IBM Security: Backdoor deployments are becoming easier and more lucrative for cybercriminals

Deployment of backdoors was the top action objective last year, occurring in more than one in five reported incidents worldwide.
24 February 2023

The deployment of backdoors, which allow remote access to systems, emerged as the top action by threat actors last year, according to the X-Force Threat Intelligence Index 2023 by IBM Security. The uptick in backdoor deployments can be partially attributed to their high market value. IBM Security observed threat actors selling existing backdoor access for as much as US$10,000, compared to stolen credit card data, which can sell for less than US$10 today.

“Deployment of backdoors on networks was the top action attackers made in almost a quarter of all incidents remediated in 2022. About 67% of those backdoor cases were related to ransomware attempts, where defenders could detect the backdoor before the ransomware was deployed,” the X-Force Threat Intelligence Index shows.

IBM Security also attributed part of the rise in backdoor cases to a notable spike in Emotet, a Trojan that is primarily spread through spam emails, in February and March. “That spike inflated the ranking of backdoor cases significantly, as those deployed in this timeframe account for 47% of all backdoors identified globally throughout 2022,” the report noted.

Interestingly, following Emotet’s hiatus from July through November—after which it ramped back up for nearly two weeks at a much lower volume—the number of backdoor cases dropped significantly. On the other hand, despite a chaotic year for some of the most prolific ransomware syndicates, ransomware turned out to be only the second most common action on objective, following closely behind backdoor deployments.

“Ransomware’s share of incidents declined from 21% in 2021 to 17% in 2022. An IBM Security X-Force study revealed a 94% reduction in the average time for the deployment of ransomware attacks. What took attackers over two months in 2019 took just under four days in 2021. With attackers moving faster, organizations must take a proactive, threat-driven approach to cybersecurity,” IBM Security stated.

Regarding the effect of incidents to which X-Force responded, the analysis found that more than one in four incidents aimed to extort victim organizations—making it the top impact observed across incidents remediated by X-Force. “The observed extortion cases were most frequently achieved through ransomware or Business Email Compromise (BEC) and often included remote access tools, crypto miners, backdoors, downloaders, and web shells,” the report noted.

IBM Security: Geographic trends spotted by X-Force

For the second year, the Asia-Pacific region emerged as the most-attacked region, accounting for 31% of the incidents to which X-Force IR responded. Europe followed closely, with 28% of attacks, and North America saw 25% of incidents. “Asia-Pacific and Europe saw higher proportions of cases, increasing five percentage points and four percentage points respectively from 2021 figures, with a significant drop in the Middle East from 14% to 4%,” IBM Security said.

Europe also saw a significant uptick in the deployment of backdoors starting in March 2022, just after Russia invaded Ukraine. In terms of countries, the United Kingdom was the most attacked country in Europe, accounting for 43% of cases. In North America, X-Force observed a slight increase in incidents, from 23% of all claims in 2021 to 25% in 2022.

Energy firms rose to the top of the victim list in North America, constituting 20% of all attacks to which X-Force responded in 2022. The United States accounted for 80% of the region’s attacks compared to Canada’s 20%.