Search This Blog

Showing posts with label Security. Show all posts

Undiscovered Attacks Against Middle Eastern Targets Conducted Since 2020


Over the last few years, companies in the Middle East have faced a series of targeted attacks using an open-source tool used by threat actors as kernel drivers. Fortinet researchers discovered a sample of the so-called Donut tool while scanning suspicious executables that used open-source technologies. 

This open-source shellcode-generation tool, as well as a variant of the Wintapix driver, were found to have been used in targeted cyberattacks against Saudi Arabia and other Middle Eastern countries. Fortinet researchers Geri Revay and Hossein Jazi stated in a blog post about their research that they believe this driver has been operational in the wild since at least mid-2020, was not reported until now, and has been employed in multiple campaigns over the previous few years.

In accordance with Fortinet's data, there is a noteworthy increase in the number of lookups — or peaks in activity — for this driver in August and September 2022, as well as again in February and March 2023. This could imply that the threat actor behind the driver was running large-scale campaigns these days. According to the data, 65% of the lookups for the driver were from Saudi Arabia, showing that it was a primary focus.

Jazi notes that other malware families have been identified employing similar attack methods (i.e., kernel drivers), but this was a detection of a new malicious driver.

"It has new functionalities such as targeting IIS [Internet Information Services] servers, which is unique in its own accord," Jazi says.

While Jazi cannot to provide any information on the exact verticals targeted, he does highlight that Iranian threat groups have a long history of attacking Saudi Arabia and other governments in the region.

According to Fortinet analysts, it is unclear how the driver was spread, and they have no idea who was behind this operation. "Observed telemetry shows that, while this driver has primarily targeted Saudi Arabia, it has also been detected in Jordan, Qatar, and the United Arab Emirates, which are classic targets of Iranian threat actors," according to the research.

Since Iranian threat actors have been known to use Microsoft Exchange Servers to distribute other malware, it is probable that this driver was used in conjunction with Exchange attacks. "To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities," the researchers stated.

At this point, it's unknown whose organizations were targeted or what the attackers were after. According to Ciarán Walsh, associate research engineer at Tenable, it is entirely possible for a campaign to go undetected for an extended period of time, as this one did. 

"APT1 (CommentCrew) has been noted as maintaining a presence on victim networks without detection for years during its cyberespionage campaigns," he says.

When asked if he believes the time spent undiscovered is indicative of an attacker's sophistication, Walsh answers it depends on a variety of things, including the campaign's aims.

"In espionage, the aim would be to go undetected for however long it takes to achieve those objectives," he says, "but in campaigns that aim to cause disruption such as Anonymous Sudan and its DDoS campaigns, being stealthy and maintaining a foothold in a target network is not a priority."

Walsh observes that open source tools are more likely to be identified because the security community is aware of them and countermeasures and remediation strategies to fight them have been created.

"Custom tooling is much more difficult to detect as automated systems have little, if any, information about the tool to use as part of their detection mechanisms," he says. "Attackers do sometimes adopt an approach of using tools already on target systems or within target networks."

Volt Typhoon, an APT ascribed to China that Microsoft reported last week had obtained access to telecom networks and other critical infrastructure targets in the US, took this strategy.

"Living-off-the-land allows for stealth as there is no execution of any suspicious programs or scripts, which would trigger an alert," Walsh says. "The attackers instead use tools built into operating systems, which are less likely to trigger an alert, or even be deemed suspicious."

Most CEOs Increasingly Prioritise Cybersecurity Over Economic Performance


In accordance with a new survey from Palo Alto Networks, an increasing proportion of CEOs are realizing that cyberattacks pose a greater existential danger than economic instability. 

Palo Alto Research discovered, based on a poll of 2,500 CEOs from the United Kingdom, Germany, France, Brazil, and the United Arab Emirates (UAE), that CEOs fear what they don't know, and many don't even believe they are accountable for their organization's cybersecurity posture. 

However, this has not resulted in a loss of confidence, since the majority of respondents say they are well-prepared for a cyberattack situation. According to the report, 51% of CEOs believe that as the dangers of cyberattacks increase, their capacity to keep their companies' endpoints secure keeps them awake at night.

According to the report, 51% of CEOs believe that as the dangers of cyberattacks increase, their capacity to keep their companies' endpoints secure keeps them awake at night. 

However, the vast majority believe they are well-equipped. Almost four in five (78%) are confident in their (full and tested) strategies for threat protection and recovery, and 74% believe their companies can quickly react to evolving threats. Simultaneously, only one-third (36%) would collaborate with an incident response team in the event of an attack, and 34% would pay the ransom in the event of a ransomware attack.

Cybersecurity experts and law enforcement agencies strongly oppose paying the ransom and instead recommend using backup options. Paying the ransom demand does not guarantee that the firm will receive its data back, nor does it guarantee that it will not be attacked (either by the same or a completely other threat actor) as soon as tomorrow. They are merely worsening the problem by sponsoring future ransomware activities. Nonetheless, many businesses do so because it is the quickest way to restore operations.

A Vulnerability in OAuth Exposed Social Media Logins to Account Takeover


As reported by security researchers, a new OAuth-related vulnerability in an open-source application development framework could allow Facebook, Google, Apple, and Twitter users to account takeover, personal data leaking, identity theft, financial fraud, and unauthorized actions on other online platforms. 

The security vulnerability was discovered in the Expo framework, which is used by numerous web businesses to implement the OAuth authentication protocol. CVE-2023-28131 has been assigned to the vulnerability, which is part of the software's social login capability. The vulnerability allows a bad actor to take activities on behalf of compromised online platform accounts. According to Salt Security's API Security Report, users witnessed a 117% rise in API attack traffic in 2016.

OAuth is a standard protocol that allows users to authorize access to private resources on one website or application to another without exposing their login credentials. This is a challenging procedure that can lead to security risks. Researchers from Salt Labs revealed that by altering some phases in the OAuth procedure on the Expo site, they could take control of other accounts and steal sensitive information such as credit card details, private messages, and health records - as well as perform operations online on behalf of other users.

Expo framework is an open-source platform for developing mobile and online applications. The Expo framework is utilized by 650,000 developers at a range of significant enterprises, according to Salt Security researchers.

The platform also enables developers to create native apps with a single codebase and offers a collection of tools, frameworks, and services to make the development process easier. "One of the included services is OAuth, which allows developers to easily integrate a social sign-in component into their website," according to the researchers.

Salt Labs researchers uncovered this vulnerability, which has the potential to compromise hundreds of firms using Expo, in a major online platform,, which offers free coding education in a dozen programming languages.

On January 24, Salt Security discovered the vulnerability. It was reported to Expo on February 18, and the company immediately produced a hotfix and provided mitigation, but it "recommends that customers update their deployment to deprecate this service to fully remove the risk."

As noted by Aviad Carmel, a Salt Security security researcher, this is the second OAuth vulnerability uncovered in a third-party framework used by hundreds of businesses, and it might have affected hundreds of websites and apps.

The OAuth vulnerability, according to Carmel, was part of the social sign-in process, in which Expo acts as an intermediary and sends user credentials to the destination website.

"Exploiting this vulnerability involves intercepting the flow mentioned above. By doing so, an attacker can manipulate Expo to send the user credentials to his own malicious domain instead of the intended destination," Carmel said.

Carmel recommends organizations understand how OAuth works and which endpoints can receive user inputs to avoid making similar mistakes when using OAuth. Many vendors are reporting an increase in API assaults and vulnerabilities in open-source software at a time when API traffic is quickly increasing as a result of digital transformation programs. The largest breach in 2022 was caused by an API hack at Twitter, which revealed 221 million users' email addresses and other personal information.

Email Scams v/s Phishing: Here's All You Need to Know


Becoming a victim of any crime can be emotionally distressing, financially burdensome, and socially humiliating. While some scams are easily recognizable, others are cleverly disguised, making it difficult to detect that you are being exploited. Scams exist in various aspects of life, encompassing business, taxation, and even identity theft, all driven by fraudulent intentions to take advantage of individuals. The primary motive behind these scams appears to be financial gain. 

Email scams and text scams have become abundant, especially with the widespread use of cell phones in recent times. It is evident that every single one of these scams falls under the category of phishing schemes. 

Phishing tactics are intended to fool you into submitting personal information that the cybercriminal will then use to get access to your financial accounts, steal your identity, download malware, or otherwise cause havoc. These schemes appear and sound like valid requests from legitimate sources, making it difficult to identify them as harmful.

Messages from a credible source urging you to reset your password, a supervisor or colleague asking you to help them out by sending them money, or a merchant offering a fantastic bargain on an item you want are all examples of email phishing. Some fraudsters have grown inventive, sending scary messages that appear to be from a tax collection agency, such as the IRS, with a deadline.

Email is an efficient method for phishing techniques to be exploited, but it is not the only location where they may be found. SMS phishing is currently used by scammers to deceive you into clicking over to a website or form in order to acquire information. Because it is more difficult to determine whether a text message is real than an email message, many individuals get duped in this manner.

Social networking platforms can also be used to spread phishing schemes. They appear to be fantastic deals and offers for cool new goods or services in your neighborhood. If you click the ad, you might be taken to a very professional-looking website. However, once your contact information is disclosed, your identity is jeopardized.

One of the greatest methods to prevent being a victim of an email or phishing scam is to avoid clicking on links or responding to communications from people you don't know. Check the sender's email address to ensure it is real. It never hurts to double-check because professional scammers will establish email addresses that look identical to legitimate ones.

Instead of clicking on a social network link to learn more about a new product, conduct a search on a trusted online shop such as Amazon, Newegg, or Walmart. If the product is decent, it will most likely be sold through legitimate channels.

Similarly, if you read about a company's sale or new subscription opportunity, go to the company's website first before committing to buy. The same deal will very certainly be offered there as well, so you may still take advantage of it.

Because phishing and email schemes are classified as malware, most antivirus programs contain anti-phishing capabilities or enhanced email security. You may enable Bitdefender's capabilities within your email program, whether it's a Google or Outlook account. This will help prevent scam communications from reaching your inbox.

The same can be said with text message fraud. Anti-phishing capabilities in Android antivirus apps reduce the number of SMS-based schemes. Mobile antivirus, like desktop antivirus, will block malware and sites with risks on them, ensuring that your device is not infected with malware and that you are not duped into providing sensitive information to an unknown solicitor.

If you open on a faulty link, the finest antivirus software will prevent you from reaching a harmful page. Furthermore, antivirus software will stop any dangerous file connected to a faulty link, preventing your machine from becoming infected with a bot, worm, or ransomware.

Malicious Windows Kernel Drivers Utlized in BlackCat Ransomware Attacks


Researchers have discovered an end-point security evasion mechanism used by the group known as BlackCat. The new technique conceals the gang's defensive measures when inside a network. The cybercrime group was discovered employing signed Microsoft kernel drivers to control and terminate security processes installed on protected machines. 

As per the analysis, this is expected to become a standard technique in the arsenal of cybercriminals. Then, Microsoft revoked multiple Microsoft hardware developer accounts used in these assaults. BlackCat ransomware's end-point security evasion mechanism has been discovered. 

Affiliates of BlackCat have been known to employ a variety of defense evasion techniques in order to remain undetected in a system for as long as possible. The most recent method is the use of malicious kernel drivers that have been signed through  Microsoft hardware developer accounts. According to Trend Micro research, this enables to impair defenses on a victimized computer by manipulating, halting, and killing numerous processes on target end-points associated to security agents.

A kernel-mode driver will not operate if it is not signed by a trustworthy certification authority. According to a Microsoft Build article, the operating system would not enable untrusted drivers to function, and conventional procedures such as kernel debugging and test signing will be prohibited.

Trend Micro's data shows that this strategy has been successful in prior attacks carried out by BlackCat this year. Typically, hackers can sign malicious kernel drivers by abusing Microsoft signing portals, ututilizingeaked and stolen certificates, or using underground servers, which can provide cybercriminals using these approaches an advantage.

According to the analysis, these new approaches will most likely become part of a cybercriminal's toolkit. “Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer (or even lower levels). This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon.”

BlackCat ransomware, also known as AlphaV, first appeared in November 2021, hitting targets in many countries including Australia, India, and the United States, seeking ransoms ranging from $400,000 to $3 million in cryptocurrencies Bitcoin or Monero.

The Russian group is reported to have ties to DarkSide, the group responsible for the legendary attack on the Colonial Pipeline in 2020, which crippled the oil supply system to the US Eastern Seaboard and prompted President Joe Biden to declare a national state of emergency. 

Hackers Utilise Azure Serial Console to Get Unauthorized Access to Virtual Machines


Mandiant has identified a financially driven cybergroup known as 'UNC3944' that is utilizing phishing and SIM swapping attacks to compromise Microsoft Azure admin credentials and get access to virtual machines. The attackers then use the Azure Serial Console to install remote management software and Azure Extensions for stealthy surveillance. 

As stated by Mandiant, UNC3944 has been active since at least May 2022, and their campaign tries to collect data from victims by leveraging Microsoft's cloud computing service. Previously, UNC3944 was credited with developing the STONESTOP (loader) and POORTRY (kernel-mode driver) toolkits for terminating security applications.

To sign their kernel drivers, the threat actors used stolen Microsoft hardware developer accounts.
The initial access to the Azure administrator's account is made with stolen credentials obtained by SMS phishing, a frequent UNC3944 method.

The attackers then impersonate the administrator when calling help desk agents in order to deceive them into delivering a multi-factor reset code to the target's phone number via SMS.  However, because the attacker had previously SIM-swapped and copied the administrator's number to their device, they obtained the 2FA token without the victim being aware of the breach.

Mandiant is still investigating how the hackers carry out the SIM-changing part of their operation. Previous examples, however, have demonstrated that having the target's phone number and cooperating with dishonest telecom staff is sufficient to permit illegal number porting.

Once the attackers have gained access to the targeted organization's Azure infrastructure, they use their administrator credentials to gather information, alter existing Azure accounts, and create new ones as needed.  In the following attack phase, UNC3944 employs Azure Extensions to conduct surveillance and intelligence gathering, disguise its harmful operations as seemingly innocuous daily routines, and blend in with normal activity.

Azure Extensions are "add-on" features and services that may be added to an Azure Virtual Machine (VM) to help increase capabilities, automate operations, and so on.
These extensions are secretive and less suspicious because they are executed within the VM and are often utilized for legal purposes.

In this instance, the threat actor took advantage of built-in Azure diagnostic extensions such as "CollectGuestLogs," which was utilized to collect log files from the compromised endpoint.  
UNC3944 then employs Azure Serial Console to acquire administrator console access to VMs and execute commands via a command prompt via the serial port.

"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," explains Mandiant's report.

Mandiant discovered that the intruders use the command "whoami" to identify the presently logged-in user and obtain enough information to continue the exploitation. The reports appendix has more information on how to analyze logs for Azure Serial Console. The threat actors then use PowerShell to extend their persistence on the VM and install a slew of commercially accessible remote administrator tools that aren't mentioned in the report.

"To maintain presence on the VM, the attacker often deploys multiple commercially available remote administration tools via PowerShell," reads Mandiant's report.

"The advantage of using these tools is that they're legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms."
UNC3944's next move is to establish a reverse SSH tunnel to their C2 server in order to maintain covert and persistent access via a secure channel while bypassing network limits and security constraints.

The attacker configures the reverse tunnel with port forwarding, allowing the attacker to log in directly to the Azure VM through Remote Desktop. Any inbound connection to distant machine port 12345, for example, would be routed to local host port 3389 (distant Desktop Protocol Service Port).

Finally, the attackers utilize the credentials of a compromised user account to log in to the compromised Azure VM using the reverse shell, only then proceeding to increase their authority within the penetrated environment while stealing data.

Mandiant's attack demonstrates UNC3944's strong awareness of the Azure ecosystem and how it may use built-in capabilities to avoid detection. The risk is increased when this technical knowledge is combined with high-level social engineering abilities that assist the attackers in SIM changing.

At the same time, organizations that adopt insufficient security solutions, such as SMS-based multi-factor authentication, provide possibilities for these sophisticated threat actors due to a lack of understanding of cloud technology.

Police Blocked 20K+ Mobile Numbers Issued on Fake Papers


In accordance with a police officer, Haryana Police's cyber nodal unit has blocked 20,545 mobile phones issued on fraudulent and counterfeit paperwork. According to a Haryana police spokesman, the majority of the blocked SIM cards were issued in Andhra Pradesh, with West Bengal and Delhi following closely behind. 

Similarly, the police have detected and reported on the portal more than 34,000 cellphone numbers involved in cyber fraud operating across the state, including 40 hotspot villages in Nuh district. 

“At the same time, the remaining 14,000 mobile numbers involved in cyber fraud will also be blocked soon through the Department of Telecom, Government of India,” the police officials said.

A police official told reporters today that the state crime division is currently monitoring all mobile numbers implicated in cybercrime and is collecting reports from districts on a daily basis. He stated that 102 teams of 5000 Haryana Police officers recently stormed 14 cybercrime hotspot villages in the Nuh district.

“For this reason, at present, Haryana is at the top position in blocking mobile numbers used in cyber fraud. At present more attention is being given to such areas and villages from where cyber fraud incidents are being carried out. Recently, 102 teams of 5000 policemen of Haryana Police raided 14 cybercrime hotspots villages in Nuh district,” he added.

He further stated that Andhra Pradesh has issued the most cellphone numbers implicated in cybercrime, and that they are being used to commit cybercrime in the state.

“Currently, out of the total identified mobile numbers issued on Fake ID, a maximum of 12,822 mobile numbers have been issued from Andhra Pradesh, 4365 from West Bengal, 4338 from Delhi, 2322 from Assam, 2261 from North East states and 2490 from Haryana state. All the numbers are currently operating from different areas of Haryana and the same has been intimated to the Department of Telecom to block them,” he added.

OP Singh, Chief of the State Crime Branch and Additional Director General of Police, stated that the state crime branch, as the state nodal agency for cybercrime, has a team of 40 highly skilled cyber police personnel who have been deployed at helpline 1930 to quickly register reported incidents and collect relevant data.

Google Refuses to Disclose Reason for Withholding Bard AI in EU


While Google's AI helper Bard is presently available in 180 countries worldwide, the European Union and Canada have yet to be invited to the AI party. Almost two months after the launch of Google's friendly AI chatbot, Bard, the firm is still denying access to specific countries, although no formal comment has been issued. The best prediction is that Google will disagree with certain forthcoming requirements, not to mention that its methods may already be illegal under current GDPR restrictions.

The EU's forthcoming AI Act is now making its way through the European Parliament in an attempt to drive current and prospective AI developers to make their products more transparent and safe for the general public. According to Wired, after speaking with various experts on the subject, Google is secretly stamping its feet over the minutiae of the act.

Even in its current version, Bard does not quite fit the bill when it comes to the EU's internet safety standards. According to Daniel Leufer, a senior policy analyst at Access Now, in the Wired post, "There's a lingering question whether these very large data sets, that have been collected more or less by indiscriminate scraping, have a sufficient legal basis under the GDPR."

Aside from present legislation, the far more specific and stringent AI Act expected to be enacted in mid-June is likely to have a big impact on how Google's AI tool operates.

Once passed, the measure will impose even more limits on tools that could be "misused and provide novel and powerful tools for manipulative, exploitative, and social control practices," as stated in the official AI Act proposal. There are special references for specific human rights, such as the right to human dignity, respect for private and family life, personal data protection, and the right to an effective remedy... all of this and more will be taken into account when labeling an AI "high-risk."

Looking at today's AI tools, I can't think of any that don't have the potential to infringe on at least one of those rights. It's a terrible concept, but it makes sense why Google could be having problems with Bard.

After all, as The Register points out, Italy, Spain, France, Germany, and Canada have all expressed interest in ChatGPT (and probably a slew of other AI-based applications) due to privacy concerns around user data. The AIDA proposal from Canada, which will "come into force no sooner than 2025," clearly demands transparency in AI development as well.

According to Google's AI principles, the company will not pursue the following:
  • Technologies that cause or are likely to cause overall harm. Where there is a material risk of harm, we will proceed only where we believe that the benefits substantially outweigh the risks, and will incorporate appropriate safety constraints.
  • Weapons or other technologies whose principal purpose or implementation is to cause or directly facilitate injury to people.
  • Technologies that gather or use the information for surveillance violating internationally accepted norms.
  • Technologies whose purpose contravenes widely accepted principles of international law and human rights.
It's a brief list with some ambiguity, such as the usage of terms like "widely" and "internationally accepted norms." It's uncertain whether the backend will ever entirely conform to EU and Canadian law, but the phrase here could be a clever method of utilizing a little wiggle room.

So, is Google attempting to make a point by withholding Bard? Potentially. Nicolas Mos, The Future Society's European AI governance director, appears to believe so. According to Mos, Google may be attempting to "send a message to MEPs just before the AI Act is approved, hoping to steer votes and make policymakers think twice before attempting to govern foundation models." Mos also mentions that Meta has opted not to release their AI chatbot, BlenderBot, in the EU. So it's not only Google being cautious (or dishonest).

It's also possible that the big boys are hoarding their toys since getting sued isn't much fun. In any case, Europeans and Canadians alike will be stuck staring wistfully at Bard's list of accessible nations until Google issues an official comment.

Concerns Over NHS Data Privacy After a 'Stalker' Doctor Shared a Woman's Private Details


The anonymity of NHS medical records has been called into question after a "stalker" hospital doctor obtained and communicated very sensitive information about a lady who had begun dating her ex-boyfriend regardless the fact that he wasn't involved in her care. The victim was left in "fear, shock, and horror" after learning that the doctor had exploited her hospital's medical records system to look at the woman's GP records and read - and share - private data about her and her children accessible only to a few others. 

“I felt violated when I learned that this woman, who I didn’t know, had managed to access on a number of occasions details of my life that I had shared with my GP and only my family and very closest friends. It was about something sensitive involving myself and my children, about a family tragedy,” the woman said.

The case has spurred worries that any doctor in England could misuse their privileged access to confidential medical records for purposes other than clinical.

Sam Smith, of the health data privacy group MedConfidential, said: “This is an utterly appalling case. It’s an individual problem that the doctor did this. But it’s a systemic problem that they could do it, and that flaws in the way the NHS’s data management systems work meant that any doctor can do something like this to any patient. If you’re registered with the NHS in England, this could happen to you.”

The victim and the doctor,  consultant at Addenbrooke's Hospital in Cambridge, have not been named by the Guardian. The woman was originally perplexed as to how the doctor had obtained very intimate information about her, her sister, and her children, which the doctor then passed to her ex-boyfriend in the early stages of his new connection with the woman last July.

“The doctor said that she had got it from friends, or from people in her choir or parents at my children’s school. That left my sister and I wondering if some of our close friends had betrayed us as we knew that only a few people knew those details. She had an unhealthy interest in us.”

The mystery was answered when Addenbrooke's provided the woman with a full audit of all its staff members who had exposure to her medical information at her request. It was discovered that the doctor viewed her medical information seven times between August and September of last year. The clinician first accessed Epic, Addenbrooke's own hospital medical records system, three times.

She then navigated to a different records system known as GP Connect, which contained comprehensive notes of conversations her former partner's new girlfriend had with her GP regarding the tragic impact of the accident and the well-being of one of her children.

On one occasion, the doctor, whom the woman had never seen, called the victim, asked her name, provided it, and then hung up. The victim felt it was a planned effort by the doctor to demonstrate that she had obtained personal information about her

Addenbrooke's first disputed that its employees could access GP Connect via Epic. However, after a meeting with the victim, its deputy medical director, Dr. John Firth, acknowledged that her full GP records were available. Michelle Ellerbeck, the company's head of information governance, later emailed the woman to thank her for demonstrating that it was possible in case "this inquiry ever comes up again."

Dr. Nicola Byrne, the NHS national data protector for England, offers advice on how to keep patients' information safe and how to utilize it correctly. She stated that she was "concerned about the seriousness of the allegations" when the patient wrote to her about the inappropriate intrusion into her medical history.

Byrne identified the doctor's actions as "absolutely unacceptable" and attempted to comfort patients who may be concerned about the incident by emphasizing that it was the first time she had heard of a medic violating rules governing the secure handling of a patient's medical records in order to gather information about them. She did, however, left open the possibility that others were doing the same.

Hacker Marketplace Remains Operational Despite Police 'Takedown' Claim


A hacker marketplace notorious for stealing accounts from popular services such as Netflix and Amazon is still operational despite claims by authorities that it had been shut down. Last month, an international police operation declared that Genesis Market had been seized and removed from the regular internet. However, an identical version of the marketplace is still accessible on the darknet. 

Recently, a post on the unaffected darknet version of Genesis Market stated that it was fully functional. Genesis Market, characterized by law enforcement as a dangerous website, specializes in selling login credentials, IP addresses, and browsing cookie data that comprise victims' "digital fingerprints." Prior to the police operation, the service was regarded as one of the largest facilitators of criminal activities, with over two million stolen online identities available for sale. 

Dubbed Operation Cookie Monster, the initiative was led by the FBI and Dutch police and was publicly announced on April 5th. Multiple agencies worldwide celebrated the takedown of the website, revealing that 119 individuals had been apprehended and claiming that the criminal service had been dismantled. However, cybersecurity company Netacea has been closely monitoring the darknet version of Genesis Market and reports that the website experienced only a brief disruption of approximately two weeks.

"Taking down cyber-crime operations is a lot like dealing with weeds. If you leave any roots, they will resurface," says Cyril Noel-Tagoe, Netacea's principal security researcher.

"The roots of Genesis Market's operation, namely the administrators, darknet website and malicious software infrastructure, have survived," he said.

Since then, criminal administrators have updated the marketplace, stating that they have launched a new version of their specialist hacking browser, resumed data collection from hacked devices, and added over 2,000 new victim devices to the market. Trellix experts, who assisted authorities in disrupting some of the hacking tools provided on Genesis Market, concurred that the website's founders were still at large.

"It is true that the Genesis administrators quickly responded on Exploit [hacker] forums stating that they would be back online shortly with improvements," said John Fokker, head of threat intelligence at Trellix, adding that the darknet site was still accessible. 

An FBI spokesperson has told the BBC that efforts are being made to "ensure that users who use services like Genesis Marketplace face justice."

According to the UK's National Crime Agency, the operation struck a "huge blow" to cyber criminals. "Although a dark web version of the site remains active, the volume of stolen data and users has been significantly reduced. I have no doubt that the operation damaged criminal trust in Genesis Market," Paul Foster, deputy director of the NCA's National Cyber Crime Unit, told the BBC.

In addition to lowering the marketplace's exposure by removing it from the mainstream internet, authorities and many experts agree that the high number of arrests of users will have a chilling effect on hackers considering utilizing the site.

However, it is unclear how many of those arrested will face charges. According to the NCA, just one of the 30 people apprehended in the UK has been charged with any crime.

Research from Trellix and Netacea hacker forums indicates apprehension about the market following the operation, although it is unclear whether cyber-criminals have been deterred in the short term or permanently. User comments are still appearing on the marketplace's news page, but in limited numbers.

Taking down illicit websites hosted on the darknet is widely challenging since their servers are either difficult to locate or are located in places that do not respond to Western law enforcement requests, such as Russia.

Genesis Market has been sanctioned by the US Treasury, which believes it is run from Russia. It is unknown for certain, however, the website provides Russian and English translations. Over the previous year, police have been successful in completely eradicating some darknet markets, such as the drug websites Monopoly and Hydra. Website in Russian Hydra was the world's highest-grossing dark web market, supposed to be based in Russia but actually housed in Germany, allowing German law authorities to shut it down.

Year-long Cyber Campaign Reveals Potent Backdoor and Custom Implant,


A new hacking group has targeted the government, aviation, education, and telecom industries in South and Southeast Asia as part of a highly focused campaign that began in mid-2022 and extended into the first quarter of 2023. 

Broadcom Software's Symantec is monitoring the activity under the insect-themed moniker Lancefly, with the attacks employing a "powerful" backdoor called Merdoor. So far, data suggests that the personalized implant was used as early as 2018. Based on the instruments and the victimology pattern, the campaign's ultimate purpose is intelligence gathering.

"The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec said in an analysis shared with The Hacker News.

"The attackers in this campaign also have access to an updated version of the ZXShell rootkit."

While the precise initial intrusion vector is unknown, it is believed to have entailed the use of phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers. The attack chains eventually lead to the distribution of ZXShell and Merdoor, fully-featured malware capable of communicating with an actor-controlled server for more commands and logging keystrokes.

ZXShell, first discovered by Cisco in October 2014, is a rootkit with several functionalities for harvesting sensitive data from affected hosts. In the past, the use of ZXShell has been linked to several Chinese actors such as APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda).

"The source code of this rootkit is publicly available so it may be used by multiple different groups," Symantec said. "The new version of the rootkit used by Lancefly appears to be smaller in size, while it also has additional functions and targets additional antivirus software to disable."

Another Chinese connection is that the ZXShell rootkit is signed by the certificate "Wemade Entertainment Co. Ltd," which Mandiant previously identified as being related to APT41 (aka Winnti) in August 2019.

Lancefly incursions have also been linked to the use of PlugX and its successor ShadowPad, the latter of which has been used by several Chinese state-sponsored entities since 2015. However, it is also known that certificate and tool sharing is common among Chinese state-sponsored groups, making identification to a specific known assault crew challenging.

"While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period," Symantec noted. "This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar."

Hackers Come up With Innovative Methods to Enforce Ransomware Payment


Ransomware is still one of the most serious cybersecurity risks that organizations and governments face. However, as organizations make a conscious decision to deny ransom payment demands, cybercriminals are devising new methods to recover ransom from their victims. 

The fall of the most known ransomware gang, Conti, in May 2022, was expected to result in a significant decrease in ransomware attacks. Tenable discovered that 35.5% of breaches in 2022 were caused by a ransomware assault, a slight 2.5% decline from 2021. Meanwhile, ransomware payouts are expected to fall by 38% in 2022, prompting hackers to embrace more professional and corporate approaches to assure larger returns, according to Trend Micro's Annual Cybersecurity Report.

“Cybercriminals increasingly have KPIs and targets to achieve. There are specific targets that they need to penetrate within a specific time period. It has become a very organized crime because of the business model that the ransomware groups follow because of which they have started increasing the pressure,” said Maheswaran S, country manager at Varonis Systems. 

Double extortion is a strategy that ransomware criminal groups are increasingly employing. The ransomware group, in addition to encrypting the files on the victim's devices, downloads private data from the victim's machine in the double extortion method.

“This gives them more leverage, since now the question is not only about decrypting the locked data but also about leaking it,” Mehardeep Singh Sawhney, a threat researcher at CloudSEK, said.

The BlackCat ransomware group is one example of this. According to CloudSEK, this ransomware gang can encrypt and steal data from victims' PCs as well as other assets operating on them, such as ESXi servers. 

According to cybersecurity firm Redacted, ransomware organization BianLian altered the focus of its assaults in March from encrypting victims' files to extortion as a means of extracting cash. Some ransomware criminals take the triple extortion strategy a step further. 

The ransomware gangs encrypt files, extract sensitive data, and then add distributed denial-of-service (DDoS) attacks to the mix in the triple extortion strategy. If the ransom is not paid, not only will the files stay locked, but regular services will be affected by DDoS. 

Another strategy used by ransomware groups to put pressure on target organizations is to contact the company being attacked's customers or stakeholders directly. Because this harms the victim organization's reputation and can often result in financial damages greater than the ransom, victim organizations tend to pay up, according to Maheswaran. 

According to Sawhney, the ransomware groups directly contact the victims' consumers via email or phone calls. The Cl0p ransomware organization, for example, emailed stakeholders and customers of their victims, alerting them that their data will be disclosed.

“Cl0p also maintained a website where a list of their victims and stakeholders was updated every day. This adds more pressure on the victim firm, making it seem like the fastest way to end the attack is to pay the ransom amount,” Sawhney said.

Lorenz ransomware and LockBit, in addition to contacting customers and stakeholders, released their ransom discussions with victim organizations on their leak site. "It can further damage the company's reputation and increase the perceived urgency of the ransom demand," cybersecurity firm Cyble stated in research.

According to Maheswaran, while organizations are deploying more controls to protect assets that store or access critical data, they do not essentially deploy the right controls around data, which is critical for making an attacker's job difficult in gaining access to or corrupting data.

To effectively respond to ransomware outbreaks, organizations' cybersecurity solutions must be responsive, agile, and easily scalable, which is best achieved through a combination of cloud and machine learning analytics, said Harshil Doshi, country director at Securonix.

“It is easier to avoid paying the ransom if you detect the risk before encryption occurs. Or you can avoid ransomware response workflows altogether by having an effective endpoint backup strategy,” Doshi added. 

To safeguard employees from clever attackers, organizations should take several measures, including restricting access to critical data to minimize the damage attackers could cause and identifying vulnerable data. Additionally, adopting multifactor authentication reduces the likelihood of being hacked by 99%, and monitoring user activity for any signs of suspicious behavior is critical. 

It is also essential to have standard operating procedures for responding to ransomware incidents and user awareness programs to identify and report breaches, according to Maheswaran. CloudSEK recommends backing up critical data in a secure location to restore it in case of a ransomware attack. Organizations must keep their operating system, software, and security tools up to date with the latest security patches and updates, using reliable antivirus and antimalware software regularly updated.

WhatsApp Users Alerted About Possible Scam Calls From International Numbers


As per experts, if you're receiving missed calls, messages, or WhatsApp calls from international numbers starting with +254, +84, +63, or others, it's advised to "report and block" them. The Indian Cybercrime Coordination Centre (I4C) of the Home Ministry is spreading this alert to protect people from falling prey to cybercrime. Forensics and data analysis experts, who are actively working to combat this issue for the government, have cautioned that these numbers may be originating from countries such as Singapore, Vietnam, and Malaysia. These international numbers may be used by malicious individuals to obtain financial information unlawfully.

"This is a new cybercrime trend. People across India irrespective of their profession have been receiving calls and missed calls on WhatsApp from +254, +84, +63, +1(218) or other international numbers, and some of them have become victims of cybercrime. It has become more frequent," an expert in cyber intelligence and digital forensics told ANI on condition of anonymity.

"Cyber awareness and hygiene are one of the important aspects in policing and it is a much-appreciated initiative," the official added.

"From early morning between 6 am to 7 am or late in the night, such calls are being received by people from all groups whether he or she is a private employee, businessman, retired government officer or even school and college boy or girl. We need to be just aware of such calls."

A message received from a number starting with +243 said: "Hello, my name is Allena, may I take a few minutes of your time?"

"Now that the 5G era of the Internet has arrived, there are already many people who make money through the Internet. I believe you know it too. I must be added to make money. If you don't speak, you may miss an opportunity at a turning point in your life. There are not many opportunities. I hope you see and then respond to my message," the message said.

If a person or organization is the victim of a cyber-attack, the situation can be reported on the website, according to the experts, who added that "focused work is being done by the central agencies with the help of I4C to curb the cyber menace."

In March, Union Home Minister Amit Shah visited the Indian Cyber Crime Coordination Centre (I4C) and stated that the wing is trying to realize Prime Minister Narendra Modi's goal of a cyber-success society. He went on to say that the I4C allows for effective and seamless cooperation among all agencies and states in the fight against cybercrime.

Since its inauguration in 2018, the Indian Cyber Crime Coordination Centre, a "special purpose unit" of the Centre, has saved over Rs 12 crore from cybercrime victims.

OpenAI's Regulatory Issues are Just Getting Started


Last week, OpenAI resolved issues with Italian data authorities and lifted the effective ban on ChatGPT in Italy. However, the company's troubles with European regulators are far from over. ChatGPT, a popular and controversial chatbot, faced allegations of violating EU data protection rules, resulting in a restriction of access to the service in Italy while OpenAI worked on fixing the problem. 

The chatbot has since returned to Italy after minor changes were made to address the concerns raised by the Italian Data Protection Authority. While the GPDP has welcomed these changes, OpenAI's legal battles and those of similar chatbot developers are likely just beginning. Regulators in multiple countries are investigating how these AI tools collect and produce information, citing concerns such as unlicensed training data collection and misinformation dissemination. 

The General Data Protection Regulation (GDPR) is one of the world's strongest legal privacy frameworks, and its application in the EU is expected to have global effects. Moreover, EU lawmakers are currently crafting a law tailored to AI, which could introduce a new era of regulation for systems like ChatGPT.

However, at least three EU countries — Germany, France, and Spain — have initiated their own investigations into ChatGPT since March. Meanwhile, Canada is assessing privacy concerns under the Personal Information Protection and Electronic Documents Act, or PIPEDA. The European Data Protection Board (EDPB) has even formed a task group to assist in the coordination of investigations. And if these agencies demand adjustments from OpenAI, it may have an impact on how the service operates for users all across the world. 

Regulators are concerned about two things: where ChatGPT's training data comes from and how OpenAI delivers information to its customers. The European Union's General Data Protection Regulation (GDPR) could present significant challenges for OpenAI due to concerns over the collection and processing of personal data from EU citizens without explicit consent. GDPR requires companies to obtain consent for personal data collection, provide legal justification for collection, and be transparent about data usage and storage. 

European regulators have raised concerns over OpenAI's training data and claim that the organization has "no legal basis" for collecting the data. This situation highlights a potential issue for future data scraping efforts. Additionally, GDPR's "right to be forgotten" allows users to demand corrections or removal of personal information, but this can be difficult to achieve given the complexity of separating specific data once it's integrated into large language models. OpenAI has updated its privacy policy to address these concerns.

OpenAI is known to collect various types of user data, including standard information like name, contact details, and card details, in addition to data on users' interactions with ChatGPT. This information is used to train future versions of the model and is accessible to OpenAI employees. However, the company's data collection policies have raised concerns, particularly regarding the potential collection of sensitive data from minors. While OpenAI claims not to knowingly collect information from children under 13, there is no strict age verification gate in place. The lack of age filters also means that minors may be exposed to inappropriate responses from ChatGPT. Additionally, storing this data poses a security risk, as evidenced by a serious data leak that occurred with ChatGPT.

Furthermore, GDPR regulations require personal data to be accurate, which may be a challenge for AI text generators like ChatGPT, which can produce inaccurate or irrelevant responses to queries. In fact, a regional Australian mayor has threatened to sue OpenAI for defamation after ChatGPT falsely claimed that he had served time in prison for bribery. These concerns have prompted some companies to ban the use of generative AI tools by their employees. Italy has even banned ChatGPT's use following the data leak incident.

ChatGPT's popularity and present market dominance make it an especially appealing target, but there's no reason why its competitors and collaborators, like Google with Bard or Microsoft with its OpenAI-powered Azure AI, won't be scrutinized as well. Prior to ChatGPT, Italy prohibited the chatbot platform Replika from gathering information on children – and it has remained prohibited to this day. 

While GDPR is a strong collection of regulations, it was not designed to solve AI-specific challenges. Rules that do, on the other hand, maybe on the horizon. The EU presented its first draught of the Artificial Intelligence Act (AIA) in 2021, legislation that will work in tandem with GDPR. The legislation oversees AI technologies based on their assessed danger, ranging from "minimal" (spam filters) to "high" (AI tools for law enforcement or education) or "unacceptable" and hence prohibited (such as a social credit system). Following the proliferation of large language models such as ChatGPT last year, lawmakers are now scrambling to establish rules for "foundation models" and "General Purpose AI Systems (GPAIs)" — two acronyms for large-scale AI systems that include LLMs — and potentially classifying them as "high risk" services.

The provisions of the AIA go beyond data protection. A recently proposed amendment would require businesses to disclose any copyrighted content utilized in the development of generative AI systems. This might expose previously confidential datasets and subject more corporations to infringement litigation, which is already affecting some services.

Laws governing artificial intelligence may not be implemented in Europe until late 2024. However, passing it may take some time. On April 27th, EU parliamentarians struck a tentative agreement on the AI Act. On May 11th, a committee will vote on the draught, and the final plan is due by mid-June. The European Council, Parliament, and Commission must then address any outstanding issues before the law can be implemented. If all goes well, it might be implemented by the second half of 2024, putting it somewhat behind the official objective of Europe's May 2024 elections.

For the time being, the spat between Italy and OpenAI provides an early indication of how authorities and AI businesses might negotiate. The GPDP recommended lifting the restriction provided OpenAI meets numerous proposed resolutions by April 30th. This includes educating users on how ChatGPT keeps and processes their data, requesting explicit agreement to use said data, facilitating requests to amend or remove the inaccurate personal information provided by ChatGPT, and requiring Italian users to confirm their age when signing up for an account. OpenAI did not meet all of the requirements, but it has done enough to satisfy Italian regulators and restore access to ChatGPT in Italy.

OpenAI still has goals to achieve. It has until September 30th to implement a stricter age gate to keep youngsters under the age of 13 out and to seek parental authorization for older underage teens. If it fails, it may find itself barred once more. However, it has served as an example of what Europe considers acceptable behavior for an AI business – at least until new rules are enacted.

This New Android FluHorse Malware Steals Passwords & 2FA Codes


A new Android malware known as 'FluHorse' has been uncovered, which targets users in Eastern Asia with fake applications that seem like legitimate versions. Check Point Research uncovered the malware, which has been targeting various regions of Eastern Asia since May 2022.

The FluHorse malware is delivered via email, and its purpose is to steal the target's account credentials and credit card details, as well as two-factor authentication (2FA) codes if necessary. Malicious emails are sent to high-profile targets, encouraging them to take fast action to remedy a payment issue.

Typically, the victim is directed to a phishing site via a link in the email, from which they download the bogus program APK (Android package file). The FluHorse carrier apps resemble 'ETC,' a Taiwanese toll-collection software, and 'VPBank Neo,' a Vietnamese banking app. On Google Play, both authorized versions of these apps have over a million downloads.

Check Point also discovered malware masquerading as transit software used by 100,000 people, although the name of the virus was not provided in the study.
Upon installation, all three bogus apps request SMS access in order to intercept incoming 2FA codes in case they are required to hijack the accounts.

According to the analysts, the fake apps mimic the originals' user interfaces but lack functionality beyond two to three windows that load forms that harvest the victim's information. As per CheckPoint, the malicious apps were written in Dart and used the Flutter platform, making reverse engineering and decompiling the virus difficult. The study was so difficult that CheckPoint ended up improving existing open-source tools like 'flutter-re-demo' and'reFlutter.'

"Flutter runtime for ARM uses its own stack pointer register (R15) instead of the built-in stack pointer (SP),"  reads Check Point's report.

"Which register is used as a stack pointer makes no difference in code execution or in the reverse-engineering process. However, it makes a big difference for the decompiler. Because of a non-standard register usage, a wrong and ugly pseudocode is generated."

Finally, the functionalities responsible for exfiltrating victims' credentials, credit card data, and the HTTP POST communication that transmitted the intercepted SMS messages to the C2 server were discovered. CheckPoint says that the FluHorse campaign is still active, with new infrastructure and malicious apps emerging every month, making this a live threat for Android users.

Fight over Kids Online Safety Act Sparks Debate, as Bill Gains Support in Congress


The Kids Online Safety Act, or KOSA, is a newly reintroduced legislation aimed at improving the mental health and safety of children by imposing restrictions on tech companies. Although it is gaining support in Congress, civil liberties groups are increasingly opposing it, arguing that the bill would undermine free speech and online privacy protections. 

Under KOSA, platforms would be required to prevent users under 17 from accessing content that promotes harmful behaviors like eating disorders and suicide. They would also need to provide parents with tools to monitor their children's platform use, including safety settings. Additionally, companies would have to allow independent audits and grant academic researchers access to data to better understand how social media is affecting young people. 

The latest version of KOSA, which was first introduced by Senators Richard Blumenthal of Connecticut and Marsha Blackburn of Tennessee last year, specifies the duty of care aspect to only apply to tech companies for harms such as eating disorders, suicide, and data collection. Furthermore, the bill includes explicit protections for support services like suicide help hotlines, schools, and educational software.

“I think our bill is clarified and improved,” Sen. Richard Blumenthal, D-Conn., said at a press conference Tuesday that also included groups and parents supporting the bill. “We’re not going to solve all of the problems of the world with a single bill but we are making a measurable, very significant start.”

Several advocacy groups, including the National Center on Sexual Exploitation, the American Academy of Pediatrics, and Fairplay, along with parent and youth advocates, have expressed their support for KOSA legislation. During a press conference, parents who lost their children in social media-related incidents also spoke in favor of the bill. However, some critics of the bill have argued that the proposed changes do not address their concerns. 

 “If an attorney general wants to argue that trans kids talking about going to a protest is making other kids depressed, they can do that,” says Fight for the Future director Evan Greer.

Additionally, the bill does not provide clear guidelines on what counts as mitigation or prevention resources, leaving companies at risk of liability or discouraging them from recommending content on that topic. In the past, companies have been shown to opt for the latter option in similar situations, as demonstrated by the passage of SESTA-FOSTA in 2018. 

“There are two fatal flaws in this bill,” said Greer. “One is a misunderstanding of how platforms will react to this liability and the other is a fundamental misunderstanding of how technology works.”
The group requested a meeting with Blumenthal's office to discuss their concerns, but their requests were ignored. Blumenthal's office did not respond to the question about the meeting requests. The ACLU, which Blumenthal said the lawmakers had met with, also still opposes the law. 

“KOSA’s core approach still threatens the privacy, security and free expression of both minors and adults by deputizing platforms of all stripes to police their users and censor their content under the guise of a ‘duty of care,'” said Cody Venzke, senior policy counsel at ACLU. “KOSA would be a step backwards in making the internet a safer place for children and minors.”

Despite its critics, the bill appears to be outpacing other online safety efforts in Congress. The bill now has over 30 cosponsors in the Senate, more than double the last time it was introduced. Blumenthal says that Senate Majority Leader Chuck Schumer, D-N.Y., backs the legislation and a vote is a question of timing. “I fully hope and expect to have a vote this session,” Blumenthal said.

“Giving extremist governors the power to decide what content is safe for kids online is a nonstarter,” Sen. Ron Wyden, D-Ore., wrote in a statement to CyberScoop. “However, I share the sponsors’ goal of making the internet safer for children and appreciate the bill’s effort to limit addictive design features targeted at children. I urge my colleagues to focus on elements that will truly protect kids, rather than handing MAGA Republicans more power to wage their culture war against kids.”

The proposed KOSA bill, which aims to enhance children's safety, does not have a counterpart in the House and may face opposition from younger and more progressive members. It is one of many bills focused on children's safety that has garnered attention from civil society groups, with KOSA receiving the most support. Meanwhile, the Senate Judiciary Committee is set to discuss another bill, the EARN IT Act, which seeks to prevent online exploitation of children but has raised concerns about its potential impact on free speech and encryption. 

A coalition of 132 organizations has written to Senate Judiciary Chair Dick Durbin and ranking member Lindsey Graham, urging them to reject the bill. Durbin has also introduced similar legislation, the STOP CSAM Act, but it is not expected to be discussed this week. 

Additionally, a new bill introduced by a Sens. Tom Cotton, R-Ark., Brian Schatz, D-Hawaii, Katie Britt, R-Ala., and Chris Murphy, D-Conn. would prohibit social media for children under 13 and require parental consent for those under 18.

Businesses Must Stay up With Cybercriminals, as They Become More Sophisticated


As much as we may want to tune out when we hear about cybersecurity, it is an issue that cannot be ignored. Cybercrime is a constant threat to businesses and individuals alike, and the risks are too great to simply accept and move on. While it may seem like we have already heard enough about it, the reality is that we can never be too vigilant when it comes to protecting ourselves against cyber threats. 

One of the biggest risks is the so-called "day zero attack," which exploits previously unknown weaknesses in software. These attacks can be incredibly damaging, especially if the software is widely used. That's why it's crucial that we make cybersecurity a top priority and stay vigilant in our efforts to identify and mitigate vulnerabilities. Unfortunately, many people take a "been there, done that" approach to cybersecurity, assuming that they've already taken all the necessary steps to protect themselves. 

But the truth is that new threats are constantly emerging, and unless we stay up to date and remain proactive in our approach to cybersecurity, we risk leaving ourselves open to attack. In short, we can never hear enough about cybersecurity. It is a constant and ever-evolving threat that requires constant attention and vigilance. By staying informed and proactive, we can better protect ourselves and our businesses from the damaging effects of cybercrime.

Some may argue that this type of warning seems overly dramatic and pessimistic, but consider the following scenario: An employee receives a notification on their laptop to update a software application with crucial security upgrades to mitigate against vulnerabilities. However, due to a looming deadline, they repeatedly ignore the notification. Eventually, a malicious actor finds an open door into the system and exploits the vulnerability, all because the employee didn't prioritize cybersecurity.

Sadly, this scenario is more common than we'd like to think. While South Africa has made significant progress in catching up with the rest of the world regarding cybersecurity, there are still challenges to overcome. One such challenge is the difficulty of convincing boards to invest in a non-revenue-generating department such as cybersecurity.

While it may be tempting to downplay the importance of cybersecurity and assume that we're doing enough to protect ourselves, the reality is that the threats are constantly evolving and require our ongoing attention and vigilance. By prioritizing cybersecurity and investing in the necessary resources and infrastructure, we can better safeguard our businesses and personal information from the ever-present dangers of cybercrime.

Even if a business decides to outsource its security needs, it still requires a certain level of expertise in-house. In the past, it was common to rely on instinct and hope for the best, but now there are industry standards and best practices that have been mandated for businesses in all sectors. Adhering to these standards requires significant time, money, and resources investments. While cybersecurity is not a revenue-generating department, failure to invest in it can put the entire business at risk.

Unfortunately, this is a hard pill to swallow for many local businesses, as the costs of implementing these measures can be significant. It may also be difficult to find and retain the necessary scarce skills. A small or medium-sized business may need to hire up to five new employees, while a larger organization may need closer to 10.

Furthermore, the concept of "zero trust" has become increasingly popular in recent years. While this approach may work well for large corporations, it can be challenging to strike a balance between security and usability. The only truly zero trust environment is an analog one, where air-gapped processes are completely out of reach of cybercriminals. Once a system is connected to the internet, there is always a risk of infection, no matter how many security measures are in place.

The majority of the exploits we read about are caused by a relatively small number of vulnerabilities. A well-publicized ransomware attack, for example, could be the end result, but it would most likely have been accomplished through one of a tiny group of vulnerabilities that had not yet been patched or fixed with an update.

Looking ahead to 2023 and beyond, the one certainty is that threat actors will continue to search for vulnerabilities. The criminal underworld's research and development teams are hard at work, sharing exploits and communicating broadly about the best ways to attack. This sophisticated collaboration feeds an ongoing increase in ransomware attacks.

The primary concern going forward is how we deal with an increase in sophistication, regardless of the means used by the criminal or the vulnerability they seek to exploit. While we have been fortunate so far in being able to differentiate between legitimate and scam emails, advances in technology, particularly artificial intelligence, could make this more difficult in the future.

To combat this, businesses and individuals need to understand their overall attack surface, including vulnerabilities in PCs, laptops, and mobile devices, as well as available VPNs and services. Once a business has a comprehensive understanding of its attack surface, it should use third parties to perform penetration tests and vulnerability scans and stay on top of its cloud security obligations.

Alongside investments like a dedicated Security team and the assistance of third-party partners, ongoing user cybercrime education and awareness strategies will remain one of the most important investments for any business. All organizations should also be moving along the continuum of a zero trust strategy, finding the balance between security and usability. Ultimately, each user is responsible for security.