Poor cyber hygiene enabled nearly 30% of cyberattacks last quarter
Outdated software and virtual private network accounts with poor cyber hygiene, such as weak usernames and passwords, contributed to nearly 30% of ransomware attacks in the third quarter of 2024, according to a report published Wednesday by the cybersecurity insurance provider Corvus.
The report found that of the organizations that suffered cyberattacks last quarter — including in the government, construction and health care sectors — many were still using common usernames such as “admin” or “user” and that they frequently lacked multi-factor authentication. These inadequate cyber protections made their network accounts more susceptible to automated brute-force attacks, the report concludes.
“Attackers are focused on finding the path of least resistance into a business to launch an attack, and in Q3 that entry point was the VPN,” Jason Rebholz, the company’s chief information security officer, said in a press release.
The report also notes that the ransomware attacks have been dominated by a few prolific gangs in recent years, including RansomHub, PLAY, and LockBit 3.0, but that there’s a growing number of smaller ransomware groups.
“The overall number of active ransomware groups across the world rose to reach 59, reflecting an increasingly complex threat landscape and one that’s more competitive than ever before,” the report reads. “Law enforcement campaigns in late 2023 and early 2024 against LockBit and ALPHV may be transforming the ransomware ecosystem, resulting in more small-scale operations than before.”
Days after a 2023 cyberattack on the Municipal Water Authority in Aliquippa, Pennsylvania, federal investigators found the water utility was practicing the same poor cyber hygiene found in the Corvus report, still using a default ‘1111’ password, allowing hackers to infiltrate the system.
“A system cannot be considered secure if it is not reliable, and it cannot be considered reliable if it is not secure,” Colin Ahern, New York state’s chief cyber officer, one of four such positions in the country, said at a cybersecurity conference last March.
A recent study by the cybersecurity firm LevelBlue found inconsistencies in how state government, local government and higher education institutions prioritize cyber resilience issues. The report showed that 3 in 4 respondents believed investing in new technologies outweighed cybersecurity risks.
