So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.

Source: garagestock via Shutterstock

Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and implementation of a new secure-by-design initiative for product development.

**A Thorough Overhaul**

"We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers," Abbott said, in his statement. "We have already begun applying learning from recent incidents to make immediate improvements to our own engineering and security practices."

Some of the specific steps include embedding security into every stage of the software development life cycle and integrating new isolation and anti-exploit features in its products to minimize the potential impact of software vulnerabilities. The company will also improve its internal vulnerability discovery and management process and increase incentives for third-party bug hunters, Abbott said.

In addition, Ivanti will make more resources available to customers for finding vulnerability information and associated documentation and is committed to greater transformation and information sharing with customers, he added.

How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear given the company's recent security track record. In fact, Abbot's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.

The disclosure followed a similar incident less than two weeks ago that involved two bugs in Ivanti's Standalone Sentry and Neuron's for ITSM products. Ivanti so far has disclosed a total of 11 vulnerabilities — including the four this week — in its technologies since Jan. 1. Many of them have been critical flaws — at least two were zero-days — in the company's remote access products, which attackers, including advanced persistent threat actors such as "Magnet Goblin," have exploited in mass fashion. Concern over the potential for major breaches from some of these bugs prompted the US Cybersecurity and Infrastructure Security Agency (CISA) in January to order all civilian federal agencies to take their Ivanti systems offline and not reconnect the devices until fully remediated.

Security researcher and IANS Research faculty member Jake Williams says the vulnerability disclosures have prompted serious questions from Ivanti's customers. "Based on conversations I'm having, especially with Fortune 500 clients, I honestly think it's a bit of too little, too late," he says. "The time to publicly make this commitment was more than a month ago." There is no question that the issues with the Ivanti VPN appliance (formerly Pulse) are making CISOs question the security of Ivanti's many other products, he says.

**A Fresh Set of 4 Bugs**

The four new bugs Ivanti disclosed this week included two heap overflow vulnerabilities in the IPSec component of Connect Secure and Policy Secure, both of which the company characterized as high-severity risk for customers. One of the vulnerabilities, tracked as CVE-2024-21894, gives unauthenticated attackers a way to run arbitrary code on affected systems. The other, assigned as CVE-2024-22053, allows an unauthenticated remote attacker to read the contents from system memory under certain conditions. Ivanti described both vulnerabilities as allowing attackers to send maliciously crafted requests to trigger denial of service conditions.

The other two flaws — CVE-2024-22052 and CVE-2024-22023 — are two medium-severity vulnerabilities that attackers can exploit to cause denial-of-service conditions on affected systems. Ivanti said that as of April 2, it was not aware of any exploit activity in the wild targeting the vulnerabilities.

The steady stream of bug disclosures has raised questions about the risk that Ivanti's products pose to more than 40,000 customers worldwide, with some expressing their frustration on forums such as Reddit. Just two years ago, Ivanti's press releases claimed 96 of the Fortune 100 companies as its customers. In the latest release that number has declined nearly 12% to 85 companies. While the attrition might have to do with factors other than just security, some Ivanti rivals have begun to sense an opportunity. Cisco, for instance, has begun offering incentives — including a 90-day free trial — to try and get Ivanti VPN customers to migrate to its Secure Access platform so they can "mitigate risk" from Ivanti's products.

**Acquisition Related Problems?**

Eric Parizo, an analyst with Omdia, says at least some of Ivanti's challenges have to do with the fact that the company's product portfolio is the sum of numerous past acquisitions. "The original products were developed at different times by different companies for different purposes using varying methods. This means the software quality, in particular with regard to software security, can be dramatically uneven," he says.

 Parizo says what Ivanti is doing now with its commitment towards improving security processes and procedures across the board is a step in the right direction. "I would also like to see the vendor indemnify its customers for damages directly resulting from these vulnerabilities, as that will help restore confidence in future purchases," he says. "Perhaps the one saving grace for Ivanti is that customers are so used to this sort of event, with cybersecurity vendors suffering countless similar incidents in recent years, that customers are more likely to forgive and forget."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed

Initial access brokers are using the new downloader malware, which emerged just after QBot's 2023 disruption.

Source: Yuri Arcurs via Alamy Stock Photo

At first, analysts thought the downloader was a variant of well-known malware IcedID — but it turns out Latrodectus is something new altogether.

The malware is being used by initial access brokers (IABs) in email threat campaigns, and researchers behind the discovery at Proofpoint and Team Cymru S2 Threat Research Team predict Latrodectus will continue gaining momentum among threat actors. That's due in large part to its ability to evade sandbox detection, the researchers said.

"After initialization the malware will check its environment to confirm that it is not running in a sandbox by confirming the amount of running processes on the device, then checking to make sure it is running on a 64-bit host, and lastly the malware looks to see if the host has a valid MAC address," according to a statement from Adam Neel, threat detection engineer at Critical Start. "These sandbox evasion techniques can slow down researchers and defenders from analyzing samples of Latrodectus."

First discovered in late 2023, there's been a distinct uptick in threat activity using the new loader throughout February and March, the report warned.

Although it's not a variant of IcedID, the researchers found Latrodectus — named after a string of code found during analysis — does have similar characteristics, leading the team to conclude both were created by the same developers.

The first group using Latrodectus in November 2023 was TA577, and it has been relying on it almost exclusively since mid-January 2024, the report said. Prior to picking up Latrodectus, the adversary group was using IcedID, it added.

In February, researchers discovered another group, TA578, was distributing Latrodectus in a campaign that sent threats of legal action for copyright infringement as phishing lures.

**Is Latrodectus Downloader the New QBot?**

The new Latrodectus downloader is positioned to fill the void left by the takedown of QBot malware (also known as Qakbot) in the summer of 2023, according to a statement by Ken Dunham, cyber threat director at Qualys Threat Research Unit.

"TA577 and other actors are affiliated with Qbot and now, a new malware campaign, Latrodectus," Dunham explained. "It appears likely that actors behind QBot felt the heat from takedowns last year, migrating to this new code base and infrastructure in the fall of 2023."

Awareness of Latrodectus actively being used in email campaigns, along with vigilance, will help enterprises defend against the upgraded downloader, experts advise. The new Latrodectus report provides tactics, techniques, and procedures to help.

"It is possible that this is not the last form of Latrodectus and it could continue to grow and differentiate itself from IcedID more in the future," Neel added. "Latrodectus is currently being distributed via email campaigns, so the need for phishing awareness continues to be incredibly important."

Malicious Latrodectus Downloader Picks Up Where QBot Left Off

Latest campaign underscores wide-ranging functionality and staying power of a decade-old piece of information-stealing malware.

Source: David Chapman via Alamy

More than 11,000 Australian companies were targeted in a recent wave of cyberattacks that rely on an aging but still dangerous malware strain dubbed Agent Tesla.

Prospective victims were bombarded by booby-trapped emails with lures about purchasing goods and order delivery inquiries that came with a malicious attachment. Victims who were tricked into opening the attachment exposed their Windows PCs to Agent Tesla infections.

Agent Tesla is a remote access Trojan (RAT) that first surfaced in 2014. The malware is widely distributed and frequently used by a variety of threat actors, including cybercriminals and spies, according to researchers at Check Point Software.

Alexander Chailytko, cybersecurity, research, and innovation manager at Check Point, says threat actors have "developed a level of trust" in Agent Tesla's capabilities.

"Its reliability, coupled with its diverse range of functionalities for data exfiltration and information theft, makes it a preferred choice among cybercriminals," Chailytko explains.

The malware offers a range of data exfiltration methods and stealing capabilities that target the most commonly used software, ranging from browsers to FTP clients. Recent updates to the malware offer tighter integration with platforms such as Telegram and Discord, which makes it easier for crooks to run hacking campaigns.

Agent Tesla was in the news last year, when cybercriminals exploited a 6-year-old Microsoft Office remote execution flaw to sling Agent Tesla.

**Anatomy of an Agent Tesla Hack**

An analysis by security researchers from Check Point published in a blog post this week offered one of the most detailed inspections of the methodology of an Agent Tesla-based phishing campaign to date. Their work offers a postmortem on a high-volume series of attacks launched in November 2023 against mostly Australian and American targets.

Check Point said a threat actor dubbed "Bignosa" first installed Plesk (for hosting) and Round Cube (email client) onto a hosted server. The attackers then disguised the Agent Tesla payload using a package called Cassandra Protector that hid the malicious code and controlled its delivery.

Cassandra Protector bundles a variety of options that allow cybercriminals to configure sleep time before execution. Among other functions, it controls the text in the fake dialogue box that appears when victims open a malicious file.

Once Agent Tesla was "protected" this way, Bignosa converted the malicious .NET code into an ISO file with a ".img" extension before attaching the resulting file to the spam emails.

Next, Bignosa connected to the newly configured machine via a remote access network protocol connection, created an email address, logged in to webmail, and launched the spam run using a pre-prepared target list. According to Check Point, "a few successful infections" hit Australia in a first wave of the attack.

**Down Under**

The threat actors behind the Agent Tesla malware campaign were primarily targeting Australian businesses, as shown by the presence of a mailing list file named "AU B2B Lead.txt" on their machines.

"This suggests a deliberate effort to compile and target email addresses linked to Australian business entities, potentially for the purpose of infiltrating corporate networks with the goal of extracting valuable information for financial exploitation," Check Point's Chailytko says.

Bignosa also worked with another more proficient cybercriminal, who immodestly goes by "Gods," in a campaign to hack into Australian and US-based businesses, the researchers found.

Gods offered advice to Bignosa on the content of malicious spam text, according to Jabber chat logs uncovered by the security researchers.

Like with other cybercriminals, the duo struggled with elements of their cybercrime campaign, according to evidence uncovered by Check Point.

In multiple instances, Bignosa wasn't able to clean his machine from the Agent Tesla test infections, so the hapless hacker had to call on remote access from Gods for assistance.

Check Point said it believes that Bignosa is Kenyan and Gods is a Nigerian with a day job as a Web developer.

**How to Block Agent Tesla Infections**

The Agent Tesla-based spear-phishing campaign highlighted by Check Point underscores the still-prevalent threat posed by the mature malware.

Businesses should maintain up-to-date operating systems and applications by promptly installing patches and utilizing other security measures. Commercial spam filtering and blocklist tools can help minimize the volume of junk traffic that appears in user inboxes, according to Check Point.

Even so, end users must exercise caution when encountering unexpected emails containing links, particularly from unfamiliar senders. According to Check Point, that's where regular employee training and education programs can bolster cybersecurity awareness.

**About the Author(s)**

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Thousands of Australian Businesses Targeted With 'Reliable' Agent Tesla RAT

PRESS RELEASE

Houston, Texas, April 04, 2024 (GLOBE NEWSWIRE) -- Action1 Corporation, a provider of the integrated real-time vulnerability discovery and patch management automation solution, today introduced the ‘School Defense’ program aimed at improving cybersecurity at small US educational institutions. The program will offer free access to the Action1 services and other resources to help IT teams at public schools and community colleges streamline vulnerability remediation and enhance their skills.

Small educational institutions that serve our local communities and play a pivotal role in shaping the future of our society are on the front lines of the fight and are up against sophisticated threat actors when it comes to defending against cyberattacks. In addition to ensuring daily operational reliability, small IT teams at these taxpayer-funded organizations are now navigating national security issues and cyber threats, while wearing multiple hats.

“Securing schools is not only about protecting sensitive data and systems; it's about safeguarding the education and well-being of the nation's citizens," said Mike Walters, President and co-founder of Action1. “As a cybersecurity company, it's our responsibility to step up and provide support."

According to statistics, 29% of attacks on educational institutions result from vulnerability exploitation, with an additional 30% originating from phishing campaigns targeting K-12 schools in 2023 alone. On average, there are 2300 reported attacks against educational organizations each week, highlighting the urgent need for improved cybersecurity measures. At the same time, studies show that an average school spends less than 8% of its budget on cybersecurity.

Jonathan Kim, Director of Technology at the Woodland Hills School District, emphasized the significance of tailored cybersecurity offerings for public schools and community colleges: "Unlike businesses, educational institutions often lack the opportunities to develop cybersecurity skills and resources. Therefore, having a cybersecurity vendor introduce school-specific initiatives is incredibly valuable, as it addresses the specific challenges schools face and provides much-needed support." 

The 'School Defense' program will include:

*   Free Action1 platform for the first 100 endpoints, empowering small schools to streamline remediation of security vulnerabilities in OS and third-party apps in a single solution deployable in less than five minutes.
    
*   Access to educational resources to help understaffed IT teams at small schools improve their expertise and skills, both tailored to education specifics and generally cybersecurity focused.
    

Eligible organizations are US-based K-12 public schools and community colleges. By empowering these organizations with the necessary tools and knowledge, Action1 aims to enhance their defense against cyber threats, safeguard educational operations, and mitigate potential impact of cyberattacks on local communities.

For more information about the Action1 ‘School Defense' program, visit this link: www.action1.com/patch-management-for-education/.

About Action1 Corporation   
Action1 reinvents patch management with an infinitely scalable and highly secure platform configurable in 5 minutes that just works. With integrated real-time vulnerability discovery and automated remediation for both third-party software and OS, peer-to-peer patch distribution, and IT ecosystem integrations, it ensures continuous patch compliance and reduces security and ransomware risks – all while lowering costs. Action1 is certified for SOC 2/ISO 27001 and is trusted by thousands of enterprises managing millions of endpoints globally.    
Action1 was founded by cybersecurity veterans Alex Vovk and Mike Walters, who previously founded Netwrix, which was acquired by TA Associates. 

Learn more at: www.action1.com.

Action1 Unveils 'School Defense' Program To Help Small Educational Institutions Thwart Cyberattacks

A researcher received a $5,500 bug bounty for discovering a vulnerability (CVE-2024-2879) in LayerSlider, a plug-in with more than a million active installations.

Source: Primakov via Shutterstock

Attackers can exploit a critical SQL injection vulnerability found in a widely used WordPress plug-in to compromise more than 1 million sites and extract sensitive data such as password hashes from associated databases.

A security researcher called AmrAwad (aka 1337\_Wannabe) discovered the bug in the LayerSlider, a plug-in for creating animated Web content. The security flaw, tracked as CVE-2024-2879, has a rating of 9.8 out of 10 on the CVSS 3.0 vulnerability-severity scale, and is associated with the "ls\_get\_popup\_markup" action in versions 7.9.11 and 7.10.0 of LayerSlider. The vulnerability is due to "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query," according to Wordfence.

"This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database," the company said.

Wordfence awarded the researcher a bounty of $5,500 — the company's highest bounty to date — for the discovery, according to a blog post by Wordfence. AmrAwad's March 25 submission came as part of Wordfence's second Bug Bounty Extravaganza, and the company contacted the Kreatura Team, developers of the plug-in, the same day to notify them of the flaw. The team responded the next day and delivered a patch in version 7.10.1 of LayerSlider on March 27.

**Exploiting the LayerSlider SQL Injection Flaw**

The potential for exploitation of the vulnerability lies in the insecure implementation of the LayerSlider plug-in's slider popup markup query functionality, which has an "id" parameter, according to Wordfence.

According to the firm, "if the 'id' parameter is not a number, it is passed without sanitization to the find() function in the LS\_Sliders class," which "queries the sliders in a way that constructs a statement without the prepare() function."  

Since that function would "parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks," its absence creates a vulnerable scenario, according to Wordfence.

However, to exploit the flaw requires a "a time-based blind approach" on the part of attackers to extract database information, which is "an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities," according to Wordfence.

"This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database," the company explained.

**Secure WordPress, Secure the Web**

Vulnerable WordPress sites are a popular target for attackers given the content management system's widespread use across the Internet, and often vulnerabilities exist in plug-ins that independent developers create for adding functionality to sites using the platform.

Indeed, at least 43% of websites on the entire Internet use WordPress to power their sites, e-commerce applications, and communities. Further, the wealth of sensitive data such as user passwords and payment info often stored within their pages represents a significant opportunity for threat actors who seek to misuse it.

Making "the WordPress ecosystem more secure ... ultimately makes the entire web more secure," WordPress noted.

Wordfence advised that WordPress users with LayerSlider installed on sites verify immediately that they are updated to the latest, patched version of the plug-in to ensure it isn't vulnerable to exploit.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection

Tokyo-based eyeglass and medical lens-maker Hoya said the attack has halted production processes in some locations as well as an ordering system for some of its products.

Source: ronstik via Alamy Stock Photo

Japanese lens manufacturer Hoya is investigating a cyber incident that has disrupted several manufacturing sites as well as an ordering system this week.

Hoya, one of the world's largest lens-makers, manufactures eyeglasses lenses, contact lenses, intraocular lenses, and endoscopic and other medical equipment lenses.

In an update posted on its website today, the company disclosed that it spotted the incident affecting central IT operations and several facilities on March 30 after a system failure. While Hoya did not identify the type of cyberattack, the company said it was likely the result of "unauthorized access" to its systems.

"While the full effects, extent and nature of the incident continue to be investigated, the systems for some production plants and the ordering system for several products have been affected," Hoya said in a statement issued today. "We are also investigating whether any confidential or personal information held by the Company has been compromised or accessed by third parties, but the full analysis is expected to take a considerable number of days."

**About the Author(s)**

Cyberattack Shutters Some Operations at Japanese Lens Manufacturer

Cybersecurity is far more than a check-the-box exercise. To create companywide buy-in, CISOs need to secure board support, up their communication game, and offer awareness-training programs to fight social engineering and help employees apply what they've learned.

Source: Lev Dolgachov via Alamy Stock Photo

COMMENTARY

Cybersecurity has never been more critical for responsible corporate governance, as cyberattacks are among the gravest threats to companies' customers, operations, and reputations. 

Boards must invest in cybersecurity-awareness training programs to prepare the entire workforce for evolving cyber threats, and chief information security officer’s (CISO) have to champion this effort.

CISOs play a vital role in building stakeholder support for cybersecurity across the company — particularly on the board. Board members often lack the necessary knowledge to make informed decisions about the company's cybersecurity posture, and it's the CISO's job to educate them in a clear and compelling way. CISOs must demonstrate how much damage cyberattacks can cause, the ways employees can be equipped to identify and prevent these attacks, and how to maintain accountability for their risk-mitigation program.

**5 Top CISO Communication Strategies**

There are several strategies that will help CISOs earn long-term support for awareness training from their boards, from communicating cybersecurity concepts in an engaging and non-technical way to showing board members that cybersecurity programs offer significant ROI. Let's take a closer look at the top five ways CISOs can show boards that it's time to prioritize cybersecurity.

**1\. Know how to communicate with non-technical audiences.**

While almost three-quarters of CISOs say they have "adequate exposure to the board," a majority of CISOs report that their board lacks "knowledge or expertise to respond effectively to their presentations." CISOs must do more to address this disconnect — a process that begins with evaluating how they communicate with board members.

Cybersecurity is an intimidating subject for non-technical audiences, but it doesn't have to be. CISOs can make a comprehensible and convincing case for cybersecurity by pointing to the devastating real-world consequences of successful cyberattacks, revealing how cybercriminals deceive and manipulate their victims, and explaining that the right behavioral interventions can enable all employees to resist cyberattacks. CISOs can also highlight concrete examples of cyberattacks.

With boards planning to increase their cybersecurity investments, it's essential for CISOs to clearly highlight the value of risk mitigation strategies like awareness training.

**2\. Focus on the entire cyber-impact chain.**

According to IBM, the average cost of a data breach surged to $4.45 million in 2023. Cyberattacks can also lead to severe reputational damage, disrupted operations, legal and regulatory consequences, and crippling effects on the health of the company's workforce. This is known as the cyber-impact chain — a crucial concept for CISOs to discuss with board members.

Boards need to be aware that the effects of cyberattacks extend well beyond immediate financial burdens. At a time when 86% of consumers are worried about data privacy, a major cyberattack can undermine trust for years. As data regulations become increasingly strict, companies will be held accountable for compromised customer information.

CISOs have all the information they need to educate boards about the consequences of cyberattacks. They just have to present that information in a way that will hold board members' attention.

**3\. Stress the human element.**

CISOs have the knowledge to explain how prominent cybercriminal tactics are thwarted. For example, 74% of all breaches involve a human element — an alarming reminder that social engineering remains one of the most powerful weapons in the cybercriminal arsenal.

There are several ways for CISOs to productively discuss the threat of social engineering with their boards. They can provide hard evidence for the impact of social engineering attacks, explain how awareness training arms the company to prevent these attacks, and emphasize the most effective ways to educate employees. Cybersecurity is everyone's responsibility, which is why CISOs must make the case for fully engaging employees with consistent, entertaining, and relevant awareness training content.

Awareness training is one of the best ways to mitigate the financial impact of data breaches as it can help companies keep pace with emerging cyber threats and be personalized to account for individual psychological susceptibilities and learning styles. As long as social engineering remains integral to the majority of cyberattacks, CISOs will need to prioritize human-oriented cybersecurity.

**4\. Outline how awareness-training programs can be measured.**

As investments in cybersecurity rise, CISOs need to make accountability a central pillar of their case for awareness training. When board members see that cybersecurity spending is paying off, CISOs will be able to maintain support.

CISOs must make sure employees are learning what they need to know about the most urgent cyberthreats and tactics. Companies can use assessments such as simulated phishing to expose vulnerabilities and determine whether employees are able to apply what they've learned in real-world scenarios. These tests are especially valuable considering that phishing is the most frequent and second-costliest initial attack vector, according to IBM.

Beyond simulated phishing, CISOs can outline other forms of accountability to the board: employee-specific behavioral risk profiles, organizationwide security evaluations, and proactive incident reporting. These are all ways to reassure the board that resources allocated to cybersecurity are being put to good use.

**5\. Secure long-term support.**

Despite the growing concern about cyberattacks, too many companies still treat cybersecurity as a check-the-box exercise. They rely on a few email PSAs or perfunctory cybersecurity presentations a couple times a year, which fail to provide employees with consistent and engaging content that will secure sustainable behavioral change.

Because the cyber threat landscape is always shifting, companies have to keep employees updated on the latest cybercriminal tactics — such as the use of AI to craft convincing and targeted phishing messages at scale. Consistency is also necessary to reinforce what employees learn and identify weaknesses, such as the psychological vulnerabilities cybercriminals exploit. The goal of a security-awareness training program is to create a culture of cybersecurity at every level of the organization which can adapt to these challenges.

Cybercriminals are constantly developing increasingly sophisticated and effective ways to infiltrate companies by manipulating employees. This is why CISOs must secure long-term support for effective cybersecurity initiatives like a customer-satisfaction score (CSAT) from their boards — the threat is only becoming more dire, and companies have a responsibility to be prepared.

**About the Author(s)**

CEO, NINJIO

Dr. Shaun McAlmont is CEO of NINJIO Cybersecurity Awareness Training, and is one of the nation's leading education and training executives. Prior to NINJIO he served as President of Career and Workforce Training at Stride, Inc., had a decade-long tenure at Lincoln Educational Services, where he was President and CEO, and also served as CEO of Neumont College of Computer Science. His workforce and ed tech experience is supported by early student development roles at Stanford and Brigham Young Universities. He is a former NCAA and international athlete, and serves on the BorgWarner and Lee Enterprises boards of directors. He earned his doctoral degree in higher education, with distinction, from the University of Pennsylvania, a master's degree from the University of San Francisco, and his bachelor's degree from BYU.

How CISOs Can Make Cybersecurity a Long-Term Priority for Boards

Cybercriminals are using AI to impersonate small businesses. Security architects are using it to help small businesses fight back.

Source: Bulat Silvia via Alamy Stock Photo

Artificial intelligence (AI) is simultaneously making it easier for adversaries to pull off brand spoofing and easier for organizations to block spoofing and other threats. Both usages have significant implications for small to midsize businesses (SMBs).

Brand impersonation is typically associated with major brand names that are widely recognizable, but any brand, large or small, can be targeted. In fact, it's arguably easier and potentially more effective for adversaries to impersonate a small local credit union than a large entity like Bank of America. That's becoming even more likely with AI making it easier to collect and generate fake content.

However, AI is not just a tool in the attacker arsenal. Security architects are fighting back by designing security tools that use AI to detect and block impersonation attacks. This gives organizations, especially SMBs with limited budgets and resources, a boost in their abilities to fight back.

**Impersonating SMBs Online**

According to data provided to Dark Reading by Check Point Software, businesses with 100 or fewer employees have faced an average of 255 cyberattacks per week this year. Among them, brand spoofing is one of the most pernicious. That spoofing campaign against Bank of America won't even dent the banking giant's bottom line, but the same attack against a tiny credit union could cause serious and lasting damage.

"There's the potential degradation of trust and reputation, as consumers may feel the brand isn't reliable or safe," explains Jeremy Fuchs, Harmony Email analyst at Check Point. "There's also the potential loss of funds. Take a small clothing company. If someone wants to buy a T-shirt but instead 'buys it' from a spoof, the business is losing out on money. Finally, when a brand is spoofed, it can lead to email providers, like Google or Yahoo, blocking legitimate messages, such as for email marketing."

This is especially worrisome because a smaller brand — whether it's a local bank, doctor, law firm, or anything else — is actually easier for hackers to spoof than a larger one, Fuchs explains. Not only do they lack time, money, and personnel to invest in cybersecurity, but oftentimes "small businesses just aren't expecting it," he says. Both small businesses and customers assume that the target is going to be on the larger organization's back. Customers, if they're aware of the threat at all, may assume they are safer because they are using a smaller bank.  

Historically, SMBs have had one thing going for them: Phishing campaigns took time and effort to craft so, from an attacker's perspective, it might have felt like a bigger bang for their buck to target larger organizations with wider audiences. This is no longer the case, however, thanks to generative AI. Hackers can now use chatbots to whip up convincing emails mimicking any business in minutes flat.

**Preventing Brand Spoofing**

While attackers were able to quickly start using AI to improve the quality and efficiency of impersonation attacks, it's taking a little longer for security engineers to harness the same technology for their defenses.

Imagine, for example, that you want to use AI to detect spoofing attacks against Microsoft. You'd need to train an algorithm to distinguish legitimate and fake URLs, iconography, content, and other elements associated not just with the company as a whole, but also all of its various products, subsidiaries, the public figures behind them, and so on. It would be an involved project, even though Microsoft would be considered an easy one due to the amount of training data and content available.

"The real challenge is how to identify small businesses," explains Dan Karpati, Check Point's vice president of AI technologies. "Everyone's familiar with the big ones — the top sites in the US and other major countries — but how do we know about a store in a small village in Spain or Lisbon?"

Microsoft researchers made early inroads into the problem back in 2021, training a neural network on 1,000 brand impersonation attacks and generating mathematical representations of brand identities based on nearest neighbor classifications.

The system Karpati designed works in a similar fashion, first by automatically gathering data from a URL and the content of a legitimate Web page.

"It can be the URL, favicon, \[data\] inside of the HTML, copyrights, links in the sites, pictures — a lot of features," he explains. "Each time that we collect telemetry about a site, we open a new cluster. And if you mark it as benign, OK, now we have some sense of how benign looks for this brand. \[Then\], every time that we observe new access to a site, we extract its features and we ask — automatically — 'Is this access with these features that we extracted from the browser or on the network aligned with what we recorded about the cluster?'"

In other words, with a model for what a brand's domain structure, iconography, and content should look like, new sites that pop up with largely similar but slightly different features can be flagged as spoofs.

Because the system is cloud-based and AI-driven, it can apply this same process across just about any company with an online presence. According to Check Point, this system protects thousands of organizations in hundreds of countries every month.

**Non-AI Ways to Fight Back**

Besides AI, there are other solutions companies can implement to make the job of impersonating them more difficult and less profitable for hackers.

For example, there's Domain-based Message Authentication, Reporting & Conformance (DMARC), the email verification protocol often required of larger organizations but which smaller ones tend to overlook. Ironically, it's far easier for a small business to be DMARC-compliant than a larger one.

"You have to be able to track all your domains, and for some companies that have hundreds, it can be difficult. If you have one domain, it takes like 20 minutes," Fuchs points out. "DMARC can be a huge undertaking depending on how many domains you have, but it is a worthwhile project. It's a huge step in making sure that when somebody gets an email from you, it's coming from you or not from somebody who appears just like you."

And simply communicating with customers and vendors always helps, whether it be through helpful cyber hygiene tips and resources, or regular notices: "We'll never ask you for this code," "We'll never send you an email like this," and the like.

"Having both of those measures, and having that kind of open and honest culture — like, 'This is a problem, we're trying to fix it, here's how we're doing it, and here's how you can help us' — makes you a candidate for better outcomes," Fuchs says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

AI's Dual Role in SMB Brand Spoofing

While Singaporean organizations have adopted the majority of their government's cybersecurity recommendations, they aren't immune: More than eight in 10 experienced a cybersecurity incident over the course of the year.

Source: Cristophe Coat via Alamy Stock Photo

Singapore is leaving other countries in the dust when it comes to cybersecurity preparedness, according to a new government survey.

The Cyber Security Agency of Singapore's (CSA) Cybersecurity Health Report 2023 polled 2,036 small, medium, and large organizations, across 23 sectors, about various aspects of their cybersecurity — breaches faced, business impacts, measures implemented, and the like. It found that, on average, organizations have implemented just over 70% of the requirements necessary to obtain a "Cyber Essentials" certification. The certification includes five categories of national cybersecurity standards: "Assets," "Secure/Protect," "Update," "Backup," and "Respond."

Seventy percent is far from perfect, CSA emphasized, and some of its other results were a cause for further concern. But if graded on a curve, Singapore's organizations are doing quite well compared with the rest of the world.

"Governments and companies can take a page from Singapore's playbook and focus on proactive protection, education of the public, and discussion of cybersecurity initiatives at the highest levels of government," says Stephanie Boo, the Singapore-based senior vice president at Menlo Security.

**Why Singapore Is Ahead**

In contrast to the CSA's results, consider Cisco's 2024 Cybersecurity Readiness Index, released last week.

In a poll of 8,000 cybersecurity and business leaders across 30 countries, Cisco assessed that only 3% of organizations have a "mature" level of security readiness "needed to be resilient against modern cybersecurity risks." Seventy-one percent of organizations were graded as either in the "formative" stage (below average) or "beginner" (only just beginning to deploy security solutions).

When it comes to Singapore's vastly better results, Boo says, "Great government policies and ability to implement them across a small country are a couple contributing factors."

"However, credit also goes to a very computer-savvy population with a highly digitized economy, and a thoughtful, problem-solving approach to breaches. When the country experienced a breach in 2018, rather than continue business as usual, the government instituted an Internet separation where computers connecting to business applications are air-gapped from the Internet," she says. "For the many headline-grabbing breaches we have seen in the US, we have not seen a coordinated solution or mandate from other governments."

**Now the Bad News**

CSA's report also included some concerning results, however.

More than eight in 10 Singaporean organizations experienced a cybersecurity incident over the course of the year, and half experienced several. Among those, 99% experienced a business impact, with the most common consequences being business disruption, data loss, and reputational damage.

Singaporean business leaders were also found to suffer from the same recurring mental blocks that cyber professionals rail against no matter where they are in the world. When it came to why they haven't implemented security measures, besides a lack of knowledge and experience, respondents — 46% of businesses, 49% of nonprofits — most often expressed the belief that they were unlikely to be a target of a cyberattack. They also admitted that cybersecurity is a low priority at their organizations (38% and 44%, respectively), and cited a perceived lack of return on investment (36% and 31%).

CSA highlighted the irony in these arguments in a fact sheet, noting that the cost of meeting Singapore's Cyber Essentials threshold for a small business ranges from around $1,800 to $4,500.

"The amount is typically a small fraction of the cost of business disruptions or recovery procedures due to cyber incidents, the impact of which may also be extended beyond affected organizations to their customers and suppliers," according to the agency.

Boo notes that, in general, small businesses lack the resources to approach security from the business-case perspective.

"Small businesses focus on the must-haves to run their business and don’t have the bandwidth or forethought to look at business enablers from security," Boo says. "The best way to educate small businesses is to deliver the education through channels they already use — like their bank, credit card company, or their telecommunications provider. It is also important to keep it simple and focus on the business benefits rather than the complexity of cyber threats."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Singapore Sets High Bar in Cybersecurity Preparedness

Nearly three months after Operation Cronos, it's clear the gang is not bouncing back from the innovative law-enforcement action. RaaS operators are on notice, and businesses should pay attention.

Source: Jan Zwoliński via Alamy Stock Photo

Despite the LockBit ransomware-as-a-service (RaaS) gang claiming to be back after a high-profile takedown in mid-February, an analysis reveals significant, ongoing disruption to the group's activities — along with ripple effects throughout the cybercrime underground, with implications for business risk.

LockBit was responsible for 25% to 33% of all ransomware attacks in 2023, according to Trend Micro, easily making it the biggest financial threat actor group of the last year. Since it emerged in 2020, it has claimed thousands of victims and millions in ransom, including cynical hits on hospitals during the pandemic.

The Operation Cronos effort, involving multiple law enforcement agencies around the world, led to outages on LockBit-affiliated platforms, and a takeover of its leak site by the UK's National Crime Agency (NCA). Authorities then used the latter to make arrests, impose sanctions, seize cryptocurrency, and more activities related to the inner workings of the group. They also publicized the LockBit admin panel and exposed the names of affiliates working with the group.

Further, they noted that decryption keys would be made available, and revealed that LockBit, contrary to its promises to victims, never deleted victim data after payments were made.

In all it was a savvy show of force and access from the policing community, spooking others in the ecosystem in the immediate aftermath and leading to wariness when it comes to working with any re-emergent version of LockBit and its ringleader, who goes by the handle "LockBitSupp."

Researchers from Trend Micro noted that, two and a half months after Operation Cronos, there's precious little evidence that things are turning around for the group — despite LockBitSupp's claims that the group is clawing its way back into normal operations.

**A Different Kind of Cybercrime Takedown**

Operation Cronos was initially met with skepticism by researchers, who pointed out that other recent, high-profile takedowns of RaaS groups like Black Basta, Conti, Hive, and Royal (not to mention the infrastructure for initial access trojans like Emotet, Qakbot, and TrickBot), have resulted in only temporary setbacks for their operators.

However, the LockBit strike is different: The sheer amount of information that law enforcement was able to access and make public has permanently damaged the group's standing in Dark Web circles.

"While they often focus on taking out command and control infrastructure, this effort went further," Trend Micro researchers explained in an analysis released today. "It saw police manage to compromise LockBit's admin panel, expose affiliates, and access information and conversations between affiliates and victims. This cumulative effort has helped to tarnish the reputation of LockBit among affiliates and the cybercrime community in general, which will make it harder to come back from."

Indeed, the fallout from the cybercrime community was swift, Trend Micro observed. For one, LockBitSupp has been banned from two popular underground forums, XSS and Exploit, hampering the admin's ability to garner support and rebuild.

Shortly after, a user on X (formerly Twitter) called "Loxbit" meanwhile claimed in a public post to have been cheated by LockBitSupp, while another presumed affiliate called "michon" opened up a forum arbitration thread against LockBitSupp for nonpayment. One initial-access broker using the handle "dealfixer" advertised its wares but specifically mentioned that they did not want to work with anybody from LockBit. And another IAB, "n30n," opened a claim on the ramp\_v2 forum about loss of payment surrounding the disruption.

Perhaps worse, some forum commentators were extremely concerned by the sheer amount of information that police were able to compile, and some speculated that LockBitSupp may even have worked with law enforcement on the operation. LockBitSupp quickly announced that a vulnerability in PHP was to blame for the ability of law enforcement to infiltrate the gang's information; Dark Web denizens simply pointed out that the bug is months old and criticized LockBit's security practices and lack of protection for affiliates.

"The sentiments of the cybercrime community to LockBit's disruption ranged from satisfaction to speculation about the group's future, hinting at the significant impact of the incident on the RaaS industry," according to Trend Micro's analysis, released today.

**LockBit Disruption's Chilling Effect on the RaaS Industry**

Indeed, the disruption has sparked some self-reflection among other active RaaS groups: A Snatch RaaS operator pointed out on its Telegram channel that they were all at risk.

"Disrupting and undermining the business model seem to have had a far more cumulative effect than executing a technical takedown," according to Trend Micro. "Reputation and trust are key to attracting affiliates, and when these are lost, it's harder to get people to return. Operation Cronos succeeded in striking against one element of its business that was most important: its brand."

Jon Clay, Trend Micro's vice president of threat intelligence, tells Dark Reading that LockBit's defanging and the disruption's chilling effect on RaaS groups in general present an opportunity for business risk management.

"This can be a time for businesses to reassess their defense models as we may see a slowdown in attacks while these other groups assess their own operational security," he notes. "This is also a time to review a business incident response plan to make sure you have all aspects of a breach covered, including business operation continuity, cyber insurance, and the response — to pay or not pay."

**LockBit Signs of Life Are Greatly Exaggerated**

LockBitSupp is nonetheless attempting to bounce back, Trend Micro found — though with few positive results.

New Tor leak sites launched a week after the operation, and LockBitSupp said on ramp\_v2 forum that the gang is actively seeking out IABs with access to .gov, .edu, and .org domains, indicating a thirst for revenge. It wasn't long before scores of supposed victims started appearing on the leak site, starting with the FBI.

However, when the ransom payment deadline came and went, instead of sensitive FBI data appearing on the site, LockBitSupp posted a lengthy declaration that it would continue to operate. In addition, more than two-thirds of the victims consisted of reuploaded attacks that occurred prior to Operation Cronos. Of the others, the victims belonged to other groups, such as ALPHV. In all, Trend Micro's telemetry revealed just one small true LockBit activity cluster after Cronos, from an affiliate in southeast Asia that carried a low, $2,800 ransom demand.

Perhaps more concerningly, the group has also been developing a new version of ransomware — Lockbit-NG-Dev. Trend Micro found it to have a new .NET core, which allows it to be more platform-agnostic; it also removes self-propagating capabilities and the ability to print ransom notes via the user's printers.

"The code base is completely new in relation to the move to this new language, which means that new security patterns will likely be needed to detect it. It's still a functional and powerful piece of ransomware," researchers warned.

Still, these are anemic sign of life at best for LockBit, and Clay notes that its unclear where it or its affiliates may go next. In general, he warns, defenders will need to be prepared for shifts in ransomware gang tactics going forward as those participating in the ecosystem assess the state of play.

"RaaS groups are likely looking at their own weaknesses being caught by law enforcement," he explains. "They may review what types of businesses/organizations they target so as to not give much attention to their attacks. Affiliates may look at how they can rapidly shift from one group to another in case their main RaaS group gets taken down."

He adds, "shifting towards data exfiltration only versus ransomware deployments may increase as these don't disrupt a business, but can still allow profits. We could also see RaaS groups shift entirely towards other attack types, like business email compromise (BEC), which don't seem to cause as much disruption, but are still very lucrative for their bottom lines."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Source

DARKReading