Manufacturing was most attacked sector in Canada in 2021: IBM

Manufacturing was the top attacked industry in Canada last year, according to numbers compiled by IBM researchers.

In its annual Threat Intelligence Index, released Wednesday, the company said nearly one in three cyber attacks were against the manufacturing sector. That compares to 1 in 4 globally.

“An industry operating at a tipping point during the pandemic, attackers used the threat of ransomware to push them over the edge,” IBM said in a news release accompanying the report.

Vulnerability exploitation was the top initial attack vector in manufacturing, the report adds.

In other Canadian-specific data pulled from the numbers:

  • Ransomware was still the number one threat type: Ransomware persisted as the top attack method here, but it only made up 25 per cent of attacks in 2021 compared to 57 per cent in 2020. It is now closely followed by business email compromise (BEC) and distributed denial-of-service (DDoS) attacks, each accounting for 17 per cent of cyberattacks in Canada;
  • Energy joined list of most vulnerable sectors in Canada: Energy organizations jumped to second-most attacked in Canada at 21 per cent, surpassing healthcare and finance and insurance industries (both receiving 16 per cent of attacks);
  • Financial services’ efforts were rewarded: The financial services industry has long been a top target for cybercriminals. But because these organizations have some of the most advanced security controls in place, they were able to drop from 33 per cent of attacks in Canada in 2020 to 16 per cent in 2021.

The numbers came from data gathered by IBM network and endpoint detection devices, cyber incidents IBM responded to, domain name tracking, and more.

Global threats

Globally, ransomware was again the top attack type in 2021, although the percentage of attacks IBM’s X-Force threat team remediated that were ransomware decreased nearly nine per cent compared to 2020. Law enforcement activity was probably the primary force driving down ransomware and IoT botnet attacks in 2021, the report says. But, it adds, this does not preclude a potential resurgence this year.

The suspected Iranian nation-state threat actor ITG17 (called MuddyWater by some researchers), cybercriminal group ITG23 (known as Trickbot), and Hive0109 (LemonDuck) were some of the most active threat groups X-Force intelligence analysts observed in 2021.

In general, threat groups worldwide sought to augment their prowess and infiltrate more organizations, the report notes. “Malware they used was embedded with greater defense-evasion techniques, in some cases hosted via cloud-based messaging and storage platforms to get through security controls,” the report says. “These platforms were abused to hide command and control communication in legitimate network traffic.

“Threat actors also continued to develop Linux versions of malware, to enable them to cross over to cloud environments more easily.”

Attack Statistics

Among the interesting statistics in the report:

  • 41 per cent of attacks exploited phishing for initial access;
  • the number of incidents caused by vulnerability exploits increased 33 per cent from 2020 to 2021. Four out of the top five vulnerabilities exploited in 2021 were new vulnerabilities, including the Log4j vulnerability (CVE-2021-44228) which was ranked number two, despite only being disclosed in December;
  • the click rate by victims for the average targeted phishing campaign was 17.8 per cent. But targeted phishing campaigns that added phone calls (vishing or voice phishing) were three times more effective, netting a click from 53.2 per cent of victims.

While ransomware was the most common attack type remediated by IBM staff, what IBM calls server access attacks — where the attacker gained unauthorized access to a server, but the final end goal was unknown — were the second-most common attack type. They made up 11 per cent of all incidents the X-Force incident response team was called in for in 2021.

In many cases the threat actors were successful in deploying malware or employing penetration testing tools on a server, including China Chopper web shells, Back Orifice malware, PrintSpoofer, and Mimikatz.

In some instances, the report adds, the threat actors exploited a known vulnerability, such as CVE-2020-7961, which would allow for remote code execution on a server. In multiple cases threat actors exploited vulnerabilities in Microsoft Exchange servers to gain unauthorized access to networks of interest.

Some of the server access attacks may have been failed attempts to steal data or deploy ransomware, the report said. “It’s likely that a high number of server access attacks indicates that organizations are identifying and eradicating attacks before they progress into more damaging operations.”

Mitigation tactics

The report also recommends these threat mitigation tactics to combat cyber attacks:

  • adopting a zero-trust framework, which includes implementing multifactor authentication and the principle of allowing users only the least access privileges needed;
  • adding security automation tools, which allow software to do work that might take a human analyst or team hours;
  • installing endpoint detection and response (EDR) or extended detection and response (XDR) solutions on endpoints.

 

The post Manufacturing was most attacked sector in Canada in 2021: IBM first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
