Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10.

On the dark web — a veritable eBay for cybercriminals — threat actors can hold onto ill-gotten backdoor access (unbeknownst to victims) until the price is right, and then sell it to the highest bidder.

Backdoor access even outpaced ransomware in 2022, which was seen in 17% of the cases X-Force examined. But about 67% of those backdoors were failed ransomware attempts, where defenders disrupted the backdoor before ransomware was deployed.

Top attack impact: Extortion

An IBM Security X-Force study revealed a substantial 94% reduction in the average duration of ransomware attacks from 2019 to 2021, from over two months to just under four days.

While incidents involving ransomware declined from 21% in 2021 to 17% in 2022, it remains a clear and present danger that shows signs only of expanding, not slowing down.

Extortion is getting personal, and ransomware is just the tip of the arrow. When you think of extortion you usually think of ransomware — but extortion campaigns go far beyond ransomware today and include a variety of methods to apply pressure, including business email compromise and DDoS threats.

Cybercriminals are incorporating increasingly intense psychological pressure in their attacks, as well. Some of the latest extortion schemes turn customers and business partners into pawns. Attackers are contacting hospital patients and students to tell them their data has been accessed — magnifying pressure on the breached organization.

In more than one in four incidents examined, threat actors aimed to extort victim organizations — making it the top impact observed across incidents remediated by X-Force.

Download the Report

Phishing and vulnerability exploitation: The top initial access vectors in attacks

Phishing isn’t a new initial access vector by any stretch, but it remains a favored tactic of threat actors for an obvious reason: it works.

Phishing — whether through attachment, link or as a service — remains the lead infection vector in 2022, which comprised 41% of all incidents. Across incidents, spear phishing attachments were used in 62% of those attacks, spear phishing links in 33% and spear phishing via service in 5%. X-Force also witnessed threat actors use attachments alongside phishing as a service or links in some instances.

When it comes to vulnerabilities, cybercriminals already have access to thousands of them. And they don’t have to invest time and money to find new ones since many old ones are working just fine. In 2022, X-Force uncovered an 800% increase in infections resulting from exploits of the 2017 WannaCry vulnerability, reinforcing the need for organizations to refine their vulnerability management programs and prioritize critical patches.

Vulnerability exploitation — captured in the X-Force Threat Intelligence Index as exploitation of public-facing applications to align with the MITRE ATT&CK framework — placed second among top infection vectors, seen in 26% of incident response cases. The number of incidents resulting from vulnerability exploitation in 2022 decreased 19% from 2021, after rising 34% from 2020, a swing that was probably driven by the widespread Log4J vulnerability at the end of 2021.

Cyber-related developments of Russia’s first year of war in Ukraine

The conflict in Ukraine initiated by Russia was anticipated to be a showcase of the integration of cyber operations in modern warfare — a prediction made by many in the cybersecurity field. Although, as of early 2023, the most severe predictions of cyberattacks have not yet materialized, Russia has employed a vast number of wipers in their offensive against Ukraine, emphasizing its ongoing development of destructive malware. Additionally, the war has reignited the hacktivist threat — spawning pro-Russian groups with global target lists — and has reshaped the cybercrime landscape in Eastern Europe.

Importantly, defenders are adeptly employing the strides made in detection, response and information sharing that were developed over the last several years. Many of the early wiper attacks were quickly identified, analyzed and publicized, helping to protect others from becoming victims. These attacks include at least eight identified wipers and the discovery and disruption of a planned Russian cyberattack on Ukraine’s electric grid in April 2022.

Learn more in the X-Force Threat Intelligence Index

There’s much more to learn about the threat landscape in the X-Force Threat Intelligence Index.

  • Analysis of the top attack types and top infection vectors, from ransomware and BEC to phishing and vulnerability exploitation
  • This year’s top spoofed brands
  • The complexity and magnitude of the vulnerability problem organizations are facing
  • An examination of threats to operational technology (OT) and industrial control systems (ICS)
  • Geographic and industry trends identifying who’s being targeted — and where
  • And recommendations for risk mitigation based on the cumulative expertise of X-Force.

Download the full report and sign up to attend a webcast with the authors of this report. They’ll offer a detailed investigation of the findings and what they mean for organizations defending against threats. View the Threat Intelligence Index Action Guide for insights, recommendations and next steps.

More from Threat Intelligence

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today