Today is National Comic Sans Day – we will not be participating, and we hope you won’t either. We hope you will read the 2023 Cyber Threat Report.
In industry news, Bleeping Computer has details on a ransomware attack that disrupted operations at the largest shipping port in Japan. Dark Reading has the lowdown on a Microsoft Teams vulnerability that could let outsiders send malware directly to internal users. TechCrunch breaks down new information about the MOVEit file transfer tool hacks. Hacker News reports on the takedown of OPERA1ER’s leader.
Remember to keep your passwords close and your eyes peeled – cybersecurity is everyone’s responsibility.
TrendMicro, SonicWall News: According to the 2022 SonicWall Cyber Threat Report, healthcare continued a large spike in malware in 2021, at 121%. While the largest jump in IoT malware attacks belonged to healthcare, which saw a 71% year-over-year increase. To shed light on the significance malware can carry, it’s important to look at how recent breaches could’ve been circumvented by abiding to the HIPAA rules and safeguards.
VentureBeat, SonicWall News: Malicious objects were blocked on more than 40% of OT systems. SonicWall Capture Labs threat researchers recorded 112.3 million instances of IoT malware in 2022, an 87% increase over 2021.
StateTech, SonicWall News: According to SonicWall’s 2023 Cyber Threat Report, ransomware has “been on a tear” for the past few years, growing 105 percent year over year in 2021. While the report found that attacks were down in 2022, ransomware targets still reported very large number of attacks compared to levels in 2018, 2019 and 2020.
ComputerWeekly, SonicWall News: At the time of writing, no data had yet been published, and SonicWall EMEA vice-president Spencer Starkey urged victims to hold the line in the face of the gang’s threats and grandstanding.
As the clock ticks closer, businesses impacted by the MOVEit hack may be tempted to pay off the hackers and move on. While this appears as the fastest way to resolve this, in fact, it actually feeds the monster, encouraging more attacks, said Starkey. On the other hand, not paying might lead to potential data loss and the cost of restoring systems, but it also helps starve these criminal operations and may discourage future attacks. At this stage, the key is customer and employee communication. The companies impacted must always strive to keep those channels flowing both ways, to reassure those who may be affected that they are doing everything possible to recover from and resolve the incident.
Health Tech, SonicWall News: Healthcare was the second most targeted industry for malware last year, according to SonicWall’s 2023 Cyber Threat Report. Internet of Things (IoT) malware attacks in healthcare increased 33 percent.
Verdict, SonicWall News: Immanuel Chavoya from SonicWall told Verdict the recent data breach happened due to an exposed “Amazon S3 bucket”.
Chavoya explains that they are able to be “accessed, altered, or even deleted by anyone who knows where to look and that breaks the core tenants of confidentiality integrity, and availability. However, sometimes, in the process of configuring a bucket, someone might unintentionally set the permissions to allow public access,” Chavoya said.
“For example, they might be trying to make it easier for a team to share files, or they might not realize the implications of making a bucket public,” Chavoya explained. “Unfortunately if sensitive data is stored in the bucket – which it was in this case, this can lead to a data breach. Therefore, it’s crucial to properly configure S3 bucket permissions and regularly review them to ensure they are still appropriately configured.”
eSecurity Planet, SonicWall News: There are the potential data privacy concerns arising due to the collection and storage of sensitive data by these models,” said Peter Burke, who is the Chief Product Officer at SonicWall. Those concerns have caused companies like JPMorgan, Citi, Wells Fargo and Samsung to ban or limit the use of LLMs. There are also some major technical challenges limiting LLM use.
“Another factor to consider is the requirement for robust network connectivity, which might pose a challenge for remote or mobile devices,” said Burke. “Besides, there may be compatibility issues with legacy systems that need to be addressed. Additionally, these technologies may require ongoing maintenance to ensure optimal performance and protection against emerging threats.”
CIO Influence, SonicWall News: According to Glair, a company will never be able to train every person to spot every threat. That comes down to the sheer volume of novel threats being created. In fact, in the first half of 2022, SonicWall detected 270,228 never-before-seen malware variants. That’s an average of 1,500 new variants per day.
Security Boulevard, SonicWall News: Immanuel Chavoya, SonicWall’s emerging threat expert, noted that the accord ushered in a new approach to cybersecurity that is based on cooperation and information sharing. “The introduction of a U.S./South Korea ‘Strategic Cybersecurity Cooperation Framework’ fundamentally alters the global cybersecurity landscape. It exemplifies a shift from siloed defenses to collective global security, fortifying the digital ecosystem against threats by pooling resources, intelligence and expertise,” Chavoya said. “This sends a message to nation-state actors like DPRK: The world’s cyberdefenders are uniting against threat actors who leverage our digital interconnectedness to disrupt our daily lives, making every digital interaction a new front line in this asymmetric war. As we often say, the best offense is a good defense—and in this case, it’s a defense extending traditional alliances across continents and cyberspace alike.”
CRN, SonicWall News: In many cases, these “extortion-only” attacks are a more lucrative and easier alternative to the process of encryption and negotiation that’s involved in a typical ransomware attack, CrowdStrike’s threat intelligence head told CRN recently. SonicWall, meanwhile, cited extortion-only groups including Lapsus$ and Karakurt as further evidence of the trend.
The Record, SonicWall News: Despite falling digital asset prices, cryptojacking reached record levels in 2022, according to research from cybersecurity firm SonicWall.
Rouble Malik Sheds Light On The Rising Threat Of Cybersecurity Attacks On Smes And Advocates Stronger Protective Measures
TechBullion, SonicWall News: The 2022 Cybersecurity Threat Report by SonicWall indicates a 62% increase in global ransomware attacks, demonstrating the evolving sophistication and prevalence of malware-based threats.
Ransomware Gang Attacks Largest Port in Japan, Targets NUTS
Operations at the largest and most busy port in Japan have been disrupted following a ransomware attack. The Port of Nagoya, which accounts for approximately 10% of Japan’s total trade volume, handles 165 million tons of cargo every year. The automaker Toyota also uses the port to export almost all of its vehicles. The attack has disrupted multiple operations at the port, and the Port of Nagoya’s administrative authority released a notice about issues with the Nagoya Port Unified Terminal System (NUTS). The port authority is working tirelessly to fix the system and plans to resume normal functions this week. Until the system is fixed, all loading and unloading operations at terminals using trailers have been canceled. While no ransomware gang has publicly taken credit for the attack, it’s speculated that the attack was committed by the notorious LockBit ransomware gang.
TeamsPhisher Tool Lets Threat Actors Auto-Deliver Malware to Microsoft Teams Users
Threat actors and pen testers alike can obtain a new tool on GitHub that exploits a recently discovered Microsoft Teams vulnerability. The tool is called “TeamsPhisher” and can be abused in organizations where communication is allowed between internal and external Teams users. This means cyber criminals can simply send malware directly through a Teams message rather than jump through the hoops of social engineering or phishing scams. The tool was developed by Alex Reid, who is a member of the U.S. Navy’s Red Team. Reid used multiple techniques to develop the tool including one discovered by researchers at JUMPSEC Labs. Reid said that the tool works by first enumerating a target and then ensuring they can receive external messages. Once verified, the tool opens a new message thread with the user and sends a message that does not trigger the typical “Someone outside your organization messaged you” warning. The message can include malware or other dangerous files, and, since Teams doesn’t warn the users, it makes it more likely for unsuspecting users to open messages and download the files. The researchers at JUMPSEC have urged organizations using Teams to review whether they need to allow communications between internal and external users.
MOVEit Breach Continues to Claim More Victims
More organizations have been impacted by the MOVEit file transfer tool mass attacks with energy giant Shell and First Merchants Bank confirming that the attackers obtained sensitive data from them. According to a threat analyst at Emsisoft, the attacks have now affected more than 200 organizations and 17.5 million people. Shell did not say exactly what type of data the hackers had stolen from them, but the company did say some of it was personal information relating to employees. The attacks were orchestrated by the Russian hacking group known as Cl0p. The gang claimed that it had published Shell’s data on its website, but the links to the stolen data appear to be broken at this time according to TechCrunch. First Merchants Bank on the other hand said that Cl0p accessed customers’ addresses, Social Security Numbers, online banking usernames, payee information, and even account and routing numbers. The true extent of the MOVEit attacks won’t be known for quite some time. As of now, more and more victims are being revealed week by week.
OPERA1ER Leader Arrested by Interpol
Interpol has announced that an international operation codenamed ‘Nervone’ has resulted in the arrest of a high-ranking member of the hacking group called ‘OPERA1ER.’ The agency stated that the French-speaking gang has stolen anywhere from $11 million to $30 million in more than 30 attacks across multiple continents. The criminal organization has also gone by the names ‘Common Raven,’ ‘DESKTOP-GROUP’ and ‘NX$M$.’ According to Hacker News, the group’s attack chains typically involve spear-phishing lures that create a domino effect leading to tools like Cobalt Strike and Metasploit being deployed in order to steal sensitive data. Operation Nervone involved heavy cooperation between Interpol, AFRIPOL, Group-IB and Côte d’Ivoire’s Direction de l’Information et des Traces Technologiques. The CEO of Group-IB stated that they’ve been tracking OPERA1ER’s activities since 2019. This arrest will hopefully slow down the gang’s operations if not halt them entirely.
Monthly Firewall Services Option for Simplicity and Scalability – Sorosh Faqiri
Monitoring and Controlling Internet Usage with Productivity Reports – Ashutosh Maheshwari
SonicWall NSM 2.3.5 Brings Enhanced Alerting Capabilities – Suriti Singh
Is Red/Blue Teaming Right for Your Network? – Stephan Kaiser
The RSA Report: Boots on the Ground – Amber Wolff
The RSA Report – New Tactics, New Technologies – Amber Wolff
The RSA Report: The Road to RSA – Amber Wolff