Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10.

On the dark web — a veritable eBay for cybercriminals — threat actors can hold onto ill-gotten backdoor access (unbeknownst to victims) until the price is right, and then sell it to the highest bidder.

Backdoor deployment even outpaced ransomware in 2022; ransomware itself was seen in 17% of the cases X-Force examined. About 67% of those backdoor cases, however, were failed ransomware attempts, in which defenders disrupted the backdoor before ransomware could be deployed.

Top attack impact: Extortion

An IBM Security X-Force study revealed a substantial 94% reduction in the average duration of ransomware attacks from 2019 to 2021, from over two months to just under four days.

While incidents involving ransomware declined from 21% in 2021 to 17% in 2022, it remains a clear and present danger that shows signs only of expanding, not slowing down.

Extortion is getting personal, and ransomware is just the tip of the arrow. When you think of extortion you usually think of ransomware — but extortion campaigns go far beyond ransomware today and include a variety of methods to apply pressure, including business email compromise and DDoS threats.

Cybercriminals are incorporating increasingly intense psychological pressure in their attacks, as well. Some of the latest extortion schemes turn customers and business partners into pawns. Attackers are contacting hospital patients and students to tell them their data has been accessed — magnifying pressure on the breached organization.

In more than one in four incidents examined, threat actors aimed to extort victim organizations — making it the top impact observed across incidents remediated by X-Force.


Phishing and vulnerability exploitation: The top initial access vectors in attacks

Phishing isn’t a new initial access vector by any stretch, but it remains a favored tactic of threat actors for an obvious reason: it works.

Phishing, whether through an attachment, a link or as a service, remained the leading infection vector in 2022, accounting for 41% of all incidents. Among those phishing incidents, spear phishing attachments were used in 62%, spear phishing links in 33% and spear phishing via a service in 5%. X-Force also observed threat actors using attachments alongside phishing as a service or links in some instances.

When it comes to vulnerabilities, cybercriminals already have access to thousands of them, and they don’t have to invest time and money finding new ones because many old ones still work. In 2022, X-Force observed an 800% increase in infections resulting from exploitation of the 2017 vulnerability used by WannaCry, reinforcing the need for organizations to refine their vulnerability management programs and prioritize critical patches.

Vulnerability exploitation — captured in the X-Force Threat Intelligence Index as exploitation of public-facing applications to align with the MITRE ATT&CK framework — placed second among top infection vectors, seen in 26% of incident response cases. The number of incidents resulting from vulnerability exploitation in 2022 decreased 19% from 2021, after rising 34% from 2020, a swing that was probably driven by the widespread Log4J vulnerability at the end of 2021.

Cyber-related developments of Russia’s first year of war in Ukraine

The conflict in Ukraine initiated by Russia was anticipated to be a showcase of the integration of cyber operations in modern warfare — a prediction made by many in the cybersecurity field. Although, as of early 2023, the most severe predictions of cyberattacks have not yet materialized, Russia has employed a vast number of wipers in their offensive against Ukraine, emphasizing its ongoing development of destructive malware. Additionally, the war has reignited the hacktivist threat — spawning pro-Russian groups with global target lists — and has reshaped the cybercrime landscape in Eastern Europe.

Importantly, defenders are adeptly applying the strides made in detection, response and information sharing over the last several years. Many of the early wiper attacks were quickly identified, analyzed and publicized, helping to protect others from becoming victims. These developments include at least eight identified wipers and the discovery and disruption of a planned Russian cyberattack on Ukraine’s electric grid in April 2022.

Learn more in the X-Force Threat Intelligence Index

There’s much more to learn about the threat landscape in the X-Force Threat Intelligence Index.

  • Analysis of the top attack types and top infection vectors, from ransomware and BEC to phishing and vulnerability exploitation
  • This year’s top spoofed brands
  • The complexity and magnitude of the vulnerability problem organizations are facing
  • An examination of threats to operational technology (OT) and industrial control systems (ICS)
  • Geographic and industry trends identifying who’s being targeted — and where
  • And recommendations for risk mitigation based on the cumulative expertise of X-Force.

Download the full report and sign up to attend a webcast with the authors of this report. They’ll offer a detailed investigation of the findings and what they mean for organizations defending against threats. View the Threat Intelligence Index Action Guide for insights, recommendations and next steps.
