Orange Cyberdefense, the specialist arm of Orange Group dedicated to cybersecurity, has launched its annual security research report, the Security Navigator 2023. Among other things, the analysis examined 99,506 potential incidents that were investigated and triaged by the company’s CyberSOC teams, an increase of 5 per cent on the 2022 report. While this year’s report shows encouraging signs that the growth in incidents is slowing, several factors remain a cause for global concern.

The report suggests that cyberbattles are being won in some areas. However, a plethora of challenges remain. For example, the data shows that businesses are still taking 215 days on average to patch a reported vulnerability. Even for critical vulnerabilities, it generally takes more than six months to patch. Indeed, the company’s ethical hacking teams report a ‘serious’ (critical or high) issue in almost 50 per cent of all the tests they conduct.

The report sees cyber extortion (Cy-X) impact businesses of all sizes across the world. 82 per cent of observed Cy-X victims were small businesses, an increase from the 78 per cent we measured last year.

While some of the teams observed a marked slowdown in cybercrime at the onset of the war in Ukraine, the intensity soon increased again. The company also sees significant increases in cyber extortion: over the last six months, for example, the number of Cy-X victims in East Asia and South East Asia grew by 30 per cent and 33 per cent respectively.

Cyber-extortion remains the dominant form of attack but victim location is clearly shifting from North America towards Europe, Asia and emerging markets.

Ransomware and cyber extortion attacks continue to prove a major threat to organisations globally, and as such featured regularly in Orange Cyberdefense’s World Watch threat advisories throughout the year. Notable spikes in news about ransomware occurred in March 2022 and April 2022, resulting from Lapsus$ activity and Conti leak events, as well as concerns about the war on Ukraine.

Simultaneously, 40 per cent of the incidents processed by Orange’s CyberSOCs involved malware.

There is also a clear and visible geographical shift occurring, illustrated by Cy-X victim volumes decreasing by 8 per cent in North America and 32 per cent in Canada, but increasing in Europe, Asia and emerging markets. From 2021 to 2022 victim volumes increased in the European Union by 18 per cent, in the UK by 21 per cent, and by 138 per cent in the Nordics. East Asia saw an increase of 44 per cent and Latin America 21 per cent.

The report also observes dramatic shifts in the makeup of active criminal groups. Of the top 20 actors observed in 2021, 14 are no longer in the top 20 in 2022. After Conti disbanded in the second quarter of 2022, the report observed Lockbit2 and Lockbit3 become the biggest Cy-X actors in 2022 with over 900 victims combined.

The report also notes that these actors strike opportunistically. Almost 90 per cent of all the actors we tracked claimed victims in the US for example. More than 50 per cent hit the UK. More than 20 per cent of actors even hit Japan – a country with one of the smallest numbers of observed victims in the dataset.

Impact of the war in Ukraine

It is worth highlighting that during the first weeks of the war against Ukraine, we observed a decrease of up to 50 per cent in cybercriminal activities targeting Polish clients, apparently due to criminals being distracted by the war and needing to regroup. However, activity returned to normal after a few weeks.

Small-to-medium sized businesses

About 4.5 times more small businesses fall victim to cyber extortion than medium and large businesses combined. Relative to the number of businesses of each size, however, large businesses are still being impacted much more heavily.

Small and medium-sized businesses are hit especially hard by malware, which accounted for 49 per cent of confirmed incidents for this group this year (compared with 10 per cent in 2019, 24 per cent in 2020 and 35 per cent in 2021). With average data breach costs estimated at $1.9 million for businesses with fewer than 500 employees, small and medium enterprises (SMEs) may face the risk of going under as a result of these breaches.

Public sector organisations

On a normalised basis, the public sector contributes the fifth highest portion of incidents the CyberSOCs deal with. This sector also records the largest proportion of social engineering incidents in the dataset.

For most industries, the majority of incidents detected are triggered internally, but for Orange’s clients in healthcare the report attributes 76 per cent of incidents to external actors such as criminal hackers and advanced persistent threats (state-backed threat actor groups).

Manufacturing industry remains the most impacted industry in terms of victim count

The manufacturing sector remains the number one industry in terms of Cy-X victim count, though the research shows it to rank only fifth amongst industries most willing to pay ransoms. Criminals are compromising ‘conventional’ information technology (IT) systems rather than the more specialised operational technology (OT), and the report attributes this high number of victims primarily to poor IT vulnerability management. Indeed, the data shows that businesses in this sector take an average of 232 days to patch reported vulnerabilities. On this metric, only four other industries ranked worse than manufacturing.

Critical vulnerabilities persist and delays in patching threaten security

Drawing on a brand-new dataset of vulnerability insights, researchers identified a concerning persistence of serious vulnerabilities in business IT systems, with 47 per cent of confirmed vulnerabilities identified as ‘critical’ or ‘high’ severity. Critical vulnerabilities still took organisations over half a year (184 days on average) to patch. Other vulnerabilities can persist for much longer, and the data suggests that many vulnerabilities, even critical ones, will never be patched.

IT vulnerabilities in manufacturing took an average of 235 days to be patched versus an average of 215 days across all other sectors. In hospitals (within the healthcare and social assistance sector), IT vulnerabilities took an average of 491 days to patch. In the transportation sector, patches took an average 473 days.

The average time taken by our ethical hackers to discover a confirmed serious (high or critical) finding was 7.7 days.

The human dilemma – Insider threat incidents outnumber external attacks across most industries while cybersecurity vacancies go unfilled

Organisations’ employees remain at the frontline of a company’s defence but can also represent its weakest link. For example, the report showed that:

  • For public administration, most incidents dealt with were attributed to internal sources, whether deliberate or accidental.
  • For the company’s manufacturing clients, 58 per cent of the incidents dealt with were classified as originating internally. For its transportation and warehousing customers, the level is even higher: 64 per cent of incidents have their origins internally.

The report also sets out how higher levels of security monitoring improve the efficacy of controls, but also generate more false positives and may put more strain on security professionals. This is in an industry struggling to fill over 300,000 cybersecurity job vacancies in Europe, the Middle East and Africa (EMEA) alone.

Mobile security: iOS vs Android

For the first time, Security Navigator 2023 includes proprietary data on the patch levels of almost 5 million mobile devices that the company interacted with between September 2021 and September 2022. Third-party research suggests that in 2021 both iOS and Android dealt with their fair share of vulnerabilities, with 547 vulnerabilities reported for Android and 357 for iOS. 79 per cent of Android vulnerabilities were rated as having low attack complexity in CVSS terms (no special conditions outside the attacker’s control are needed to exploit them), compared with just 24 per cent for iOS. 45 iOS vulnerabilities received a critical Common Vulnerability Scoring System (CVSS) score, compared with just 18 on Android.

The report examines serious vulnerabilities in both iOS and Android to determine how long it takes each ecosystem to deploy the required patch. In one iOS case it took 224 days for 90 per cent of the Apple ecosystem to upgrade to the patched version. For both Android and iOS it appears that about 10 per cent of the user base will never be properly patched.

Findings show that a higher proportion of iPhone users are exposed when a security issue is first disclosed, due to the homogeneous nature of the ecosystem. Users migrate to a new version quickly, however, with 70 per cent updating within 51 days of the patch being released. The more fragmented nature of the Android ecosystem means that devices are often left vulnerable to older exploits, while fewer may be vulnerable to new ones.
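Time-to-patch figures like the 184 days for critical vulnerabilities quoted above, and patch-adoption figures like the 224 days for 90 per cent of iOS devices, are only meaningful if findings that were never patched (and devices that never update) are handled explicitly rather than averaged away. The Python below is an added example, not code from Orange Cyberdefense or the Security Navigator report: the `Finding` records, ticket identifiers, sector names and the adoption curve are constructed for illustration (shaped to reproduce the figures quoted in the text, not taken from the report’s dataset). Open findings are reported separately with their age as a lower bound on the eventual lag, and an adoption target that the curve never reaches returns `None` instead of a guess.

```python
"""Remediation-lag and patch-adoption metrics with never-patched cases kept visible."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    ident: str               # hypothetical ticket id, constructed for this example
    severity: str            # "critical" | "high" | "medium" | "low"
    sector: str
    reported: date
    patched: Optional[date]  # None: still open as of the reporting cut-off


def patch_stats(findings, as_of, key=lambda f: f.severity):
    """Group findings by `key` (severity by default, sector via key=lambda f: f.sector).

    Per group:
      mean_days        mean reported->patched lag over *patched* findings only
      patched / open   counts
      oldest_open_days age of the oldest still-open finding at `as_of`
    Open findings are never folded into mean_days: treating "not yet patched" as
    "patched at as_of" would understate the lag, and dropping them silently would
    hide the tail that is never fixed. Their age is a lower bound on the true lag.
    """
    groups = {}
    for f in findings:
        g = groups.setdefault(key(f), {"lags": [], "open_ages": []})
        if f.patched is None:
            g["open_ages"].append((as_of - f.reported).days)
        else:
            if f.patched < f.reported:
                raise ValueError(f"{f.ident}: patched before reported")
            g["lags"].append((f.patched - f.reported).days)
    return {
        k: {
            "mean_days": mean(g["lags"]) if g["lags"] else None,
            "patched": len(g["lags"]),
            "open": len(g["open_ages"]),
            "oldest_open_days": max(g["open_ages"]) if g["open_ages"] else None,
        }
        for k, g in groups.items()
    }


def days_to_adoption(observations, released, target):
    """observations: (date, fraction of the fleet on the patched version), any order.

    Return the number of days after `released` at which the observed fraction first
    reaches `target`, or None if no observation ever reaches it: the share of the
    fleet that never updates must not be reported as "patched eventually".
    """
    for seen, fraction in sorted(observations):
        if seen >= released and fraction >= target:
            return (seen - released).days
    return None


AS_OF = date(2022, 9, 30)
SAMPLE_FINDINGS = [  # constructed records, not report data
    Finding("V-1", "critical", "manufacturing", date(2022, 1, 10), date(2022, 7, 13)),
    Finding("V-2", "critical", "healthcare", date(2022, 2, 1), None),
    Finding("V-3", "high", "manufacturing", date(2022, 3, 1), date(2022, 3, 31)),
    Finding("V-4", "high", "transportation", date(2022, 1, 1), date(2022, 5, 11)),
    Finding("V-5", "medium", "manufacturing", date(2022, 6, 1), date(2022, 6, 21)),
]
PATCH_RELEASED = date(2022, 3, 14)
SAMPLE_ADOPTION = [  # constructed curve shaped like the iOS figures quoted in the text
    (date(2022, 3, 14), 0.02), (date(2022, 3, 28), 0.35), (date(2022, 5, 4), 0.71),
    (date(2022, 7, 1), 0.85), (date(2022, 10, 24), 0.90), (date(2023, 3, 14), 0.90),
]

if __name__ == "__main__":
    for sev, s in patch_stats(SAMPLE_FINDINGS, AS_OF).items():
        print("severity", sev, s)
    for sector, s in patch_stats(SAMPLE_FINDINGS, AS_OF, key=lambda f: f.sector).items():
        print("sector", sector, s)
    for t in (0.70, 0.90, 0.95):
        print(f"{int(t * 100)}% adoption after",
              days_to_adoption(SAMPLE_ADOPTION, PATCH_RELEASED, t), "days")
```

On the constructed data the critical group shows a 184-day mean over the one patched finding plus one finding still open at 241 days, which is the distinction a remediation report should preserve; the 95 per cent adoption target returns `None`, matching the observation above that roughly a tenth of devices never receive the patch.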

Commenting on the report, Hugues Foulon, chief executive officer, Orange Cyberdefense, said, “The last few months were particularly dense in terms of macroenvironmental events, nevertheless the cybersecurity ecosystem emerges more vigilant and united as a result. Cyberattacks are making headlines, and the war in Ukraine is a resounding reminder that our digitized world is also the field of virtual battles. The encouraging overall slowdown in the number of incidents for our most mature customers (+5 per cent compared to +13 per cent the previous year) shows that we are able to win battles against malicious actors. However, these successes should not slow down our efforts in the fight against cybercrime. This year’s results highlight the challenges faced by organisations of all sizes. Threats are evolving, becoming more complex, coming from all directions and underlining the importance of the work we will continue to do to adapt to the threat and support our customers in this fight.”