Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10.

On the dark web — a veritable eBay for cybercriminals — threat actors can hold onto ill-gotten backdoor access (unbeknownst to victims) until the price is right, and then sell it to the highest bidder.

Backdoor deployment even outpaced ransomware in 2022; ransomware was seen in 17% of the cases X-Force examined. About 67% of those backdoor cases were failed ransomware attempts, in which defenders disrupted the backdoor before ransomware could be deployed.

Top attack impact: Extortion

An IBM Security X-Force study revealed a substantial 94% reduction in the average duration of ransomware attacks from 2019 to 2021, from over two months to just under four days.

While the share of incidents involving ransomware declined from 21% in 2021 to 17% in 2022, it remains a clear and present danger and shows no sign of going away.

Extortion is getting personal, and ransomware is only its most visible form. When you think of extortion you usually think of ransomware, but extortion campaigns go far beyond ransomware today and include a variety of methods to apply pressure, including business email compromise and DDoS threats.

Cybercriminals are incorporating increasingly intense psychological pressure in their attacks, as well. Some of the latest extortion schemes turn customers and business partners into pawns. Attackers are contacting hospital patients and students to tell them their data has been accessed — magnifying pressure on the breached organization.

In more than one in four incidents examined, threat actors aimed to extort victim organizations — making it the top impact observed across incidents remediated by X-Force.


Phishing and vulnerability exploitation: The top initial access vectors in attacks

Phishing isn’t a new initial access vector by any stretch, but it remains a favored tactic of threat actors for an obvious reason: it works.

Phishing — whether through an attachment, a link or phishing as a service — remained the leading infection vector in 2022, seen in 41% of all incidents. Among those phishing incidents, spear phishing attachments were used in 62%, spear phishing links in 33% and spear phishing via service in 5%. X-Force also observed threat actors combine attachments with phishing as a service or links in some cases.

When it comes to vulnerabilities, cybercriminals already have access to thousands of them, and they don't have to invest time and money finding new ones while many old ones still work. In 2022, X-Force observed an 800% increase in infections resulting from exploitation of the 2017 SMBv1 vulnerability (MS17-010) that WannaCry used to spread, reinforcing the need for organizations to refine their vulnerability management programs and prioritize critical patches on internet-facing and legacy systems.

Vulnerability exploitation — recorded in the X-Force Threat Intelligence Index as exploitation of public-facing applications, to align with the MITRE ATT&CK framework — placed second among initial infection vectors, seen in 26% of incident response cases. The number of incidents resulting from vulnerability exploitation in 2022 decreased 19% from 2021, after rising 34% from 2020 to 2021; that swing was probably driven by the widespread exploitation of the Log4j vulnerability (Log4Shell) at the end of 2021.

Cyber-related developments of Russia’s first year of war in Ukraine

Many in the cybersecurity field anticipated that Russia's war against Ukraine would be a showcase for the integration of cyber operations into modern warfare. As of early 2023, the most severe predictions have not materialized, but Russia has deployed a large number of wipers in its offensive against Ukraine, underscoring its continued development of destructive malware. The war has also reignited the hacktivist threat, spawning pro-Russian groups with global target lists, and has reshaped the cybercrime landscape in Eastern Europe.

Importantly, defenders are making good use of the advances in detection, response and information sharing developed over the last several years. Many of the early wiper attacks were quickly identified, analyzed and publicized, helping to protect other organizations from becoming victims. Examples include at least eight identified wiper families and the discovery and disruption of a planned Russian cyberattack on Ukraine's electric grid in April 2022.

Learn more in the X-Force Threat Intelligence Index

There’s much more to learn about the threat landscape in the X-Force Threat Intelligence Index.

  • Analysis of the top attack types and top infection vectors, from ransomware and BEC to phishing and vulnerability exploitation
  • This year’s top spoofed brands
  • The complexity and magnitude of the vulnerability problem organizations are facing
  • An examination of threats to operational technology (OT) and industrial control systems (ICS)
  • Geographic and industry trends identifying who’s being targeted — and where
  • And recommendations for risk mitigation based on the cumulative expertise of X-Force.

Download the full report and sign up to attend a webcast with the authors of this report. They’ll offer a detailed investigation of the findings and what they mean for organizations defending against threats. View the Threat Intelligence Index Action Guide for insights, recommendations and next steps.

