Usually focused on going after cryptocurrency organizations, the threat actor has begun targeting defense companies around the world.

An operation within North Korea's notorious Lazarus Group that initially focused solely on coin-mining attacks has begun targeting defense sector organizations around the world.

The DeathNote cluster's shift in focus began in 2020 with attacks on automotive and academic organizations in Eastern Europe linked to the defense industry. Researchers from Kaspersky that have been tracking DeathNote's activities found the Lazarus subgroup following up on that attack with subsequent campaigns on defense and defense-related companies in Europe, Latin America, Africa, and South Korea.

**An Ongoing RAT Campaign**

Kaspersky observed DeathNote engaged in two campaigns against defense companies in 2022 alone. One of them is still ongoing and involves a defense sector organization in Africa. The security vendor discovered the campaign last July and found DeathNote initially breached the company via a Trojanized, open source PDF reader sent via Skype messenger. Once executed, the PDF reader created a legitimate file and a malicious file in the same directory on the infected machine. 

It then used a technique known as DLL side loading to install malware for stealing system information and downloaded a sophisticated second-stage remote access trojan (RAT) called Copperhedge from an attacker-controlled command-and-control server (C2). Copperhedge is malware that Lazarus Group clusters have used in other attacks, including one against a South Korean IT company in 2021.

Kaspersky's analysis of the attack showed the malware using numerous legitimate Windows commands and tools such as Mimikatz for everything from initial reconnaissance on a compromised host system and acquiring login credentials, to lateral movement and exfiltration. To acquire basic system info, for instance, the malware used Windows commands to find TCP and system info, or to query the saved server list from the registry.

To move laterally, the actor used a technique called ServiceMove which leverages Windows Perception Simulation Service to load arbitrary DLL files, Kaspersky said. "When the group completed its mission and began exfiltrating data, they mostly utilized the WinRAR utility to compress files and transmit them via C2 communication channels."

The tactics, techniques, and procedures (TTPs) that DeathNote employed in its campaign against the defense contractor in Africa were similar to those that Kaspersky observed in another 2022 campaign that hit a defense company in Latin America.

**A Broadening Range of Cyber Targets**

Kaspersky security researcher Seongsu Park says DeathNote's evolution from cryptocurrency mining attacks to defense sector espionage is consistent with the Lazarus Group's efforts to broaden its target list over the years.

"While they primarily attacked the defense sector in the past, as we recently published, they have also targeted think tanks and the medical sector," he explains. "This demonstrates the group's wide range of targets."

Lazarus Group, which many believe is an advanced persistent threat (APT) affiliated with the North Korean government, first grabbed attention with a 2014 attack on Sony Pictures over a satirical movie about North Korean leader Kim Jong-un. Over the years, researchers have tied the group to numerous other high-profile attacks, including the WannaCry ransomware outbreak, attacks that drained tens of millions of dollars from banks in Bangladesh, and attacks on major cryptocurrency companies.

The DeathNote cluster is just one of at least seven separate Lazarus malware clusters that are currently active. The others, according to Kaspersky, are ThreatNeedle, Bookcode, AppleJeus, Mata, CookieTime, and Manuscrypt. The Lazarus group operates several clusters simultaneously and each of these clusters operates in a sophisticated manner, using its own malware toolkit with sometimes overlapping features, Park says.

"Each of their clusters changes targets from time to time," Park notes. "We have observed that other clusters, for example, CookieTime and Bookcode, belonging to the Lazarus group, have also targeted the defense industry before."

DeathNote's typical TTPs have included using spear-phishing emails with weaponized Word or PDF reader apps. During the days when the cluster focused on coin mining, it used cryptocurrency-themed lures to try and get victims to execute the initial infection vector. Since switching to defense targets, the cluster has been using defense themed lures — including those that purport to be job advertisements — as phishing lures. Kaspersky said it found DeathNote only dropping the second-stage payload on systems belonging to victims it deemed valuable from a cyberespionage standpoint.

For the moment at least DeathNote's campaigns targeting the defense sector have not affected US organizations.

Lazarus Group's 'DeathNote' Cluster Pivots to Defense Sector

If attackers use your stolen login information or set up wire transfers, you might be out of luck.

Banking laws designed to protect Federal Deposit Insurance Corp. (FDIC)-insured accounts contain loopholes that strip consumers of coverage against certain cyberattacks.

Less than a month before the US Consumer Financial Protection Bureau hit Wells Fargo & Co. with the largest financial civil penalty ever for mismanagement of car loans, mortgages, and bank accounts In December 2022, a Wells Fargo customer suffered an account takeover of his consumer checking account that cost him $45,000. Well Fargo chose not to reimburse that customer, Kartik Gada, CFO and chief economist at a San Francisco-area company.

Documents show the attackers breached Gada's cell phone account, then accessed his bank login credentials from the phone's backup data. The attackers changed the bank login information, added the ability to send wire transfers and Zelle money transfers to the checking account, then used two traditional wire transfers to move $45,000 to a New York-based bank. The thieves then removed the funds from the other bank's account by the thieves. Wells Fargo maintained that since the attackers obtained Gada's valid bank login credentials, that was sufficient to deny reimbursing Gada.

Account takeovers are not uncommon. A Marina del Rey couple faced a similar attack but had their funds returned to them by Wells Fargo at roughly the same time as the Gada attack. However, the modus operandi of the attackers was different, as were the results.

Gada tells Dark Reading that Well Fargo denied his request to funds to be returned because the bank claims he "failed to protect his password security." Gada says a bank representative told him that while it acknowledged the attack, it still declined to reimburse him.

In the final resolution letter Wells Fargo sent to Gada, the bank wrote, "According to the Online Access Agreement, you are responsible for keeping your username and password confidential, and for actions taken by anyone using the Service after signing in with your username and password, or any other Wells Fargo approved authentication control, except as otherwise provided by law or regulation. We are entitled to rely and act upon instructions received under your username and password."

**Inadequate Bank Oversight**

Jay Hack, a partner at the New York law firm Gallet Dreyer & Berkey, LLP, says the bank's "procedures for due diligence with respect to customers is obviously failing and the filtering software to filter out suspicious transactions is obviously failing. This transaction has all of the conditions of being a theft."

Once the bank's systems recognized the change in how the customer had been using the personal checking account and the swift changes to the account the night of the account takeover, the bank's monitoring software should have alerted authorities, he asserts. There are two possible reasons why it might not have done so, he notes. The first is the software was misconfigured to not "kick out suspicious transactions." Another is that even if the alert was noted, it could have been ignored.

A major bank, Hack says, should have software that identifies account takeovers and unusual actions — such as changing passwords and then adding and immediately using wire transfer capabilities — and kicks out an alert.

**Finessed Legal Justifications**

Wells Fargo ignored multiple requests by Dark Reading to comment on its decision not to compensate Gada. It also would not comment on why the bank's security controls did not flag the anomalies occurring on the account and why no bank employee tried to confirm the unusual changes to the account before processing the transactions.

While the Comptroller of the Currency's office and the Consumer Financial Protection Bureau both declined to discuss the specifics of Gada's situation, both organizations directed Dark Reading to documents concerning the Electronic Fund Transfer Act and Regulation E. One carve-out that Wells Fargo used as a reason to deny compensating the customer is that the attackers implemented wire-transfer capabilities, which specifically is not covered under Regulation E.

Wells Fargo's response to the breach was to redefine the personal checking account as a brokerage account due to the attackers' actions and subsequently told the client different rules applied to the brokerage account, Gada said. The bank chose to follow Universal Commercial Code (UCC) 4A-202, which addresses wire transfers and has different "good faith" rules than does Regulation E. A short PowerPoint description of the regulations can be found on the FDIC's website.

Wells Fargo's position is that a customer is responsible for losses if the attackers use a wire transfer to steal money from the customer's checking account. Should the attackers have chosen a different approach, such as a money transfer application such as Zelle or PayPal or an Automated Clearing House (ACH) transfer, the FDIC would have required the bank to reimburse Gada under Regulation E.

The bank chose not to address why the victim of a crime would be subject to UCC 4A, which requires an agreement between the bank and the customer. As the attackers caused the change in account status and not Gada, this raised the question of whether this was a legal contract between the customer and bank.

Hack says that banks can get away with such denials because the cost of litigation is often far higher than the consumer's loss. It does not become profitable for specialty law firms to file lawsuits until the customer's losses are $1 million or more, he notes.

When Banking Laws Don't Protect Consumers From Cybertheft

**OSLO****, Norway** **,** **April 12, 2023** **/PRNewswire/ --** Opera (NASDAQ: OPRA) – the company behind the award-winning family of web browsers – is announcing the extension of its free browser VPN service to Opera Browser for iOS. Already available to some users for early access, the full rollout will be completed within the coming weeks. With this addition, Opera became the first web browser to offer a free built-in VPN across all major platforms, including Mac, Windows, Linux, Android, and iOS.

Staying private online is becoming increasingly challenging. When users browse the internet, they can be subject to data collection from websites and online services, many of which are not always transparent about how they store and use this data. Meanwhile, unsecure networks, such as some public Wi-Fi are vulnerable to attacks from bad actors, which can compromise sensitive personal data like web banking information or credit card details. VPNs, as a result, are an increasingly essential feature of life online – they help protect one's identity and activity so that users can peruse the internet privately, their personal information safe from prying eyes.

With the addition of its VPN service to iOS, Opera becomes the first browser company to offer a built-in, free VPN on every platform. Opera's VPN service requires no subscription, no logging into an account, and no additional extensions – users simply need to toggle a switch in the main menu to browse in peace, since the Opera Browser makes sure VPN traffic is encrypted and IP address is private.

"Opera has always been known for its unique feature set. We are proud to bring our free built-in VPN to all major platforms and to be the first browser company to do so. Our commitment to providing users with a secure browsing experience has led us to develop this feature over the years. We are excited to bring this vital tool to iOS users to ensure their online safety and privacy," said Jørgen Arnesen, EVP Mobile at Opera.

A no-log service, the VPN does not collect any personal data or information related to users' browsing history or originating network address, ensuring anonymity. Fast and secure, users have instant access to virtual locations around the world.

The Opera Browser for iOS is an award-winning browser that is enjoyed by millions of users worldwide. Featuring an interface that has garnered multiple design awards, the browser affords an unparalleled user experience. Designed to be used on the go, Opera's Fast Action Button gives users the full range of navigation tools within a thumb's reach. Users can additionally keep photos, articles, recipes, travel ideas, and links with them at all times with My Flow, which allows for seamless and secure file sharing between phones, tablets, and computers. The browser even integrates a native Crypto Wallet, enabling users to keep track of their digital assets at all times.

Apart from its convenience, the Opera Browser for iOS also offers unparalleled speed and security. It features, for example, a built-in ad blocker – speeding up the loading process as well as shielding users from unwanted advertisements – plus the Apple Intelligent Tracking Prevention, which blocks third party tracking cookies and cookie dialogue. The browser also boasts Opera's Cryptojacking Protection, which safeguards users from having their device's resources hijacked for crypto mining. The free VPN service will now complete the package, affording users protection as they browse the internet.

Concurrent with the ongoing rollout of the free VPN service, Opera Browser for iOS is also receiving a pair of additional upgrades. A Bookmarks feature will allow users to better organize their lives online, and coupled with Speed Dial ensure immediate access to what's most important. And for football fans, a new Live Scores feature lands on the browser's homepage. A scoreboard that displays the day's matches – whether they are upcoming, in progress, or the final whistle has already gone – Live Scores will help users stay on top of the action worldwide.

To start using the free VPN, users just need to download the Opera Browser for iOS and turn the VPN on in the app. The full rollout will be completed within the coming weeks, so VPN will become available for all users shortly. More information is available on the official website.

**About Opera for iOS**

Fast, safe and private, Opera Browser is a beautifully designed web browser with a Red Dot Award for its stunning user interface. Enjoyed by millions of fans across the world, it's built for people on the go and features a lightning fast web search for instant results. With built-in security features such as Apple Intelligent Tracking Prevention and Cryptojacking Protection – plus a native Crypto Wallet – Opera Browser offers users the optimal iOS experience. Opera Browser has a 4.7 star rating in the App Store and has been reviewed by more than 600,000 people worldwide.

**About Opera**

Opera is a web innovator building on more than 25 years of innovation that started with the Opera web browser. While Opera is leveraging its brand and engaged user base in order to grow and develop new products and services for people who seek a better internet experience, Opera's PC and mobile web browsers, content discovery platform Opera News, and apps dedicated to gaming, and Web3 are already the trusted choices of hundreds of millions of active and engaged users. Opera is headquartered in Oslo, Norway, and listed on the NASDAQ Stock Exchange under the OPRA ticker symbol. Download and access Opera's products and services from www.opera.com.

SOURCE Opera Limited

Opera Adds Free VPN to Opera for iOS

Hackers can compromise public charging hubs to steal data, install malware on phones, and more, threatening individuals and businesses alike.

US government agencies are warning that malware planted in public charging stations for phones and other electronics can sneak onto your device when you least expect it.

On April 6, the FBI Denver office published a morsel of advice. "Avoid using free charging stations in airports, hotels, or shopping centers," its tweet stated. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead."

The sentiment was echoed in an FCC notice about the phenomenon — known as "juice jacking." The commission added that, "in some cases, criminals may have intentionally left cables plugged in at charging stations." Also, "there have even been reports of infected cables being given away as promotional gifts."

Experts say that charging stations can carry risk, not just for individuals but also enterprises. Still, the risk is low and there are simple solutions for avoiding it altogether.

**How Hackers Can Poison Charging Stations**

"There are two different ways this happens," says Pete Nicoletti, field CISO at Check Point Software. "There are the people that actually own those stations. If they're looking for additional revenue, they might install malware on their charging stations."

This isn't the kind of scenario you'd run into at your local airport, though, he adds: "\[That's\] going to be the bad actors that compromise a legitimate station."

Ordinary outlets are immune, but USB ports in modern charging stations are different.

"There is some sort of computer or smart device behind these stations, connected to those USB charging outlets," explains Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry. And because there's a computer involved, the opportunity exists for back-and-forth data transfer.

"Imagine using a phone for charging," Bestuzhev continues. "You use the same USB cable for synchronizing data on your phone with a computer, such as photos, videos, and other information. Technically, a threat actor could poison the data transmission between the malicious station and your device to steal information or install malicious code."

Were this to occur, the FCC says, hackers could "maliciously access electronic devices while they are being charged. Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors."

And any risk to travelers can have a knock-on effect for their employers.

"Most people use their phones for a mix of work and personal time," Allan Liska, threat intelligence analyst at Recorded Future, points out. For a work-from-home employee accessing corporate data from a coffee shop or airport lounge, "a successful attack not only means a phone owner's personal data is compromised, it also means that any work data stored on that phone would be accessible by the attackers." In theory, hackers could also plant malware on a BYOD phone or laptop, or hijack an employee's access to enterprise networks for further attacks.

Whether any of this is likely is another matter. "One of the challenges with the FBI tweet is that they don't provide any real-world examples," Liska says. "So while the kind of attack the FBI laid out is certainly possible, the risk is relatively low."

**Simple Solutions for Charging Safely**

For anyone concerned with charging devices in public, there is one simple solution: don't use dedicated charging stations. Ordinary electrical outlets — of the kind you'd use at home — provide a perfectly safe alternative.

Even when you're searching around the airport terminal and can't find any outlets, there are other options. "Your readers can't see it, but this is what people should be carrying," Nicoletti says over a Zoom call, while holding up his wireless phone charger. "These are 15 bucks!"

And "if a socket isn't available and you're charging a device through a USB cable, use a data blocker," Bestuzhev recommends. Data blockers — colloquially referred to as "data condoms" — are inexpensive and widespread online.

"They're essentially designed on a hardware level to block any data transmission to or from your device," he explains. "So even when you connect to a malicious charging station, if you're using a data blocker, you'll still get the electric charge for your device but data won't flow. That's because, on a hardware level, the data blocker is designed to block the circuit of those parts of the cable to transfer data. So, your data can't be transferred in any direction — just electricity."

Jacked charging stations may be rare, but because the alternatives are so cheap and simple, it's easy enough to avoid the hassle altogether. "These tools," Bestuzhev concludes, "should really be part of any 'frequent flier' or 'frequent traveler' kit."

FBI & FCC Warn on 'Juice Jacking' at Public Chargers, but What's the Risk?

Open source media player Kodi still hasn't recovered its forum and plans to redeploy it on a new server with software update.

The Kodi forum (MyBB) is a place where about 400,000 users of the Kodi open source media player come together to share tips on customizing their home theater experience. But when a cache of MyBB user data popped up for sale on an Internet forum, team Kodi took a closer look and realized there had been a major breach.

Logs revealed that a former MyBB admin's account was hijacked to access the admin console on both Feb. 16 and Feb. 21, the Kodi Foundation said in a statement announcing the breach on April 8.

"The account was used to create database backups which were then downloaded and deleted. It also downloaded existing nightly full-backups of the database," the Kodi statement said.

That means all public forum posts, team forum posts, user-to-user messages, and user data, including username, email address, and hashed passwords were compromised, Kodi added.

An April 11 update on the breach by the Kodi Foundation said the forums were being migrated to new servers and will run on an updated version of MyBB software, and the forums will remain offline for several days during the migration.

"As part of the redeployment we will restrict and harden access to the MyBB admin console, revise admin roles to reduce privileges wherever possible, and improve audit logging and backup processes," the statement added.

    

In the meantime, Kodi Foundation has shared breach data with the haveibeenpwned disclosure site and vowed to share password reset information as soon as the forums are back up. Additionally, the forum wiki is being moved to a new host, the statement added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Data on 400K Kodi Forum Members Stolen and Put Up for Sale

Researchers at Microsoft have discovered links between a threat group tracked as DEV-0196 and an Israeli private-sector company, QuaDream, that sells a platform for exfiltrating data from mobile devices.

Microsoft has identified another Israel-based threat organization, similar to NSO Group, that is selling mobile spyware and other cyber espionage tools and services to international governments to monitor and spy on private individuals.

Microsoft Threat Intelligence researchers have discovered links between a threat group they've been tracking as DEV-0196, which offers iOS malware, and a private-sector company called QuaDream that sells a platform for exfiltrating data from mobile devices, researchers said in a blog post published April 11. Without explicitly stating so, the researchers suggested that DEV-0196 and QuaDream are actually one and the same.

"Microsoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream," the researchers wrote. "We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the \[company's 'Reign' offering\]."

The parallels between the activity of the separately linked entities is eerily similar to that of Israel-based NSO Group, which has been widely condemned, blacklisted, and even sued for its role in selling the iOS-based spyware known as Pegasus to hostile governments to target journalists, activists, politicians, businesspeople, and other private citizens with unethical cyber espionage activity. The spyware notably targets zero-day flaws with exploits, making it difficult to mitigate or detect its nefarious activity.

**Suspicious QuaDream Activity**

Similarly, QuaDream's REIGN is a suite of exploits, malware, and infrastructure designed to extract data from mobile devices for allegedly legal purposes, however, the company suspiciously doesn't have a website, and a 2022 Reuters report suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group's ForcedEntry exploit.

According to the Israeli Corporations Authority, QuaDream, under the Israeli name קוודרים בע”מ, was incorporated in August 2016. A report by news outlet Haaretz, citing a QuaDream brochure, claimed that the government of Saudi Arabia — known for targeting journalists and others who speak out against its policies — was among QuaDream's clients, as was the government of Ghana.

A separate December 2022 report from Meta, which reportedly took down 250 accounts associated with QuaDream, also shed light on the activity of the company. That report claimed that QuaDream was testing its ability to exploit iOS and Android mobile devices with the intent "to exfiltrate various types of data including messages, images, video and audio files, and geolocation," the researchers said.

Meanwhile, Microsoft Threat Intelligence believes that DEV-0196 is selling both exploitation services and its KingsPawn iOS malware to governments to spy on and track members of civil society — including journalists, political opposition figures, and a non-government organization (NGO) worker — in locations across Europe, North America, the Middle East, and Southeast Asia.

Microsoft worked with several partners on the investigation of the links between QuaDream and DEV-0196, including Citizen Lab of the University of Toronto's Munk School, which identified at least five targets of DEV-0196 across the aforementioned geographies. It also identified operator locations for QuaDream systems in Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Citizen Lab has released its own separate report about the findings.

The behavior of DEV-0196 is consistent with that of "private sector offensive actors (PSOAs)" or "cyber mercenaries," according to Microsoft Threat Intelligence, which sell hacking tools or services through a variety of business models — including access as a service — to the highest bidder. They don't directly target individuals or run cyber espionage operations themselves.

**KingsPawn: A Custom Spyware**

Microsoft and its partners analyzed samples of the multi-component KingsPawn, which specifically targets iOS 14. However, it's possible that some of the code also could be used on Android devices, the researchers said. It's also likely that the threat group has already updated the malware to target versions of iOS newer than 14, as the latest version of Apple's operating system software is already up to iOS 16, the researchers said.

KingsPawn is comprised of two agents — a monitor agent in the form of a native Mach-O file written in Objective-C, and the main malware agent, a native Mach-O file written in GoLang, a language favored by threat actors for its portability, among other features, the researchers said.

The monitor agent is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations, as well as manage the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes.

Within the main agent of KingsPawn is the real gravy of the spyware where all of the capabilities to track victims and steal data lies, the researchers said.

Capabilities of the main agent include: obtaining device, Wi-Fi, cellular info, searching for and retrieving files, using the camera in the background, locating where the device is, monitoring phone calls, accessing the iOS keychain for passwords, and generating an iCloud one-time password that's time sensitive to retrieve stored data.

"The agent also creates a secure channel for XPC messaging by creating a nested app extension called _fud.appex_," the researchers wrote. "XPC messaging allows the agent to query various system binaries for sensitive device information, such as location details."

**Detection & Protection From Mobile Spyware**

Microsoft has developed unique network detections that could be used to fingerprint DEV-019's infrastructure on the Internet based on the group's heavy use of domain registrars and inexpensive cloud hosting providers that accept cryptocurrency as payment, the researchers said.

"They tended to only use a single domain per IP address and domains were very rarely reused across multiple IP addresses," they wrote in the post. "Many of the observed domains were deployed using free Let's Encrypt SSL certificates, while others used self-signed certificates designed to blend in with normal Kubernetes deployments."

The blog post includes network-based indicators that the researchers gleaned from their investigation to help potential victims identify if they've been compromised, including domains strongly associated with some countries that Citizen Lab has identified as locations of victims, countries where QuaDream platforms were operating, or both.

While acknowledging that preventing exploitation of mobile devices by threat actors who are exploiting zero-click vulnerabilities is difficult, there are ways to minimize the risk of mobile devices being compromised, the researchers said.

Following basic cyber hygiene and best practices to keep device software updated through automatic updates, the use of anti-malware software, and maintaining vigilance not to click on malicious links or suspicious messages can also help potential victims avoid compromise.

Researchers also suggested that if someone using an iOS device believes they may be a target of spyware, they can enable Lockdown Mode to enact advanced iOS security, thus reducing the attack surface for threat actors.

Microsoft: NSO Group-Like 'QuaDream' Actor Selling Mobile Spyware to Governments

A recent survey showed a surprising correlation between those who operate their businesses with risk and compliance data in silos and those who experienced data breaches in the last 24 months.

What are the consequences of operating your business with risk and compliance data in silos? Turns out, it might be more impactful than you think.

A recent 2023 survey of more than 1,000 IT risk, compliance, and security professionals found a correlation between data silos and breaches: namely, that companies operating with their risk management and compliance operations data in silos experienced a higher frequency of breaches.

Let's dig into the data.

**Risk Management Confidence Remains High, but Data Silos Persist**

First, let's start with risk. Survey respondents take risk management seriously, with a staggeringly high 93% of respondents feeling that they've done well in identifying and assessing risks. Additionally, 56% of infosec professionals are conducting annual security risk assessments, and 27% are conducting biannual assessments, meaning risk management is top priority for respondents. In short, confidence to address risk is high.

    

However, although respondents grasp the importance of risk management, according to the data, their processes for managing IT risks lag behind their intentions. Despite this overwhelming confidence respondents have about identifying and assessing risks, 51% said they struggle with identifying where the critical risks are to assess what remediations to prioritize. Thirty percent of respondents said their process to identify controls that can mitigate risks does not meet their company's objectives, and 39% of all respondents said they struggle with finding risk-related information when they need it.

    

Why are survey respondents so confident in their ability to address risks but still struggling to identify risk-related critical tasks? The answer is simple: 90% of surveyed organizations are managing risk management and compliance operations activities in silos, which is opening them up to vulnerabilities. Thirty-eight percent of respondents admitted that they switch between multiple systems throughout the risk management process and that they have separate places for risk assessments vs. tracking remediation efforts, such as multiple spreadsheets containing risk assessment results or multiple platforms tracking risk.

**The Connection Between Data Silos and Security Vulnerabilities**

The survey uncovered that only 10% of respondents have an integrated view on how to manage their unique set of risks and have aligned their risk and compliance activities, and organizations that managed risk in an ad hoc manner or only when a negative event happened were more likely to experience a breach.

    

Let's break these metrics down a little more:

Managing risk ad hoc or in siloed departments had negative impacts on those surveyed: One in two companies managing risk ad hoc or in siloed departments experienced a breach in 2022. Parsing this number further, we saw that 61% of companies that characterized their risk management approach as "ad hoc" experienced a breach, and 46% of those managing risk in siloed departments experienced a breach.

In contrast, only 36% of companies with an integrated approach and manual tools experienced a breach. Additionally, only 30% of companies with an integrated approach and automated tools experienced breaches.

    

The takeaway? Companies that unified their risk and compliance operations did not suffer the same frequency of breaches, indicating that operating in silos opens companies up to vulnerabilities.

**The Power of Unifying Risk and Compliance Data**

Although risk and compliance continues to operate in silos, respondents recognize the benefits of changing this reality. Fifty-seven percent of respondents said that having a solid compliance program helps them mitigate risks, even though risk management and compliance activities are typically conducted in response to separate events.

Taking an integrated approach to risk and compliance operations allows organizations to focus on their unique set of risks while avoiding duplicate activities across their risk and compliance management processes. Organizations that take this approach typically start the risk management process with conducting a risk assessment. From there, they create security policies and implement internal controls tailored to the results of their risk assessment. This allows for greater alignment throughout the organization by allowing for input from all stakeholders, not just a select few. Also, it helps create a compliance program that integrates directly with risk operations.

The survey results provided evidence that organizations taking an integrated approach have better security posture than their counterparts who view compliance solely as the function that enforces rules and regulations: On average, organizations that take an integrated approach to risk management experienced security breaches less often than those who view their compliance function as the enforcer of rules. Additionally, as a group, organizations that take an integrated approach spend less time on repetitive and administrative tasks compared to those who believe the compliance function's purpose is to enforce the rules.

To learn more, read the full survey report here.

**About the Author**

    

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

Survey Findings Show Link Between Data Silos and Security Vulnerabilities

In order to reduce cybersecurity risks and failures, organizations will need to focus on employees, management, and new operating models.

In order for cybersecurity initiatives to be effective in reducing security failures, Gartner, a research and consulting firm, finds that it will be essential for security and risk management leaders to turn to a human-centered approach.

A human-centric approach in cybersecurity practices prioritizes the individual employee and their experience, which ultimately encourages better practices while also reducing friction and risk. 

In the past, there has been a focus in improving the technology or the many different processes that uphold security practices. Going forward, having a "human-centric talent management approach" means focusing on the employees that require these kinds of updates to technology and program processes to be made in the first place, and shifting from external hiring to internal or "quiet hiring," according to Gartner.

In addition to a human-centric security design and enhancing people management in security programs, changing the cybersecurity operating model will also be amongst the top three trends in cybersecurity for 2023, according to the analyst firm. It will be necessary for employees to understand and manage a variety of different types of risks related not only to cybersecurity, but also "financial, reputational, competitive, and legal risks." 

Creating effective cybersecurity policies and initiatives is not a one and done deal, analysts stressed, but instead requires continuous management and integration into the model of the core business strategy.

"Business leaders now widely accept that cybersecurity risk is a top business risk to manage — not a technology problem to solve," Richard Addiscott, senior director analyst at Gartner, said in Gartner's announcement. "Supporting and accelerating business outcomes is a core cybersecurity priority yet remains a top challenge."

The additional six cybersecurity trends for 2023 noted in Gartner's rundown this week are:

*   Threat Exposure Management
*   Identity Fabric Immunity
*   Cybersecurity Validation
*   Cybersecurity Platform Consolidation
*   Composable Business Need Composable Security
*   Boards Expand Their Competency in Cybersecurity Oversight

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Gartner: Human-Centric Design Is Top Cybersecurity Trend for 2023

CrowdStrike Falcon Insight for IoT covers  Internet of Things, Industrial IoT, Operations Technology, as well as medical devices.

Cybersecurity vendor CrowdStrike introduced new extended detection and response (XDR) capabilities within its Falcon platform to secure “extended” internet of things (XIoT). CrowdStrike Falcon Insight for IoT delivers tailored threat prevention, rapid patch management, and interoperability across XIoT assets.

XIoT is a broader category of assets and encompasses the Internet of Things, Industrial IoT, Operations Technology, as well as medical devices.

The IT/OT convergence means security teams are now responsible for securing critical infrastructure systems. Gartner estimates 70% of organizations will have converged “security functions across both enterprise and operational environments” by 2025.

However, traditional IT security solutions don’t interoperate with XIoT assets, lack context for effective threat prevention and detection, and disrupt operations. CrowdStrike Falcon Insight for IoT collects asset-specific context such as device type, operating system version, and protocols and provides response actions, such as host/process containment and USB device control. Tailored, AI-based threat prevention stops threats at the source, and custom policy recommendations help organizations limit system burden and manage sensor updates.

With Falcon, organizations can use the same platform across IoT, IT endpoints, cloud workloads, identities, and data, CrowdStrike said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CrowdStrike Expands Falcon to Include IoT

Devastating cyberattacks often can be prevented with basic cybersecurity measures.

The LastPass breach will be remembered as paradigmatic. The blast radius from this August 2022 breach grew from bad to catastrophic during a six-month period. Initially, the LastPass CEO declared the breach contained. However, in November 2022, an unknown threat actor was discovered to have accessed the LastPass' cloud-based storage environment and encrypted password vaults using information obtained during the August incident. By the end of the year, LastPass confirmed that customer data, including encrypted passwords and usernames, had been compromised. 

On March 3, it was revealed that the root cause of the LastPass data breach was surprisingly basic. The attacker compromised a LastPass DevOps engineer's personal computer through an old vulnerability in a third-party media software package called Plex, which was apparently used by an employee for personal purposes. Consequently, the computer was infected with a keylogger, allowing threat actors to steal partially encrypted password vault data and customer information. 

The recently revealed details of the LastPass data breach provide important lessons for organizations, particularly security companies. 

**Adhere to Your BYOD Policy: A Must for Privileged Users**

It's concerning that four LastPass engineers with access to highly sensitive assets were able to use their personal devices, including personal applications, for work purposes. Personal devices often lack the same security protocols and patches as company-issued devices, and they may be used by family members or for non-work-related activities, which can significantly increase the risk of compromise. According to a survey by Action1, 43% of IT professionals reported that the top risky behavior remote workers are susceptible to is allowing family members to use corporate devices for activities unrelated to work.

To mitigate these risks, organizations should have strict security policies that apply to all users, particularly privileged ones. Issuing company-owned devices subject to regular security updates and protocols is the best practice. However, in situations where personal devices are used for work, it's essential to establish a robust bring-your-own-device (BYOD) policy, ensuring that personal machines follow the same security measures as company-issued devices, including regular updates, anti-malware software, and multifactor authentication (MFA). 

**Don't Let Legacy Vulnerabilities Put Your Endpoints at Risk**

In the LastPass breach, the attacker exploited a vulnerability in a third-party media software package called Plex. Although Plex had issued a patch for the vulnerability 75 versions ago, the employee's machine at LastPass had not been updated. This underscores the importance of companies remaining vigilant in their patch management, especially for third-party software. It's also essential to monitor the software installed on employees' machines and ensure that it adheres to corporate security policies. However, it's not just legacy security vulnerabilities that can be found in unapproved third-party software — they can also exist in commonly used apps like browsers. It’s hard to underestimate the importance of automated patch management for both OS and third-party applications in cybersecurity.

**Avoid Easily Bypassed MFA**

The LastPass breach highlights the limitations of MFA. In that incident, keylogging malware captured an employee's MFA token, allowing the attacker to bypass this security measure. This shows that not all MFA methods are equally secure. 

The thing is, despite the popularity of MFA, some organizations may have adopted it without fully understanding the nuances of different MFA methods. There are many services that provide authentication via SMS, email, or authentication applications. However, the reality is that MFA with hardware tokens is the most secure one. Hardware tokens generate unique passcodes that are difficult to intercept or replicate, and they do not rely on Internet or cellular connections and should be considered for securing access to services with highly sensitive assets. 

**Build Security Into Your Products and Infrastructure From the Start**

Although LastPass declared advanced security measures for their products, the breach revealed gaps in various areas. For example, LastPass stored MFA seeds and the split knowledge component (K2) key together, which allowed threat actors to access them after obtaining decryption keys for encrypted backups of the LastPass MFA/federation database. It would have been more prudent to store these highly sensitive assets separately. Additionally, although LastPass requires users to implement strong master passwords, these measures are not always enforced, and notifications may not be noticeable enough, as indicated by some experts. 

This suggests that a typical situation occurred where IT architecture develops in response to business demand for meeting the needs and capturing the market, and IT security is incorporated into the architecture only later on. As a result, it becomes difficult to incorporate security policies and redesign the architecture accordingly. Therefore, it's better to consider IT security from the outset of product development. 

**Conclusion**

Devastating cyberattacks often can be prevented with basic cybersecurity measures, yet even security companies can make mistakes. We should learn from these errors to improve our own security practices.

Source

DARKReading