1Password's annual State of Access report reveals that distracted employees are twice as likely to do the bare minimum for security at work.

**TORONTO****,** **Dec. 13, 2022** **/PRNewswire/ —** 1Password, the leader in human-centric security and privacy, today released its annual State of Access Report, Distraction on overdrive: Security in a time of permacrisis. Based on a survey of 2,000 North American workers, the report explores employees' sentiments and behaviors around cybersecurity and other critical aspects of modern work amid persistent global crises this year, coined 'permacrisis.' The findings reveal that sustained burnout, now paired with high levels of distraction, has critical implications for workplace security.

"While we hope the worst of the pandemic is behind us, world events continue to unsettle and distract employees. Mishaps are inevitable – it's not a case of if world distractions will make employees more vulnerable to human error, it's a matter of when," said Jeff Shiner, CEO of 1Password. "That's why it's vital that businesses take security off people's plates by implementing seamless systems that eliminate the need for human action. The easier we can make security, the less it will become yet another distraction. It's a win-win for employees and companies."

**The Distraction Vortex**  
Workers have faced what can feel like an avalanche of crises and concerns over the past year. From the COVID-19 pandemic to the whipsawing financial markets and inflation, workers conveyed a vivid picture of their distraction on overdrive, with 53% related to economic or monetary concerns.

*   **Unprecedented stress:** 4 in 5 employees (79%) feel distracted on a typical work day, with 1 in 3 employees (32%) saying they're the most stressed they've ever been in their lives.
*   **A perfect storm:** Top distractions include the Covid-19 pandemic (44%), recession/inflation (42%), economic uncertainty (38%), gas prices (34%), and personal relationships (29%).
*   **Missing motivation:** More than 1 in 4 employees (26%) say that distractions from world events make it hard to care about their job. This has major repercussions for enterprise security, with distracted workers more than twice as likely as others to do only the bare minimum for security at work (24% vs. 10%).

**Security is Sinking In**  
Despite high-profile breaches and ransomware attacks generating splashy media headlines weekly, silver linings are evident amid the chaos. Awareness of cyberthreats is increasing, and security automation and systems are making headway, counterbalancing human shortcomings around security.

*   **Rising awareness:** 3 in 4 employees (76%) are aware their individual actions have an impact on their company's overall security, and 82% would care if they caused a security breach.
*   **Trusted tools:** Nearly 9 in 10 employees (89%) now use authentication products or services such as two-factor (2FA) or multi-factor authentication (MFA), biometrics, password managers and single sign-on.
*   **Mythbusting: complexity** **≠ security:** There's a misperception that if security is too easy, it's not safe. Employees are three times as likely to trust two-factor or multi-factor authentication as they are to trust single sign-on (65% vs. 19%).

**Security Slippage**  
Notable security improvements have been made in recent years, but our research shows that bad security hygiene persists in the modern workplace. Poor password habits are still prevalent, and 50% of employees say the biggest threat their company faces is the prospect of employees falling for scams or phishing attempts.

*   **Senior security snafus:** Poor password hygiene is notably worse among employees at the level of director and above, with 49% using personal identifiers in their passwords.
*   **Password reuse:** Despite knowing the risks associated, 1 in 3 employees (34%) reuse passwords.
*   **Same device, different gig:** One in 10 workers (10%) have used their work computers or devices for a side gig or another job – and tech workers are even worse (19%) – making companies increasingly vulnerable to security risks.

**Tech Industry Trouble**  
Workers in the tech, IT and telecom industries reported being far more distracted compared to their non-tech counterparts. Tech workers are nearly twice as likely as others to say distractions make it hard to care about their jobs, and are more than three times as likely to do the bare minimum around security.

*   **Domino effect:** Nearly half (46%) of tech industry workers say that distractions from world events make it hard to care about their jobs – compared to 23% of other employees in other industries.
*   **Distraction dependency:** 39% of tech industry workers say their coworkers are less productive at work because they're distracted by world events – nearly twice as much as workers in other industries (20%).
*   **Phoning it in with workplace security:** 36% of tech industry workers say they only do the bare minimum when it comes to security at work – compared to 11% of employees in other industries.

"Every crisis creates an opportunity for criminals to exploit victims via social engineering as they take advantage of psychological weaknesses. Many of the traditional human vulnerabilities are at greater risk in a time of permacrisis; curiosity, the power of authority figures, manufactured urgency, greed and other weaknesses will continue to be used to the attackers' advantage," said Troy Hunt, strategic advisor at 1Password and founder of Have I Been Pwned. "As the level of sophistication increases, even the most tech-savvy of us can fall victim to a well-crafted attack, and it's our job in the industry to build more resilient systems and tools."

For more information, read the full report.  

**About 1Password**  
1Password's human-centric approach to security keeps people safe, at work and at home. Our solution is built from the ground up to enable anyone – no matter the level of technical proficiency – to navigate the digital world without fear or friction. The company's award-winning credentials management security platform is re-shaping the future of authentication and is trusted by over 100,000 businesses, including IBM, Slack, Snowflake, Shopify and Under Armour. 1Password protects the most sensitive information of millions of individuals and families across the globe, helping consumers and businesses get more done in less time – with security and privacy as a given. Learn more at 1Password.com.

**Methodology**  
1Password conducted this research using an online survey prepared by Method Research and distributed by Dynata among n\=2,000 adults ages 18+ in North America (n\=1,400 U.S. + n\=600 Canada) who work full-time primarily at a computer. The sample consisted of respondents from any department and title within their company. The sample was equally split between gender groups with a balanced spread across age groups. Data was collected from October 14 to October 24, 2022.

Report: 79% of Employees Are Distracted at Work Amid a Year of Permacrisis

Offensive security researchers found 63 previously unreported vulnerabilities in printers, phones, and network-attached storage devices in the Zero Day Initiative's latest hackathon.

Security researchers and hackers demonstrated 63 zero-day vulnerabilities in popular devices at the latest Pwn2Own, exploiting printers from Canon, HP, and Lexmark, and routers and network-attached storage device from Synology and Netgear.

According to Trend Micro's Zero Day Initiative (ZDI), which organized the competition last week, the collection of vulnerabilities earned $989,750 for the offensive cybersecurity specialists competing in the contest. While some attacks chained together a series of exploits to take control of the remote devices, including one that used five vulnerabilities, others found a single security weakness to target, such as the Pentest Limited team, which found a reliable single-click exploit in the Samsung Galaxy S22 mobile phone that required less than a minute to attack.

The Samsung exploit highlighted that significant vulnerabilities are out there to find, says Dustin Child, head of threat awareness at Trend Micro's Zero Day Initiative.

"Just click a link on an affected device and you get owned," he says. "It's a very reliable bug, too. Very impressive research and quite the effective demonstration of why clicking unknown links can be dangerous."

**Focusing on IoT and Mobile**

Pwn2Own started in 2007 as an annual contest connected with the annual CanSecWest conference, but has since branched out into two contests: one focused on computer operating systems and applications, and the other — which includes the latest contest — focused on devices and the Internet of Things.

Over the four days of the contest, offensive cybersecurity specialists discovered a significant number of vulnerabilities in printers and routers from major brands, but also targeted Bluetooth speakers and network-attached storage, ZDI stated in a summary of the contest results.

Because many of the devices are commonly used by small and medium-sized businesses (SMBs), companies should take the results of the competition as a warning, Child says.

"If anything, SMBs should understand that, while they may feel they aren't large enough to be a target, their devices can and will be targeted by threat actors," he says. "At \[this\] time, the attackers are just looking to add nodes to their botnet, but regardless of intent, the devices we rely on for business can be compromised if left undefended."

**Buffer Overflows Continue to Creep In**

Unfortunately, one of the classes of vulnerabilities that continues to represent a fertile field of exploitation for attackers is memory safety vulnerabilities, such as buffer overflows. While major software companies have begun using memory-safe programming languages to prevent memory-related issues, many device-makers are still behind the curve.

Many of the vulnerabilities discovered during the contest were buffer overflows, Child says.

"This form of memory corruption has been known for some time, so we were a bit surprised to see it still prevalent in multiple devices," he says.

Among the most targeted devices were printers, with Lexmark, HP, and Canon printers among those favored by participants. While routers also made up a significant share of targeted devices, they would have seen more abuse this year, except that last-minute patches from Netgear and TP-Link eliminated targeted weaknesses, forcing competitors to withdraw from the competition, Child says.

**Playing the Mario Theme on a Lexmark**

Some of the printer exploits showed additional creativity. In the past, hackers would settle for exploiting a system and forcing it to run Microsoft Paint or call up a calculator application as a demonstration of their potential to run arbitrary code. In the latest Pwn2Own, however, successful hackers displayed Pokemon or another anime character on the small printer control display. 

Perhaps most impressively, the Horizon3 AI team used the system alert sound on a Lexmark printer to play the theme from Mario, even though the device does not have that functionality.

"Since the printer doesn't have a speaker, we didn’t expect it to play a song, but they modulated the frequency of the beep to add the musical function," Child says.

Data management providers Synology and online giant Google both co-sponsored the contest.

Hackers Score Nearly $1M at Device-Focused Pwn2Own Contest

Organizations need servant leaders to step forward and make their teams' professional effectiveness and happiness a priority.

Around the world, employees have been experiencing extreme stress due to the ongoing pandemic, business disruption, and the faster pace of work. 

This is a mental state and lived reality that cybersecurity staffers experience day in and day out. When new hires start work on Day 1, they know what they are signing up for. Most organizations today face an unrelenting fusillade due to the accelerated pace of digital transformation. New threat patterns are emerging, credential compromise is raging, and cybercriminals are cooperating on strategies. 

So, for analysts in security operations centers (SOCs), there's a thrill of the chase and rewards that come with stopping would-be attackers from damaging a company and its customers. However, there are also thousands of alerts to review each day, as well as the agony of defeat when a data breach occurs on their watch. 

**Processes and Technologies Are Improving. Why Are We Still Talking About Stress in Cybersecurity? **

Despite this reality, many teams have best-of-breed platforms at the ready. So, it's actually getting easier for cybersecurity professionals to do their work. Behavioral analytics detect attackers rapidly and separate the noise from signals of malicious behavior, so that analysts can triage alerts faster. With automated workflows, analysts can focus on higher-level duties. A survey conducted by Chartered Institute of Information Security (CIISec) in 2020/2021 found that 53% of analysts said their organization is getting better at protecting the network and recovering from attacks, while 56% said their team was more adept at responding to cybersecurity incidents and breaches. 

**The Many Factors of on-the-Job Stress for Analysts**

First, it's important to acknowledge that working within the cybersecurity industry is inherently stressful. Some 51% of analysts said they're kept up at night by job stress and challenges. Factors include forced cancelation of education events due to the pandemic (66%), overwork (47% work more than 41 hours per week), insufficient budgets (53%), and increased difficulty executing key security processes such as reviews and audits due to remote work. 

Survey results don't capture the distinction between good stress and bad stress. Good stress includes learning new skills, problem-solving on the job, collaborating with teams to track adversaries and respond to threats, and gaining new professional opportunities. Bad stress includes feeling unsupported by organizations and leaders, not having the tools needed to do the job, and experiencing a poor work-life balance. And then there's situational stress, such as trying to execute processes remotely that are better done onsite, such as performing audits. 

**Servant Leaders Can Make a Difference**

Many of the cybersecurity issues raised in the CIISec survey point to a need for strong leadership that proactively identifies and resolves issues. But cybersecurity teams need servant leaders, not those who lead by establishing command and control structures. 

Servant leaders create authority by — you guessed it — serving their employees. Cybersecurity executives of this ilk are concerned about the well-being of the team, regularly checking in with team members on how they are doing, and removing roadblocks that harm operational performance. They'll go to bat with upper management to get an increased budget for new tools and additional staff to smooth out workloads for teams. Servant leaders take turns serving on call to understand work conditions from analysts' perspectives and hold regular team meetings to discuss key trends and issues. They're also likely to look ahead to anticipate market and business developments and reposition their organization to get ready to meet them. As a result, these leaders' teams feel supported. Analysts are not afraid to share problems or new ideas, as they know their leaders will listen, consider them carefully and, most importantly, respond.

Further, servant leaders develop their teams. They understand that cybersecurity analysts want to develop their knowledge and skills to progress their careers. Analysts cited job growth as the No. 1 reason they leave their existing roles and the No. 2 reason they take new jobs; right behind compensation. Respondents named taking training, cross-training across other technical and business areas, and working with experienced staff as high on their wish list for accelerating their careers. 

**Looking Ahead and Prioritizing Growth**

Given that professional development took a back-seat to fighting threats during the pandemic, cybersecurity leaders should push forward with career planning for their teams this year. Some 41% of analysts say their career development plans are only partially planned, while 11% say they aren't planned at all. As a result, firms that excel in these areas can poach staff from less development-oriented firms, building their teams at a time when competition is keen for top talent.

The events of the past two years have put an undeniable strain on cybersecurity teams. Risks have grown, increasing teams' workloads and weakening their sense of control. In addition, budgets haven't kept pace with hiring, training, and tool requirements. 

What organizations need now is for servant leaders to step forward and make their cybersecurity teams' professional effectiveness and personal happiness an important priority. Whether it is simply listening to analysts' concerns, making strategic investments in improving operations, or fostering career growth, servant leaders gain authority by putting others first. With humility, accountability, and consistency, servant leaders create greater organizational cohesiveness, break down barriers to execution, and help their teams outperform, even in the most challenging market and business environments.

The Cybersecurity Industry Doesn't Have a Stress Problem — It Has a Leadership Problem

SIEM and XDE made a lot of promises, but they don't quite live up to the SOC team's standards.

One might think that security teams are automating various phases of the SOC lifecycle, looking forward to saving time and speeding up mean time to detection (MTTD) and mean time to response (MTTR). But in reality, security teams don't have confidence in automation because of too many false positives, poor detection, a lack of complete analytics, and the fact that the analytics available to them are siloed between different detection tools and not linked together effectively.

These factors lead to poor-quality response playbooks from threat detection, investigation, and response (TDIR) solutions that can't be trusted. Without confidence that the response will eliminate the threat without disrupting other important business processes, security teams won't be comfortable with automation in the SOC.

Most TDIR solutions fall short of this confidence threshold because they don't gather enough contextual information around a threat and thus don't customize their response playbook to the situation and their environment. The security analyst will need to manually gather contextual information and decide how to tailor the playbook before passing it off to the appropriate team to implement. That all takes time, which further reduces MTTD and MTTR.

So, what is missing from TDIR solutions that causes this lack of confidence? Let's explore four ways that current SIEM and XDR solutions fail to live up to the SOC team's standards for confidence and context, and some ways they could do better.

**Problem: Can't Automatically Scale to Accept a High Volume of Data**

Being able to ingest as much data from as many sources as possible means the system can provide more context along with alerts and make remediations more targeted. Without this extra data, the response usually is not specific enough for the SOC team to be comfortable proceeding without re-checking everything manually.

Unfortunately, many SIEMs charge based on the volume of data the solution takes in, which creates a trade-off between cost and data. In this situation, getting enough data to help the analyst might be too expensive!

**Solution:** Choose a solution with a different pricing plan, like charging per user and/or per device rather than by data volume. This ensures the cost will stay relatively consistent even if data volumes change significantly (which they often do).

**Problem: Can't Automatically Ingest and Interpret Data from Many Different Sources**

Now that we've established that a high intake of data is essential for increasing the SOC team's confidence in responses, being able to process and sort that data is the second half of the equation. The SIEM must be able to process both structured and unstructured data with some type of data interpretation engine. The more integrations the SIEM has out of the box, the better.

**Solution:** The ability to ingest unstructured data, parse it, and extract useful information from it significantly increases a SIEM's threat detection capabilities. For example, data from HR systems can help identify insider threats and potentially disgruntled employees, but this is generally not structured in a format a SIEM can process.

**Problem: Can't Execute True Machine Learning and Advanced Security Analytics**

True machine learning (ML) capabilities — as in trained ML rather than rule-based ML — make threat detection more accurate, which in turn makes response playbooks more targeted and customized. Threat detection based on trained ML can better detect new and unknown attacks and adjust to changing network behavior without needing to be updated. Rule-based ML is like a flowchart; its inputs and outputs are fixed, and therefore it is limited in its findings and relatively poor in accuracy. When a new, never-before-seen cyberattack appears in the wild, a rule-based detection solution won't be able to detect it until the definitions get updated, which can take days or even weeks depending on how responsive the vendor is.

**Solution:** An ML program should recognize and flag the attack as a potential threat based on contextual data. Better accuracy means the SOC team will be more confident, which means they'll need to do less manual investigating.

**Problem: Can't Automatically Validate Findings and Create Detailed Risk Scores**

The ability to prioritize responses based on risk is the final piece of the puzzle for improving the SOC team's confidence. Many SIEM or XDR products give a generic risk score based on CVE and CVSS scores (if they provide one at all). These scores generally aren't customized to their environment.

**Solution:** More advanced solutions will generate a risk score based on data from vulnerability scanning tools, user access info, HR applications, etc. For example, take a user talking to an unknown external site for the first time. How risky is this? If that external site is known to host malware (identified via reputational services) or that user that was recently put on a performance plan and might have a grudge against the company, the risk is high. On the other hand, a user logging into company resources from an unknown IP address is less risky if that user is working remotely.

Assessing risk in this way is difficult and requires a lot of contextual data, but it allows the SIEM to automatically identify high-risk attacks and helps the SOC team to trust that decision, which means a more streamlined and effective process.

**Improve the Process**

Fast responses are desired in cases with a high-risk security event and a low-impact response. Automating parts of the SOC process and getting better quality data from the SIEM helps the security team assess the context and risk score quickly and confidently. In turn, this means faster responses and a safer organization. But until TDIR solutions can improve in these four areas, security teams will continue to lack confidence in automation in the SOC.

Improve Confidence and Context to Sell the SOC on Automating

Research from Marlin Hawk also shows a 15% increase in CISOs holding STEM-related degrees year-over-year, diversifying the succession talent pool.

**NEW YORK****,** **Dec. 13, 2022** **/PRNewswire/ —** Marlin Hawk—a global executive search and leadership advisory partner—today announced the company's third annual Global CISO Research Report, which provides insights and data based on conversations with CISOs across several industries. Marlin Hawk has tracked and analyzed the profiles of 470 Chief Information Security Officers year-over-year to understand the changing dynamics in this critical leadership position.

Marlin Hawk's research shows the CISO seat to be relatively industry-agnostic—with 84% of CISOs having a career history of working across multiple sectors—with today's CISOs expected to bring more breadth of leadership to their role as they move away from being technical experts.

"Today's CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the CIO, which is to act as the primary gateway from the tech department into the wider business and the outside marketplace," said James Larkin, Managing Partner at Marlin Hawk. "This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers. By thriving in the 'softer' skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow."

Key findings from the report include:

*   **CISO profiles have changed dramatically**—36% of CISOs analyzed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).
*   **More CISOs are being hired internally**—Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% hired internally compared to 36% in 2021), but a large gap remains in appropriate successors.
*   **CISO turnover rates have declined**—but still remain high with 45% of global CISOs having been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-over-year.

**CISO roles continue to expand beyond technical expertise**

"I would say that you shouldn't have the CISO title if you're not actively defending your organization; you have to be in the trenches," said Yonsy Núñez, Chief Information Security Officer, Jack Henry Associates. "I also feel that over the last eight to 10 years, the CISO role has become a CISO plus role: CISO plus engineering, CISO plus physical security, CISO plus operational resiliency, or CISO plus product security. As a result, we've seen multiple CISOs that have done a great job with cybersecurity, fusion centers, SOC, and leadership. This has paved the way for the CISO office to become a business enabler and also a transformational technology function."

Kevin Brown, a seasoned cybersecurity executive, added, "We have over 100 countries at this point with their own data privacy legislation that makes doing global business in a compliant manner trickier than it used to be. As a result, in most organizations we're seeing a tighter connection and collaborative spirit between data officers, CISOs, legal teams and marketing. CISOs have to be in the know on all priorities for these different sectors of the business so they can take them into account when writing policies—it's a more complex job than it ever used to be."

**More organizations are appointing CISOs from within**

Marlin Hawk's research shows a decrease in the percentage of CISOs hired externally (62%) in the last year, compared to 2021 (64%), indicating a potential shift towards an organization's next CISO already operating inside the business.

Marlin Hawk's James Larkin went on to say, "As the importance of information security has grown, boards of directors, regulators, and shareholders have demanded greater controls, better risk management as well as more people and departments focusing on defending a company and its assets. Fortunately, this has had the positive side effect of creating more internal succession for the CISO position—organizations can look for risk and control focused talent in more places than just the office of the CISO."

"Now candidates are being internally promoted to the role of CISO from IT Risk, Operational Risk Management, IT Audit, Technology Risk & Controls, among others," Larkin added. "Not only does this give regulators more comfort that there are multiple sets of eyes on this at the leadership level, but it has also vastly increased the size of the succession talent pool and is helping to future proof the information security industry as a whole."

**CISO turnover rates are still high for several reasons**

"The not-so-secret secret is that no CISO can accomplish much in one or two years. Most CISOs change roles because of one of three reasons," shares Shamoun Siddiqui, Chief Information Security Officer at Neiman Marcus Group.

"First, their skillset is not up to par, and they get quietly pushed out by the company. Due to the extremely high demand for security leaders, often individual contributors get elevated to the role of CISO, and they get overwhelmed within months. Second, they have an insurmountable task with unrealistic expectations, and there is a lack of support from their peers and from the leadership of the company. The company may be paying lip service to cybersecurity but may not be forward-thinking enough to make it a priority. Third, they just get enticed by a better offer from somewhere else. There is such a shortage of security professionals and security leaders that companies keep offering increasingly high salaries and benefits to CISOs."

Another factor leading to high turnover is poor hiring decisions that are a result of a lack of scrutiny and due diligence in the recruiting process. While the immediate need may outweigh a more thorough vetting, fast tracking a CISO hire can have adverse effects if there are other, more suitable candidates out there.

For more information on the changing CISO landscape, please read the full report here: Marlin Hawk Global Snapshot: The CISO in 2022

**About Marlin Hawk**

For over 15 years, Marlin Hawk has been helping organizations around the world to secure their new generation of leaders. The company uses innovative, disruptive approaches to placing the world's leading and most desirable transformative talent that are based in strategic intelligence and unrivaled research. With a focus on executive search, interim management, strategic intelligence, succession planning and talent planning, the company is the boutique partner of choice at the forefront of transformational change and placing the most positively disruptive talent. Marlin Hawk has experience in financial services, healthcare, consumer products, retail, media, entertainment, sports, industrials, private equity, professional services, and technology sectors. The company has offices in London, New York, Denver, Chicago, Toronto, Dubai, Singapore, and Hong Kong.

Third Annual Global CISO Report Identifies Significant Shifts in Hiring and Retaining Security Talent

Threat actors leak employee email addresses, corporate reports, and IT asset information on a hacker forum after an attack on an Uber technology partner.

Uber has suffered yet another high-profile data leak that exposed sensitive employee and company data. This time, attackers breached the company by compromising an Amazon Web Services (AWS) cloud server used by a third party that provides Uber with asset management and tracking services.

The incident happened over the weekend, when a threat actor named "UberLeaks" began posting data they claimed was stolen from Uber and Uber Eats. The data turned up on the BreachForums hacking forum, the successor of now-defunct RaidForums, media outlets reported, and included employee email addresses, corporate reports, and IT asset information stolen.

Hackers posted a number of archives that they said are source-code associated with various mobile device management (MDM) platforms used by Uber, as well as by Uber Eats and third-party vendor services, according to reports. While no user information appears to have been compromised in the breach — which appears to entirely have affected corporate assets — the personal information of 77,000 Uber employees was leaked.

**Hacker Breaches Tequivity AWS Server **

Uber acknowledged the incident and pointed the media to a breach notification by a company called Tequivity, which it uses for asset management and tracking services.

Tequivity explained that "customer data was compromised" due to "unauthorized access" to the company's systems by "a malicious third party," according Tequivity's release. Specifically, attackers gained access to the company's AWS backup server, which houses code and data files related to Teqtivity customers, the company said.

It's unclear if that access was due to a misconfiguration of the cloud bucket, or if there was an actual compromise to blame.

Information exposed by the attack included information housed on various Uber employees' IT devices, including serial number, make, models, and technical specifications, as well as employee information, including first and last names, work email addresses, and work location details, according to Teqtivity.

Teqtivity has notified affected customers and is currently investigating as well as working to contain the incident, according to the notification. It's unclear if the breach affects other companies beyond Uber.

**Ongoing Security Issues**

This latest incident is indeed not Uber's first rodeo when it comes to data breaches, as the company has experienced several highly publicized incidents over the past several years that have had significant ramifications for the company.

In fact, a previous third-party breach that occurred in 2016 and exposed the data of some 57 million customers and drivers turned into an absolute public-relations nightmare for Uber, the effects of which are still being felt.

That incident — in which attackers also gained access to Uber data stored in third-party cloud storage — resulted in the firing of its now-former CISO Joe Sullivan after it was discovered that the company engaged in a cover-up of the incident. Sullivan was even found guilty in federal court on charges related to the incident in October.

Uber also experienced a significant breach in September and was forced to take some of its operations offline due to the compromise of its own internal systems, when an attacker socially engineered his way into an employee's VPN account before pivoting deeper into the network.

**Is the Lapsus$ Gang Responsible for the Uber Breach?**

While no particular threat group has claimed responsibility or has yet been found to be the guilty party behind the latest breach, there are some initial clues that tie the incident to the well-known cybercriminal extortion group Lapsus$.

The post on BreachForums about the Uber leak reportedly mentions the threat group, while Lapsus$ is believed to be responsible for the Uber September breach as well, Robert Ames, threat researcher from SecurityScorecard, tells Dark Reading.

Ames also notes the responsibility of Lapsus$ for a January incident at Okta, another "major third-party service for many firms," as a potential clue that the threat group also is at play here. That incident was determined to have affected about 366 Okta customers, the company acknowledged.

Lapsus$ went quiet around July after a spate of incidents earlier in the year including not only the one against Okta, but also attacks on Microsoft and Nvidia. Its responsibility for the September attack on Uber could be a sign of another flurry of activity from the threat group, experts say.

**Time to Manage Third-Party and Cloud Cybersecurity Risk**

No matter who's responsible, the latest Uber incident, like the one in 2016, once again highlights the third-party risk that all enterprises face when partner companies are responsible for or have access to corporate data and assets, security experts say.

A core issue is that many organizations don't secure third-party access to internal data in the same way they secure it within organization IT assets, which leaves that data unnecessarily exposed to outside threats, Ames says.

"Vendors and other third-parties are often granted the same access as employees but with fewer security measures, making them a weak link and therefore a popular target for threat actors," he says. "When hackers access a third party’s systems, they can access whatever data that system stores, even if it belongs to other organizations."

Indeed, this is an issue not unique to Uber, but one that demonstrates that "companies everywhere must better prioritize their cybersecurity measures," especially when it comes to third parties, Stephan Chenette, co-founder and CTO at AttackIQ, says.

Some ways companies can do this include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent, and respond to these threats, he says.

"They should also continuously evaluate their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses," Chenette says.

Enterprises also should be continuously monitoring their specific third-party cybersecurity posture to reduce the likelihood of attacks, Ames says. This will help give them a more complete picture of their entire attack surface as they seek ways to gain visibility into potential and existing vulnerabilities.

Ames adds that participating in tabletop exercises and threat emulation to ensure that security administrators and employees alike are familiar with countering and responding to threat actors also can help organizations better respond to third-party threats.

Uber Breached, Again, After Attackers Compromise Third-Party Cloud

Vohuk, ScareCrow, and AESRT add to the ransomware chaos that organizations have to contend with on a daily basis.

Enterprise security teams can add three more ransomware variants to the constantly growing list of ransomware threats for which they need to monitor.

The three variants — Vohuk, ScareCrow, and AESRT — like most ransomware tools, target Windows systems and appear to be proliferating relatively rapidly on systems belonging to users in multiple countries. Security researchers at Fortinet's FortiGuard Labs who are tracking the threats this week described the ransomware samples as gaining traction within the company's ransomware database.

Fortinet's analysis of the three threats showed them to be standard ransomware tools of the sort that nevertheless have been very effective at encrypting data on compromised systems. Fortinet's alert did not identify how the operators of the new ransomware samples are distributing their malware, but it noted that phishing email has typically been the most common vector for ransomware infections.

**A Growing Number of Variants**

"If the growth of ransomware in 2022 indicates what the future holds, security teams everywhere should expect to see this attack vector become even more popular in 2023," says Fred Gutierrez, senior security engineer, at Fortinet’s FortiGuard Labs.

In just the first half of 2022, the number of new ransomware variants that FortiGuard Labs identified increased by nearly 100% compared with the previous six-month period, he says. The FortiGuard Labs team documented 10,666 new ransomware variants in the first half of 2022 compared with just 5,400 in second half of 2021.

"This growth in new ransomware variants is primarily thanks to more attackers taking advantage of ransomware-as-a-service (RaaS) on the Dark Web," he says.

He adds: "In addition, perhaps the most disturbing aspect is that we are seeing an increase in more destructive ransomware attacks at scale and across virtually all sector types, which we expect to continue into 2023."

**Standard but Effective Ransomware Strains**

The Vohuk ransomware variant that Fortinet researchers analyzed appeared to be in its third iteration, indicating that its authors are actively developing it. 

The malware drops a ransom note, "README.txt," on compromised systems that asks victims to contact the attacker via email with a unique ID, Fortinet said. The note informs the victim that the attacker is not politically motivated but is only interested in financial gain — presumably to reassure victims they would get their data back if they paid the demanded ransom.

Meanwhile, "ScareCrow is another typical ransomware that encrypts files on victims’ machines," Fortinet said. "Its ransom note, also entitled 'readme.txt,' contains three Telegram channels that victims can use to speak with the attacker." 

Though the ransom note does not contain any specific financial demands, it's safe to assume that victims will need to pay a ransom to recover files that were encrypted, Fortinet said.

The security vendor's research also showed some overlap between ScareCrow and the infamous Conti ransomware variant, one of the most prolific ransomware tools ever. Both, for instance, use the same algorithm to encrypt files, and just like Conti, ScareCrow deletes shadow copies using the WMI command line utility (wmic) to make data irrecoverable on infected systems. 

Submissions to VirusTotal suggest that ScareCrow has infected systems in the United States, Germany, Italy, India, the Philippines, and Russia.

And finally, AESRT, the third new ransomware family that Fortinet recently spotted in the wild, has functionality that's similar to the other two threats. The main difference is that instead of leaving a ransom note, the malware delivers a popup window with the attacker's email address, and a field that displays a key for decrypting encrypted files once the victim has paid up the demanded ransom.

**Will Crypto-Collapse Slow the Ransomware Threat?**

The fresh variants add to the long — and constantly growing — list of ransomware threats that organizations now have to deal with on a daily basis, as ransomware operators keep relentlessly hammering away at enterprise organizations. 

Data on ransomware attacks that LookingGlass analyzed earlier this year showed there were some 1,133 confirmed ransomware attacks in the first half of 2022 alone — more than half (52%) of which affected US companies. LookingGlass found the most active ransomware group was that behind the LockBit variant, followed by groups behind Conti, Black Basta, and Alphy ransomware.

However, the rate of activity isn't steady. Some security vendors reported observing a slight slowdown in ransomware activity during certain parts of the year.

In a midyear report, SecureWorks, for example, said its incident response engagements in May and June suggested the rate at which successful new ransomware attacks were happening had slowed down a bit.

SecureWorks identified the trend as likely having to do, at least in part, with the disruption of the Conti RaaS operation this year and other factors such as the disruptive effect of the war in Ukraine on ransomware gangs.

Another report, from the Identity Theft Resource Center (ITRC), reported a 20% decline in ransomware attacks that resulted in a breach during second quarter of 2022 compared with the first quarter of the year. ITRC, like SecureWorks, identified the decline as having to do with the war in Ukraine and, significantly, with the collapse of cryptocurrencies that ransomware operators favor for payments.

Bryan Ware, CEO of LookingGlass, says he believes the crypto-collapse could hinder ransomware operators in 2023. 

"The recent FTX scandal has cryptocurrencies tanking, and this affects the monetization of ransomware and essentially makes it unpredictable," he says. "This does not bode well for ransomware operators as they are going to have to consider other forms of monetization over the long term."

Ware says the trends around cryptocurrencies has some ransomware groups considering using their own cryptocurrencies: "We’re unsure that this will materialize, but overall, ransomware groups are worried about how they will monetize and maintain some level of anonymity going forward."

Rash of New Ransomware Variants Springs Up in the Wild

Sophos research unveiled at Black Hat Europe details a thriving subeconomy of fraud on the cybercrime underground, aimed at Dark Web forum users.

Cybercriminals are often seen as parasites, feeding off a wide swath of victims of every size and stripe. But as it turns out, they've become targets in their own right, with a host of bottom-feeding "metaparasites" flocking to Dark Web marketplaces to find their own set of marks.

It's a phenomenon that has the happy side effect of exposing a rich vein of threat intelligence to researchers, including contact and location details of cybercriminals.

Sophos senior threat researcher Matt Wixey took to the stage at Black Hat Europe 2022 to discuss the metaparasite ecosystem, in a session entitled "Scammers Who Scam Scammers, Hackers Who Hack Hackers." According to research he did with fellow researcher Angela Gunn, the underground economy is riddled with a wide variety of fraudsters, who successfully extract millions of dollars per year from their fellow cybercriminals.

The pair examined 12 months of data across three Dark Web forums (Russian-speaking Exploit and XSS, and English-speaking Breach Forums), and uncovered thousands of successful scam efforts.

"It's pretty rich pickings," Wixey said. "Scammers scammed users of these forums out of about $2.5 million US dollars over the course of 12 months. The amounts per scam can be as little as $2 on up to the low six figures."

    

Source: Sophos

The tactics vary, but one of the most common — and the most crude — is a gambit known as the "rip and run." This refers to one of two "rip" variants: A buyer receives goods (an exploit, sensitive data, valid credentials, credit-card numbers, etc.) but doesn't pay for them; or, a seller is paid and never delivers what's been promised. The "run" portion refers to the scammer disappearing from the marketplace and refusing to answer any enquiries. Consider it a Dark Web version of the dine-and-dash.

There are also plenty of scammers hawking fake goods — such as nonexistent crypto accounts, macro builders that build nothing nefarious, fake data, or databases that are either already publicly available or have previously been leaked.

Some of these can get creative, Wixey explained.

"We found a service claiming to be able to bind an .EXE text to a PDF, so that when the victim clicked on the PDF, it would load while in the background, the .EXE would run silently," he said. "What the scammer actually did was just sent them back a document with a PDF icon, which wasn't actually a PDF nor did it contain an .EXE. They were hoping that the buyer didn't really know what they're asking for or how to check it."

Also common are scams where a seller offers legitimate goods that aren't quite of the quality that has been advertised — like credit card data claiming to be 30% valid, when in reality only 10% of the cards work. Or the databases are real but being advertised as "exclusive" while the seller is actually reselling them to multiple takers.

In some cases, fraudsters work in tandem in more of a long-con fashion, he added. Sites tend to be exclusive, which foments "a degree of intrinsic trust" that they can play upon, according to Wixey.

"One will build a rapport with a target and offer to provide a service; they'll then say that they actually know someone else who can do this work much better, who's an expert on the subject," Wixey explained. "They will often point them to a fake forum that a second person works and operates, which requires some sort of deposit or registration fee. The victim pays the registration fee, and then both scammers just disappear."

**How Forums Fight Back**

The activity has an adverse effect on the use of Dark Web forums — acting as an "effective tax on criminal marketplaces, making it more expensive and more dangerous for everyone else," Wixey noted. As such, ironically, many markets are implementing security measures to help curb the tide of fraud.

Forums face several challenges when it comes to putting in safeguards: There's no recourse to law enforcement or regulatory authorities for one; and it's a semianonymous culture, making it difficult to track culprits. So, the anti-fraud controls that have been put in place tend to focus on tracking the activity and issuing warnings.

For instance, some sites offer plug-ins that will check a URL to make sure it links to a verified cybercrime forum, not a fake site where users are defrauded via a bogus "joining fee." Others might run a "blacklist" of confirmed scammer tools and user names. And most have a dedicated arbitration process, where users can file a scam report.

"If you've been scammed by another user on the forum, you go to one of these arbitration rooms and you start a new thread and you supply some information," according to Wixey. That may consist of the username and contact details of the alleged scammer, proof of purchase or wallet transfer details, and as many details of the scam — including screenshots and chat logs — as possible.

"A moderator reviews the report, they ask for more information as it's needed, and they will then tag the accused person and give them somewhere between 12 and 72 hours to respond, depending on the forum," Wixey said. "The accused might make restitution, but that's pretty rare. What more commonly happens is that the scammer will dispute the report and claim it's due to a misunderstanding of the terms of the sale."

Some just don't respond, and in that case, they're either temporarily or permanently banned.

Another security option for forum users is the use of a guarantor — a site-verified resource that acts as an escrow account. The money to be exchanged is parked there until the goods or services are confirmed as being legitimate. However, guarantors themselves are often impersonated by fraudsters.

**A Treasure Trove of Threat Intelligence**

While the research offers a view into the inner workings of an interesting subsliver of the Dark Web world, Wixey also noted that the arbitration process in particular gives researchers a fantastic source of threat intelligence.

"Forums demand proof when a scam is alleged, and that includes things like screenshots and chat logs — and victims are typically only too happy to oblige," he explained. "A minority of them redact that evidence or restrict it, so it's only visible to a moderator, but most don't. They will post unredacted screenshots and chat logs, which often contain a treasure trove of cryptocurrency addresses, transaction IDs, email addresses, IP addresses, victim names, source code, and other information. And that's in contrast to most other areas of criminal marketplaces where OpSec is normally pretty good."

Some scam reports also include full screenshots of a person's desktop, including date, time, the weather, the language, and the applications — offering breadcrumbs to location.

In other words, normal precautions go out the window. A Sophos analysis of the most recent 250 scam reports on the three forums found that almost 40% of them included some kind of screenshot; only 8% restricted access to evidence or offered to submit it privately.

"In general, scam reports can be useful both for technical intelligence and for strategic intelligence," Wixey concluded.

"The big takeaway here is that threat actors don't seem to be immune to deception, social engineering or fraud," he added. "In fact, they seem to be as vulnerable as anyone else. Which is kind of interesting because these are exactly the kinds of techniques that they're using against other users."

Metaparasites & the Dark Web: Scammers Turn on Their Own

More than 10 days after a ransomware attack, affected Rackspace customers are being told the incident had a "limited impact," and have been invited to a webinar for additional details.

Customers affected by a ransomware attack on Rackspace's Hosted Exchange Email have experienced service outages and a forced transition to Microsoft 365 — and have widely expressed outrage about an overall lack of transparency from the company about the breach.

But Rackspace's latest email to them, provided to Dark Reading by a reader, tries to put a positive spin on the company's response.

"As you know, on Friday, December 2, 2022, Rackspace experienced a ransomware incident in its Hosted Exchange Email business, a managed email solution provided to small and medium businesses," the Rackspace email to customers said. "Due to swift action on the Company's part in disconnecting its network and following its incident response plans, industry-leading global cybersecurity firm CrowdStrike has confirmed the incident was quickly contained and limited solely to the Hosted Exchange Email business."

It then invites them to attend a webinar on Tuesday hosted by a panel of Rackspace leadership, including its CISO Ed Pawlowski, for additional information and an opportunity to ask questions.

"This was an incident with limited impact," according to the email — a claim that customers are begging to differ on. Users have already filed suit against Rackspace for negligence and have complained bitterly about a lack of customer support with the transition to Microsoft 365, a lack of access to their data, and limited communications with the company.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Amid Outrage, Rackspace Sends Users Email Touting Its Incident Response

Shopify Plus stores can now easily implement passwordless login with Passkeys support to help reduce drop rate and increase conversion using the free OwnID plug-in.

**NEW YORK****,** **Dec. 12, 2022** **/PRNewswire/ --** OwnID, the passwordless infrastructure for the internet, announced today the release of Passkeys support for all Shopify Plus stores. The new plugin is a low-code way to add passwordless authentication to your store. By eliminating the need to create and remember passwords, it allows users to register and log in with a single click on any device. OwnID offers the technology at no cost, up to 10,000 logins per month. The news comes following OwnID's release of a no-code WordPress plugin.

With Passkeys support, Shopify Plus site owners can eliminate the dependency on passwords, improve the conversion rate by 20% or more, and reduce user drop-offs by 35%. This is based on actual case studies showing improved metrics following the deployment of the OwnID solution. Streamlining the purchase flow and reducing the user drop-off rate are crucial for store owners and marketers. Both can be achieved by eliminating passwords.

Shopify Plus store owners who wish to add passwordless support to their website, will simply follow 4 easy steps to enable multipass login in their store, and connect the Shopify plugin to the OwnID console using a API key. The implementation process was designed to be as simple and easy as possible.

Earlier this year, Apple, Google and Microsoft joined hands with the FIDO Alliance and the World Wide Web Consortium to work on removing passwords for user authentication across the platforms. Apple announced its own implementation of this standard called Passkey. Microsoft and Google released similar statements announcing their own Passkeys implementation.

OwnID is a revolutionary authentication solution that offers a frictionless, faster, and cheaper way to verify a user's identity. It delivers a secure, seamless, and personalized experience for the user. The OwnID solution is a complete end-to-end platform that can be utilized by any application or website to significantly reduce the drop-off rate, improve user experience, and protect users from fraud. It supports Passkeys out of the box. This means that the OwnID solution works for all users, regardless of device type – Apple, Samsung, Google, Microsoft, or any other.

Named as "Best Passwordless technology" by the 2022 CISO Choice Awards, OwnID has helped many top brands adopt a passwordless solution, including Carrefour, Delonghi, Nestle, Carnival Cruise Line and more.

To get started visit ownid.com. 

For more information about Passkeys visit passkeys.com.

**About OwnID**

Helping businesses connect better with their customers online. Dor Shany and Rooly Eliezerov founded OwnID believing that if a business identifies a customer, it will better understand that customer's needs and serve them better. Exceptional service and personalized experiences pave the way for long-term relationships between your business and your customers. But traditional registration and login are cumbersome and get in the way of these relationships. OwnID is here to offer a more friendly and secure authentication experience that keeps you connected to your customers.

Learn more on OwnID.com.

Source

DARKReading