From analyzing your company's risk profile to knowing where keys are stored and who can access them, prioritize key clean-up and management. Make compliance an outcome and develop a risk management strategy.

The stratospheric rise in the number of global cybersecurity attacks cast a floodlight on the critical need to follow best practices with encryption and security in general. Adopting an inside-out mindset is one thing; putting it into practice is another.

To assist, the team at Cryptomathic has compiled a list of five key pointers to better cryptographic key management to help organizations jumpstart the journey.

**Tips for Better Cryptographic Key Management**

**1\. Start with really good keys — and an inventory scan.** Without a doubt, the most important thing you can do is make sure that your organization is using high-quality keys. If you don't use good keys, what's the point? You're building a house of cards.

Creating good keys requires knowing where the keys come from and how they were generated. Did you create them on your laptop or with a pocket calculator, or did you use a purpose-built tool designed specifically for the job? Do they have enough entropy? From generation, to usage, to storage, the keys should never leave the secure boundaries of a hardware security module (HSM) or a similar device.

Chances are, your organization is already using keys and certificates — do you know where they reside? Who has access to them and why? Where are they stored? How are they managed? Create an inventory of what you have and then start to prioritize the clean-up and centralization life cycle management for those keys, certificates, and secrets.

**2\. Analyze your entire risk profile across your whole environment.** You can create the most brilliant, thorough, and comprehensive cybersecurity strategy, but ultimately, it will only be successful if everyone in your organization buys in and complies with it. That's why it's important to develop a risk management strategy with input from representatives from across the business. Include compliance and risk people from the beginning to keep the process honest. For the security processes and protocols to be meaningful, they must include everyone from IT people to the business units who bring use cases and can go back and explain to their peers why the security steps are necessary.

**3\. Make compliance an outcome, not the ultimate objective.** This might sound counterintuitive, but hear me out. Even though compliance is incredibly important, there's an inherent risk to using regulatory compliance as the sole driver of your strategy. When systems are designed to simply tick the boxes on a regulatory checklist, organizations miss the broader, more important point: to design and build for better security.

Instead, use regulations and security standards as a guideline for the minimum set of requirements and then make sure that your efforts actually address your security and business needs going forward. Don't let compliance be a distraction from the real objective.

**4\. Balance security with usability.** How does security affect usability? Have you created a system that's so secure that it's impractical for most users? It's imperative to find a balance between security and the user experience, and to make sure that the security processes don't hinder people from actually doing their work. For example, multifactor authentication can be a great way to make access more secure, but if it's not implemented correctly, it can cause workflows to break down and efficiency to take a nosedive.

**5\. Be a specialist … that knows when to call an expert.** Key management is serious business and should be treated as such. Someone in your organization should become really proficient at understanding the tools and technology to establish good key management practices at the core of everything your organization does.

At the same time, it's equally important to recognize when you need expert support, like when your organization has too many keys to manage. The National Institute for Standards and Technology (NIST) publishes a huge document that lays out recommendations for everything that should and shouldn't be done to establish good key management practices. Cryptography professionals deep-dive into these recommendations to make sure that the cryptographic tools and key management solutions offered meet these standards. That way, when your organization needs additional support for the key management process, you'll have the framework to evaluate the options and find the expertise you need to secure your assets effectively.

5 Keys to Better Key Management

Instagram and Facebook parent company Meta was slapped with the fine for exposing the personal data of minors.

Following an investigation that began in 2020, Ireland's data privacy regulation agency will reportedly issue Meta a $400 million fine, for mishandling Instagram user data belonging to minors.

The Data Protection Commissioner (DPC) told Reuters the full decision on the Instagram data privacy fine will be released in a few days.

Reuters reported the DPC was looking into the ability of 13-to-17-year-old users to obtain business accounts, exposing their personal information in violation of GDPR data privacy rules. Instagram and Facebook parent company Meta has vowed to appeal, but has since put measures in place to protect under-age users' data.

Last March, the DPC issued a €17 million (US$16.9 million) fine against Meta for noncompliance with GDPR regulations following a series of 12 data breaches.

Reuters added that the draft ruling against Instagram was shared with other European Union regulators, so there could be more fines coming.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meta to Appeal $400M GDPR Fine for Mishandling Teen Data in Instagram

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organizations can afford to lessen their focus on vulnerability patching one bit.

A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts _combined_. And data the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.

Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.

**Exchange Server Flaws Fuel the Exploit Frenzy**

Kaspersky attributed the surge in exploit activity last year as likely tied to the multiple critical Exchange Server vulnerabilities that Microsoft disclosed, including a set of four zero-days in March 2021 known as the ProxyLogon flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). When chained together they allowed attackers to gain complete remote control over on-premises Exchange Servers. 

Attackers — which included organized criminal gangs and state-sponsored groups from China — quickly exploited tens of thousands of vulnerable Exchange Server systems and dropped Web shells on them before Microsoft could issue a patch for the flaws. The vulnerabilities evoked considerable concern because of their ubiquity and severity. They even prompted the US Department of Justice to authorize the FBI to take the unprecedented step of proactively removing ProxyLogon Web shells from servers belonging to hundreds of organizations — in most cases, without any notification.

Also driving the exploit activity in 2021 was another trio of Exchange Server vulnerabilities collectively labeled ProxyShell (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) that attackers used extensively to drop ransomware and in business email compromise (BEC) attacks.

More than a year later, the ProxyLogon and ProxyShell vulnerabilities continue to be targets of heavy exploit activity, says Konstantin Sapronov, head of Kaspersky's Global Emergency Response Team. One of the most severe of these flaws (CVE-2021-26855) has also been the most targeted. Kaspersky observed the vulnerability — part of the ProxyLogon set — being exploited in 22.7% of all incidents involving vulnerability exploits that it responded to in 2021, and the flaw continues to be a favorite among attackers this year as well, according to Sapronov.

**Same Exploitation Trend Likely Playing Out in 2022**

Even though several serious vulnerabilities have surfaced this year — including the ubiquitous Apache Log4j vulnerability (CVE-2021-44228) — the most exploited vulnerabilities of 2021 remain very prevalent in 2022 as well, Sapronov says, even beyond the Exchange server bugs. For instance, Kaspersky identified a flaw in Microsoft's MSHTML browser engine (CVE-2021-40444, patched last September) as the most heavily attacked vulnerability in the second quarter of 2022.

"Vulnerabilities in popular software such as MS Exchange Server and library Log4j have resulted in a huge number of attacks," Sapronov notes. "Our advice to enterprise customers is to pay close attention to patch management issues."

**Time to Prioritize Patching**

Others have noted a similar spike in vulnerability exploit activity. In April, researchers from Palo Alto Networks' Unit 42 threat research team noted how 31%, or nearly one in three incidents, they had analyzed up to that point in 2022 involved vulnerability exploits. In more than half (55%) of those, threat actors had targeted ProxyShell. 

Palo Alto researchers also found threat actors typically scanning for systems with a just-disclosed flaw literally minutes after the CVE is announced. In one instance, they observed an authentication bypass flaw in an F5 network appliance (CVE-2022-1388) being targeted 2,552 times in the first 10 hours after vulnerability disclosure.

**Post-Exploitation Activity is Tough to Spot**

Kaspersky's analysis of its incident-response data showed that in nearly 63% of cases, attackers managed to stay unnoticed in a network for more than a month after gaining initial entry. In many cases, this was because the attackers used legitimate tools and frameworks such as PowerShell, Mimikatz, and PsExec to collect data, escalate privileges, and execute commands. 

When someone did quickly notice a breach, it was typically because the attackers had created obvious damage, such as during a ransomware attack. "It's easy to detect a ransomware attack when your data is encrypted, as services are unavailable, and you have a ransom note on your monitor," Sapronov says.

But when the target is a company’s data, attackers need more time to roam around the victim’s network to collect necessary information. In such cases, attackers act more stealthily and cautiously, which makes these kinds of attacks harder to detect. "To detect such cases, we suggest employing a security tool stack with extended detection and response (EDR)-like telemetry and implement rules for detection of pervasive tools used by adversaries," he says.

Mike Parkin, senior technical engineer at Vulcan Cyber, says the real takeaway for enterprise organizations is that attackers will take any opportunity they can to breach a network. 

"With a range of exploitable vulnerabilities, it’s not a surprise to see an uptick," he says. Whether the numbers are higher for vulnerabilities over socially engineered credential attacks, is hard to say, he notes. 

"But the bottom line is threat actors will use the exploits that work. If there's a new remote code exploit on some Windows service, they’ll flock to it and breach as many systems as they can before the patches come out or firewall rules get deployed," he says.

The real challenge is the long-tail vulnerabilities: The ones that are older, like ProxyLogon, with vulnerable systems that have been missed or are ignored, Parkin says, adding that patching must be a priority.

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

The initial access broker (IAB) for ransomware gangs known as UAC-0098 has targeted Ukrainian organizations in five separate phishing campaigns spanning April to August.

Former members of the Russia-linked Conti ransomware gang are repurposing their tactics to join in with an initial access broker (IAB) that's been targeting Ukraine in a series of phishing campaigns that occurred over a recent four-month span.

Google Threat Analysis Group (TAG) has been tracking recent activity of a group it identifies as UAC-0098, which researchers think now includes former members of the notorious ransomware actor.

As TAG's Pierre-Marc Bureau wrote in a blog post published Wednesday, UAC-0098 — historically known for delivering the IcedID banking Trojan as a prelude to human-operated ransomware attacks — in recent months has acted specifically against Ukrainian organizations, the government of Ukraine, and pro-Ukraine European humanitarian and nonprofit organizations.

The activity's goal has been to sell persistent access into such targets' networks to various ransomware groups, including Quantum and Conti (aka FIN12 or Wizard Spider).

UAC-0098's latest campaigns demonstrate a shift in focus to politically motivated actions, reflecting the group's affiliation with Conti and, unsurprisingly, its support of Russia's military actions against Ukraine, notes Tom Kellermann, CISM and senior vice president of cyber strategy at Contrast Security.

"Conti's recent engagement in the war illustrates not only their patriotism to Russia but their need to pay homage to the regime," he said in an email to Dark Reading.

**Making the Connection**

Google TAG discovered five separate and specific phishing campaigns that occurred from April to August, using tools and tactics previously identified with Conti. Threat actors impersonated several known entities to lure victims into downloading malware using typical phishing tactics to give ransomware groups access for further threat activity.

The first campaign that linked UAC-0098 to Conti caught TAG's attention in late April, when researchers identified attacks delivering AnchorMail, also referred to as "LackeyBuilder." AnchorMail, developed by Conti and previously installed as a Trickbot module, is a version of the Anchor backdoor that uses the simple mail transfer protocol (SMTPS) for command-and-control (C2) communication.

"The campaign stood out because it appeared to be both financially and politically motivated," Bureau wrote in the post. "It also seemed experimental: instead of dropping AnchorMail directly, it used LackeyBuilder and batch scripts to build AnchorMail on the fly."

Researchers also identified UAC-0098 activity in another email campaign that occurred earlier in the month to deliver IcedID and Cobalt Strike as attachments to Ukrainian organizations. This particular initial phase of the group's Conti-linked activity occurred between mid-April to mid-June, and primarily targeted hotels in the Ukraine.

**Other Campaigns**

Another phishing attack occurred on May 11 when UAC-0098 targeted Ukrainian organizations in the hospitality industry with phishing emails impersonating the National Cyber Police of Ukraine. The emails contained a download link urging targets to use it to update their operating systems; the link generated a PowerShell script to fetch and execute IcedID.

On May 17, UAC-0098 used a compromised account of a hotel in India to send phishing emails again to Ukrainian hospitality organizations, researchers said. The emails included an attached .ZIP archive containing a malicious .XLL file that downloaded a variant of IcedID.

On that day, the same compromised account also was used to target humanitarian nongovernmental organizations (NGOs) in Italy, delivering IcedID as an .MSI file through the anonymous file sharing service dropfiles\[.\]me.

Two days later in a fourth separate campaign, UAC-0098 impersonated representatives of Elon Musk and his StarLink satellite service using the address "\[email protected\]\[.\]info" to send phishing emails claiming to deliver software required to connect to the Internet using StarLink satellites. The email included a link to an .MSI installer dropping IcedID, downloaded from the attacker-controlled domain, "starlinkua\[.\]info."

Four days later, a similar attack targeted a wider range of Ukrainian organizations operating in the technology, retail, and government sectors using the same IcedID binary with a file name that resembled a Microsoft update, researchers said.

The last phishing campaign by UAC-0098 uncovered by TAG occurred on May 24, and targeted the Academy of Ukrainian Press with a phishing email containing a Dropbox link to a malicious Excel document. The document directly fetched a Cobalt Strike file from an IP address previously used to deliver IcedID payloads in the campaign against the Italian NGOs on May 17, researchers said.

**Conti's Notorious Past**

Conti, a ransomware group active since late 2019, ceased operations as a formal entity in May. However, its members have carried on its cybercriminal legacy, remaining as active as ever either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.

In its heyday, Conti was known as one of the most dangerous and ruthless ransomware groups in the world; one of its last acts, in fact, so crippled the government of Costa Rica that the country was forced into a state of emergency.

Though linked to Russia, Conti previously had flip-flopped in its support of Russia's invasion of Ukraine, initially showing support on its data leak site early in the conflict before issuing a retraction that condemned "the ongoing war." The group then noted in a statement soon after that it would take "retaliatory measures" if the West launched cyberattacks against Russia or Russian-speaking countries.

The latest alignment with UAC-0098 now appears to show that at least some former members of Conti are backing Russia once more. It also demonstrates a blurring of the lines between financially motivated and government-backed groups in Eastern Europe, "illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," noted TAG's Bureau.

Another group that notably also has turned against Ukraine is Trickbot, which IBM researchers said in July had been systematically attacking Ukrainian targets over the previous three-month period. Trickbot over the years has evolved from a banking Trojan to an initial access broker and a distributor for several ransomware and malware tools, including the Conti and Ryuk ransomwares, and the Emotet Trojan.

Former Conti Ransomware Members Join Initial Access Broker Group Targeting Ukraine

Investment to fuel growth and market presence as demand grows for SaaS' next-generation security tools for managed service providers.

**WILMINGTON, N.C., Sept. 8, 2022 / PRNewswire —** SaaS Alerts, the cybersecurity company purpose-built for managed service providers (MSPs) to protect and monetize their customers' core business SaaS applications, announced today that it has secured a $22 million growth investment from global software investor Insight Partners to accelerate the growth of its SaaS Security monitoring and response platform.

The accelerated rate of SaaS Application adoption by businesses, driven by the need to provide collaboration and productivity tools to remote workforces and for more centralized and tightly controlled business data resources, has elevated awareness and critical concern for major threat vectors and security gaps that exist in SaaS Application security. These security concerns present opportunities for MSPs to better safeguard their clients while offering SaaS security services that drive profitable new revenue streams.

SaaS Alerts was designed to help MSPs monitor and protect their customers' usage of today's most popular SaaS applications such as Microsoft 365, Google Workspace, Salesforce, Dropbox and more — and to safeguard against security threats to a business' SaaS environment such as data theft, data that's at risk due to unintentional employee mishaps and actions taken by bad actors.

"We couldn't be more excited to partner with Insight Partners and we see their investment in SaaS Alerts as a monumental endorsement for what we have built and what we intend to build as we collaborate going forward," said Jim Lippie, CEO of SaaS Alerts. "I'm very proud of our team for reaching this milestone and look forward to working with Insight to continue to build value for our MSP partners and stakeholders."

"SaaS applications have become essential for businesses of every size and MSPs need the ability to better protect those applications on behalf of their customers. SaaS Alerts has pioneered SaaS security for MSPs and has a clear vision for how detecting and correlating abnormal user behavior can greatly impact the MSP industry," said Philine Huizing, Principal at Insight Partners. "We're excited to partner with SaaS Alerts as the company scales to address this unique opportunity."

**About SaaS Alerts**

SaaS Alerts is the cybersecurity company purpose-built for MSPs to protect and monetize customers' core SaaS business applications. SaaS Alerts offers a unified, real-time monitoring platform for MSPs to protect against: data theft, data at risk and bad actors and integrates with the most popular SaaS Applications. Learn more at www.saasalerts.com.

**About Insight Partners**

Insight Partners is a global software investor partnering with high-growth technology, software, and Internet startup and ScaleUp companies that are driving transformative change in their industries. As of June 30, 2022, the firm has over $80B in regulatory assets under management. Insight Partners has invested in more than 700 companies worldwide and has seen over 55 portfolio companies achieve an IPO. Headquartered in New York City, Insight has offices in London, Tel Aviv, and Palo Alto. Insight's mission is to find, fund, and work successfully with visionary executives, providing them with practical, hands-on software expertise to foster long-term success. Insight Partners meets great software leaders where they are in their growth journey, from their first investment to IPO. For more information on Insight and all its investments, visit insightpartners.com or follow us on Twitter @insightpartners.

SOURCE: SaaS Alerts

SaaS Alerts Secures $22M Investment from Insight Partners to Scale SaaS Security Monitoring and Response Platform

Penetration testing not only serves to triage and validate other defect discovery activities, it informs risk management activities, such as threat modeling and secure design.

As threats become much more pervasive and dynamic, organizations are adopting proactive security measures such as penetration testing to build out a comprehensive security strategy.

Pentesting validates that software and hardware controls have been implemented by using the same tools and techniques an attacker would use to uncover vulnerabilities. This way, organizations can identify gaps in their overall information security program and measure the effectiveness of their patch management and incident response programs.

However, modern DevSecOps teams need more speed and flexibility than what traditional pentesting engagements can deliver. Incremental pentesting programs can help identify and address security gaps more frequently because they focus on smaller segments at a time.

With the needs of DevSecOps teams in mind, penetrating testing-as-a-service (PTaaS) is seeing a higher profile.

**Development Teams Align Pentesting with DevSecOps**

PTaaS company Cobalt announced its new Agile Pentesting service to help security teams align penetration testing with the continuous integration and continuous delivery (CI/CD) pipeline. The smaller pentest engagements can help extend the reach of security teams and accelerate secure build-to-release timelines.

Andrew Obadiaru, Cobalt's CISO, says that end users of this offering are security and development teams who are looking to align pentesting more closely to their DevSecOps processes.

"These are teams who are pentesting beyond compliance obligations and conducting more targeted tests that focus on a specific area of an asset, or a specific vulnerability across an asset," he says.

The Agile Pentesting offering allows organizations to focus on a specific area of an asset, such as a new feature or product release, specific vulnerability, or incremental testing.

"Focused pentesting allows organizations and IT teams to quickly determine potential vulnerabilities or security flaws in a specific product or feature prior to deploying into production," Obadiaru adds.

**Incremental Pentesting a Risk-Based Effort**

John Steven, CTO at ThreatModeler, an automated threat modeling provider, says part of the prioritization that occurs with incremental penetration testing should be the alignment of test scope with new features and release promises.

"This creates natural alignment between delivery and security priority and focus," he explains. "Additionally, there's a quick benefit: defect studies indicate that where code churns, bugs — and vulnerability — are more likely to be found."

Steven adds that "the dirty secret" is that all penetration testing is incremental.

"Exhaustively testing even a small system would take months," he says. "Taking an incremental posture on penetration first acknowledges that the effort is 'risk-based', prioritizing that which is most impactful and likely."

Second, it allows the activity to fit more closely within the cadence of delivery, so that its results can be acted on with a minimum (if any) exposure time of vulnerable systems in production.

"Confining penetration testing efforts to those things threat modeling indicate are high impact and potentially likely for a worrying population of adversaries is perhaps the most key optimization organizations can make," he adds.

Dave Gerry, chief operating officer at Bugcrowd, a crowdsourced cybersecurity specialist, says a long-standing challenge with pentesting has been the "point-in-time" nature of the tests.

"At some pre-defined period of time, the test is completed against the then-current version of the application and a report is delivered," he says.

The challenge is that development changes significantly over the course of years, and often by the time a pentest is completed and the report is delivered, the information is already out of date due to application changes.

"By completing incremental testing on the application, security organizations can gain current and ongoing visibility into the security posture of the application as the smaller scope allows for faster testing turnaround," Gerry explains.

This enables security organizations to receive real-time information into the current security posture of the application, network, or infrastructure within scope.

**Automation Aids Continuous Testing**

Jason Rowland, vice president of penetration testing and cloud services at Coalfire, a provider of cybersecurity advisory services, says that continuous testing, given resource constraints faced by the infosec community, will require an approach that maximizes use of testers and offloads work that can be automated.

"Utilizing platforms to perform attack surface discovery and vulnerability identification, as an example, will become prevalent as we unlock the true value of offensive security," Rowland says.

As an industry impaired by the sheer volume of vulnerabilities, security alerts, and frameworks, prioritizing the behaviors of the adversary provides clarity and facilitates better decisions on the use of finite security resources, he says.

"This model is being adopted and will continue to gain prevalence as organizations focus on activities that deliver the specific outcome of minimizing the impact of security incidents," Rowland notes.

Obadiaru adds that while pentesting is a modernized approach to enhanced security, this process and method will continue to evolve — especially as cyberattacks become more commonplace and complex.

"Security tools will need to remain strong and keep up with heightened demands," he says. "It's likely we'll also see increased use of pentesting in non-traditional security areas, such as mergers and acquisitions, assurance, and regulatory compliance."

**PTaaS Offers Real-Time Insights**

Gerry notes that in the past few years, there's been an increased shift from traditional pentesting to PTaaS.

"Rather than point-in-time assessments, organizations are leveraging pentesting as an important tool in their risk and security program, rather than a necessary evil to maintain compliance with internal or external requirements," he says.

He explains by leveraging a PTaaS offering, security teams gain the ability to view results in real time via a SaaS platform, integrate pentesting into their development and security product suite, and institute ongoing testing across retests, focused-scope testing, and new product capability testing.

"Every change to a network or application, whether a major release or incremental release, represents an opportunity for new vulnerabilities to be introduced," Gerry says. "Security organizations must maintain the ability to gain real-time visibility into the current posture — both from a risk governance perspective and from a compliance perspective."

Rowland says as organizations begin to prioritize defense and detection capability investments based on the tactics, techniques, and procedures of the actors most likely to target their organization, the role of offensive security has become increasingly integrated and central to the success of the security strategy.

"Since the tactics of the adversary and attacks surface are dynamic, offensive security must continuously validate that the program is keeping pace," he explains. "Regular testing is necessary to drive and validate adjustments to defenses based new intelligence, architectural changes, or the introduction of new assets."

Steven believes that many people think of penetration testing in an "attacker-centric" way, forgetting that penetration testing is a highly technology-specific pursuit when it comes to software and platforms as well.

"We found that specialized teams were necessary for ATMs, automotive, healthcare, Web, and mobile," he says. "Still others handled mainframe and OS-level penetration testing."

He says as applications move to the cloud, penetration testing and the teams servicing that activity must adapt.

"The cloud isn't a single monolith — it's several major providers, each with tens or hundreds of specific APIs and control sets," Steven adds. "Penetration testers will have to use tools to discover sprawling cloud-based assets, no longer confined to a datacenter or IP range, and then quickly become experts in the tech stacks used by any in-play orchestration platforms, control planes, and providers."

Pentesting Evolves for the DevSecOps World

After a high-profile 2017 breach and a Holiday Inn ransomware hit earlier this year, IHG confirms that its booking channels and applications have been disrupted in yet another cyberattack.

InterContinental Hotels Group (IHG) has disclosed its systems have been breached — again — and that its booking systems and applications have been "significantly disrupted" since Sept. 5.

UK-based IHG operates 17 iconic hospitality brands, including Holiday Inn, Crowne Plaza, and Candlewood Suites. This is the third compromise the massive hotel company has had since 2017.

"IHG is working to fully restore all systems as soon as possible, and to assess the nature, extent, and impact of the incident," explained IHG in a notification of the cyberattack. "We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG's hotels are still able to operate and to take reservations directly."

In the previous attack, the company's point-of-sale systems were compromised, allowing cybercriminals to steal customer credit-card details for guests across 1,200 hotels. Then, in a less sweeping incident, just last month the Holiday Inn in Istanbul was reportedly the victim of a LockBit ransomware attack.

**Three Attacks Is a Trend**

It's likely the three separate attacks are connected, Justin Vaughan-Brown with Deep Instinct said in an emailed statement. 

"Unfortunately, this is not the first cyberattack that Holiday Inn has experienced, with breaches in 2017 and one last month in Istanbul," Vaughan-Brown noted. "Once cybercriminal groups know that an organization can be breached, it can encourage further attacks."

Some follow-on attacks are simple copycat cybercrimes, while others are carried out for bragging rights — i.e., to demonstrate the ability to pull off the same caper better or faster than the competition, Vaughan-Brown explained.

**Hot Hotel Data**

Any organization, like a hotel chain, that holds onto massive amounts of valuable, personal data will continue to be a prime target for cyberattacks, Erfan Shadabi, a cybersecurity expert with Comforte AG explained in a statement provided to Dark Reading.

"Consumer-based industries such as travel and entertainment, retail, and financial services definitely apply, as they collect sensitive information on large swathes of their customers and prospects," Shadabi explained. "The reason is simple: threat actors want that data for personal gain."

Holiday Inn Owner InterContinental Has a Breach Trend

Continued collaboration will help win the fight as cybersecurity remains a national priority. International and public-private cooperation is helping stem the damage from ransomware threats and cyberattacks.

As a cybersecurity leader, a large part of my job involves defending companies against cybercrime; the rest is spent figuring out how I can take the fight to the cybercriminals. You'll hear many people say things like "the threat landscape is always changing" or "cybercrime never sleeps." What they really mean is that cybercrime is a global problem — it affects every industry and every time zone. This is why I believe this is a fight we can only win by collaborating across public and private sectors, taking advantage of the skill sets, expertise, and jurisdictions our combined forces offer.

**The Power of Collaboration in Action**

My journey as a cybercrime fighter has led me into some unusual spaces. Back in early 2020, I helped co-found the CTI League, a volunteer organization that works to defend the healthcare industry from cybercriminals. The CTI League peaked at around 2,000 members, with several hundred members originating from governments and agencies all over the world, representing 80 different countries.

The power of collaboration like this cannot be understated. We were able to track and report vulnerabilities in a matter of hours and/or dismantle threats in a matter of days. Taking down malicious sites became a matter of a quick conversation, while engaging law enforcement involved little more than a quick shout-out or visiting a private channel. The league showed that it was possible to work across borders, organizations, and with governments all over the world.

**Borderless Expertise — The Private Sector's Advantage**

The cybersecurity industry has grown immensely over the past 10 years, and has continued to try to keep pace with cybercriminals. Some of the brightest minds working on the most advanced technologies have made it possible to gather risk signals, detect threats, and help prevent attacks everywhere, including for government agencies and global nongovernmental organizations. The depth of the private sector's expertise, and, in some cases, the capabilities of organizations' themselves to throttle cybercriminal infrastructure, cannot be overstated. It's key to staying on top of a global, borderless ransomware problem.

This diversification of expertise and the skill sets that are needed to succeed in such a fast-moving, competitive environment means that operationally, the private sector will always be faster, more agile and more focused than the public sector, which is generally spread much thinner and consequently limited to a number of select, specialized priority missions. This means that the private sector will always have a different, likely broader view of the threat landscape than the public sector and, consequently, broader operation scope, too. This puts the private sector in a unique position where it can help inform and expand missions undertaken by the public sector. Missions like taking on the entire cybercrime ecosystem.

**The Public Sector's Governance Opportunity**

Governmental agencies have the ability to not only centralize insights, findings, and investigative groups, but they can levy the kinds of broad policy enforcements that can change the way the industry and organizations operate. A good example of this is the "Know Your Customer" (KYC) rules enforced on financial institutions.

KYC enforcement has made a huge impact on financial crimes, and is starting to have an impact on ransomware where exchanges agree to enforce them properly. Governance initiatives like this can help the public sector improve its security posture, mitigate modern risks, and improve efficiency. By uniting lawmakers and enforcement agencies, the public sector can change the course of the industry and the landscape in which criminals and private sector outfits operate.

**Joining Forces to Combat Cybercrime**

Combining the capabilities of both groups and attacking the very ecosystem that they thrive in is the only way we are going to beat cybercriminals at their game. There is already a precedent for this kind of success.

For the last year, I have also been a member of the IST Ransomware Task Force (RTF), a group of industry experts who dedicate time to fighting the scourge of ransomware. Led by the Institute of Security and Technology (IST), the RTF works across industry sectors and collaborates closely with policy makers, law enforcement, and other agencies to ensure that we both protect our nation and take the fight to the threat actors who profit from this crime.

Since publishing its inaugural report, we have seen good progress, as 88% of the recommendations that were in the report have seen some implementation. The complete status of report recommendations can be read here (PDF). Just as encouragingly, Director Jen Easterly of the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Agency (CISA) made it clear that the US government's Joint Ransomware Task Force would include a significant role for the private sector, and the IST Ransomware Task Force specifically.

We still have much work ahead of us. Ransomware is not just the well-known names we read about in the papers, names such as Conti, LockBit, and Ryuk. These are just façades — brands that hide an ecosystem of criminals who move around and change their tactics on a regular basis, because it's profitable. Until we join together and attack that profitability, whether it's through driving up the cost of doing business or seizing their ill-gotten gains, we won't disrupt their businesses. I do believe we can do it, though. There's more of us than there are of them, and we are just as dedicated and passionate as they are — perhaps more so because we are fighting for the common good of organizations everywhere.

Together, we can take away the tools they use to build their software. We can identify and restrict the places that provide them with sanctuary, and we can reach out and empty their pockets, destroying their lifestyle. By hitting at the very heart of what makes them successful — criminal enterprises — we can disrupt every ransomware group at once, ultimately crushing them entirely. However, we should expect these criminals to look for different schemes, and that's why building lasting partnerships to keep the pressure on the whole ecosystem will be so important.

Fighting Ransomware Takes an Army: Our Public & Private Sector Soldiers Join Forces

A SaaS-specific security solution can help security teams make sure apps and usage are both secure, reducing the chances of a breach.

**Question: How can you keep your SaaS applications secure in the face of employee turnover?**

**Noam Shaar, CEO and Co-Founder of Wing Security:** In short, you need the right tools.

The fluidity of today's workforce and the accelerated pace at which people change jobs creates new cybersecurity challenges for companies. The average worker in the United States will work for 12 employers over their career, with the typical tenure just over four years. Each employee who exits will leave a trail of external access points that create potential vulnerabilities.

When employees switch companies and roles, access points are left open. Bad actors can use this access to infiltrate networks and steal valuable assets, including proprietary information and financial data. According to a poll from OneLogin, an identity management firm, nearly one-quarter of IT decision-makers said a failure to deprovision employees from corporate applications contributed to a data breach. Of those, 47% said more than 10% of all data breaches resulted from ex-employees.

Organizations likely have multiple exposed accounts that can provide entry points for malicious activity. In one high-profile case, a former engineer at Cisco was sentenced to two years in prison for compromising the company's network after he left, deleting thousands of Webex accounts. This, of course, is just one of the known incidents.

While many software-as-a-service (SaaS) applications offer built-in security controls, businesses should not assume they remain secure because they come from a big-name vendor. Threat actors often conspire or sell attack methods to break into these systems, or they will take advantage of organizations they already can access.

A SaaS security solution can help security teams understand who uses all of these applications and make sure the apps and usage are both secure. This not only strengthens overall security, it can quickly show gaps often left by offboarding. Best practices include:

*   **Use tools to watch for inconsistencies.** Multiple products being used by a large number of people often reveals a pattern of use. When behavior steps out from that norm, it is often a sign that something is amiss. Leverage a tool that can monitor this behavior and alert your team when necessary.
*   **Weed your garden.** It's critical to mitigate risks by getting rid of unaccessed apps — there's no use for them, and they create a potential opening. When it comes to apps, the company motto should be, "If they're not being used, we probably don't need them."
*   **Automate offboarding tasks where possible.** HR staff must keep tight rein during employee offboarding. One important task is notifying the technology team to discontinue access, which can easily be automated with a security and monitoring solution. While HR members still will want to notify technology leaders, having safeguards in place can eliminate gaps just in case that process gets overlooked.

SaaS applications have improved efficiency and expanded remote work capability, but employees no longer want to spend their entire careers with a single company. The rising number of applications and rate of turnover has increased risk. This risk can be managed with the correct tools and processes, but too many organizations have yet to change their mindset.

How Can I Protect My SaaS Apps Amid Employee Turnover?

The Shikitega malware takes over IoT and endpoint devices, exploits vulnerabilities, uses advanced encoding, abuses cloud services for C2, installs a cryptominer, and allows full remote control.

A Linux-focused malware dubbed Shikitega has emerged to target endpoints and Internet of Things (IoT) devices with a unique, multistage infection chain that results in full device takeover and a cryptominer.

Researchers at AT&T Alien Labs who spotted the bad code said that the attack flow consists of a series of modules. Each module not only downloads and executes the next one, but each of these layers serves a specific purpose, according to a Tuesday posting from Alien Labs.

For instance, one module installs Metasploit’s “Mettle” Meterpreter, which allows attackers to maximize their control over infected machines with the ability to execute shell code, take over webcams and other functions, and more. Another is responsible for exploiting two Linux vulnerabilities (CVE-2021-3493 and CVE-2021-4034) to achieve privilege-escalation as root and achieve persistence; and yet another executes the well-known XMRig cryptominer for mining Monero.

Further notable capabilities in the malware include the use of the "Shikata Ga Nai" polymorphic encoder to thwart detection by antivirus engines; and the abuse of legitimate cloud services to store command-and-control servers (C2s). According to the research, the C2s can be used to send various shell commands to the malware, allowing attackers full control over the target.

**Linux Malware Exploits on the Rise**

Shikitega is indicative of a trend toward cybercriminals developing malware for Linux — the category has skyrocketed in the past 12 months, Alien Labs researchers said, spiking 650%.

The incorporation of bug exploits is also on the rise, they added.

"Threat actors find servers, endpoints, and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads," according to the posting. "New malwares like BotenaGo and EnemyBot are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach."

On a related note, Linux is becoming a popular target for ransomware, too: A report from Trend Micro this week identified a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the same period last year.

**How to Protect Against Shikitega Infections**

Terry Olaes, director of sales engineering at Skybox Security, said that while the malware might be novel, conventional defenses will still be important to thwart Shikitega infections.

"Despite the novel methods used by Shikitega, it is still reliant on tried-and-true architecture, C2, and access to the Internet, to be fully effective," he said in a statement provided to Dark Reading. "Sysadmins need to consider appropriate network access for their hosts, and evaluate the controls that govern segmentation. Being able to query a network model to determine where cloud access exists can go a long way toward understanding and mitigating risk to critical environments."

Also, given the focus that many Linux variants put on incorporating security bug exploits, he advised companies to, of course, focus on patching. He also suggested incorporating a tailored patching-prioritization process, which is easier said than done.

"That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape," he said. "Organizations should ensure they have solutions capable of quantifying the business impact of cyber-risks with economic impact factors. This will help them identify and prioritize the most critical threats based on the size of the financial impact, among other risk analyses, such as exposure-based risk scores."

He added, "They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them, how urgent it is to remediate, and what options are there for said remediation."

Source

DARKReading