Construction and transportation sectors most targeted by cybercriminals

ReliaQuest has launched its Annual Cyber Threat Report revealing the latest risks to organisations and how to guard against them – drawing attention to the construction sector as being the most targeted by cybercriminals. Mike McPherson, SVP of Technical Operations at ReliaQuest, offers his top tips for staying secure in an ever-evolving cyber landscape, but says there’s no ‘silver bullet’ to protecting the construction sector.

ReliaQuest, a force multiplier of security operations, has unveiled its Annual Cyber Threat Report. The report is based on data from February 1, 2022, to February 1, 2023, where it remediated 35,000 incidents affecting clients.

Key findings include: 

• The construction sector (with an average of 226 incidents annually) is the most targeted by cybercriminals closely followed by transportation (167), wholesale trade (138), manufacturing (116) and retailers (105). These sectors are highly vulnerable to outages which may explain why they are more targeted by criminals. 
• The most detected attack technique is the attempted exploitation of exposed remote services, such as Virtual Private Networks (VPNs) and remote desktop protocol (RDP).
• Initial Access Brokers (IAB) provide a route into the above and compromised remote desktop protocol (RDP) is the most commonly advertised on criminal forums with 24.4% of all listings with an average price of US$1,000 but can fetch up to US$2,700.
• Virtual Private Networks also allow attackers to gain access to organisations and commonly sold for an average of US$500. However, these prices can vary by vertical sector with access to banking entities trading on average for US$5,500 but can reach as high as US$23,000.
• The most common risk alert type is credential exposure – ReliaQuest alerted its customers to over 3 million exposed credentials over the period. However, marked document exposure, open ports, impersonating domains and subdomains remain a significant issue with approximately 400,000 incidents for each of these risk types remediated over the period.
• Ransomware remains the biggest risk facing business in 2023 – LockBit is overwhelmingly the most active ransomware group and using the SocGholish malware distribution framework is supercharging their efforts to gain access to networks.

The report reveals a close relationship between IAB listings and organisations subsequently falling victim to ransomware attacks. The manufacturing sector was the most targeted by IABs with 142 listings advertised and also the most claimed by ransomware groups with 614 victims. Similarly, professional, scientific and technical services was ranked second for both with 136 IABs listings versus 464 claimed by ransomware groups.

A trend first observed in 2022 and carrying on in recent months is the use of the SocGholish (aka FakeUpdates) malware distribution framework. This common initial access method deceives individuals into downloading a fake web-browser update which contains an archive file with an embedded SocGholish JavaScript payload. The use of SocGholish is helping criminals by providing a foothold for additional cybercrime groups to follow up after initial access is established.

Mike McPherson, SVP of Technical Operations at ReliaQuest, said: “Criminals are using any means at their disposal to infiltrate organisations and the exploitation of remote services continues to be the easiest way in. It’s essential for organisations to adequately monitor and secure these. Merging vulnerability intelligence with security operations is the best way to thwart the most prevalent cyber-risks.

McPherson continued: “Ransomware remains the biggest risk facing business in 2023 and the last quarter saw more victims than ever before. Utilising malware such as SocGholish has made their efforts more potent, which is why keeping abreast of the latest developments in tactics, techniques and procedures (TTPs) of ransomware activity, in addition to tracking groups known to be targeting your sector, is the best way to stay ahead of the curve from this pernicious activity.”

ReliaQuest further advises:

• Taking a patch-all approach to vulnerability management is an ineffective method of tackling vulnerability risk. Adding vulnerability intelligence can guide security teams in tackling the common vulnerabilities and exposures (CVEs) that represent the greatest chance of causing an impact to businesses. Getting a robust, consistent and repeatable vulnerability remediation programme in place can go a long way in raising overall cyber-resilience.
• Vulnerability management platforms discover known vulnerabilities and potential exploits, while breach and attack simulation capabilities highlight configuration weaknesses, detection and prevention gaps, and architectural issues. Organisations should ensure that an effective response and recovery plan is properly evaluated through tabletop exercises and is tested periodically and adjusted as the threat landscape, people, systems and business processes change. By combining threat and vulnerability management, organisations can increase their security confidence and decrease their overall risk.      
• Pay attention to email security controls – initial access malware continues to be delivered through the delivery of phishing emails. Increasing resilience to this form of malware is best accomplished through a combination of email security controls, group policy to minimise the chance of a malicious file being delivered/opened and user awareness programmes.
• Keep abreast of the latest developments in the tactics, techniques and procedures (TTPs) of ransomware activity, in addition to tracking groups known to be targeted targeting your sector, this is the best way to stay ahead of the curve from this pernicious activity.   
• Use the trends identified in this report to inform your own threat model and act accordingly. It’s always better to ‘stay left of boom’ and act in a proactive manner. Prevention is always a better approach than remediation.

Mike McPherson, SVP of Technical Operations at ReliaQuest, offers further commentary on the attacks to the construction sector and how it can prevent them.

The report findings reveal that the construction sector is the most targeted by cybercriminals – why do you think this is?

In the eyes of financially motivated cybercriminals, the construction sector is highly targeted due to the belief the industry is steeped in deadlines and not tolerant to delays or interruptions.   

Whether the construction sector is actually more intolerant of delays or interruptions than other sectors is irrelevant. Cybercriminals will strike wherever they perceive opportunity.

How frequent are ransomware attacks on the construction sector and how can this be prevented?

The only proven way to combat the scourge of ransomware attacks is to improve resilience by hardening defences and prevent the threat actors’ ability to gain initial access and establish persistence across the victim network. Common mitigation strategies include:

• Employees must be educated on the risks associated with phishing and social engineering. This must be combined with effective controls in place to detect and prevent malicious emails from reaching corporate inboxes.  
• Multi-Factor Authentication (MFA) must also be used on corporate accounts to minimise the risk from stolen credentials, which is one of the most common methods of facilitating access. 
• Identity and Access Management (IAM) processes must be hardened, with high-risk vulnerabilities promptly patched. 
• Secure remote services, such as remote desktop protocol (RDP) and virtual private networks (VPN), to prevent exploitation. 
• Ensure proper backups to corporate data. There are several methods of managing backup strategies, including the 3-2-1 method. The concept of the 3-2-1 backup strategy is that three copies are made of the data to be protected, the copies are stored on two different types of storage media and one copy of the data is sent off site.  

How can construction companies shape a ransomware resiliency strategy and deploy this effectively?

Table-top exercises are another essential practice to incorporate into strategic planning to counter the ransomware threat. These exercises provide a safe environment to practice and explore potential responses to a cyberattack.  

What does the future hold for security in construction?

The future for security in the construction sector, similar to most other sectors, will rely upon the ability to understand and adapt to the ever-shifting tactics, techniques and procedures (TTPs) of these criminal groups. The threat is not static and neither should a company’s defences. Table-top exercises which align against the adversary’s TTPs are critical steps which potential victims must conduct at regular intervals. If the tabletop exercise is treated like a compliance checklist, the company is bound to end up on a Dark Web listing of breached victims. These exercises must also be forward-looking and include areas such as the movement of Operational Technology (OT) systems being integrated with traditional Information Technology (IT). The trend of OT moving from older yet less susceptible technology — such as air-gapped or obscure operating systems — being bought in line with modern IT only increases the potential victim’s attack surface and makes it more susceptible to intrusion. 

There is no silver bullet to protecting the construction sector. Understand the threat. Understand your vulnerabilities against the threat. Enact a plan to mitigate your vulnerabilities. All of this is easy to say; none of it is easy to do on a consistent basis.