A recent report by Cisco Talos highlights the increasing trend of threat actors targeting public-facing applications to gain initial access. According to the Incident Response Trends in Q4 2024 report, exploiting public-facing applications accounted for 40% of incidents in the last quarter of 2024, marking a significant shift from previous methods such as account compromise.
The rise in the use of web shells played a key role in this trend, with 35% of incidents in Q4 involving the deployment of web shells against vulnerable or unpatched web applications. This represents a substantial increase from the previous quarter, when web shells were used in less than 10% of cases. Threat actors took advantage of various open-source and publicly available web shells to exploit vulnerable web servers and gain access to victims’ environments through the targeted web applications.
In contrast, ransomware incidents and data theft extortion saw a decline, accounting for 30% of incidents in Q4 compared to 40% in Q3 2024. Attacker dwell times ranged from 17 to 44 days, indicating a deliberate approach to moving laterally, evading defenses, and identifying valuable data for exfiltration. In one observed RansomHub incident, operators spent over a month within the compromised network before executing the ransomware, engaging in activities such as internal network scanning, accessing backup passwords, and harvesting credentials.
Compromised valid accounts were used in 75% of ransomware incidents to gain initial access and execute ransomware on targeted systems. For instance, RansomHub affiliates leveraged a compromised administrator account to carry out ransomware attacks, extract credentials, and conduct scans using a commercial network scanning tool. Remote access tools were employed in all ransomware engagements in Q4, with Splashtop the most commonly used, appearing in 75% of cases.
The report also underscores the importance of implementing multi-factor authentication (MFA) on critical services, including remote access and identity and access management (IAM) services. Despite the focus on exploiting public-facing applications, account compromise remains a significant tactic for initial access and post-compromise activity. In Q4, 40% of compromises involved misconfigured, weak, or absent MFA, and organizations impacted by ransomware either lacked properly implemented MFA or fell victim to social engineering tactics.
Overall, the findings from Cisco Talos’ report shed light on the evolving tactics of threat actors, emphasizing the need for robust security measures such as MFA to protect against growing cyber threats targeting public-facing applications and account compromise.