in Microsoft Equation Editor, through a specially crafted document.
In one case, attackers gained access to a customer's infrastructure through a phishing email with a ZIP attachment containing an LNK file. When opened, the file launched a decoy document and a Node.js interpreter containing the payload. As a result, a DNS tunnel was established on the compromised host to communicate with the attacker infrastructure.
In another case the threat actors created a ticket in the Zendesk system and included a link to a malicious file, which was later opened by a technical support specialist. The attackers compromised credentials that were presumably used to access the CRM. In the CRM, they changed the user's email address, obtained a confirmation code to restore the account, and used that code to log in to the personal account and withdraw funds from it.
This year, we are seeing an increase in incidents involving compromised network devices, which often have outdated firmware or insecure configurations. Share of such incidents is 8%. For example, in one of our investigations, attackers compromised several Cisco network routers publicly accessible from the internet. This attack was made possible by a flaw in the SNMPv2 protocol configuration (the SNMP Community setting allowed all devices to read from and write to a nonexistent access list, which in turn allowed attackers to gain access by using the default password). The attackers used native Cisco IOS capabilities to configure GRE tunneling, conduct active reconnaissance of network devices, create privileged local accounts, and attempt to download data from a backup server. To conceal their activity, they used unique EEM applets that reset the device configuration when triggered by certain legitimate commands. As a result, the attackers were able to gain control over part of the network traffic, including SMTP, POP3, and IMAP traffic, and redirect data through their tunnels.
In some cases, attackers gain access through multiple vectors, for example when the initial vector does not allow privilege escalation or lateral movement.