National response team attributes reduction to a cyber workforce with better training.

Kenya has attributed an 11% decrease in cyber threats to increased training of its frontline cybersecurity personnel, along with greater cybersecurity awareness.

According to the July-September 2023 report from the Kenya Computer Incident Response Team Coordination Centre (KE-CIRT/CC), nearly 124 million cyber threat events were detected — a 11.36% decrease from the 139.7 million threat events detected the previous quarter.

Christopher Wambua, spokesman for the Communications Authority of Kenya, said Kenya's critical information infrastructure was the target for more than 855 million cyber threats between July 2022 and June 2023, making Kenya the third most targeted country in the region, behind South Africa and Nigeria.

Statistics from the report showed that system attacks accounted for over 100 million of the detections. A DDoS attack on its e-citizen digital platform in July was specifically named, as it was briefly inaccessible following a hit claimed by Anonymous Sudan.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattacks on Kenya Drop in Third Quarter

As the conflict in the Middle East rages, malicious actors look to exploit the situation with bogus charity sites encouraging donations.

Researchers have uncovered hundreds of cyber scams leveraging the Israeli-Hamas conflict, including more than 500 scam emails and fraudulent websites capitalizing on people's willingness to aid those affected by the war.

Many of these emails contain links to scam websites that provide information about the ongoing situation and encourage individuals to make contributions, with the added convenience of various cryptocurrency payment options, according to Kaspersky researchers.

By tracking the wallet addresses used, security experts found additional fraudulent Web pages claiming to collect aid for various groups within the conflict area.

Andrey Kovtun, security expert at Kaspersky, says attackers often attempt to intimidate recipients by threatening severe consequences, such as financial losses, account suspensions, or even legal action, if the potential victims fail to click links, open attachments, or call specified phone numbers.

"Urgency often compels recipients to act swiftly," he adds. "In some instances, such as the recent campaign exploiting the Israeli-Hamas conflict, scammers try to appeal to sympathy, soliciting funds while presenting their actions as noble endeavors."

Callie Guenther, senior manager of cyber threat research at Critical Start, says threat actors have an uncanny ability to adapt their tactics based on current events and societal concerns. This emotional appeal, rooted in compassion and moral responsibility, often overshadows rational decision-making, rendering potential victims more susceptible.

**A Multitude of Tactics**

Fake charity scams often emerge during real disasters, with scammers posing as charitable organizations and using emotional language to lure users in. Tactics include the common methods of multiple text variations to evade spam filters or altered links and sender addresses.

"During conflicts or emergencies, situations can change rapidly, and news travels quickly," Kovtun says. "Fraudulent pages may adapt to the latest developments, such as incorporating current facts or photos to appear more credible."

They can also evolve with more sophisticated designs, aiming to resemble legitimate organizations — for example, they may replicate the visual layout of other well known charities or humanitarian organizations. "Additionally, scammers could add content to the fraudulent websites, for example, news updates, and more, to diversify it with pages other than a money transfer one," Kovtun adds.

**Ferreting Out the Fraud**

To protect against such scams, users are urged to thoroughly scrutinize websites before donating, as fake sites often lack essential information about the organizers, recipients, legitimacy, or transparency regarding fund usage.

"Apart from the simple use of a search engine to find reports of an organization being a scam, look up the provenance of the domain names involved using whois.com or another domain registrar's records," Hamilton advises. "If domains were recently registered it is less likely that the organizations are legitimate."

He also recommends looking for the owner of the IP address space used by the Web properties involved and the country where the hosting service originates.

"Legitimate charity organizations' websites rarely consist of a single page," Kovtun points outs. "Encountering such a landing page should prompt a search for the organization's name to explore the search results."

Upon discovering additional information in the search results, it is advisable to cross-reference the recipient's details on the website received in the email with the information on the official site from search results.

"Spelling or grammar errors often serve as indicators of fraudulent pages," Kovtun says. "If there is still uncertainty about the organizations you have checked, it is better to donate to well-known humanitarian support organizations."

Guenther says it's also beneficial to remember that while the guise may change — be it the Israeli-Hamas conflict, the Haiti earthquake, or the Syrian Refugee Crisis — the underlying strategies remain consistent. "Being informed and maintaining a healthy skepticism can be our strongest defenses against these opportunistic scams," she notes.

Israeli-Hamas Conflict Spells Opportunity for Online Scammers

Cybercriminals already operate across borders. Nations must do the same to protect their critical infrastructure, people, and technology from threats foreign and domestic.

Despite an onslaught of media coverage on cyberattacks and the impact of cybercrime on businesses and governments around the world, most people and, worse, most countries still don't view cybercrime as a national security issue.

Unlike some other areas of organized crime, cybercrime poses a direct threat to national security and the everyday lives of citizens. These malicious actors can target critical infrastructure like hospitals, pipelines, the financial system, energy facilities, shipping ports, and airports. One of the most well-known examples of the impact cybercrime can have on critical infrastructure and how quickly things can go wrong is the Colonial Pipeline ransomware attack and its aftermath, which disrupted economic activity.

**National Intelligence Agencies Are Focused Elsewhere**

However, even as the damages inflicted by cybercrime increase every year, national intelligence agencies remain focused on other national entities and terrorist groups. This leaves private organizations on their own, unarmed and incapable of dealing with malicious actors' growing sophistication and resources.

This is a colossal mistake that could lead to catastrophic consequences. Cybercrime is the central threat in cyberspace. To effectively combat it, nation-states must recognize the harm it can do and take proactive steps to lay the foundation for an international alliance for cybersecurity. Picture it as the NATO of cybersecurity. By coming together as a group, these nation-states can better protect their people, critical infrastructure, and proprietary technology from cyber threats, while also strengthening international relations.

To date, countries have failed to rise to the occasion. Some would even venture to say that we're moving backward, as international tensions rise as a result of the war in Ukraine and other conflicts. Additionally, the ever-growing patchwork of data privacy laws has created new roadblocks for information sharing and response times. In order to shift the narrative and get on the right course to establishing a new international organization geared to the mitigation of, protection against, and punishment of cybercriminals, we first must establish three overarching branches of enforcement.

1.  **The intelligence branch:** Whether you're in Asia, Europe, Latin America, or North America, cybercriminals use the same methods and tactics to conduct attacks. However, today, each country deals with cybercriminal activities independently, negatively impacting information sharing, resources, and expertise. Establishing an intelligence branch would serve as a hub that collects and centralizes information on malicious actors, and their methods, tools, and attacks. By developing a comprehensive database on cybercriminals, each member of this international cyber alliance would benefit from shared knowledge, enabling them to enhance their ability to prevent and respond to cyber threats effectively.
2.  **The policy and strategy branch:** Using the information and data collected by the intelligence branch, a policy and strategy team would be able to develop best practices, guidelines, and regulations that serve as the bedrock for a robust national cyber environment. By sharing and implementing these policies, the alliance can create a common framework that enhances cybersecurity measures and minimizes vulnerabilities across borders.
    
3.  **The** **operations branch:** Lastly, any new international cybersecurity alliance will need an operations branch. This branch would be responsible for implementing, executing, and enforcing laws, as well as taking actions to deter cybercriminals and legally pursuing them. By collectively responding to cyber threats, the alliance can demonstrate a unified front against cybercriminals, making it more challenging for them to exploit vulnerabilities across member countries.
    

In addition to establishing the three branches of the alliance, there are several other key components that are necessary. These include infrastructure, a host country, and like-minded member countries:

*   **Infrastructure:** An undertaking on this scale would require a robust physical and virtual presence to facilitate seamless information sharing, collaboration, and coordinated responses. Without this, nations and industries would continue to struggle with information sharing, mitigation, and enforcement.
*   **Host country:** Similar to other international organizations, it is advisable for the alliance to have a host country that can facilitate the organization's operations. The United States is the most obvious choice. Given the country's technological capabilities, innovative culture, and history of leadership in cybersecurity, it would be the ideal candidate for hosting the international alliance for cybersecurity.
*   **Like-minded member countries:** The success of the international alliance depends on member countries sharing common values such as liberal principles, a free market, democratic governance, and the protection of human rights. As in other military alliances, the member countries would form a unified attack surface, and operate together to fight attacks.

Cybercriminals already operate across borders, sharing knowledge and collaborating on a global scale. It's time for nations to do the same to protect their critical infrastructure, people, and technology from threats foreign and domestic.

It's Time to Establish the NATO of Cybersecurity

Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems.

Flaws in the implementation of the Open Authorization (OAuth) standard across three prominent online services could have allowed attackers to take over hundreds of millions of user accounts on dozens of websites, exposing people to credential theft, financial fraud, and other cybercriminal activity. 

Researchers from Salt Labs discovered critical API misconfigurations on the sites of several online companies — artificial intelligence (AI)-powered writing tool Grammarly, online streaming platform Vidio, and Indonesian e-commerce site Bukalapak — that lead them to believe that dozens of other sites are likely compromised in the same way, they revealed in a report published Oct. 24.

OAuth is a widely implemented standard for allowing for cross-platform authentication, familiar to most as the option to log in to an online site with another social media account, such as "Log in with Facebook" or "Log in with Google." 

The recently-discovered implementation flaws are among a series of issues in OAuth that the researchers have discovered in recent months, stretching across prominent online platforms that put users at risk. Salt researchers already had discovered similar OAuth flaws in the Booking.com website and Expo — an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase — that could have allowed account takeover and full visibility into user personal or payment-card data. The Booking.com flaw also could have allowed log-in access to the website's sister platform, Kayak.com.

The researchers refer broadly to the latest issue found in Vidio, Grammarly, and Bukalapak as a "Pass-The-Token" flaw, in which an attacker may use a token — the unique, secret site identifier used to verify the handoff — from a third party site typically owned by the attacker himself to login to another service.

"For example, if a user logged in to a site called mytimeplanner.com, which is owned by the attacker, the attacker could then use the users token and log in on his behalf to other sites, like Grammarly for instance," Yaniv Balmas, vice president of research at Salt, explains to Dark Reading.

The researchers found the latest issues in Vidio, Bukalapak, and Grammarly between February and April, respectively, and notified the three companies in turn, which all responded in a timely way. The misconfigurations all have since been resolved in these particular services, but that's not the end of the story. 

"Just these three sites are enough for us to prove our point, and we decided to not look for additional targets," according to the report, "but we expect that thousands of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day,"

**Various Ways to Misconfigure OAuth**

The issue manifests itself uniquely on each of the three sites. On Vidio, an online streaming platform with 100 million monthly active users, the researchers found that when logging into the site through Facebook, the site did not verify the token — which the website developers and not OAuth must do. Because of this, an attacker could manipulate the API calls to insert an access token generated for a different application, the researchers found.

"This alternate token/AppID combination allowed the Salt Labs research team to impersonate a user on the Vidio site, which would have allowed massive account takeover on thousands of accounts," the researchers wrote in the report.

Like Vidio, Bukalapak — which has more than 150 million monthly users — also didn't verify the access token when users registered using a social login. In a similar way, the researchers could insert a token from another website to access a user's credentials and completely take over that user's account.

The OAuth issue discovered on Grammarly — which helps more than 30 million daily users improve their writing by offering grammar, punctuation, spelling checks, and other writing tips — manifested itself slightly differently.

The researchers found that by doing reconnaissance on the API calls and learning the terminology the Grammarly site uses to send the code, they could manipulate the API exchange to insert code used to verify users on a different site and, again, obtain the credentials of a user's account and achieve full account takeover.

**Secure OAuth From the Start**

OAuth itself is well-designed, and the major OAuth providers such as Google and Facebook have secure servers protecting them on the back end. However, those developing the services and sites that leverage the standard to perform the authentication handoff often create issues that render the exchange inherently insecure even if the site appears to function properly, Balmas says.

"It is very easy for anyone to add social-login functionality to his website … and everything will actually work quite fine," he says. "However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users."

For this reason, it's essential to the security of sites and services that leverage OAuth to be secure from an implementation standpoint, which may require that developers do some homework before building the standard into the site.

"Web services who wish to implement social login or any other OAuth-related functionalities should make sure they have a solid understanding of how OAuth works and common pitfalls that may have potential for being abused," he says.

Developers can also use third-party tools that monitor for anomalies and deviations from typical behavior and which may identify as-yet unknown attacks, providing a safety net for the site and thus all of its users, Balmas adds.

'Log in with...' Feature Allows Full Online Account Takeover for Millions

A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.

In the latest in the saga of compromise involving a max-critical Cisco bug that has been exploited as a zero-day as users waited for patches, several security researchers reported observing a sharp decline in the number of infected Cisco IOS XE systems visible to them over the weekend. 

The drop sparked a range of theories as to why, but researchers from Fox-IT on Oct. 23 identified the real reason as having to do with the attacker simply altering the implant, so it is no longer visible via previous fingerprinting methods.

By way of background: The main bug being used in the exploit chain exists in the Web UI of IOS XE (CVE-2023-20198). It ranks 10 out of 10 on the CVSS vulnerability-severity scale, and gives unauthenticated, remote attackers a way to gain initial access to affected devices and create persistent local user accounts on them. 

The exploit method also involves a second zero-day (CVE-2023-20273), which Cisco only discovered while investigating the first one, which allows the attacker to elevate privileges to root and write an implant on the file system. Cisco released updated versions of IOS XE addressing the flaws on Oct. 22, days after disclosure, giving cyberattackers ample opportunity to go after legions of unpatched systems.

**Sudden Decline in Compromised Systems**

And go after them they did. Security researchers using Shodan, Censys, and other tools last week reported observing what appeared to be a single threat actor infecting tens of thousands of affected Cisco IOS XE devices with an implant for arbitrary code execution. The implants are not persistent, meaning they won't survive a device reboot.

A sudden and dramatic drop over the weekend in the number of compromised systems visible to researchers caused some to speculate if an unknown grey-hat hacker was quietly removing the attacker's implant from infected systems. Others wondered if the attacker had moved to another exploit phase, or was doing some sort of clean-up operation to conceal the implant. Another theory was that the attacker was using the implant to reboot systems to get rid of the implant.

But it turns out that nearly 38,000 remain compromised via the two recently disclosed zero-day bugs in the operating system, if one knows where to look.

**Altered Cisco Implant**

"We have observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding," the Fox-IT researchers said on X, the platform formerly known as Twitter. "This explains the much-discussed plummet of identified compromised systems in recent days." 

By using another fingerprinting method to look for compromised systems, Fox-IT said it identified 37,890 devices with the attackers implant still on them. 

"We strongly advise everyone that has (had) a Cisco IOS XE WebUI exposed to the Internet to perform a forensic triage," the company added, pointing to its advisory on GitHub for identifying compromised systems.

Researchers from VulnCheck who last week reported seeing thousands of infected systems, were among those who found the compromised devices suddenly disappearing from view over the weekend. CTO Jacob Baines, who initially was among those unsure about what might have happened, says Fox-IT's take on what happened is correct.

"Over the weekend the attackers changed the way the implant is accessed so the old scanning method was no longer usable," Baines says. "We've just recently altered our scanner to use the new method demonstrated by Fox-IT, and we are seeing essentially what we saw last week: thousands of implanted devices."

Cisco updated its guidance for detecting the implant on October 23. In a statement to Dark Reading, the company said it released the new indicators of compromise after uncovering a variant of the implant that hinders the identification of compromised systems. "We strongly urge customers to implement the guidance and install the security fix outlined in Cisco’s updated security advisory and Talos blog," the company said.

**Puzzling Cyberattacker Motivations**

Baines says the attacker's motivation for altering the implant is puzzling and completely unexpected. "I think normally, when an attacker is caught, they go quiet and revisit the affected systems when the dust has settled."

In this case, the attacker is attempting to maintain access to implants that dozens of security companies now know exist. 

"To me, it seems like a game they can't win," Baines says. "It seems this username/password update must be a short-term fix so that they can either hold on to the systems for a few more days — and accomplish whatever goal — or just a stopgap until they can insert a more stealthy implant."

Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices

Despite warnings that sending one-time passwords via text messages is a flawed security measure, companies continue to roll out the approach, especially in consumer-facing applications.

Following a spate of attacks targeting independent developers on its Steam game-distribution platform, game maker Valve last week said that it will require developers to provide their phone numbers so the company can use SMS for two-factor authentication (2FA) starting Oct. 24. 

"As part of a security update, any Steamworks account setting that builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing," the company stated in its notification. "We also plan on adding this requirement for other Steamworks actions in the future."

But since SMS-based two-factor authentication can be circumvented by persistent attackers using a variety of methods, the move raises the question: Why are consumer-facing online services still making SMS the go-to second factor, both internally and for customers?

**SMS-Based 2FA: Not Really Secure**

Getting around SMS two-factor authentication has become a priority among attackers, and indeed, it has been defeated using everything from machine-in-the-middle attacks to social engineering — including, in the infamous Uber breach case, through 2FA fatigue attacks. 

In 2022, for example, a banking Trojan known as Xenomorph compromised more than 50,000 Android devices after the cybercriminal group behind the malware disguised it as a performance utility, according to Tony Anscombe, chief security evangelist for digital security firm ESET.

"In reality, it was stealing the user’s login credentials for banking, payment, social media, cryptocurrency and other apps that have valuable personal information," he says. "The malware abused more than 50 apps, including PayPal and Coinbase, and included the ability to intercept messages and notifications, giving the cybercriminal the ability to bypass two-factor authentication codes.

But even the low-tech approach of just walking into a cellular store (SIM-swapping) or finding a corrupt technician works well, says David Richardson, vice president of endpoint and threat intelligence at cloud security platform Lookout. All an attacker has to do is know the targeted individual's phone number to attack the channel.

"The whole system is basically built on an assumption of trust — I could walk into any store and easily cancel my contract and port my phone number ... to pretty much any carrier," he says. "Basically \[an attacker could\] take over any phone number and start to receive the phone calls and, most importantly in these cases, the SMS messages that are that are going to those to those numbers."

And cellphone numbers are some of the most commonly leaked information on the Internet. The recent compromises of MGM Resorts and Caesars Entertainment, for example, exposed millions of records of business professionals and individual consumers, including phone numbers, which could be used by attackers for further attacks. 

**2FA Is Better Than Nothing**

SMS-based 2FA persists in the face of the insecurity for the simple reason that it's a relatively painless security mechanism for end users: A company merely needs to know is the customer's phone number to text a one-time passcode for authentication. For consumer-facing companies, reducing friction is the name of the game.

At the same time, making attackers' jobs even just a little bit more difficult helps protect developers — and the players of their games.

"Any MFA is better than no MFA — like, vastly superior," Lookout's Richardson says. "You're 10 times harder to hack if you've got an SMS-based MFA, so ... you're way better off having some form of multifactor authentication versus no form of multifactor authentication."

An SMS code could have protected Benoît Freslon, the independent developer behind the game NanoWar: Cells VS Virus, for example. Freslon fell prey to a social engineering scam, apparently when cybercriminals posing as another developer sent him a direct message with malicious content, according to a statement posted on Steam's Community forums.

"I was hacked, all my social networks accounts including Discord and Steam were compromised ... \[t\]he hacker uploaded a malware with \[sic\] my account," a developer stated on Steam's forums. "Be careful when a friend ask you to test his game on private message on Discord. ... It was the most stressfull days \[sic\] of my indie developer life."

Valve removed the game from Steam on Aug. 25, a day after the group behind the hacks published the infected version from the developer's account. The game developer stressed that a safe version of the game has been available since Sept. 15, uploaded from a "totally clean machine."

**SMS: A Good First Step, but...**

Companies focused on consumers and worried that the additional friction posed by 2FA security could use app-based factors that are already widely adopted, such as Google's or Microsoft's authenticators, says ESET's Anscombe.

"Many consumer-focused companies already provide the option to use either Microsoft or Google authenticator apps, this reduces the barrier to adoption as consumers may already have these apps installed," he says. 

"An app is not subject to SIM cloning nor malware that uses the operating systems permissions system to read SMS messages," he says. "The app itself should be protected by a passkey or biometrics adding an additional layer of security."

Boosting security has become important for game companies, as users have more digital in-game assets stored in online accounts that cybercriminals aim to monetize, and while cheaters look to access other gamers' accounts to gain advantage. Steam expects to roll out more security measures in the future to better protect, not only the developers but its customers and reputation.

Valve's 2FA Mandate for Game Developers Shows SMS Stickiness

Brasileiro cybercrime has been on the rise. Now, one campaign targeting bank customers has reached beyond the Americas, into Europe.

The Brazilian banking malware known as "Grandoreiro" has crossed the pond, with a new campaign from TA2725 targeting customers in Spain, as well as Brazil and Mexico. 

Dark Web activity in Latin America has surged in the last two years, and it's largely concentrated in two countries. According to SOCRadar, 360 billion attempted cyberattacks peppered the region in 2022, with 187 billion and 103 billion affecting Mexico and Brazil, respectively.

Now there's increasing evidence that Latin American cybercrime is extending outwards.

Proofpoint has tracked TA2725 since March 2022. It's been known to hide bank account and credit card-sniffing malware inside of phishing emails, primarily directed to organizations either in its home country or Mexico. And according to a new blog post by Jared Peck, senior threat researcher at Proofpoint, the group has recently upgraded its signature malware to include institutions on both sides of the Atlantic.

**Brazilian Malware in Spain**

Grandoreiro attacks begin with a malicious URL in a phishing email. Lures may come in the form of a fake shared document, utility bill, tax form, etc. The URL leads to a ZIP file containing a loader which, when run, downloads a legitimate but vulnerable application. The application is exploited with some DLL sideloading, and then comes the final payload.

Grandoreiro can harvest data via a keylogger, screen grabber, or an old-fashioned overlay on top of an online banking login page. These overlays mimic popular Brazilian and Mexican banks plus, in two campaigns observed late in August, banks located in Spain. (TA2725's phishing lures were also diversified, to mimic Spain-based organizations.)

This isn't the first time Brazilian Trojans have spanned the Atlantic. Earlier this year, for example, threat actors pulled a reverse Pedro Cabal, subjugating Portuguese bank customers in a campaign called "Operation Magalenha." This latest activity only furthers an emerging trend — that Brazilian malware is no longer contained to one continent.

**Why Brazilian Cybercrime Is Having a Moment**

Where once they seemed solely the domain of the northern hemisphere, banking trojans have thrived in Brazil in recent years. According to Peck, there are a few reasons why.

"The general population in many parts of the world, like Brazil and other parts of South America and Latin America, may not have been afforded the same access to cybersecurity education and protection technology as other parts of the world, but continue to grow their online presence. This situation leads to a lack of user awareness around phishing and malware threats, which, in turn, leads to a higher number of victims who click and are affected," he explains, adding that "this general population is upwardly mobile, leading to a larger middle class, so there is more opportunity to victimize a larger pool of a population."

According to Proofpoint, the most common malware families — including Grandoreiro but also, Casabeniero, Javali, and Mekotio — possess a shared lineage: a Delphi-based ancestor from which source code components have been passed down and modified through generations.

Organizations in affected countries can look out for suspicious programs with these same elements. Or, as Peck emphasizes, they can focus on the human side of such compromises.

"Today's cyber threats rely on human interaction, not just technical exploits, so it is essential that organizations incorporate localized user security awareness training on identifying malicious phishing and threat actor tactics, techniques, and procedures while also empowering users to feel comfortable reporting their suspicions even after they may have fallen victim to an attack," he advises.

Hola Espana: 'Grandoreiro' Trojan Targets Global Banking Customers

The investigation is ongoing, and the city will contact those who may have potentially been affected by the breach, it said.

Five months after a cyber incident occurred, the city of Philadelphia is now releasing a notice regarding the investigation of a data breach, which involved personal health information.

Officials came across suspicious email activity, and after launching an investigation to determine the scope of the incident, found that a threat actor gained access to the city's email accounts between May 26 and July 28 of this year. The investigation is ongoing.

In a privacy incident notice, the city of Philadelphia wrote that "the types of information impacted vary by individual. However, the types of information impacted could include: demographic information, such as name, address, date of birth, social security number, and other contact information; medical information, such as diagnosis and other treatment related information; and limited financial information, such as claims information."

The city has reported the cyber breach to the US Department of Health and Human Services, and recommends that individuals remain vigilant by reviewing account statements, credits reports, and any unusual activity.

"Any suspicious activity should be reported promptly to your insurance company, health care provider, or applicable financial institution," the city stated in its notice. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

City of Philadelphia Releases Cyber-Breach Notice

The top 10 priorities of state CIOs underscore the importance of securing applications and APIs in complex environments.

The US National Association of State Chief Information Officers (NASCIO) released its set of State CIO Top Ten Policy and Technology Priorities for 2023 back in December 2022. I'd like to examine these priorities now as they relate to developing, delivering, and securing the applications and application programming interfaces (APIs) that help make state and local governments run — as well as how the complexity of hybrid and multicloud environments factors into the priorities.

**1\. Cybersecurity and Risk Management**

Over time, infrastructure has become significantly more complex and distributed. Most enterprises, including state and local governments, are managing hybrid and multicloud environments. By exposing more touch points, these more complex environments create an expanded threat landscape. State and local governments face intense pressure to continue improving their applications and APIs. However, this fast pace of innovation opens up the potential for vulnerabilities and security issues and necessitates protecting those applications and APIs. Thus, it is no surprise that cybersecurity and risk management are this year's top priority.

**2\. Digital Government/Digital Services**

Now more than ever, state and local governments are tasked with providing digital services to their citizens. Ensuring that services are provided to the appropriate and intended individuals is of the utmost importance. So is ensuring that digital services give citizens the best possible experience. This requires simplifying and optimizing how environments in which we deploy our applications and APIs are managed, as well as having those environments perform properly. Simplifying complexity improves security by removing the potential for human error, as does ensuring that APIs are served to the right citizens in a timely manner.

**3\. Workforce**

New environments require new skills. As state and local government infrastructures have evolved, so have the skills required to manage, operate, maintain, and secure them. This means training the workforce and equipping workers for today's challenges — including securing hybrid and multicloud environments and detecting, analyzing, and responding to security incidents wherever they occur, even in one or more cloud environments.

**4\. Legacy Modernization**

The migration of some applications and APIs to hybrid and multicloud environments has become an integral part of legacy modernization. As states and local governments go through these modernization efforts, their cloud strategies have been and will remain an important piece of the overall picture. Environments will need to be properly secured as they are modernized, regardless of where those environments reside.

**5\. Identity and Access Management**

Applications and APIs connect to (and potentially expose) back-end systems and data. In many cases, they are also the public face of the enterprise. As such, properly controlling access to applications and APIs is a significant challenge for any enterprise, including state and local governments. While identity and access management (IAM) is a broad topic, it has specific applicability to applications and APIs running in hybrid and multicloud environments.

**6\. Cloud Services**

As noted above in point 4, cloud strategy is an important piece of the overall picture within state and local governments. Citizens have grown to expect services to be delivered quickly and efficiently. They also expect significant innovation. This has necessitated that state and local governments move quickly and adapt. Such nimbleness is a key component of any cloud strategy, and an organization's cloud security efforts need to be equally nimble.

**7\. Consolidation/Optimization**

Simplifying and optimizing the management, operations, maintenance, and security of a variety of environments remains an important priority for two main reasons: In many enterprises, entire teams are dedicated to operating and maintaining infrastructure, development, security, and other technology stacks at each different environment. As the number of environments grows, this approach does not scale (it is an _n_\-squared problem, for those who enjoy algorithms).

In addition, as the saying goes: Complexity is the enemy of security. The complexity that hybrid and multicloud environments introduce makes it difficult to universally and consistently apply security policies. It also opens up the potential for human error and oversights that can lead to vulnerabilities. Simplifying this complexity by consolidating and centralizing the management of different environments becomes a necessity.

**8\. Data and Information Management**

Properly securing APIs, which expose back-end systems and data, is an essential piece of protecting data. API security includes a variety of important topics, including ensuring APIs conform to security policy and schema requirements.

While API security is a big focus area, so is API discovery. After all, if an API is not known, it can't be properly inventoried, managed, and secured. When thinking about data and information management, it is important to consider the security of APIs as an important part of that.

**9\. Broadband/Wireless Connectivity**

Part of providing services to citizens involves bringing state and local networks closer to the constituents. Efforts to improve broadband and wireless connectivity have many moving parts, and cloud and edge environments play a role in these efforts. Protecting those networks from unauthorized access is paramount to security.

**10\. Customer Relationship Management**

Citizens have come to expect that state and local governments will provide services within acceptable time frames. This requires serving applications and APIs quickly and efficiently. Service-level agreements (SLAs) will need to be met. A well-designed cloud security strategy is an essential part of achieving these goals and properly managing the relationship with citizens.

**In Short: Applications Are Key**

State and local government CIOs and their teams face no shortage of challenges. Generally, there are more issues needing attention than there are resources to do them. As such, simplifying the management, operations, maintenance, and security of complex environments becomes key.

In the era of hybrid and multicloud environments, state and local governments will generally see good returns on investments by more efficiently and effectively developing, delivering, and securing the applications and APIs that help make state and local governments run.

How State and Local Governments Can Serve Citizens More Securely

Cops track down ransomware developer and seize Ragnar Locker infrastructure and data-leak site, Europol says.

Law enforcement agencies have arrested the suspected developer of the Ragnar Locker ransomware group, tracking the person down in Paris.

The arrest is part of a coordinated policing effort from 11 separate countries. Agents swarmed on operators of the prolific group, seizing its cybercrime infrastructure.

Europol released some details of the takedown on Oct. 20 after Ragnar Locker's Tor data-leak site was replaced with a vague notice of a "coordinated international law enforcement action" just days earlier; now, more details are forthcoming.

The person arrested is identified by Europol as the "main perpetrator suspected of being a developer of the Ragnar group." Five additional suspects were interviewed in Spain and Latvia, the statement added.

Ragnar Locker ransomware group has been active since 2019, targeting infrastructure including the energy sector, hospitals, airports, and more.

The group often used double extortion tactics, mounting pressure on victims to pay ransoms, Europol pointed out in its announcement, which added "The threat level of Ragnar Locker was considered as high, given the group’s inclination to attack critical infrastructure."

The following countries cooperated in the operation: Czech Republic, France, Germany, Italy, Japan, Latvia, Netherlands, Spain, Sweden, Ukraine, and the United States, Europol said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading