SMEs hurt most as cyber extortion surges in Southeast Asia

Businesses are still taking 215 days to patch a reported vulnerability, and a plethora of challenges remain even if cyberbattles are being won in some areas, according to Orange Cyberdefense.

The specialist arm of Orange Group dedicated to cybersecurity said in its Security Navigator 2023 report that incident volumes continue to rise, though the pace has slowed.

This year’s report examined 99,506 potential incidents that were investigated and triaged by the company’s CyberSOC teams, an increase of 5% from the 2022 report.

Even for critical vulnerabilities, it generally takes more than six months to patch. Orange Cyberdefense’s ethical hacking teams report a “serious” (critical or high) issue in almost half of all the tests they conduct. 

The company observed that cyber extortion impacts businesses of all sizes across the world. Among the victims that were observed, 82% were small businesses, an increase from the 78% they measured in 2022. 

And while there was a marked slow-down in cybercrime during the onset of Russia’s invasion of Ukraine, the intensity soon increased again. 

Orange Cyberdefense saw significant increases in cyber extortion. Over the last six months, the number of victims in East Asia and Southeast Asia grew by 30% and 33%, respectively. 

Ransomware and cyber extortion attacks continue to prove a major threat to organisations globally, and as such featured regularly in Orange Cyberdefense’s World Watch threat advisories throughout the year. 

Notable spikes in news about ransomware occurred in March and April 2022, resulting from Lapsus$ activity and Conti leak events, as well as concerns about the invasion of Ukraine. 

There is also a clear and visible geographical shift occurring, illustrated by cyber security victim volumes decreasing by 8% in North America and 32% in Canada, but increasing in Europe, Asia and emerging markets. 

From 2021 to 2022 victim volumes increased in the European Union by 18%, in the UK by 21%, and by 138% in the Nordics. East Asia saw an increase of 44% and Latin America 21%. 

“We also observe dramatic shifts in the makeup of active criminal groups,” Orange Cyberdefense said.

From the top 20 actors observed in 2021, 14 are no longer in the top 20 in 2022. 

“After Conti disbanded in the second quarter of 2022, we observed Lockbit2 and Lockbit3 become the biggest cyber extortion actors in 2022 with over 900 victims combined,” the company added. 

The manufacturing sector remained the top industry in terms of cyber extortion victim count, although it ranked only 5th among industries most willing to pay ransoms.

“We report that criminals are compromising ‘conventional’ IT systems, rather than the more specialized operational technology, and attribute this high number of victims primarily to poor IT vulnerability management,” Orange Cyberdefense said.

Businesses in this sector take an average of 232 days to patch reported vulnerabilities. On this metric, only four other industries ranked worse than manufacturing. 

Drawing on a brand-new dataset of vulnerability insights, researchers identified a concerning persistence of serious vulnerabilities on business IT systems, with 47% of confirmed vulnerabilities identified as “critical” or “high” severity. 

Critical vulnerabilities still took organisations more than half a year (184 days) to patch. Other vulnerabilities can persist for much longer, with data suggesting that many vulnerabilities, even critical ones, will never be patched.

IT vulnerabilities in manufacturing took an average of 235 days to be patched versus an average of 215 days across all other sectors.

In hospitals (within the healthcare and social assistance sector), IT vulnerabilities took an average of 491 days to patch. In the transportation sector, patches took an average of 473 days.

The average time taken by Orange Cyberdefense’s ethical hackers to discover a confirmed Serious (High or Critical) Finding was 7.7 days.