Risk quantification research finds healthcare, manufacturing, and utilities suffer long-term financial impact from major cyberattacks.

**ARLINGTON, Va. – April 18, 2023 –** **ThreatConnect, Inc**, maker of leading threat intelligence operations (TI Ops) and risk quantification solutions, announced today the release of the company's first risk quantification report, which assessed the financial impact of ransomware attacks on small ($500M), medium ($1.5B) and large ($15B) organizations within healthcare, manufacturing, and utilities. 

"With the National Cyber Strategy coming out of the White House focusing on decreasing cyber risk from critical infrastructure and the new SEC Cyber Proposals, organizations across industries are now being tasked with reporting on cyber risk," said Jerry Caponera, GM of Risk Quantification, ThreatConnect. "Organizations are finally waking up to the fact that the impact of ransomware and other cyber attacks is more than just a moment in time. The financial implications are far-reaching and create barriers for companies to continue operations after these attacks."

In this new report, ThreatConnect examined thousands of companies in the healthcare, manufacturing, and utility industries.  Analyzing tens of thousands of losses from around the world, ThreatConnect estimated median hits to operating incomes. Cyber losses can impact a current fiscal year but can also linger and impact current and future fiscal years as costs, including legal fees, settlements, and brand damage, can take time to materialize. 

The staggering results point to the need to continuously quantify cyber risk and prioritize investments in monetary terms. Potential losses due to cyber attacks shift on a regular basis based on changes in attack surface, investments in security defenses, and an evolving business landscape. Because of these changes, it’s important to measure enterprise risk on a continuous basis.

**Healthcare:** 

Healthcare organizations are under constant threat of attack as ransomware groups target the industry in an effort to reap quick financial gain. Due to public backlash, some ransomware threat groups stated that they would avoid conducting similar attacks in the future on hospitals and healthcare facilities that put patients’ lives in jeopardy. Despite these claims, healthcare facilities are still highly targeted by ransomware groups, stopping operations and putting patient lives in danger.  As one of the most highly regulated industries, healthcare is still behind the curve when it comes to having a solid cybersecurity posture. 

**Manufacturing:**

According to a recent IBM report, manufacturing was the most targeted sector for ransomware cyber-attacks and the most extorted industry in 2022. Ensuring that systems and processes are running optimally is critical to the success of manufacturing companies, the economic success of nations, and consumers who depend on the goods produced for everyday life. Ransomware attacks on manufacturing companies tend to cause operational disruptions, which can cascade through supply chains and into the broader economy. 

**Utilities:**

Hackers are increasingly exploiting utility companies that provide the energy needed to power our economies and enable most of what we use daily.  Ransomware attacks, such as that on Colonial Pipeline in the US and Volue ASA in Norway, show an increasing trend where hackers target the smaller and medium-sized utility companies they perceive as easier targets. President Biden’s National Cyber Strategy will increase regulation on utility companies in an attempt to mitigate the increasing threat of a catastrophic cyber attack.

Read the full report at:  

**About ThreatConnect**

ThreatConnect enables security operations and threat intelligence teams to work together for more efficient, effective, and collaborative cyber defense and protection. With ThreatConnect, organizations infuse threat intelligence and cyber risk quantification into their work, allowing them to orchestrate and automate processes to respond faster and more confidently than ever before. More than 200 enterprises and thousands of security operations professionals rely on ThreatConnect every day to protect their most critical systems. Learn more at

Cyberattacks Can Cost Enterprises Up to 30% of Operating Income According to ThreatConnect

1Password research reveals consumers are fed up with passwords; education, access, and validation will drive passwordless adoption.

**TORONTO****,** **April** **18,** **2023** **/PRNewswire/** **—** 1Password, the leader in human-centric security and privacy, today released its _Preparing for a Passwordless Future_ report. The report revealed a strong consumer appetite for easier-to-use login experiences. Despite relatively low awareness of passwordless technology—which aims to relegate passwords to a thing of the past—65% of consumers report they'd be open to using new technology that makes their lives simpler. Passkeys, the newest and most secure passwordless technology, are poised to do just that, transforming our online lives by making logging in simpler to navigate and far more secure.

"Convenience shouldn't come at the expense of security," said Jeff Shiner, CEO of 1Password. "Technology should make our lives easier, but logging into the apps and services we use daily has become extremely complicated. It's time to push for solutions that provide great user experience without sacrificing security. People are already interested in passwordless technology; ongoing education on how passkeys are good for security, revenue, and usability will unlock a new, safer, and more enjoyable passwordless era."

**Fed Up with Passwords**  
Four in five consumers (80%) say they care about their online privacy and actively take measures to protect it. It's clear that they also believe we can do better than passwords for both security and ease.

*   **Safety first:** 77% of consumers would love a more secure way to log in to accounts.
*   **Login exhaustion:** 70% say having to remember or reset their passwords is a regular annoyance.

**Beleaguered by Breaches**  
Bad password hygiene is responsible for the countless security breaches. In fact, 82% of breaches **involve a human element** — including phishing attacks, stolen credentials, and errors. However, the transition to passkeys will render these types of attacks obsolete and help reassure the nine in 10 consumers (91%) worried about data breaches.

*   **Pervasive phishing:** Phishing attacks, or fake texts and emails that bait consumers into sharing their credentials with hackers, affect all of us. Everyone (100% of consumers) either received phishing messages or know someone who did in the past year.
*   **Fake friends:** People say they're most susceptible to phishing attacks purporting to come from their bank (43%), a friend (41%), or their spouse (39%). Just 25% say they're likely to fall for a phishing message that looks like it's coming from their boss.

**Passwordless Curious**

Despite just a quarter of consumers (25%) reporting that they've heard the term 'passwordless', they're intrigued by the concept, with 58% signaling interest in signing in without a password.

*   **Preference for passkeys:** When shown an example of passkeys, three in four (75%) indicate they'd consider using them—with nearly one in five (19%) saying they'd start using passkeys as soon as they're available.
*   **Calibrating comfort:** Consumers are at least somewhat open to trying passwordless logins for less risky accounts—rising to 82% for one-time "throwaway" accounts, 81% for workplace accounts, and 77% for retail accounts. Conversely, 58% are at least somewhat open to using passwordless logins for financial accounts.
*   **Biometrics boom:** 87% of those already using biometrics are open to using passkeys, compared to 57% of those not using biometrics.

"Passwordless technology brings great benefits for companies and their customers alike—making it easier to securely access online services while greatly reducing fraud and user frustration," said Andrew Shikiar, executive director and CMO of the FIDO Alliance. "This has been the mission of the FIDO Alliance since day one, with authentication experts from hundreds of companies, including 1Password, collaborating to make this vision a reality with passkey sign-ins."

To see the full report from 1Password, visit our website. For more information on the websites, apps, and services that offer passkeys support, visit https://passkeys.directory.

**About 1Password**

1Password's human-centric security keeps people safe, at work and at home. Our solution is built from the ground up to enable anyone – no matter their level of technical proficiency – to navigate the digital world without fear or friction. The company's award-winning security platform is reshaping the future of authentication, including passwordless. 1Password is trusted by over 100,000 businesses such as IBM, Slack, Snowflake, Shopify, and Under Armour and protects the most sensitive information of millions of individuals and families across the globe. The company's ultimate goal is to help consumers and businesses get more done in less time – with security and privacy as a given. Learn more at 1Password.com.

**Survey Methodology**

1Password conducted this research using an online survey prepared by Method Research and distributed by Dynata among n=2,000 adults ages 18+ in North America (n=1,400 US + n=600 Canada). The sample was equally split between gender groups with a balanced spread across age groups. A spread of geographies and race groups were included. Data was collected from January 25 to 31, 2023.

SOURCE 1Password

Report: Over Half of North American Consumers Are Open to Passwordless

The most common consequences were unplanned expenses, loss of competitive edge, and decreased sales.

**FRISCO, Texas, April 18, 2023** – Netwrix, a cybersecurity vendor that makes data security easy, today announced the release of its annual global 2023 Hybrid Security Trends Report. It reveals that 68% of organizations experienced a known cyberattack within the last 12 months. Nearly 1 in 6 (16%) of those organizations estimated the financial damage to be at least $50,000. What’s more, 40% of the breached organizations incurred unplanned expenses and 10% suffered other serious consequences, such as loss of competitive edge, decreased sales or customer churn.

To mitigate the risk of financial loss from data breach, organizations often opt to purchase cyber insurance. Indeed, the study found that 44% of organizations are insured and 15% plan to purchase a policy within the next 12 months. Nearly 1 in 4 (22%) of the organizations with a policy had to improve their security posture to even be eligible for the policy. 

“While cyber insurance has value, it’s vital to remember that it is no substitute for a strong security posture. After all, while an insurance payout can defray the financial impact of a security incident, no policy can restore an organization’s data, operations or reputation,” says Dirk Schrader, VP of Security Research at Netwrix.

The survey also reveals that on-premises infrastructures suffer more cyberattacks than the cloud. The starkest difference was for ransomware and other malware attacks, which were reported by nearly twice as many respondents for on-premises environments (37%) as for the cloud (19%). 

“On-prem environments are more vulnerable to attacks than software-as-a-service (SaaS) systems because they often have sprawling privileges on the infrastructure level. For example, users might have administrative rights on their computers and service accounts often have elevated rights. Malicious actors can abuse these standing privileges to spread malware quickly across on-premises systems,” says Dmitry Sotnikov, VP of Product Management at Netwrix.

Other survey findings include:

*   81% of organizations now use at least one cloud environment and more than a third (37%) of the remainder plan to adopt cloud technologies within 12 months.
*   Phishing is the most common attack vector: 73% of respondents suffered this type of cyberattack on premises and 58% experienced it in the cloud.
*   Account compromise attacks in the cloud continue to intensify, with 39% of respondents reporting it in 2023 compared to 31% in 2022 and just 16% in 2020.
*   Risk associated with an organization’s own employees was the top data security concern, cited by 58% of respondents.
*   The three main IT priorities for 2023 have remained the same since 2019: data security, network security and cybersecurity training.

“Understaffing of IT teams is the biggest challenge to ensuring data security, cited by half of respondents. Therefore, it is crucial to build a security architecture that reduces the workload for IT and security pros. Automating routine tasks, choosing mature security products that produce fewer false positive alerts, and relying on a select group of trusted vendors that have an extensive portfolio and a unified support team can help mitigate the shortage of security personnel,” says Dmitry Sotnikov.

**About Netwrix** 

Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity, and infrastructure.  

For more information, visit www.netwrix.com.

Netwrix Annual Security Survey: 68% of Organizations Experienced a Cyberattack Within the Last 12 Months

KnowBe4 releases Q1 2023 global phishing report and finds that more IT and online services related email subjects are utilized as a phishing strategy.

**Tampa Bay, FL (April 18, 2023) –** KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced the results of its Q1 2023 top-clicked phishing report. The results include the top email subjects clicked on in phishing tests and reflect the shift to IT and online service notifications such as laptop refresh or account suspension notifications that can affect end users’ daily work. 

Phishing emails continue to be one of the most common methods to effectively perpetuate malicious attacks on organizations around the globe. Cybercriminals are always refining their strategies to stay one step ahead of end users and organizations by changing phishing email subjects to be more believable. They prey on emotions and aim to cause distress or confusion in order to entice someone to click. Phishing tactics are changing with the increasing trend of cybercriminals using email subjects related to IT and online services such as password change requirements, Zoom meeting invitations, security alerts and more. These are effective because they would impact an end users’ daily workday and subsequent tasks to be completed.  

Holiday phishing email subjects were also utilized this quarter with incentives such as a change in schedule, gift card and spa package giveaway used as bait for unsuspecting end users. Tax-related email subjects became more popular as the U.S. prepared for tax season in Q1. 

"Cybercriminals are constantly increasing the damage they cause to organizations by luring unsuspecting employees into clicking on malicious links or downloading fake attachments that seem realistic," said Stu Sjouwerman, CEO, KnowBe4. "Emails that are disguised as coming from an internal source such as the IT department are especially dangerous because they appear to come from a more trusted, familiar place where an employee would not necessarily question it or be as skeptical. Building up an organization’s human firewall by fostering a strong security culture is essential to outsmart bad actors."

To download a copy of the Q1 2023 KnowBe4 Phishing Report infographic, visit here.  

**About KnowBe4**

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 56,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

KnowBe4 Phishing Test Results Reveal IT and Online Services  Emails Drive Dangerous Attack Trend

**ANNAPOLIS, Md.****,** **April 18, 2023** **/PRNewswire/ --** Marlinspike Partners, a venture capital investment firm focusing on disruptive dual-use technology companies advancing national security and commercial interests of the United States, today announced that Charles Carmakal has joined its Advisory Board.

With over 20 years of professional experience in cybersecurity, Charles is a one of the world's pre-eminent cybersecurity experts. He is currently CTO for Mandiant Consulting, where he oversees a team of incidence responders, analysts, and consultants that have helped thousands of organizations respond to complex security breaches orchestrated by foreign governments and organized criminals. Charles led the teams that discovered and responded to some of the most impactful security events, including the SolarWinds supply chain attack and the Colonial Pipeline cyber disruption. Charles provides strategic security guidance to executive leadership and boards of directors, helping Fortune 500 organizations build and enhance security programs to combat advanced cyberattacks.

"I am very excited to be joining Marlinspike's Advisory Board. Cybersecurity is an integral part of our nation's defense strategy. Marlinspike is investing in technologies that provide the United States with a technological edge and national security, and I am excited to contribute to the mission," said Carmakal.

"Cybersecurity challenges continue to be one of the most pressing issues for our nation's public and private sectors. We are very pleased to have world-class expert like Charles join our Advisory Board," said Mislav Tolusic, Managing Partner and CIO of Marlinspike. Neil Keegan, Managing Partner and CEO of Marlinspike, emphasized Carmakal's onboarding as part of a broader strategy to continue growing the Marlinspike Advisory Board with world-class experts.

**About Marlinspike**

Marlinspike is a venture capital investment firm, focusing on investing in disruptive dual-use technology companies advancing national security and commercial interests of the United States.

Marlinspike uses a private equity approach to investing, focusing on adding value and driving growth post-investment. A unique approach, an experienced management team, and dedication to the mission makes Marlinspike a preeminent dual-use technology investment firm.

SOURCE Marlinspike Partners LLC

Marlinspike Adds Charles Carmakal to its Advisory Board

An investigation concludes that NSO Group was hired in 2022 to deploy Pegasus spyware against human rights workers in Mexico and other targets.

Israeli spyware firm NSO Group is back with at least three new iOS 15 and iOS 16 zero-click exploit chains, which were used against human rights activists in Mexico and elsewhere across the world in 2022.

The Citizen Lab, an interdisciplinary research organization in Toronto focused on communications technologies, human rights, and global security, recently released the results of its investigation into NSO Group's recent activities.

The Citizen Lab team reported finding evidence that NSO Group was hired to use the exploit chains (known as PWNYOURHOME, FINDMYPWN, and LATENTIMAGE) to deploy Pegasus spyware against human rights groups in Mexico, including Centro PRODH, which represents families accusing the country's military of abuses.

"Our ensuing investigation led us to conclude that, in 2022, NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world," Citizen Lab's report said.

Apple has since issued a HomeKit security update in iOS.16.3.1, the The Citizen Lab added.

Citizen Lab recommends high-risk users use the iOS 16 feature known as "Lockdown Mode." With Lockdown Mode engaged, targets of PWNYOURHOME exploit chain were provided with real-time alerts.

"Although NSO Group may have later devised a workaround for this real-time warning, we have not seen PWNYOURHOME successfully used against any devices on which Lockdown Mode is enabled," Citizen Lab said.

The revelations come on the heels of Citizen Lab and Microsoft outing another Israel-based spyware organization, dubbed QuaDream, which was offering cyber espionage tools and services to international governments to monitor and spy on private individuals. Shortly after the expose, QuaDream said it was closing up shop.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NSO Group Is Back in Business With 3 New iOS Zero-Click Exploits

The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.

Using Telegram as its command-and-control (C2) mechanism, a new strain of malware, a bot dubbed Zaraza, is capable of extracting login credentials from a victim's open browser and saving them to a file, as well as taking screenshots of open windows to be saved in a JPG file.

First identified by the Uptycs threat research team, the new bot is capable of stealing credentials from 38 Web browsers, including Google Chrome, Microsoft Edge, and Opera, among others. Once it successfully infects a victim's computer, it sends the information to a Telegram server, where it becomes accessible to potential threat actors. It's believed that the Zaraza bot is linked to Russian hackers, evidenced by the use of the name "Zaraza" which means "infection" in Russian, the researchers said in their report outlining the malware.

The type of login credentials that it steals range from bank accounts to email accounts to online wallets, as well as other sensitive and valuable website targets. This information can provide attackers with the opportunity to commit severe crimes such as identity theft and financial fraud, as well as grant access to personal identifiable information (PII) and, especially in the era of remote work, business accounts. This variant of malware and what it allows attackers to do potentially opens the floodgates to financial loss and "reputational damage," according to the analysis.

"To protect yourself against this malware," the Uptycs researchers wrote, "you should update your passwords regularly, follow online security best practices such as using strong passwords and multi-factor authentication, and ensure regular software and security system updates."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Zaraza' Bot Targets Google Chrome to Extract Login Credentials

The infamous Trojan's operators are switching up tactics with the use of simulated business correspondence, which helps instill trust with intended victims, and a stealthier payload.

A recent surge in QBot Trojan attacks has been observed, spreading via malicious emails written in various languages, including English, German, Italian, and French. The emails are crafted using genuine business letters obtained by the attackers and urge the recipient to open an attached PDF file, which contains several layers of obfuscation that make its maliciousness less detectable by security tools.

According to an analysis by Kaspersky this week, the campaign also uses the method of using reply-chain emails to make it more difficult for soon-to-be-victims to flag as malicious. As the name suggests, reply chain is the practice of accessing existing email exchanges from a listserv (or any location) and replying to them, making the interloping messages look legit, less suspicious, and believable.

The campaign represents a change in tactics for the operators of QBot (aka QakBot or Pinkslipbot), who maintain an access-as-a-service offering that other cybercriminals use to deliver a range of second-stage malware to already-compromised targets. Initially discovered in 2007, QBot has undergone numerous modifications and enhancements over the years, resulting in its widespread distribution as one of the most actively propagated malware strains in 2020. 

These latest improvements help boost stealth and legitimacy, according to security researchers. For instance, the emails are crafted to change only minimal parts of the stolen documents; they may contain links or attachments that contain links to malicious sites.

"The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own," the Kaspersky report noted.

**QBot's Many Layers of Obfuscation**

As for attack flow, the PDF file contains a Windows Script File (WSF) that harbors an obfuscated PowerShell script encoded into a Base64 line. Once the PowerShell script is covertly executed on the computer, it utilizes the wget utility to retrieve a DLL file from a remote server, which is used to deliver the QBot malware to the victim's computer. This is an existing tactic: Last year, QBot operators began using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection. 

The group has recently ramped up its operations and improved their offerings, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

"The WSF is obfuscated to evade detection which will download further payloads," explains Timothy Morris, chief security adviser at Tanium. "The attack 'chaining', or using multiple steps, helps get past some protections since the full context of the nefarious behavior can't be observed as a single activity."

**How to Protect the Business From QBot Attacks**

Morris notes that the multiple phases in the attack flow, from the initial emails to payloads being downloaded to data exfiltration and theft requires a range of cybersecurity strategies to defend against.

"It is important to have a defense-in-depth strategy that includes detection, monitoring, and protection technologies at the endpoint, as well as Web, network, and email security that is up to date," he says. "Also, training users to these types of threats is important."

Darren Guccione, CEO and co-founder at Keeper Security, says potential targets should also be trained to recognize that, unlike phishing attempts that appear to come from random businesses or the government, the malicious file containing malware will appear to come from someone you've had past email conversations with.

"The threat actors hope to piggyback on your relationship and level of trust to get these contacts to download the files," he explains. "Employees should avoid making risky clicks. Suspicious links should not be clicked and untrusted software should not be installed."

Other email security best practices include verifying the email sender and content before downloading attachments, and hovering over embedded links to see the actual target URL. Also, defenders also should focus on making sure antivirus and anti-malware solutions are deployed and up to date, and secure endpoints, including PCs, servers, routers, and so on, keeping them patched.

Guccione says the latest resurgence of QBot, along with new modules and evasion techniques being added, indicates active development of the malware, so companies should be vigilant when it comes to being prepared for the latest changes.

"It’s still a very capable adversary tool that defenders need to protect against," Guccione explains.

QBot Expands Initial Access Malware Strategy With PDF-WSF Combo

In targeting Apple users, LockBit is going where no major ransomware gang has gone before. But it's a warning shot, and Mac users need not worry yet.

The infamous LockBit ransomware gang has developed a version of their malware for macOS devices — the first ever foray into Apple's territory by a major ransomware group.

LockBit is one of the world's most prolific ransomware-as-a-service (RaaS) operations, known for its ivolvement in high-profile attacks, sophisticated malicious offerings, and some grade-A PR.

The first evidence that the gang has been experimenting with macOS was published by the MalwareHunterTeam ransomware repository on April 15. "As much as I can tell," a tweet read, "this is the first Apple's Mac devices-targeting build of LockBit ransomware sample seen ... Also is this a first for the 'big name' gangs?"

Shortly thereafter, vx-underground — a malware research site — added a wrinkle to the story. "It appears we are late to the game," it tweeted. "The macOS variant has been available since November 11th, 2022."

Ransomware for Mac may raise alarm bells, though a closer examination of the binary reveals that it's not quite ready for prime time.

"For now, the impact to the average Mac user in the enterprise is essentially zero," Patrick Wardle, founder of the Objective-See Foundation, tells Dark Reading. He pulled a sample apart in an analysis published April 16.

However, he adds, "I think this should be looked at as a harbinger of things to come. You have a very well funded and motivated, large ransomware group that's saying: 'Hey, we're setting our sights on on macOS.'"

Will Mac users be ready when ransomware finally comes for them?

**LockBit on Mac**

Saturday's discovery may be best characterized as Windows malware with macOS lipstick.

In unpacking the code, Wardle discovered multiple strings related to Windows artifacts — like autorun.inf, ntuser.dat.log, and so on. The lone component indicating its OS intentions was a variable called "apple\_config."

"This is the only instance (I found) of any macOS specific references/customizations," Wardle noted in the analysis, appending that "(The rest of the malware's binary simply looks like Linux code, compiled for macOS)."

There were other signs, too, that the developers hadn't yet completed their project. For example, the code was signed "ad-hoc" — a stand-in for, say, a stolen Apple Developer ID. This could be a placeholder for future RaaS customers, but for now, Wardle explains, "this means if downloaded to a macOS system (i.e. deployed by the attackers) macOS won't let it run."

Suffice it to say: LockBit hasn't breached the Apple dam just yet. But that doesn't mean Mac users can relax.

**Ransomware Is Headed for Macs**

Never before has one of the big name ransomware outfits — Conti, Clop, Hive, et al — developed ransomware for Mac computers. There may be one reason, above all, for why that is.

"Look at, traditionally, who the targets are for large ransomware attacks. It's the enterprises: hospitals, packaging facilities, these more traditional companies," Wardle points out. "They are generally Windows-based."

Slowly, though, Apple devices have been spreading in enterprise environments. A 2021 survey data from JAMF indicated that Apple's tablets are the go-to choice for businesses, iPhones represent about half of all smartphones in business settings, and the "average penetration" of macOS devices in the enterprise was around 23%, as compared with 17% two years prior.

"The pandemic and the work from home really spurred that," Wardle postulates. "A lot of people have Mac computers. And as the younger generation enters the workforce — they are more comfortable with the Apple ecosystem."

Following from that, he adds, "hackers who are very opportunistic are realizing that a lot of their potential victims are now transitioning, and thus they need to evolve their malicious creations."

So the question may not be whether ransomware groups will jump into macOS, but how soon. "This," Wardle thinks, "is really the million-dollar question."

**Are Apple Devices Prepared for Ransomware?**

Luckily for Mac users, Apple has anticipated this ransomware D-Day, and has proactively gotten ahead of it. Wardle points to two primary defenses already built into the operating system.

Firstly, he says, "system files are under read-only conditions. So even if ransomware gets root access on a computer, it's still not going to be able to modify those critical files and lock or render the system inoperable."

Second is TCC — short for Transparency, Consent, and Control.

"The idea is that certain directories — for example, the user's document directory, desktop, downloads, their browser folders, and cookies — are actually protected by the operating system," Wardle explains. If ransomware finds its way onto the system, "it's going to run into TCC and it's not going to be able to access the files it wants to encrypt, without either another exploit or getting the user to explicitly approve the access."

There's a caveat to that happy news though. "Apple has done a great job implementing security mechanisms, but," Wardle warns, "these features haven't been really tried and tested yet. Maybe hackers will start poking and find some flaws. TCC, for example, has been riddled with bypasses basically since day one."

"It would be naive to think that the attackers aren't going to improve their techniques and create more effective ransomware," he concludes. "So, I think it's really great to be talking about this now."

Researchers Discover First-Ever Major Ransomware Targeting macOS

How can we build security back into software development in a low-code/no-code environment?

We’ve come to rely heavily on the software development life cycle (SDLC) as the go-to method for getting security ingrained into development processes. In fact, the assumption of a comprehensive continuous integration/continuous delivery (CI/CD) has become so fundamental that we as an industry spent most of last year focused on addressing one of its derivatives: security of the CI/CD pipeline as the centerpiece of the software supply chain. This is good news, of course. A proper SDLC and its operational manifestation, the CI/CD, has allowed us to embed security controls where they are most useful — while developers are building and testing their software.

With the continued soar of low-code/no-code and citizen development in the enterprise, many AppSec teams have been occupied with creating secure development guidelines for these new business applications. Cross-industry collaborations have emerged to provide a security risk framework. The real challenge, however, is bringing this new wave of business users becoming developers under the security umbrella.

Business users are best at knowing what the business needs, and so they are best positioned to address those needs when empowered with low-code/no-code tools that allow them to build their own applications. On the other hand, trying to discuss security risks or development practices with business users can prove challenging.

Embedding security in the SDLC works because it is where it is more comfortable for developers to consume it, making it less costly to fix a security vulnerability. In order to do the same for business users, we must understand how their process for building applications works.

**R.I.P. to the SDLC**

A boilerplate version of the SDLC shows how software goes from articulating a need by the business; to planning, development, and testing by engineering and Q&A teams; to deployment, monitoring, and management by the operations teams. This, of course, varies widely across organizations. The important point for our discussion is that the responsibility is shifted among different teams and perhaps different departments throughout the development life cycle. Every transition can also be harnessed as a quality or security assurance gate, whether automated, like SAST/DAST/IAST tools, or manually, like threat modeling or security review.

In contrast, consider the low-code/no-code development process. A business user articulates their needs, moves on to creating their application or automation with an intuitive drag and drop interface, clicks save, and ... that’s it! Sometimes even the save step is skipped with a helpful autosave. Although not all low-code/no-code applications are built this way by the person who envisioned them, many are. Note how much faster the development process can be now — no exchange of responsibility or convincing someone else to align with your goals, and everyone can address their own business needs as they are spotted, on their own. This is the power of business-led development and mature citizen-development initiatives.

Unfortunately, it comes at the cost of skipping those security and quality gates we’ve baked into the development life cycle. These gates were critical, especially in an enterprise that needs to enforce values that are just as important as business productivity: security, compliance, and privacy, to name a few.

**Meeting Developers Where They Are**

Business users are building and will continue to build more applications than we’ve ever seen before. To bring them under the security umbrella, we must meet them where they are and speak their language. Instead of relying on the existence of a CI/CD pipeline and introducing business users to concepts like production versus test environments, we should accept reality and focus on making it easy to create secure applications and difficult to create risky ones.

To do this, we must understand the low-code/no-code platforms they use to build applications and the ways in which these applications are built and adopted by others. We must embrace our responsibility to guide these new developers, apply security best practices to the applications they create according to our organization's risk appetite, and take a retroactive approach to address critical issues swiftly.

Source

DARKReading