Survey of over 2,000 IT pros revealed that a quarter either don't know or don't think Microsoft 365 data can be affected by ransomware.

PITTSBURGH, Sept. 26, 2022 /PRNewswire/ -- Nearly a quarter of businesses have suffered a ransomware attack, with a fifth occurring in the past 12 months, according to a latest annual report from cybersecurity specialist Hornetsecurity.

The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with one in five (20%) attacks happening in the last year.

**Hornetsecurity**

Cyberattacks are happening more frequently. Last year's ransomware survey revealed one in five (21%) companies experienced an attack; this year it rose by three percent to 24%.

Hornetsecurity CEO, Daniel Hofmann said: _"Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world."_

Microsoft 365 users targeted by attackers  
The 2022 Ransomware Report highlighted a lack of knowledge on the security available to businesses. A quarter (25%) of IT professionals either don't know or don't think that Microsoft 365 data can be impacted by a ransomware attack.

Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organization admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.

Hofmann added: _"Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can back up their Microsoft 365 data securely and protect themselves from such attacks."_

Lack of business preparedness  
Industry responses showed the widespread lack of preparedness from IT professionals and businesses. There has been an increase in businesses not having a disaster recovery plan in place if they do succumb to the heightened threat of a cyberattack.

In 2021, 16% of respondents reported having no disaster recovery plan in place. In 2022, this grew to 19%, despite the rise in attacks.

The survey also showed that more than one in five businesses (21%) that were attacked either paid up or lost data. Hackers have an incentive to run these ransomware attacks because there's a decent chance that they'll get a payday - 7% of IT professionals whose organization was attacked paid the ransom, while 14% admitted that they lost data to an attack.

Hofmann concluded: _"Interestingly, 97% of pros are moderately to extremely confident in their primary protection method, even if they don't use many of the most effective security measures available, such as immutable storage and air-gapped off-site storage. This tells us that more education is needed in the field, and we're committed to this cause."_

**Next steps for IT Pros**  
Read more about Hornetsecurity's Ransomware Attacks Survey.

These findings will directly influence an educational webinar on October 5, **Ransomware Attack Survey: One Year Later**. Colin Wright, Hornetsecurity VP of EMEA and Andy Syrewicze, Microsoft MVP will break down the results of this survey and explore the current trends, threats, and news from the industry. Register for the ransomware attack webinar here.

**About Hornetsecurity Group**

Hornetsecurity is the leading security and backup solution provider for Microsoft 365. Its flagship product is the most extensive cloud security solution for Microsoft 365 on the market, providing robust, comprehensive, award-winning protection: Spam and virus filtering, protection against phishing and ransomware, legally compliant archiving and encryption, advanced threat protection, email continuity, signatures and disclaimers. It's an all-in-one security package that even includes backup and recovery for all data in Microsoft 365 and users' endpoints.

Hornetsecurity Inc. is based in Pittsburgh, PA with other North America offices in Washington D.C. and Montreal, Canada. Globally, Hornetsecurity operates in more than 30 countries through its international distribution network. Its premium services are used by 50,000+ customers including Swisscom, Telefónica, KONICA MINOLTA, LVM Versicherung, and CLAAS.

Ransomware Attacks Continue Increasing: 20% of All Reported Attacks Occurred in the Last 12 Months - New Survey

Call it cross-border enlightened self-interest: As one of the US's premier trade partners and closest neighbors, what's bad for Mexico is bad for the US.

In August 2020, the US and Mexico established a working group and conducted a first-of-its-kind dialogue regarding mutual cybersecurity concerns. While the two countries have been partnering to counter illicit drug trafficking for decades, only recently has real progress been made related to cybersecurity, as described in the State Department's recent joint statement. Given the evolving threat landscape in recent years, it is remarkable it has taken so long for this partnership to mature. What may be quicker to evolve is the private sector's reaction to this new partnership as cybersecurity service providers recognize this bilateral cooperation as a lucrative commercial opportunity.

**Reliance on Cross-Border Critical Infrastructure**

Perhaps the most significant strategic focus of this collaboration is the commitment to strengthening coordination and response to cyber incidents affecting critical infrastructures. Mexico and the US share interdependent economies, as well as the risk of closely related critical infrastructure. Mexico consistently ranks among the top trade partners for the US and in 2021 supplied 8% of US oil (by comparison, Saudi Arabia provided 5%), according to the US Energy Information Administration. US dependency on Mexican oil would thus, naturally, justify the protection and security of that resource as a US national security interest.

Similar to the US's own Colonial Pipeline compromise in 2021, Pemex (Mexico's state-owned petroleum company) experienced a ransom event in 2019. Fortunately, the Pemex incident did not result in the same disruption to services as the Colonial matter did. Pemex's incident does highlight that Mexico's infrastructure is a target and that it is also vulnerable. Though the Pemex incident did not make significant waves for the US, a more significant incident could cause far greater economic consequences for Mexico and the US alike.

**Benefits of Closing Vulnerabilities as Trade Partners**

As one of the US's premier trade partners and boundary sharing geographic neighbors, what is bad for Mexico is bad for the US. Be it in telecom, the financial sector, or any aspect of critical infrastructure and key resources, a disruption in Mexico would likely cross over and impact the US. One of the most effective and self-beneficial ways for the US to protect against this is to invest in Mexico's cybersecurity capabilities. In many cases, nation-state offensive operations view Mexico as a less secure technological gateway into targeting the US. The relatively weak cybersecurity posture in Mexico enables criminals to either exploit entities there or use compromised systems as proxies to target US entities.

Mexico is also seeing an increase in overseas factories relocating and setting up production within its borders. The Chinese in particular view this as a strategic advantage as it reduces their overall cost in shipping expenses as well as export tariffs. Chinese investment in this way will undoubtedly require additional bandwidth, expansion of IT related infrastructure, and efficient connectivity back to China. Aside from its implications to US national security, Mexico's cybersecurity capabilities and related infrastructure will need to mature to keep pace with this industrial and economic development.

With growing, increasingly complex internal cyber demands, Mexico is likely incapable of meeting these needs on its own and would benefit from able and experienced partners. US investment, both from the government and private sector, in Mexico is more a matter of investing in US interests, yielding benefits both economically and security-wise.

The US would be served well if it benchmarked the mission and vision of the Cybersecurity and Infrastructure Security Agency (CISA) and invested in Mexico's ability to "understand, manage, and reduce risk" to Mexico’s cyber and physical infrastructure. The near-term security priorities investment should be maturing capability delivery, vulnerability management, and cyber-defense education, and training. 

Additionally, forward-thinking cybersecurity vendors will undoubtedly see this opportunity as a chance to capitalize on private sector demand, and possibly government contracts as well. It should come as no surprise if the industry sees a flurry of activity around establishing capabilities and resources to serve the market in Mexico. And by treating Mexico's cybersecurity posture as important as countering illicit drugs, the US will enhance its own security in the long run.

Why the US Should Help Secure Mexican Infrastructure — and What It Gets in Return

Literacy, levels of personal freedom, and other macro-social factors help determine how strong average passwords are in a given locale, researchers have found.

When it comes to choosing passwords, it turns out that a person's country of residence has an impact on the strength of their choice.

Researchers from GoSecure have uncovered four primary macro-social factors that strongly correlate to positive password performance (measured by the time it takes to crack the credential, in seconds). Those are:

*   Level of human rights in-country and its degree of free society;
*   Literacy level of a population;
*   Country's placement in the Global Cybersecurity Index (GCI); and
*   Level of data-breach exposure and victimization.

    

Source: GoSecure

"Countries have an impact on the level of protection of their users," according to the report, released this week. "A user’s country of origin and/or residence necessarily has an impact on their social identity. It means that our social identity, which can be influenced by several levels (e.g., macro and micro), might have an impact on password choice."

**4 Correlations of Society's Impact on Password Performance**

To arrive at these conclusions, the researchers started with the mean time needed to crack the 200 most common passwords by country, as determined by NordPass. According to the most recent data set (last November), the mean time to crack passwords globally is about 9.6 hours, spanning a range from 0 hours to more than 10 years. That said, the majority of passwords (61%) included in the list can be cracked in less than a minute, according to the findings, which dovetail with other analysis.

GoSecure then took this dataset and cross-referenced it with 29 different social variables, eventually finding that four of them were strongly correlated indicators of password strength.

**1\. Support for Civil Society**

Interestingly, the level of democracy and freedom within a country posed a strong correlation to password strength, the firm found.

"Countries in which citizens participate in selecting their government and have freedom increase password strength performance," according to GoSecure researcher Andréanne Bergeron, writing in the analysis. "This might be explained by the fact that democratic countries also have greater access to the Internet."

The firm used Voice & Accountability as a cross-referenced data point, which is one of six components of governance indicators as stipulated by the World Bank. Voice & Accountability reflects perceptions of the extent to which a country’s citizens are able to participate in selecting their government, as well as freedom of expression, freedom of association, and a free media.

"Since the Internet is synonymous with access to information and freedom, undemocratic countries are resistant to the widespread use of Internet by their citizens," Bergeron said. "When the Internet is widely accessible, people learn how to use it and structures can be developed."

**2\. Basic Education**

Literacy is a predictive benchmark for better password practices because it's directly connected to the use of technologies and the ability to educate oneself, according to GoSecure. When a user’s level of cybersecurity knowledge increases, their cybersecurity behaviors improve. The firm cross-referenced publicly available data on literacy rates with the password-cracking data to bear this out.

"To seek, evaluate, and use information found on the Internet, users must navigate via largely text-based menus and links, as well as reading large volumes of text," Bergeron said. "The challenges faced by low-literacy users when creating and managing passwords are documented and research indicates that they are more prevalent than in the literate population."

**3\. Global Cybersecurity Index**

Unsurprisingly, the level of government commitment to and funding in cybersecurity also matters. Bergeron said, "The commitment of countries to fight against online crime is beneficial economically. The present analysis goes further suggesting this type of investment predicts better password strength performance."

Researchers found the correlation by cross-referencing the ITU's Global Cybersecurity Index (GCI) with the NordVPN numbers. The GCI is a comprehensive measure of the cybersecurity commitment of individual countries, gleaned from 25 indicators across five pillars (Legal Measures, Technical Measures, Organizational Measures, Capacity Development, and Cooperation).

**4\. Cybersecurity Exposure Index**

It makes sense that people might be more sensitive to the importance of protecting data with strong passwords when they are exposed to more cybersecurity incidents — in fact, GoSecure noted that the level at which countries are targeted (as determined by the Cyber Exposure Index) had the strongest correlation to better password hygiene in its analysis.

The CEI is based on data about sensitive disclosures, exposed credentials, and hacker-group activity against companies, collected from publicly available sources in the Dark Web and Deep Web and from data breaches.

"Users are aware of the meaning of a data breach, and it influences their behavior and password formation strategies," according to the report. "This demonstrates the resilience of users when they live in a hostile environment."

The Country Where You Live Impacts Password Choices

China-based threat actor used poisoned vSphere Installation Bundles to deliver multiple backdoors on systems, security vendor says.

VMware issued urgent new mitigation measures and guidance on Sept. 29 for customers of its vSphere virtualization technology after Mandiant reported detecting a China-based threat actor using a troubling new technique to install multiple persistent backdoors on ESXi hypervisors.

The technique that Mandiant observed involves the threat actor — tracked as UNC3886 — using malicious vSphere Installation Bundles (VIBs) to sneak their malware onto target systems. To do so, the attackers required admin-level privileges to the ESXi hypervisor. But there was no evidence that they needed to exploit any vulnerability in VMware's products to deploy the malware, Mandiant said.

**Wide Range of Malicious Capabilities**

The backdoors, which Mandiant has dubbed VIRTUALPITA and VIRTUALPIE, enable the attackers to carry out a range of malicious activities. This includes maintaining persistent admin access to the ESXi hypervisor; sending malicious commands to the guest VM via the hypervisor; transferring files between the ESXi hypervisor and guest machines; tampering with logging services; and executing arbitrary commands between VM guests on the same hypervisor.

"Using the malware ecosystem, it is possible for an attacker to remotely access a hypervisor and send arbitrary commands that will be executed on a guest virtual machine," says Alex Marvi, a security consultant at Mandiant. "The backdoors Mandiant observed, VIRTUALPITA and VIRTUALPIE, allow attackers interactive access to the hypervisors themselves. They allow attackers to pass the commands from host to guest." 

Marvi says Mandiant observed a separate Python script specifying which commands to run and which guest machine to run them on.

Mandiant said it was aware of fewer than 10 organizations where the threat actors had managed to compromise ESXi hypervisors in this manner. But expect more incidents to surface, the security vendor warned in its report: "While we noted the technique used by UNC3886 requires a deeper level of understanding of the ESXi operating system and VMware's virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities."

VMware describes a VIB as a "collection of files packaged into a single archive to facilitate distribution." They are designed to help administrators manage virtual systems, distribute custom binaries and updates across the environment, and create startup tasks and custom firewall rules on ESXi system restart.

**Tricky New Tactic**

VMware has designated four so-called acceptance levels for VIBs: VMwareCertified VIBs that are VMware created, tested, and signed; VMwareAccepted VIBs that are created and signed by approved VMware partners; PartnerSupported VIBs from trusted VMware partners; and CommunitySupported VIBs created by individuals or partners outside the VMware partner program. CommunitySupported VIBs are not VMware- or partner-tested or supported.

When an ESXi image is created, it is assigned one of these acceptance levels, Mandiant said. "Any VIBs added to the image must be at the same acceptance level or higher," the security vendor said. "This helps ensure that non-supported VIBs don't get mixed in with supported VIBs when creating and maintaining ESXi images." 

VMware's default minimum acceptance level for a VIB is PartnerSupported. But administrators can change the level manually and force a profile to ignore minimum acceptance level requirements when installing a VIB, Mandiant said.

In the incidents that Mandiant observed, the attackers appear to have used this fact to their advantage by first creating a CommunitySupport-level VIB and then modifying its descriptor file to make it appear that the VIB was PartnerSupported. They then used a so-called force flag parameter associated with VIB use to install the malicious VIB on the target ESXi hypervisors. Marvi pointed Dark Reading to VMware when asked whether the force parameter should be considered a weakness considering that it gives administrators a way to override minimum VIB acceptance requirements.

**Operation Security Lapse?**

A VMware spokeswoman denied the issue was a weakness. The company recommends Secure Boot because it disables this force command, she says. "The attacker had to have full access to ESXi to run the force command, and a second layer of security in Secure Boot is necessary to disable this command," she says. 

She also notes that mechanisms are available that would allow organizations to identify when a VIB might have been tampered with. In a blog post that VMWare published at the same time as Mandiant's report, VMware identified the attacks as likely the result of operational security weaknesses on the part of the victim organizations. The company outlined specific ways organizations can configure their environments to protect against VIB misuse and other threats.

VMware recommends that organizations implement Secure Boot, Trusted Platform Modules, and Host Attestation to validate software drivers and other components. "When Secure Boot is enabled the use of the 'CommunitySupported' acceptance level will be blocked, preventing attackers from installing unsigned and improperly signed VIBs (even with the --force parameter as noted in the report)," VMware said.

The company also said organizations should implement robust patching and life-cycle management practices and use technologies such as its VMware Carbon Black Endpoint and VMware NSX suite to harden workloads.

Mandiant also published a separate second blog post on Sept. 29 that detailed how organizations can detect threats like the one they observed and how to harden their ESXi environments against them. Among the defenses are network isolation, strong identity and access management, and proper services management practices.

Mike Parkin, senior technical engineer at Vulcan Cyber, says the attack demonstrates a very interesting technique for attackers to retain persistence and expand their presence in a targeted environment. "It looks more like something a well-resourced state- or state-sponsored threat would use, versus what a common criminal APT group would deploy," he says.

Parkin says VMware technologies can be very robust and resilient when deployed using the company's recommended configurations and industry best practices. "However, things become much more challenging when the threat actor is logging in with administrative credentials. As an attacker, if you can get root you have the keys to the kingdom, so to speak."

Dangerous New Attack Technique Compromising VMware ESXi Hypervisors

Identity verification could be the key to fighting back and building trust in an industry beset with high-stakes fraud.

Business email compromise (BEC) scams are some of the most potent threats to cybersecurity around the globe — and the threat is not letting up anytime soon. While ransomware attacks often grab the headlines, BEC scams are just as pervasive. Cybercriminals carry out BEC scams by "either spoofing an email account or website, sending spear-phishing emails, or using malware," according to the FBI.

Real estate is one of the industries significantly hit by BEC scams. Data from the FBI's Internet Crime Report 2021 revealed that "about 13,638 people were victims of wire fraud in the real estate and rental sector in 2020 — a 17% increase over 2019 — with losses of over $213 million." As a result, real estate and rental wire fraud were ranked No. 7 out of over 30 types of fraud monitored and reported by the IC3.

Another report, by the National Association of Realtors, showed that the real estate industry saw $6.9 billion in victim losses in 2021, with more than an estimated 2,300 average complaints daily. Undoubtedly, real estate wire fraud is one of the most common types of cybercrimes in the US today.

There are several reasons why BEC scams work. Tyler Adams, CEO and co-founder of Texas-based SaaS platform CertifID, recently discussed with Dark Reading three major ones and how to get ahead of them.

**1\. Information on Real Estate Transactions Is Public**

Whether they are targeting Fortune 500 companies or small real estate offices, BEC scam actors gather information to soften the target and make it more vulnerable to attacks. Usually, BEC scam victims receive a spoofed email on behalf of a party involved in a real estate transaction, with instructions directing them to change a payment type or location to a fraudulent account. Once the funds are deposited, they're rapidly withdrawn, making recovery difficult or impossible.

According to Adams, a major reason why attackers can successfully gather information on their targets is because all the information for real estate transactions is public.

"With a simple search online, you can see every house that's for sale, who the real estate agent is — and sometimes the seller themselves — and even the title/escrow companies that service the local market," he said.

Adams noted that information like the one above leads to targeted phishing attacks that result in BEC. "This makes it easy for fraudsters to impersonate mortgage lenders as part of a real estate closing, in hopes of having the payoff wire transfer redirected to the fraudster's bank account," he said.

In addition, the two parties involved in real estate transactions are expected to trust each other, and there's often a lot of information divulged in that process. Malicious actors exploit that trust by weaponizing the public information against unsuspecting businesses and individuals.

**2\. Many Communications Are Electronic**

Adams pointed out that lots of different people communicate electronically in the real estate industry. The average real estate transaction has six different people or parties, all communicating electronically to align on the details of the closing and transfer of funds, he noted. This often presents several loopholes that threat actors can exploit.

One of the ways attackers leverage electronic communications in real estate is through impersonation, Adams said.

"Sometimes it's realtor impersonation — such as a first-time home buyer getting an email from what appears to be their real estate agent but is instead a fraudster with details for where and when to send the money," Adams said. "Oftentimes it's lender impersonation."

He noted that a common fraud is impersonating a mortgage lender, fooling a buyer into sending their wire transfer to the scam artist instead of their lender.

**3\. Transactions Are Temptingly Big**

The payday for fraudsters is huge, Adams said. Measured by revenue, the market size of the US real estate sales and brokerage industry is $226.8 billion in 2022 alone, according to research firm IbisWorld. That's a per-year average growth of 4.9% from 2017 to 2022, the report states. The large volume of daily transactions in real estate makes the industry a juicy target for attackers.

This is why one of CertifID's major areas of practice is the small and midsize business (SMB) space, according to Adams. SMBs often lack the infrastructure to effectively monitor the daily volume of real estate transactions and the resources to recover from an incident when it occurs.

"There are millions of small and medium-sized businesses all across the United States that don't know how to leverage advanced API-based platforms to stay protected against cyberthreats. And one payoff from any of these cybercrimes can put such companies out of business," he said.

**Restoring Trust by Verifying Identity**

CertifID says it has developed the technology and expertise needed to track how money moves across the real estate industry, with the aim to restore trust in the industry. In an intricate system that involves knowing all the parties involved in every transaction, it's essential to prioritize identity verification, Adams said.

"If we're going to do a transfer transaction, we've got to know that you are who you say you are, because if you're at all being impersonated, then we can't trust any of the information," he says.

CertifID says its PayoffProtect product validates mortgage payoff wiring instructions, authenticating parties and bank wire information in real estate transactions. Its broader platform addresses the specific needs of real estate agents, title agents, and law firms.

Trust is one of the cardinal points in the real estate industry. Every single home that's for sale is online, and attached to it is a real estate agent who has a phone number and email address. They want to be contacted by as many people as possible because they want to sell that home, and they don't know whether a buyer is legit or a fraudster.

"Given real estate transactions are a fertile ground for BEC, and the impact these frauds have on the livelihoods of individuals and businesses, we'll continue to support this industry until we've made a significant impact in the fight against fraud," Adams said.

3 Reasons Why BEC Scams Work in Real Estate

2,700 cybersecurity career pursuers have already passed the (ISC)2 Certified in Cybersecurity℠ exam, with more than 53,000 more people registered for a free course and exam.

ALEXANDRIA, Va., Sept. 29, 2022 /PRNewswire/ — (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced the rapid adoption of three initiatives aimed at addressing the cybersecurity workforce gap. (ISC)2 Candidates, (ISC)2 Certified in CybersecuritySM and (ISC)² One Million Certified in Cybersecurity are significant milestones in making cybersecurity careers more accessible to more people around the world.

One month after announcing (ISC)2 Candidates, launching Certified in Cybersecurity and opening enrollment for One Million Certified in Cybersecurity:

*   **55,000 individuals have signed up for (ISC)2 Candidates,** which is for individuals pursuing or considering a career in cybersecurity, or already seeking an (ISC)² certification. Upon enrolling as an (ISC)² Candidate, participants receive access to exclusive resources and benefits to propel them along their journeys to becoming cybersecurity professionals.
*   **2,700 people have passed their Certified in Cybersecurity exams**. Anyone earning the (ISC)² Certified in Cybersecurity certification demonstrates that they have the foundational knowledge, skills and abilities to take on entry- and junior-level cybersecurity roles, enabling employers to more confidently build resilient teams across all experience levels.
*   Through the **One Million Certified in Cybersecurity initiative,** **53,000 more people have enrolled** for a free Certified in Cybersecurity course and exam. This initiative pledges to provide free, entry-level cybersecurity certification exams and self-paced educational program courses to **one million new professionals starting a career in cybersecurity**.

**New Roads to Cybersecurity Career Success  
**Through these initiatives, tens of thousands of people have established or strengthened their connection with the cybersecurity community in just the past month, highlighting the importance of creating new and diverse pathways into the industry.

"These initial successes demonstrate that our efforts have already made a positive impact in opening new and unique pathways into the cybersecurity industry," said Clar Rosso, CEO, (ISC)². "They have also enabled us to expand our association which now reaches over a quarter of a million members, associates and candidates worldwide. It is exciting to see how targeted programs aimed at getting more people exposed to the cybersecurity profession can quickly lay the foundation for the next generation and not only help secure our nations and economies, but also enable them to benefit from rewarding and challenging careers."

"I'm switching career paths to move into cybersecurity," said Eric Turner, Systems Integration Developer, MSD of Warren Township. "The (ISC)2 Certified in CybersecuritySM entry-level certification is another great way to demonstrate my knowledge."

Learn more about these programs at www.isc2.org/candidate

(ISC)² will highlight the importance of diversity and accessibility in cybersecurity at its 12th annual (ISC)² Security Congress conference, a hybrid event taking place on October 10-12, 2022, in Las Vegas and online.

**About (ISC)²**

(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, more than 235,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

(ISC)² Recruits More Than 55,000 Cybersecurity Candidates in First 30 Days of New Programs to Address Workforce Gap

Capital One lures leveraged the bank's new partnership with Authentify, showing that phishers watch the headlines, and take advantage.

A recent phishing campaign exploits Capital One's new partnership with verification service Authentify, sending thousands of scam emails to the bank's customers to try and trick them into uploading images of their identification cards. 

The emails appear to be sent from a Capital One corporate account, and explain what the Authentify authentication app does, according to researchers at Vade who have been tracking the campaign since July 1. To provide an idea of the volume of scam emails being launched at customers, Vade reported that, at one point, the attackers sent out at least 6,000 in one day. 

"You are required to provide any copy of your ID for verification and to ensure that you are fully enrolled to avoid account restrictions now," the phishing email read. 

Vade noted that, unlike most other campaigns targeting credentials, this Capital One phishing scam was after identities. 

**Phishers Watch the News**

The timing of the campaign shows cybercriminals are acutely aware of news items they can use to help sell their latest scams to victims, the Vade report said, adding that on the same day Capital One announced it would be working with Authentify, six other financial organizations, including Bank of America, PNC Bank, Wells Fargo, and other household brands, announced similar deals. 

These phishing attacks represent a larger trend of threat actors co-opting financial services brands to use as phishing lures for the cybercrimes, Vade added. Currently, financial services brands are the most spoofed, making up a full 34% of all phishing URLs during the first quarter of 2022, according to Vade's analysis. 

"We anticipate this trend to continue and urge users to be suspicious of both emails from financial institutions and also third-party applications associated with those institutions," read the report. "Always operate under the assumption that both can be spoofed and always login to accounts directly from a browser or application and not from email."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Capital One Phish Showcases Growing Bank-Brand Targeting Trend

APT group Witchetty (aka LookingFrog) has exploited the ProxyShell and ProxyLogon vulnerabilities to gain initial access and deploy new custom cyber tools against government agencies and a stock exchange.

An emerging cyber-espionage threat group has been hitting targets in the Middle East and Africa with a novel backdoor dubbed "Stegmap," which uses the rarely seen steganography technique to hide malicious code in a hosted image.  

Recent attacks show the group — called Witchetty, aka LookingFrog — fortifying its tool set, adding sophisticated evasion tactics, and exploiting known Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon. Researchers from Symantec Threat Hunter observed the group installing webshells on public-facing servers, stealing credentials, and then spreading laterally across networks to propagate malware, they revealed in a blog post published Sept. 29.

In attacks between February and September, Witchetty targeted the governments of two Middle Eastern countries and the stock exchange of an African nation in attacks that used the aforementioned vector, they said.

ProxyShell is comprised of three known and patched flaws — CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 — while ProxyLogon is comprised of two, CVE-2021-26855 and CVE-2021-27065. Both have been exploited widely by threat actors since they were first revealed in August 2021 and December 2020, respectively — attacks that persist as many Exchange Servers remain unpatched.  

Witchetty's recent activity also shows that the group has added a new backdoor to its arsenal, called Stegmap, which employs steganography — a stealthy technique that stashes the payload in an image to avoid detection.

**How the Stegmap Backdoor Works**

In its recent attacks, Witchetty continued to use its existing tools, but also added Stegmap to flesh out its arsenal, the researchers said. The backdoor uses steganography to extract its payload from a bitmap image, leveraging the technique "to disguise malicious code in seemingly innocuous-looking image files," they said.

The tool uses a DLL loader to download a bitmap file that appears to be an old Microsoft Windows logo from a GitHub repository. "However, the payload is hidden within the file and is decrypted with an XOR key," the researchers said in their post.

By disguising the payload in this way, attackers can host it on a free, trusted service that is far less likely to raise a red flag than an attacker-controlled command-and-control (C2) server, they noted.

The backdoor, once downloaded, goes on to do typical backdoor things, such as removing directories; copying, moving, and deleting files; starting new processes or killing existing ones; reading, creating, or deleting registry keys, or setting key values; and stealing local files.

In addition to Stegmap**,** Witchetty also added three other custom tools — a proxy utility for connecting to command-and-control (C2), a port scanner, and a persistence utility — to its quiver, the researchers said.

**Evolving Threat Group**

Witchetty first caught the attention of researchers at ESET in April. They identified the group as one of three subgroups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10) that typically targets US-based utilities as well as diplomatic organizations in the Middle East and Africa, the researchers said. The other subgroups of TA410, as tracked by ESET, are FlowingFrog and JollyFrog.

In initial activity, Witchetty used two pieces of malware — a first-stage backdoor known as X4 and a second-stage payload known as LookBack — to target governments, diplomatic missions, charities, and industrial/manufacturing organizations.

Overall, the recent attacks show the group emerging as a formidable and savvy threat that combines a knowledge of enterprise weak spots with its own custom tool development to take out "targets of interest," the Symantec researchers noted.

"Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organization," they wrote in the post.  

**Specific Attack Details Against Government Agency**

Specific details of an attack on a government agency in the Middle East reveal Witchetty maintaining persistence over the course of seven months and dipping in and out of the victim's environment to perform malicious activity at will.

The attack started on Feb. 27, when the group exploited the ProxyShell vulnerability to dump the memory of the Local Security Authority Subsystem Service (LSASS) process — which in Windows is responsible for enforcing the security policy on the system — and then continued from there.

Over the course of the next six months the group continued to dump processes; moved laterally across the network; exploited both ProxyShell and ProxyLogon to install webshells; installed the LookBack backdoor; executed a PowerShell script that could output the last login accounts on a particular server; and attempted to execute malicious code from C2 servers.

The last activity of the attack that researchers observed occurred on Sept. 1, when Witchetty downloaded remote files; decompressed a zip file with a deployment tool; and executed remote PowerShell scripts as well as its custom proxy tool to contact its C2 servers, they said.

Espionage Group Wields Steganographic Backdoor Against Govs, Stock Exchange

Bugs in Canon Medical's Virea View could allow cyberattackers to access several sources of sensitive patient data.

Canon Medical's Vitrea View is a widely used tool for securely sharing medical images between radiologists, physicians, and other healthcare providers on a patient care team. Two newly discovered vulnerabilities (collectively tracked as CVE-2022-37461) could allow threat actors to access much more than X-rays.   

One flaw is an unauthenticated reflected cross-site scripting (XSS) in an error message, according to a new report from Trustwave's SpiderLabs. Jordan Hedges, the threat researcher behind the finds, said the second is a separate Reflected XSS in the Vitrea View admin panel. 

"If exploited, these vulnerabilities could be used to retrieve patient information, stored images, or scans, and modify information, depending on privileges used during the session," Hedges wrote in a Thursday analysis. "Sensitive information and credentials for various services integrated with Vitrea View could be accessed, as well."

The Vitrea View meets international Digital Imaging and Communications in Medicine (DICOM) standards, the report notes, and thus integrates with many other things.

“Vitrea View is used to centralize potentially multiple sources and solutions for medical imaging, including X-Rays, MRIs, CRT scans, 3D imaging, etc.," Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells Dark Reading. 

He added, "The images are also associated with a patient’s records, so these vulnerabilities means that there could potentially be a wealth of information that might be exfiltrated (damaging a patient’s confidentiality) or modified (swapping a patient’s medical images with another, deleting records, or potentially modifying patient information directly).”

The XSS medical imaging vulnerabilities were submitted to Canon Medial and a patch has been released. Hedges recommends organizations running the tool apply it immediately.

XSS Flaw in Prevalent Media Imaging Tool Exposes Trove of Patient Data

Organizations looking to get ahead in cloud security have gone down the path of deploying CSPM tooling with good results. Still, there’s a clear picture that data security and security operations are next key areas of interest.

As an industry, we're now at a point where we don't have to convince anyone that we have a massive digital dependence on cloud technologies and that securing cloud deployments is a key initiative for most organizations. There is widespread availability of cloud security posture management (CSPM) tooling — commercial- and community-driven alike — and CSPM itself is being incorporated into new tooling coming under the heading of cloud-native application protection platforms (CNAPP).

Many cloud security conversations focus primarily on making sure clouds are configured properly, but there is much more to cloud security than that. Much like traditional security is much more than patching, there is more to cloud security than configuration.

As we analyze cloud security trends, we recently collected survey data under our Omdia Decision Makers survey and found interesting results that highlight these conclusions.

The figure below plots responses to the question "What are your top concerns in relation to cloud security?" The bars on the left show the aggregate view (n=186). We can clearly see a major concern with cost of security tooling, then other concerns aggregated together, including security tooling functionality, responding to events, data security, and others.

    

That said, we also segmented the population into two groups based on their response to a previous question about how advanced their deployments of CSPM tools were. Our ongoing industry interactions with multiple stakeholders point to CSPM tools as the type of tool most often associated with "cloud security" conversations, so we chose CSPM deployment experience as a proxy for cloud experience. Statistician George Box is famous for saying "all models are wrong, but some are useful," which we think is relevant here; there's no implication of causation, but some interesting variations show up in the response data.

For those that have what we consider "low" experience with cloud security (n=61) by virtue of having CSPM deployments in the pilot or proof-of-concept stage, concerns around cost are even more pronounced, as are concerns about cloud permissions and a slight bump for concerns about compliance.

For those that have more cloud security experience (n=54) — those that responded that they have deployed CSPM in widespread production use —responses shifted significantly. Now, concerns about data security are much more pronounced, as are concerns about how to respond quickly to incidents, with additional notable concerns regarding the ever-present skills gap in terms of cloud technologies.

**Heightened Concerns**

Our interpretation of this data is that customers are indeed seeing value from the CSPM tooling for configurations and compliance, but they now have heightened concerns on data security, security operations, and making sure their teams are skilled in cloud technologies. These concerns are already lurking in the shadows, and once CSPM clears the way of handling the more visible security configuration/compliance concerns, these issues come to the forefront.

The responses uncovered here point to interesting directions for future inquiry. It is increasingly clear that data security presents a key area of concern. What are the ways one gets to data? One way is via direct access to the data stores themselves. This is the provenance of cloud configuration (CSPM) and the increasingly popular DSPM (data security posture management) category. Another is getting access via the very APIs provided by the company; this then leads down a path of paying close attention to API security.

For security operations, the path forward appears to include more considerations about how to incorporate cloud security use cases in SOC response flows. Dubbed cloud detection and response (CDR), this is also a promising area of research that we're watching.

For end users, this means being ready to address these categories soon. For vendors, understand that there is much more to customer demand for cloud security than CSPM — or even CNAPP — alone.

Source

DARKReading