Verizon: Espionage attacks dominate APAC cybersecurity landscape

Source: Verizon DBIR. Errors have become a significant driver of breaches in the APAC region while the number of social engineering attempts and system intrusions have taken up smaller proportions of the total.

Verizon Business' 17th Data Breach Investigations Report (DBIR) analysed a record high of 30,458 security incidents and 10,626 confirmed breaches in 2023—a two-fold increase over 2022.

While the exploitation of vulnerabilities has become one of the fastest growing threats to cybersecurity, data from the Asia-Pacific region found that 25% of attacks are motivated by espionage - significantly greater than the 6% and 4% in Europe and North America, respectively.

“Since so much of cyber espionage can be defined as an advanced persistent threat, it’s especially important for organisations in APAC to continuously refresh their security protocols in order to thwart the long-term collection of sensitive data by threat actors,” said Chris Novak, Sr Director of Cybersecurity Consulting, Verizon Business.

“It’s equally important to review one’s third-party network, since sensitive information with national security implications can sometimes be accessed via organisations with more lax cybersecurity practices, such as academic institutions and research facilities.”

Of the 2,130 security incidents and 523 confirmed breaches in the Asia-Pacific region, system intrusion, social engineering, and basic web application attacks represent 95% of breaches. The most common types of data compromised were credentials (69%), internal (37%), and secrets (24%).

Globally, the exploitation of vulnerabilities as an initial point of entry almost tripled since last year, now accounting for 14% of all breaches. This spike was driven primarily by the scope and increasing frequency of zero-day exploits by ransomware actors, most notably the MOVEit breach. MOVEit was one of the most widespread exploitations of a zero-day vulnerability in history, appearing first in the education sector and later spreading to finance and insurance industries.

Analysis of the Cybersecurity Infrastructure and Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue revealed that on average it takes organisations 55 days to remediate 50% of critical vulnerabilities following the availability of patches. Meanwhile, the median time for detecting the mass exploitations of the CISA KEV on the Internet is five days.

Last year, 15% of breaches involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues. This metric—new for the 2024 DBIR— shows a 68% increase from the previous period described in the 2023 DBIR.

Most breaches (68%), whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to a social engineering attack. This percentage is about the same as last year. One potential countervailing force is the improvement of reporting practices: 20% of users identified and reported phishing in simulation engagements, and 11% of users who clicked the email also reported it.

“The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatises human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce,” said Robert Le Busque, Regional VP, Asia Pacific for Verizon Business.

In a possible relief to some anxieties, the rise of artificial intelligence (AI) was less of a culprit vs challenges in large-scale vulnerability management. “While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,” Novak said.

Other key findings include:

● Nearly one in three (32%) of all breaches involved some type of extortion technique, including ransomware.

● Over the past two years, roughly one-fourth (between 24% and 25%) of financially-motivated incidents involved pretexting. Pretexting refers to the creation of a situation that encourages the victim to share information they would not have otherwise.

● Over the past 10 years, the use of stolen credentials has appeared in almost one-third (31%) of all breaches.

The Cyber Security Agency of Singapore is featured in the DBIR and reported the results of a survey of the cyberhealth of organisations here covering more than 2,000 organisations across 23 industry sectors and more than seven charity sectors. 

The majority of the organisations had encountered at least one cyber incident, such as ransomware or social engineering attempts at phishing, in the year prior to being surveyed. The survey asked about the specific measures that these organisations adopted in five categories, such as using secure configuration settings for hardware and software, controlling access to data and services, and updating software on devices and systems. 

In each of the categories, on average, organisations adopted about 70% of the essential measures. However, almost 60% of both businesses and non-profits reported a lack of knowledge or experience to implement cybersecurity effectively.

Explore

View the 2024 Data Breach Investigations Report here.