Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label threat report. Show all posts
Vulnerabilities and Exploits
Critical Flaw Fortinet IT Flaw Security Patch threat report Vulnerabilities and Exploits

New Flaws in Fortinet, SonicWall, and Grafana Pose Significant Threats

 

Cyble Research and Intelligence Labs (CRIL) has discovered new IT vulnerabilities that affect Fortinet, SonicWall, Grafana Labs, and CyberPanel, among others. 

The report for the week of October 23-29 identifies seven security flaws that require immediate attention from security teams, especially given the large number of exposed devices. The most recent discoveries show that vulnerabilities in Fortinet, SonicWall, and Grafana Labs affect over 1 million web-facing assets.

Notably, two critical vulnerabilities in CyberPanel have already been exploited in huge ransomware assaults. Organisations are recommended to quickly investigate their environments for these vulnerabilities and apply the relevant fixes and mitigations. 

Cyble's researchers have detailed the following top vulnerabilities, emphasising their potential impact on IT security: 

CVE-2024-40766: SonicWall SonicOS 

CVE-2024-40766 indicates an improper access control flaw within the administrative interface of SonicWall's SonicOS, with a severity rating of 9.8. This vulnerability has piqued the interest of managed security organisations such as Arctic Wolf, who report that ransomware gangs such as Fog and Akira are exploiting it in SSL VPN setups to breach networks. 

CVE-2024-9264: Grafana labs 

The 9.4-rated vulnerability, CVE-2024-9264, affects Grafana Labs' open-source analytics and monitoring platform's SQL Expressions capability. This flaw allows for command injection and local file inclusion since user input in 'duckdb' queries is not properly sanitised. 

CVE-2024-46483: Xlight FTP server

This critical integer overflow bug impacts the Xlight FTP Server, allowing hackers to exploit packet parsing logic and cause heap overflows. With the accessibility of public Proof of Concepts (PoCs), this vulnerability could be used in a variety of attack tactics. 

Prevention tips 

  • Ensure that all software and hardware systems receive the most recent patches from official vendors. 
  • Use an organised approach to inventory management, patch assessment, testing, deployment, and verification. 
  • To reduce the attack surface, isolate key assets with firewalls, VLANs, and access controls. 
  • Establish and maintain an incident response strategy, which should be evaluated on a regular basis to respond to emerging threats. 
  • Employ complete monitoring technologies to discover and analyse suspicious actions in real time. Keep up with vendor, CERT, and other sources' alerts to promptly fix issues.
Read more »
User Security
Cyber Attacks Healthcare Sector ransomware attacks threat report User Security

Microsoft: Healthcare Sector Sees 300% Surge in Ransomware Assaults

 

A Microsoft investigation published earlier this week revealed that ransomware attacks on the healthcare sector are rising and threatening lives. 

The report, which uses both internal corporate data and external data, shows a 300% spike in ransomware attacks on the health sector since 2015, as well as an increase in stroke and cardiac arrest cases at hospitals receiving patients from nearby facilities that have been paralysed by similar assaults.

It all amounts to a worrisome pattern that began during the peak of the COVID-19 pandemic, when certain ransomware gangs pledged not to attack the healthcare industry. 

“That [pledge has] been shoved off the table, unfortunately, and we are seeing a broader targeting of everything that has to do with health care, from hospital systems to clinics to doctors’ offices — really, anything where patient care can be impacted,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, stated. “Threat actors know people’s lives are at stake, and therefore the organization is more likely to pay.” 

According to Microsoft's second-quarter 2024 data, health care is one of the top ten most targeted sectors, with an average payment of $4.4 million reported in a survey of health care organisations. Additionally, Microsoft analysts believe Iranian gangs are mostly targeting healthcare organisations. 

A research published last year discovered that ransomware attacks on hospitals have a spillover effect, with unaffected institutions seeing an increase in patients, resulting in stroke cases soaring by 113% and cardiac arrest cases reaching 81%. Those cardiac arrest instances also had lower survival rates. 

“We know that these types of incidents have impacts on many of the technologies, such as CT scanners or laboratory machines that are used to take care of patients suffering from things like heart attack, stroke or sepsis,” Jeff Tully, co-director and of the University of California San Diego Center for Healthcare Cybersecurity and co-author of that study, noted. “And we know that there are delays in our ability to care for these patients during these types of down times.” 

Tully stated that the centre was working on developing a ransomware response playbook for health care organisations, but DeGrippo emphasised the need of creating resilience to survive an assault when it occurs.
Read more »
threat report
AI Tool Artificial Intelligence AsyncRAT Generative AI malware threat report

AI-Generated Malware Discovered in the Wild

 

Researchers found malicious code that they suspect was developed with the aid of generative artificial intelligence services to deploy the AsyncRAT malware in an email campaign that was directed towards French users. 

While threat actors have employed generative AI technology to design convincing emails, government agencies have cautioned regarding the potential exploit of AI tools to create malicious software, despite the precautions and restrictions that vendors implemented. 

Suspected cases of AI-created malware have been spotted in real attacks. The malicious PowerShell script that was uncovered earlier this year by cybersecurity firm Proofpoint was most likely generated by an AI system. 

As less technical threat actors depend more on AI to develop malware, HP security experts discovered a malicious campaign in early June that employed code commented in the same manner a generative AI system would. 

The VBScript established persistence on the compromised PC by generating scheduled activities and writing new keys to the Windows Registry. The researchers add that some of the indicators pointing to AI-generated malicious code include the framework of the scripts, the comments that explain each line, and the use of native language for function names and variables. 

AsyncRAT, an open-source, publicly available malware that can record keystrokes on the victim device and establish an encrypted connection for remote monitoring and control, is later downloaded and executed by the attacker. The malware can also deliver additional payloads. 

The HP Wolf Security research also states that, in terms of visibility, archives were the most popular delivery option in the first half of the year. Lower-level threat actors can use generative AI to create malware in minutes and customise it for assaults targeting different areas and platforms (Linux, macOS). 

Even if they do not use AI to create fully functional malware, hackers rely on it to accelerate their labour while developing sophisticated threats.
Read more »
threat report
AI Threat Artificial Intelligence Business Security Technology threat report

Nearly Half of Security Experts Believe AI is Risky

 

AI is viewed by 48% of security experts as a major security threat to their organisation, according to a new HackerOne security research platform survey of 500 security professionals. 

Their main worries about AI include the following: 

  • Leaked training data (35%)
  • Unauthorized usage (33%)
  • The hacking of AI models by outsiders (32%) 

These concerns emphasise how vital it is for businesses to review their AI security plans in order to address shortcomings before it becomes a major issue. 

While the full Hacker Powered Security Report will not be available until later this fall, further study from a HackerOne-sponsored SANS Institute report disclosed that 58% of security experts believe that security teams and threat actors could be in a "arms race" to use generative AI tactics and techniques in their work. 

According to the SANS poll, 71% of security professionals have successfully used AI to automate routine jobs. However, the same participants admitted that threat actors could employ AI to improve their operations' efficiency. Specifically, the participants "were most concerned with AI-powered phishing campaigns (79%) and automated vulnerability exploitation (74%).” 

“Security teams must find the best applications for AI to keep up with adversaries while also considering its existing limitations — or risk creating more work for themselves,” Matt Bromiley, an analyst at the SANS Institute, stated in a press release. 

So what is the solution? External assessment of AI implementations is advised. More than two-thirds of those polled (68%) said "external review" is the most effective technique to identify AI safety and security risks.

“Teams are now more realistic about AI’s current limitations” than they were last year, noted HackerOne Senior Solutions Architect Dane Sherrets. “Humans bring a lot of important context to both defensive and offensive security that AI can’t replicate quite yet. Problems like hallucinations have also made teams hesitant to deploy the technology in critical systems. However, AI is still great for increasing productivity and performing tasks that don’t require deep context.”
Read more »
threat report
Construction Firm Cyber Attacks Data Leak Data Privacy threat report

Construction Firms Targeted in Brute Force Assaults on Accounting Software

 

Unidentified hackers have targeted construction firms using Foundation accounting software, security experts revealed earlier this week. 

According to cybersecurity firm Huntress, the hackers hunt for publicly available Foundation installations on the internet and then test combinations of default usernames and passwords that allow for administrative access.

Huntress claimed it has detected active software breaches from organisations in the plumbing, concrete, and heating, ventilation, and air conditioning (HVAC) industries. The researchers did not specify whether the attacks were effective or what their purpose was. 

Foundation Software, the platform's Ohio-based developer, stated that it was working with Huntress to clarify some of the report's information. 

“The event potentially impacted a small subset of on-premise FOUNDATION users. It did not at all impact the bulk of our accounting users, which are under our secure, cloud-based [software-as-a-service] offering. It also did not impact our internal systems or any of our other product offerings through our subsidiary companies,” Foundation stated. 

The Huntress analysts stated they noticed the malicious behaviour targeting Foundation last week. On one host, the researchers discovered approximately 35,000 brute-force login attempts against the Microsoft SQL Server (MSSQL) used by the organisation to manage its database operations. 

Typically, such databases are kept secret and secure behind a firewall or virtual private network (VPN), but Foundation "features connectivity and access by a mobile app," researchers noted. This means that a specific TCP port, which is designed to regulate and identify network traffic on a computer, may be made open to the public, allowing direct access to the Microsoft SQL database. 

According to the report, Foundation users often used default, easy-to-guess passwords to protect high-privilege database accounts.

“As a result of not following recommendations and security best practices that were provided (one example being not resetting the default credentials), this small subset of on-premise users might face possible vulnerabilities,” Foundation noted. “We have been communicating and providing technical support to these users to mitigate this.” 

Huntress stated it detected 500 hosts running the Foundation software, and nearly 33 of them were publicly exposed with unchanged default credentials. 

“In addition to notifying those where we saw suspicious activity, we also sent out a precautionary advisory notification to any of our customers and partners who have the FOUNDATION software in their environment,” Huntress concluded.
Read more »
threat report
Business Security Chinese Hackers Cyber Security Mexico threat report

Here's How Criminals Are Targeting Users and Enterprises in Mexico

 

A recent Mandiant report highlighted the increasing cyber threats that Mexico is facing, including a sophisticated blend of domestic and global cybercrime that targets both individuals and businesses. 

Mexico's economy, ranked 12th largest in the world, makes it an appealing target for both financially driven hackers and cyber criminals from countries like North Korea, China, and Russia.

Since 2020, cyber espionage groups from over ten nations have been identified attempting to breach Mexican organisations. Among these, attackers affiliated with the People's Republic of China (PRC), North Korea, and Russia have been the most active, with China accounting for one-third of government-sponsored phishing activity.

Chinese actors are focussing specifically on news, education, and government organisations in Mexico; this is consistent with similar targeting strategies observed in regions where China has made large investments. 

Since the start of the war in Ukraine, North Korean outfits have focused on financial technology and cryptocurrency firms, while Russian cyber espionage activities have fallen substantially as resources have been diverted to other areas. The use of commercial spyware in Mexico is also highlighted in the report, with politicians, human rights advocates, and journalists being among the targets.

These tools are frequently sold to governments or attackers and are used to detect and exploit vulnerabilities in consumer devices. While spyware attacks only affect a few people at a time, they have significant implications for Mexico's press freedom and political integrity. 

Mandiant's report highlights a significant increase in ransomware and extortion operations in Mexico. From January 2023 to July 2024, Mexico ranked second in Latin America in terms of data leak site (DLS) listings following ransomware attacks, trailing only Brazil. LockBit, ALPHV, and 8BASE have been the most active in Mexico, concentrating on industries including manufacturing, technology, and financial services.

Threats from financial malware distribution efforts persist in Mexico, as attackers use lures related to taxes and finance to trick unsuspecting victims into downloading malicious software. UNC4984 and other groups have been seen distributing malware to Mexican banks via spoofed Mexican government websites, including the Mexican Tax Administration Service (SAT).
Read more »
threat report
Cyber Crime Extortion Scheme Ransomware Ransomware Actors threat report

Ransomware Extortion Demands Increase to $5.2 Million Per Attack

 

Ransomware demands are skyrocketing in 2024, with the average extortion demand per ransomware attack exceeding $5.2 million per incident in the first half of the year. 

Following an attack on India's Regional Cancer Centre (RCC) on April 20, a review of 56 ransom demands from January to June of this year revealed that the highest demand was $100 million. The second and third highest extortion demands were issued to Synnovis, a UK pathology supplier, and London Drugs, a Canadian retailer, at $50 million and $25 million, respectively. 

Even though there were 421 ransomware attacks in the first half of 2024 as opposed to 704 attacks in the same time of 2023, the numbers for 2024 are probably going to rise as long as there are more SEC-mandated breach disclosures. In terms of how much data has been stolen in these attacks, private companies have had 29.7 million records compromised thus far, whilst governments have had 52,390, and the healthcare industry has had a startling 5.4 million exposed records. 

Prevention tips 

Maintain backups: The researchers recommend that backing up critical information is the single most effective strategy to recover from a ransomware outbreak. There are a few things to consider, however. Backup files should be securely safeguarded and stored offline or out-of-band to prevent attackers from targeting them. 

Using cloud services may help alleviate a ransomware outbreak as many retain previous versions of files, allowing you to restore to an unencrypted version.Regularly test backups for efficacy. In the case of an attack, be sure your backups aren't infected before rolling back. 

Develop strategies and policies: Create an incident response strategy so that your IT security personnel knows what to do in the case of a ransomware attack. The plan should include the roles and communications to be shared during an assault. 

You should also include a list of contacts, such as any partners or vendors that need to be informed. Do you have a "suspicious email" policy? If not, try implementing a company-wide policy. This will help instruct employees on what to do if they receive an email that they don't understand. It may be as simple as forwarding the email to the IT security staff. 

Keep systems up-to-date: Make sure that all of your organization's operating systems, apps, and software are constantly updated. Applying the most recent updates will help close the security gaps that attackers are attempting to exploit. Wherever possible, enable auto-updates so that you always have the most recent security fixes.
Read more »
threat report
Cyber Crime Microsoft Moonstone North Korea threat report

Unmasking Moonstone Sleet: A Deep Dive into North Korea’s Latest Cyber Threat

Moonstone Sleet: A New North Korean Threat Actor

Moonstone Sleet: A New North Korean Threat Actor

Microsoft discovered a new North Korean threat actor, Moonstone Sleet (formerly Storm-1789), who targets companies with a combination of tried-and-true techniques used by other North Korean threat actors as well as unique attack methodologies for financial and cyber espionage purposes. 

Moonstone Sleet has been detected setting up phony firms and job chances to engage with potential targets, using trojanized copies of legitimate tools, developing a fully complete malicious game, and delivering a new unique ransomware.

About Moonstone Sleet 

Moonstone Sleet is a threat actor behind a series of malicious acts that Microsoft believes is North Korean state-aligned. It employs tried-and-true techniques other North Korean threat actors utilize and novel attack methodologies. 

When Microsoft first discovered Moonstone Sleet activity, the actor showed strong similarities to Diamond Sleet, reusing code from known Diamond Sleet malware such as Comebacker and employing well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. 

However, Moonstone Sleet swiftly adopted its own unique infrastructure and attacks. Microsoft has since observed Moonstone Sleet and Diamond Sleet operating concurrently, with Diamond Sleet continuing to use much of its well-known, established tradecraft.

Moonstone Sleet has a diverse collection of operations that serve its financial and cyberespionage goals. These include delivering proprietary ransomware, building a malicious game, establishing bogus firms, and employing IT personnel.

Why should organizations be concerned?

Moonstone Sleet’s emergence highlights the need for organizations to remain vigilant. Here’s why:

  • Financial Gain: Moonstone Sleet primarily targets financial institutions, seeking monetary gains through cybercrime. Their deceptive tactics make it challenging to detect their presence until it’s too late.
  • Cyberespionage: Beyond financial motives, Moonstone Sleet engages in cyber espionage. They aim to steal sensitive data, trade secrets, and intellectual property, posing a significant risk to organizations.
  • Overlapping TTPs: Moonstone Sleet’s TTPs overlap with other North Korean threat actors. Organizations must recognize these patterns and enhance their defenses accordingly.

Defending against Moonstone Sleet

  • User Awareness: Educate employees about the risks of downloading files from unverified sources. Encourage skepticism when encountering job offers or software downloads.
  • Network Segmentation: Implement network segmentation to limit lateral movement within the organization. Isolate critical systems from less secure areas.
  • Behavioral Analytics: Leverage behavioral analytics to detect unusual activity. Monitor for signs of trojanized tools or suspicious game downloads.
  • Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence. Stay informed about emerging threat actors and their TTPs.

Read more »
threat report
AI Attacks AI Phishing Cyber Attacks Cyber Phishing Deepfake Phishing Phishing Attacks SEG threat report

Modern Phishing Attacks: Insights from the Egress Phishing Threat Trends Report

 

Phishing attacks have long been a significant threat in the cybersecurity landscape, but as technology evolves, so do the tactics employed by cybercriminals. The latest insights from the Egress Phishing Threat Trends Report shed light on the sophistication and evolution of these attacks, offering valuable insights into the current threat landscape. 

One notable trend highlighted in the report is the proliferation of QR code payloads in phishing emails. While QR code payloads were relatively rare in previous years, they have seen a significant increase, accounting for 12.4% of attacks in 2023 and remaining at 10.8% in 2024. This shift underscores the adaptability of cybercriminals and their ability to leverage emerging technologies to perpetrate attacks. 

In addition to QR code payloads, social engineering tactics have also become increasingly prevalent in phishing attacks. These tactics, which involve manipulating individuals into divulging sensitive information, now represent 19% of phishing attacks. 

Moreover, phishing emails have become over three times longer since 2021, likely due to the use of generative AI to craft more convincing messages. Multi-channel attacks have also emerged as a prominent threat, with platforms like Microsoft Teams and Slack being utilized as the second step in these attacks. Microsoft Teams, in particular, has experienced a significant increase in usage, with a 104.4% rise in 2024 compared to the previous year. This trend highlights the importance of securing not just email communications but also other communication channels within organizations. 

Another concerning development is the use of deepfakes in phishing attacks. These AI-generated audio and video manipulations have become increasingly sophisticated and are being used to deceive victims into disclosing sensitive information. The report predicts that the use of deepfakes in cyberattacks will continue to rise in the coming years, posing a significant challenge for defenders. Despite advancements in email security, many phishing attacks still successfully bypass Secure Email Gateways (SEGs). Obfuscation techniques, such as hijacking legitimate hyperlinks and masking phishing URLs within image attachments, are commonly used to evade detection. This highlights the need for organizations to implement robust security measures beyond traditional email filtering solutions. 

Furthermore, the report identifies millennials as the top targets for phishing attacks, receiving 37.5% of phishing emails. Industries such as finance, legal, and healthcare are among the most targeted, with individuals in accounting and finance roles receiving the highest volume of phishing emails. As cybercriminals continue to innovate and adapt their tactics, organizations must remain vigilant and proactive in their approach to cybersecurity. 

This includes implementing comprehensive security awareness training programs, leveraging advanced threat detection technologies, and regularly updating security policies and procedures. 

The Egress Phishing Threat Trends Report provides valuable insights into the evolving nature of phishing attacks and underscores the importance of a multi-layered approach to cybersecurity in today's threat landscape. By staying informed and proactive, organizations can better protect themselves against the growing threat of phishing attacks.
Read more »
threat report
malware Malware Strains RaaS Ransomware threat report

Malware-as-a-Service The Biggest Risk to Organizations Right Now

Malware-as-a-Service

A recent Darktrace analysis states that the largest threat to enterprises in the second half of 2023 was malware-as-a-service (MaaS) infections.

Many malware strains have become cross-functionally adaptive, as noted in the 2023 End of Year Threat Report. This comprises the combination of information-stealing malware with malware loaders like remote access trojans (RATs).

The menace of malware-as-a-service 

Researchers at Darktrace discovered that "malware strains are progressively developed with a minimum of two functions and are interoperable with a greater number of existing tools" through reverse engineering and detection analysis.

Because these malicious tools may gather passwords and data without compromising files, which makes detection more difficult, they pose a special risk to enterprises.

One well-known instance of this was the information-stealing and remote access Trojan (RAT) called ViperSoftX, which was designed to obtain sensitive data such as Bitcoin wallet addresses and passwords kept in password managers or browsers.

2020 saw the first recorded sighting of ViperSoftX in the wild, however, strains discovered in 2022 and 2023 have more advanced detection evasion strategies and capabilities.

Another instance is the ransomware known as Black Basta, which spreads the Qbot banking virus to steal credentials.

Additional Transition to Ransomware-as-a-Service (RaaS)

The research also noted a move away from traditional ransomware in 2023 with an increase in RaaS assaults.

It was reported that the ransomware market expanded after law enforcement dismantled the Hive ransomware gang in January 2023. Among these was the emergence of ScamClub, a malvertising actor that sends false virus alerts to well-known news websites, and AsyncRAT, which has been targeting US infrastructure workers lately.

According to Darktrace's prediction, an increasing number of ransomware attackers are expected to utilize multi-functional malware and double and triple extortion tactics in the upcoming year.

According to the company, in 2024 the MaaS and RaaS ecosystems should continue to flourish, hence reducing the entry barrier for cybercriminals.

Attackers Incorporating AI into Phishing Schemes

According to Darktrace, last year it saw threat actors use additional creative strategies to get beyond an organization's security measures.

This includes phishing and other increasingly successful email attacks that try to trick users into downloading dangerous payloads or divulging private information.

For instance, 58% of phishing emails that Darktrace saw last year were able to get past all security measures in place, while 65% of the emails were able to effectively evade Domain-based Message Authentication (DMARC) verification checks.

According to the researchers, a lot of attackers are using generative AI technologies to automate the creation of more realistic phishing operations.



Read more »
threat report
Business Security CISOs Cyber Security Data Safety threat report

CISOs in the Firing Line as Cybercriminals Continue to Target Firms

 

Businesses are feeling the effects of cyberattacks hard; a staggering 90% of CISOs report that their organisation has experienced one during the past year. 

In the latest research from Splunk, 83% of CISOs who responded to a poll stated they have paid out, with more than half paying more than $100,000. 

They fear that generative AI will become more prevalent and provide attackers an advantage. However, companies are testing out such tools in their cyber defences, with 93% of their processes utilising automation either moderately or intensively. 

Splunk claims that the so-called "tool sprawl" issue, which is "likely compounding existing visibility issues," is another issue that is now emerging. A whopping 88% of CISOs seek to stop the expansion using tools like security orchestration, automation, and response (SOAR) and security information and event management (SIEM). 

By using solutions like these, they seek to reduce the number of tools required and simplify defence through automation.

Nearly half of the CISOs who responded to the survey also stated that they now directly report to their CEO, with CISOs being increasingly in charge of directing cybersecurity strategy. They frequently take part in board meetings across all sectors. Additionally, 90% of CISOs reported that their board is now more concerned about cybersecurity than it was two years ago. 

As a result, 93% of CISOs anticipate an increase in their cybersecurity budget over the next year, whereas 83% anticipate decreases in other areas of the organisation. 80% of CISOs say their organisation has encountered additional dangers as the economy has deteriorated. 

Greater collaboration has also happened across the organisation, with 92% of CISOs reporting that cybersecurity collaboration between teams has increased moderately or significantly as a result of digital transformation projects and cloud native adoption. Although 42% of respondents felt there was room for improvement in terms of results, 77% reported that IT and development teams worked together to identify the underlying causes of issues. 

Splunk CISO Jason Lee stated that, "the C-Suite and board of directors are increasingly relying on CISOs for guidance across a sophisticated threat landscape and changing market conditions," further stating, "these relationships provide CISOs the opportunity to become champions who strengthen an organization's security culture and lead teams to become more cross-collaborative and resilient." 

"By communicating key security metrics, CISOs can also guide boards on adopting emerging technologies, such as generative AI, to help improve cyber defense management and prepare for the future," Lee concluded.
Read more »
threat report
cyber espionage Cyber Security Cyber Warfare Nation-State Attacks threat report

Microsoft Warns of Rise in Global Cyberespionage Operations

 

Government-sponsored cyberespionage campaigns and data operations are on the rise, and not just as a result of hacker spies deployed by typical suspects Russia and China.

So warns Microsoft in its annual Digital Defence Report, which evaluates nation-state and criminal behaviour recorded from July 2022 to June 2023. 

Ransomware attacks naturally draw attention due to their visible and immediate impact, but governments are doubling down on stealthy cyberespionage operations behind the scenes. 

"Nation states are becoming increasingly sophisticated and aggressive in their cyberespionage efforts, led by highly capable Chinese actors focused on the Asia-Pacific region in particular," Tom Burt, Microsoft's corporate vice president for customer security and trust, stated in an introduction to the report. 

Based on Microsoft's report, the US was the subject of the most cyberattacks last year, followed by Israel and Ukraine. It witnessed an increase in activity last spring that targeted Western organisations, of which 46% were based in NATO states, particularly the U.S., the United Kingdom, and Poland. 

The United States' intelligence agencies have frequently warned that Russia, China, Iran, and North Korea pose the greatest internet risks to national security and allies. According to Microsoft, the scale and sophistication of activities linked to each of those countries continues to improve, and their efforts to steal information and alter narratives target both adversaries and allies. 

"Russian intelligence agencies have refocused their cyberattacks on espionage activity in support of their war against Ukraine, while continuing destructive cyberattacks in Ukraine and broader espionage efforts," Burt wrote in a blog post. 

China is still a significant player, concentrating particularly on gathering intelligence - particularly from U.S. defence and vital sectors, as well as Taiwan and even its own partners - and conducting influence operations, Microsoft reported.

Beijing additionally "deploys a vast network of coordinated accounts across dozens of platforms to spread covert propaganda" that targets Chinese speakers worldwide and occasionally spreads anti-American narratives, the report further reads. The nation's influence operations also emphasise "promoting a positive image of China through hundreds of multilingual lifestyle influencers."

There is ample evidence that Russia is using cyberespionage more frequently. Western intelligence authorities continue to issue warnings that the real scope of such operations is still unknown because they are intended to be stealthy and at times highly targeted. Long-term attacks might not be seen right away. 

The White House blamed the Russian Foreign Intelligence Service, or SVR, for the SolarWinds supply chain attack, which involved the injection of a Trojan into the Orion software updater. It's possible that the effort started in September 2019, but it wasn't discovered until December 2020, giving the SVR months to secure covert access to a number of extremely sensitive systems. 

Microsoft reports that nominal allies attack one another while conducting cyber operations and acquiring intelligence. Despite the meeting between Russian President Vladimir Putin and North Korean hereditary dictator Kim Jong Un last month, Pyongyang continues to carry out Moscow-centered espionage activities, with a particular emphasis on "nuclear energy, defence, and government policy intelligence collection." 

The threat from criminal groups continues to rise in addition to the risk from nation-state organisations. "Ransomware‐as‐ a-service and phishing-as-a-service are key threats to businesses, and cybercriminals have conducted business email compromise and other cybercrimes, largely undeterred by the increasing commitment of global law enforcement resources," Burt added.
Read more »
victim statistics
Cyber Security Cyber Threats Data Extortion malware deployment ransomware attacks Secureworks threat report victim statistics

Cybercriminal Groups Unleashing Ransomware Within a Day of Target Breach

 

A recent threat report reveals a significant shift in cybercriminal tactics, indicating a noteworthy decline in the time it takes for them to deploy ransomware after initially infiltrating their targets. 

Last year's average of 4.5 days has now plummeted, with cybercriminals now striking within the first 24 hours of gaining access, according to findings by cybersecurity firm Secureworks. 

This alarming trend underscores the company's warning that 2023 may witness an unprecedented surge in ransomware attacks, with three times as many victims appearing on leak sites in May compared to the same period last year.

However, Secureworks highlights a caveat regarding leak sites as a metric for gauging the scale of the ransomware issue. Notably, the report emphasizes that leak sites may only represent around 10% of the total victims known to law enforcement. 

Consequently, it urges caution when interpreting leak site data. Despite this, the aggregate data undeniably underscores the enduring appeal of ransomware and data extortion as lucrative criminal enterprises, posing a substantial threat to businesses.

Secureworks further reveals a disturbing statistic: in over 50% of its incident response cases, hackers managed to unleash their malware within a mere 24 hours of infiltrating the victim's network. 

This marks a stark drop from the 4.5-day average observed last year. In 10% of cases, ransomware was deployed within a staggeringly short five-hour window from initial access.

Don Smith, VP Threat Intelligence at Secureworks Counter Threat Unit, sheds light on the driving force behind this reduction in dwell time. He posits that cybercriminals are motivated by a desire to minimize the chances of detection, as the cybersecurity industry has become more proficient at identifying precursors to ransomware attacks. 

Consequently, threat actors are shifting focus towards simpler and faster operations, forsaking larger-scale, complex encryption events that span multiple enterprise sites. However, the risk posed by these expedited attacks remains significantly high.

Smith adds a cautionary note, emphasizing that despite the prevalence of familiar threat actors, the emergence of new and highly active threat groups is contributing to a notable surge in both victims and data breaches. 

Even in the face of high-profile crackdowns and sanctions, cybercriminals exhibit a remarkable capacity for adaptation, ensuring that the threat continues to escalate at an alarming pace.
Read more »
threat report
Cyber Security Insider Threat Social Engineering Threat Landscape threat report

Report: Insider Cybersecurity Threats have Increased 40% Over the Past Four Years

 

A recent study disclosed that over the past four years, the average cost of an insider cybersecurity attack has increased dramatically by 40%. In addition, the average annual cost of these cyberthreats has increased over the past 12 months, reaching $16.2 million per incident. 

The highest costs arise after the attack has taken place, thus businesses globally should prepare their prospective responses now in order to incur the least amount of financial loss.

The new research states that "insider" attacks can be either malicious (espionage, IP threat, sabotage, or fraud) or non-malicious (when an insider is careless, mistaken, or outsmarted). The study titled '2023 Cost of Insider Risks Global' was released by the data privacy-focused Ponemon research centre and funded by insider cybersecurity company DTEX Systems. 

It reveals that insider risks are increasing, and not simply in terms of how much each attack costs. In 2023, there were a total of 7,343 insider incidents, up from just 6,803 the year before. 

The majority of the incidents (75%), frequently attributable to mistaken insiders (55%), were traced back to non-malicious insiders. The two expenses with the highest average costs per incident are containment and cleanup, which total respectively $179,209 and $125.221. A response's price increases with duration.

Why cyber budgets aren't spent wisely?

Insider threats are increasing. Or, to put it another way, the call is coming from inside the house. Businesses, meanwhile, have not made the necessary adjustments to their budgets. For controlling insider risk specifically, 88% of them still only allocate 10% or less of their IT security budget... in which external threats get 91.8% of budgetary resources. 

However, social engineering, which uses insiders as a target to phish or otherwise trick personnel into disclosing private information regarding their own firm, is still a major threat. Phishing assaults cost businesses nearly$6.9 billion in 2021, and the FBI recently identified phishing as the most frequent type of cyberattack. 

“This highlights a widespread misunderstanding of the types of insider risks and the failure to proactively protect customer data and IP [intellectual property],” Rajan Koo, chief technology officer of DTEX Systems, stated in a press release.
Read more »
WFH Employees
Business Safety Data Breach Remote Working threat report User Security WFH Employees

Fortinet: Remote Working has Resulted in Breaches for Two-Thirds of Businesses

 

When the COVID-19 global epidemic hit nearly three years ago, millions of people were compelled to complete their tasks away from their offices and coworkers. Due to this, there has been an unheard-of rise in the number of workers who complete the majority of their work online from any location with internet access—likely at home. Work-from-home (WFH) employees have been a thing for a while, but they have never made up the majority of a company's workforce. 

Organizations, particularly IT departments, had to quickly adapt as the situation changed after the 2020 coronavirus shutdowns and remote workers started to predominate. The phrase "hybrid workforce" became widely used to describe the occurrence after workers dispersed around the globe and subsequently returned to on-site workplaces for a few months, though many did so less frequently than before. 

In its "2023 Work-From-Anywhere Global Survey," Fortinet discovered that most of the 570 organisations polled are still willing to allow employees to work from home or are adopting a hybrid-work strategy for their staff. In the last two to three years, work-from-anywhere (WFA) employee vulnerabilities have been cited as a possible cause of data breaches by nearly two-thirds (62%) of the firms. 

According to Peter Newton, senior director of product and solutions at Fortinet, the report clearly calls out the personal use of office PCs, home network users, and other users as the main worries by the organisations. 

"That highlights the fact that vulnerabilities associated with home networks, personal applications, and personal devices all act as back-door into companies' networks, applications, and data, highlighting the need for continued security awareness training for employees as well as technologies like SASE, SD-WAN, on-prem security appliances, and [zero-trust network access]," he said in an interview with SDxCentral. 

The survey found that different businesses use very different security measures for protecting remote workers. Newton asserts that individuals who have suffered a breach associated with WFA are more inclined to invest in both conventional technologies, such as laptop antivirus and VPN, as well as cutting-edge techniques, such as SASE, SD-WAN, and zero-trust network access (ZTNA). 

94% of respondents intend to increase their security budget to account for WFA policies, with more than a third (37%) anticipating an increase of 10% or more, the report reads. 

“We see the organizations are still in their early stage when it comes to WFA strategy and solutions. Some just started and some ventured further along. Regardless, there is no one-size-fits-all solution, and securing WFA needs a layered-defense and a combination of solutions that work together,” Newton added.
Read more »
threat report
Adware Cyber Security Data Safety macOS security threat threat report

Top Cybersecurity Trends to Watch Out in 2023

 

The most recent research from Malwarebytes, which examines the situation of malware in 2023, has just been published. The research includes information on current significant security advancements, 5 cyber threat archetypes to watch out for this year, the most prevalent malware identified on Macs, and more. 

The 30-page 2023 State of Malware study was released earlier this week by Malwarebytes. The business states in its opening: 

"The traditional cybersecurity guidelines are obsolete. Your company can no longer only rely on the greatest security software to protect you from the most harmful malware used by your adversaries. The conflict is becoming more human; your best soldiers are up against their worst."

More than ever, malicious hackers are turning to social engineering as older assault routes have closed up. The report begins with six significant occasions from 2022 that had an impact on cybersecurity:

Conflict in Ukraine: The conflict in Ukraine was strategically significant, making it a good subject for social engineering lures. According to the Malwarebytes Threat Intelligence team, the war was a common theme in attacks against German targets by alleged Russian state actors and against Russian targets by alleged Chinese state actors. 

Ransomware: Throughout 2022, ransomware organisations tried out a variety of new strategies, but few of them were successful. Purchasing access to businesses through displeased employees is one strategy that might be more successful in 2023. Macros One of the most effective malware delivery mechanisms ever created was ultimately stopped in 2022 when Microsoft declared that it will prohibit macros in Office documents obtained from the Internet.

Authentication:  It has taken a while to find a truly viable replacement, but in May, Google, Apple, and Microsoft announced their strong support for FIDO2, an established, current, and widely used standard for password-free authentication.

Roe v. Wade: The US Supreme Court's decision to overrule Roe v. Wade in June 2022 represented the most significant shift to data privacy in that year. As previously innocuous data points—like whereabouts, purchasing preferences, search histories, and menstrual cycles—acquired a potentially life-altering meaning, worries about digital privacy suddenly became widespread. 

TikTok: Brendan Carr, a commissioner for the US Federal Communications Commission, called the social media app TikTok "an intolerable national security danger" in June due to its vast data collection and "Beijing's apparently unfettered access to that sensitive material." 

Mac malware that is most prevalent

Macs are not immune to malware, though they are less frequently attacked than Windows. Adware was the most typical detection on macOS in 2022, according to Malwarebytes. A single adware programme called OSX accounted for 10% of all detections on Mac. 

The "worst," according to the company, is Genio. Despite being categorised as adware, the report states that it exhibits malware-like behaviour in order to "dig deeper into the machines it's placed on, penetrating defences and compromising security in the name of making itself incredibly difficult to remove." 

OSX.Genio makes money by 'intercepting users' web searches and putting its own intrusive adverts into the results in order to work. 11% of the total came from malware detections, followed by 14% from adware operators and a variety of other sources.
Read more »
Vulnerabilities and Exploits
Old Flaws Ransomware ransomware attacks Security Bug threat report Vulnerabilities and Exploits

Most Ransomware Attacks in 2022 Took Advantage of Outdated Bugs

 

In the 2022 attacks, ransomware operators took advantage of a number of outdated vulnerabilities that allowed the attackers to become persistent and migrate laterally to complete their objectives. 

A report from Ivanti released last week stated that the flaws, which are prevalent in products from Microsoft, Oracle, VMware, F5, SonicWall, and several more companies, pose a clear and present danger to organisations who haven't yet remedied them. 

Old bugs are still popular

Ivanti's study is based on data analysis from teams at Securin, Cyber Security Works, and Cyware as well as from its own threat intelligence team. It provides a thorough examination of the flaws that criminals frequently used in ransomware attacks in 2022. 

In attacks last year, ransomware operators used a total of 344 different vulnerabilities, up 56 from 2021, according to Ivanti's analysis. A stunning 76% of these bugs were from 2019 or before. Three remote code execution (RCE) defects from 2012 in Oracle's products, CVE-2012-1710 in Oracle Fusion middleware and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment, were the oldest flaws in the group. 

Ivanti's chief product officer, Srinivas Mukkamala, claims that while the data indicates that ransomware operators leveraged new vulnerabilities quicker than ever last year, many still relied on older vulnerabilities that are still present on enterprise systems.

"Older flaws being exploited is a byproduct of the complexity and time-consuming nature of patches," Mukkamala stated. "This is why organisations need to take a risk-based vulnerability management approach to prioritise patches so that they can remediate vulnerabilities that pose the most risk to their organisation." 

Critical flaws 

Ivanti identified 57 vulnerabilities as affording threat actors the ability to complete their whole goal, making them among the vulnerabilities that pose the most risk. These flaws gave an attacker the ability to acquire initial access, maintain persistence, elevate privileges, get around security measures, access credentials, find resources they might be looking for, move laterally, gather information, and carry out the intended task. 

There were 25 vulnerabilities in this category that were dated 2019 or earlier, including the three Oracle flaws from 2012. Scanners are not presently picking up exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195) in products made by ConnectWise, Zyxel, and QNAP, respectively. 

Inadequate input validation was the cause of the majority (11) of the vulnerabilities in the list that presented a full attack chain. Path traversal flaws, OS command injection, out-of-bounds write errors, and SQL injection were some more frequent causes of vulnerabilities. 

The most common flaws are broadly prevalent 

Moreover, ransomware authors have a tendency to favour defects that affect a variety of items. CVE-2018-3639, a form of speculative side-channel vulnerability that Intel disclosed in 2018, was one of the most well-known of them. According to Mukkamala, the flaw affects 345 goods from 26 vendors. Other instances include the famed Log4Shell hole, CVE-2021-4428, which at least six ransomware gangs are presently using as an attack vector. The weakness was one of many that Ivanti discovered threat actors were using as recently as December 2022. At least 176 products from 21 different manufacturers, including Oracle, Red Hat, Apache, Novell, and Amazon, contain it. 

The Linux kernel vulnerability CVE-2018-5391 and the critical elevation of privilege hole in Microsoft Netlogon CVE-2020-1472 are two further flaws that ransomware developers like to exploit because of their widespread availability. The vulnerability has been utilised by at least nine ransomware gangs, including those responsible for Babuk, CryptoMix, Conti, DarkSide, and Ryuk, and it is growing in popularity with other groups as well, according to Ivanti. 

A total of 118 vulnerabilities that were leveraged in ransomware attacks last year were discovered, according to the security research.

According to Mukkamala, "threat actors are particularly interested in defects that are present in most products." 

The closely watched Known Exploited Vulnerabilities (KEV) database maintained by the US Cybersecurity and Infrastructure Security Agency does not contain 131 of the 344 weaknesses that ransomware attackers exploited last year. The database includes information on software weaknesses that threat actors are actively exploiting and that CISA deems to be particularly hazardous. According to CISA, federal entities must prioritise and usually respond to vulnerabilities listed in the database within two weeks. 

Because many businesses use the KEV to prioritise patches, Mukkamala argues it's crucial that these aren't in the CISA KEV. This demonstrates that, although being a reliable resource, KEV does not give a comprehensive overview of all the vulnerabilities that are employed in ransomware attacks. 

57 vulnerabilities that were leveraged in ransomware attacks last year by organisations including LockBit, Conti, and BlackCat have low- and medium-severity rankings in the national vulnerability database, according to Ivanti. The risk, according to the security provider, is that enterprises who utilise the score to prioritise patching may get complacent as a result.
Read more »
User Security
Adware Cyber Fraud Cyber Scam Internet Fraud threat report User Security

Internet Users are Inundated With Adware and False Advise Frauds Thanks to Hackers

 


Avast, a leading provider of cybersecurity software, has released its Q4 2022 Threat Report, which closely examines the kinds of scams that prey on unsuspecting consumers. 

One of the most well-known scam types was social engineering, which highlights the human error, as well as techniques for refund and invoice fraud and purported tech support scams. Like in prior quarters, lottery-related adware campaigns were still widely used. In addition to scams, the business identified two zero-day exploits in Chrome and Windows, which have since been patched, underscoring consumers' need to maintain software updates. 

Widespread email fraud 

Jakub Kroustek, Director of Avast Virus Research, argued that hackers attribute a significant percentage of their success to human nature, which causes us to react with urgency, anxiety, and a desire to recover control of situations.

According to Kroustek, "at the end of 2022, we witnessed an increase in human-centered threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn’t order. It’s human nature to react to urgency, and fear and try to regain control of issues, and that’s where cybercriminals succeed.

When people face surprising pop-up messages or emails, we recommend they stay calm and take a moment to think before they act. Threats are so ubiquitous today that it’s hard for consumers to keep up. It is our mission to help protect people by detecting threats and alerting users before they can do any harm, using the latest AI-based technology.”

During the latter months of 2022 running up to Christmas, an alarming rise in the refund and invoice fraud was observed, with duped victims giving hostile actors access to their screens and online banking. Uncertain individuals may prefer to go directly to the platform's website and use a number they are sure of rather than dialing the number on the scam email. 

Along with the Arkei information stealer, which showed a startling 437% growth, other lottery-style popups and other sources of data theft also occurred. Among other places, Arkei is renowned for stealing data from autofill forms in browsers. Two zero-day vulnerabilities have also been discovered in Windows and Google Chrome. According to Avast, the risk to users was reduced because both businesses were alerted and responded quickly.
Read more »
threat report
Businesses Cyber Security cyber threat data security Ransomware threat report

Ransomware Remains a Major Cyber Threat for Organizations Worldwide

 

Trellix, the cybersecurity firm delivering the future of extended detection and response (XDR), has published 'The Threat Report: Fall 2022,' examining cybersecurity patterns and attack techniques from the first quarter of the year. 

The threat report includes evidence of malicious activity linked to ransomware and state-linked advanced persistent threat (APT) hackers. The researchers examined proprietary data from its sensor network, open-source intelligence, and investigations by the Trellix Advanced Research Center. Here are some of the report’s key findings: 

• Transportation was the second most active sector globally, following telecom. APTs were also detected in transportation more than in any other sector. 

• Ransomware attacks surged 32% in Germany in Q3 and contributed 27% of global activity. Germany also experienced the most threat detections related to malicious hackers in Q3, with 29% of observed activity. In the United States, ransomware activity increased 100 % quarter-over-quarter in the transportation and shipping industries for Q3 2022. 

• Mustang Panda, a China-linked APT group, had the most identified threat indicators in Q3, followed by Russian-associated APT29 and Pakistan-linked APT36. 

• Phobos, ransomware sold as a complete kit in the cybercriminal underground, accounted for 10% of global detected activity and was the second most used ransomware detected in the US. 

• The infamous LockBit remained the most propagated ransomware in the third quarter of 2022, generating over a fifth (22%) of detections 

• Years-old security loopholes continue to remain a perfect target spot for threat actors. Threat analysts detected Microsoft Equation Editor vulnerabilities CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 to be the most abused among malicious emails received by users during Q3. 

• Cobalt Strike, an authentic third-party tool, was employed in 33% of detected global ransomware activity and in 18% of APT detections in Q3. 

“So far in 2022, we have seen unremitting activity out of Russia and other state-sponsored groups. This activity is compounded by a rise in politically motivated hacktivism and sustained ransomware attacks on healthcare and education. The need for increased inspection of cyber threat actors and their methods has never been greater,” John Fokker, Trellix head of threat intelligence, stated. 

Earlier this year, Trellix announced its partner program to include multiple latest features along with 10 new technology associates and technology integrations with its flagship platform. The partner additions bring Trellix’s ecosystem to some 800 partners associated with its XDR platform.
Read more »
User Security
Fake news Technology threat report User Security

Google TAG Takes Down Coordinated Influence Operation Spreading Fake Information

 

Google's Threat Analysis Group (TAG) in its latest published bulletin, provides an outline of the entire “coordinated influence operation” that its staff tracked in January 2022 involving multiple countries. 
 
According to Google TAG, four YouTube channels, two AdSense accounts, 1 Blogger blog, and 6 domains – used to generate revenue by displaying advertisements – were wiped out in coordinated influence operations linked to Belarus, Moldova, and Ukraine. The campaign "was sharing content in English that was about a variety of topics including US and European current events," threat analysts explained.   

To mitigate the spread of misinformation, Google TAG terminated 3 YouTube channels responsible for uploading content in Arabic that was critical of former Sudanese president Omar al-Bashir and supportive of the 2019 Sudanese coup d’état.   
 
Additionally, Google TAG also handled a relatively large "influence operation linked to China." Earlier this year in January, threat analysts terminated 4,361 YouTube channels for spreading Chinese spam content. However, some channels uploaded content in both English and Chinese languages concerning China and US foreign events.   
 
“We terminated 4361 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports,” says Google. 
 
Furthermore, Google TAG has banned YouTube channels, AdSense accounts, and Play developer accounts belonging to influence campaigns linked to Iraq, Turkey, and Libya's politics and current affairs.   
 
As the Russian-Ukraine conflict continues to escalate, Google has strengthened the safety measures for those in the region considered to be at higher risk of cyber assaults or attempted account compromise. This includes enabling two-factor authentication (2FA) and promoting the Advanced Protection Program.   
 
"Threat intel teams continue to look out for and disrupt disinfo campaigns, hacking, and financially motivated abuse, and are working with other companies and relevant government bodies to address these threats.,” Google said on Twitter.  
 
Last year, Google TAG blocked 3 YouTube channels used by Iranian attackers to publish content in Bosnian and Arabic condemning the actions of the U.S. and the People’s Mujahedin Organization of Iran (PMOI), a militant organization fighting against the official Iranian government.
Read more »
Subscribe to: Posts (Atom)