Plaintext: The Next Attack Could Come Via Email

Welcome to Dark Reading in Plaintext, brought to your inbox this week by Deloitte. In this issue of Plaintext, we take a look at email-based threats. We all get too many messages but our work depends on it...and attackers craft campaigns that take advantage of our email dependence. We also take a peek at the new CVSS v.4. If you enjoy Plaintext, please share with friends and colleagues!

Hello, Inbox. Email is still the heart of the organization. We joke how “that meeting could have been an email.” Teams pass project status updates and meeting summaries back-and-forth. Much of our online communications with other people, brands, and organizations still occur over email. It is no surprise, then, that email remains the top attack vector.

Attackers are targeting people’s inboxes with spam, messages booby-trapped with malicious attachments, and emails with phishing links. And sophisticated threat actors also rely on carefully-crafted email messages to trick victims into clicking on links or downloading malware. A recent Identity Defined Security Alliance (IDSA) report found that 93% of businesses suffered an email phishing attack in the past year.

According to the latest Data Breach Investigations Report – released last week – email was the initial attack vector for 98% of social engineering attacks analyzed in 2022. Verizon researchers also called out Business Email Compromise in the report, noting that BEC accounted for over half of incidents involving social engineering. BEC has turned out to be highly effective, with the FBI saying in its latest Internet Crime Complaint Center (IC3) report that US businesses have lost more than $17 billionv to these types of scams between October 2013 and December 2022. Global businesses had losses of nearly $51 billion for the same period, according to the report.

Attack groups are weaponizing the data stolen during ransomware attacks in follow-up BEC attacks.

Phishing – and spear phishing in particular – also affects enterprises around the world. Barracuda 's annual Spear-Phishing Trends Report for 2023 found that spear phishing attacks result in machines infected with malware (55%), sensitive data stolen (49%), stolen login credentials (48%), and direct monetary loss (39%). They are also highly successful – even though spear phishing attacks make up only 0.1% of all email-based attacks, they are responsible for 66% of all breaches. A typical organizations received 5 highly personalized spear-phishing emails per day, Barracuda said.

Dark Reading in Plaintext is brought to you by?Deloitte.

Deloitte Cybersecurity Threat Trends Report 2023

Deloitte Cyber Threat Intelligence (CTI) analysts analyzed trends impacting the cyberthreat landscape. Analysis of trends is useful for threat forecasting, improving processes to ensure we are equipped to provide indications and warnings of evolving tactics, conducting program reviews to ensure timeliness and accuracy, cataloging activity to track changes to analytic lines, and efficiently reviewing defensive posture measures (e.g., endpoint detection, alerting rules, operator analysis, security tools, and business processes. Download the?Deloitte Cybersecurity Threat Trends Report 2023?to learn more.

CVSS v4 in Public Preview. The Forum of Incident Response and Security Teams (FIRST) announced the public preview of the Common Vulnerability Scoring System v4.0 during its conference on June 8. The feedback period is open until July 31, and the official publication of the specification is expected sometime in the fourth quarter of 2023. CVSS 4.0 is significantly different from CVSS 3.1 (which was introduced in June 2019), as it focuses on using scoring metrics such as threat and environmental impact as well as the base score. Using the base score alone is not a good idea for prioritization because not enough real-time threat and supplemental impact details are represented. CVSS 4.0 also includes a supplemental metric, “Safety,” to reflect the vulnerability’s impact, the kind of tangible harm to humans it could cause. Scope, which exists in CVSS 3.1, is no longer a part of CVSS 4.0. Instead, Confidentiality, Integrity, and Availability scores will now be split into Vulnerable System and Subsequent System categories.

CVSS 4.0 also increases granularity, which means going from the older CVSS versions to the new ones will reduce the base score of currently known vulnerabilities. Under v3.1, scores published by vendors are often in the High or Critical range with scores above 7.0.

What We Are Reading

• [From?Deloitte]?Earning digital trust: Where to invest today and tomorrow
• Defending Against Supply Chain Attacks With Threat Hunting
• What's New? Automated SaaS Ransomware Extortion
• Defenders Buckle Up for a Future of Detecting Deepfakes
• Russia's War in Ukraine Shows Cyberattacks Can Be War Crimes

What We Heard On-Air

Tune in to our on-demand webinar?“Next-Generation Supply Chain Security” to hear how security teams have successfully implemented SBOMs into their overall security strategy.

"Why do these (supply chain attacks) keep happening? For me, it's about scope and scale." Evan Blair, general manager, North America, Searchlight Cyber

From Our Library

Check out some of the latest reports from our?Dark Reading Library.

• [From?Deloitte]?Lead Through Disruption: A guide for taking on cyber and business risk with confidence
• Dark Reading Research:?Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
• Tech Insights: How to Use Threat Intelligence to Mitigate Third-Party Risk
• Tech Insights:?Everything You Need to Know About DNS Attacks (But Were Afraid to Ask)
• Dark Reading Reports:?How Enterprises Are Managing Application Security Risks in a Heightened Threat Environment

On That Note

On June 22, Dark Reading is hosting a full-day free virtual event looking at how missteps and vulnerabilities can lead to security incidents and breaches. You will hear from industry practitioners and experts about tools and best practices to protect your organization’s data from ransomware, cyber extortion and other threats. You will get insights on what to do when you’ve discovered a compromise and how to limit its impact. Register to attend the Anatomy of a Data Breach: And What to Do If it Happens to You Virtual Event on July 22.