REDWOOD CITY, Calif., Oct. 11, 2022 /PRNewswire/ — Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today released _Cloud Server Privilege Management for Dummies_, a new eBook immediately available in print and digital editions. The complimentary resource puts best practices for cloud server security front and center to simplify complexities around securing access to business-critical resources.

According to the 2022 Thales Cloud Security Report, 45% of businesses have experienced a cloud-based data breach or failed audit in the past twelve months, suggesting that almost half of organizations are highly vulnerable to cloud server security breaches. Server security is critically tied to securing accounts and their associated entitlements for logging into machines and running privileged commands and applications.

"While the pandemic was a call to action for many organizations to expedite their cloud initiatives, most were already moving towards multi-cloud and hybrid infrastructure," said Tony Goulding, Senior Director, Technical Product Marketing at Delinea and co-author of the new Dummies book. "What many had not been focusing on as part of their efforts was shifting from a reactive to proactive security posture when it comes to privileged access management of cloud resources. This book helps any organization protect distributed IT server infrastructure in hybrid- or multi-cloud environments to reduce risk."

As with other editions in the popular Dummies books series, _Cloud Server Privilege Management for Dummies_ helps guide IT professionals in clear language and with examples to help them tackle some of their biggest cloud server security challenges, including:

*   Getting visibility into assets and permissions to facilitate proactive risk mitigation with granular controls
*   Reducing lateral movement between cloud resources to minimize the possibilities of data exfiltration or encryption for ransom in case of breach
*   Enforcing least privilege with a zero trust approach to ensure authenticated, legitimate users only have access to what they need, when they need it

"Time and again we see that the biggest risks to organizations are typically related to over-privileged users, standing privileges on resources, and not understanding the shared responsibility model when it comes to cloud," said Chris Smith, Chief Marketing Officer at Delinea. "This Dummies book clearly lays out how to address all of those areas of concern in one free resource."

Delinea offers a range of complimentary informative resources to further help organizations secure their on-premises, multi-cloud, and hybrid infrastructure, including six additional Dummies books, educational publications, whitepapers, tools, blogs, and more.

Visit delinea.com/resources to download _Cloud Server Privilege Management for Dummies_ and more.

**About Delinea  
**Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Delinea Releases 'Cloud Server Privilege Management for Dummies' eBook

Investment led by Section 32 will be used to scale the product and team.

MOUNTAIN VIEW, Calif., Oct. 11, 2022 — Stairwell, a company that empowers security teams to outsmart any attacker, today announced a $45M Series B capitalization. The funding round was led by Section 32, with additional investments from Sequoia Capital, Accel, Lux Capital, Gradient Ventures, and angel investors Eric Schmidt and Michael Ovitz. This brings Stairwell’s total funding to date to $69.5 million as it looks to scale its flagship product, Inception, to become the most powerful continuous intelligence, detection, and response solution available.

“New vulnerabilities are discovered daily, and continuous monitoring, threat hunting, and response are needed for around-the-clock efforts to secure the enterprise. Our goal is to plug these gaps, while simultaneously strengthening organizations’ overall security stack via capturing, storing, and analyzing all executable files across their environment,” said Mike Wiacek, CEO and Founder of Stairwell. “This Series B reflects the confidence investors feel in Inception and Stairwell’s mission to enable security teams to take back control of their data and stay one step ahead of even the most advanced attackers.”

Following deals with key customers and MSSP partner Cyderes earlier this year, this Series B will enable Stairwell to meet increased demand for new Inception features as malware attacks continue to rise. By scaling the Inception platform, Stairwell will create a more intuitive and integrated experience for increased customer success in securing their organizations against any emerging malware threats, including supply chain attacks.

“The platform Stairwell has built is making a huge impact for security teams, and the company is led by some of the sharpest minds in cybersecurity,” said Andy Harrison, Managing Partner at Section 32. “The power and advanced capabilities of the Inception platform are clear to customers and partners, and it's rare to find a company with such a strong combination of product, engineering, customer focus, and executive leadership.”

This funding will also play a critical role in the expansion of Stairwell’s team. Since the Series B round closed, Stairwell has increased headcount by 100%, with plans to add significantly more employees this year. These hires will include specialized engineers to bring more functionality to Inception as a whole. Notable recent appointments within the company include Brian Lee as Vice President of Marketing and Eric Byrd as Head of Enterprise Sales.

Lee has spent the last decade at Ogilvy working with some of the most famous technology brands in the world, from large Fortune 500 companies (Google, Samsung, Qualcomm, Cummins) to exciting, high-growth start-ups. His vision for Stairwell’s marketing arm is to drive holistic growth for the company, building an enduring brand complemented with a robust marketing machine to drive awareness using the latest technology, data, and techniques.

“As a marketer, the best asset you can have is a good company and product. That’s what initially drew me to Stairwell,” said Lee. “We have a differentiated, innovative product in a category growing in importance. Add to that the incredible pedigree of our team, top investors, and positive business momentum. I knew from my first conversation with Mike Wiacek that I had to be a part of this company’s trajectory as Vice President of Marketing.”

Byrd comes from Red Canary, where he led a team of Senior Enterprise Account Executives across the Northeast and Southeast regions of the United States in securing new customers for security solutions. At Stairwell, Byrd will lead the sales team in identifying Stairwell’s next customers who will make significant strides in their security goals by partnering with the company.

“I've been really lucky to work with many incredible teams, so I've learned what it takes to build a strong security business that continues to improve its capabilities for customers as you grow,” said Byrd. “Understanding what leading security teams expect from their partners has prepared me to deliver exceptional service for Stairwell’s customers so they can take their security teams to new heights.”

For more information on the roles Stairwell is currently hiring for, please visit www.stairwell.com/careers.

**About Stairwell  
**Stairwell helps organizations with security solutions that attackers can't evade. Its Inception platform empowers security teams to outsmart any attacker by providing continuous intelligence, detection, and response. The Inception platform is used by a number of Fortune 500 companies. Stairwell is comprised of security industry leaders and engineers from Google and is backed by Sequoia Capital, Accel, Section 32, Lux Capital, and Gradient Ventures. For more information, visit www.stairwell.com or connect with us on Twitter or LinkedIn.

Stairwell Announces $45M Series B Funding Round

Pen testing solutions to empower businesses to proactively address application security vulnerabilities amid surging threats.

CHICAGO, Oct. 11, 2022 /PRNewswire-PRWeb/ — Today, Outpost24 announced the introduction of its Penetration Testing as a Service (PTaaS) solutions to the North American market to better empower businesses to understand and address threats in their web application attack surface. Outpost24's PTaaS solutions provide companies with on-demand, continuous monitoring, ensuring organizations are fully protected against threats in their application attack surface.

Web application attacks accounted for roughly 70% of security incidents in 2021, making application security a top priority. While penetration testing provides an effective way to detect application flaws before they turn into a serious threat, in the always-on economy, traditional penetration testing is no longer enough. Traditional penetration testing solutions often require long and disruptive set-up times and usually only examine a specific and isolated point in time - insufficient when application code changes multiple times per day.

Outpost24's PTaaS is a modernized approach to penetration testing with continuous, real-time monitoring. Additionally, providing customers with direct access to a team of penetration testers and a knowledge base to address vulnerabilities, it allows IT and development teams to remediate quickly and efficiently, making it well-suited for agile organizations who need a more flexible approach to review and secure web application code at scale. 

"In an agile application development cycle, security is imperative - but it can also be a roadblock," said Eren Cihangir, Product Engineer, Outpost24. "Outpost24 is meeting a critical gap in the market by providing ongoing monitoring to secure applications as they evolve while also saving developers time so they can stay focused on their real priority: Innovation."

Outpost24 PTaaS includes annual or project-based packages depending on an organization's priorities, including:

*   SWAT: Outpost24's flagship PTaaS offering that combines continuous monitoring with manual penetration testing to ensure continuous  
    protection for the most prevalent software vulnerabilities

*   Snapshot: A time-boxed PTaaS offering that provides on-demand penetration testing and deep analysis of web applications with expert  
    validation, support, and re-testing services for 30 days For more information about Outpost24's PTaaS offerings, check out outpost24.com and contact us today.

**  
About Outpost24**  
The Outpost24 group is pioneering cyber risk management with vulnerability management, application security testing, threat intelligence and access management - in a single solution. Over 2,500 customers in more than 65 countries trust Outpost24's unified solution to identify vulnerabilities, monitor external threats and reduce the attack surface with speed and confidence. Delivered through our cloud platform with powerful automation supported by our cyber security experts, Outpost24 enables organizations to improve business outcomes by focusing on the cyber risk that matters.

Outpost24 Announces Expansion of Penetration Testing Offerings to North America

Australian IT services provider Dialog has announced a breach, making it the third telecom company in the area compromised in less than a month.

First it was Optus, followed by Telstra. Now, a third Australian telecom company has disclosed it was breached — this time it's Dialog, an information technology services provider with a sizable market share of Aussie customers in both the public and private sectors. 

Dialog, a subsidiary of SingTel, said its servers were compromised on Sept. 10, and although initial investigations showed no signs of exfiltrated data, on Oct. 7, a sample of the company's employee personal data was available on the Dark Web. 

Dialog said it is still investigating the incident further. 

Just days before, Australia's largest telecom carrier, Telstra, announced its own breach, of personal and sensitive employee information, going back to 2017. 

Telstra's major competitor, Optus, was also recently targeted in a massive cyberattack, which successfully stole the personal information of nearly 10 million customers across Australia. Optus, also a SingTel subsidiary, first announced the cyberattack on Sept. 21, which then drew the attention of the FBI. 

Days later, the cybercriminals withdrew their ransom demand of $1 million, explaining there were "too many eyes" on the data. But before the attackers had a change of heart, they leaked more than 10,000 customer records, reportedly as proof of what they had. 

The attackers later apologized for leaking the stolen info. 

**Telcos Historically Draw Advanced Attacks**

Telecommunications companies will always be an attractive target for cybercrime because of the vast amounts of data they gather, process, and store on their customers, Erfan Shadabi, a cybersecurity expert with Comforte AG tells Dark Reading. 

"However, they have an obligation to keep this sensitive customer data safe and out of the hands of the wrong people, obligations that are both ethical and regulatory in nature. The outcome of not doing this is exactly what these companies face now," he adds.

John Bambanek, principal threat hunter with Netenrich, agrees, adding that IT providers, managed service providers (MSPs), managed security service providers (MSSPs), and telcos have always been prime targets from advanced threat actors. 

"These companies have privileged access so its easy to go from point A to points B through Z immediately," Bambanek explains to Dark Reading. He adds that intelligence services like the National Security Agency (NSA) also regularly turn the focus of their operations to telecommunications service providers because of the wealth of sensitive data inside their systems. 

"Eventually, targeting priorities and techniques filter from the intelligence world into sophisticated cybercriminals such as ransomware groups," Bambenek says. "Ultimately, the math is the same. Why attack one target and have only one victim when you can attack one target and have many victims? More victims means more money."

High-Value Targets: String of Aussie Telco Breaches Continues

It's not too early for firms to start preparing for change.

The days and weeks that follow a security incident are never easy. Executing incident response investigations to determine what led to the event, while simultaneously grappling with potential operational disruptions, reputational damage, and dealing with concerns from customers and investors takes time.

Following a security incident, executive leaders and their security teams are faced with a host of questions: How and where did the attacker enter our network? Did data exfiltration occur? And most importantly: Has the attack been contained and vulnerabilities mitigated? The incident response process is a rigorous one and can take many weeks to successfully conclude. However, this process may be about to become even more complex, particularly for public companies.

Earlier this year, the US Securities and Exchange Commission (SEC) announced proposed amendments to its security incident disclosure requirements for public companies. If these requirements are formalized into law, one of the most notable proposed changes will require companies to disclose material security incidents within four business days of their occurrence — "material" meaning anything that could impact an individual's decision to buy, hold, or sell a company's stock.

Specifically, the proposal would require:  

*   Form 8-K disclosure updates reporting any material cyber incident to be filed within four business days
*   Periodic disclosures regarding the following: Updates about previously reported material cybersecurity incidents; company policies and procedures to identify and manage cybersecurity risks; management's role in implementing those policies and procedures; board of directors' cybersecurity expertise and risk oversight.

**An Array of Challenges**

These proposed SEC disclosure requirements present an array of challenges. First and foremost, very few incident investigations are completed within four days. In most situations, executive leadership teams and security teams won't fully grasp the extent of their "material" damages until much later. Currently, depending on the severity of an event, it can take weeks to fully contain, remediate, and measure the effects of the damage. Following this, it can take months for further forensic investigations.

Determining if the event rises to the level of material impact can realistically happen only after all of these steps are taken. However, if there's a four-day time limit imposed by the SEC, organizations will have to immediately consult with legal advisers to decide what needs to be disclosed publicly, and how to do so in the most pragmatic manner.

By adding this obligatory disclosure clause, the SEC could severely disrupt incident response. Most firms will not know if a material event has occurred within this timeline, and many will feel compelled to admit damages prior to the conclusion of an investigation. Firms undergo many nonmaterial cybersecurity events every year. A short disclosure timeline will only inspire panic and negative public scrutiny.

**Containment and Remediation**

The bigger threat, however, is the proposed law's implications on the containment and remediation phases of the incident response process. Once a security incident occurs, IT and security teams work tirelessly to repair systems and lock attackers out. The new SEC proposal could significantly interfere with this activity, requiring members of those teams to meet with directors, officers, law enforcement, legal counsel, members of the media, SEC investigators, investment analysts, and customers, all of which will take focus away from mitigating the incident itself.

This could lead to unpatched vulnerabilities or allowing attackers to further penetrate an organization's network. It may also jeopardize any investigations being conducted by law enforcement, who typically will ask to postpone any public disclosure so as not to compromise their work, and until after they have made any arrests.

While the four-day disclosure rule is the most significant proposed change, the requirement to provide updates on _previously_ disclosed material incidents is also noteworthy. Up until now, there has been no formal external reporting required for previous security incidents and events, except for the most high-profile breaches that have already made headlines. This element of the law would create a new scope of work for public companies, forcing them to upgrade their level of reporting and documentation — a new task that promises to be difficult to manage and expensive to execute.

While the comment period for the proposed new rules has already passed and we should expect to see final regulations published soon, there are a few measures organizations can implement to prepare themselves, should these proposals be implemented as originally published in the federal register:

*   Create a robust and comprehensive incident response process, one that outlines clear disclosure policies and procedures in the event of a security incident.
*   Have the right partners in place, specifically compliance consultants and legal counsel that understand security and data privacy.
*   Consider adding an executive leader to the security team focused on incident response to maintain operational command while the CISO is called away to liaise with SEC investigators, the press, customers, and investors.
*   Set aside budget for settlements and litigation.
*   Ensure your CISO or equivalent is covered under your officer and director insurance.

While we await the final verdict from the SEC, it is important that firms begin scoping out the resources they'll need to deploy in handling these new regulations, specifically the investor and government relations portions of the disclosure. Much like there are playbooks and plans for the actual security incident, there now also needs to be a plan in place for ensuring compliance with all disclosure requirements.

Proposed SEC Disclosure Rules Could Transform Cyber-Incident Response

LOUISVILLE, Ky., Oct. 11, 2022 /PRNewswire/ — Deloitte and the National Association of State Chief Information Officers (NASCIO) today released their 2022 Cybersecurity Study, "State Cybersecurity in a Heightened Risk Environment." The survey captures responses from chief information security officers (CISOs) in all 50 states and three territories about current cybersecurity trends, challenges and opportunities.

The survey found that state CISOs throughout the U.S. gained considerable strength and authority over the past few years, as they rapidly migrated government operations and services to a virtual environment and expedited digital transformations to meet the immediate needs of individuals and families. Due to the dedicated efforts of these CISOs, state agencies were able to continue providing high-quality service to their constituents, despite the challenges imposed by a global pandemic.  

Additional highlights from the 2022 Deloitte/NASCIO survey include:

*   **Addressing the talent gap**: In 2022, the demand for high-skilled workers has grown even more acute for public and private sector employers. In this environment, the lack of cybersecurity professionals and other staff remains among the top five barriers cited by state CISOs.
    *   Despite CISOs' growing responsibilities and the increasing sophistication of both technology and threats, **headcounts for state cybersecurity professionals remain about the same as in 2020, and more than 6 in 10 CISOs report gaps in competencies among their staffs**.
*   **Embracing the entire state**: It is an imperative to provide for greater security across the entire state through a tighter collaboration with local governments and state higher education institutions. CISOs made significant progress in enhancing their stature and visibility at the state executive and legislative levels, and they are continuing to get the institutional support and resources they need.
    *   All 50 states now have a CISO, and many are establishing new positions for chief privacy officers, chief risk officers and identity program directors.
    *   More state legislators are codifying the role of the CISO into state law and funding the position. They are also codifying several cyber initiatives into state law, such as enterprise risk management frameworks, cybersecurity legislative councils and cybersecurity training.
    *   More states now require CISOs to provide periodic reports to senior state officials, such as the governor, legislature and agency secretaries.
    *   CISOs are looking to establish and activate a shared security services approach to enable a whole-of-state approach to protecting local governments and public higher education institutions.
*   **Emerging technologies present new opportunities**: In the post-pandemic digital landscape, CISOs have an even more critical role to play in guiding the evaluation and implementation of new technologies.
    *   State CISOs confirm that many applications have migrated to the cloud. With remote work, digital and mobile platforms have become part of the fabric of daily life by which people work, communicate and transact.
    *   **States have taken a big step forward to provide digital identities for citizen services**. Capabilities, such as cloud computing, artificial intelligence and robotic process automation, enable states to further enhance digital modernization in service of their missions and constituents.

"The complexity of cyber challenges that the state CISOs tackle is increasing with the need to take a whole-of-state approach involving multiple jurisdictions and stakeholders," said Srini Subramanian, principal, Deloitte & Touche LLP, and Deloitte's global risk advisory leader for government and public services. "To address these challenges, state CISOs are increasingly laying the groundwork to adopt emerging technologies, promoting more collaboration with local government agencies and higher education institutions, upskilling state employees and transforming employment practices to attract the next-generation of highly capable cyber talent."

"State CISOs played critical roles helping the country successfully navigate the twists and turns of the pandemic, and this year's survey identifies the steps needed to grow this increasingly public role and meet the current and future challenges faced by state agencies," said Meredith Ward, director of policy and research at NASCIO and a co-author of the 2022 Deloitte/NASCIO Cybersecurity Study. "We're proud to again bring the perspectives of state CISOs to the forefront of conversations around cybersecurity."

Additional takeaways from the 2022 Deloitte/NASCIO survey include:

*   Thirty states increased their cybersecurity budgets from 2021 to 2022. And for the first time, CISOs report that a handful of states are allocating more than 10% of their IT budgets to cybersecurity, in alignment with federal government levels. However, most states still only allocate between 2% and 10% of their budgets to cybersecurity efforts.
*   Many state CISOs identified the drafting and implementation of the Zero Trust framework as a key initiative.
*   CISOs say that malware, ransomware and phishing attempts continue to present security challenges. Concern among CISOs about foreign state-sponsored espionage has also risen significantly, while the perceived threat from third parties and social engineering has declined.
*   CISOs found that the three leading causes of cyber incidents remain web applications, malicious code and financial fraud. However, CISOs note a rise in cyber incidents involving foreign state-sponsored espionage, zero-day attacks and attacks against cloud platforms.
*   Nearly one-third of state CISOs say that state agencies manage cyber incidents on their own, rather than working with a central state IT security group.
*   CISOs are increasingly contracting cybersecurity professionals and states are demonstrating more interest in outsourcing specific cybersecurity functions to managed service providers. In fact, more than half of CISOs report outsourcing security operations center tasks, which require 24x7 monitoring, and more than 60% of CISOs report having confidence in the cybersecurity services of third-party vendors.
*   State CISOs are starting to incorporate diversity, equity and inclusion (DEI) practices, such as designating a DEI leadership position or teams to foster a culture of inclusion. However, many CISOs say they do not know if they have such practices in place.

See here for the full survey results.

See here for learn more about Deloitte's cyber risk practice.

**About Deloitte**

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today's marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's approximately 415,000 people worldwide connect for impact at www.deloitte.com.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Cybersecurity Survey of State CISOs Identifies Many Positive Trends

Killnet calls on other groups to launch similar attacks against US civilian infrastructure, including marine terminals and logistics facilities, weather monitoring centers, and healthcare systems.

UPDATE 

Hot on the heels of attacks against US state government websites, pro-Russian threat group Killnet on Monday disrupted the websites of multiple US airports in a series of distributed denial-of-service (DDoS) attacks.

It also called on similarly aligned groups and individuals to carry out DDoS attacks on other US infrastructure targets, in what appears to be an escalation of a recent campaign protesting the US government's support for Ukraine in its war with Russia.

Airport websites that were affected by Killnet's DDoS attacks included Los Angeles International Airport (LAX), Chicago O'Hare, and the Hartsfield-Jackson Atlanta International Airport, among others. While the DDoS attacks made some of the sites inaccessible for several hours, they do not appear to have had any impact on airport operations.

Researchers from Mandiant who have been tracking the attacks said they observed a total of 15 US airport websites being impacted.

**Mostly Brief Interruptions**

In a statement to Dark Reading, airport authorities at LAX confirmed the attack.

"Early this morning, the FlyLAX.com website was partially disrupted," an LAX spokesperson noted in an emailed statement. LAX officials described the service interruption as being limited to portions of the public-facing FlyLAX.com website only. "No internal airport systems were compromised and there were no operational disruptions," according to the statement, adding that the airport's IT team has restored services and that the airport has notified the FBI and the Transportation Security Administration (TSA).

In an emailed statement to Dark Reading, the Chicago Department of Aviation (CDA) noted that its flychicago.com and related websites for O'Hare and Midway international airports went offline, but confirmed that airport operations were affected. 

"City of Chicago IT staff worked diligently to restore the website's functionality shortly after noon Central Time, and they continue to vigilantly monitor the situation," the statement said.

Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, says Killnet has also asked its supporters to join in on the airport attacks and posted a list of domains to be targeted on its Telegram channel. In total, the group mentioned 49 domains belonging to airports across the US, he says. Killnet's target list includes airports in some two dozen states including California, Delaware, Florida, Georgia, Illinois, Maryland, Massachusetts, and Michigan.

"At this time, it is unknown how successful these attacks were, but Killnet attacks are known to take websites down for short periods," Righi says. The attacks began with a DDoS attack on O'Hare, where the group stated its motivation to target US civilian network sector, which the group deemed to be not secure, he says.  

**Calls for Broader Attacks**

Vlad Cuiujuclu, team lead for global intel at Flashpoint, says the DDoS attack on O'Hare International Airport came shortly after Killnet announced new rounds of DDoS attacks against domains that belong to the civilian infrastructure of the United States. Among the targets it is urging supporters to attack are marine terminals and logistics facilities, weather monitoring centers, healthcare systems, ticketing systems for public transit, exchanges, and online trading systems, Cuiujuclu says.

Killnet's post urging other pro-Russian groups to launch DDoS attacks against domains that belong to the US civilian infrastructure was shared by other Russian-speaking cyber-collectives, including Anonymous | Russia, Phoenix, and We Are Clowns, Cuiujuclu noted.

Killnet has been among the more active pro-Russian cyberthreat groups in recent months. Just last week it claimed credit for DDoS attacks on the government websites of Mississippi, Kentucky, and Colorado. In July, the group claimed credit for a DDoS attack on the website of the US Congress, which briefly affected public access.

In August, Killnet said it planned to attack Lockheed Martin, the company manufacturing the US-made rocket launchers that the Ukrainian military has been using in the conflict. The group claimed it had compromised Lockheed Martin's identity authorization infrastructure, but Flashpoint, which tracked the campaign, said it was unable to find any verifiable evidence of the supposed attack. "This is possible, but Killnet has this far shown little verifiable evidence of this beyond a video and a spreadsheet allegedly containing employee data, the authenticity of which could not be determined," Flashpoint said at the time.

**An Especially Active Threat Actor**

Almost since the beginning of the Russian invasion of Ukraine, Killnet has been continuously posting alleged evidence of DDoS attacks against organizations in NATO member states and those it perceives as supporting Ukraine in the conflict. Flashpoint has previously described Killnet as a media-savvy threat group with a tendency to try to inflate its profile by bragging about attacks. "While Killnet’s threats are often grandiose and ambitious, the tangible effects of their recent DDoS attacks have so far appeared to be negligible."

Killnet's attacks — and those it is urging others to carry out — are examples of what security experts say is the tendency in recent years for geopolitical conflicts to spill over into the cyber domain. The threat group's apparent escalation of its campaign against US and other NATO countries, for instance, comes just days after an explosion destroyed a section of a critical bridge connecting Russia to the Crimean Peninsula.

So far, most of the cyberattacks by pro-Russian groups that impacted US organizations have not been nearly as disruptive as attacks by Russian groups against Ukrainian entities. Some of those attacks — including many going back to Russia's annexation of Crimea — were designed to destroy systems and degrade power and other critical infrastructure in support of Russian military objectives.

**_This story was updated at 11:30 a.m. ET to include a statement from the Chicago Department of Aviation, and to reflect that the Indianapolis airport was not affected._**

US Airports in Cyberattack Crosshairs for Pro-Russian Group Killnet

An analysis of the malware and its infection strategies finds nearly 21,000 minor and 139 major variations on the malware — complexity that helps it dodge analysis.

The threat group behind the Emotet malware-delivery botnet has resurrected the malware-as-a-service offering with more sophisticated countermeasures to foil takedowns.

According to a 68-page analysis on Oct. 10 from VMware's Threat Analysis Unit — based on data collected from several new Emotet campaigns in early 2022 — the group has learned lessons from the 2021 law enforcement takedown of the group's infrastructure. That includes creating more complex and subtle chains of execution, hiding its configurations, and hardening its command-and-control (C2) infrastructure. In addition, the group recently updated two of the eight modules to improve credit-card stealing functionality and its capabilities for spreading laterally through a network.

Overall, the research suggests that Emotet is continuously changing to make it more difficult for defenders to adapt and block the malware, Chad Skipper, global security technologist at VMware, stated in a press briefing.

"Emotet \[has\] embraced its role as a malware distributor, focusing more on advancing its technique for initial infection and relying on waves of spam emails that entice users to open up documents and click on links," he said.

The analysis of Emotet completes the malware-as-a-service group's resurrection, following a takedown in January 2021 by international law enforcement. Just the month before the takedown, Check Point Software Technologies had estimated that 7% of companies had been affected by the botnet. Law enforcement agencies gained control of the infrastructure and disrupted Emotet's infection and payload-delivery capabilities.

In late 2021, however, updated versions of Emotet and Conti began being distributed by another group, Trickbot, bootstrapping the once-defunct malware network and bringing it back from the dead.

The group behind Emotet — often referred to as Mummy Spider, MealyBug, or TA542, depending on different security firm nomenclature — typically uses waves of spam email messages and specially crafted messages to convince users to click on malicious links or open malicious documents. Access to the compromised machines is then sold to interested groups, who then steal data, install ransomware, or find other ways to monetize access.

VMware's TAU group analyzed data collected from the spam messages, URLs, and malicious attachments to classify the attacks into different waves, map the attacker's C2 infrastructure, and reverse engineer any delivered malware to gain insight into the attacker's activities.

    

The top execution clusters for the Emotet malware. Source: VMware's Emotet Exposed report

The two waves analyzed by VMware in the report both used a malicious Excel document to infect systems, with the first — and smaller — wave using XL4 macro, while the second wave paired that with PowerShell. The researchers deconstructed the attacks into initial invocation variations and into execution flows finding 139 unique program chains and 20,955 unique invocation chains, which are variants made to make the infection look unique.

"Based on a new similarity metric, \[the research group\] was able to identify various stages of Emotet attacks with a number of initial infection waves that change the way in which the malware is delivered," VMware stated in its analysis.

Other recent updates include a module that targets Google's Chrome browsers to steal credit card information, and a second module that spread the infection to other computers using the Server Message Block (SMB) protocol, a common technique for hackers.

The threat actors also use significant anti-analysis countermeasures to attempt to hide the details of their C2 infrastructure, the report stated. The post-recovery version of Emotet has two major sets of infrastructure, which VMware calls Epoch 4 and Epoch 5, which have only a single common IP address between them. In addition, the malware could be executed using any of 139 different program chains, although 80% of the samples analyzed belonged to one of four different chains.

The most popular chain involved "a simple three-stage attack involving the execution of Excel and regsvr32.exe," the report stated. "The second most popular chain shows the same attack chain as the first but with an additional stage."

VMware found that the attackers' infrastructure led back to 328 different IP addresses, 18% of which were in the United States, with Germany and France accounting for a significant share as well. However, the servers hosting modules, updates and other payloads came from a different set of IP addresses, with the largest share (26%) hosted in India.

"\[T\]he IP addresses of the servers hosting the Emotet modules can be different from the IP addresses extracted from the initial Emotet payload configuration," the report stated. "\[M\]ost of the IP addresses extracted from the configuration were likely to be compromised legitimate servers used to proxy the actual servers that hosted the Emotet modules."

Emotet Rises Again With More Sophistication, Evasion

A flaw in unpatched Zimbra email servers could allow attackers to obtain remote code execution by pushing malicious files past filters.

Administrators running Zimbra servers are being warned to update their systems with the "pax" utility by researchers, who have observed cyberattackers actively attempting to exploit a known flaw.

Zimbra is a cloud-hosted email and employee collaboration platform. The bug, being tracked as CVE-2022-41352, exists in the virus-scan process for incoming emails; it could allow malicious files to get through, ultimately leading to remote code execution (RCE).

Synacor, the development company behind Zimbra, issued an alert to users on Sept. 14, warning admins they needed to install the pax package against the vulnerability,

Now, Rapid7 researchers said in a blog post that they have observed active exploitation of the flaw in the wild, and urged administrators who haven't already, to update their systems. 

Synacor added that Ubuntu users should have already had the pax package installed automatically.

"The vulnerability is due to the method (cpio) in which Zimbra’s antivirus engine (Amavis) scans inbound emails," the Rapid7 team explained in an Oct. 6 blog post. "Zimbra has provided a workaround, which is to install the pax utility and restart the Zimbra services."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Zimbra RCE Bug Under Active Attack

A CISO's responsibilities have evolved immensely in recent years, so their first three months on the job should look a different today than they might have several years ago.

Not too long ago, the role of chief information security officer was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the CISO role has evolved — growing both in responsibility and stature within a company. The CISO is now a critical member of the executive team, responsible for tying not only cybersecurity, but overall risk management, to the company's business strategy and operations.

The modern CISO is involved in strategic decision-making, for example, ensuring the business securely embraces digital transformation while assuring the board, clients, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes, and technologies to enable their organization to fulfill its overarching business objectives securely.

Given this evolution in responsibilities, a CISO's first 90 days on the job should look a lot different today than it did even several years ago.

**The First 90 Days**

While many CISOs want to immediately demonstrate value by jumping in with big ideas and projects on day one, they will be able to make much more of a long-term impact if they first take the time to understand the company's mission, values, and business objectives. They also need to get up to speed on core activities, products, services, research and development, intellectual property, and merger and acquisition plans. And they need to understand all potential issues, previous breaches, regulatory or external obligations, and existing technical debt.

With this in mind, here are a few recommendations on what a CISO's focus should be during their first 90 days on the job.

**Gain An Understanding of the Organization's Larger Mission and Culture**

The very first day, begin to deploy a collection of interview and interrogation techniques with a goal of understanding the business, its purposes and its priorities. Interview your employees, midlevel business leaders, and customers to get a sense of all key stakeholders, initial pain points, and how mature the cybersecurity culture is within the organization. Finally, gently interrogate your partners, suppliers, and vendors to determine who is just selling and who is a trusted advisor. Going through this process will open lines of communication, uncover challenges, and help build a 90-day action plan and road map.

**Identify the Crown Jewels**

Determine which data and systems underpin the company's strategic mission and core competencies, represent intellectual property, differentiate the enterprise from its competitors, or support major customer segments or revenue lines. These crown jewels are the digital assets that are most likely to be targeted by threat actors, and thus must have their cyber-hygiene efforts accelerated. If the C-suite and board understand these critical areas, they can tell you their risk appetite, and you can implement security strategies accordingly.

**Develop a Plan Based on the Company's Current IT and Business Landscape**

Once assets are identified and prioritized, develop a written risk management plan with checklists for deliverables, structure and communication between key internal and external stakeholders. On this latter point, the CISO always must act as an information broker and as a partner to all the key organizational decision-makers. One effective way to do this is to establish formal and informal communication with these roles, so the organization can move forward strategically.

**Master the Basics**

There are many technologies needed to secure the modern company, but there are a few must-haves that should be implemented right away, if they aren't already. These are baseline controls, including vulnerability management and anti-malware defenses for the endpoint, and non-negotiable controls, including multifactor authentication, sensitive data encryption, application whitelisting, 24/7 security monitoring, file integrity monitoring, privileged access management, network segmentation, data loss prevention, and a rigorous assessment and audit function connected to vulnerability and patching strategies.

**Implement Benchmarks**

Prove the value of security plans, processes, and technologies to the C-suite, business unit executives, and the board by implementing benchmarks and maturity assessments that show how the company stacks up against competitors, how security strategies stack up against industry best practices and frameworks, and how security initiatives are enabling the business with secure operations.

**Always Treat Security as a Business Problem**

Security incidents can result in myriad consequences on the business, and conversely, strong security can help the business succeed in a secure fashion. This is why it's so important that IT and security teams always remain integrated with the business side of the organization. As part of this, ensure ongoing communication and collaboration between executive leaders, the board, and security leaders. When management understands the business risks posed by cybersecurity threats, they'll be more apt to pay attention and participate in security efforts.

At the end of the first 90 days, a CISO should be able to answer questions such as: How well protected is the organization? What is our capability maturity against industry standard frameworks? What are our most critical vulnerabilities and cyber-risk scenarios? What data is most important to the organization? What data risks could have the most significant negative impact on the organization? And what will it take to improve the organization's security posture, and do we have a road map?

While this may seem like a lot to get to the bottom of in a three-month timespan, following these six steps will set your company up for both short- and long-term security and business success.

Source

DARKReading