
Malware-as-a-Service The Biggest Risk to Organizations Right Now

Malware-as-a-Service

A recent Darktrace analysis identifies malware-as-a-service (MaaS) infections as the largest threat to enterprises in the second half of 2023.

Many malware strains have become cross-functionally adaptive, as noted in the 2023 End of Year Threat Report: information-stealing malware is combined with malware loaders such as remote access trojans (RATs).

The menace of malware-as-a-service 

Researchers at Darktrace discovered that "malware strains are progressively developed with a minimum of two functions and are interoperable with a greater number of existing tools" through reverse engineering and detection analysis.

These tools pose a particular risk to enterprises because they can harvest passwords and data without damaging files, which makes them harder to detect.

One well-known instance of this was the information-stealing and remote access Trojan (RAT) called ViperSoftX, which was designed to obtain sensitive data such as Bitcoin wallet addresses and passwords kept in password managers or browsers.

ViperSoftX was first sighted in the wild in 2020, but the strains discovered in 2022 and 2023 have more advanced capabilities and detection evasion strategies.

Another instance is the ransomware known as Black Basta, which spreads the Qbot banking trojan to steal credentials.

Additional Transition to Ransomware-as-a-Service (RaaS)

The research also noted a move away from traditional ransomware in 2023, with an increase in RaaS attacks.

It was reported that the ransomware market expanded after law enforcement dismantled the Hive ransomware gang in January 2023. Among these was the emergence of ScamClub, a malvertising actor that sends false virus alerts to well-known news websites, and AsyncRAT, which has been targeting US infrastructure workers lately.

According to Darktrace's prediction, an increasing number of ransomware attackers are expected to utilize multi-functional malware and double and triple extortion tactics in the upcoming year.

According to the company, in 2024 the MaaS and RaaS ecosystems should continue to flourish, hence reducing the entry barrier for cybercriminals.

Attackers Incorporating AI into Phishing Schemes

According to Darktrace, last year it saw threat actors use more creative strategies to get past an organization's security measures.

This includes phishing and other increasingly successful email attacks that try to trick users into downloading dangerous payloads or divulging private information.

For instance, 58% of the phishing emails that Darktrace saw last year got past all security measures in place, while 65% of them evaded Domain-based Message Authentication, Reporting and Conformance (DMARC) verification checks.

According to the researchers, a lot of attackers are using generative AI technologies to automate the creation of more realistic phishing operations.



CISOs in the Firing Line as Cybercriminals Continue to Target Firms

 

Businesses are feeling the effects of cyberattacks hard: a staggering 90% of CISOs report that their organisation has experienced one during the past year.

In the latest research from Splunk, 83% of the CISOs who responded to the poll stated they have paid out, with more than half paying more than $100,000.

They fear that generative AI will become more prevalent and give attackers an advantage. However, companies are testing such tools in their own cyber defences, with 93% of their processes using automation either moderately or intensively.

Splunk claims that the so-called "tool sprawl" issue, which is "likely compounding existing visibility issues," is another issue that is now emerging. A whopping 88% of CISOs seek to stop the expansion using tools like security orchestration, automation, and response (SOAR) and security information and event management (SIEM). 

By using solutions like these, they seek to reduce the number of tools required and simplify defence through automation.

Nearly half of the CISOs who responded to the survey also stated that they now directly report to their CEO, with CISOs being increasingly in charge of directing cybersecurity strategy. They frequently take part in board meetings across all sectors. Additionally, 90% of CISOs reported that their board is now more concerned about cybersecurity than it was two years ago. 

As a result, 93% of CISOs anticipate an increase in their cybersecurity budget over the next year, whereas 83% anticipate decreases in other areas of the organisation. 80% of CISOs say their organisation has encountered additional dangers as the economy has deteriorated. 

Greater collaboration has also happened across the organisation, with 92% of CISOs reporting that cybersecurity collaboration between teams has increased moderately or significantly as a result of digital transformation projects and cloud native adoption. Although 42% of respondents felt there was room for improvement in terms of results, 77% reported that IT and development teams worked together to identify the underlying causes of issues. 

Splunk CISO Jason Lee stated that, "the C-Suite and board of directors are increasingly relying on CISOs for guidance across a sophisticated threat landscape and changing market conditions," further stating, "these relationships provide CISOs the opportunity to become champions who strengthen an organization's security culture and lead teams to become more cross-collaborative and resilient." 

"By communicating key security metrics, CISOs can also guide boards on adopting emerging technologies, such as generative AI, to help improve cyber defense management and prepare for the future," Lee concluded.

Microsoft Warns of Rise in Global Cyberespionage Operations

 

Government-sponsored cyberespionage campaigns and data operations are on the rise, and not just as a result of hacker spies deployed by the usual suspects, Russia and China.

So warns Microsoft in its annual Digital Defence Report, which evaluates nation-state and criminal behaviour recorded from July 2022 to June 2023. 

Ransomware attacks naturally draw attention due to their visible and immediate impact, but governments are doubling down on stealthy cyberespionage operations behind the scenes. 

"Nation states are becoming increasingly sophisticated and aggressive in their cyberespionage efforts, led by highly capable Chinese actors focused on the Asia-Pacific region in particular," Tom Burt, Microsoft's corporate vice president for customer security and trust, stated in an introduction to the report. 

Based on Microsoft's report, the US was the subject of the most cyberattacks last year, followed by Israel and Ukraine. It witnessed an increase in activity last spring that targeted Western organisations, of which 46% were based in NATO states, particularly the U.S., the United Kingdom, and Poland. 

The United States' intelligence agencies have frequently warned that Russia, China, Iran, and North Korea pose the greatest internet risks to national security and allies. According to Microsoft, the scale and sophistication of activities linked to each of those countries continue to grow, and their efforts to steal information and alter narratives target both adversaries and allies.

"Russian intelligence agencies have refocused their cyberattacks on espionage activity in support of their war against Ukraine, while continuing destructive cyberattacks in Ukraine and broader espionage efforts," Burt wrote in a blog post. 

China is still a significant player, concentrating on gathering intelligence, particularly from U.S. defence and vital sectors, Taiwan and even its own partners, and on conducting influence operations, Microsoft reported.

Beijing additionally "deploys a vast network of coordinated accounts across dozens of platforms to spread covert propaganda" that targets Chinese speakers worldwide and occasionally spreads anti-American narratives, the report further reads. The nation's influence operations also emphasise "promoting a positive image of China through hundreds of multilingual lifestyle influencers."

There is ample evidence that Russia is using cyberespionage more frequently. Western intelligence authorities continue to issue warnings that the real scope of such operations is still unknown because they are intended to be stealthy and at times highly targeted. Long-term attacks might not be seen right away. 

The White House blamed the Russian Foreign Intelligence Service, or SVR, for the SolarWinds supply chain attack, which involved the injection of a Trojan into the Orion software updater. It's possible that the effort started in September 2019, but it wasn't discovered until December 2020, giving the SVR months to secure covert access to a number of extremely sensitive systems. 

Microsoft reports that nominal allies attack one another while conducting cyber operations and acquiring intelligence. Despite the meeting between Russian President Vladimir Putin and North Korean hereditary dictator Kim Jong Un last month, Pyongyang continues to carry out Moscow-centered espionage activities, with a particular emphasis on "nuclear energy, defence, and government policy intelligence collection." 

The threat from criminal groups continues to rise in addition to the risk from nation-state organisations. "Ransomware-as-a-service and phishing-as-a-service are key threats to businesses, and cybercriminals have conducted business email compromise and other cybercrimes, largely undeterred by the increasing commitment of global law enforcement resources," Burt added.

Cybercriminal Groups Unleashing Ransomware Within a Day of Target Breach

 

A recent threat report reveals a significant shift in cybercriminal tactics, indicating a noteworthy decline in the time it takes for them to deploy ransomware after initially infiltrating their targets. 

Last year's average of 4.5 days has plummeted, with cybercriminals now striking within the first 24 hours of gaining access, according to findings by cybersecurity firm Secureworks.

This alarming trend underscores the company's warning that 2023 may witness an unprecedented surge in ransomware attacks, with three times as many victims appearing on leak sites in May compared to the same period last year.

However, Secureworks highlights a caveat regarding leak sites as a metric for gauging the scale of the ransomware issue. Notably, the report emphasizes that leak sites may only represent around 10% of the total victims known to law enforcement. 

Consequently, it urges caution when interpreting leak site data. Despite this, the aggregate data undeniably underscores the enduring appeal of ransomware and data extortion as lucrative criminal enterprises, posing a substantial threat to businesses.

Secureworks further reveals a disturbing statistic: in over 50% of its incident response cases, hackers managed to unleash their malware within a mere 24 hours of infiltrating the victim's network. 

This marks a stark drop from the 4.5-day average observed last year. In 10% of cases, ransomware was deployed within a staggeringly short five-hour window from initial access.

Don Smith, VP Threat Intelligence at Secureworks Counter Threat Unit, sheds light on the driving force behind this reduction in dwell time. He posits that cybercriminals are motivated by a desire to minimize the chances of detection, as the cybersecurity industry has become more proficient at identifying precursors to ransomware attacks. 

Consequently, threat actors are shifting focus towards simpler and faster operations, forsaking larger-scale, complex encryption events that span multiple enterprise sites. However, the risk posed by these expedited attacks remains significantly high.

Smith adds a cautionary note, emphasizing that despite the prevalence of familiar threat actors, the emergence of new and highly active threat groups is contributing to a notable surge in both victims and data breaches. 

Even in the face of high-profile crackdowns and sanctions, cybercriminals exhibit a remarkable capacity for adaptation, ensuring that the threat continues to escalate at an alarming pace.

Report: Insider Cybersecurity Threats have Increased 40% Over the Past Four Years

 

A recent study disclosed that over the past four years, the average cost of an insider cybersecurity attack has increased dramatically by 40%. In addition, the average annual cost of these cyberthreats has increased over the past 12 months, reaching $16.2 million per incident. 

The highest costs arise after the attack has taken place, thus businesses globally should prepare their prospective responses now in order to incur the least amount of financial loss.

The new research states that "insider" attacks can be either malicious (espionage, IP theft, sabotage, or fraud) or non-malicious (when an insider is careless, mistaken, or outsmarted). The study, titled '2023 Cost of Insider Risks Global', was released by the data privacy-focused Ponemon research centre and funded by insider cybersecurity company DTEX Systems.

It reveals that insider risks are increasing, and not simply in terms of how much each attack costs. In 2023, there were a total of 7,343 insider incidents, up from just 6,803 the year before. 

The majority of the incidents (75%) were traced back to non-malicious insiders, most often mistaken ones (55%). The two expenses with the highest average cost per incident are containment and cleanup, at $179,209 and $125,221 respectively. The cost of a response rises with its duration.

Why aren't cyber budgets spent wisely?

Insider threats are increasing. Or, to put it another way, the call is coming from inside the house. Businesses, meanwhile, have not made the necessary adjustments to their budgets: 88% of them still allocate 10% or less of their IT security budget specifically to controlling insider risk, while external threats receive 91.8% of budgetary resources.

However, social engineering, which targets insiders to phish or otherwise trick personnel into disclosing private information about their own firm, is still a major threat. Phishing attacks cost businesses nearly $6.9 billion in 2021, and the FBI recently identified phishing as the most frequent type of cyberattack.

“This highlights a widespread misunderstanding of the types of insider risks and the failure to proactively protect customer data and IP [intellectual property],” Rajan Koo, chief technology officer of DTEX Systems, stated in a press release.

Fortinet: Remote Working has Resulted in Breaches for Two-Thirds of Businesses

 

When the COVID-19 pandemic hit nearly three years ago, millions of people were compelled to complete their tasks away from their offices and coworkers. This caused an unprecedented rise in the number of workers who do the majority of their work online from any location with internet access, most likely at home. Work-from-home (WFH) employees have existed for a while, but they had never made up the majority of a company's workforce.

Organizations, particularly IT departments, had to quickly adapt as the situation changed after the 2020 coronavirus shutdowns and remote workers started to predominate. The phrase "hybrid workforce" became widely used to describe the occurrence after workers dispersed around the globe and subsequently returned to on-site workplaces for a few months, though many did so less frequently than before. 

In its "2023 Work-From-Anywhere Global Survey," Fortinet discovered that most of the 570 organisations polled are still willing to allow employees to work from home or are adopting a hybrid-work strategy for their staff. In the last two to three years, work-from-anywhere (WFA) employee vulnerabilities have been cited as a possible cause of data breaches by nearly two-thirds (62%) of the firms. 

According to Peter Newton, senior director of product and solutions at Fortinet, the report clearly identifies personal use of office PCs, home network users, and other users as the organisations' main worries.

"That highlights the fact that vulnerabilities associated with home networks, personal applications, and personal devices all act as back doors into companies' networks, applications, and data, highlighting the need for continued security awareness training for employees as well as technologies like SASE, SD-WAN, on-prem security appliances, and [zero-trust network access]," he said in an interview with SDxCentral.

The survey found that different businesses use very different security measures for protecting remote workers. Newton asserts that individuals who have suffered a breach associated with WFA are more inclined to invest in both conventional technologies, such as laptop antivirus and VPN, as well as cutting-edge techniques, such as SASE, SD-WAN, and zero-trust network access (ZTNA). 

94% of respondents intend to increase their security budget to account for WFA policies, with more than a third (37%) anticipating an increase of 10% or more, the report reads. 

“We see the organizations are still in their early stage when it comes to WFA strategy and solutions. Some just started and some ventured further along. Regardless, there is no one-size-fits-all solution, and securing WFA needs a layered-defense and a combination of solutions that work together,” Newton added.

Top Cybersecurity Trends to Watch Out in 2023

 

The most recent research from Malwarebytes, which examines the situation of malware in 2023, has just been published. The research includes information on current significant security advancements, 5 cyber threat archetypes to watch out for this year, the most prevalent malware identified on Macs, and more. 

The 30-page 2023 State of Malware study was released earlier this week by Malwarebytes. The business states in its opening: 

"The traditional cybersecurity guidelines are obsolete. Your company can no longer only rely on the greatest security software to protect you from the most harmful malware used by your adversaries. The conflict is becoming more human; your best soldiers are up against their worst."

More than ever, malicious hackers are turning to social engineering as older attack routes have closed. The report begins with six significant events from 2022 that had an impact on cybersecurity:

Conflict in Ukraine: The conflict in Ukraine was strategically significant, making it a good subject for social engineering lures. According to the Malwarebytes Threat Intelligence team, the war was a common theme in attacks against German targets by alleged Russian state actors and against Russian targets by alleged Chinese state actors. 

Ransomware: Throughout 2022, ransomware organisations tried out a variety of new strategies, but few of them were successful. Purchasing access to businesses through disgruntled employees is one strategy that might be more successful in 2023.

Macros: One of the most effective malware delivery mechanisms ever created was ultimately stopped in 2022 when Microsoft announced that it would block macros in Office documents obtained from the Internet.

Authentication: It has taken a while to find a truly viable replacement for passwords, but in May, Google, Apple, and Microsoft announced their strong support for FIDO2, an established, current, and widely used standard for password-free authentication.

Roe v. Wade: The US Supreme Court's decision to overrule Roe v. Wade in June 2022 represented the most significant shift to data privacy in that year. As previously innocuous data points—like whereabouts, purchasing preferences, search histories, and menstrual cycles—acquired a potentially life-altering meaning, worries about digital privacy suddenly became widespread. 

TikTok: Brendan Carr, a commissioner for the US Federal Communications Commission, called the social media app TikTok "an intolerable national security danger" in June due to its vast data collection and "Beijing's apparently unfettered access to that sensitive material." 

The most prevalent Mac malware

Macs are not immune to malware, though they are less frequently attacked than Windows. Adware was the most typical detection on macOS in 2022, according to Malwarebytes. A single adware programme called OSX accounted for 10% of all detections on Mac. 

The "worst," according to the company, is Genio. Despite being categorised as adware, the report states that it exhibits malware-like behaviour in order to "dig deeper into the machines it's placed on, penetrating defences and compromising security in the name of making itself incredibly difficult to remove." 

OSX.Genio makes money by intercepting users' web searches and inserting its own intrusive adverts into the results. Malware detections made up 11% of the total, followed by 14% from adware operators and a variety of other sources.

Most Ransomware Attacks in 2022 Took Advantage of Outdated Bugs

 

In 2022, ransomware operators took advantage of a number of outdated vulnerabilities that allowed them to establish persistence and move laterally to complete their objectives.

A report released last week by Ivanti stated that the flaws, which are prevalent in products from Microsoft, Oracle, VMware, F5, SonicWall, and several other companies, pose a clear and present danger to organisations that haven't yet remedied them.

Old bugs are still popular

Ivanti's study is based on data analysis from teams at Securin, Cyber Security Works, and Cyware as well as from its own threat intelligence team. It provides a thorough examination of the flaws that criminals frequently used in ransomware attacks in 2022. 

In attacks last year, ransomware operators used a total of 344 different vulnerabilities, up 56 from 2021, according to Ivanti's analysis. A stunning 76% of these bugs were from 2019 or before. Three remote code execution (RCE) defects from 2012 in Oracle's products, CVE-2012-1710 in Oracle Fusion middleware and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment, were the oldest flaws in the group. 

Ivanti's chief product officer, Srinivas Mukkamala, says that while the data indicates that ransomware operators leveraged new vulnerabilities more quickly than ever last year, many still relied on older vulnerabilities that remain present on enterprise systems.

"Older flaws being exploited is a byproduct of the complexity and time-consuming nature of patches," Mukkamala stated. "This is why organisations need to take a risk-based vulnerability management approach to prioritise patches so that they can remediate vulnerabilities that pose the most risk to their organisation." 

Critical flaws 

Ivanti identified 57 vulnerabilities as affording threat actors the ability to complete their whole goal, making them among the vulnerabilities that pose the most risk. These flaws gave an attacker the ability to acquire initial access, maintain persistence, elevate privileges, get around security measures, access credentials, find resources they might be looking for, move laterally, gather information, and carry out the intended task. 

There were 25 vulnerabilities in this category that were dated 2019 or earlier, including the three Oracle flaws from 2012. Scanners are not presently picking up exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195) in products made by ConnectWise, Zyxel, and QNAP, respectively. 

Inadequate input validation was the cause of the majority (11) of the vulnerabilities in the list that presented a full attack chain. Path traversal flaws, OS command injection, out-of-bounds write errors, and SQL injection were some more frequent causes of vulnerabilities. 

The most common flaws are broadly prevalent 

Moreover, ransomware authors tend to favour flaws that affect a wide range of products. CVE-2018-3639, a speculative-execution side-channel vulnerability that Intel disclosed in 2018, was one of the most well-known of them. According to Mukkamala, the flaw affects 345 products from 26 vendors. Other instances include the famed Log4Shell flaw, CVE-2021-44228, which at least six ransomware gangs are presently using as an attack vector. It was one of many vulnerabilities that Ivanti found threat actors using as recently as December 2022. At least 176 products from 21 different manufacturers, including Oracle, Red Hat, Apache, Novell, and Amazon, contain it.

The Linux kernel vulnerability CVE-2018-5391 and the critical elevation-of-privilege flaw in Microsoft Netlogon, CVE-2020-1472, are two further flaws that ransomware developers like to exploit because of their widespread presence. The vulnerability has been used by at least nine ransomware gangs, including those responsible for Babuk, CryptoMix, Conti, DarkSide, and Ryuk, and it is growing in popularity with other groups as well, according to Ivanti.

A total of 118 vulnerabilities that were leveraged in ransomware attacks last year were discovered, according to the security research.

According to Mukkamala, "threat actors are particularly interested in defects that are present in most products." 

The closely watched Known Exploited Vulnerabilities (KEV) database maintained by the US Cybersecurity and Infrastructure Security Agency does not contain 131 of the 344 weaknesses that ransomware attackers exploited last year. The database includes information on software weaknesses that threat actors are actively exploiting and that CISA deems to be particularly hazardous. According to CISA, federal entities must prioritise and usually respond to vulnerabilities listed in the database within two weeks. 

Because many businesses use the KEV to prioritise patches, Mukkamala argues it is significant that these flaws are not in the CISA KEV. This demonstrates that, although it is a reliable resource, the KEV does not give a comprehensive overview of all the vulnerabilities employed in ransomware attacks.

57 vulnerabilities that were leveraged in ransomware attacks last year by organisations including LockBit, Conti, and BlackCat have low- and medium-severity rankings in the national vulnerability database, according to Ivanti. The risk, according to the security provider, is that enterprises who utilise the score to prioritise patching may get complacent as a result.
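As an added example (not Ivanti's or CISA's code) of the risk-based approach Mukkamala describes, the following Python ranks findings using exploitation evidence alongside KEV membership and CVSS, and shows what the KEV-only and CVSS-only shortcuts miss. The scores, dates, group attributions and KEV flags are constructed sample data; only the real CVE identifiers come from the report summary above, and the two CVE-XXXX entries are placeholders.

```python
"""Risk-based patch prioritisation: rank CVEs by exploitation evidence rather than
by CISA KEV membership or NVD/CVSS score alone.

Added example; Finding records below are constructed sample data, not Ivanti's
dataset (only the real CVE ids come from the report summary).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float                              # NVD base score (0-10)
    published: date                          # disclosure date
    in_kev: bool                             # listed in CISA KEV?
    ransomware_groups: tuple[str, ...] = ()  # groups seen using it (threat intel)
    full_chain: bool = False                 # lets an attacker complete the whole kill chain
    affected_products: int = 1               # breadth of exposure


def risk_score(f: Finding, as_of: date) -> float:
    """Additive score; the weights are illustrative, not a published standard."""
    score = f.cvss
    if f.in_kev:
        score += 3.0                         # confirmed active exploitation
    score += 2.0 * min(len(f.ransomware_groups), 3)  # ransomware adoption, capped
    if f.full_chain:
        score += 2.0                         # initial access through impact in one bug
    if (as_of - f.published).days > 3 * 365:
        score += 1.0                         # old and still unpatched: long-term exposure
    if f.affected_products > 100:
        score += 1.0                         # widely shared component
    return score


def prioritise(findings, as_of: date) -> list[Finding]:
    """Highest risk first."""
    return sorted(findings, key=lambda f: risk_score(f, as_of), reverse=True)


def kev_only(findings) -> list[str]:
    """Shortcut 1: patch only what CISA KEV lists."""
    return [f.cve for f in findings if f.in_kev]


def cvss_only(findings, threshold: float = 7.0) -> list[str]:
    """Shortcut 2: patch only high/critical CVSS."""
    return [f.cve for f in findings if f.cvss >= threshold]


AS_OF = date(2023, 12, 31)

# Constructed sample inventory (scores, dates, flags are illustrative).
SAMPLE = (
    Finding("CVE-2020-1472", 10.0, date(2020, 8, 11), True,
            ("Babuk", "Conti", "Ryuk", "DarkSide"), True),
    Finding("CVE-2017-18362", 9.8, date(2019, 2, 5), False, ("LockBit",), True),
    Finding("CVE-2012-1710", 7.5, date(2012, 5, 3), False, ("Ryuk",), True),
    # placeholder: low NVD score but used by two ransomware groups
    Finding("CVE-XXXX-LOW", 4.3, date(2019, 6, 1), False, ("LockBit", "BlackCat")),
    # placeholder: high NVD score with no known exploitation
    Finding("CVE-XXXX-HIGH", 9.1, date(2023, 3, 1), False),
)


def missed_by(shortlist: list[str], ranked: list[Finding]) -> list[str]:
    """CVEs with ransomware evidence that a shortcut list leaves out."""
    return [f.cve for f in ranked if f.ransomware_groups and f.cve not in shortlist]


if __name__ == "__main__":
    ranked = prioritise(SAMPLE, AS_OF)
    for f in ranked:
        print(f"{f.cve:16} cvss={f.cvss:4} kev={f.in_kev!s:5} risk={risk_score(f, AS_OF):5.1f}")
    print("missed by KEV-only :", missed_by(kev_only(SAMPLE), ranked))
    print("missed by CVSS-only:", missed_by(cvss_only(SAMPLE), ranked))
```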

Internet Users are Inundated With Adware and False Advice Scams Thanks to Hackers

 


Avast, a leading provider of cybersecurity software, has released its Q4 2022 Threat Report, which closely examines the kinds of scams that prey on unsuspecting consumers. 

One of the most well-known scam types was social engineering, which highlights the human error, as well as techniques for refund and invoice fraud and purported tech support scams. Like in prior quarters, lottery-related adware campaigns were still widely used. In addition to scams, the business identified two zero-day exploits in Chrome and Windows, which have since been patched, underscoring consumers' need to maintain software updates. 

Widespread email fraud 

Jakub Kroustek, Director of Avast Virus Research, argued that hackers attribute a significant percentage of their success to human nature, which causes us to react with urgency, anxiety, and a desire to recover control of situations.

According to Kroustek, "at the end of 2022, we witnessed an increase in human-centered threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn’t order. It’s human nature to react to urgency, and fear and try to regain control of issues, and that’s where cybercriminals succeed.

When people face surprising pop-up messages or emails, we recommend they stay calm and take a moment to think before they act. Threats are so ubiquitous today that it’s hard for consumers to keep up. It is our mission to help protect people by detecting threats and alerting users before they can do any harm, using the latest AI-based technology.”

During the latter months of 2022 running up to Christmas, an alarming rise in the refund and invoice fraud was observed, with duped victims giving hostile actors access to their screens and online banking. Uncertain individuals may prefer to go directly to the platform's website and use a number they are sure of rather than dialing the number on the scam email. 

Along with the Arkei information stealer, which showed a startling 437% growth, lottery-style popups and other forms of data theft were also observed. Among other things, Arkei is known for stealing data from browser autofill forms. Two zero-day vulnerabilities were also discovered, in Windows and Google Chrome. According to Avast, the risk to users was reduced because both companies were alerted and responded quickly.

Ransomware Remains a Major Cyber Threat for Organizations Worldwide

 

Trellix, the cybersecurity firm delivering the future of extended detection and response (XDR), has published 'The Threat Report: Fall 2022,' examining cybersecurity patterns and attack techniques from the first quarter of the year. 

The threat report includes evidence of malicious activity linked to ransomware and state-linked advanced persistent threat (APT) hackers. The researchers examined proprietary data from its sensor network, open-source intelligence, and investigations by the Trellix Advanced Research Center. Here are some of the report’s key findings: 

• Transportation was the second most active sector globally, following telecom. APTs were also detected in transportation more than in any other sector. 

• Ransomware attacks surged 32% in Germany in Q3 and contributed 27% of global activity. Germany also experienced the most threat detections related to malicious hackers in Q3, with 29% of observed activity. In the United States, ransomware activity increased 100% quarter-over-quarter in the transportation and shipping industries for Q3 2022.

• Mustang Panda, a China-linked APT group, had the most identified threat indicators in Q3, followed by Russian-associated APT29 and Pakistan-linked APT36. 

• Phobos, ransomware sold as a complete kit in the cybercriminal underground, accounted for 10% of global detected activity and was the second most used ransomware detected in the US. 

• The infamous LockBit remained the most propagated ransomware in the third quarter of 2022, generating over a fifth (22%) of detections.

• Years-old security loopholes continue to remain a perfect target spot for threat actors. Threat analysts detected Microsoft Equation Editor vulnerabilities CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 to be the most abused among malicious emails received by users during Q3. 

• Cobalt Strike, an authentic third-party tool, was employed in 33% of detected global ransomware activity and in 18% of APT detections in Q3. 

“So far in 2022, we have seen unremitting activity out of Russia and other state-sponsored groups. This activity is compounded by a rise in politically motivated hacktivism and sustained ransomware attacks on healthcare and education. The need for increased inspection of cyber threat actors and their methods has never been greater,” John Fokker, Trellix head of threat intelligence, stated. 

Earlier this year, Trellix announced its partner program to include multiple latest features along with 10 new technology associates and technology integrations with its flagship platform. The partner additions bring Trellix’s ecosystem to some 800 partners associated with its XDR platform.

Google TAG Takes Down Coordinated Influence Operation Spreading Fake Information

 

Google's Threat Analysis Group (TAG) in its latest published bulletin, provides an outline of the entire “coordinated influence operation” that its staff tracked in January 2022 involving multiple countries. 
 
According to Google TAG, four YouTube channels, two AdSense accounts, one Blogger blog, and six domains – used to generate revenue by displaying advertisements – were wiped out in coordinated influence operations linked to Belarus, Moldova, and Ukraine. The campaign "was sharing content in English that was about a variety of topics including US and European current events," threat analysts explained.

To mitigate the spread of misinformation, Google TAG terminated three YouTube channels responsible for uploading content in Arabic that was critical of former Sudanese president Omar al-Bashir and supportive of the 2019 Sudanese coup d’état.
 
Additionally, Google TAG handled a relatively large "influence operation linked to China." In January, threat analysts terminated 4,361 YouTube channels for spreading Chinese spam content; a small subset of those channels uploaded content in both English and Chinese about Chinese and US foreign affairs.
 
“We terminated 4361 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports,” says Google. 
 
Furthermore, Google TAG has banned YouTube channels, AdSense accounts, and Play developer accounts belonging to influence campaigns linked to Iraq, Turkey, and Libya's politics and current affairs.   
 
As the Russia-Ukraine conflict continues to escalate, Google has strengthened the safety measures for those in the region considered to be at higher risk of cyber assaults or attempted account compromise. This includes enabling two-factor authentication (2FA) and promoting the Advanced Protection Program.
 
"Threat intel teams continue to look out for and disrupt disinfo campaigns, hacking, and financially motivated abuse, and are working with other companies and relevant government bodies to address these threats,” Google said on Twitter.
 
Last year, Google TAG blocked three YouTube channels used by Iranian attackers to publish content in Bosnian and Arabic condemning the actions of the U.S. and the People’s Mujahedin Organization of Iran (PMOI), a militant organization fighting against the official Iranian government.

Russian Hackers are Trying to Collaborate With Chinese Hackers

 

An attempt is being made to team up with Chinese attackers on RAMP, a Russian-speaking hacker forum. According to researchers from Flashpoint, high-level members and RAMP administrators are actively communicating with new forum members in machine-translated Chinese, inviting Mandarin-speaking members to join conversations, share suggestions, and coordinate on attacks.

America on target 

The hacking forum has received at least thirty new user registrations from China, suggesting that this could be the launch of something significant. The most likely reason, according to security experts, is that Russian hackers are seeking to build partnerships with Chinese threat actors in order to launch cyber assaults against American targets, exchange vulnerabilities, or even recruit fresh talent for their Ransomware-as-a-Service (RaaS) operations. 

This initiative was launched by a RAMP admin named Kajit, who claims to have recently spent time in China and to speak the language, according to a threat analyst who spoke to BleepingComputer earlier this month. He had indicated on a previous version of RAMP that he would invite Chinese attackers to the forum, which now appears to be happening.

However, Russian hackers attempting to interact with Chinese attackers isn’t confined to the RAMP hacking community as Flashpoint researchers have also observed similar collaboration on the XSS hacking forum. 

“In October, an XSS user replied to a thread with a Chinese-language ad looking for partners in a ransomware operation. Furthermore, in the wake of BlackMatter’s shutdown, the spokesperson of LockBit invited BlackMatter’s affiliates to move to China where the LockBit spokesperson claimed to be residing.

In the screenshot, XSS user “hoffman” greets two forum members who revealed themselves as Chinese. The threat actor asks them if they could provide information about ransomware and purchasing various kinds of system vulnerabilities. The language seems to be machine-translated Chinese,” explains the new research by Flashpoint. 

Last month, the RAMP admin known as 'Orange' or 'boriselcin', who ran the "Groove" site, published a post encouraging attackers to target the United States. After the media picked up on the story, the Groove actor claimed that the operation had been fake from the beginning and was launched to troll and manipulate the media and security experts.

RAMP, a Russian-language forum, emerged as recently as July this year and has garnered a lot of interest from researchers and cybercriminals alike. RAMP, named as a tribute to the now-defunct Russian drug marketplace, actually stands for Ransom Anon Market Place and is hosted on the same domain that previously hosted the Babuk ransomware data leak site and then Payload.bin.

Zix: Attackers Increasingly Adopting New Techniques to Target Users

 

Cybercriminals are continuously expanding their toolkit by experimenting with new strategies and approaches in order to improve their effectiveness against both technological and human adversaries. 

According to research released by Zix, attackers are increasingly adopting new tactics to target users. The research covered several examples and also examined numerous consistent attack techniques and patterns that tend to affect organizations across the globe. 

“Cybercrime is exploding in 2021 and if there is anything that could be learned over the past year, it is that threat hunters are essential,” stated Troy Gill, Manager of Research at Zix. 

“Companies cannot wait for potential threats to emerge but must proactively identify security incidents that may go undetected by automated security tools. As we enter into the back half of the year, we will continue to see phishing, Business Email Compromise (BEC) and ransomware attackers become more sophisticated and bad actors asking for higher bounties to release data they have compromised.” 

The most common techniques employed by attackers: 

- Customized phishing attacks are on the upswing: Between Q1 and Q2, phishing attacks increased in frequency and sophistication, with campaigns becoming tailored to specific users through the use of CAPTCHAs and web certificate data. Well-known services such as Spotify and DocuSign were used as lures.

- New attack trends have surfaced: Email threats grew in the first half of 2021, with 2.9 billion emails quarantined through June. URL- and text-based attacks increased steadily in the first half of the year, whereas email-based attacks dropped in the first five months before spiking in June.

- BEC (business email compromise) attacks have become the most widely used technique: According to the research, businesses were the most susceptible and most sought-after targets. Attackers have been observed eavesdropping on conversations from inside a compromised account before sending more personalized messages in an attempt to extract financial data or passwords.

Houdini Malware is Back, and Amazon Sidewalk has Affected Enterprise Risk Assessments

 

A secure access service edge (SASE) platform's nature allows it to see a significant number of internet data flows, and the larger the platform, the more dataflows can be evaluated. A review of over 263 billion network flows from Q2 2021 reveals rising dangers, new uses for old malware, and the expanding use of consumer devices in the workplace. 

According to the Cato Networks SASE Threat Research Report, a new variant of the old Houdini malware is now being used to steal device information in order to circumvent access rules that evaluate both the device and the user. Device identification has evolved from simple point solutions into cloud-based services, and attackers have responded by prioritising the spoofing of device IDs. As a result, verifying device identity has become critical for strong user authentication.
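As an added illustration (constructed for this post, not code from Cato or from the report), the following Python shows why an access rule keyed on readable device attributes is defeated by an information stealer that copies them, while a rule that requires a device-bound key to sign a fresh server nonce is not. The HMAC key stands in for a hardware-backed, non-exportable device key; all users, device IDs, and key values are made up.

```python
"""Constructed example: device-aware access rules should verify key possession, not attributes."""
import hashlib
import hmac
import secrets

# Server-side enrolment record (constructed values). The device_key is assumed to be
# non-exportable on the real device, so an infostealer cannot copy it.
ENROLLED = {
    "alice": {"device_id": "LAPTOP-7F3A", "os": "Windows 10", "hostname": "alice-laptop",
              "device_key": b"non-exportable-key-bound-to-alice-laptop"},
}

def weak_check(request):
    """Policy that only compares attributes carried in the request (all stealable)."""
    rec = ENROLLED.get(request.get("user"))
    return rec is not None and all(request.get(k) == rec[k] for k in ("device_id", "os", "hostname"))

def issue_nonce():
    """Fresh per-request challenge; also defeats replay of an old signature."""
    return secrets.token_hex(16)

def device_sign(device_key, user, device_id, nonce):
    """Runs on the device: prove possession of the device-bound key for this nonce."""
    msg = f"{user}|{device_id}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def strong_check(request, nonce):
    """Policy that requires a valid possession proof over the server's nonce."""
    rec = ENROLLED.get(request.get("user"))
    if rec is None or request.get("device_id") != rec["device_id"]:
        return False
    expected = device_sign(rec["device_key"], request["user"], rec["device_id"], nonce)
    return hmac.compare_digest(expected, request.get("signature", ""))

def simulate():
    """Compare both policies against the real device and against a stealer-harvested profile."""
    nonce = issue_nonce()
    rec = ENROLLED["alice"]
    real = {"user": "alice", "device_id": rec["device_id"], "os": rec["os"], "hostname": rec["hostname"]}
    real["signature"] = device_sign(rec["device_key"], "alice", rec["device_id"], nonce)
    # Harvested profile: every readable attribute, but not the key, so the signature is wrong.
    stolen = {k: real[k] for k in ("user", "device_id", "os", "hostname")}
    stolen["signature"] = device_sign(b"attacker-guess", "alice", rec["device_id"], nonce)
    return {
        "weak_real": weak_check(real), "weak_stolen": weak_check(stolen),
        "strong_real": strong_check(real, nonce), "strong_stolen": strong_check(stolen, nonce),
    }
```

`simulate()` returns `weak_stolen` as True (the attribute-only rule is bypassed) and `strong_stolen` as False (the possession proof fails without the key).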

The report also shows how Amazon Sidewalk and other consumer services run on many enterprise networks, making risk assessment difficult. “Cybersecurity risk assessment is based on visibility to threats as much as visibility to what is happening in the organization’s network,” says Etay Maor, senior director of security strategy at Cato Networks. 

Maor doubts that many firms would be comfortable with on-site networks that include a variety of home gadgets, including those that are automatically signed in by Sidewalk and belong to employees' neighbours. Just as concerning, he said, "How many companies are even aware that home devices have been brought into the corporate network and are sharing the corporate infrastructure." 

“With lines blurring between the home office and the corporate network – more devices and applications find their way to the organization’s network but not necessarily to the organization’s risk assessment,” Maor added. 

Cato's platform recorded 9.5 billion network scans in Q2. Maor is confident that the company's combination of AI-based threat detection and human analysis ensures that these are not researcher scans. Cato also recorded about 817 million security events caused by malware, as well as over 475 million events caused by inbound or outbound communication with domains with a poor reputation.

There were nearly 400 million policy violations, including 241 million vulnerability scans from scanners such as OpenVAS and Nessus that violated Cato's security policy or common best practices for network security. The most common exploit attempt (7,957,186 attempts) targeted CVE-2020-29047, a vulnerability in the WordPress wp-hotel-booking plugin.

Acronis reports India to be third highest in terms of Malware attacks, after US and Japan

Acronis, a Switzerland-based IT and cybersecurity company, surveyed 3,400 IT managers from the private and public sectors in 17 countries across four continents: Australia, Bulgaria, Canada, France, Germany, India, Italy, Japan, Netherlands, Singapore, South Africa, Spain, Sweden, Switzerland, UAE, UK, and the US. The report investigates the rise and fall of cyber attacks and the cyber readiness of companies during COVID-19, since, in Acronis's own words, "the COVID-19 pandemic has crippled businesses worldwide".

According to the report, India ranked third in the number of malware attacks, after the US and Japan, between March and November. In India, 1,168 attacks per 1,000 clients were detected in a month.

Acronis found that the switch from office to remote work revealed weak points in cybersecurity, mainly 1) exposed servers (RDP, VPN, Citrix, DNS, etc.), 2) weak authentication techniques, and 3) insufficient monitoring.

Companies increased their IT expenditure (72% of organizations reported increases) but still faced difficulties adjusting from office to remote work.

On security concerns, the survey found major gaps in monitoring for phishing, in cloud-solution expertise, and in defending against video conferencing attacks, because the cybersecurity measures in place are merely adequate and have not been updated for the latest threats and needs.

“The cyber threat landscape has changed dramatically during the past few years, and in the last six months in particular. Traditional stand-alone antivirus and backup solutions are unable to protect against modern cyberthreats,” said Serguei “SB” Beloussov, founder and CEO of Acronis.

The most common attacks faced by organizations were phishing (53.4%), DDoS (44.9%), video conferencing (39.5%), and malware (22.2%). The report attributes the rate of phishing attacks to a lack of active countermeasures, as only 2% of organizations use URL filtering; India, Switzerland, Canada, and the UK were among the countries most affected by video conferencing attacks.