URL: https://www.corvusinsurance.com/blog/3-ways-threat-actors-will-kick-off-the-new-year-according-to-corvus-intel




3 WAYS THREAT ACTORS WILL KICK OFF THE NEW YEAR, ACCORDING TO CORVUS INTEL

Corvus Team • December 13, 2023

Every few months we share a deep dive on cyber findings from our Claims and
Threat Intel teams in the Corvus Risk Insights Index. (See last edition here).
The CRII covers trends over the span of a year or more, which enables us to wait
patiently for data to mature before we stake any claim — pun intended — about
any cyber risk trends. 



But threat actors move faster than insurance claim cycles, so in our day-to-day
we analyze a blend of recent (immature) claims data and external threat
intelligence to find indicators of emerging trends that can help us make
policyholders safer. As we head into the time of year that’s busiest for many
organizations — and unfortunately, for threat actors, too — we thought we’d
share a peek behind the curtain to those findings, in the form of some
predictions. 

Which of these will make the cyber headlines of the future, and which will be
merely blips on the radar screen? Grab a colleague, place your bets, and we’ll
find out in a few months. 


HOW THREAT ACTORS WILL KICK OFF THE NEW YEAR

We know threat actors will be active over the holidays (they tend to wait ‘til
January to take PTO), but how will they focus their efforts? Here are three of
our best guesses, based on a blend of preliminary claims data and external
threat intelligence.


1. GOING PHISHING (ESPECIALLY IN MICROSOFT WATERS)

In recent months social engineering, the category that includes tactics like
phishing and spearphishing, was the most frequently observed cause of claims
cited in Corvus data. That’s not a surprise, since it’s been the leading cause
in nearly every month for which we have data, going back several years. But the
gap between social engineering and other causes of loss has been especially wide
of late. 

Social engineering claims have risen as a share of claims to make up nearly half
of all claims in recent months, after hovering around 35-38% for about a year
prior. That gives social engineering nearly 3x the share of the next largest
claim category. (That second category has in recent months been claims due to
breaches at vendors or other third parties).



This gap has developed in spite of the wider adoption of anti-phishing training
over the past few years. It seems that tried and true methods of exploiting
human beings persist over time, even as security technologies and
vulnerabilities come and go. 

An interesting wrinkle in this data is the prevalence of Microsoft products as
the target of phishing efforts. What makes this interesting isn’t that
Microsoft, the leader in the space with a market share somewhere between 40% and
50% of business email in the US, sees its customers targeted, but that there’s
very little indication of this trend being present among organizations using the
second-largest business email provider, Google.

In fact, Corvus has seen zero claims this year to date with social engineering
as the cause of loss from organizations that were confirmed as customers of
Gmail for their business email. Even though Microsoft is the most prevalent
business email provider used by our policyholders, we would have expected to see
1 in 10 of our social engineering claims from Google Workspace organizations.

This finding is supported by external sources such as Expel’s Q3 Threat Report,
which noted the prevalence of Business Email Compromise (BEC) within Microsoft
email services: 

“All Q3 BEC attempts [among incidents we responded to] occurred in Microsoft 365
– we didn’t identify any incidents in Google Workspaces. We believe that’s due
to Google Workspaces having more stringent security settings configured by
default. We’re watching closely to see if that changes with the recent Basic
Auth change for Microsoft 365.”

Security configurations will change over time, but for now we expect the
“success” threat actors have had so far to breed further social engineering of
Microsoft organizations. Further investigation will be needed to understand the
reason for such a wide discrepancy between the two largest cloud-based work
tool companies.

KEY INDICATORS: SOCIAL ENGINEERING

 * In recent months, the rate of claims with Social Engineering as the cause was
   3x higher than the rate of the next-highest cause — a higher ratio than we’ve
   seen in the past

 * In our preliminary claims data for 2023, Corvus has seen no claims to date
   with a social engineering cause of loss on policyholders using Google
   Workspace as their email provider. 
   
   * While there are relatively few Google Workspace organizations among our
     policyholder base overall, the ratio would suggest that we should see at
     least 1 in 10 of our social engineering claims from Google Workspace
     organizations if they occurred at the same rate as other email providers. 

 


2. EXPLOITING EXTERNAL VULNERABILITIES TO GAIN INITIAL ACCESS FOR EXTORTION
ATTACKS 

While social engineering rules in terms of the frequency of claims, we can’t
forget about ransomware and other forms of extortion attacks. These types of
attacks are vastly more expensive — on average 20x the cost of the average
social engineering claim* — and more traumatic for organizations than other
types of cybercrime, so we take a keen interest in what’s coming next in
ransomware, especially in periods when activity is rising. 

We look not only at trends in the types of ransomware used in attacks, but also
the way attackers get into a victim’s system in the first place — the “method of
initial access”. In some cases this can be difficult to determine through the
fog of war, but whenever possible we collect it in order to form a more complete
picture of attack trends and inform the risk prevention advice we provide our
policyholders. 

According to Corvus data, back in 2022 the most common way ransomware threat
actors gained initial entry into a victim’s system was through spearphishing, a
form of phishing in which specific individuals are targeted with a specific
message. Spearphishing via email attachments containing malware was the most
common style. 

But this year there was a shift. If the trend holds, the leading method of
initial entry for ransomware this year will be exploitation of external
vulnerabilities. Translated, this means attackers are gaining access to systems
by way of a vulnerability, such as a zero-day vulnerability. A zero-day is a
security flaw in software or hardware that is unknown to the party responsible
for the software’s security until after it is exploited by attackers. (Because
of their inherent urgency, zero-day vulnerabilities are often the subject of
threat alerts that Corvus sends to our policyholders — and very quickly, we
might add!)



These attacks comprise nearly a third of the extortion attacks for which we have
data on the method of initial entry this year, up from near zero in the second
half of 2022. Examples of vulnerabilities we’ve seen exploited this year include
the one discovered in MOVEit file transfer software in June, and one that Fortra
discovered in its GoAnywhere file transfer solution.

Given the success threat actors have found using zero-day vulnerabilities this
year, especially in file transfer software, we’re looking out for their
continued activity finding and exploiting vulnerabilities going forward.

KEY INDICATORS: INITIAL ACCESS METHODS


 * Ransomware attacks, while much rarer than Social Engineering, cost 20x more
   on average

 * Spearphishing efforts were for a long period the most common way threat
   actors gained access to systems to deploy ransomware

 * Recently, exploits of external software vulnerabilities have spiked, now
   being the method of initial entry for 1 in 3 ransomware attacks (among those
   for which we were able to determine the method)

 

*Sub-limits applied to social engineering and some ransomware claims affect the
average incurred costs for each category, so this finding may differ when
observed outside of the insurance context. 


3. EXPLOITING BACK-END SYSTEMS THROUGH EXPOSED KEYS 

Exchanges of information between organizations are the foundation of the modern
web. They are what enables cloud-based services to work, such as cloud hosting
and storage, as well as front-end services like payment processing. Third-party
services are critical to the function of millions of websites and web
applications.

A critical piece of these exchanges is “keys” (such as for API access) or
security tokens (such as JSON Web Tokens). These are the equivalent of a “secret
handshake” that proves both parties are allowed to exchange data. When handled
properly, secrets are closely held, and remain (yes) secret. But with so many
web and cloud services used by so many customers, there’s huge variation in the
levels of skill, experience and support in their implementation and maintenance.
Things can go awry.

Sometimes keys are buried in code that ends up being put in a public repository,
where a threat actor can use relatively simple search methods to identify these
forgotten strings. In other cases threat actors will use specific tools designed
to break into otherwise secure spaces and find keys. Exfiltrated data from
ransomware victims is also a source. Threat actors who locate keys can put them
to use for their own nefarious purposes, or sell access to them on dark web
marketplaces where keys can fetch high prices because of the unique level of
system access they can grant. 

This phenomenon has been observed by researchers for some time now. Our team
believes that increased availability of tools and wider knowledge of the
existence of so many relatively easy-to-obtain keys means that exposed keys may
become more notable as a vector for attacks in the future. This area has been
the subject of research by our teams and we’ve discovered a considerable number
of critical keys available online. 



The overall incidence of this kind of exposure is fairly common, found in about
7% of the population we’ve searched. Some of the most common exposed secrets
were Google API keys, JSON web tokens, Shopify domain keys, and keys for AWS S3
buckets.
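The defensive counterpart to the "relatively simple search methods" described above is to run the same kind of pattern search on your own code before it reaches a public repository. The following is an added example, not Corvus tooling and not part of the original post: a small pre-commit style scanner that flags the credential shapes the post names (AWS access keys, Google API keys, JSON Web Tokens) plus a generic high-entropy "looks like a secret" heuristic, and reports only a redacted preview so the finding itself does not leak the value. The regexes are the publicly documented formats of those credentials; the severity labels, the entropy threshold, and the sample file contents are assumptions constructed for this example (the AWS values are the placeholder credentials from AWS's own documentation).

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Each entry: (finding kind, compiled regex, severity). The regexes are the
# publicly documented shapes of these credentials; severities follow the
# post's split between "critical" exposures (AWS keys) and ones to review.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "critical"),
    ("aws_secret_access_key",
     re.compile(r"aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})", re.I),
     "critical"),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"), "review"),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]+"),
     "review"),
    # Heuristic: a quoted, long value assigned to a credential-like name.
    # Entropy gating (below) keeps placeholders such as "xxxxxxxx" out.
    ("generic_assignment",
     re.compile(r"\w*(?:secret|token|password|key)\w*\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]", re.I),
     "review"),
]
MIN_ENTROPY_BITS = 3.0  # assumption: threshold chosen for this example


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking credentials score well above 3."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough to recognise the hit, never the usable secret."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    severity: str
    preview: str


def scan_text(text: str) -> list[Finding]:
    """Scan file content line by line; specific patterns win over the heuristic."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        taken = []  # spans already attributed to an earlier, more specific pattern
        for kind, regex, severity in PATTERNS:
            for m in regex.finditer(line):
                idx = m.lastindex or 0  # capture group holds the value if one exists
                start, end = m.span(idx)
                if any(start < e and end > s for s, e in taken):
                    continue
                value = m.group(idx)
                if kind == "generic_assignment" and shannon_entropy(value) < MIN_ENTROPY_BITS:
                    continue
                taken.append((start, end))
                findings.append(Finding(line_no, kind, severity, redact(value)))
    return findings


def should_block_commit(findings: list[Finding]) -> bool:
    """Policy for a pre-commit hook: any critical hit fails the check."""
    return any(f.severity == "critical" for f in findings)


# Constructed sample file. The AWS values are the placeholder credentials from
# AWS's own documentation; everything else is made up for this example.
GOOGLE_SAMPLE = "AIza" + "Y" * 35
JWT_SAMPLE = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c0nstructedS1gnature")
SAMPLE_FILE = f"""# constructed sample config; every value is a fake placeholder
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GOOGLE_MAPS_KEY={GOOGLE_SAMPLE}
auth_header = "Bearer {JWT_SAMPLE}"
API_TOKEN = "q8Zt3vLp0xNfD2hKs7WmYc4Rb"
PASSWORD = "xxxxxxxxxxxxxxxxxx"
version = "1.2.3"
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_FILE)
    for h in hits:
        print(f"line {h.line}: {h.kind} [{h.severity}] {h.preview}")
    print("block commit:", should_block_commit(hits))
```

Run against the sample, the scanner reports the two AWS values as critical, the Google key, JWT and high-entropy token as review items, and ignores the all-`x` password and the version string; the redacted previews (for instance `AKIA...LE`) are safe to put in CI logs. Wiring `scan_text` over staged files in a pre-commit hook, and failing the commit when `should_block_commit` is true, stops the "forgotten string in a public repository" scenario before it happens rather than after a search engine finds it.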

But not all exposures are equal. Some do not give threat actors much to work
with, and may never pose a problem for the organizations that exposed them. For
about 1% of the organizations we studied, however, we located exposed keys that
our security experts consider to be “critical” and require immediate attention.
These include AWS API keys, keys to cloud storage buckets (AWS S3 and Google
Cloud Storage), and API keys from a bevy of non-cloud provider services, like
LinkedIn, Okta, Slack, MailChimp, Facebook, New Relic, Stripe, and Sauce Labs.

Look out for more soon from Corvus on how we’re building this research into
Corvus Signal™, our risk prevention solution.

KEY INDICATORS: SECRET KEY EXPOSURE


 * Corvus research indicates 7% of organizations we scanned have secret keys
   exposed with potential for exploit

 * One percent of organizations have critical exposures, such as AWS API or S3
   storage bucket keys exposed

 

