The attack highlights growing interest among threat actors to target data from software-as-a-service providers.

The 0mega ransomware group has successfully pulled off an extortion attack against a company's SharePoint Online environment without needing to use a compromised endpoint, which is how these attacks usually unfold. Instead, the threat group appears to have used a weakly secured administrator account to infiltrate the unnamed company's environment, elevate permissions, and eventually exfiltrate sensitive data from the victim's SharePoint libraries. The data was used to extort the victim to pay a ransom.

**Likely First of its Kind Attack**

The attack merits attention because most enterprise efforts to address the ransomware threat tend to focus on endpoint protection mechanisms, says Glenn Chisholm, cofounder and CPO at Obsidian, the security firm that discovered the attack.

"Companies have been trying to prevent or mitigate ransomware-group attacks entirely through endpoint security investments," Chisholm says. "This attack shows that endpoint security isn't enough, as many companies are now storing and accessing data in SaaS applications."

The attack that Obsidian observed began with an 0mega group actor obtaining a poorly secured service account credential belonging to one of the victim organization's Microsoft Global administrators. Not only was the breached account accessible from the public Internet, it also did not have multi-factor authentication (MFA) enabled — something that most security experts agree is a basic security necessity, especially for privileged accounts.

The threat actor used the compromised account to create an Active Directory user — somewhat brazenly — called "0mega" and then proceeded to grant the new account all the permissions needed to create havoc in the environment. These included permissions to be a Global Admin, SharePoint Admin, Exchange Admin, and Teams Administrator. For additional good measure, the threat actor used the compromised admin credential to grant the 0mega account with so-called site collection administrator capabilities within the organization's SharePoint Online environment and to remove all other existing administrators.

In SharePoint-speak, a site collection is a group of websites within a Web application that share administrative settings and have the same owner. Site collections tend to be more common in large organizations with multiple business functions and departments, or among organizations with very large data sets.

In the attack that Obsidian analyzed, 0mega threat actors used the compromised admin credential to remove some 200 administrator accounts within a two-hour period.

Armed with the self-assigned privileges, the threat actor then helped themselves to hundreds of files from the organization's SharePoint Online libraries and sent them off to a virtual private server (VPS) host associated with a Web hosting company in Russia. To facilitate the exfiltration, the threat actor used a publicly available Node.js module called "sppull" that, among other things, allows developers to interact with SharePoint resources using HTTP requests. As its maintainers describe the module, sppull is a "simple client to pull and download files from SharePoint."

Once the exfiltration was complete, the attackers used another node.js module called "got" to upload thousands of text files to the victim's SharePoint environment that basically informed the organization of what had just happened.

**No Endpoint Compromise**

Usually, in attacks targeting SaaS applications, ransomware groups compromise an endpoint and then encrypt or exfiltrate files, leveraging lateral movement as necessary, Chisholm says. "In this case, the attackers used compromised credentials to log into SharePoint Online granted administrative privileges to a newly created account, and then automated data exfiltration from that new account using scripts on a rented host provided by VDSinra.ru." The threat actor executed the whole attack without compromising an endpoint or using a ransomware executable. "To the best of our knowledge, this is the first publicly recorded instance of automated SaaS ransomware extortion occurring," he says.

Chisholm says Obsidian has observed more attacks targeting enterprise SaaS environments in the last six months than in the previous two years combined. Much of the growing attacker interest stems from the fact that organizations are increasingly putting regulated, confidential, and other sensitive information into SaaS applications without implementing the same kind of controls as they are on endpoint technologies, he says. "This is just the latest threat technique we're seeing from bad actors," he says. "Organizations need to be prepared and ensure they have the right proactive risk management tools in place across their entire SaaS environment."

Others have reported observing a similar trend. According to AppOmni there has been a 300% uptick in SaaS attacks just since March 1, 2023 on Salesforce Community Sites and other SaaS applications. The primary attack vectors have included excessive guest user permissions, excessive object and field permissions, lack of MFA, and overprivileged access to sensitive data. A study that Odaseva conducted last year had 48% of respondents saying their organization had experienced a ransomware attack over the preceding 12 months and SaaS data was the target in more than half (51%) of the attacks.

Researchers Report First Instance of Automated SaaS Ransomware Extortion

Sophisticated attackers are lacing malware into PNG image files in order to steal cryptocurrency and business information.

A sophisticated attack by Russian-language actors is using a novel loader and malware-laced PNG image file to drop malware for stealing cryptocurrency or business account information, researchers said. The multistage campaign appears to be primarily targeting entities in Europe, the United States, and Latin America, Kaspersky researchers wrote in a blog post published June 12.

The attack begins with "DoubleFinger," a multistage loader that drops a image file containing malicious code onto a victim's computer. The malware infects victims with "GreetingGhoul," a novel stealer specially designed to siphon off cryptocurrency credentials.

However, DoubleFinger isn't exclusive to cryptocurrency attacks, the Kaspersky researchers said, as researchers also observed it dropping Remcos RAT, a popular tool among financially motivated cybercriminals. Once the Remcos RAT gets into an enterprise network, stopping the malware and its follow-on attacks can be difficult for businesses.

Russian-speaking artifacts within the code suggest that the perpetrators of this campaign come from a Commonwealth of Independent States nation, though the researchers qualified that "the pieces of Russian text and the victimology are not enough to conclude that the ones behind this campaign are indeed from the post-Soviet space."

**Stenography for Cryptocurrency**

DoubleFinger attacks begin with a phishing email. If the victim clicks on the associated malicious program information file (.pif). This triggers a chain reaction leading to some malicious shellcode downloading a PNG image from imgur.com. The seemingly nondescript image utilizes steganography — hiding secret information within nonsecret data. The shellcode searches the PNG for a particular string in its code, 0xea79a5c6, which contains an encrypted payload.

_The PNG with embedded shellcode. Source: Kaspersky_

At the end of this attack chain, more often than not, is GreetingGhoul, an infostealer with two primary functions: It can detect victims' cryptocurrency wallet apps and steal the sensitive credentials associated with them. GreenGhoul uses MS WebView2 — a tool for embedding web code into desktop apps — to overlay phishing pages on top of legitimate crypto-wallet interfaces. It's a move that evokes banking Trojans of old, as users unwittingly type their sensitive wallet credentials into attacker-controlled fields.

The image below, for example, depicts an overlay mimicking Ledger, the world's most popular vendor for cryptocurrency hardware wallets. It prompts victims to enter their wallet's seed phrase — the ultrasensitive set of 12 or 24 words which generates their private key, and grants unfettered access to all contents of the wallet. This is why cryptocurrency investors are regularly reminded to never give up their seed phrases to access their wallets to anyone.

_Source: Kaspersky_

New Loader Delivering Spyware via Image Steals Cryptocurrency Info

Okta platform data-based study finds FastPass and WebAuthn offer far stronger security and faster, more reliable user experiences.

**SAN FRANCISCO, June 12, 2023 –** Okta, Inc. (NASDAQ: OKTA), the leading independent identity partner, today announced the release of its international Secure Sign-In Trends Report. The report, which analyzes billions of monthly workforce customer logins to Okta Workforce Identity Cloud across more than 16 industries around the world, reveals that the use of multi-factor authentication (MFA) has nearly doubled since 2020 and that phishing-resistant authenticators represent the best choice in terms of security and convenience for users.

“Okta is advancing our customers’ zero trust security strategies by helping them adopt innovations like phishing-resistant MFA and passwordless,” said Todd McKinnon, co-founder and CEO of Okta. “By sharing data on our customers’ adoption of these critical technologies, we can drive greater progress with governments, our partners, and our customers.”

The top takeaways include:

*   90% of Okta administrators and 64% of users signed in using MFA during the month of January 2023.
*   Sign-in methods that offer the highest phishing resistance (Okta FastPass and FIDO2 WebAuthn) also prove to offer the fastest, most reliable user experience.
*   The technology industry is best placed to move to a passwordless future, with 87% of account logins already using MFA. Insurance (77%), Professional Services (75%), Construction (74%), and Media & Communications (72%) round out the top five industry adopters. Surprisingly, highly-regulated industries tend to lag behind.
*   MFA adoption by Okta's workforce customers jumped from 35% to 50% in two months between February and March 2020.
*   Organizations with fewer than 300 employees (79%) exceed the MFA use of enterprises with more than 20,000 employees (54%).

MFA adds an extra layer of security on top of credentials like passwords, which are highly susceptible to abuse. More than 80 percent of Business Web Application Attacks and nearly half of all business email compromise attacks result from stolen username and passwords. MFA provides greater certainty that a user is who they claim to be before granting access to an application or online account. MFA verifies identities by asking users to provide different types of information or factors to gain access to an account or application. However, an increase in sophisticated MFA bypass attacks is prompting organizations to evaluate the need for phishing-resistant authentication flows.

According to the report, the use of phishing-resistant authentication such as Okta FastPass or FIDO2 WebAuthn offers the optimal mix of security and user experience. While it's frequently assumed that technology decision-makers must “trade off” security for user experience, Okta's research finds that on average, signing in with passwordless, phishing-resistant authenticators saves time and is less prone to failure when compared to using passwords.

**About the Okta Secure Sign-In Report**

The Secure Sign-In Trends Report was built from data of direct MFA authentication events in the Okta Workforce Identity Cloud (WIC). Analysts anonymized and aggregated data from billions of monthly authentications and veriﬁcations across countries worldwide. Okta enterprise customers and their employees, contractors, partners, and customers use Okta to securely log in to devices, websites, apps, and services and to leverage security features to protect their data. They span every major industry and vary in size, from small businesses to some of the world's largest organizations, with hundreds of thousands of employees and millions of customers. The full report can be found at: https://okta.com/the-secure-sign-in-trends-report.

**Okta**

The foundation for secure connections between people and technology

Okta is the World’s Identity Company. As the leading independent Identity partner, we free everyone to safely use any technology—anywhere, on any device or app. The most trusted brands trust Okta to enable secure access, authentication, and automation. With flexibility and neutrality at the core of our Okta Workforce Identity and Customer Identity Clouds, business leaders and developers can focus on innovation and accelerate digital transformation, thanks to customizable solutions and more than 7,000 pre-built integrations. We’re building a world where Identity belongs to you. Learn more at **okta.com**.

Use of Multifactor Authentication (MFA) Nearly Doubles Since 2020, Okta Secure Sign-in Trends Report Finds

The group appears to be targeting victims based on their proximity and involvement to and within pro-Ukraine organizations.

The threat actor known as RomCom has returned to the scene, targeting Ukrainian politicians and a healthcare organization in the United States involved with aiding refugees fleeing the war-torn country.

The deployment of this attack is through a trojanized version of Devolutions Remote Desktop Manager, which victims were likely encouraged to download after being directed to a cloned website through phishing tactics.

The threat group used a form of typosquatting to create a striking resemblance to the authentic site, according to the report from the BlackBerry Threat Research and Intelligence team.

By creating fake websites that closely resemble the legitimate software sites, RomCom can distribute malicious payloads to unsuspecting victims who download and install the compromised software, thinking it's legitimate.

The trojanized installer begins installing malware after the user is prompted to select the destination path where they’d like the files to be installed. It then begins systematically collecting essential host and user metadata from the infected system, which is subsequently transmitted to its command-and-control (C2) server.

**A Cyberattack With Geopolitical Motivations**

The campaign strongly suggests that the motivation of this threat actor is not money, but rather a geopolitical agenda that is guiding its attack strategy and targeting methods.

Recon on what software targets use in order to deliver fake update notifications was part of the process, according to Dmitry Bestuzhev, senior director, CTI, BlackBerry. "In other words, the threat actor behind RomCom RAT relies on previous information about each victim, such as what software they use, how they use it, and the social or political programs they're working on."

The endgame is the exfiltration of sensitive information. "We saw RomCom targeting military secrets, such as unit locations, defensive and offensive plans, arms, \[and\] military training programs," Bestuzhev notes.

He says with the US-based healthcare providing aid to the refugees from Ukraine, the targeted information included how that program works to determine who the refugees are — that includes the refugees' personal information, which can be used for further attacks.

**A RomCom You Haven't Seen Before**

Previous RomCom campaigns against the Ukraine military used fake Advanced IP Scanner software to deliver malware, and the group has also targeted English-speaking countries — especially the UK — with trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro.

Callie Guenther, cyber threat research senior manager at Critical Start, explains that in the most recent campaigns, along with using different software, RomCom also adapted its C2 infrastructure to blend in with legitimate network traffic.

"This could involve using communication protocols commonly associated with political campaigns or healthcare organizations, making it more challenging to detect their malicious activities," she says.

She adds that social media was an important part of the recent campaigns. "RomCom may employ phishing emails, spear-phishing, or other social engineering techniques tailored to the targeted individuals or organizations," she explains.

For politicians, they could craft email messages impersonating political colleagues or officials, and in the case of the healthcare company, they might send emails posing as healthcare regulatory authorities or vendors of medical equipment or software.

Guenther says RomCom's active development of new capabilities and techniques indicates a notable level of sophistication and adaptability.

"This suggests that their target selection may evolve as they refine their tactics and seek new opportunities for compromise," she says.

**How to Defend Against the RomCom APT**

Mike Parkin, senior technical engineer at Vulcan Cyber, says the standard defense tactics apply here as they do with any attacker, regardless of whether they are cybercriminal or state sponsored.

"Keep patches up to date. Deploy following industry best practices and vendor 'secure installation' recommendations," he says. "Make sure users are trained and cultivate a secure culture which makes them part of the solution rather than the most vulnerable part of the attack surface."

Bestuzhev says the threat actor behind RomCom relies on social engineering and trust. So, employee training on how to spot spear phishing is also important.

"Secondly, it's important to rely on a good cyber threat intelligence program providing contextual, anticipative, and actionable threat intelligence, such as behavior rules to detect RomCom's ops in the systems, network traffic, and files," he says. "With this context about RomCom, there is room for building an effective threat modeling based on the tactics, techniques, and procedures (TTP), and geopolitical developments."

RomCom Threat Actor Targets Ukrainian Politicians, US Healthcare

Time and money are valuable and finite, but some actions are well worth spending those resources on.

Most of us have benefited from the mistakes of others. While this may sound like an odd statement, it makes a lot of sense when you think about it. For those of us who have been fortunate enough to have others share their missteps with us and are smart enough to internalize and apply those lessons to our lives, we learn not to repeat their mistakes.

For example, most of us know not to buy a car or a home without having it inspected first. Obviously, this inspection takes time and costs money. But we know that skipping this important step could take much more time and cost much more money down the line. Likely, we know this because we've heard nightmare stories from people who thought they would save a little time and money by skipping this step.

If you have been reading my pieces for some time, it will come as no surprise that I believe that we can learn an important security lesson from this. How so? A number of security processes, procedures, best practices, and initiatives require a significant investment in time and money. Yet skipping them is a big mistake for security teams.

While not an exhaustive list, here are 10 items that require an investment in time and money yet pay huge dividends for security teams.

**1\. Formalizing Policy**

Policy isn't sexy or exciting, and it takes time to get right, but it is necessary. Having a formal policy codifies the rules of the game within an enterprise when it comes to security. Policy is an important basis for nearly everything that a security organization does. After all, the security team needs to have good answers when asked questions like, "Where does it say that is not allowed?" or, "Why can't I continue doing things the way I've always done them?"

**2\. Understanding Regulations**

Regulations and compliance with those regulations is cumbersome. Nonetheless, there is little choice but to excel at it — the risk of fines and other complications is simply too high not to make understanding regulations a priority. This applies globally to all the applicable regulations in all the locales that a business operates in. Not the easiest task to stay on top of, but an important one.

**3\. Staying the Course**

While it is difficult to stay on track and implement strategic initiatives despite tactical distractions that might arise, it is essential for a successful security program. Our strategic initiatives, if designed properly, ensure that we mitigate risk that has been prioritized and stay on track to meet our objectives and improve the state of security. As tempting as tactical distractions might be, they most often interfere with our strategic risk mitigation efforts — thus, in essence, lowering the security posture of the enterprise. Staying the course requires energy and determination, but it is important.

**4\. Nurturing Relationships**

As security leaders, our relationships with key stakeholders in the business, executives, board members, and others are extremely important. Building and nurturing these relationships takes time — time that we might otherwise want to spend on other tasks. Nonetheless, these are important relationships that merit the time investment. These are the partners who will help us improve the state of security within our organizations.

**5\. Architecting for the Future**

It is not easy to account for different possibilities that may arise in the future. Nonetheless, it is worth the time and energy. Consider a database schema — if we architect it only for the data we have available today, we may find ourselves in a conundrum in the future when we want to incorporate additional data into our workflow and processes. Then we would need to re-engineer or scrap solutions that were not architected for the future, which takes more time in the long run than getting it right in the first place does.

**6\. Resisting the Quick Fix**

When dealing with a challenge, it can be all too enticing to put a quick fix in place. For example, it might be tempting to write a quick script to move data around, rather than leveraging a formal extract, transform, and load (ETL) process. However, the odds that a repeatable solution can be reused are high, whereas Band-Aid solutions generally need to be rewritten everywhere they are applied. Maintaining band-aid solutions often becomes a major headache for organizations as well.

**7\. Implementing Useful Training**

Properly training staff requires a training budget and time away from other important tasks. It is well worth the investment for several reasons. Security professionals who are continually expanding and enhancing their knowledge and skill sets are less likely to leave for greener pastures. Well-trained staff also perform better. This directly influences the effectiveness of the security organization, which in turn directly influences the security posture of the enterprise.

**8\. Creating Proper Documentation**

I don't think I've ever met a security professional who loves documentation. It is certainly time consuming, and it can be tedious. Nonetheless, when it comes time to understand how to do something, documentation is the natural go-to. Further, having well-documented processes and procedures also provides a means to show stakeholders within the business exactly how certain things work under the hood.

**9\. Capturing Lessons Learned**

Documenting lessons learned in a way that they can be leveraged in the future takes effort. It is an effort that pays dividends, however, as only by learning from the past can security organizations really improve over time. As an example, consider a high-profile security incident that exposed some gaps and opportunities for improvement in the security program. Rather than covering these up, it pays huge dividends to painstakingly go through and capture each relevant point. Taking some time to log lessons in detail as they occur pays off later.

**10\. Applying Lessons Learned**

It may be difficult to comb through lessons learned and figure out how to apply them to improving the state of security. This is worth the time and money, however, as it is a way to directly mitigate risk. Mistakes that were made and lessons that were learned from them provide a view into where risk was improperly managed in the past. This is one of the biggest targets for improvement that has one of the greatest impacts on the overall security posture.

**Invest Your Time Wisely**

Although it is tempting to skip important things to save time or money, it isn't wise. The best security organizations understand the need to invest in important processes, procedures, best practices, and initiatives. History has shown that such investment goes a long way toward greatly improving the overall security posture of an enterprise.

10 Important Security Tasks You Shouldn't Skip

Surveillance malware targets Libyan government entities, with possible links to a 2019 Egypt attack campaign.

A wave of advanced persistent threat (APT) attacks aimed at Libyans has been detected, using malware that conducts surveillance functions.

Spotted by Check Point Research, the Stealth Soldier malware primarily conducts surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information. This malware also adds an undocumented, custom modular backdoor, with the researchers claiming the most recent version was likely to have been delivered in February.

Check Point researchers said the oldest version was compiled last October, and believe the command-and-control (C2) network is part of a larger set of infrastructure, used for spear-phishing campaigns against government entities.

There are indications that the malware C2 servers are related to a larger set of domains, the company noted, and these servers are likely used for phishing campaigns. Some of the domains also masquerade as sites belonging to the Libyan Foreign Affairs Ministry.

Sergey Shykevich, threat intelligence group manager at Check Point, says the delivery mechanism of the downloader is currently unknown, but phishing messages were the most likely tactic being used. Looking at the infrastructure, he says that the researchers “saw emphasis on targeting the Libyan government.”

**Links to the Past?**

The Stealth Soldier infrastructure has some overlaps with infrastructure used in the "Eye on the Nile" campaign, which operated against Egyptian targets in 2019. Researchers believe this is the first possible reappearance of this threat actor since then. Shykevich confirms there has been no detection of attacks on Egyptian users using the Stealth Soldier malware.

However, version 8 of the C2 in the Stealth Solder malware was also resolved by multiple Eye on the Nile domains, according to Check Point researchers, while several infrastructure overlaps with known Eye on the Nile domains were also spotted.

Asked if he believes that the Eye on the Nile and Stealth Soldier malware types are being used by the same attackers or if it's just the same potentially rented C2s and malware used, Shykevich says the evidence only "gives us medium confidence of the link between the current campaign to Eye on the Nile: Based just on the overlaps we saw, it is difficult to claim with 100% confidence that it is the same group, but there is a good chance it is."

The researchers acknowledged that Libya is not often the focus of APT reports, but the investigation suggests that the attackers behind this campaign are politically motivated and are utilizing the Stealth Soldier malware and the significant network of phishing domains to conduct surveillance and espionage operations against Libyan targets.

"Given the modularity of the malware and the use of multiple stages of infection, it is likely that the attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future," the researchers said in the advisory.

'Stealth Soldier' Attacks Target Libyan Government Entities With Surveillance Malware

According to Microsoft and researchers, the state-sponsored threat actor could very well be setting up a contingency plan for disruptive attacks on the US in the wake of an armed conflict in the South China Sea.

China-sponsored threat actors have managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.

That's according to a breaking investigation from Microsoft, which dubs the advanced persistent threat (APT) "Volt Typhoon." It's a known state-sponsored group that has been observed carrying out cyber espionage activity in the past, by researchers at Microsoft, Mandiant, and elsewhere.

While espionage appears to be the goal for now, there could very well be a more sinister purpose at play. "Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," according to the analysis.

The first signs of compromise emerged in telecom networks in Guam, according to a New York Times report ahead of the findings being released. The National Security Agency discovered those intrusions around the same time that the Chinese spy balloon was making headlines for entering US airspace, according to the report. It then enlisted Microsoft to further investigate, eventually uncovering a widespread web of compromises across multiple sectors, with a particular focus on air, communications, maritime, and land transportation targets.

**A Shadow Goal? Laying Groundwork for Disruption**

The discovery of the activity is playing out against the backdrop of the US' frosty relations with Beijing; the two superpowers have stalled in their diplomacy since the shooting down of the balloon, and has worsened amidst fears that Russia's invasion of Ukraine could spur China to do the same in Taiwan.

In the event of a military crisis, a destructive cyberattack on US critical infrastructure could disrupt communications and hamper the country's ability to come to Taiwan's aid, the Times report pointed out. Or, according to John Hultquist, chief analyst at Mandiant Intelligence - Google Cloud, a disruptive attack could be used as a proxy for kinetic action.

"These operations are aggressive and potentially dangerous, but they don't necessarily indicate attacks are looming," he said in an emailed statement. "A far more reliable indicator for \[a\] destructive and disruptive cyberattack is a deteriorating geopolitical situation. A destructive and disruptive cyberattack is not just a wartime scenario either. This capability may be used by states looking for alternatives to armed conflict."

Dubbing such preparations "contingency intrusions," he added that China is certainly not alone in conducting them — although notably, China-backed APTs are typically far more focused on cyber espionage than destruction.

"Over the last decade, Russia has targeted a variety of critical infrastructure sectors in operations that we do not believe were designed for immediate effect," Hultquist noted. "Chinese cyber threat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyberattacks. As a result, their capability is quite opaque."

**An Observed Focus on Stealth & Spying**

To achieve initial access, Volt Typhoon compromises Internet-facing Fortinet FortiGuard devices, a popular target for cyberattackers of all stripes (Microsoft is still examining how they're being breached in this case). Once inside the box, the APT uses the device's privileges to extract credentials from Active Directory account and authenticate to other devices on the network.

Once in, the state-sponsored actor uses the command line and living-off-the-land binaries "to find information on the system, discover additional devices on the network, and exfiltrate data," according to the analysis.

To cover its tracks, Volt Typhoon proxies its network traffic through compromised small office/home office (SOHO) routers and other edge devices from ASUS, Cisco, D-Link, NETGEAR, and Zyxel — that allows it to blend into normal network activity, Microsoft researchers noted.

The post also provides mitigation advice and indicators of compromise, and the NSA has published a tandem advisory on Volt Typhoon (PDF) with details on how to hunt for the threat.

'Volt Typhoon' China-Backed APT Infiltrates US Critical Infrastructure Orgs

The new software-led solution enables organizations to defend against cybersecurity threats in their operational technology (OT) environments.

**ATLANTA, May 23, 2023 –** Honeywell (**Nasdaq: HON**) today announced the release of its operational technology (OT) cybersecurity solution, Honeywell Forge Cybersecurity+| Cyber Insights, to assist customers in improving the availability, reliability and safety of their industrial control systems and operations.

Cyber Insights is designed to integrate information from multiple OT data sources in order to provide a customer with actionable insights into their facility’s cybersecurity vulnerabilities and threats, allowing the customer to manage their compliance strategy, thereby helping reduce their overall cybersecurity risks.

Companies with OT systems face challenges in obtaining the necessary information to reduce the likelihood and impact of cyberattacks and to stay compliant with standards and regulations that may be applicable to them. These challenges are compounded by the shortage of available cybersecurity skills in operational technology, with a cyber security workforce gap of more than 3.4 million people.\[1\]Despite attempts to implement various solutions, success is difficult to achieve due to the complexity of the tools, the overwhelming volume of security data generated, and the lack of solutions specifically designed for OT.

“Organizations should leverage technology to address worker shortages, while at the same time gaining clear visibility into their OT facilities’ cybersecurity posture to help them make faster decisions and reduce cyber risk,” said Michael Ruiz, vice president and general manager, Honeywell OT Cybersecurity Innovation. “Cyber Insights is a tool designed to provide customers with detection and insights so that cybersecurity leaders can better understand and monitor their then current security profile, while also being able to detect and mitigate the latest threats.”

Cyber Insights brings a tailored approach by providing a purpose-built cybersecurity solution for OT environments and users. It is designed to offer a site-level view of a facility’s cybersecurity posture and provide insights into security events, vulnerabilities, active threats and to manage compliance. Cyber Insights is designed to help organizations strengthen their cyber resilience and to respond faster to incidents through access to critical information at the right time.

Cyber Insights is pre-configured for OT use, with already available customization options designed to address certain needs specific to different industrial environments, while being vendor agnostic so that it can be deployed on Honeywell control systems as well as many other systems. It is also deployed, supported and maintained by Honeywell Cyber Care services during the applicable subscription license term, to help customers maintain continuous tuning and optimization as required for any system to run in peak form.

“Honeywell has successfully positioned itself as a ‘one-stop shop’ system integrator and solution provider across different spectrums of operational technology (OT) cybersecurity for over 20 years,” said Avimanyu Basu, senior lead analyst at ISG. “Being vendor-agnostic, Honeywell is well-equipped to work on almost any device and provide the necessary services for assessment and remediation.”

To learn more about Honeywell OT Cybersecurity solutions, visit us at www.becybersecure.com.

**About Honeywell**

Honeywell (www.honeywell.com) delivers industry-specific solutions that include aerospace products and services; control technologies for buildings and industry; and performance materials globally. Our technologies help aircraft, buildings, manufacturing plants, supply chains, and workers become more connected to make our world smarter, safer, and more sustainable.

Honeywell Forge is intelligent operations software that connects assets, people, and processes, enabling operational performance, sustainability, and quality improvement.

For more news and information on Honeywell, please visit www.honeywell.com/newsroom.

_This document may contain statements including future product direction and does not create any binding obligations on us to develop or sell any product, service or offering. Any descriptions of future product direction, intended updates or new or improved features or functions are intended for informational purposes only and are not binding commitments on us and the sale, development, release, locations of availability, or timing of any such products, updates, features or functions is at our sole discretion._

Honeywell Releases Cyber Insights to Better Identify Cybersecurity Threats and Vulnerabilities

**CANTON, Mass.****,** **May 23, 2023** **/PRNewswire/ --** On April 17, 2023, Point32Health, the parent organization of Harvard Pilgrim Health Care ("Harvard Pilgrim") and Tufts Health Plan, identified a cybersecurity ransomware incident on its computer systems and is working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation. 

Unfortunately, the investigation identified signs that data was copied and taken from Harvard Pilgrim systems between March 28, 2023, and April 17, 2023. Harvard Pilgrim is taking this incident extremely seriously and deeply regrets any inconvenience this incident may cause. 

Harvard Pilgrim determined that the files at issue may contain personal information and/or protected health information belonging to current and former subscribers and dependents, and current contracted providers. The investigation revealed that the following information could potentially be in the files at issue: names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information (e.g., medical history, diagnoses, treatment, dates of service, and provider names). At this point, Harvard Pilgrim is not aware of any misuse of personal information and protected health information as a result of this incident, but nonetheless has begun notifying potentially affected individuals to provide them with more information and resources.  

The notice includes information on steps individuals can take to protect themselves against potential fraud or identity theft. Harvard Pilgrim is also offering complimentary identity protection and access to two (2) years of credit monitoring services for potentially affected individuals. Harvard Pilgrim recommends that individuals regularly monitor their credit reports, account statements and benefit statements and promptly report any suspicious or fraudulent activity to the entity with which the account is maintained and the proper law enforcement authorities, including the police and their state attorney general.  

In response to this incident, Harvard Pilgrim is taking steps to implement additional data security enhancements and safeguards to better protect against similar events in the future. Harvard Pilgrim is, and has always been, committed to prioritizing the security of the data entrusted to it.  

Harvard Pilgrim has established a dedicated call center for individuals to contact with questions. The call center can be reached at (888) 220-5517 (toll free), Monday through Friday from 9:00 a.m. to 9:00 p.m. ET, excluding U.S. holidays. Additional information is also posted on Harvard Pilgrim's website at https://www.harvardpilgrim.org/. 

SOURCE Harvard Pilgrim Health Care

Harvard Pilgrim Health Care Notifies Individuals of Privacy Incident

DryRun security seeks to bridge the gap between developers and security professionals by automating security analysis in code reviews before deployment.

**Austin Texas, May 23, 2023 –** DryRun Security emerged from stealth with the mission to fix the disconnect between security and developers, with the premise being that all developers fundamentally care about security. The company, founded by technology veterans James Wickett and Ken Johnson, is creating a new security analysis tool  to find potential bugs sooner than any other security solution on the market while being better aligned to how developers actually work. 

Co-founders James Wickett and Ken Johnson created DryRun Security after observing that in the past 20 years software security has become misaligned with the way developers build.  The arc of the industry has created silos where legacy security solutions have  been geared towards security professionals rather than those who write the software.   

This leads to three significant gaps.  The first is testing for security issues after it’s been deployed leads to wasted developer and security team cycles when problems are discovered. The second is many of the bugs being identified are not even relevant,  resulting in false-positives. Finally, the third is application security teams lack an accurate picture of which code reviews require their expertise. This is further exacerbated by the sheer velocity and number of daily and weekly code updates. All of these problems lead to inaccurate, delayed, and often incorrectly prioritized security testing and ultimately , an overall less-secure codebase.   

DryRun Security fixes the disconnect between security and developers by performing Contextual Security Analysis which runs where developers work. As a developer writes code, they dry-run security testing and analysis  and get results back in near real time, which is where the name “DryRun” comes from.  This type of testing builds the security context of the code and provides feedback to developers whenever they make changes or write new code.

“The disconnect between engineers and security testers is due to a lack of security context making it back to developers” said James Wickett, CEO and Co-Founder of DryRun Security, “DryRun Security was created to address this fundamental disconnect under the assumption that developers truly care about the security of the products they are building. With that assumption, we believe that security should be an integral part of the software development process.  That’s why it’s our mission to provide engineers with a tool that makes it easy to identify and fix potential security bugs while the developer is working on that section of code.”

“At DryRun Security, we understand that once a developer can see the security context of their changes, they can make better decisions and create more secure applications. This is different from  the way that testing has been happening over the past two decades which has made fixing bugs inefficient, driving up costs and creating unnecessary hurdles for developers and security professionals.” Said Ken Johnson, Co-Founder and CTO of DryRun Security. “I experienced these headaches firsthand, which is why I started DryRun Security with James. Our belief is that the solution we provide will give developers the ability to integrate contextual security analysis into their development workflow and fix issues before they become bigger problems.”

DryRun Security is currently running a private beta for their product, and they are accepting signups to the list. Please visit https://dryrun.security to signup and join the early access list. 

**About DryRun Security**

DryRun Security is a software security company that provides automated security reviews for developers as they write code. Founded by James Wickett and Ken Johnson, the company takes a unique approach using Contextual Security Analysis, which is a proprietary approach they’ve developed by training over 10,000 developers on security testing and code reviews. Using this approach, developers and security teams are able to bridge the gaps of mainstream security testing approaches and fix potential bugs before deployment. For more information, please visit https://dryrun.security.

Source

DARKReading