**PRESS RELEASE**

**Woburn, MA – October 16, 2023 —** Kaspersky today announces the launch of a full-featured solution for containerized environments, Kaspersky Container Security (KCS). This solution offers secure containerized application at all stages, from development to operation. The product becomes active directly after installation, is low-cost, simple to deploy and easily integrates into the company’s IT infrastructure. Together with Kaspersky Hybrid Cloud Security, KCS forms a security ecosystem for hybrid and cloud infrastructures.  

Containerization is becoming an increasingly popular choice in software development as it helps developers to more rapidly create and deploy high-profile applications. The main advantage of the technology is its autonomy, which is reflected in its name. Like bagged cargo on a container ship, the container holds everything that is needed to develop, deliver and deploy an application (microservice), binary code, associated configurated files, libraries and dependencies. This allows containerized applications to be easily portable, highly reliable and capable of being run by distributed teams.

Containerized environments need protection, as the number of cyber incidents continues to grow. To counter this problem, Kaspersky launched Kaspersky Container Security, a specialized solution for containerized environments designed to protect businesses that already use or plan to implement containers. The product provides security for all stages of containerized application development. In addition to the development process, the solution protects runtime. For example, it controls the launch of only trusted containers, the operation of application and services inside the containers, and monitors the traffic.

There are three main components in Kaspersky Container Security: 'KCS scanner,' 'KCS agent,' and managing 'KCS server':

*   KCS scanner checks configuration files for misconfigurations, scans images for vulnerabilities, malware, sensitive data, and checks them for accordance with assurance policies within the image registry and CI/CD platforms.
*   KCS agent ensures protection from various attacks on the application in the container, monitors container and network interactions in clusters, and checks the whole system for compliance with security standards.
*   KCS server aggregates the data received from the scanner and the agent, allows customers to visualize data and to generate reports, and integrates with other security solutions (e.g., SIEMs like Kaspersky’s KUMA).

Kaspersky Container Security easily integrates into DevSecOps framework of organization, CI/CD\[1\] pipelines and infrastructure. It can strengthen DevOps protection both for companies with developed DevSecOps processes and for companies that only begin to implement them. The solution also allows predictable deadlines to be set for the application to be released due to the automation of security and compliance checks on all the stages.

_"Containerization is the new normal, but its risks are not covered by traditional endpoint or virtual machine security solutions as it requires specific solutions,"_ said Timofey Titkov, head of the cloud and network security product line at Kaspersky. "_This is why we launched Kaspersky Container Security (KCS), a solution that protects containerized application during its life cycle including runtime, the most vulnerable area. KCS helps our customers to build the DevSecOps process where security is ensured at every stage of development. This launch is an important step towards one of Kaspersky's key goals to provide comprehensive protection to all types of digital assets of our customers."_

To learn more about Kaspersky Container Security, please visit the website.

Kaspersky Launches Specialized Security Solution for Containerized Environments

No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.

Cisco is asking customers to immediately disable the HTTPS Server feature on all of their Internet-facing IOS XE devices to protect against a critical zero-day vulnerability in the Web User Interface of the operating system that an attacker is actively exploiting. 

Cisco IOS XE is the operating system that Cisco uses for its next-generation enterprise networking gear.

The flaw, assigned as CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled. No patch or other workaround is currently available for the flaw, which Cisco described as a privilege escalation issue that enables complete device takeover. Cisco has assigned the vulnerability a maximum possible severity rating of 10 out of 10 on the CVSS scale.

**CVE-2023-20198: Maximum-Severity Flaw**

"The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access," Cisco said in an advisory on Oct. 16 on the new zero-day bug. "The attacker can then use that account to gain control of the affected system." Privilege level 15 on a Cisco IOS system basically means having complete access to all commands including those for reloading the system and making configuration changes.

An unknown attacker has been exploiting the flaw, to access Cisco, Internet-facing IOS XE devices and drop a Lua-language implant that facilitates arbitrary command execution on affected systems. To drop the implant the threat actor has been leveraging another flaw — CVE-2021-1435 — a medium severity command injection vulnerability in the Web UI component of IOS XE, that Cisco patched in 2021. The threat actor has been able to deliver the implant successfully even on devices that are fully patched against CVE-2021-1435 via an as yet undetermined mechanism, Cisco Talos researchers said in an a separate advisory.

Cisco said it first got wind of the new vulnerability when responding to an incident involving unusual behavior on a customer device on Sept. 28. The company's subsequent investigation showed that malicious activity related to the vulnerability actually may have begun as early as Sept. 18. That first incident ended with the attacker leveraging the flaw to create a local user account with admin privileges from a suspicious IP address.

**Malicious Activity Cluster Targets Cisco Networking**

On October 12, Cisco's Talos Incident Response Team spotted another cluster of malicious activity related to the flaw. As with the first incident, the attacker initially created a local user account from a suspicious IP address. But this time around, the threat actor took several additional malicious actions including dropping the implant for arbitrary command injection.

"For the implant to become activity, the Web server must be restarted," Cisco Talos said. "In at least one observed case the server was not restarted so the implant never became active despite being installed," Cisco noted. The implant itself is not persistent, meaning that an organization can get rid of it via device reboot.

However, the local user accounts that attackers can create via CVE-2023-20198 are persistent and give attackers continued administrator level access on affected systems even after a device restart. Cisco Talos researchers urged organizations to be on the lookout for new or unexplained users on IOS XE devices as potential evidence that attackers have exploited the flaw. They also provided a command that organizations can use to determine if the implant is present on any affected device.

**Immediately Implement Guidance**

"We strongly recommend organizations that may be affected by the activity immediately implement the guidance outline in Cisco's Product Security Incident Response Team (PSIRT) advisory," the company said. Cisco has assessed the same threat actor is behind both clusters of malicious activity related to the new flaw.

Cisco IOS XE's Web UI component is a system management feature that allows administrators to provide the system. Cisco describes it as simplifying system deployment and manageability. CVE-2023-20198 is the second significant vulnerability that Cisco has disclosed in the same feature in recent weeks. In September, the company disclosed CVE-2023-20231, a command injection vulnerability that also allowed an attacker to obtain level 15 privileges on IOS XE devices.

Zero-day bugs — and any bugs that enable administrator level privileges — on network technologies such as those from Cisco are especially valuable for attackers. As the US Cybersecurity and Infrastructure Security Agency (CISA) and numerous others have noted, network routers switches, firewalls, load balancers, and other similar technologies are ideal targets because most or all traffic must flow through them.

Critical, Unpatched Cisco Zero-Day Bug Is Under Active Exploit

A threat group known as "Void Rabisu" used a spoofed Women Political Leaders Summit website to target attendees to the actual conference with espionage malware.

Attendees of August's Women Political Leaders Summit 2023 conference found themselves targeted by a spoofed event website loaded with a new cyber espionage malware variant called ROMCOM 4.0.

Leaders from all over the world attended the conference to explore the role of women in politics as well as prospects for peace in Ukraine. Specifically, the cyber espionage campaign targeted those helping to further gender equality in the European Union, according to a report from Trend Micro.

Just a year ago, Void Rabisu threat group was a a run-of-the-mill ransomware outfit, but the invasion of Ukraine offered an opportunity for the cybercriminals to get in on more nation-state, advanced persistent threat (APT) action, the Trend Micro report explained.

The group's primary malware strain has been updated to a new version, ROMCOM 4.0, and is used primarily to target politicians, the military, and government employees, Trend Micro observed.

"While we have no evidence that Void Rabisu is nation-state-sponsored, it's possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine," the report added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'RomCom' Cyber Campaign Targets Women Political Leaders

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Has this royal kingdom gone digital? Come up with a clever cybersecurity-related caption to describe the scene, above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 13, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading October Toon."
*   Via social media: X (formerly known as Twitter), Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

We received an impressive array of caption contenders for last month's "Somewhere in Sleepy Hollow" cartoon, but the one that ultimately made it's way to the top of our list came from Sumitra Rao, consulting director at Palo Alto Networks (Unit 42). Congratulations, Sumitra, and thank you to all who played!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Modern Monarchy

It's been a year since its last communication and attack on Iran — but the conflict with Hamas appears to have reactivated the group.

A pro-Israeli hacktivist group named Predatory Sparrow re-emerged in the past week.

Citing the current Gaza conflict, last week the group sent the first tweet in more than a year the group, saying: "You think this is scary? We're back. We hope you're following the events in Gaza" — with a link to a report on the US sending fighter planes and warships to support Israel.

Predatory Sparrow is a known threat that researchers believe to be a relatively sophisticated Israeli hacking operation. It has a history of destructive attacks in Iran, designed to embarrass the Iranian government.

According to Cyberscoop, in October 2021 an attack was carried out on an Iranian payment system linked to a national network of fuel pumps, while in June 2022 multiple attacks were carried out on steel facilities apparently in response to unspecified acts of "aggression" carried out by the Islamic Republic.

John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, said at a press event last week that having taken credit for a series of attacks inside Iran, the group's timely reappearance makes it "certainly a player to watch."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears

By using data to drive policy underwriting, cyber-insurance companies can offer coverage without a price tag that drives customers away.

A flood or fire might have devastated a business in the mid-1990s when offices were filled with filing cabinets and paper records. Today, most of those assets are in the cloud, and business insurance must cover them in modern form. 

Cyber insurance should be a priority in this business landscape, yet too often it is an outlier. There is no other insurance product where so few have coverage but so many need it.

According to Fortune Business Insights, the global cyber-insurance market was $13.33 billion in 2022 and is forecast to grow to $84.62 billion by 2030. Many companies aren't sure how much cyber insurance they need, and, more critically, insurers aren't sure what the risk landscape looks like for an individual company that seeks coverage. 

This risk miscalculation has spurred huge losses and changed the landscape of the cyber-insurance market. In its latest report, the National Association of Insurance Commissioners (NAIC) shows the top 20 groups reporting on cyber supplements had direct loss ratios of up to 130.6%.

Insurance coverage isn't necessarily hard to obtain — a company with a mature security posture can likely get multiple quotes without a problem. However, specific sectors with historically poor security postures, like education, or highly targeted sectors, like software developers, may have a more challenging time. 

Let's look at how the market has changed and where it's heading.

**How the Market Hardened**

The cyber-insurance market has rapidly transitioned from a soft cycle, characterized by lower premiums and higher limits, to a hard cycle. This shift resulted in insurance premiums skyrocketing.

Some businesses have been surprised when their policies increased dramatically despite nothing changing on their end. But most insurance companies saw more demand than supply, and risk increased as more claims were filed. According to Verizon's "2023 Data Breach Investigations Report," ransomware accounted for roughly 5% of breaches in 2020 and soared to 24% in 2022 and 2023. Insurers raised rates accordingly.

Those rates finally dipped by 10% in June, partly because insurance companies mandated their customers implement better protections. Insurance companies must excel in risk management to offer competitive rates. This enables the insurer to accept risk and ensure prices don't have to jump to a point that makes the company noncompetitive. 

**Where SMBs Fit In**

When the market began less than a decade ago, only big businesses were looking for coverage. Underwriters want balanced books, with a few large risks and many smaller ones, but the market demanded half of that. Industrial-sized companies sought coverage, while small and midsized businesses (SMBs) were on the sidelines. 

Large tech companies had risk-management processes at the board level requiring them to seek cyber insurance. SMBs didn't know their threats, and their risks weren't considered imminent. The dynamic shifted when the threat landscape changed, and cyber insurance became more commercialized with offerings that made sense to SMBs. According to NetDiligence's 2022 Cyber Claims Study, large companies represented only 2% of cyber claims from 2017-2021, but those claims accounted for 51% of total incident costs. 

These days, large businesses require their smaller partners to carry cyber insurance, and brokers can be sued for negligence if they don't offer it to their clients. Some brokers have clients sign a waiver if they don't buy the policy, saying they at least offered it.

With these forces pushing the market, we're seeing more and more small businesses turning to cyber insurance.

**Where Things Are Going**

When insurance companies have limited capacity, they choose customers with lower risk. Low-risk companies take measures to minimize their exposure. Traditionally, it's been hard to prove where those exposures are, let alone if they've been mitigated. 

Technology is changing this. Companies now have better ways to understand where to harden their security posture, and insurance companies have new methods to determine how risky their potential client is. 

This data empowers underwriters to mitigate risk that would impact policies and offers mitigation strategies for companies seeking coverage. These efforts promote a hardened security posture, which means lower risk for insurance companies so that they can offer competitively priced premiums. This eventually translates into lower loss ratios and higher profitability for the whole industry. That in turn enables more affordable rates for businesses. 

In less than a decade, cyber insurance has grown from a niche product to a multibillion-dollar industry. By using data to drive policy underwriting, cyber-insurance companies can offer the coverage so many want without a price tag that will drive them away.

How Data Changes the Cyber-Insurance Market Outlook

SaaS security is broad, possibly confusing, but undeniably crucial. Make sure you have the basics in place: discovery, risk assessment, and user access management.

In today's fast-paced business world, software-as-a-service (SaaS) applications have transformed how we work. They offer unprecedented flexibility, collaboration, and efficiency, making them the go-to solution for most organizations. From project management to customer relationship management and file storage, SaaS applications touch nearly every aspect of daily business operations. With sensitive data and critical business processes housed in these platforms, the need for robust SaaS security has never been more pressing and clear.

SaaS security is multifaceted, covering many types of risks with tools offered by diverse vendors. SaaS security typically falls within SaaS security posture management (SSPM). While modern SSPM solutions provide automation and in-product remediation, they might be somewhat overwhelming at first, especially for smaller organizations that don't have large budgets or don't know where to start or what to prioritize.

During a career spanning two decades in the Israeli military serving various cyber-related roles, I learned the importance of breaking down large challenges into smaller pieces. Tackling a large problem starts with identifying the basic requirements. In this article, I will lay out three must-have SaaS security essentials that any organization can implement, regardless of budget or headcount. These are three steps you can introduce into your organization today.

**Step 1: Discover Your SaaS Usage**

After serving hundreds of SaaS-using companies, it is clear to me that most organizations have a serious SaaS shadow-IT problem. In fact, the average employee uses 28 SaaS applications at any given time. When you think about it, it makes sense: Most employees, when encountering a specific business need, will look up a fast and easy solution online. That solution is often a SaaS tool that requires permissions into the employee's work environment. Onboarding these SaaS applications often goes completely unnoticed by security and IT teams. So, before you can secure your SaaS environment, you must first have full visibility into every employee's SaaS usage, all the time.

**Step 2: Perform Risk Assessments on Each SaaS Application**

Now that you have a clear picture of your SaaS landscape, it's time to evaluate the security risks associated with each application. Not all SaaS applications are created equal, and some may pose a higher risk to your organization's data and operations. We should always be cautious as to where we keep or share sensitive data and who we trust with our most critical assets. There are several critical considerations for determining whether an application is risky or not. Here are a few:

*   The SaaS vendor's security and privacy compliances.
*   The SaaS vendor's size and location.
*   The SaaS app's marketplace presence: Has it been validated by others?
*   Is it a private or public company? Does it share its security status publicly?

This type of analysis is crucial not only for maintaining SaaS security; it is a significant factor in companies' vendor risk-assessment processes. SaaS is a third-party vendor, and assessment is part of how you manage a vendor's risk. Organizations cannot afford to turn a blind eye to their third-party risks of any size.

**Step 3: Ensure Users Have Only Necessary Permissions and Roles**

The third essential step is managing user permissions. Often, security breaches occur due to excessive permissions granted to users or that the users grant to certain applications. To mitigate this risk, follow these best practices:

*   **Least-privilege principle:** This means granting users only the permissions they absolutely need to perform their tasks. Avoid granting broad, blanket permissions that can lead to data exposure or unauthorized actions.
*   **Regular permission reviews:** Establish a process for regularly reviewing and updating user permissions and roles. This is especially true for your core business applications. Employees' roles and responsibilities can change over time, and permissions should be adjusted accordingly.
*   **Start with the admins:** Assessing all your employees and their roles and permissions across dozens of apps can be daunting and time consuming. I've learned that focusing on various admin roles and auto-approving low-permissions roles is a huge time saver.

**Why These Three?**

There are many ways to implement SaaS security practices. Some organizations prefer looking at sensitive files shared between these applications; others start with irregular user behaviors to tackle insider risks. These are all valid, and robust SSPM tools offer these capabilities. But for smaller organizations with tighter budgets or those that prefer to start small then expand, I firmly believe these three principles are the way to go. These are required by major compliance standards such as ISO 27001 and SOC 2 and fall under basic vendor risk-assessment and user-management requirements.

**Embrace SaaS Without Compromising Security**

By enforcing these three steps, you can make significant strides in protecting your digital workspace. Remember that security is an ongoing process, and continuous monitoring and adaptation are key to staying ahead of evolving threats in the SaaS landscape. By prioritizing security, you can ensure employees are free to fully embrace the advantages of SaaS while always keeping your organization safe from SaaS potential harm.

**About the Author**

    

A retired colonel from the elite 8200 Unit, Galit Lubetzky Sharon has vast, hands-on experience designing, developing, and deploying some of the Israeli Defense Forces' most vital defensive and offensive cyber platforms as well as leading large and strategic operations. She was an integral part of developing the IDF's first cyber capabilities and continued improving and enhancing these capabilities throughout her career. She is the recipient of numerous accolades, including the prestigious Israeli Defense Award.

3 Essential Steps to Strengthen SaaS Security

The security principle of zero trust is the cornerstone of robust cloud security.

In an era where data breaches and cyberattacks continue to dominate headlines, the importance of robust security measures has never been more evident. As organizations increasingly migrate their data and operations to the cloud, a paradigm shift in security strategy is essential. Enter zero trust, a security concept that has emerged as the cornerstone of cloud security. This article will explore why zero trust is crucial for safeguarding cloud environments.

**The Cloud Security Challenge**

Adopting cloud computing has brought unprecedented flexibility, scalability, and cost efficiency for businesses; however, migration to the cloud has also opened new avenues for cyber threats. The traditional security perimeter model — protecting the network perimeter — must change. Security must adapt to the challenges of this dynamic landscape with data residing in remote data centers and users accessing resources from anywhere.

**What Is Zero Trust?**

Zero trust is not just a technology but a holistic security approach that fundamentally shifts the security paradigm. The core tenet of zero trust is simple: "Never trust, always verify." In essence, zero trust means security teams should not inherently trust anyone or anything, regardless of whether they are inside or outside the network.

The fundamental principles of zero trust include:

1.  **Continuous verification:** Every access request is verified, regardless of the user's location or device. This principle includes strong multifactor authentication (MFA) and device health checks.
2.  **Least privilege access:** Security teams grant users and systems only the minimum access required to perform their tasks, reducing the attack surface and potential damage in case of a breach.
3.  **Micro-segmentation:** Networks are divided into small, isolated segments with access controls enforced between them, preventing lateral movement by attackers.
4.  **Data-centric security:** Zero trust prioritizes data protection, ensuring data is encrypted, classified, and rigorously access-controlled.

**Why Zero Trust for Cloud Security?**

Reasons zero trust is important for securing cloud environments include:

1.  **Perimeterless environments:** Cloud environments are inherently perimeterless. Traditional security models that rely on securing the network perimeter are ineffective when data and applications are dispersed across multiple cloud providers and accessed from anywhere. Zero trust, which focuses on continuous verification, addresses this challenge by securing access at the individual request level.
2.  **Evolving threat landscape:** Cyber threats are constantly evolving, becoming more sophisticated and persistent. Zero trust's continuous monitoring and verification principle helps organizations stay one step ahead of these threats by detecting and responding to anomalies and breaches in real time.
3.  **Remote workforce:** The rise of remote work has blurred the lines between corporate networks and the public Internet. With employees accessing cloud resources from various locations and devices, zero trust ensures access is granted based on user identity and device trustworthiness, not just network location.
4.  **Data protection:** In cloud environments, data is the crown jewel. Zero trust places data protection at its core, ensuring that even if a breach occurs, sensitive data remains encrypted and inaccessible to unauthorized parties.
5.  **Compliance and regulations:** Many industries are subject to strict data protection regulations. Zero trust helps organizations meet these compliance requirements by enforcing stringent access controls, monitoring activities, and maintaining an audit trail.

**Implementing Zero Trust in Cloud Environments**

To implement zero trust in cloud security, organizations should consider:

1.  **Identity and access management (IAM):** Implement strong authentication methods and access controls based on user identity.
2.  **Continuous monitoring:** Utilize threat detection and response tools to monitor activities and identify anomalies.
3.  **Least privilege access:** Grant minimal access permissions to users and systems based on their roles and responsibilities.
4.  **Data encryption:** Encrypt data at rest and in transit and classify data based on sensitivity.
5.  **Micro-segmentation:** Implement network segmentation to control lateral movement within cloud environments.

**Zero Trust Is Not Optional**

As organizations continue their digital transformation journey by embracing cloud technologies, zero trust emerges as the bedrock of cloud security. The principles of continuous verification, least privilege access, and data-centric security align perfectly with cloud environments' dynamic and distributed nature. Embracing zero trust is not merely an option; it's necessary to protect sensitive data, mitigate risks, and ensure the security of cloud-based operations in an ever-evolving threat landscape. Zero trust isn't just a buzzword; it's the future of cloud security. To learn more about zero trust, AI, and other topics in the ever-evolving threat landscape, log into the #AskCyderes webcast.

**About the Author**

    

Patrick Carter has 15 years of industry experience across security architecture, cloud security, security program management, and strategic consulting. He has a strong understanding of multicloud security architecture, working with both commercial and enterprise-level clients in Azure, AWS, and GCP. He has extensive experience in practice development and service optimization utilizing multiple disciplines. Having consulted enterprises of multiple industries, Patrick is passionate about developing cloud security programs that meet clients' specific needs and building strong relationships that enable them to secure their cloud journey.

Why Zero Trust Is the Cloud Security Imperative

Progress Software plans to collect millions in cyber insurance policy payouts after the MOVEit breaches, which will make getting coverage more expensive and harder to get for everyone else, experts say.

In its recent Security and Exchange Commission (SEC) filing, Progress Software, the company behind the MOVEit file transfer software that's been used to breach dozens of major organizations, says it plans to try and fully collect on its $15 million cyber insurance policy. But how is that fat $15 million payout likely to effect how insurers approach their own businesses?

Faced with class action lawsuits, fines, and a battered business brand, there's little question the company will need millions to cover its losses. And to boot, Progress Software was already collecting on a claim related to a previous incident in November 2022, unrelated to the MOVEit ransomware campaign, according to its most recent 10-Q filing with the SEC.

"As of August 31, 2023, we have recorded approximately $4.9 million in insurance recoveries, of which $3 million was related to the November 2022 cyber incident and $1.9 million was related to the MOVEit vulnerability, providing us with $10.1 million of additional cybersecurity insurance coverage (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies."

**Higher Premiums, Less Coverage**

Cyber insurers don't have the historical data or developed risk models that others do, like car or home insurers, which means they are constantly adjusting their "risk appetite," according to Mark Millender, senior advisor for global executive engagement at Tanium. He thinks payouts like the one Progress Software is seeking will both drive up premiums and ratchet up requirements for coverage across the cyber insurance ecosystem.

"As loss ratios increase and drive down profitability, risk tolerance recedes and the need to drive up revenues is reflected in premium charges," Millender says.

And, getting policies renewed in the wake of this Progress Software claim, and others, is going to get trickier, he predicts.

"At the same time, the insured submitting the claim will be under increased scrutiny at the time of renewal," according to Millender. "The insured's ability to renew with the same or another carrier will depend on many factors, including this claim experience, but also general cybersecurity defense posture and how the incident was addressed."

Cyber insurance policies are undoubtedly already getting more expensive and providing less coverage than before: Two-thirds of companies surveyed for a report from Delinea on the current state of the cyber insurance industry said they saw a 50% increase in cyber insurance premiums, with more narrow coverage over the past year. And, a full 80% of companies reported they submitted at least one claim in the past year.

"Three key factors are driving the growth of the cyber insurance market," Bud Broomhead, CEO at Viakoo says. "This includes the expanding liabilities from cyber breaches, boards and senior management holding more responsibility for breaches, and the 'forcing function' that cyber insurance provides to maintain their cyber security posture."

Broomhead adds that as the cyber insurance market matures, these factors will change, but the bottom-line result is likely to be a continuing trend towards more expensive policies with less coverage. But as cyber insurers refine their risk evaluations, premiums should stabilize, he adds.

**Cyber Insurers Communicating With Security Teams**

Cyber insurers are taking a closer look at the risk profiles of their clients, a trend that will be driven to new heights by the Progress situation. One of the outcomes of this increased scrutiny has been greater cooperation between cyber insurers and their policy holders, Dara Gibson, cyber insurance services leader with Optiv, explains.

"Cyber insurers are now communicating with cybersecurity teams," Gibson says. "It's going to become more of a collaborative effort between the insurers, cybersecurity and the insured because a greater understanding of what 'good' looks like is taking shape."

It's up to enterprise teams to do the same kinds of assessments, Broomhead advises.

"Risk assessment and cyber insurance will always be evolving in the same way that threat vectors themselves evolve," Broomhead says. "The most important thing is for an organization to do its own risk assessment and ensure that their internal policies address their entire attack surface."

How MOVEit Is Likely to Shift Cyber Insurance Calculus

CISA and FBI warn the RaaS provider's affiliates are striking critical industries, with more attacks expected to come from additional ransomware groups in the months ahead.

US authorities issued a warning this week about potential cyberattacks against critical infrastructure from ransomware-as-a-service (RaaS) operation AvosLocker.

In a joint security advisory, the Cybersecurity Infrastructure and Security Agency (CISA) and FBI warned that AvosLocker has targeted multiple critical industries across the US as recently as May, using a wide variety of tactics, techniques, and procedures (TTPs), including double extortion and the use of trusted native and open source software.

The AvosLocker advisory was issued against a backdrop of increasing ransomware attacks across multiple sectors. In a report published Oct. 13, cyber-insurance company Corvus found a nearly 80% increase in ransomware attacks over last year, as well as a more than 5% increase in activity month-over-month in September.

**What You Need to Know About AvosLocker Ransomware Group**

AvosLocker does not discriminate between operating systems. It has thus far compromised Windows, Linux, and VMWare ESXi environments in targeted organizations.

It's perhaps most notable for how many legitimate and open source tools it uses to compromise victims. These include RMMs like AnyDesk for remote access, Chisel for network tunneling, Cobalt Strike for command-and-control (C2), Mimikatz for stealing credentials, and the file archiver 7zip, among many more.

The group also likes to use living-off-the-land (LotL) tactics, making use of native Windows tools and functions such as Notepad++, PsExec, and Nltest for performing actions on remote hosts.

The FBI has also observed AvosLocker affiliates using custom Web shells to enable network access, and running PowerShell and bash scripts for lateral movement, privilege escalation, and disabling antivirus software. And just a few weeks ago, the agency warned that hackers have been double-dipping: using AvosLocker and other ransomware strains in tandem to stupefy their victims.

Post-compromise, AvosLocker both locks up and exfiltrates files in order to enable follow-on extortion, should its victim be less than cooperative.

"It's all kind of the same, to be honest, as what we've been seeing for the past year or so," Ryan Bell, threat intelligence manager at Corvus, says of AvosLocker and other RaaS groups' TTPs. "But they're becoming more deadly efficient. Through time they're getting better, quicker, faster."

**What Companies Can Do to Protect Against Ransomware**

To protect against AvosLocker and its ilk, CISA provided a long list of ways critical infrastructure providers can protect themselves, including implementing standard cybersecurity best practices — like network segmentation, multifactor authentication, and recovery plans. CISA added more specific restrictions, such as limiting or disabling remote desktop services, file and printer sharing services, and command-line and scripting activities and permissions.

Organizations would be smart to take action now, as ransomware groups will only grow more prolific in the months to come.

"Typically, ransomware groups take a little bit of a summer vacation. We forget that they are people, too," Bell says, citing lower-than-average ransomware numbers in recent months. September's 5.12% bump in ransomware cyberattacks, he says, is the canary in the coal mine.

"They will increase attacks through the fourth quarter. That's usually the highest we see throughout the year, as in both 2022 and 2021, and we're seeing that holds true even now," he warns. "Things are definitely climbing up all across the board."

Source

DARKReading