• For the first time since March 2021, healthcare was the most targeted vertical.
  • Web shells were the top observed threat, comprising nearly 22% of incidents.
  • 30% of engagements either did not have multi-factor authentication (MFA) enabled at all or only on limited services.

Dubai, United Arab Emirates – Cisco Talos released its cybersecurity report for the first quarter of 2023, highlighting the most common attacks, targets and other significant trends. The findings show that web shells were the top observed threat, comprising nearly 22 percent of incidents- a novel increase compared to previous quarters. Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet.

Commenting on the report’s findings, Fady Younes, Cybersecurity Director, EMEA Service Providers and MEA, Cisco, said: “Cybercriminals are gaining more experience exploiting security loopholes to spread their reach across corporate networks. To stay ahead of the wide array of threats and be in a position to respond to risks in motion, cyber defenders must scale their protection strategies. This means leveraging advanced technologies like automation, machine learning and predictive intelligence to analyze vast amounts of data in real-time and identify potential threats before they can cause any damage.”

Compiled by Cisco Talos Intelligence Group, one of the largest commercial threat intelligence teams in the world, the report offers valuable information and recommendations to help organizations enhance their security posture and protect against potential cyber-attacks.

Top Threats observed in Q1 2023

Web shell: This quarter, web shell usage has made up nearly a fourth of the threats responded to in the first quarter of 2023. Although each web shell had its own set of basic functions, threat actors often chained them together to provide a flexible toolkit for spreading access across the network.

Ransomware: Ransomware made up less than 10 percent of engagements, a significant decrease compared to the previous quarter’s ransomware engagements (20 percent). Ransomware and pre-ransomware incidents combined, however, made up nearly 22 percent of threats observed.

Qakbot commodity: The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files with malicious OneNote documents. Adversaries are increasingly relying on OneNote to spread their malware after Microsoft disabled macros by default in Office documents in July 2022.

Exploiting public-facing applications: Exploitation of public-facing applications was the top initial access vector this quarter, contributing to 45 percent of engagements, a significant increase compared to 15 percent in the previous quarter.

Additional Observations

  • The report showed that 30 percent of engagements lacked multi-factor authentication or only had it enabled on select accounts and services.
  • Recent law enforcement efforts have disrupted major ransomware gangs, such as Hive ransomware, but this has created space for new families to emerge or for new partnerships to form.
  • Healthcare was targeted the most this quarter by adversaries, followed closely by retail and trade, real estate, food services, and accommodation sectors.

Way Forward

“As cyber threats continue to rise, organizations must take proactive measures to protect themselves from potential breaches. One of the most significant obstacles to enterprise security is the lack of f Zero-Trust architecture deployments in many organizations" in many organizations. To prevent unauthorized access to sensitive data, businesses should implement some form of MFA, such as Cisco Duo. Endpoint detection and response solutions like Cisco Secure Endpoint are also essential for detecting malicious activity on the network and devices,” added Younes.

For more details on Cisco Talos' Q1 2023 findings, click here.

About Cisco

Cisco (NASDAQ: CSCO) is the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future. Discover more on The Newsroom and follow us on Twitter at @Cisco.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

Media Contacts

Farida Khalil 
Senior Account Executive
Hill+Knowlton Strategies
farida.khalil@hkstrategies.com

Rasha Zaki
Head of Communications – MEA
Cisco razaki@cisco.com