Make sure cybersecurity is taken seriously and consistently across the board. Educate the ecosystem beyond your own organization to mitigate security risks for everyone.

There's been a lot of speculation about how this year will unfold. Many economic authorities, such as the US Federal Reserve, the European Central Bank, the Swiss government, and Morgan Stanley are predicting a macroeconomic slowdown as the year progresses. Whether a temporary pause in growth or a full-blown recession emerges, the fact is organizations are increasingly critically eyeing their budgets and, at minimum, trying to do more with what they have, or going down the path of fiscal reduction.

The fact is, regardless of the financial environment, cyber threats will continue evolving, and threat actors will only get more innovative in how they attempt to manipulate their targets. Therefore, the cybersecurity attack surface is certain to expand. There's simply no room to stand still, regardless of whether we're facing an economic downturn. Everyone reading this article understands the financial damage cyberattacks can cause and how they can serve to further heighten economic damage in an already challenging scenario.

**The Importance of Unifying Security Investments**

A key consideration for organizations in this climate is to examine the value of unifying their existing security investments to streamline their security operations. Typically, this can be done even in a period of stagnating budgets while still bolstering proactive defenses.

Questions to ask include: Is there overlap between elements of the security stack? As stated in the NIST Cybersecurity Framework (PDF), security applications need to cohesively and mutually support an organization's security posture by ensuring identification, protection, detection, response, and recovery are fully supported.

All these elements are, of course, interconnected. Security professionals need to keep that in mind, rather than introduce and/or manage the chaos of a siloed collection of point tools. We're long past the era of having to deal with disparate security systems. Rather, platforms, applications, and tools must be interoperable and interconnected, for comprehensive management, monitoring, and measurement.

**Evolving Beyond "Code Warrior" Silos**

Another key consideration in recession-proofing security operations is the importance of empowering more than "code warriors" when it comes to contributing to managing cybersecurity deployments. In 2023, it needs to be "all hands on deck," and it can't just be a tiny group of people responsible for large-scale enterprise security. Enterprise security management tools can play a major role in empowering a wider group of people to protect organizations.

Why does this matter? Because part of maximizing value involves security processes that focus on shared responsibilities, in which employees, R&D, DevOps, and IT are true partners and collaborators in protecting their organizations. An example of this is how security automation is now moving toward validating end users' identities and enabling them to have temporary security clearances to engage in system updates, credential retrieval, and remote access, with dramatically minimized risk. This is enabled through integration across communications and project management tools, anchored by workflows that ensure accurate verification and access controls.

**Empowering Your Customers and Partners**

There's another element that is rarely discussed when it comes to an optimal cybersecurity posture and managing costs: educating customers and partners about their own cybersecurity standards. After all, cybersecurity is an end-to-end multiorganization ecosystem. Cybersecurity problems that affect one company can come home to roost in another. The fewer issues that occur with customers and partners, the fewer problems your organization must deal with.

Developing a customer and partner awareness campaign can be crucial here. It's very important to educate the ecosystem beyond your own organization to mitigate risk for everyone. Organizations can deploy best practices via their own emails, newsletters, social media, customer and partner portals, and account managers. The best approach is to use multiple elements to get the word out about ensuring cybersecurity is taken seriously and consistently across the board.

In general, cybersecurity companies need to emphasize their proactive capabilities and philosophies over the historic reactive element in current economic circumstances. If they position themselves as a critical, protective layer and consultative presence, it will go a long way to cementing the essential nature of their offerings.

The Importance of Recession-Proofing Security Operations

The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.

A high-severity authentication bypass vulnerability in a widely used open source Java framework is under active exploit by threat actors, who are using the flaw to deploy backdoors to unpatched servers, the US Cybersecurity and Infrastructure Security Agency (CISA) and security researchers are warning.

The scenario could pose a significant supplychain threat for any unpatched software that uses the affected Java library, which is found in the ZK Java Web Framework, experts said.

The CISA has added CVE-2022-36537, which affects ZK Java Web Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, to its catalog of Known Exploited Vulnerabilities (KEV).

The flaw, found in ZK Framework AuUploader servlets, could allow an attacker "to retrieve the content of a file located in the Web context," and thus steal sensitive information, according to the KEV listing. "This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager," CISA said.

Indeed, the flaw first drew widespread attention in October 2022 when ConnectWise sounded an alarm over its existence in its products — specifically, ConnectWise Recover and R1Soft server backup manager technologies. Senior security researchers John Hammond and Caleb Stewart at Huntress subsequently published a blogpost about how the flaw can be exploited.

In an update to that blog post published concurrent with the CISA's advisory, Huntress warned that "the vulnerability discovered last year in ConnectWise's R1Soft Server Backup Manager software has now been seen exploited in the wild to deploy backdoors on hundreds of servers via CVE-2022-36537."

CISA and Huntress both based their warnings on research from Fox-IT published Feb. 22 that found evidence of a threat actor using a vulnerable version of ConnectWise R1Soft Server Backup Manager software "as an initial point of access _and_ as a platform to control downstream systems connected via the R1Soft Backup Agent," the researchers wrote in a blog post.

"This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges," according to the post. "This means that after the adversary initially gained access via the R1Soft server software it was able to execute commands on all systems running the agent connected to this R1Soft server."

**History of the Flaw**

For its part, ConnectWise moved swiftly to patch the products in October, pushing out an automatic update to both the cloud and client instances of ConnectWise Server Backup Manager (SBM), and urging customers of the R1Soft server backup manager to upgrade immediately to the new SBM v6.16.4.

A researcher from Germany-based security vendor Code White GmbH was the first to identify CVE-2022-36537 and report it to the maintainers of the ZK Java Web Framework in May 2022. They fixed the issue in version 9.6.2 of the framework.

ConnectWise became aware of the flaw in its products when another researcher from the same company discovered that ConnectWise's R1Soft SBM technology was using the vulnerable version of the ZK library and reported the issue to the company, according to the Huntress blog post.

When the company did not respond in 90 days, the researcher teased a few details on how the flaw could be exploited on Twitter, which researchers from Huntress used to replicate the vulnerability and refine a proof-of-concept (PoC) exploit.

Huntress researchers ultimately demonstrated they could leverage the vulnerability to leak server private keys, software license information, and system configuration files and eventually gain remote code execution in the context of a system superuser.

At the time, researchers identified "upwards of 5,000 exposed server manager backup instances via Shodan — all of which had the potential to be exploited by threat actors, along with their registered hosts," they said. But they surmised that the vulnerability had the potential to impact significantly more machines than that.

**Supply Chain at Risk**

When Huntress did its analysis of the flaw, there was no evidence of active exploit. Now, with that scenario changed, any unpatched versions of the ZK Java Web Framework found not only in ConnectWise but also other products are fair game for threat actors, which could create significant risk for the supply chain.

Fox-IT's research indicates that worldwide exploitation of ConnectWise's R1Soft server software started around the end of November, soon after Huntress released its PoC.

"With the help of fingerprinting, we have identified multiple compromised hosting providers globally," the researchers wrote.

In fact, Fox-IT researchers said on Jan. 9 that they had identified a "total of 286 servers running R1Soft server software with a specific backdoor."

CISA is urging that any organizations still using unpatched versions of the affected ConnectWise products update their products "per vendor instructions," according to the KEV listing. And while, so far, the existence of the flaw is known only in the ConnectWise products, other software using unpatched versions of the framework would be vulnerable as well.

CISA: ZK Java Framework RCE Flaw Under Active Exploit

The open authentication standard addresses existing multifactor authentication security vulnerabilities.

Remember when multifactor authentication (MFA) gave security professionals that nice, warm feeling that their data and users were protected? Those days are over. Traditional approaches to MFA don't cut it anymore, as attackers have developed effective workarounds for cracking that door wide open. For proof, consider last year's headline-grabbing breaches at Okta, Uber, and Cisco, just to name a few. A better approach is urgently needed — and it starts with the FIDO2 user authentication specifications.

**MFA Weaknesses**

Why do we need a new approach to authentication? Bypassing existing MFA techniques to garner employee credentials or to take over employee accounts has become child's play for attackers. There are even videos on YouTube explaining how to do it. Techniques range from simple phishing to push bombing — where attackers send push notifications until the employee accepts one — to more complex SS7 communications protocol exploits to obtain texted MFA codes.

For example, take the common MFA technique of using a push notification as the second factor.

One common approach the attackers use is to create a fake company login page, then send out phishing emails to drive employees to that page. When an employee enters their username and password into the fake page, the attacker simply takes the credentials and enters them into the real login page. When the employee receives the MFA request (the push notification), they are likely to treat it as genuine and click "Yes." With that simple approach, the attacker has now compromised the employee's account and has a beachhead into the company's network that can allow them to move laterally and install malware or ransomware.

**People as a Point of Failure**

Not all vulnerabilities are technical. Social engineering is becoming more sophisticated, with attackers using texts and voice calls targeted at specific employees to add credibility and urgency to that phishing email. The attackers pose as IT technicians or other trusted authorities to create that trust with the targeted employee. These techniques can be very effective, as hapless users willingly will do as asked, assuming they are speaking with a trusted person from their own organization.

**Enter the FIDO2 Standard**

So, what is FIDO2, and how can it help address these MFA vulnerabilities? Developed by the Fast Identity Online (FIDO) Alliance, FIDO2is an authentication method containing two components: WebAuthn (W3C) and CTAP (FIDO Alliance), which together eliminate the security gaps in standard MFA services.

With FIDO2, the site requesting authentication constructs the authentication challenge, encrypts it with the registered authenticator's public key, and sends it to the user by way of the user agent (browser) that originally requested access. The browser adds some context and forwards to the attached authenticator. The authenticator decrypts the challenge with its private key and compares it with its own registration records and the context provided by the browser. By nature of this process, attackers using stolen credentials are blocked (they receive the challenge but can't do anything, as they don't have the authenticator). Attackers who are actively man-in-the-middle are detected and blocked as well (they can replay the bidirectional traffic, but they cannot construct a challenge that would be accepted by the authenticator). This method makes it virtually impossible to compromise MFA. The key features of FIDO2 are:

*   Authentication credentials are based on private/public key pairs.

*   No shared secrets — the private key is generated by the FIDO2 authenticator, is stored in secure hardware on the authenticator, and cannot be exported or tampered with. Only the public key is sent to the server-side (website) when registering.

*   Authentication challenges are delivered to the user agent (the browser), which adds context about the challenge and then delivers it to the attached FIDO2 authenticator, which allows detection of a man-in-the-middle.

*   Platform authenticators (tied to the platform and only usable on that device) and roaming authenticators (that can be used across any device).

**Why Isn't Everyone Using FIDO2 MFA?**

Security professionals recognize the value that FIDO2-based MFA provides. However, because companies need to buy, distribute, and manage physical FIDO2 security keys, the added cost and complexity has slowed down adoption. In addition, users really dislike using a physical security key — it's yet another piece of hardware they have to carry around. Because of these factors, many companies will deploy FIDO2 for high-risk employees but use standard MFA for other employees.

**Phish-Proof Protection**

Authentication methods based on FIDO2 are the closest thing there is to a "phish-proof" solution, and the security community has taken note. The Cybersecurity and Infrastructure Security Agency (CISA) recently called FIDO "the gold standard" for authentication, urging corporate leaders to make it part of their MFA strategy. US federal agencies are also moving to FIDO2 to address the vulnerabilities of existing MFA techniques.

As it becomes more widely recognized, expect to see FIDO2 as a recommended or even required standard for online interactions/transactions where critical data must be protected. Currently, most underwriters of cyber insurance require MFA implementation to qualify for coverage. It's not a stretch to imagine that requirement expanding to include FIDO2.

**Time to Up Your Game**

For any organization concerned about cybercrime — and the economic and reputational risk it poses — proactively adopting FIDO2 authentication seems like a smart business move. For organizations that rely on vendors or partners for their online employee and/or customer interactions, now is a good time to find out whether they have adopted FIDO2.

As cybercriminals continue to up their game, organizations must do likewise. Don't wait until an attacker finds your weakness. Now is the time to take a critical look at your authentication protocols and see how FIDO2 can address MFA deficiencies and close that door.

Without FIDO2, MFA Falls Short

As companies increasingly adopt MFA, cybercriminals are developing a variety of strategies to steal credentials and gain access to high-value accounts anyway.

As companies increasingly require stronger versions of security for their employees and customers, attackers are getting better at bypassing multifactor authentication (MFA), resulting in a steady stream of compromises, such as this week's announcement of a data leak at cybersecurity firm LastPass and the announced breach at social media service Reddit earlier in February. 

While multiple ways exist to bypass the flawed security of two-factor authentication (2FA) that uses one-time passwords (OTPs) sent through short message service (SMS) texts, systems protected by push notifications or using hardware tokens are considered much harder to compromise. Yet attackers have landed on a trio of techniques to get around the additional security: MFA flooding, proxy attacks, and session hijacking — focused on the user, the network, and the browser, respectively. 

"Most of the time, attackers are getting around weaker forms of MFA, especially those that use SMS, \[but\] there are plenty of techniques attackers use to circumvent MFA, including MFA flooding, SIM-swapping, and attacker-in-the-middle attacks," says Matt Caulfield, CEO of Oort, an identity-security provider.  

    

MFA bypass attacks increased in 2020 (green) compared with previous years. Source: Okta

**MFA Flooding & Fatigue**

The first target for attackers is often the human behind the keyboard. Overall, 82% of breaches involved the "human element," and more than 80% of Web application breaches are attributed to the use of stolen credentials, according to Verizon's "2022 Data Breach Investigations Report (DBIR)." 

MFA flooding, where an attacker will repeatedly attempt to log in using stolen credentials to create a deluge of push notifications, aims at taking advantage of users' fatigue for security warnings. "Push notifications are a step up from SMS, but are susceptible to MFA flooding and MFA fatigue attacks, bombarding the victim with notifications in the hope they will click 'Allow' on one of them," Caulfield says. 

Another popular tactic — the account reset attack — aims to fool tech support into giving attackers control of a targeted account, an approach that led to the successful compromise of the developer Slack channel for Take-Two Interactive's Rockstar Games, the maker of the Grand Theft Auto franchise.

"An attacker will compromise a user’s credentials, and then pose as a vendor or IT employee and ask the user for a verification code or to approve an MFA prompt on their phone," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Attackers will often use the information they’ve already compromised as part of the social engineering attack to lull users into a false sense of security."

**Session Hijacking & Pass-the-Cookie Attacks**

After a worker logs in to an online account or cloud service, a session cookie containing the user’s authentication credentials is typically set and remains active until the user ends the session by logging out. A common post-compromise tactic is for the attacker to harvest every cookie in the browser cache for potential use as a session hijack or pass-the-cookie attack. Malware such as Emotet has this functionality as a regular feature.

Other variants of this attack use cross-site scripting or malicious browser extensions to take control of a user's session after they pass the MFA barrier, says NCC Group's LaRose.

"The ultimate goal of this technique is to attack the user’s session indirectly, and therefore not interact with the stronger security controls in the login flow," he says.

**Proxy Attacks & AitM**

Finally, attackers can try to compromise infrastructure between the users device and a cloud service or online site. Using a compromised or malicious server to intercept requests from the user and destination server, a proxy attack — or adversary-in-the-middle (AitM) attack — allows cyberattackers to harvest the authentication mechanism in real time.

"This allows the attackers to bypass most available methods of MFA, since the user is providing the site, and the hacker, with both the username and password and additional authentication," Drew Trumbull, incident response team lead with the Information Security Office at the University of North Carolina, said in a review of the technique.

The technique may have contributed to the breach at LastPass, where "the threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA," according to the company's statement.

**Resetting the Matrix**

To defend against the latest attacks, companies should deploy phishing-resistant MFA, which consists of something you own, such as a hardware key, and something you are, such as a biometric. Common hardware key solutions, such as Yubikey, have made phishing-resistant MFA more easy to deploy, says NCC Group's LaRose.

Unfortunately, there are still hurdles for companies in adopting hardware keys, making it difficult to attain complete coverage, says Oort's Caulfield.

"Just the logistics of shipping hardware-based security keys to every employee and managing the process when they lose them can be a nightmare," he says. "Shipping laptops and security keys to contractors is even harder."

And with the increased overhead to manage the devices comes another in-road for attackers — resetting an account following a lost or stolen device. By pretending to be the victim, an attacker can claim to have lost a device, allowing them to enroll a new factor upon sign-in or act during a reset grace period, says Oort's Caulfield. 

"MFA resets are a massive challenge," he says. "It’s likely we’ll see attackers shifting from the factor as a weakness to the registration and reset process."

And indeed, rather than use a hardware token, workers and consumers are far more likely to subscribe to a security question or use a time-based OTP (TOTP) received through email or SMS. Nearly 80% of users polled at identity-provider Okta, for example, use email as a second factor — and nearly 40% have a TOTP pushed to them through an application — while only about 5% use a token or Yubikey, according to Oort's "2023 State of Identity Security" report. Users of Azure AD and Duo Security show similar preferences, the report noted, with security questions and SMS passcodes dominating enrollment numbers.

Cyberattackers Double Down on Bypassing MFA

The biggest dilemmas in running a modern cybersecurity team are not all about software, said CISOs from HSBC, Citi, and Sepio.

Managing risk on a global scale has always been challenging, but in the aftermath of the COVID pandemic, CISOs have had to become even more agile. The shift to hybrid work, the rapid deployment of cloud applications, and the move to continuous integration and continuous development (CI/CD) have emboldened threat actors with new and broader targets.

Meanwhile, the number of devices and endpoints on organizations' networks have increased exponentially. Two veteran CISOs lamented the challenges these changes have imposed during a webinar last week organized by Sepio, an asset detection and risk management startup. Sepio's CISO Ilan Kaplan moderated an hour-long discussion with HSBC CISO Monique Shivanandan and Carl Froggett, who was CISO at Citi for 17 years before joining startup Deep Instinct last summer as CIO.

Shivanandan and Froggett shared with Kaplan what they see as three of the most significant challenges the rapidly changing cybersecurity and risk landscape presents.

**1\. Maintaining Visibility of All Network Assets**

Cybersecurity professionals have historically struggled to gain complete visibility into what's on their networks and threats directed at them. Froggett noted that newer cloud-native technologies, such as container-based applications and SaaS, offer better visibility than traditional software because modern apps were built to be more secure.

But overshadowing that benefit is the sheer scale of all the components associated with modern applications. "An asset used to survive 5, 6, 7 years, or longer if you include the underlying operating systems, whereas now the lifetime of the container can be measured in seconds or maybe minutes," Froggett said. That creates "a whole new set of \[visibility\] challenges from that perspective."

Shivanandan noted that traditional methods of capturing inventories, keeping them up to date, and tracking them were predicated on the notion of adding assets to a network manually. But with modern applications, that doesn't work, she said, because of the scale and the speed by which devices and software are deployed. "One of the biggest challenges that every CIO and every CISO faces is having that visibility and making sure that visibility is up to date," Shivanandan said.

**2\. Avoiding New Risks When Adding Apps**

Besides addressing the mounds of existing regulatory risks and the current threat landscape, security teams must also avoid being the source of new risks. Asked how they ensure that, Shivanandan said that, while reviewing the source code of every component added to the infrastructure is impossible, HSBC has rigorous processes around onboarding a new technology, which includes "a lot of pen testing and red teaming."

"Unfortunately, with the number of parties we have, we cannot do it for everyone," she added. "We do it for a select few." The problem is "every software change and every new release can knowingly or unknowingly introduce something new. It's a constant battle that we're facing."

Froggett said that Citi has strict processes around onboarding new technology, including pen testing and red teaming, but with the current release cadences, enforcement has become challenging. "Ultimately, you can't usually do source code reviews" of everything that comes in, he said.

**3\. Recruiting and Retaining Skilled Talent**

The shortage of experienced cybersecurity specialists is nothing new, but Shivanandan said it remains one of her top challenges. "All the technology in the world is only as good as the people there to make sure that we install \[everything\] correctly and keep it up to date," she said.

Shivanandan said despite considerable progress, it remains difficult for women to break the glass ceiling. She believes men have an outsized presence in senior cybersecurity roles compared to the entire IT industry.

"When you start out at the lower levels, there's \[an\] equal \[proportion of\] men and women, 50-50, sometimes even 60-40 women," she said. "Then, as you go through the progression, the women drop out, and the men continue to progress from a seniority level."

Nevertheless, Shivanandan said women face fewer barriers today compared with when she started out. She said, "When I was starting out, they wanted to pat you on the head and say, 'dear, don't worry your pretty little head, I'll take care of technical things.' But not anymore. There's no ceiling for a woman to get into any position now. It's a matter of just perseverance."

Shivanandan considers herself fortunate at HSBC, where 40% of her leadership team is women. "The women and the men are both fantastic, and that's the thing that you really want to look for," she said.

Froggett said during his nearly 25 years at Citi, most of his bosses were women. "The job's not done for sure, but there is definitely more of a balance \[of men and women in senior leadership roles than\] I saw five or 10 years ago."

Shivanandan emphasized that creating a diverse team goes beyond gender. A large portion of her team has some sort of neurodiversity, she said. According to research, an estimated 15%-20% of people have some form of neurodivergence such as autism, attention deficit hyperactivity disorder (ADHD), mental health conditions, or learning disabilities.

Shivanandan said those conditions are often assets: "That's what makes them fabulous in the job." But she added, "I think that's probably harder to overcome from a career progression standpoint, from a leadership versus a technical perspective."

CISOs Share Their 3 Top Challenges for Cybersecurity Management

The data protection capability is now available across multiple Workspace applications: Gmail, Calendar, Drive, Docs, Slides, Sheets, and Meet.

Google is rolling out client-side encryption Gmail and Calendar, which would allow users to create meeting events as well as send and receive emails which have been encrypted before being sent to Google servers. Client-side encryption will be available to organizations with Google Workspace Enterprise Plus, Education Standard, and Education Plus plans. All other types of Google Workspace accounts and personal Gmail accounts will not get client-side encryption.

Google enabled client-side encryption for Google Drive, Docs, Slides, Sheets, and Meet last year, so with the latest update, client-side encryption is now available across Workspace applications. Workspace administrators have to enable client-side encryption before users can use it.

Client-side encryption means the data is encrypted within the user’s browser before it is transmitted or stored on Google servers. Because the client-side decryption keys are created by a cloud-based key management service, organizations retain control over who has access to their data. For example, if there is a government request for Google Workspace data, Google will not be able to provide the information because Google doesn’t have the decryption keys. Adversaries would have to target the organization’s specific key to access the data. For some organizations, this level of control is necessary to meet regulatory compliance requirements.

Media giant Groupe Le Monde rely on client-side encryption across Workspace to ensure journalists’ safety by protecting communications, appointments, and files from potential leaks, Ganesh Chilakapati, a Google Workspace group product manager, and Andy Wen, director of product management for Google Workspace Security, wrote in a Google Workspace blog post.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Adds Client-Side Encryption to Gmail, Calendar

Platform uniquely designed to facilitate automated compliance, security behavior change.

**MINNEAPOLIS****,** **Feb. 28, 2023** **/PRNewswire/ --** Hoxhunt, the leading cybersecurity behavior change software company, today announced the availability of the industry's foremost Human Risk Management Platform and three new products. For the first time, cybersecurity leaders can now focus on true visibility and measurable outcomes, not just regulatory and audit compliance.

According to the World Economic Forum, 95 percent of data breaches can be traced back to human error, mostly from clicking on targeted phishing attacks. Hoxhunt delivers high-ROI resilience with minimal resources by automating the transition of employees from being the greatest security risk to the most valuable resource. Hoxhunt's Human Risk Management Platform enables human threat intelligence—which is the only way to catch the millions of sophisticated phishing attacks that evade technical filters each year--into the security stack.

The AI-enabled platform offers three new products that can be aligned with an organization's security maturity state.

*   The new Comply product enables security awareness programs to be delivered automatically. From choosing the curriculum to customizing training content, Hoxhunt Comply enables security leaders to build a comprehensive program at the click of a button.
*   The Hoxhunt Change product adds capabilities to the market leading security behavior change solution. The advanced AI engine and machine learning algorithms transform employees into a global network of threat detection sensors that protect themselves and their organizations from threats that have infiltrated the perimeter. The AI platform delivers individualized, adaptive training experiences for employees at the edge of their skill levels at scale, resulting in lasting and measurable improvement. Even real phishing attacks are transformed into vital learning experiences when employees detect them. The platform assesses and expands individual abilities with quick micro-training nudges based on in-the-moment responses to both real and simulated phishing attacks, which in turn creates long-term engagement and optimal online behavior for employees.
*   Respond helps make sense of the threat feed to the SOC and automatically pinpoints the incidents that need attention. The Hoxhunt platform analyzes over 93,000 newly reported threats every day that have bypassed traditional security technology layers. Now organizations can harness the power of a global network of 1.5M human threat sensors to prevent the most malicious ransomware and BEC attacks.

Hoxhunt was established to take a people-first approach, going beyond traditional, compliance-based security awareness training and enabling a risk-based security strategy via measurable security behavior change.

"As bad actors refine their tactics, searching for gaps in security controls, employees have become the largest attack vector for cybercriminals looking to penetrate into corporate networks," said Mika Aalto, Co-Founder and CEO at Hoxhunt. "Employees are often overlooked as a part of an organization's security posture and attackers continue to exploit this. In most organizations, at best, employees receive generic awareness training in order to meet corporate compliance goals, initiatives which fail to alter employee cyber behavior or create the ability to detect and respond to social engineering attacks. Hoxhunt was established to solve this uncontrolled issue. With our human risk platform, organizations can significantly alter their employees' security skill levels to create a strong human detection engine when attackers surpass technical layers."

Hoxhunt's full-stack, AI-driven platform delivers:

*   **Increased Visibility:** Provides visibility into the true risk of an organization's human layer and the threats that have (or could have) infiltrated their systems.
*   **Measurable Risk Reduction:** Hoxhunt transforms employees into security assets, creating a global human threat sensor network to detect and eliminate email threats that slip past your technical protections. Hoxhunt drives the failure rate to just 2%, compared to 25% when using alternative phishing tools.
*   **Streamlined** **Reporting:** Maintains full control and visibility of employee training progress across departments, automatically generating reports that CISOs can utilize to translate improvements in organizational security posture.

Since its inception, Hoxhunt has helped some of the world's leading companies graduate from security awareness training into security behavior change and human risk management, including Airbus, DocuSign, Kaercher, and Victorinox. The company has also received numerous accolades in recent months. Hoxhunt was named a Best Software Company (EMEA) by G2 and received three awards from TrustRadius for security excellence.

To learn more about Hoxhunt and to request a demo, please visit: https://www.hoxhunt.com/.

**About Hoxhunt**

Hoxhunt helps security leaders and employees join forces to prevent data breaches. Hoxhunt is a Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love. Employees learn to detect and report advanced phishing attacks. Operations teams respond fast with limited resources. And security leaders gain outcome-driven metrics to document reduced cybersecurity risk.

Hoxhunt Launches Human Risk Management Platform

**MIAMI****,** **Feb. 28, 2023** **/PRNewswire/ --** Network Assured shared the results of a recent study on cyberattacks against U.S. healthcare organizations. It looked at the total number of data breaches historically, the number of individuals affected, and the financial cost of each breach. One of the more stark findings of the report was that two of the worst healthcare data breaches in U.S. history happened in the past 12 months.

**Is Healthcare Cybersecurity Getting Worse?**

Despite a minor decrease in the number of attacks against healthcare organizations from 2021 (715 breaches) to 2022 (707 breaches) the severity of attacks by records compromised, continued to increase.

The breach of OneTouchPoint Inc. saw 4,112,892 records compromised. It was the largest healthcare data breach of 2022 and the 9th largest of all time. The breach of Advocate Aurora Health saw more than 3 million patients' data compromised. It was the 2nd largest healthcare breach of 2022 and the 10th largest of all time.

Other study results indicated that:

*   **The healthcare data of minors was a particular focus of 2022 cyberattacks.** The 2022 breach of Connexin Software, that provides management software for pediatric practices, saw the healthcare records of more than 2 million minors compromised.
*   **Ransomware, malware, and phishing emails were involved** in the majority of the year's worst data breaches.
*   **A higher volume of smaller healthcare organizations are being affected:** While the largest breach of all time was in 2014, the latest year saw more individual organizations affected by data breaches than ever before.

**Third-party Vendors a Primary Cause of Healthcare Data Breaches**

The report found that insecure third party vendors were a consistent cause of high impact data breaches. Both the worst healthcare breach of 2022, and the second worst of all-time came as a result of Business Associates failing to properly secure patient information.

**Dark Web Incentivizing Healthcare Cyberattackers**

The report found that patients healthcare data obtained through cyberattacks is most commonly sold. On the dark web, an individual healthcare record can be worth as much as $250. According to the report's author Aaron Weissman, _"A complete medical record contains all of a someone's personal identifying information. That information can be used to register identification documents or apply for credit cards. Even incomplete medical records can be aggregated with other stolen information to create a complete individual identity profile."_

**Basic Cybersecurity Practices Lacking in Healthcare**

The report challenges the narrative that the increasing severity of cyberattacks is a result of the increasing sophistication of malicious actors. In many of the worst data breaches on record, investigators found that even basic cybersecurity practices were lacking.

In the worst healthcare breach of all time, investigators cited "a lax credential management policy and a lack of a risk management program" as a causal factor in the attack. The second largest healthcare data breach of all time, was "determined to have occurred because of the lack of a cybersecurity program."

To see the complete findings, including a full breakdown of the largest healthcare breaches by records stolen, and damage incurred, with full color charts, please see visit the study here.

**About Network Assured**

Network Assured is a free, independent advisory that helps businesses price cybersecurity services, perform due diligence, and find better vendors. Learn more at www.NetworkAssured.com.

Two of The Worst Healthcare Data Breaches in US History Happened Last Year

The adversaries obtained a decryption key to a LastPass database containing multifactor authentication and federation information as well as customer vault data, company says.

The threat actors who broke into password management firm LastPass's development environment last August used information gathered from that incident for a follow-on attack, the company confirmed. The cyberattackers were able to access and exfiltrate data from an encrypted cloud storage service housing a backup of LastPass customer and vault data.

To pull off the heist, the adversaries targeted a home computer belonging to one of four DevOps engineers at LastPass who had the decryption keys needed to access a broader set of LastPass customer and encrypted vault data housed in encrypted Amazon S3 cloud storage buckets. 

The engineer's machine had a vulnerable third-party media player that the attacker exploited to gain access to the computer and install a keylogger on it. The malware eventually enabled the threat actor to gain access to the DevOps engineer's corporate vault and to export the decryption keys needed to access the AWS S3 LastPass production backups, LastPass said.

**Attacker Had Access to Broad Range of Data**

The DevOps engineer's credentials and keys allowed the threat actor to access a broad range of encrypted and unencrypted data — including password vault data — housed in the AWS S3 storage environment, LastPass announced this week. The backup data included configuration information, API and third-party integration secrets, customer metadata, and backups of all customer vault data. However, LastPass described most of the sensitive data in the customer vaults as encrypted and readable only with a unique decryption key derived from each end user's master passwords. 

"As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass — therefore, they were not included in the exfiltrated data," the company said.

In addition, the attacker also accessed a backup of a database containing LastPass multifactor authentication (MFA) and federation information. The database included MFA seeds assigned to users when they first registered their MFA authenticator with LastPass, hashes of customer generated one-time passwords (OTPs), and so-called split knowledge components or K2 keys associated with business customers. The secrets that business customers use to integrate third-party MFA vendors such as Duo Security with LastPass were also affected. 

"This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor," LastPass said, which has offered up a complete description of all affected data.

**Latest Twist in Unfolding Tale**

The update sent out Feb. 27 is the latest twist in a breach tale that has been slowly growing in scope since last August, when LastPass disclosed that it had spotted unusual activity on its network. At the time, the password management firm said threat actors had broken into its cloud development environment via a compromised software engineer's laptop and stolen some source code and other proprietary technical information. In updates in November and December, LastPass said the same threat actors had used information obtained in the August incident to access and decrypt a limited number of storage volumes within the cloud-based storage service.

LastPass' most recent update is unlikely to win the company any new fans in the security industry, especially because of how the scope of the incident has kept changing with each disclosure. When it first reported the breach last August, company CEO Karim Toubba described it as limited to the company's development environment and claimed the company had "achieved a state of containment." In its subsequent updates, the company reassured users about the separation between its development and production environments and why their information was therefore safe. With this week's announcement, LastPass said the attack on its cloud storage environment had overlapped with the attack on the development environment.

"The company now has a history of breaches and, depending on how you count, this is the third in less than a year," says Eric Noonan, CEO of CyberSheath. At a tactical level, it's hard to know what they might have done better, because information about the breaches have been relatively scant, he says. "In the bigger scheme of things this is what CISA, and other accountable government agencies are talking about when they say product companies have a responsibility to build security and safety into their products prior to unleashing them on the public," Noonan says.

**Review Master Passwords**

The company has advocated that business customers and individual customers review their master passwords and change them if necessary. Users who have followed the company's previous recommendations for setting a master password should be safe from brute-force guessing methods.

The attack is further proof of how inextricably linked enterprise security has become with the security of the networks and devices that employees use at home, security experts say.

CISOs must understand the implications of a personal device compromise, a home network being wide open, or personal compromise impacting the company, says Chris Pierson, CEO and founder of BlackCloak. "The risks are no longer theoretical and never have been," Pierson says. "Because corporate environments have become so well fortified, cybercriminals are moving to the lowest-hanging fruit," which are often are the personal devices of key employees and executives, he says.

A survey that BlackCloak conducted recently found that the personal desktops, mobile, and tablet computing devices that key corporate executives use often are vulnerable and lack basic protections. BlackCloak's data showed, for instance, that 76% of executives' personal devices leak data actively, 87% of executives' personal devices have no security installed on them, and 23% of executives have open ports at home. The survey showed that 87% of executives use passwords that are currently leaked on the Dark Web, 54% do not use a password manager, and social media sites and data brokers have a lot of information that attackers can use to social engineer them.

**Focusing on Home Users & Devices**

Attacks like the one LastPass disclosed this week highlight why security teams need to focus more on protecting employees from account takeover attacks wherever they are and whatever device they might be using, says Avi Turgeman, CEO and co-founder of IronVest. 

"They need to take a more holistic approach to protecting \[employees against\] all critical vulnerabilities," Turgeman tells Dark Reading. This includes implementing measures such as identity authentication, access management, post-login protection, 2FA/MFA protection, and phishing. "Eighty percent of data breaches are a result of compromised credentials," he notes.

LastPass DevOps Engineer Targeted for Cloud Decryption Keys in Latest Breach Revelation

The framework-as-a-service signals an intensification of the cat-and-mouse game between defenders detecting lateral movement, and cybercriminals looking to go unnoticed.

The post-exploitation tools market has chalked up a newcomer with the emergence of Exfiltrator-22. An upstart alternative to Cobalt Strike, the Exfiltrator-22 framework-as-a-service (FaaS) tool set, first seen in December, was "likely" developed by ex-affiliates of the notorious LockBit ransomware gang, according to researchers.

According to a Cyfirma report on Feb. 28, Ex-22 possesses advanced post-exploit capabilities that include elevated reverse shell, remote file download and upload, screenshot and live session monitoring of infected devices, privilege elevation capabilities and LSASS credential dumping, and persistence capabilities. Buyers get access to an administration panel through a $1,000 monthly subscription. The researchers say they're moderately certain this crew is operating out of Asian countries and engaged in an ambitious buildout of its own affiliate program, along with an "aggressive" marketing campaign. 

Meanwhile, recent samples of LockBit 3.0 campaigns show they utilize the same command-and-control (C2) infrastructure as Exiltration-22.

The Ex-22 creators claim their framework is "fully undetectable" by every antivirus and endpoint detection and response (EDR) vendor. While that's not totally true, "as of 13th February 2023, the malware still has 5/70 detections on Online Sandboxes, even after multiple dynamic scans being performed," the report explains. "This tells us that the threat actors are skilled at anti-analysis and defense evasion techniques."

The analysis points to what some security pundits see as a slight shift in the winds of post-exploit activity. While Cobalt Strike still remains the dominant tooling of choice for the bad guys, security tooling capable of picking up on activity stemming from this framework is mounting, and the criminal marketplace is spinning up to provide a more stealthy alternative. Last year's most notable example of this movement was the increased adoption of Brute Ratel C4 for malicious post-exploit activity.

"With continuous improvements and support, Ex-22 becomes a go-to alternative for any threat actors planning to purchase tools for the post exploitation phase but do not want to go with the traditional tools due to high detection rates," the report explained.

**Post-Exploitation Options Proliferate**

Interestingly, Ex-22 is actually the second high-profile, highly evasive post-exploitation framework uncovered by security researchers this month. Earlier in February, researchers with Zscaler ThreatLabZ published an analysis of a campaign they observed targeting a government organization using a C2 framework called Havoc.

"While C2 frameworks are prolific, the open source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques, such as indirect syscalls and sleep obfuscation," wrote Zscaler researchers Niraj Shivtarkar and Shatak Jain in a Feb. 14 analysis.

Meantime, in January researchers with Cybereason detailed recent campaigns utilizing the C2 framework Sliver for post-exploitation activity. This follows up on work done by Microsoft and Team Cymru tracking the rise of Sliver. An open source alternative, Sliver is also cross-platform, offering support for action on OS X, Linux, and Windows.

Source

DARKReading