A joint security advisory by the national cybersecurity agencies of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom has identified the top 10 initial access vectors routinely exploited by threat actors to break into an organization.
Initial access brokers are emerging figures in the cyber criminal ecosystem, and their work is fueling a plethora of targeted ransomware attacks that have characterized the last few months’ cyber attacks. The business model is pretty straightforward: poor security controls are routinely exploited by the initial access brokers and the resulting compromised credentials are sold or outsourced, generating a recurring revenue model. Similarly, buyers can focus their efforts on the execution rather than the initial access. A win-win situation for all the threat actors involved.
According to Alert (AA22-137A), the top routinely exploited weak security controls are:
- Multi-factor authentication (MFA) is not enforced
- Incorrectly applied privileges or permissions and errors within access control lists
- Software is not up to date
- Use of vendor-supplied default configurations or default login usernames and passwords
- Remote services, such as a virtual private network (VPN), lack sufficient controls