CYFIRMA INDUSTRY REPORT – PROFESSIONAL GOODS & SERVICES

Published On : 2024-04-23

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the professional goods & services industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the professional goods and services industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the professional goods & services industry. We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. This is data processed by AI and ML automation based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.

Each attack campaign may target multiple organizations across various countries.

Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.

Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.

Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.

In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.

During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.

Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.

Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Professional goods & services organizations featured in 2 out of the 10 observed campaigns, which is a presence in 20% of campaigns.

Observed Campaigns per Month

The first campaign was detected in January and the second in March. Due to overall lower detections in this 90-day period, we can’t establish a reasonable trend.

Suspected Threat Actors

Both campaigns came with high-confidence attributions, one to the North Korean Lazarus group and the second to the Chinese Mustang Panda.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 13 different countries. Japan and India recorded victims in both observed campaigns.

TOP ATTACKED TECHNOLOGY

Web applications were targeted in both campaigns. Beyond that, each campaign focused on either operating systems or Infrastructure-as-a-Service.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

In the past 90 days, the professional goods and services industry has experienced a relatively low volume of detections. The overall presence of victims from this industry in observed campaigns has decreased from 42% to 20% since the previous 90-day period.

The two observed campaigns were attributed with high confidence to the North Korean Lazarus group and the Chinese Mustang Panda APT.

Geographically, India and Japan recorded victims in both campaigns, with 11 other countries also recording victims. Specifically, the APAC region is the most affected.

Web applications remain the most frequently targeted technology across various industries and were attacked in both observed campaigns. Additionally, the two campaigns focused on operating systems and Infrastructure-as-a-Service respectively.

PHISHING ATTACKS IN THE PROFESSIONAL GOODS & SERVICES INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry recorded 4,186 phishing campaigns impersonating professional goods & services industry organizations, out of a total of 337,214.

Due to the highly diversified nature of this industry, we do not track it as a category.

Global Distribution of Phishing Themes per Sector

Top Impersonated Brands

InterActiveCorp impersonation was behind the majority of detections. On the other side of the chart is the platform Agriaffaires, which focuses on farm equipment trading.

Top Countries of Origin based on ASN

The US and Germany are the source of the absolute majority of observed campaigns.

PHISHING EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

Similar to the manufacturing or materials industry, the professional goods and services sector is typically not a prime target for phishing campaigns, except for instances involving spear-phishing attacks by geopolitically motivated Advanced Persistent Threats (APTs) and ransomware affiliates. There are several reasons for this. Primarily, the intricacies of diverse business-to-business sectors, such as law offices or accounting and consulting services, make them less comprehensible and potentially less valuable or easily monetizable for spam phishing compared to sectors like finance or healthcare.

Consequently, threat actors, or more precisely the cybercriminals responsible for the majority of phishing campaigns, focus on consumer brands and services rather than industrial organizations.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 253 verified ransomware victims within the Professional Goods & Services industry sectors. This accounts for 21.6% of the overall total of 1,168 ransomware incidents during the same period.

The Monthly Activity Chart

The monthly activity chart shows a spike in February, which stands out even when adding up the partial months of December and March. January is typically a lower activity month as even cybercrime takes holidays.

Breakdown of Monthly Activity by Gangs

A breakdown of the monthly activity provides insights into the February spike. LockBit3 and BlackBasta were highly active in February. We can also see a sharp decline in victims by LockBit3 after law enforcement action in February.

Ransomware Victims in the Professional Goods & Services Industry per Group

In total, 37 out of 50 active groups recorded professional goods & services organization victims in the past 90 days. The top 5 are responsible for half of them.

Comparison to All Ransomware Victims by Group

Comparing the professional goods and services industry to all victims recorded, we can see, for example, that the second most active group, BlackBasta, has 37 out of 74 (50%) of its victims in the professional goods & services industry. This implies a high focus on this industry.

Geographic Distribution of Victims

The heatmap of geographic distribution shows a truly global reach of ransomware.

Total Victims per Country

In total, 33 countries recorded ransomware victims, with the US alone accounting for ~58% of all victims with identified geography, followed by the UK and Canada.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Medium

The professional goods and services industry, encompassing a variety of sectors, faces the highest frequency of ransomware attacks due to the sheer number of businesses in this industry. In the last 90 days, victims from the professional goods and services industry accounted for 21.6% of all victims, marking an increase from the previous 18.5% share. Monthly activity recorded a spike in February (98 victims), following generally low volumes in January (59), and returning to numbers observed in the previous 90-day period.

Breaking down victimology by ransomware group, LockBit3 (42) emerges as the most active, primarily driving the February spike and responsible for 16.6% of the total 253 victims. Additionally, BlackBasta (37), the second most active gang, exhibits a notable focus on this industry, which represents 50% of its total victims.

The trend of high involvement from mid- to small-sized ransomware groups continues, with 37 out of 50 active groups in the last 90 days having victims in this industry, a trend first noticed in September of the previous year and likely to increase after law enforcement disruption of LockBit.

Analyzing the 253 victims across 33 different countries, the United States bears the highest impact with 144 victims (58% of all), followed by the UK (27) and Canada (11).

Examining specific sectors reveals that Legal Services & Law Offices, Accounting Services, and Business Consulting & Management were the most frequent victims. Furthermore, highlighting the highly diversified nature of this industry, we have observed over 120 various types of businesses operating within the business-to-business domain.

For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series.

CONCLUSION

In the external threat landscape of the professional goods and services industry, we observe both high and low risk across the monitored categories.

Observed Advanced Persistent Threat (APT) campaigns have decreased to a low risk level, as the past 90 days were relatively quiet, with professional goods and services victims detected in only 2 out of 10 campaigns (20%). Both campaigns were attributed with high confidence to the Chinese nation-state APT Mustang Panda and the North Korean Lazarus Group.

Regarding phishing, the complexity of this industry, consisting mostly of small to medium businesses with intricate connections between them, does not lend itself to spam-phishing campaigns. However, it is significantly targeted by spear-phishing attacks, often leading to ransomware incidents.

Ransomware remains a significant concern, with business-to-business companies and legal services comprising 21.6% of all victims in the last 90 days, a slight increase from 18.5% in the previous period. LockBit3 (42 victims) and BlackBasta (37 victims) were the two most active gangs. Specifically, BlackBasta recorded half of its victims from this industry.