Tag Archive for: Continue

Impacts Continue to Grow Louder


Was that major cyber incident a ransomware attack, a data breach or both? How many records were impacted? Did personally identifiable information (PII) get compromised? How long were they down? Were backups usable? Did the business survive? When was the business able to fully restore their operations? What did the incident cost?

I often get asked these questions (and more), and the answers can take months or years to be released after an event. In some instances, the specific details remain hidden from public view — concealed inside the databases of cyber insurance companies or classified files guarded by three-letter government agencies.

And yet, as the cyber attack headlines just keep pouring in from universities, banks, governments, hospitals, public utilities and more, the impacts on society keep rising, even as many have become almost numb to the overall effect.


Here are just a few of the recent incident headlines I am talking about:

No doubt, this is just a very small sampling of the number of cyber attacks that hit the mainstream and technology media every week. Critics oftentimes argue, “Show me the data. What are the trends? Are things getting better or worse?” To which I generally reply, “It depends.” (I know. A good lawyer’s answer.)

Allow me to first provide you with a plethora of recent information, data and trend reports before providing my take on what’s going on right now regarding global cyber attacks. After each of these headlines, I offer a brief excerpt to help.

Security Week: Cybersecurity Companies Report Surge in Ransomware Attacks
“Ransomware attacks continue to be highly profitable for cyber-crime groups and the recent reports released by various cybersecurity firms show that they are increasing both in terms of volume and sophistication.”

The HIPAA Journal: IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million
“The 2023 IBM Security Cost of a Data Breach Report shows the average data breach cost has increased to $4.45 million ($165 per record), with data breaches in the United States being the costliest at an average of $9.48…

Source…

Suspected PRC Cyber Actors Continue to Globally Exploit Barracuda ESG Zero-Day Vulnerability


As part of the FBI investigation into the exploitation of CVE-2023-2868, a zero-day vulnerability in Barracuda Networks’ Email Security Gateway (ESG) appliances, the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk of continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability. For details on the malware found to date related to this exploit and on the Barracuda backdoors, see CISA Releases Malware Analysis Reports on Barracuda Backdoors. The cyber actors used this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting and data exfiltration. The FBI strongly advises that all affected ESG appliances be isolated and replaced immediately, and that all networks be scanned for connections to the provided list of indicators of compromise. https://go.fbinet.fbi/news/Pages/Bringing-Private-Sector-to-the-Fight-Against-CyberAdversaries.aspx

CVE-2023-2868 is a remote command injection vulnerability that allows unauthorized execution of system commands with administrator privileges on the ESG product. It is present in Barracuda ESG (appliance form factor only) versions 5.1.3.001 through 9.2.0.006 and relates to a process that runs when the appliance screens email attachments. The vulnerability allows cyber actors to format a TAR file attachment in a particular manner and send it to an email address affiliated with a domain that has an ESG appliance in front of it. When the malicious file is scanned, its formatting results in a command injection into the ESG, so that system commands are executed with the privileges of the ESG. Because the flaw sits in the scanning process, an email only needs to be received by the ESG to trigger it; no user has to open the attachment.
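The paragraph above describes the bug class but not the mechanism. Public reporting on CVE-2023-2868 attributed it to TAR member names from the attachment reaching a shell command without sanitization, so a name containing shell metacharacters became a command; that attribution is an assumption here, not something the FBI text states. The script below is an added example, not code from Barracuda, the FBI or CISA: it flags archive member names that carry shell metacharacters using only the TAR headers (nothing is extracted), and sets the interpolation anti-pattern beside its argv-list and shlex-quoted forms. The sample archive is constructed in memory. It is a mail-queue triage aid, not a substitute for the isolate-and-replace guidance above.

```python
"""Triage helper for CVE-2023-2868-style TAR attachments (added example; not
Barracuda, FBI or CISA code). Assumption, from public reporting on the bug:
member names from an attacker-supplied TAR reached a shell command unquoted,
so any shell metacharacter in a name became a command. The scanner flags such
names from the archive headers alone, without extracting any member."""
import io
import re
import shlex
import tarfile

# Characters that change the meaning of an unquoted token in sh/bash.
SHELL_META = re.compile(r"[`$;&|<>(){}'\"\\\n]")


def build_tar(names: list[str]) -> bytes:
    """Build an in-memory TAR with one empty member per name (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def suspicious_member_names(tar_bytes: bytes) -> list[str]:
    """Return member names carrying shell metacharacters.

    getmembers() walks the 512-byte headers only; member contents are never
    written to disk, so a hostile archive cannot plant files during triage.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            if SHELL_META.search(member.name):
                flagged.append(member.name)
    return flagged


def vulnerable_command(member_name: str) -> str:
    """The anti-pattern: an untrusted name interpolated into a shell string.
    Returned as a string and never executed here; with a name like a`id`b
    a shell would run `id` before `file` ever saw a path."""
    return f"file -b {member_name}"


def hardened_command(member_name: str) -> list[str]:
    """Safe form: hand the name to the program as one argv element, with no
    shell in between (e.g. subprocess.run(hardened_command(name)))."""
    return ["file", "-b", member_name]


def hardened_shell_string(member_name: str) -> str:
    """If a shell string is unavoidable, quote the name so metacharacters are literal."""
    return f"file -b {shlex.quote(member_name)}"


if __name__ == "__main__":
    sample = build_tar(["report.pdf", "a`id`b.txt", "$(uname -a).doc"])
    print("flagged:", suspicious_member_names(sample))
    print("unsafe :", vulnerable_command("a`id`b.txt"))
    print("safe   :", hardened_command("a`id`b.txt"))
    print("quoted :", hardened_shell_string("a`id`b.txt"))
```

Run it against a directory of quarantined attachments by feeding each file's bytes to suspicious_member_names; any hit is worth pulling the full message headers for, but a clean result proves nothing, since the FBI's point is that patched appliances may already carry the backdoors.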

The earliest evidence of exploitation of Barracuda ESG appliances was observed in October 2022. Initially, suspected PRC cyber actors sent emails to victims containing TAR file attachments designed to exploit the vulnerability. In the earliest emails,…

Source…

Ransomware attacks continue to be prolific


SecurityWeek reports that organizations impacted by ransomware attacks during the first six months of 2023 exceeded 1,500, most of which have been victimized by the LockBit ransomware operation, indicating the continued pervasiveness of ransomware attacks.

Lucrative business returns and organizations’ poor security posture have been driving the persistent growth of ransomware attacks, a report from Rapid7 revealed.

Absence or lax enforcement of multi-factor authentication has been linked to almost 40% of ransomware incidents during the first half of the year, while only one of the organizations studied had adhered to minimum security maturity recommendations, according to the researchers. Threat actors have also continued to succeed by exploiting old, long-patched vulnerabilities in their attacks.

“We don’t want to see so many preventable attacks when we know that there are so many complex attacks that organizations are also struggling with. But the good news is that, in theory, implementing something like MFA is a known quantity and a defined action that an organization is able to take if it wants to,” said Rapid7 Head of Vulnerability Research Caitlin Condon.

Source…

Attackers Continue to Leverage Signed Microsoft Drivers


In December of last year, Microsoft worked with SentinelOne, Mandiant, and Sophos to respond to an issue in which drivers certified by Microsoft’s Windows Hardware Developer Program turned out to be malware, carrying a legitimate Microsoft signature.

Unfortunately, the problem hasn’t gone away.

In a recent Mastodon post, security expert Kevin Beaumont observed, “Microsoft are still digitally signing malware kernel drivers, as they can’t identify malware (this comes up over and over again).”

Beaumont provided three examples of remote access trojans that had been verified by Microsoft as legitimate software, adding, “If you have Google’s VirusTotal (Microsoft do) you can run something like this to find them: signature:"Microsoft Windows Hardware Compatibility Publisher" p:5+ tag:signed name:.sys”

In response to an email inquiry from eSecurity Planet, a Microsoft spokesperson acknowledged the ongoing issue, stating, “We have suspended the partners’ seller accounts. In addition, Microsoft Defender Antivirus provides blocking detection for these files.”

The essential challenge remains – and Microsoft has only been able to suspend individual offenders.

Microsoft’s Initial Response

In guidance first published on December 13, 2022, the company stated, “Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers.”

Microsoft was notified of the issue by SentinelOne, Mandiant, and Sophos in October 2022, and began an investigation. “This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature,” the company added. “A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers’ accounts in early October.”

Matching the Microsoft spokesperson’s more recent explanation above, the company stated at the time that Windows Security Updates were released revoking the…

Source…