Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10.

On the dark web — a veritable eBay for cybercriminals — threat actors can hold onto ill-gotten backdoor access (unbeknownst to victims) until the price is right, and then sell it to the highest bidder.

Backdoor deployment even outpaced ransomware in 2022; ransomware itself was seen in 17% of the cases X-Force examined. However, about 67% of those backdoor cases were failed ransomware attempts, in which defenders disrupted the backdoor before ransomware could be deployed.

Top Attack Impact: Extortion

An IBM Security X-Force study revealed a substantial 94% reduction in the average duration of ransomware attacks from 2019 to 2021, from over two months to just under four days.

While incidents involving ransomware declined from 21% in 2021 to 17% in 2022, it remains a clear and present danger that shows signs only of expanding, not slowing down.

Extortion is getting personal, and ransomware is just the tip of the arrow. When you think of extortion you usually think of ransomware — but extortion campaigns go far beyond ransomware today and include a variety of methods to apply pressure, including business email compromise and DDoS threats.

Cybercriminals are incorporating increasingly intense psychological pressure in their attacks, as well. Some of the latest extortion schemes turn customers and business partners into pawns. Attackers are contacting hospital patients and students to tell them their data has been accessed — magnifying pressure on the breached organization.

In more than one in four incidents examined, threat actors aimed to extort victim organizations — making it the top impact observed across incidents remediated by X-Force.

Phishing and Vulnerability Exploitation: The Top Initial Access Vectors in Attacks

Phishing isn’t a new initial access vector by any stretch, but it remains a favored tactic of threat actors for an obvious reason: it works.

Phishing — whether through attachment, link or as a service — remained the leading infection vector in 2022, accounting for 41% of all incidents. Within those phishing incidents, spear phishing attachments were used in 62% of attacks, spear phishing links in 33% and spear phishing via service in 5%. X-Force also witnessed threat actors use attachments alongside phishing as a service or links in some instances.

When it comes to vulnerabilities, cybercriminals already have access to thousands of them, and they don’t have to invest time and money to find new ones since many old ones still work just fine. In 2022, X-Force uncovered an 800% increase in infections resulting from exploits of the vulnerability used by WannaCry in 2017, reinforcing the need for organizations to refine their vulnerability management programs and prioritize critical patches.

Vulnerability exploitation — captured in the X-Force Threat Intelligence Index as exploitation of public-facing applications to align with the MITRE ATT&CK framework — placed second among top infection vectors, seen in 26% of incident response cases. The number of incidents resulting from vulnerability exploitation in 2022 decreased 19% from 2021, after rising 34% from 2020, a swing that was probably driven by the widespread Log4J vulnerability at the end of 2021.

Cyber-Related Developments of Russia’s First Year of War in Ukraine

The conflict in Ukraine initiated by Russia was anticipated to be a showcase of the integration of cyber operations in modern warfare — a prediction made by many in the cybersecurity field. Although, as of early 2023, the most severe predictions of cyberattacks have not yet materialized, Russia has employed a vast number of wipers in their offensive against Ukraine, emphasizing its ongoing development of destructive malware. Additionally, the war has reignited the hacktivist threat — spawning pro-Russian groups with global target lists — and has reshaped the cybercrime landscape in Eastern Europe.

Importantly, defenders are adeptly employing the strides made in detection, response and information sharing that were developed over the last several years. Many of the early wiper attacks were quickly identified, analyzed and publicized, helping to protect others from becoming victims. These attacks include at least eight identified wipers and the discovery and disruption of a planned Russian cyberattack on Ukraine’s electric grid in April 2022.

Learn More in the X-Force Threat Intelligence Index

There’s much more to learn about the threat landscape in the X-Force Threat Intelligence Index.

  • Analysis of the top attack types and top infection vectors, from ransomware and BEC to phishing and vulnerability exploitation
  • This year’s top spoofed brands
  • The complexity and magnitude of the vulnerability problem organizations are facing
  • An examination of threats to operational technology (OT) and industrial control systems (ICS)
  • Geographic and industry trends identifying who’s being targeted — and where
  • Recommendations for risk mitigation based on the cumulative expertise of X-Force

Download the full report and sign up to attend a webcast with the authors of this report. They’ll offer a detailed investigation of the findings and what they mean for organizations defending against threats. View the Threat Intelligence Index Action Guide for insights, recommendations and next steps.
