LOUISVILLE, Ky., Oct. 11, 2022 /PRNewswire/ — Deloitte and the National Association of State Chief Information Officers (NASCIO) today released their 2022 Cybersecurity Study, "State Cybersecurity in a Heightened Risk Environment." The survey captures responses from chief information security officers (CISOs) in all 50 states and three territories about current cybersecurity trends, challenges and opportunities.

The survey found that state CISOs throughout the U.S. gained considerable strength and authority over the past few years, as they rapidly migrated government operations and services to a virtual environment and expedited digital transformations to meet the immediate needs of individuals and families. Due to the dedicated efforts of these CISOs, state agencies were able to continue providing high-quality service to their constituents, despite the challenges imposed by a global pandemic.  

Additional highlights from the 2022 Deloitte/NASCIO survey include:

*   **Addressing the talent gap**: In 2022, the demand for high-skilled workers has grown even more acute for public and private sector employers. In this environment, the lack of cybersecurity professionals and other staff remains among the top five barriers cited by state CISOs.
    *   Despite CISOs' growing responsibilities and the increasing sophistication of both technology and threats, **headcounts for state cybersecurity professionals remain about the same as in 2020, and more than 6 in 10 CISOs report gaps in competencies among their staffs**.
*   **Embracing the entire state**: It is an imperative to provide for greater security across the entire state through a tighter collaboration with local governments and state higher education institutions. CISOs made significant progress in enhancing their stature and visibility at the state executive and legislative levels, and they are continuing to get the institutional support and resources they need.
    *   All 50 states now have a CISO, and many are establishing new positions for chief privacy officers, chief risk officers and identity program directors.
    *   More state legislators are codifying the role of the CISO into state law and funding the position. They are also codifying several cyber initiatives into state law, such as enterprise risk management frameworks, cybersecurity legislative councils and cybersecurity training.
    *   More states now require CISOs to provide periodic reports to senior state officials, such as the governor, legislature and agency secretaries.
    *   CISOs are looking to establish and activate a shared security services approach to enable a whole-of-state approach to protecting local governments and public higher education institutions.
*   **Emerging technologies present new opportunities**: In the post-pandemic digital landscape, CISOs have an even more critical role to play in guiding the evaluation and implementation of new technologies.
    *   State CISOs confirm that many applications have migrated to the cloud. With remote work, digital and mobile platforms have become part of the fabric of daily life by which people work, communicate and transact.
    *   **States have taken a big step forward to provide digital identities for citizen services**. Capabilities, such as cloud computing, artificial intelligence and robotic process automation, enable states to further enhance digital modernization in service of their missions and constituents.

"The complexity of cyber challenges that the state CISOs tackle is increasing with the need to take a whole-of-state approach involving multiple jurisdictions and stakeholders," said Srini Subramanian, principal, Deloitte & Touche LLP, and Deloitte's global risk advisory leader for government and public services. "To address these challenges, state CISOs are increasingly laying the groundwork to adopt emerging technologies, promoting more collaboration with local government agencies and higher education institutions, upskilling state employees and transforming employment practices to attract the next-generation of highly capable cyber talent."

"State CISOs played critical roles helping the country successfully navigate the twists and turns of the pandemic, and this year's survey identifies the steps needed to grow this increasingly public role and meet the current and future challenges faced by state agencies," said Meredith Ward, director of policy and research at NASCIO and a co-author of the 2022 Deloitte/NASCIO Cybersecurity Study. "We're proud to again bring the perspectives of state CISOs to the forefront of conversations around cybersecurity."

Additional takeaways from the 2022 Deloitte/NASCIO survey include:

*   Thirty states increased their cybersecurity budgets from 2021 to 2022. And for the first time, CISOs report that a handful of states are allocating more than 10% of their IT budgets to cybersecurity, in alignment with federal government levels. However, most states still only allocate between 2% and 10% of their budgets to cybersecurity efforts.
*   Many state CISOs identified the drafting and implementation of the Zero Trust framework as a key initiative.
*   CISOs say that malware, ransomware and phishing attempts continue to present security challenges. Concern among CISOs about foreign state-sponsored espionage has also risen significantly, while the perceived threat from third parties and social engineering has declined.
*   CISOs found that the three leading causes of cyber incidents remain web applications, malicious code and financial fraud. However, CISOs note a rise in cyber incidents involving foreign state-sponsored espionage, zero-day attacks and attacks against cloud platforms.
*   Nearly one-third of state CISOs say that state agencies manage cyber incidents on their own, rather than working with a central state IT security group.
*   CISOs are increasingly contracting cybersecurity professionals and states are demonstrating more interest in outsourcing specific cybersecurity functions to managed service providers. In fact, more than half of CISOs report outsourcing security operations center tasks, which require 24x7 monitoring, and more than 60% of CISOs report having confidence in the cybersecurity services of third-party vendors.
*   State CISOs are starting to incorporate diversity, equity and inclusion (DEI) practices, such as designating a DEI leadership position or teams to foster a culture of inclusion. However, many CISOs say they do not know if they have such practices in place.

See here for the full survey results.

See here for learn more about Deloitte's cyber risk practice.

**About Deloitte**

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today's marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's approximately 415,000 people worldwide connect for impact at www.deloitte.com.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Cybersecurity Survey of State CISOs Identifies Many Positive Trends

Killnet calls on other groups to launch similar attacks against US civilian infrastructure, including marine terminals and logistics facilities, weather monitoring centers, and healthcare systems.

UPDATE 

Hot on the heels of attacks against US state government websites, pro-Russian threat group Killnet on Monday disrupted the websites of multiple US airports in a series of distributed denial-of-service (DDoS) attacks.

It also called on similarly aligned groups and individuals to carry out DDoS attacks on other US infrastructure targets, in what appears to be an escalation of a recent campaign protesting the US government's support for Ukraine in its war with Russia.

Airport websites that were affected by Killnet's DDoS attacks included Los Angeles International Airport (LAX), Chicago O'Hare, and the Hartsfield-Jackson Atlanta International Airport, among others. While the DDoS attacks made some of the sites inaccessible for several hours, they do not appear to have had any impact on airport operations.

Researchers from Mandiant who have been tracking the attacks said they observed a total of 15 US airport websites being impacted.

**Mostly Brief Interruptions**

In a statement to Dark Reading, airport authorities at LAX confirmed the attack.

"Early this morning, the FlyLAX.com website was partially disrupted," an LAX spokesperson noted in an emailed statement. LAX officials described the service interruption as being limited to portions of the public-facing FlyLAX.com website only. "No internal airport systems were compromised and there were no operational disruptions," according to the statement, adding that the airport's IT team has restored services and that the airport has notified the FBI and the Transportation Security Administration (TSA).

In an emailed statement to Dark Reading, the Chicago Department of Aviation (CDA) noted that its flychicago.com and related websites for O'Hare and Midway international airports went offline, but confirmed that airport operations were affected. 

"City of Chicago IT staff worked diligently to restore the website's functionality shortly after noon Central Time, and they continue to vigilantly monitor the situation," the statement said.

Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, says Killnet has also asked its supporters to join in on the airport attacks and posted a list of domains to be targeted on its Telegram channel. In total, the group mentioned 49 domains belonging to airports across the US, he says. Killnet's target list includes airports in some two dozen states including California, Delaware, Florida, Georgia, Illinois, Maryland, Massachusetts, and Michigan.

"At this time, it is unknown how successful these attacks were, but Killnet attacks are known to take websites down for short periods," Righi says. The attacks began with a DDoS attack on O'Hare, where the group stated its motivation to target US civilian network sector, which the group deemed to be not secure, he says.  

**Calls for Broader Attacks**

Vlad Cuiujuclu, team lead for global intel at Flashpoint, says the DDoS attack on O'Hare International Airport came shortly after Killnet announced new rounds of DDoS attacks against domains that belong to the civilian infrastructure of the United States. Among the targets it is urging supporters to attack are marine terminals and logistics facilities, weather monitoring centers, healthcare systems, ticketing systems for public transit, exchanges, and online trading systems, Cuiujuclu says.

Killnet's post urging other pro-Russian groups to launch DDoS attacks against domains that belong to the US civilian infrastructure was shared by other Russian-speaking cyber-collectives, including Anonymous | Russia, Phoenix, and We Are Clowns, Cuiujuclu noted.

Killnet has been among the more active pro-Russian cyberthreat groups in recent months. Just last week it claimed credit for DDoS attacks on the government websites of Mississippi, Kentucky, and Colorado. In July, the group claimed credit for a DDoS attack on the website of the US Congress, which briefly affected public access.

In August, Killnet said it planned to attack Lockheed Martin, the company manufacturing the US-made rocket launchers that the Ukrainian military has been using in the conflict. The group claimed it had compromised Lockheed Martin's identity authorization infrastructure, but Flashpoint, which tracked the campaign, said it was unable to find any verifiable evidence of the supposed attack. "This is possible, but Killnet has this far shown little verifiable evidence of this beyond a video and a spreadsheet allegedly containing employee data, the authenticity of which could not be determined," Flashpoint said at the time.

**An Especially Active Threat Actor**

Almost since the beginning of the Russian invasion of Ukraine, Killnet has been continuously posting alleged evidence of DDoS attacks against organizations in NATO member states and those it perceives as supporting Ukraine in the conflict. Flashpoint has previously described Killnet as a media-savvy threat group with a tendency to try to inflate its profile by bragging about attacks. "While Killnet’s threats are often grandiose and ambitious, the tangible effects of their recent DDoS attacks have so far appeared to be negligible."

Killnet's attacks — and those it is urging others to carry out — are examples of what security experts say is the tendency in recent years for geopolitical conflicts to spill over into the cyber domain. The threat group's apparent escalation of its campaign against US and other NATO countries, for instance, comes just days after an explosion destroyed a section of a critical bridge connecting Russia to the Crimean Peninsula.

So far, most of the cyberattacks by pro-Russian groups that impacted US organizations have not been nearly as disruptive as attacks by Russian groups against Ukrainian entities. Some of those attacks — including many going back to Russia's annexation of Crimea — were designed to destroy systems and degrade power and other critical infrastructure in support of Russian military objectives.

**_This story was updated at 11:30 a.m. ET to include a statement from the Chicago Department of Aviation, and to reflect that the Indianapolis airport was not affected._**

US Airports in Cyberattack Crosshairs for Pro-Russian Group Killnet

An analysis of the malware and its infection strategies finds nearly 21,000 minor and 139 major variations on the malware — complexity that helps it dodge analysis.

The threat group behind the Emotet malware-delivery botnet has resurrected the malware-as-a-service offering with more sophisticated countermeasures to foil takedowns.

According to a 68-page analysis on Oct. 10 from VMware's Threat Analysis Unit — based on data collected from several new Emotet campaigns in early 2022 — the group has learned lessons from the 2021 law enforcement takedown of the group's infrastructure. That includes creating more complex and subtle chains of execution, hiding its configurations, and hardening its command-and-control (C2) infrastructure. In addition, the group recently updated two of the eight modules to improve credit-card stealing functionality and its capabilities for spreading laterally through a network.

Overall, the research suggests that Emotet is continuously changing to make it more difficult for defenders to adapt and block the malware, Chad Skipper, global security technologist at VMware, stated in a press briefing.

"Emotet \[has\] embraced its role as a malware distributor, focusing more on advancing its technique for initial infection and relying on waves of spam emails that entice users to open up documents and click on links," he said.

The analysis of Emotet completes the malware-as-a-service group's resurrection, following a takedown in January 2021 by international law enforcement. Just the month before the takedown, Check Point Software Technologies had estimated that 7% of companies had been affected by the botnet. Law enforcement agencies gained control of the infrastructure and disrupted Emotet's infection and payload-delivery capabilities.

In late 2021, however, updated versions of Emotet and Conti began being distributed by another group, Trickbot, bootstrapping the once-defunct malware network and bringing it back from the dead.

The group behind Emotet — often referred to as Mummy Spider, MealyBug, or TA542, depending on different security firm nomenclature — typically uses waves of spam email messages and specially crafted messages to convince users to click on malicious links or open malicious documents. Access to the compromised machines is then sold to interested groups, who then steal data, install ransomware, or find other ways to monetize access.

VMware's TAU group analyzed data collected from the spam messages, URLs, and malicious attachments to classify the attacks into different waves, map the attacker's C2 infrastructure, and reverse engineer any delivered malware to gain insight into the attacker's activities.

    

The top execution clusters for the Emotet malware. Source: VMware's Emotet Exposed report

The two waves analyzed by VMware in the report both used a malicious Excel document to infect systems, with the first — and smaller — wave using XL4 macro, while the second wave paired that with PowerShell. The researchers deconstructed the attacks into initial invocation variations and into execution flows finding 139 unique program chains and 20,955 unique invocation chains, which are variants made to make the infection look unique.

"Based on a new similarity metric, \[the research group\] was able to identify various stages of Emotet attacks with a number of initial infection waves that change the way in which the malware is delivered," VMware stated in its analysis.

Other recent updates include a module that targets Google's Chrome browsers to steal credit card information, and a second module that spread the infection to other computers using the Server Message Block (SMB) protocol, a common technique for hackers.

The threat actors also use significant anti-analysis countermeasures to attempt to hide the details of their C2 infrastructure, the report stated. The post-recovery version of Emotet has two major sets of infrastructure, which VMware calls Epoch 4 and Epoch 5, which have only a single common IP address between them. In addition, the malware could be executed using any of 139 different program chains, although 80% of the samples analyzed belonged to one of four different chains.

The most popular chain involved "a simple three-stage attack involving the execution of Excel and regsvr32.exe," the report stated. "The second most popular chain shows the same attack chain as the first but with an additional stage."

VMware found that the attackers' infrastructure led back to 328 different IP addresses, 18% of which were in the United States, with Germany and France accounting for a significant share as well. However, the servers hosting modules, updates and other payloads came from a different set of IP addresses, with the largest share (26%) hosted in India.

"\[T\]he IP addresses of the servers hosting the Emotet modules can be different from the IP addresses extracted from the initial Emotet payload configuration," the report stated. "\[M\]ost of the IP addresses extracted from the configuration were likely to be compromised legitimate servers used to proxy the actual servers that hosted the Emotet modules."

Emotet Rises Again With More Sophistication, Evasion

A flaw in unpatched Zimbra email servers could allow attackers to obtain remote code execution by pushing malicious files past filters.

Administrators running Zimbra servers are being warned to update their systems with the "pax" utility by researchers, who have observed cyberattackers actively attempting to exploit a known flaw.

Zimbra is a cloud-hosted email and employee collaboration platform. The bug, being tracked as CVE-2022-41352, exists in the virus-scan process for incoming emails; it could allow malicious files to get through, ultimately leading to remote code execution (RCE).

Synacor, the development company behind Zimbra, issued an alert to users on Sept. 14, warning admins they needed to install the pax package against the vulnerability,

Now, Rapid7 researchers said in a blog post that they have observed active exploitation of the flaw in the wild, and urged administrators who haven't already, to update their systems. 

Synacor added that Ubuntu users should have already had the pax package installed automatically.

"The vulnerability is due to the method (cpio) in which Zimbra’s antivirus engine (Amavis) scans inbound emails," the Rapid7 team explained in an Oct. 6 blog post. "Zimbra has provided a workaround, which is to install the pax utility and restart the Zimbra services."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Zimbra RCE Bug Under Active Attack

A CISO's responsibilities have evolved immensely in recent years, so their first three months on the job should look a different today than they might have several years ago.

Not too long ago, the role of chief information security officer was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the CISO role has evolved — growing both in responsibility and stature within a company. The CISO is now a critical member of the executive team, responsible for tying not only cybersecurity, but overall risk management, to the company's business strategy and operations.

The modern CISO is involved in strategic decision-making, for example, ensuring the business securely embraces digital transformation while assuring the board, clients, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes, and technologies to enable their organization to fulfill its overarching business objectives securely.

Given this evolution in responsibilities, a CISO's first 90 days on the job should look a lot different today than it did even several years ago.

**The First 90 Days**

While many CISOs want to immediately demonstrate value by jumping in with big ideas and projects on day one, they will be able to make much more of a long-term impact if they first take the time to understand the company's mission, values, and business objectives. They also need to get up to speed on core activities, products, services, research and development, intellectual property, and merger and acquisition plans. And they need to understand all potential issues, previous breaches, regulatory or external obligations, and existing technical debt.

With this in mind, here are a few recommendations on what a CISO's focus should be during their first 90 days on the job.

**Gain An Understanding of the Organization's Larger Mission and Culture**

The very first day, begin to deploy a collection of interview and interrogation techniques with a goal of understanding the business, its purposes and its priorities. Interview your employees, midlevel business leaders, and customers to get a sense of all key stakeholders, initial pain points, and how mature the cybersecurity culture is within the organization. Finally, gently interrogate your partners, suppliers, and vendors to determine who is just selling and who is a trusted advisor. Going through this process will open lines of communication, uncover challenges, and help build a 90-day action plan and road map.

**Identify the Crown Jewels**

Determine which data and systems underpin the company's strategic mission and core competencies, represent intellectual property, differentiate the enterprise from its competitors, or support major customer segments or revenue lines. These crown jewels are the digital assets that are most likely to be targeted by threat actors, and thus must have their cyber-hygiene efforts accelerated. If the C-suite and board understand these critical areas, they can tell you their risk appetite, and you can implement security strategies accordingly.

**Develop a Plan Based on the Company's Current IT and Business Landscape**

Once assets are identified and prioritized, develop a written risk management plan with checklists for deliverables, structure and communication between key internal and external stakeholders. On this latter point, the CISO always must act as an information broker and as a partner to all the key organizational decision-makers. One effective way to do this is to establish formal and informal communication with these roles, so the organization can move forward strategically.

**Master the Basics**

There are many technologies needed to secure the modern company, but there are a few must-haves that should be implemented right away, if they aren't already. These are baseline controls, including vulnerability management and anti-malware defenses for the endpoint, and non-negotiable controls, including multifactor authentication, sensitive data encryption, application whitelisting, 24/7 security monitoring, file integrity monitoring, privileged access management, network segmentation, data loss prevention, and a rigorous assessment and audit function connected to vulnerability and patching strategies.

**Implement Benchmarks**

Prove the value of security plans, processes, and technologies to the C-suite, business unit executives, and the board by implementing benchmarks and maturity assessments that show how the company stacks up against competitors, how security strategies stack up against industry best practices and frameworks, and how security initiatives are enabling the business with secure operations.

**Always Treat Security as a Business Problem**

Security incidents can result in myriad consequences on the business, and conversely, strong security can help the business succeed in a secure fashion. This is why it's so important that IT and security teams always remain integrated with the business side of the organization. As part of this, ensure ongoing communication and collaboration between executive leaders, the board, and security leaders. When management understands the business risks posed by cybersecurity threats, they'll be more apt to pay attention and participate in security efforts.

At the end of the first 90 days, a CISO should be able to answer questions such as: How well protected is the organization? What is our capability maturity against industry standard frameworks? What are our most critical vulnerabilities and cyber-risk scenarios? What data is most important to the organization? What data risks could have the most significant negative impact on the organization? And what will it take to improve the organization's security posture, and do we have a road map?

While this may seem like a lot to get to the bottom of in a three-month timespan, following these six steps will set your company up for both short- and long-term security and business success.

6 Things Every CISO Should Do the First 90 Days on the Job

About 1 in 5 phishing email messages reach workers' inboxes, as attackers get better at dodging Microsoft's platform defenses and defenders run into processing limitations.

This week's report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.

Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.

As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defenses and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.

The increasing capabilities of attackers is due to the better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.

"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content."

Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organizations had been targeted during one AiTM campaign.

Check Point is not the only vendor to warn that phishing attacks are getting better. In a survey, email security firm Proofpoint found that 83% of organizations experienced a successful email-based phishing attack, nearly half again as many as suffered such an attack in 2020. Cybersecurity firm Trend Micro saw the number of phishing attacks more than double, growing 137% in the first half of 2022 compared to the same period in 2021, according to the firm's 2022 Mid-year Cybersecurity report.

Meanwhile, cybercriminals services, such as phishing-as-a-service and malware-as-a-service, are encapsulating the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.

**Research & Recon Inform Phishing**

Attackers are improving too because of the effort that cyberattackers make in collecting intel for targeting victims with social engineering. For one, they're utilizing the vast amounts of information that can be harvested online, says Jon Clay, vice president of threat intelligence for cybersecurity firm Trend Micro.

"The actors investigate their victims using open source intelligence to obtain lots of information about their victim \[and\] craft very realistic phishing emails to get them to click a URL, open an attachment, or simply do what the email tells them to do, like in the case of business e-mail compromise (BEC) attacks," he says.

The data suggests that attackers are also getting better at analyzing defensive technologies and determining their limitations. To get around systems that detect malicious URLs, for example, cybercriminals are increasingly using dynamic websites that may appear legitimate when an email is sent at 2 a.m., for example, but will present a different site at 8 a.m., when the worker opens the message.

**Improvements in Defense**

Such techniques not only deceive, but take advantage of asymmetries in defending versus attacking. Scanning every URL sent in an email is not a scalable defense, says Check Point's Friedrich. Running URLs in a full sandbox, analyzing the links to a specific depth, and using image processing to determine sites that are trying to mimic a brand requires a lot of computational power.

Instead, email security firms are deploying "click-time" analysis to tackle the problem.

"There are some algorithms or tests that you can't run on every URL, because the compute is huge, it eventually become price prohibited," he says. "Doing that at click time, we only need to do the tests on the URLs that users actually click on, which is a fraction, so 1% of the total links in e-mail."

In addition, defenses increasing rely on machine learning and artificial intelligence to classify malicious URLs and files in ways that rules-based systems cannot, says Trend Micro's Clay.

"Dealing with weaponized attachments can be difficult for those security controls that still rely on signatures only and don’t have advanced technologies that can scan the file using ML or a sandbox, both of which could detect many of these malware files," he says.

In addition, previous statements from Microsoft have noted that Office 365 includes many of the email protection capabilities discussed by other vendors, including protection from impersonation, visibility into attack campaigns, and using advanced heuristics and machine learning to recognize phishing attacks affecting an entire organization or industry.

Email Defenses Under Siege: Phishing Attacks Dramatically Improve

Why bother with new tactics and exploits when the old tricks are still effective?

Cybercriminals targeting the retail and hospitality industry are sticking to tried and tested threat vectors, such as credential harvesting and phishing, according to analysis by the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).

An ISAC is an industry-specific organization that acts as a centralized repository of information on threats affecting a specific industry sector. Member organizations share threat intelligence and mitigation information, with the idea that organizations can prepare their defenses better if they know the kinds of attacks their peers are experiencing.

The "RH-ISAC Intelligence Trends Summary," which encompasses information shared by member organizations from May to August, highlights shifts in the threat landscape for the retail, hospitality, and travel sectors. Credential harvesting was "by far the most prevalent reported threat," at 63%, according to the report. Suspicious domains were the second most prevalent, at 16%. Other threat indicators reported by members include malicious domains (3%), botnets (3%), and adversary-in-the-middle attacks (4%).

Ten malware families made up 81% of total reports the RH-ISAC tracked during the four-month period, of which Emotet was the most prevalent. While it's possible that the rise in Emotet-related reports could be connected to member organizations' focusing more on Emotet defense, it also suggests that Emotet activity is "once again steady after the group's reemergence earlier this year," the report says.

RH-ISAC isn't just about reporting threat indicators — member organizations also share information about specific threat topics. The "Top Sharing Trends" graph is an indicator of what kinds of threats organizations are most concerned about.

    

Credential harvesting remains the most common threat shared by members, at 43%, followed by phishing, at 16%. Information about malware attacks — namely Agent Tesla, Formbook, and Emotet — made up 31% of the threats shared by members.

The "Top Sharing Trends" graph outlines the frequency of sharing regarding a threat topic, while the "Top Reported Trends" graph shows the volume of threat indicators shared related to a given topic, according to RH-ISAC.

Credential Harvesting Is Retail Industry's Top Threat

A boom in artificial intelligence-powered detection and remediation tools pushes security spending to the top of the AI market, according to Forrester.

By 2025, the artificial intelligence (AI) software market will expand from 2021's $33 billion to $64 billion, according to a new report. And cybersecurity is the fastest-growing category of AI spend, experiencing a rise in spending of 22.3% compound annual growth rate (CAGR).

That's according to the "Global AI Software Forecast 2022" from Forrester Research. "Cybersecurity is the fastest AI software growth category, with a focus on the real-time monitoring of and response to attacks," the report states. The next two categories, customer and human capital management (22%) and process optimization, knowledge, and data intelligence (18.3%), also have cybersecurity elements, so the impact on security tool makers could be even more significant.

This comports with the emphasis companies have placed on their AI-enhanced software and services. For example, credit behemoth Visa revealed it has spent a half-billion dollars on data analytics and AI in the past five years. It's using those tools, along with conventional cybersecurity measures, to keep the fraud rate at what Visa calls historic lows despite e-commerce growth.

Organizations can deploy AI for cybersecurity anywhere there's repetitive actions and expected behavior, including attack surface management, extended detection and response (XDR), and user and entity behavior analytics (UEBA). Forrester calls out SentinelOne as a prime example of an XDR success story, pointing out the company's 120% year-over-year revenue growth in fiscal 2022. In March, SentinelOne added identity threat detection and response to its platform when it acquired Attivo Networks.

An AI tool can learn what normal activity from a particular device or account is and then flag when that endpoint is acting outside of the norm. Such automated detection is invaluable, considering the impossibility of staffing sufficiently to have human eyes watching every part of the network. And researchers are finding ways to apply large language models like GPT-3 to practical tasks, such as tracing networks of exploit forums. To provide some perspective on such developments, Dark Reading released a report in September, "How Machine Learning, AI & Deep Learning Improve Cybersecurity," about how to assess a vendor's AI claims and define its success criteria.

One hitch in AI's gallop is the challenge of setting up a system so that it flags what is necessary for human analysts to assess without creating alert fatigue. A survey earlier in 2022 revealed that almost half (46%) of IT security staff said their AI systems created too many false-positive alerts for them to address. An optimist would see the false-positive problem as an opportunity for growth, however, opening up a new market for fine-tuning services.

For more insights, visit the Forrester Research blog entry about the report.

Cybersecurity Will Account for Nearly One-Quarter of AI Software Market Through 2025

Current and former employees and members are being offered complimentary credit monitoring and
identity protection services as some personal information may have been accessed.

**ATLANTA, Oct. 7, 2022 /PRNewswire/** — The State Bar of Georgia announces that it  
experienced a cybersecurity incident that resulted in unauthorized access to its  
systems. Since learning of the incident, the State Bar worked to restore its  
systems safely and resume normal operations.

The State Bar investigated the incident, and a third-party cybersecurity firm  
was engaged to assist in that investigation. Law enforcement and regulators were  
notified. The investigation revealed that an unauthorized person gained access  
to the State Bar systems. Through its investigation, the State Bar determined  
that some personal information of its current and former employees as well as  
its members may have been subject to unauthorized access. Although the State Bar  
had security protocols and technology in place to help prevent unauthorized  
access, the unauthorized person was able to evade some of these defenses. The  
State Bar determined that the following personal information may have been  
accessed by an unauthorized person during the incident: name, address, date of  
birth, Social Security number, driver's license number, direct deposit  
information, or name change information.

The State Bar understands the concern this incident may cause for individuals  
whose personal information was involved. As a result, current and former  
employees and members are being offered complimentary credit monitoring and  
identity protection services through TransUnion. These identity protection  
services include credit bureau monitoring and $1,000,000 in identity theft  
insurance. For more information on TransUnion, including instructions on how to  
activate the complimentary membership, as well as some additional steps  
individuals may take to protect their personal information, please visit the  
State Bar website and look for the link to "Cybersecurity Incident":  
https://www.gabar.org/ . The deadline to enroll in the complimentary monitoring program is Jan. 31, 2023.

The State Bar encourages everyone to remain vigilant by reviewing their account  
statements and credit reports for any unauthorized activity. If individuals see  
charges or activity they did not authorize, please contact the relevant  
financial institution or the credit bureau reporting the activity immediately.

The State Bar has established a dedicated call center to help answer any  
questions customers may have about the incident or how to sign up for these  
services. Please call (844) 565-0052, Monday through Friday, between 8:00 a.m.  
and 8:00 p.m. Eastern Time (excluding major U.S. holidays) for more information.

The State Bar regrets any inconvenience or concern this incident may have caused  
and looks forward to continuing to serve its members. The State Bar takes its  
responsibility to safeguard the information entrusted to it seriously. Since  
learning of this incident, the State Bar has enhanced its security protocols and  
technology to prevent unauthorized access to its systems.

**About the State Bar of Georgia**

The State Bar of Georgia exists to foster among the members of the Bar of the  
State of Georgia the principles of duty and service to the public; to improve  
the administration of justice; and to advance the science of law. All persons  
authorized to practice law in the State of Georgia are required to be members.  
The State Bar has strict codes of ethics and discipline that are enforced by the  
Supreme Court of Georgia through the State Bar's Office of the General Counsel.  
Membership license fees and other contributions help the State Bar provide  
programs that are mutually beneficial to its members and the public.

**SOURCE:** State Bar of Georgia

State Bar of Georgia Notifies Members and Employees of Cybersecurity Incident

The bug is under active exploitation; Fortinet issued a customer advisory urging customers to apply its update immediately.

UPDATE

A Fortinet bug disclosed last week is now under active exploitation. 

Fortinet on Friday warned that users of its FortGate firewall and FortiProxy Web proxies should apply the latest updates to their products ASAP due to a critical vulnerability that could allow an attacker to bypass authentication to the products' administration interfaces. 

On Monday, the security firm updated the advisory to note that it's now aware of instances of the bug being exploited in the wild.

An exploit would in effect give an attacker administrative control of the network devices. The flaw, CVE-2022-40684, affects FortiOS versions 7.0.0 to 7.06 and 7.20 to 7.2.1, and FortiProxy versions 7.0.0 to 7.0.6 and 7.2.0, and could allow an attacker to use "specially crafted HTTP or HTTPS requests" to execute admin operations, according to Fortinet.

"Due to the ability to exploit this issue remotely Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," Fortinet said in its advisory, which was cited on Twitter.

SANS Internet Storm Center (ISC), which reported the advisory, provided additional advice: "If you have Fortinet products managed by a 3rd party, we also recommended you to cross-check with them to ensure the upgrade will be performed," SANS Interior Storm Center handler Xavier Mertens said in a post in the ISC Diary.

“We are committed to the security of our customers. Fortinet recently distributed a PSIRT advisory (FG-IR-22-377) that details mitigation guidance for customers and recommended next steps," according to a Fortinet media statement. "We continue to monitor the situation and have been proactively communicating to customers, strongly urging them to immediately follow the guidance provided in connection with CVE-2022-40684.”  

**_This article was updated at 2 p.m. on Oct. 10 to include information on the bug's active exploitation in the wild, and at 11 a.m. Oct. 11 to include Fortinet's media statement._**

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading