Content, Content

Cyberattacks Gain Steam in Early ’22: Tetra Defense Report

Gauge or meter indicator. Speedometer icon with red, yellow, green scale and arrow. Progress performance chart. Vector illustration.

There appears to be no slowing down of cyberattacks during the first quarter of 2022, says Tetra Defense, an Arctic Wolf company, in its quarterly Incident Response Insights report.

“The first quarter of 2022 (January – March) was filled with unprecedented international geopolitical strife and economic uncertainty, but even with these global events, threat actors did not stop committing their cybercrimes against organizations of all sizes,” Tetra Defense says.

Known Vulnerabilities Exploited

Here are the key takeaways from the report:

  • 82% of incidents in which Tetra Defense responded were caused by the external exposure of a known vulnerability on the victim’s network a Remote Desktop Protocol (RDP).
  • Incidents caused by unpatched systems cost organizations 54% more than those caused by employee error.
  • Log4J/Log4Shell is still being actively exploited. However, significant global attention paid to the vulnerability has prevented ongoing widespread exploitation.
  • Compromised credentials still account for a number of incidents. That underscores the need for more organizations to adopt multi-factor authentication (MFA) and implement dark web monitoring, says Tetra Defense.

Tetra Defense’s “most notable" observations during Q1 include:

  • The Root Point of Compromise (RPOC) was often the initial entry point of a threat actor.
  • Despite widespread attention brought to Log4J/Log4Shell vulnerabilities, it was only the third most exploited external exposure in Q1, accounting for 22% of Tetra Defense’s total incident response cases.
  • Leading the way, and accounting for 33% of external exposure cases, was a series of Microsoft Exchange vulnerabilities known as ProxyShell.
  • “External Exposures" were the root cause of most incidents, but the action of an individual employee caused nearly one in five (18%) incidents.
  • An employee opening a malicious document was the root cause of more than half (54%) of the exposure incidents.
  • Compromised credentials (23%) was another major driver of “User Action” incidents. These incidents were from threat actors attacking username and password combinations. Employee password and user name reuse across multiple sites was a critical factor among incidents.

About the Report

The quarterly overview of the threat landscape allows Arctic Wolf and Tetra Defense to share knowledge with the security community and also inform how they build and enhance detections to anticipate future tactics, techniques and procedures.

Tetra Defense collects and analyzes data and insights from its incident response engagements in the United States. The information is a vital part of Tetra Defense’s assessment of the cyber threat landscape, helping guide underwriting strategies, loss prevention programs, broker advisement and client security priorities.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.