As a former Gartner analyst, it was interesting to be on the other side, listening as others explored the impact of CEO and CIO priorities on security.

GARTNER SECURITY & RISK MANAGEMENT SUMMIT 2023 — National Harbor, Md. — At the opening keynote for the Gartner Security & Risk Management Summit 2023, Gartner distinguished VP analyst Leigh McMullen and senior director analyst Henrique Teixeira emphasized that cybersecurity can generate massive value for enterprises. However, professionals in this field must be willing to challenge misconceptions and move beyond obsolete practices.

This keynote discussed the importance of adopting a minimum effective mindset across business engagement, technology, and talent. This approach refers to the input, not the outcome, with a deliberate, ROI-driven strategy to lead cybersecurity into the future.

McMullen and Teixeira took aim at four prevalent myths in the cybersecurity field:

1.  **More data equals better protection:** Instead, they suggested pursuing the least amount of information needed, to draw a line between the funding of cybersecurity and the amount of vulnerability that funding addresses.
2.  **More technology equals better protection:** They warned against the mindset that some forthcoming technology will solve all problems, leading to the premature acquisition of solutions.
3.  **More cybersecurity pros equal better protection:** They argued that there's no way to scale services to match the enterprise pace merely by hiring more professionals.
4.  **More controls equal better protection:** They pointed out that controls that are circumvented are worse than no controls at all, highlighting the friction employees often experience with secure behavior.

Gene Alvarez, a distinguished VP analyst at Gartner, presented another keynote on the metaverse and digital twins — concepts that will become increasingly important as our thinking about identity management evolves.

In another session, Katell Thielemann, distinguished VP analyst at Gartner, presented on the current CIO and CEO agenda. She highlighted the top priorities of executive leaders and the implications for security. According to Thielemann, boards are willing to increase risks but want results, and CEOs want tangible growth from digital investments. CIOs, on the other hand, need to deliver outcomes by prioritizing the right digital initiatives. She emphasized that CISOs need to adopt a more rigorous approach to prioritizing security resources due to the accelerated enterprise demand for information security expertise caused by digitization.

Walking the vendor floor, I saw many solutions aimed at very familiar use cases, and I heard attendees comment how so many products appeared to replicate solutions to the same problems. Of course, many of the leading sector vendors were there, covering email and messaging security and endpoint protection. Some interesting vendors were taking a fresh look at secure browsers, which for a long time lacked effective enterprise controls despite being a key plank in the endpoint security posture. I must admit that I was somewhat relieved that no one tried to explain to me how GenAI was the source of, or the solution to, all of life's problems.

An Analyst View of Gartner Security & Risk Management Summit 2023

The tool trained on the company's investigative cybersecurity services data set, and provides natural language responses to client queries, to improve response and remediation efforts.

Managed detection and response (MDR) provider eSentire has announced eSentire AI Investigator, a machine learning-powered tool for querying asset and vulnerability data, security telemetry, and other sources of cybersecurity information. The goal? To improve security investigations, threat response, and threat hunting.

Even as novel vulnerabilities and new threat actors emerge, existing problems have a continuing presence. The growing pool of information, alongside the ongoing scarcity of human cybersecurity talent, drive the demand for automated tools for finding and fixing security issues. According to the company, eSentire AI Investigator uses generative AI (the same technology behind ChatGPT) to answer natural language queries from its MDR clients, providing information drawn from a variety of internal and external resources to show them how wider security events and trends could affect their businesses.

The eSentire services units also use eSentire AI Investigator to increase efficiency and reduce response time. The company said the tool is trained against eSentire's investigation data set of more than a million investigations and responses, shaped by human feedback from its Cyber Response Team, to find and suggest threat remediation measures quickly. Using eSentire AI Investigator, the company claimed a mean time to contain unknown threats of 15 minutes. The company also credited the tool for a global threat sweep that detected and defanged a recent Batloader malware campaign.

The eSentire AI Investigator tool is available in private preview through the eSentire Insight Portal.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

eSentire's AI Investigator Chatbot Aids Human Response to Security Incidents

New product provides customers with an attacker's view of their cyber resilience aligned to business context.

**NEW YORK – June 20, 2023 –** Cymulate, the leader in exposure management and security validation, today announced the release of a ground-breaking new solution for organizations to run an informed continuous threat exposure management (CTEM) program. The CTEM program, which was coined by Gartner, Inc. is designed to diagnose the severity of exposures, create an action plan for remediation and facilitate a common language for discussions between business and technical teams. Disparate data sources, point-in-time collection, and lack of business context create challenges for cybersecurity teams to ingest and contextualize exposure data and translate it from a security concern to a business impact. The new Cymulate Exposure Analytics solution bridges this gap by ingesting data from Cymulate products and other third-party data on vulnerabilities, risky assets, attack paths, threat intelligence, and other security controls to create a risk-informed defense with business context.

Unlike other programs that focus on reactive detection and response, the Gartner CTEM program is centered on proactively managing risk and resilience. By aligning with this program, organizations apply a repeatable framework to scope, discover, prioritize, validate, and mobilize their offensive cybersecurity initiatives. The Cymulate Exposure Analytics solution has a quantifiable impact across all five of the CTEM program pillars and on a business’s ability to reduce risk by understanding, tracking, and improving its security posture.

**CTEM Alignment**

*   **Scoping:** Understand by organizational segment, the risk posture of business systems and security tools and its risk to immediate and emergent threats to define the highest impact programs needed to reduce or manage risk scores and tolerance
*   **Discovery:** Correlated analysis from Cymulate and multi-vendor data that assesses on-premises and cloud attack surfaces, risky assets, attack paths, vulnerabilities, and business impact
*   **Prioritization:** Vulnerability prioritization & remediation guidance based on multi-vendor aggregated data that is normalized, contextualized, and evaluated against breach feasibility
*   **Validation:** Analyze exposure severity, security integrity, and effectiveness of remediation from security validation assessment data. Immediate threat and security control efficacy data can be used to answer questions such as “Are we at risk to this emergent threat?”, “Do we have the necessary capabilities to protect us when under attack?”.
*   **Mobilization:** Utilize Cymulate contextualized data to understand various response outcome options, and establish and track performance against baselines, benchmarks, and risk profiles

"Cymulate has always taken an attacker’s view on cybersecurity defense, and through our experience in breach and attack simulation we have carefully studied the ways attackers creatively exploit vulnerabilities and other exposures driven by human error, misconfiguration, or control weaknesses," said Avihai Ben-Yossef, chief technology officer and co-founder of Cymulate. "This latest announcement provides customers with a centralized tool that leverages data collected from the Cymulate platform and other third-party exposure data sources and contextualizes it for scoping security risk, prioritizing remediation, tracking the performance of cybersecurity initiatives, and effectively communicating risk."

**Cymulate Exposure Analytics Capabilities**

**Contextualized Vulnerability Management:** Integrates with common vulnerability scanners and cybersecurity validation solutions to continuously provide organizations visibility, context, and risk for each vulnerability. Rather than simply prioritizing based on CVSS scores, Cymulate Exposure Analytics provides a security data fabric for contextualized vulnerability prioritization, which correlates vulnerability findings with business context and security control effectiveness. By integrating with tools for breach and attack simulation and continuous automated red teaming, Cymulate Exposure Analytics creates a risk score that considers the exploitability and effectiveness of compensating security controls.

**Risk-Based Asset Profile:** Creates a consolidated view of assets with context to their risk. The product aggregates data from vulnerability management, attack surface management, configuration databases, Active Directory, cloud security posture management, and other systems and then applies its risk quantification to score each asset. This risk-profiled asset inventory contains a quantified risk score for every endpoint, system, cloud container, virtual machine, application, email address, web domain, IoT/OT device, and more. This data can also be aggregated by business or operational context. The inventory includes details for each asset, including existing security controls, currently enforced policies, known vulnerabilities, un-patchable vulnerabilities or security gaps, and mitigation status.

**Remediation Planning:** Applies its risk quantification and aggregated asset inventory to create a prioritized list of mitigations that deliver the most significant risk reduction and improvement in cyber resilience. When available, the remediation plan presents remediation options that consider urgency, severity, and compensating controls – as well as the forecasted outcomes by modeling the risk impact of the mitigation.

**Measure and Baseline Cyber Resilience:** Quantifies risk as a key metric of cyber resilience to understand security resilience and business risk in the context of business units, mission-critical systems, and business operations. Risk scoring considers the attack surface, business context, control efficacy, breach feasibility, and external data such as CVSS scores and threat intel. With dynamic reporting and dashboards for baselines and visualizations, security leaders gain insights to measure and communicate cyber resilience and risk to executives, boards, and their peers.

**Platform Alignment:** Complements the company’s current platform, which includes Attack Surface Management (ASM), Breach and Attack Simulation (BAS), and Continuous Automated Red Teaming (CART) solutions. Exposure management and control validation tools are consolidating as businesses need to simplify how they understand risk and resilience to emergent threats and a rapidly changing attack surface. With the Cymulate modular offering, customers can deploy aligned to their current cybersecurity maturity and grow to leverage the platform's additional capabilities as their needs change.

Deployed on its own, Cymulate Exposure Analytics creates centralized intelligence and visibility to security posture with business context essential to an exposure management program. When deployed as part of the Cymulate Exposure Management and Security Validation Platform, the total solution enables and optimizes CTEM programs by merging the traditional vulnerability-based view of risk with the “attacker’s view” of the attack surface.

**Resources**

*   Datasheet
*   Website

**About Cymulate**

Cymulate, the leader in exposure management and security validation, provides a modular platform for continuously assessing, testing, and improving cybersecurity resilience against emergent threats, evolving environments, and digital transformations. The solution has a quantifiable impact across all five continuous threat exposure management (CTEM) program pillars and on a business’s ability to reduce risk by understanding, tracking, and improving its security posture. Customers can choose from its Attack Surface Management (ASM) product for risk-based asset profiling and attack path validation, Breach and Attack Simulation (BAS) for simulated threat testing and security control validation, Continuous Automate Red Teaming (CART) for vulnerability assessment, scenario-based and custom testing, and Exposure Analytics for ingesting Cymulate and third-party data to understand and prioritize exposures in the context of business initiatives and cyber resilience communications to executives, boards, and stakeholders. For more information, visit www.cymulate.com.

Cymulate Announces Security Analytics for Continuous Threat Exposure Management

ChatGPT usage growing 25% monthly in enterprises, prompting key decisions to block or enable based on security, productivity concerns.

**SANTA CLARA, Calif. – June 20, 2023 –** Netskope, a leader in Secure Access Service Edge (SASE), today announced general availability of a comprehensive data protection solution to help enterprises securely manage employee use of ChatGPT and other generative AI applications, such as Google Bard and Jasper. As part of its award-winning Intelligent Security Service Edge (SSE) platform and decade-long commitment to data security innovation, Netskope today can successfully enable safe usage of generative AI thanks to unique, patented data protection techniques not found in other vendors’ SSE platforms.

Following incidents in 2023 of sensitive data exposure from generative AI, many enterprises are now prioritizing if and how to safely enable the use of these applications and support AI innovation without putting their businesses at risk. According to Netskope research, currently \[1\]:

*   About 10% of enterprise organizations are actively blocking ChatGPT use by teams
*   ChatGPT adoption is growing exponentially in enterprises, currently at a rate of 25% month over month
*   Approximately 1 out of 100 enterprise employees actively uses ChatGPT daily, with each user submitting, on average, 8 prompts per day

To address this challenge, Netskope Intelligent SSE combines longstanding, industry-recognized Netskope data protection features with newly released innovations specifically for classifying and dynamically controlling safe usage of generative AI applications. These are available to Netskope customers today as a unified solution offering from Netskope and its network of channel partners. (Click to get started right away: http://netskope.com/chatgpt)

"Enterprises today are faced with deciding whether to block access to ChatGPT and other generative AI apps to reduce security risk, or allow usage and reap the efficiencies and other benefits these apps can bring about. The safe enablement of these apps is ultimately an advanced data protection challenge—one Netskope is uniquely positioned to solve," said Krishna Narayanaswamy, Netskope Co-Founder and Chief Technology Officer. "Netskope helps all organizations encourage the responsible use of these increasingly popular applications using the right data protection controls in place that help keep the business safe and productive."

As part of Intelligent SSE, Netskope Zero Trust Engine capabilities for the safe enablement of generative AI applications include:

**Comprehensive Application Usage Visibility**

*   Instant access to specific ChatGPT usage and trends within the organization via industry’s broadest discovery of SaaS (using a dynamic database of 60,000+ applications) and Advanced Analytics dashboards
*   Best-in-class Cloud Confidence Index™ (CCI) that actively classifies new generative AI applications and evaluates their risks accordingly
*   Granular context and instance awareness via patented Cloud XD™ inspection, which discerns access levels and data flows through application accounts, such as corporate vs. personal accounts
*   Visibility via a new web category specially created for identifying generative AI domains, enabling teams to configure access control and real-time protection policies, and manage traffic destined specifically for generative AI applications

**Advanced Application Access Control**

*   The ability to dynamically perform granular access to ChatGPT and other generative AI applications
*   Visual coaching messages to alert users in real-time on potential data exposure and other risks every time generative AI applications are accessed— promoting responsible use of generative AI applications and training employees in real time, without stopping harmless queries

**Advanced Data Protection**

*   The ability to monitor, allow, or block enterprise sensitive data (such as source code) from being posted to AI chatbots
*   Support for regulatory compliance needs such as GDPR, CCPA, HIPAA, and many others, using advanced data classifiers and ML-based detection

**The Highest Performing Security Services**

*   With SSE services powered by NewEdge, the world’s largest security private cloud presence with data centers in 65+ regions globally, Netskope provides customers with unparalleled service coverage, performance, and resilience

**A History and Tradition of AI/ML Innovation in Data Protection and Beyond**

Since its founding in 2012, Netskope has been continuously lauded for its advanced data protection capabilities and the uses of AI and machine learning (ML) innovation in its platform. These innovations include in data security, embedded UEBA, threat protection, IoT security, Borderless SD-WAN, AIOps and other areas, with advanced techniques for personally identifiable information (PII) image classification, whiteboard image detection, sensitive document classification, IoT device detection, WAN access anomaly detection, encrypted file detection, and many other critical use cases.

In addition, Netskope AI Labs is recognized as an authority in solving security and fraud problems through the responsible use of AI/ML in different domains, developing large-scale AI/ML models for real-time SSE and SASE use cases. Netskope’s team also includes inventors listed on hundreds of patents worldwide.

"As a leader in the transformation of network, cloud, and data security, Netskope is committed to the responsible use of artificial intelligence and machine learning. We work with peers, academia, thought leaders, and governments alike to safely direct AI/ML efforts in a way that will benefit and not cause harm to our customers, partners, employees, and their families," said Dr. Yihua Liao, Head of Netskope AI Labs. "Netskope AI Labs is a critical component of Netskope product and service innovation. Even more importantly, we help drive the right outcomes regarding AI's role in security and networking and how we can all take advantage of innovation with the right protections in place, whether for generative AI applications or any other compelling use case."

Among other recent accolades, Netskope was named a Leader in the 2023 Gartner®  Magic Quadrant™  for Security Service Edge and was the only SSE Leader to also rank among the highest three scoring vendors for all Use Cases in the companion Critical Capabilities for SSE report. Those use cases include “Identify and Protect Sensitive Information,” a data protection category in which Netskope received the highest scores among any SSE vendor.

For more on Netskope AI innovations:

*   Get the Netskope for ChatGPT solution brief
*   Join Netskope at Infosecurity Europe at ExCEL London this week, June 20-22, where Netskope AI innovations will be featured as part of Netskope SASE and Intelligent SSE demonstrations at Stand Z60. Click here to register for free and get the full list of Netskope Infosecurity activities.
*   Join Netskope for a special LinkedIn Live discussion, **“ChatGPT: Fortifying Data Security in the AI App-ocalypse”** featuring Netskope experts Krishna Narayanaswamy, Neil Thacker, and Naveen Pallavalli, on Thursday, June 22, at 12:30pm ET / 9:30am PT. Click here to confirm attendance.
*   Read the latest Netskope AI and ML insights via the Netskope blog
*   Visit the Netskope AI Labs resources page

**Gartner Disclaimer**

Gartner, “Magic Quadrant for Security Service Edge,” Charlie Winckless, Aaron McQuaid, John Watts, Craig Lawson, Thomas Lintemuth, Dale Koeppen. Published 10 April 2023 – ID G00766751.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark, MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Enables Secure Enterprise Use of ChatGPT and Generative AI Applications

**GHENT,** **Belgium****,** **June 20, 2023** **/PRNewswire/ --** After raising $1.4 million in 2022 and successfully launching its product, award-winning Belgian access management start-up NineID announced raising another $1.2 million, successfully closing its $2.6 million seed round. The funding came from lead investor Pitchdrive, Comate Ventures, and several business angels (including Showpad's founders). NineID just opened a New York office and has customers like World Forum The Hague (who recently welcomed Ukrainian president Zelensky). The funds will be used to fuel internationalization and product expansion.

Organizations such as World Forum The Hague, PSA (world's largest port group), A.S. Watson (world's largest international health & beauty retailer), Alpro (part of Danone Group), and dozens of other multinationals joined NineID's client base in search of one thing: a modern access control solution. Other technologies are outdated and offer limited security. In addition, manual onboardings and check-ins are not user-friendly and can lead to administrative chaos.

The company offers a SaaS platform that centralizes user identification, certificates, and training documentation, making it easily accessible for audits. In addition, NineID provides hardware for on-site access management, utilizing QR codes, smartphone scans, or facial recognition.

The founders, Roy Jeunen and Frederik Keysers, built the solution while experiencing cumbersome security procedures themselves. "In previous roles we underwent long queues and countless security checks prior to getting site access via (RFID) badges. Anyone can pass on this badge, making the whole process useless," says Roy.

"Companies often lose sight of physical identity and access management when focusing entirely on cyber security," adds Roy. "Physical badges are often prone to sharing, copying, or theft — allowing hackers to gain access to unauthorized premises and use unattended computers or network ports. This opens the literal and figurative door for security breaches."

NineID put their theory to the test by successfully infiltrating an unknowing company and accessing all sensitive information within 15 minutes. "Physical breaches are responsible for over 10% of data breaches, according to sources like IBM. NineID's solution ensures that everyone entering a site is 100% security compliant," says Frederik.

To further expand internationally and enhance their solution, NineID secured additional funding from Pitchdrive and prominent figures in the Belgian technology landscape, such as Comate Ventures, the founders of Showpad, and Drupal CMS' founder.

For more information: nineid.com

SOURCE NineID

NineID Raises $2.6M to Build a Secure Bridge Between the Digital and Physical Worlds of Corporate Security

Infostealers are as alive as ever, wantonly sweeping up whatever business data might be of use to cybercriminals, including OpenAI credentials.

In the last year, at least 100,000 devices infected by various infostealer malwares have leaked ChatGPT credentials to the Dark Web.

Infostealers can collect just about anything: information about a target machine, cookies and browser histories, documents, and so on. More often than not, hackers profit off of this kind of bounty not just by utilizing it themselves, but by reselling it on the Dark Web. For example, online marketplaces regularly traffic in logs that contain victims' account credentials for popular applications.

From June 2022 through last month, cybersecurity firm Group-IB tracked how many of these for-sale logs expose ChatGPT accounts. In total, it counted 101,134.

The malware overwhelmingly responsible for these leaks was Raccoon, the infamous Russian-designed tool first discovered in 2019. The Raccoon operation briefly shut down early last year after the death of its creator, only to come back new and improved three months later. Since then, it has been responsible for at least 78,348 devices leaking ChatGPT credentials.

Besides Raccoon, the researchers tracked 12,984 GPT-laden logs attributed to Vidar and 6,773 to Redline.

In the entire sample size, less than 5,000 infected devices were traced to North America. A plurality originated in the Asia-Pacific, with the biggest offenders being India (12,632) and Pakistan (9,217). Other countries with many exposed ChatGPT credentials included Brazil (6,531), Vietnam (4,771), and Egypt (4,558).

**ChatGPT Logins the Tip of the Iceberg**

Last December — the first month ChatGPT was made available to the public — the researchers tracked 2,766 Dark Web stealer logs containing compromised accounts. That number surpassed 11,000 the following month and doubled two months after that. By May, the figure was up to 26,802.

In other words, the trendline is clearly only moving in one direction.

But ChatGPT credentials are almost beside the point, says Mike Parkin, senior technical engineer at Vulcan Cyber. "Infostealers can be an issue, at least in part, because they're not as outwardly destructive as, say, ransomware, which is hard to miss. A well obfuscated infostealer can be much harder to detect, precisely because it doesn't make itself known."

Because organizations can more easily miss infostealers than certain other kinds of malware, they're liable to realize their sensitive data is gone only after it's too late.

"Depending on the strain of information stealer, hackers can be gathering everything from application and Web credentials to personal information, stored files, and system configurations. Organizations that have these malware infections in their environment could face having intellectual property, company financials, and pretty much any other data that lands on infected systems exposed," Parkin says.

As long as infostealers continue to run rampant, ChatGPT credentials will be the least of anybody's worries. "The real question," Parkin asks, "is what kind of data isn't being leaked by these kinds of malware?"

100K+ Infected Devices Leak ChatGPT Accounts to the Dark Web

The nation of Jordan begins work on a national cybersecurity framework to align with international practices and better mitigate threats.

The National Cybersecurity Center of Jordan has issued a proposed draft for a national cybersecurity framework.

With the consultation period open, center spokesperson Bassam Maharmeh said the draft encompasses a collection of procedures, controls, mechanisms, and standards that institutions must adopt and implement.

The framework's intention is to keep pace with international practices to develop the defense system for cybersecurity at a national level for all public and private institutions. It will also act as a guide to confront cyber threats efficiently and effectively, and mitigate the impact "resulting from the realization of various cyber risks through the development of technical, human and administrative capabilities in institutions."

Its objective is to enhance the security of Jordan's cyber systems and elevate the level of information protection, according to Jordan News. While the framework will enforce mandatory standards, Maharmeh stated that the cybersecurity center actively participates in drafting legislation, controls, and regulatory frameworks to mitigate cyberattacks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Jordanian Cyber Leaders Kick Off Cybersecurity Framework Development

The ransomware landscape is energized with the emergence of smaller groups and new tactics, while established gangs like LockBit see fewer victims.

There was a rise in the number of ransomware victims in May compared to the previous month, although LockBit, the leading ransomware group, saw a 30% decrease in observed victims (110 to 77) from April to May.

Ransomware heavyweight AlphV also experienced a decline in posted victims, with 38 observed victims in May compared to 51 in April.

That drying up was offset by several new branded groups entering the scene, contributing to an overall increase in observed ransomware victims, according to GuidePoint Security's latest GRIT report.

The May GRIT report highlighted a diverse slate of active threat groups, with 28 observed groups claiming victims. There was a 13.57% increase in publicly posted ransomware victims from April to May, and 410 incidents total, led by victims in the United States — far and away the most targeted country.

The report noted that the fledgling Akira ransomware group has gained particular prominence just since April (the name a potential nod to the 1988 Japanese anime cult classic in which a biker is turned into a rampaging psychopath). The gang is primarily known for a unique data-leak site designed as an interactive command prompt using jQuery.

Educational organizations have been disproportionately targeted by Akira, representing eight of its 36 observed victims. The group follows the "double extortion" approach: stealing data from victims and threatening to leak it if the ransom is not paid.

While there isn't enough data to make a definitive hypothesis, GuidePoint Security threat intelligence consultant Nic Finn notes he has observed some of the new groups significantly lowering their initial ransomware demand.

"If this trend continues, it could indicate that ransomware groups are attempting to shorten the time between victimization and ransomware payment," he says.

Overall, though, the GRIT findings echoed the 2023 Verizon Data Breach Investigations Report in noting escalating ransomware costs.

**Emergence of New Ransomware Groups**

GRIT has also identified other fresh-faced ransomware groups on the scene, such as 8Base, Malas, Rancoz, and BlackSuit, each with its own distinct characteristics and targets.

8Base, which claimed 67 victims in the past year, has primarily targeted the banking and finance industry and is focused primarily on the US and Brazil, while the extortion group Malas was observed performing mass exploitation of business email and collaboration software Zimbra.

There is little known about Rancoz, which has posted just two victims so far — one in the tech sector and one in manufacturing — while BlackSuit was flagged for the maturity of its operations despite only one observed victim.

These emerging threat groups have deployed a combination of established and innovative tactics, aiming to blend in and profit amid the crowded ransomware landscape, explains Finn.

He notes one method that's been observed lately is a shift toward single extortion, focused around exfiltrated data — no encryption necessary.

"This is much more sustainable for ransomware groups because it involves less troubleshooting with victims when the decryptors fail," he says.

Finn explains the recent behavior of ransomware groups suggests they are following whatever tactics they believe to be more novel and successful.

"The trend back toward single extortion through the threat of data publication could be the result of perceived success by other groups, or it could be a determination they are making based on their interactions with victims," he says.

For example, if a good portion of their victims are asking to lower the ransom demand in exchange for just proof of deletion and guarantees not to attack them again, this may lead ransomware groups to assume that a good portion of their victims have backups in place, making it the effort of encrypting a victim network seem superfluous.

"Organizations following data backup best practices should remain diligent about developing detections and monitoring activity for any potential data exfiltration efforts, as this single extortion trend will definitely continue and likely grow throughout 2023," Finn says.

**Education Sector in the Sights**

As evidenced by Akira and older groups like Vice Society, ransomware groups are increasingly targeting educational institutions, from daycare centers to major universities. In total, ransomware groups posted 35 unique victims in the education industry in May.

"A recent influx in vulnerabilities affecting software commonly used in schools, such as the PaperCut MF/NG vulnerability," the report noted.

"It seems like the education sector is seeing heavy targeting because there is so much personally identifiable (PII) and sensitive student data available in the resulting data," Finn says. "Additionally, the number of individuals impacted is exponential to the size of the victim organization."

For example, a school system with just a thousand or so active students could still house records and data on thousands more former students, plus information relating to parents of the students who have data at risk.

"Another big factor is media attention," he adds. "Ransomware actors follow the trends that get them media coverage. The cyberattack against the LA Unified School District brought about a lot of media attention, so it's likely that more groups are matching that trend to replicate the coverage."

**MOVEit and Mass Exploitation**

Another factor in the recent growth of successful ransomware attacks is the phenomenon of ransomware groups are exploiting zero-day vulnerabilities _en masse_, the report noted, conducting exfiltration, and expecting victims to reach out to them to coordinate for ransoms.

The ongoing Cl0p attacks exploiting the MOVEit vulnerability against hundreds of organizations are emblematic of the trend, which is also seen with the DeadBolt ransomware variant and another recently exploited by a threat actor to deploy Nokoyawa ransomware.

"It appears that Cl0p has a team of highly technical hackers working on mass exploitation, especially of file transfer software," Finn adds.

Recent reporting indicates that the group began working on the MOVEit exploitation as far back as 2021, and even delayed the mass exploitation of the vulnerability until it completed a different mass exploitation campaign against the GoAnywhere MFT service earlier this year.

"This indicates a significant strategic planning capability, even down to the decision to begin exploitation of this MOVEit vulnerability over the Memorial Day weekend, when less staff is available to respond right away," he says.

While there has been a noted slowdown in ransomware activity over the summer for the past two years, which Finn adds may still occur this year, there's also "a good chance" that other ransomware groups attempt to mimic the behavior of groups like Cl0p and attempt mass exploitation, which could offset declines in activity elsewhere.

Fresh Ransomware Gangs Emerge as Market Leaders Decline

A severe security vulnerability allows credentials for the power meters to continuously transmit in cleartext, allowing device takeover.

INFOSEC23 – London – A security vulnerability in the Schneider Electric ION and PowerLogic power meters has been disclosed: They transmit a user ID and password in plaintext with every message.

Given a CVSS vulnerability-severity rating of 8.8 out of 10, the bug would allow an attacker with passive interception capabilities to obtain these credentials, authenticate to the ION/TCP engineering interface (as well as SSH and HTTP interfaces), and change configuration settings or potentially modify firmware.

"It's obviously not acceptable anymore for an operational technology (OT) product to transmit credentials in in cleartext because anybody that has access to the network and can sniff the traffic will be able to get them, and then do almost whatever they want with the device," says Daniel dos Santos, head of security research at Forescout. This could include controlling smart meter switches to cause load oscillations that could trigger shutdowns, with the demand (or load) then being passed on to other parts of the grid network. In a worst-case scenario, a domino effect could theoretically lead to a blackout.

Disclosed as part of the Forescout's Icefall OT research, this vulnerability is one of three announced today at Infosecurity Europe, the other two being denial-of-service (DoS) vulnerabilities in WAGO 740 controllers. Both of the DoS issues are given a severity rating of 4.9.

Schneider said in its advisory that the ION Protocol was created over 30 years ago to bring sophisticated data exchange to digital power meters, and as cybersecurity became a concern, the protocol was enhanced with support for authentication. 

But that doesn't mean there aren't still security holes, as there often are with legacy code. In fact, dos Santos says the Schneider vulnerability was originally due to be released as part of a bundle of 56 OT flaws in June 2022 but was held up due to patching processes.

"It's one of those examples of things that were designed at an earlier time, and Schneider definitely recognizes that \[this is a vulnerability\] and we worked with them to bring it up to the present, by finding the issue and fixing it," he says.

He adds, “Now this is a secure version of this protocol that has encryption where the credentials are not transmitted in plaintext anymore. So it's definitely a relevant enough issue that made them reevaluate the need for a secure version of the protocol for a product line that is older but still used a lot."

**Cybersecurity by Design is Still Missing for OT**

The Forescout research noted that this showcases that there's still a lack of fundamental understanding of security-by-design by OT vendors, with recurring design issues that demonstrate a lack of understanding of basic security control design, such as plaintext and/or hardcoded credentials, client-side authentication, stateful control on stateless protocols, missing critical steps in authentication, broken algorithms, and faulty implementations.

As dos Santos says: "Everybody knows that OT has almost no security built by design, right? That's a fact, but what we always wanted to stress around the fact was the fact that you need to measure how insecure it is. You cannot just say 'your whole OT is insecure'; you need to say there is insecure engineering, protocols, insecure firmware updates, and so on.”

Forescout used the release of these new vulnerabilities to call on vendors to improve their security testing procedures, and it said products and protocols must remain backward compatible with legacy designs.

Dos Santos says some vendors still have issues with backward compatibility, as legacy products have hardcoded credentials with insecure methods of delivery. "The main reason why things were designed insecurely at the time is because security wasn't a big concern, but now it's the need for for backward compatibility and the need for maintaining some product lines that are still used: but there are people still using those because the lifespan is 20 to 30 years."

Schneider Power Meter Vulnerability Opens Door to Power Outages

A criminal crowd-sourcing campaign has led to swift adoption of the stealer, which can pilfer key computer data, credentials from browsers and chat apps, and cryptocurrency from multiple wallets.

A stealthy stealer that can lift credentials from scores of Web browsers and extensions, and steal cryptocurrency, has quickly become a favorite of cybercriminals since it first appeared on underground marketplaces in April.

The Mystic Stealer has established a strong foothold in the threat landscape in only its first several months of existence thanks to a combination of advanced capabilities, pricing, and the crowdsourcing of recommendations that have led to ongoing updates and improvements. That's according to two simultaneously released reports, one by Cyfirma and the other a collaboration between Inquest and Zscaler.

The stealer — which typically goes for a subscription fee of $150 per month, or $390 for a three-month subscription — has similar capabilities to pilfer data from a victim's computer to other forms of this type of malware, paired with obfuscation techniques that make it, by design, capable of advanced evasion, the researchers said.

"It seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion," Zscaler researchers wrote in their post.

Mystic Stealer can steal a wide array of information, ranging from computer data such as the system hostname, username, and GUID, to credentials from nearly 40 Web browsers and more than 70 browser extensions, they said. Additionally, it targets Bitcoin, DashCore, Exodus, or any other popular cryptocurrencies, and can steal Telegram and Steam credentials.

So far, the regions where researchers have found the most instances of attackers wielding Mystic Stealer are the US, Germany, Finland, France, and Russia, in that order.

**Commitment to Evasion & Malware Improvement**

Unique to Mystic Stealer compared to similar forms of malware is its inventors' vested interested in making it difficult to detect or analyze, as well as a commitment to continuously advancing its capabilities by appealing to its user base for feedback, the researchers said.

In terms of evasion, Mystic Stealer's code is heavily obfuscated, with its creators using polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants, as well as a custom binary protocol that is encrypted with RC4, according to InQuest and Zscaler.

But perhaps the key reason the malware has caught on so fast — with the researchers already discovering more than 50 actively operational command and control (C2) servers in only about two months — is that its creators did something unique soon after its release. That is, they made the stealer available for testing to underground forum veterans to verify its effectiveness and make suggestions for enhancement, which were incorporated into new versions of the stealer, noted Cyfirma researchers.

"The threat actor demonstrates an understanding of the significance of receiving validation from established members within the underground forum regarding the product," Cyfirma researchers wrote in their post. "Furthermore, the author of the product openly invites suggestions for additional improvements in the stealer, as is evident in the updated releases, which signifies an ongoing effort to enhance the product."

**Mystic Stealer De-Mystified: Technical Details**

On the technical side of things, Mystic Stealer is implemented in C for the client and Python for the control panel and is purported to target all Windows versions from XP to Windows 11, with support for both x86 and x64 architectures, according to Cyfirma.

It can evade detection by most AV products, operating in memory and using system calls for compromising targets, the researchers said. This ensures that no trace is left on the hard disk during the data exfiltration process.

"Once target data is identified, the malware compresses, encrypts, and transmits it," the Cyfirma researchers wrote. "Client authentication is not required; data is transmitted as it is received.

Moreover, its developers created the malware without reliance on third-party libraries for decrypting or in decoding target credentials, both reports noted, which is unique to stealer malware.

"Some leading stealer projects download DLL files post-install to implement functionality to extract credentials from files on the local system," the InQuest and Zscaler researchers wrote.

Instead, of doing this, Mystic Stealer collects and exfiltrates information from an infected system and then sends the data to the C2 server that handles parsing, they said.

"This is a different approach from many leading stealers and is likely an alternate design to keep the size of the stealer binary smaller and the intention less clear to file analyzers," the researchers wrote.

**Defending Against Infostealers**

With the quick spread of the particularly evasive Mystic Stealer — and the prevalence of stealer malware in general — the Cyfirma team recommends that organizations implement robust security measures to avoid compromise in the advent of an attack, the researchers said.

"Mystic Stealer poses substantial risks and potential impacts from the perspective of external threat landscape management," they wrote.

This should include a best-practices layered defense strategy that combines threat prevention technologies, up-to-date antivirus software, firewalls, intrusion detection systems, and regular security patching, which can significantly reduce the risk of Mystic Stealer infiltration, the researchers said.

Organizations should also put into place continuous monitoring of threat-intelligence sources by sharing threat information within security communities and leveraging threat-intelligence feeds so they can stay updated on the latest indicators of compromise associated with Mystic Stealer, the researchers said. "This allows for early detection, response, and mitigation efforts," they wrote.

Educating employees on security best practices, how to recognize phishing attempts — which may attempt to spread the stealer — and maintaining an overall culture of security awareness is also crucial to helping organizations avoid compromise, the researchers said.

Finally, every organization should have a strong incident-response plan in case of attack that includes communication protocols, forensics investigation processes, and backup and recovery strategies, they added.

Source

DARKReading