This week, we will summarize Verizon’s Data Breach Investigation report for 2022 and a critical severity vulnerability in Confluence currently being exploited in the wild.
Key findings from Verizon Data Breach Investigation Report 2022
Since 2008, Verizon has conducted and published the annual Data Breach Investigations Report (DBIR), and 2022 marks the report’s 15th anniversary. Over those 15 years, Verizon has collected nearly nine terabytes of data covering close to 250,000 breaches and almost 1,000,000 unique security incidents. The report opens with the observation that “nothing is certain,” and it backs its analysis of that uncertainty in the security industry with data presented as slanted bar charts, dot plots, pictograms, and spaghetti charts.
Verizon states: “There are four key paths leading to your estate: Credentials, Phishing, Exploiting vulnerabilities, and Botnets. All four are pervasive in all areas of the DBIR, and no organization is safe without a plan to handle each of them.”
This year, ransomware continued its upward trend with an almost 13% rise. It is important to remember that, while ubiquitous and potentially devastating, ransomware is simply a way of monetizing access to an organization. Blocking the four key paths mentioned above therefore blocks the common routes ransomware uses to penetrate your network.
While the ransomware threat has grown drastically, the top delivery methods remain familiar: desktop sharing software accounted for 40% of incidents, and email for 35%, according to Verizon’s data. This growing threat may seem overwhelming, but the most important steps organizations can take against these attacks are still the fundamentals: raising security awareness among end users about phishing attempts and maintaining security best practices. Refer to our documentation for Ransomware Attack: What It Is and How to Prevent It.
Supply Chain Threats
2021 showed how a single supply chain incident can lead to a wide range of consequences. Threat actors are increasingly focused on compromising the right partners and vendors, whose compromise acts as a force multiplier in impact.
Breaches from Kaseya to SolarWinds, not to mention the Log4j vulnerability, stressed the fact that vendors’ systems are just as likely a vector of attack as our own. In fact, 62% of cyberattacks that follow the system intrusion pattern began with the threat actors exploiting vulnerabilities in a partner’s systems, the report states. While supply chain attacks still account for just under 10% of overall cybersecurity incidents, according to the Verizon data, the study authors point out that this vector continues to account for a considerable slice of all incidents each year. That means it is critical for companies to keep an eye on both their own and their vendors’ security posture.
The Human Element, Errors, and Misconfigurations
The human element continues to contribute to breaches. Social engineering became an overwhelming problem this past year, highlighting the surge in repeated cybercrime tactics: “The human element continues to be a key driver of 82% of breaches, and this pattern captures a large percentage of those breaches.” Errors and misconfigurations are also a major trend, driven mostly by misconfigured cloud storage. Although this is the second year in a row that this pattern has leveled out slightly, the fallibility of employees should not be discounted.
Finally, the DBIR describes the following threat patterns, which together account for most security incidents and data breaches: system intrusion, social engineering, denial of service, lost and stolen assets, privilege misuse, and miscellaneous errors.
Remote Code Execution in Atlassian’s Confluence
On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, an unauthenticated remote OGNL injection vulnerability that results in code execution on the Confluence Server and Confluence Data Center products. The vulnerability is currently being exploited in the wild, and all supported versions of Confluence Server and Data Center are affected.
Given the nature of the vulnerability, internet-facing Confluence servers are at very high risk. No patch was available when the advisory was published on June 2; as of June 3, both fixed versions and a temporary workaround are available. A full list of fixed versions is in the advisory. Note that the workaround must be applied manually.
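Because Confluence instances were exposed for at least a day before fixes existed, defenders will want to check whether their servers received OGNL-style requests during that window. The script below is an added example, not code from this newsletter, from Atlassian, or from the advisory. It assumes a reverse proxy or Confluence access log in Combined Log Format and applies one heuristic: OGNL expressions use the `${...}` syntax, which never belongs in a legitimate Confluence URL path, so any request whose (possibly URL-encoded) path contains `${` after decoding is flagged for review. The log lines are constructed, and `${expr}` is a placeholder rather than a real payload.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Combined Log Format (not from any real server).
# Two requests are ordinary Confluence traffic; two carry an OGNL-style "${...}" in the path,
# once URL-encoded (%24%7B ... %7D) and once literal.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2022:10:15:07 +0000] "GET /%24%7Bexpr%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
198.51.100.2 - - [03/Jun/2022:10:16:11 +0000] "GET /display/SPACE/Page+Title HTTP/1.1" 200 8871 "-" "Mozilla/5.0"
198.51.100.8 - - [03/Jun/2022:10:17:40 +0000] "GET /${expr}/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded input (%2524%257B...) is also normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_path(raw_path: str) -> bool:
    """Heuristic: an OGNL expression marker '${' in the decoded URL path (query string excluded)."""
    path_only = raw_path.split("?", 1)[0]
    return "${" in fully_decode(path_only)


def triage_log(log_text: str) -> list:
    """Return one finding per request whose path looks like an OGNL expression injection attempt."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        if is_suspicious_path(match["path"]):
            findings.append({
                "ip": match["ip"],
                "timestamp": match["ts"],
                "raw_path": match["path"],
                "decoded_path": fully_decode(match["path"].split("?", 1)[0]),
                "status": int(match["status"]),
                "reason": "OGNL expression syntax '${' in URL path",
            })
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['ip']} {finding['raw_path']} "
              f"-> {finding['decoded_path']} ({finding['reason']})")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents. A hit is a reason to investigate the host, not proof of compromise: a 302 or 200 response to such a request on an unpatched server is the case to escalate, and a scanner that was blocked upstream will also produce hits. The check is deliberately narrow; it does not replace patching to a fixed version or applying the vendor's workaround.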