Amid all the NFL playoff action, FanDuel has sent an email warning to gamblers that their data was exposed in its third-party breach, putting them at risk for phishing attacks.

The FanDuel online sportsbook has told its users to be on the lookout for phishing cyberattacks in the wake of a breach of its email marketing contractor, Mailchimp.

Mailchimp announced its systems were breached on Jan. 11 using stolen employee credentials, allowing threat actors to access 133 accounts on the email marketing platform. One of those compromised accounts was FanDuel, according to an email sent to users and made public by security researcher Graham Cluley, who identified the breached company as Mailchimp.

"On Sunday evening, the vendor confirmed that FanDuel customer names and email addresses were acquired by an unauthorized actor," the FanDuel email said.

Cluley pointed out that although nothing more than emails and names were exposed, that's plenty of information for threat actors to launch future phishing attacks.

"I would recommend that FanDuel customers be on their guard and — if they haven't already done so — enable two-factor authentication on their FanDuel accounts," Cluley wrote in his blog post about the FanDuel email to customers. "It was kind of FanDuel, in its notification to affected customers, not to mention Mailchimp as the company."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

FanDuel Sportsbook Bettors Exposed in Mailchimp Breach

Here's how a security team can present itself to citizen developers as a valuable resource rather than a bureaucratic roadblock.

Amid volatile times and gloomy predictions for 2023, low-code/no-code (LCNC) adoption continues to grow rapidly. A recent forecast published by analyst firm Gartner predicts that low-code markets will grow 20% in 2023, with citizen development in particular growing 30%. While business units continue to go all-in on LCNC, security teams were mainly out of the loop until not long ago. This reality is quickly changing as LCNC becomes a business-critical infrastructure, and as business developers build critical applications. Now security teams have to ensure that things were built correctly. This is a recipe for conflict.

As security teams we can't cover everything, so we make tough choices and focus on the business-critical. The byproduct of that is that some business units get used to working without us. In many cases, that's fine. They go about their daily business; security is not involved because they aren't doing anything risky or critical enough. But then, one day, they succeed in creating critical applications. They make a big splash, and are rewarded with the attention of the organization. Of course, this also comes with heightened security attention.

While this is a challenging situation, it's important to notice the fact that it's a good problem to have! Your organization has been successful, and you are getting a chance to build an entirely new security pillar from scratch and introduce new types of developers to working with the security team. You have the opportunity to establish things the right way. But how?

**1\. Start With Learning**

First, understand the fundamental security challenges LCNC poses. Learn why other security teams are concerned about LCNC, and focus your attention on the most common risks to target first. By familiarizing yourself with the risks specific to LCNC, you will arrive to the conversation with business teams armed with knowledge that is highly relevant to the challenges they are having and be able to speak in a language that they will understand and relate to. You will also be able to focus on and drive the conversation toward the risks that are more relevant for your organization.

**2\. Understand the Business Context**

Acknowledge the fact that the business units have been successful in bringing in this new technology and using it to generate meaningful value. Make sure they are aware that your involvement is itself an acknowledgement of their success.

Take the time required to learn what they have been doing so far. How are they addressing operations and management of the platforms? How do they handle application lifecycle management? While they might have been able to succeed on grit and perseverance, when problems become complex enough, they will encounter areas where your expertise as a security professional would be tremendously helpful. Learning about their operations and struggles could help you find ways in which they could really use your guidance to solve critical issues or change a fundamental concept they got wrong.

**3\. Identify Opportunities to Help**

Once you've identified areas where they could use your expertise, think about how you and the security organization could help address those challenges. Could you offer a security risk assessment? Could you help them figure out configurations? Permission management?

By identifying areas where you can help, you will also identify areas where you can apply controls. These challenges, which are much better addressed by a central security team with the right skills, will help the business solve problems that prevent them from moving forward while also allowing you to put guardrails in place.

**4\. Map Risk Hotspots**

While learning about existing challenges, you must also build an independent understanding of the current risks in your environments. Use threat modeling and security assessments to gain visibility into security risk in the existing environment and its applications. Review existing development processes and assess their adherence to secure SDLC. Identify and treat cases that need urgent attention or security risks that could easily manifest into significant harm. With a clear distinction of the areas where risk is most acute, you will be able to focus your attention — and that of the business leaders — and get results faster.

**5\. Lay a Path Toward Enablement**

Everybody worries about security, and in a big organization in particular, people are always concerned even if they don't actually do something about it. Business teams that have brought in and built upon new technology without relying on central IT / security teams know that some risk is involved. They might have even made choices to restrict access, or prevent usage of this or that useful platform feature, in fear of what might happen. One clear way to win the business' heart and mind is to help them unblock usage. Allow more people to build applications, or use advanced and potentially risky features. With your security expertise, you can evaluate the security risk, identify compensating controls, and provide a path for them to expand usage, while elevating their feeling of responsibility and easing fear of a security issue.

**Moving Forward Together**

Change is never easy and will cause friction. With LCNC continuing to soar and business relying more and more on applications produced outside of IT on the one hand, and hackers targeting business on the other, security teams must assume their role as a guide that can help business teams innovate while not introducing new security risks.

By taking the time to consider the business' perspective, its previous success, and its challenges, security teams will be able to build mutual trust and articulate a way forward that demonstrates a win-win for business innovation and security guarantees.

No One Wants to Be Governed, Everyone Wants to Be Helped

A Swiss hacker poking around in an unprotected Jenkins development server belonging to CommuteAir accessed the names and birthdates of some 1.5 million people on a TSA no-fly list from 2019.

A recent incident where a bored hacker found a list of 1.5 million individuals on TSA's no-fly list sitting unprotected on an Internet-exposed server has highlighted, once again, the risky practice of using production data and sensitive information in development environments.

Swiss hacker "maia arson crimew" recently discovered the TSA list on a Jenkins open source automation server belonging to CommuteAir, an Ohio-based airline company that supports United Airlines operations on regional flights. In comments to Daily Dot — the first to report on the incident — she said she found the no-fly list while searching for Internet-exposed Jenkins servers using the Shodan search engine, and notified the company of the issue.

**Openly Accessible**

The list — housed in a text file named "NoFly.csv" — contained the names of more than 1.5 million individuals that the US government has barred from flying because of security concerns. The TSA makes the list available to airlines around the world so they can screen passengers intending to fly from, to, or over the US.

Daily Dot quoted maia arson crimew — who describes herself as a "security researcher" — as saying she had also found credentials to some 40 Amazon S3 buckets belonging to CommuteAir on the same server. One of those credentials led her to a database containing sensitive information — such as passport numbers, phone numbers, and postal addresses—belonging to some 900 CommuteAir employees.

Erik Kane, corporate communications manager at CommuteAir, in a media statement described the leak as resulting from a misconfigured development server. 

"The researcher accessed files including an outdated 2019 version of the federal no-fly list that included first and last name and date of birth," Kane said. "Additionally, through information found on the server, the researcher discovered access to a database containing personal identifiable information of CommuteAir employees."

An initial investigation has shown that no other customer data was exposed, adding that CommuteAir immediately took the affected server offline after the hacker had informed the company about the issue, Kane noted.

"CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees," the statement read.

**Using Sensitive Data for Test & Development**

The incident is an example of the things that can go wrong when organizations permit the use of production data, or sensitive information, in development and testing environments — in this case, a Jenkins server. 

Quality assurance teams and developers often cut and paste raw production data into their environments when testing, developing, or staging apps because it offers a less expensive, faster, and more valid way to do things compared to using test data. However, security experts have long warned about the practice being fraught with risks, because development and test environments typically lack the security controls that are present in a live, production setting. 

Common issues include over-permissions, lack of network segmentation, poor patch management, and a general lack of awareness of data-privacy requirements.

Concerns over the security, privacy, and compliance issues related to the practice have, in fact, pushed many organizations into taking additional precautions such as masking, obfuscating, or encrypting sensitive and live production data before using it for testing or development. Many simply use dummy data as a stand in for the real thing when testing or staging software. Even so, the practice of using raw production data and sensitive information in development and test settings continues to be quite rampant according to security experts.

"Sadly, testing with production data is very common," says John Bambenek, principal threat hunter at Netenrich. "Quite simply, creating credible and at-scale test data is often complicated especially when dealing with unique data sets." Testing teams often want their tests to represent the real world as much as possible, so it's a very natural temptation to use production data, he says.

Patrick Tiquet, vice president of security and architecture at Keeper Security says that DevOps servers often tend to be prime targets for attackers because they are usually less protected than live, production servers. He advocates that organizations avoid using production data in non-production environments no matter how benign the data might appear. 

"The use of production data in development systems increases the risk of disclosure of that information, because in many organizations, development systems may not be as protected as their production systems," Tiquet says.

Organizations that permit the practice need to recognize the fact that many data-privacy regulations require covered entities to apply specific controls for protecting sensitive data, regardless of where it might exist in the environment or how it is used. Using production data in a development environment could violate those requirements, Tiquet says.

"Exposing sensitive data can not only open an organization to litigation or government-related trouble depending on the data, but it can also lead to an erosion of customer trust," he warns. "While there are many steps organizations can take to protect their test environments, such as data masking and encryption, the most important will be including the security teams in the setup and continuous management of DevOps servers."

TSA No-Fly List Snafu Highlights Risk of Keeping Sensitive Data in Dev Environments

Use threat intelligence to reduce chance of success for malicious insider and Dark Web threats.

Insider threats are a serious and growing problem. According to recent research, malicious employees contribute to 20% of incidents and the attacks that insiders are involved in are, on average, 10 times larger than those conducted by external actors. Further data (PDF) has shown an increase in insider threat attacks over the past two years, as the risk has been exacerbated by the remote working through the pandemic.

To minimize insider threats, all organizations should monitor marketplaces, forums, and social media channels for chatter about their company. This helps them to spot the early warning signs of an imminent attack, such as cybercriminals looking for insider knowledge, or disgruntled employees making unsavory comments. This monitoring must also extend to the Dark Web, as this is a gold mine for cybercriminal reconnaissance on organizations, because threat actors believe that they're out of the reach of law enforcement and cybersecurity teams.

**Types of Insider Threat**

When we talk about insider threats it is important to understand that there is more than one type of malicious insider. Broadly, you can categorize them in three groups:

**Insiders motivated by financial gains****:** In the current economic climate, employees can be nudged into malicious activity by threat groups. For example, the threat group Lapsus$ infamously posted a recruitment call for help from employees in telecom companies, software and gaming corporations, and call centers — offering money in exchange for information.

    

Ad that Lapsus$ ran.

**Loners and opportunistic threat actors:** These are hard-to-spot insiders who use their privileged position in the network to harm the company. While they're statistically less common, they can have a severe impact on an organization when they do strike. For example, the New York Post employee who took an ax to the company's reputation recently by posting offensive messages on its corporate Twitter account. Dark Web analysis can help to spot these malicious actors if and when they publish an inquiry or ask for help on specific issues they face when navigating around the corporate environment. They can also be spotted offering to sell insider information on the Dark Web.

**Innocent insiders:** These can also unwittingly harm the company by being involved in threat activity without their consent or knowledge. According to research, employees are more than twice as likely to make an error and click malicious links, rather than to maliciously misuse their access.

That's who you're up against, but it's also important to understand what malicious actors could be looking for, inquiring about, or selling.

**Threat Modeling for Insider Threat**

Companies threat modeling for malicious insiders need to identify where their infrastructure is the most insecure, what assets they have that are the highest value, and which tactics are most regularly used by threat actors. Insight into the Dark Web can help the organization establish how criminals go about their reconnaissance and use malicious insiders, which can help inform their defenses.

The most popular method used to gain access to a company's environment is obtaining and utilizing leaked credentials. But apart from basic "password and username" sales, businesses also need to look out for cookie-session leaks for apps such as Slack and Teams, which threat actors can use to socially engineer their way into the company and abuse the trust of an employee.

Another aspect that companies need to be conscious of are trigger events that increase the likelihood of a company being targeted for attack. For example, if an oil company is set to announce its annual revenue during a cost-of-living crisis, the organization must assess the animosity level from employees, ex-employees, and outsiders reacting to the announcement. The revenue reveal, in this example, is a potential trigger event, requiring the business to be particularly diligent in monitoring the Dark Web for any chatter around the company before, during, and after the event. In cases like these, companies must ask themselves whether they should implement extra defenses or apportion additional resources.

During trigger events, companies could potentially spot malicious insiders by monitoring an uptick in alerts or irregular online activity. Connections between a company device and the Tor network are a very reliable data point for discovering an insider threat, because there is virtually no good reason why an employee would be connecting to the Dark Web in most organizations.

**Shifting Left in the Cyber Kill Chain**

As with any incident, time is always of the essence. Where possible, organizations need to pinpoint insider threat activity during reconnaissance, the first stage of the cyber kill chain, to successfully mitigate against a malicious actor. Logic dictates that the earlier, or further to the left in the kill chain, that threat actors can be identified, then the less likely they are to be successful in their attack.

Organizations understand the need for preparedness, shielding their borders, and educating their employees. However, these are simply a solid foundation of security infrastructure that requires augmenting with intelligence to stop threats earlier. Dark Web threat intelligence should be considered as an integral component to enhancing an organizations' security posture. As most cybercriminals rely on Dark Web infrastructure to conduct their operations, cutting off this channel can vastly reduce the chance of insider threats taking hold and disrupting business operations.

Hunting Insider Threats on the Dark Web

**STAMFORD,** **Conn.,** **January** **23,** **2023** **—** Zero trust is top of mind for most organizations as a critical strategy to reduce risk, but few organizations have actually completed zero-trust implementations.Gartner, Inc. predicts thatby 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place, up from less than 1% today.

Gartner defines zero trust as a security paradigm that explicitly identifies users and devices and grants them just the right amount of access so the business can operate with minimal friction while risks are reduced.

“Many organizations established their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads. Attackers abuse this implicit trust in infrastructure to establish malware and then move laterally to achieve their objectives,” said John Watts, VP Analyst at Gartner. “Zero trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices, and resources.”

To help organizations complete the scope of their zero-trust implementations, it is critical that chief information security officers (CISOs) and risk management leaders start by developing an effective zero-trust strategy which balances the need for security with the need to run the business.

“It means starting with an organization’s strategy and defining a scope for zero-trust programs,” said Watts. “Once the strategy is defined, CISOs and risk management leaders must start with identity - it is foundational to zero trust. They also need to improve not only technology, but the people and processes to build and manage those identities.

“However, CISOs and risk managementleaders should not assume that zero trust will eliminate cyberthreats. Rather, zero trust reduces risk and limits impacts of an attack.”

Gartner analysts predict thatthrough 2026, more than half of cyberattacks will be aimed at areas that zero- trust controls don’t cover and cannot mitigate.

“The enterprise attack surface is expanding faster and attackers will quickly consider pivoting and targeting assets and vulnerabilities outside of the scope of zero-trust architectures (ZTAs),”said Jeremy D’Hoinne, VP Analyst at Gartner.”This can take the form ofscanning and exploiting of public-facing APIs or targeting employees through social engineering, bullying or exploiting flaws due to employees creating their own “bypass” to avoid stringent zero-trust policies.”

Gartner recommends that organizations implement zero trust to improve risk mitigation for the most critical assets first, as this is where the greatest return on risk mitigation will occur. However, zero trust does not solve all security needs. CISOs and risk management leaders must also run a continuous threat exposure management (CTEM) program to better inventory and optimize their exposure to threats beyond the scope of ZTA.

Gartner clients can learn more in “Predicts 2023: Zero Trust Moves Past Marketing Hype Into Reality.”

Learn how to prepare for any cybersecurity attack in the complimentary Gartner ebook 3 Must-Haves in Your Cybersecurity Incident Response Plan.

**About Gartner Security & Risk Management Summit** 

Gartner analysts present the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summits 2023, taking place February 13-14 in India, February 27-28 in Dubai, June 5-7 in National Harbor, MD, March 28-29 in Sydney, July 26-28 in Tokyo and September 26-28 in London. Follow news and updates from the conferences on Twitter using #GartnerSEC.

**About Gartner for Information Technology Executives**

Gartner for Information Technology Executives provides actionable, objective insight to CIOs and IT leaders to help them drive their organizations through digital transformation and lead business growth. Additional information is available at www.gartner.com/en/information-technology.

Follow news and updates from Gartner for IT Executives on Twitter and LinkedIn. Visit the IT Newsroom for more information and insights. 

**About Gartner**

Gartner, Inc. (NYSE: IT) delivers actionable, objective insight to executives and their teams. Our expert guidance and tools enable faster, smarter decisions and stronger performance on an organization’s mission critical priorities. To learn more, visit gartner.com.

Gartner Predicts 10% of Large Enterprises Will Have a Mature and Measurable Zero-Trust Program in Place by 2026

S-RM reports show that cybersecurity concerns surrounding hybrid work prevail for 37% of organizations.

**23rd January 2023 – LONDON –** Leading global intelligence and cyber security consultancy S-RM has today revealed in its _Cyber Security Insights Report_ that there has been a drop in concern around the cyber security threats posed by hybrid working. However, a significant proportion (35%) of IT leaders say they are concerned over a cyber skills gap among employees. 

The report, which draws on data from 600 C-suite and IT budget holders from organisations with revenue over USD $500m, found that 37% of organisations reported concerns around hybrid working – a drop from 46% in 2021. This may be in part due to growing awareness of cyber security threats among employees. When asked about the biggest cyber security challenges their organisation faced, just 31% of respondents'perceived lack of importance from employees in 2022'. While there is still a way to go, this figure is down from 36% in 2021. 

Despite growing awareness among employees, the cyber skills gap still remains an area of vulnerability. Over a third of senior IT leaders and C-suite holders in 2022 (35%) highlighted a lack of cyber skills and expertise as a key challenge facing their business when it comes to cyber security defence and incident management – a figure that rose to 42% within the financial services industry. These statistics support the ongoing industry discussion about the difficulties of attracting and retaining the best talent.

The report also illustrated that businesses with more mature cyber security policies prioritise different challenges than less experienced companies. Businesses where senior leaders viewed the company’s cyber security as ‘very mature’ were more likely to consider compliance and unsophisticated or outdated cyber security tools as their key challenges (37% and 33%). 

Comparatively, companies describing themselves as 'somewhat mature' were less likely to identify these as key challenges (25% and 26%) but rather identified a lack of skills and expertise (38%) as well as a lack of internal training (33%) as their main issues to their business – highlighting again the worries over the skills gap amongst decision makers .

**Jamie Smith, Board Director at S-RM said:**

_“While we have found that more companies are now adjusting to hybrid working and viewing it as less of a risk, it is clear that cyber security challenges are continuously evolving and2023 will bring fresh risks to consider._ 

_“One of the biggest protective measures companies can take over cyber security threats is to build a resilient workforce, and a positive takeaway from our report is that we are seeing more employees take more notice of security threats.”_ 

**Paul Caron, Head of Cyber Security, at S-RM said:**

_“Our report finds some great progress in cyber security maturity across a slew of industries but there is still asignificant skills gap evident in the workforce. This is a perennial problem for the sector: how to attract and retain the best talent, to win the knowledge, skills, and technology arms race between threat actors and private businesses._ 

_“It is crucial, for businesses to continue to invest in high quality cyber security training in order to both attract this talent and firm up their own defences by closing this skills gap.”_  

Further detail on the full report can be accessed on the S-RM website, here: https://www.s-rminform.com/cyber-security-insights-report

Cybersecurity Worries Around Hybrid Working Drop, but Many IT Leaders Still Concerned Over Cyber-Skills Gap

**DUBLIN****,** **Jan. 23, 2023** **/PRNewswire/ --** The "Supply Chain Security Market by Component (Hardware, Software, Services), Security Type (Data Locality & Protection, Data Visibility & Governance), Organization Size, Application (Healthcare & Pharmaceuticals, FMCG) and Region - Global Forecast to 2027" report has been added to  **ResearchAndMarkets.com's** offering.

The publisher forecasts that the global supply chain security market will grow from an estimated USD 2.0 billion in 2022 to USD 3.5 billion by 2027 at a compound annual growth rate (CAGR) of 11.0%. One of the factors driving the market growth is the increasing need for supply chain transparency.

**By components, services segment is to grow at the highest CAGR during the forecast period**

Supply chain security is an important supply chain management (SCM) segment. It primarily manages the risks of transportation, logistics, vendors, and suppliers. Professional security analysts ensure support with incident response and remote client assistance during suspicious activities. Professional services such as support and maintenance, training, and education are a part of this segment. With the increased adoption of supply chain security, there is an increased demand for these services, further boosting the market growth. The services segment includes numerous services required to deploy, execute, and maintain supply chain security solutions in organizations. This supply chain security market segment is classified into training and consultation, integration and deployment, and support and maintenance.

**By services, integration, and deployment services to grow at highest CAGR during forecast period**

Tailored supply chain security deployment and integration services are offered by integration and deployment service providers. These services are used by highly qualified industry experts, domain experts, and security professionals that assist organizations in formulating and implementing supply chain security strategies, preventing revenue losses, minimizing risks, understanding cybersecurity solutions, and enhancing security in the existing information system.

In system integration, the vendor's security services are integrated with the client's security system without hampering the existing client's system. Benefits, such as reduced risks and complexity, are offered by design and integration services. This enhances security and enables resiliency to cyberattacks by identifying vulnerable or potentially exploited components at all supply chain stages.

**Market Dynamics**

Drivers

*   Rising Incidences of Cyberattacks Across Supply Chains
*   Growing Need for Supply Chain Transparency
*   Increasing Demand for Enhanced Security of Supply Chain Transactions

Restraints

*   Budgetary Constraints Among Small and Emerging Startups in Developing Economies

Opportunities

*   Improving Risk Prediction and Management
*   Widespread Adoption of Automation Technology Across Value Chain
*   Increasing IoT Devices in Supply Chain

Challenges

*   Limited Awareness About Supply Chain Security Among Organizations

Key Topics Covered: 

1\. Introduction

2\. Research Methodology

3\. Executive Summary

4\. Premium Insights

5\. Market Overview and Industry Trends

6\. Supply Chain Security Market, by Component

7\. Market, by Security Type

8\. Market, by Organization Size

9\. Market, by Application

10\. Market, by Region

11\. Competitive Landscape

12\. Company Profiles

13\. Adjacent Markets

14\. Appendix

**Companies Mentioned**

*   Altana Ai
*   Berlinger & Co. Ag
*   C2A Security
*   Cold Chain Technologies
*   Controlant
*   Dickson
*   Elpro
*   Emerson
*   Fourkites
*   Hanwell Solutions
*   Ibm
*   Logtag Recorders
*   Monnit
*   Nxp Semiconductors
*   Omega Compliance
*   Oracle
*   Orbcomm
*   Roambee
*   Rotronic
*   Safetraces
*   Sensitech
*   Signatrol
*   Tagbox Solutions
*   Testo
*   Tive

For more information about this report visit https://www.researchandmarkets.com/r/cok35b

**About ResearchAndMarkets.com**

ResearchAndMarkets.com is the world's leading source for international market research reports and market data. We provide you with the latest data on international and regional markets, key industries, the top companies, new products and the latest trends.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Supply Chain Security Global Market Report 2022: Sector to Reach $3.5 Billion by 2027 at an 11% CAGR

This time around, weak API security allowed a threat actor to access account information, the mobile phone giant reported.

T-Mobile has disclosed a new, enormous breach that occurred in November, which was the result of the compromise of a single application programming interface (API). The result? The exposure of the personal data of more than 37 million prepaid and postpaid customer accounts.

For those keeping track, this latest disclosure marks the second sprawling T-Mobile data breach in two years and more than a half-dozen in the past five years.

And they've been expensive.

Last November, T-Mobile was fined $2.5 million for a 2015 data breach by the Massachusetts attorney general. Another 2021 data leak cost the carrier $500 million; $350 million in payouts to affected customers, and another $150 million pledged toward upgrading security through 2023.

Now the telecom giant is mired in yet another cybersecurity incident.

**T-Mobile's Cybersecurity Snafu**

The threat actor who claimed to be behind the 2021 breach of 54 million T-Mobile customers, past, present and prospective, John Binns, bragged in an interview with the Wall Street Journal that T-Mobile's "awful" security made his job easy.

But an infrastructure like T-Mobile's means it's tough to cover the entire attack surface, making their systems particularly complicated to shore up, Justin Fier, senior vice president for red-team operations with Darktrace, tells Dark Reading.

"Like most big brands, T-Mobile has a very complex and sprawling digital estate," Fier explains. "It is becoming harder by the day to gain visibility into every aspect of that estate and make sense of the data, which is why we’re increasingly seeing firms lean on technology to perform that role."

However, he adds that breaching a vulnerable API doesn't require much know-how on the part of an attacker.

Besides weak API security, Mike Hamilton CISO of Critical Insight, tells Dark Reading that this latest compromise also demonstrates a lack of network visibility and ability to detect abnormal behavior.

"Details are scant, and there has been no attribution of the 'bad actor,' who apparently had access to data for about 10 days before being stopped," Hamilton says.

**T-Mobile's Next Regulator Bout**

In the disclosure of the cybersecurity incident, T-Mobile downplayed the stolen account information, adding the data was "basic," and "widely available in marketing databases." While it might read like a glib dismissal of the impact on its customers, the distinction could protect the company from state regulators, Hamilton adds.

"The data may be monetized by selling in bulk, although it's of little actual value," Hamilton says. "Most of the data in the theft can be found in public sources and is unlikely to cause legal action from state privacy statutes like the CCPA (California Consumer Privacy Act)."

However, T-Mo might have more trouble in Europe with GDPR and Information Commissioner's Office (ICO) regulators in the UK, Tim Cope, CISO of NextDLP, explains to Dark Reading. Penalties like these ultimately will drive investment in the necessary cybersecurity protections, he adds.

"The regulatory oversight of the ICO and GDPR should hopefully bring a large series of fines along with these privacy breaches," Cope says, "which should in turn feed more investment into security teams to help build better controls to guard APIs against the current and future attacks."

T-Mobile Breached Again, This Time Exposing 37M Customers' Data

Two new reports show ransomware revenues for threat actors dropped sharply in 2022 as more victims ignored ransom demands.

In another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.

If the trend continues, analysts expect ransomware actors will start demanding bigger ransoms from larger victims to try and compensate for falling revenues, while also increasingly going after smaller targets that are more likely to pay (but which represent potentially smaller payoffs).

**A Combination of Security Factors**

"Our findings suggest that a combination of factors and best practices — such as security preparedness, sanctions, more stringent insurance policies, and the continued work of researchers — are effective in curbing payments," says Jackie Koven, head of cyber-threat intelligence at Chainanalysis.

Chainanalysis said its research showed ransomware attackers extorted some $456.8 million from victims in 2022, down nearly 40% from the $765.6 million they had extracted from victims the year before. The actual number is likely to be much higher considering factors like underreporting by victims and incomplete visibility over ransomware addresses, Chainanalysis conceded. Even so, there is little doubt that ransomware payments were down last year because of an increasing unwillingness by victims to pay their attackers, the company said.

"Enterprise organizations investing in cybersecurity defenses and ransomware preparedness are making a difference in the ransomware landscape," Koven says. "As more organizations are prepared, fewer need to pay ransoms, ultimately disincentivizing ransomware cybercriminals."

Other researchers agree. "The businesses that are most inclined not to pay are those that are well prepared for a ransomware attack," Scott Scher, senior cyber-intelligence analyst at Intel471, tells Dark Reading. "Organizations that tend to have better data backup and recovery capabilities are definitely better prepared when it comes to resiliency to a ransomware incident and this highly likely decreases their need to pay ransom."

Another factor, according to Chainanalysis, is that paying a ransom has become legally riskier for many organizations. In recent years, the US government has imposed sanctions on many ransomware entities operating out of other countries. 

In 2020, for instance, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) made it clear that organizations — or those working on their behalf — risk violating US rules if they make ransom payments to entities on the sanctions list. The outcome is that organizations have become increasingly leery of paying a ransom "if there’s even a hint of connection to a sanctioned entity," Chainanalysis said.

"Because of the challenges threat actors have had in extorting larger enterprises, it is possible that ransomware groups may look more toward smaller, easier targets lacking robust cybersecurity resources in exchange for lower ransom demands," Koven says.

**Declining Ransom Payments: A Continuing Trend**

Coveware also released a report this week that highlighted the same downward trend among those making ransom payments. The company said its data showed that just 41% of ransomware victims in 2022 paid a ransom, compared with 50% in 2021, 70% in 2020, and 76% in 2019. Like Chainanalysis, Coveware also attributed one reason for the decline to better preparedness among organizations to deal with ransomware attacks. Specifically, high-profile attacks like the one on Colonial Pipeline were very effective in catalyzing fresh enterprise investments in new security and business continuity capabilities.

Attacks becoming less lucrative is another factor in the mix, Coveware said. Law enforcement efforts continue to make ransomware attacks more costly to pull off. And with fewer victims paying, gangs are seeing less overall profit, so the average payoff per attack is lower. The end result is that a smaller number of cybercriminals are able to make a living off ransomware, Coverware said.

Bill Siegel, CEO and co-founder of Coveware, says that insurance companies have influenced proactive enterprise security and incident response preparedness in a positive manner in recent years. After cyber-insurance firms sustained substantial losses in 2019 and 2020, many have tightened their underwriting and renewal terms and now require insured entities to have minimum standards like MFA, backups, and incident response training. 

At the same time, he believes that insurance companies have had negligible influence in enterprise decisions on whether to pay or not. "It is unfortunate, but the common misconception is that somehow insurance companies make this decision. Impacted companies make the decision," and file a claim after the incident, he says.

**Saying "No" to Exorbitant Ransomware Demands**

Allan Liska, intelligence analyst at Recorded Future, points to exorbitant ransom demands over the past two years as driving the growing reticence among victims to pay up. For many organizations, a cost-benefit analysis often indicates that not paying is the better option, he says. 

"When ransom demands were \[in the\] five or low six figures, some organizations might have been more inclined to pay, even if they didn't like idea," he says. "But a seven or eight-figure ransom demand changes that analysis, and it is often cheaper to deal with recovery costs plus any lawsuits that may stem from the attack," he says.

The consequences for nonpayment can vary. Mostly, when threat actors don't receive payment, they tend to leak or sell any data they might have exfiltrated during the attack. Victim organizations also have to contend with potentially longer down times due to recovery efforts, potential expenses released to purchasing new systems, and other costs, Intel471's Scher says.

To organizations in the front lines of the ransomware scourge, news of the reported decline in ransom payments is likely to be of little consolation. Just this week, Yum Brands, the parent of Taco Bell, KFC, and Pizza Hut, had to close nearly 300 restaurants in the UK for a day following a ransomware attack. In another incident, a ransomware attack on Norwegian maritime fleet management software company DNV affected some 1,000 vessels belonging to around 70 operators.

**Declining Revenues Spur Gangs in New Directions**

Such attacks continued unabated through 2022 and most expect little respite from attack volumes in 2023 either. Chainanalysis' research, for instance, showed that despite falling ransomware revenues, the number of unique ransomware strains that threat operators deployed last year surged to over 10,000 just in the first half of 2022.

In many instances, individual groups deployed multiple strains at the same time to improve their chances of generating revenue from these attacks. Ransomware operators also kept cycling through different strains faster than ever before — the average new ransomware strain was active just for 70 days — likely in an effort to obfuscate their activity.

There are signs that falling ransomware revenues are putting pressure on ransomware operators.

Coveware, for instance, found that average ransom payments in the last quarter of 2022 surged 58% over the previous quarter to $408,644 while the median payment skyrocketed 342% to $185.972 over the same period. The company attributed the increase to attempts by cyberattackers to compensate for broader revenue declines through the year. 

"As the expected profitability of a given ransomware attack declines for cybercriminals, they have attempted to compensate by adjusting their own tactics," Coveware said. "Threat actors are moving slightly up the market to try and justify larger initial demands in the hopes that they result in large ransom payments, even as their own success rate declines."

Another sign is that many ransomware operators began re-extorting victims after extracting money from them the first time, Coveware said. Re-extortion has traditionally been a tactic reserved for small business victims. But in 2022, groups that have traditionally targeted mid- to large-size companies began employing the tactic as well, likely as a result of financial pressures, Coveware said.

Ransomware Profits Decline as Victims Dig In, Refuse to Pay

Zendesk has alerted customers to a successful SMS phishing campaign that has exposed "service data," but details remain scarce.

It has come to light that the Zendesk software-as-a-service (SaaS) company for customer relationship management (CRM) was compromised in October, exposing client account data to a threat actor, according to an email sent to affected accounts on Jan. 13, 2023.

The email from Zendesk with the details of the security incident was made public by Coinigy, which provides virtual wallet services and "felt the need to disclose it to our customers," Coinigy's post about the compromise explained.

Zendesk explained in the email to Coinigy that the breach was the result of an SMS phishing campaign targeting Zendesk employees.

"Zendesk determined that Service Data belonging to your coiningy.zendesk.com account may have been in the (exposed) unstructured logging platform data," the email from Zendesk explained. "There is no evidence suggesting the threat actor accessed the Zendesk instance of your coiningy.zendesk.com account at any time."

Besides applauding Coinigy's decision to publicly share the compromise details, security researcher Jake Williams was not as encouraged by Zendesk's response.

"The disclosure is vague and references 'unstructured data from a logging platform' which could be just about anything," Williams tells Dark Reading. "The disclosure simply doesn't give enough information for any organization to evaluate what (if anything) they need to do in response."

There's been no word yet as to whether other customers of Zendesk beyond Coinigy are affected.

Zendesk did not respond to Dark Reading's request for comment.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading