In F5 Labs' 2022 Application Protection Report, malware accounts for 30% of known causes of data breaches in the U.S.
Measured by data breaches, the threat that grew most over the course of 2021 was malware, involved in 30.1% of breaches in 2021 compared with 17.4% in 2020 and 6.6% in 2019. This emerges from the new edition of F5 Labs' Application Protection Report, which again surveys the cyber threat landscape and documents how it evolved compared with the previous year, with the aim of clarifying the relationship between attack characteristics, targets and attacker behaviour so that security teams can tune their defences and focus on the threats that most often affect organizations like theirs.

F5 Labs had already documented the explosion of ransomware during the COVID-19 pandemic and, as early as 2021, had hypothesized how monetization strategies were changing. Although ransomware remained a common tactic in data breaches, its share of reported incidents fell slightly in the latest report compared with 2020. F5 Labs attributes this precisely to the evolution of malware tactics, but it also offers a clue as to why, compared with 2020, the numbers dropped across the board: many organizations disclosed during 2021 that malware had been found on their systems and that data had been stolen, without specifying whether ransomware or an encryption event was involved. Many incidents therefore carry very little detail. In the previous edition of the report, 125 of 728 breaches (17.2%) could not be classified as ransomware or not for lack of detail in the disclosure; this year 262 of 980 breaches (26.7%) lacked sufficient detail.
For this reason the analysis treats as its most reliable indicators the trends with the largest swings: the overall growth of malware, or the declines in web exploits and in corporate email compromise.

Lower incidence of web exploits

Although the share of breaches attributable to web exploits fell again in 2021, formjacking established itself as the predominant type of web exploit. The trend has been downward since 2019, when web exploits accounted for 19% of breaches, falling to 14.4% in 2020 and 10.4% last year. Formjacking attacks such as Magecart continued to make up the majority of the web exploits behind disclosed breaches. Essentially, the exploits took two forms: formjacking attacks that skim payment card data, and exploitation of one of the four known vulnerabilities in Accellion FTA. Retail is confirmed as the sector most affected by web exploits such as formjacking, which is unsurprising given that this class of attack was developed for precisely that kind of target.

Access breaches hold steady

A final clear trend: after declining in 2019 and 2020, the share of access breaches remained broadly unchanged in 2021. Unfortunately, this kind of breach is often reported with very little detail beyond the fact that employee email accounts were compromised, which suggests that the true weight of phishing and credential stuffing attacks is still underestimated today, particularly as compromised access (via phishing, brute force or credential stuffing, for example) is confirmed as the main entry point for breaches, at 25.2%. Access attacks remain a strong and lasting trend, and the first step of compromise for many other attack chains.
Sander Vinberg, Senior Threat Evangelist at F5 Labs, concluded in an official press release: "Our report is primarily based on successful attacks and on analysis of public information about data breaches that organizations send to judicial bodies in the United States. This allowed us to draw a complete scenario highlighting the behaviours and characteristics of attacks that take place all over the world, in order to understand and suggest which cybersecurity mitigation measures no organization can afford to ignore: from data backup to application isolation and sandboxing, to network segmentation, to the management of privileged accounts and more."