Focused on bringing ease of use to IT security automation, ThreatQ TDR Orchestrator addresses industry needs for simpler implementation and more efficient operations.

**London, UK, September 20, 2022** — ThreatQuotient™, a leading security operations platform innovator, today announced a new version of ThreatQ TDR Orchestrator, the industry’s first solution for a simplified, data-driven approach to security operations. Built on the ThreatQ Platform, the continued innovation of ThreatQ TDR Orchestrator includes enhanced automation, analysis, and reporting capabilities that accelerate threat detection and response across disparate systems.

The latest research from ThreatQuotient, planned for full release later in 2022, shows signs that adoption of security automation is advancing, as budgets in this area are increasing for 98% of companies. The data also indicates that organisations have become more confident in automation itself, with over 88% of companies having some level of trust in automation outcomes compared to only 59% in the year prior. However, 98% say they have experienced problems during implementation. To support organisations with security automation solutions that are easier to use, cheaper than traditional automation tools and learn over time, ThreatQuotient has prioritised the development of ThreatQ TDR Orchestrator to enable more efficient and effective operations that can be directly measured by time savings and FTEs gained, improved risk management, and greater confidence when detecting and responding to an event.

The latest version of ThreatQ TDR Orchestrator offers the following benefits:

*   **Prioritise automation on the most important events/alerts** with context from threat intelligence and other internal and external sources. A feedback loop captures results to improve the automation flow over time.

*   **Playbooks are easier to maintain** as a result of Smart Collections which are used to abstract automation logic. Atomic Automation allows for immediate action when a complex response is not needed; and Automation Packs for vulnerability prioritisation, indicator enrichment, XDR, and more use cases coming soon, help users get started with common use cases quickly.

*   **Less training is required up front** as a result of a no-code user interface which also delivers a lower total cost of ownership over time, and enables users to rely less on their organisation’s technical resources which can be a bottleneck (e.g. waiting for internal developers to work through their backlog and write the playbook automations requested).

“Leveraging automation to do the heavy lifting and cut through the noise is vital to helping cybersecurity teams thrive under pressure. ThreatQuotient continues to innovate in a way that drives meaningful operational benefits to customers,” says Leon Ward, Vice President of Product Management at ThreatQuotient. “Many process-based SOAR platforms are designed such that only security engineers and analysts have the skills necessary to use them directly; making these traditional platforms hard to implement and maintain which drives higher costs over time. This ThreatQ TDR Orchestrator release reinforces the need for no-code solutions that empower operators to adapt to dynamic threat landscapes faster, and focus their energy on security operations workflows that provide critical business context.”

In an environment where security operations employee turnover is high, ThreatQuotient’s platform is well suited for increasing the number of people who know how to develop and maintain automation playbooks. ThreatQ’s data-driven approach means that anyone with business context can understand and maintain workflows, making teams more nimble and resilient. Additionally, Atomic Automation works at the "atomic" or lowest level, allowing an analyst to automate a single action or string of a few simple actions without needing a complex playbook. This enables analysts to pull data or push actions without actually needing to pivot from UI to UI for each of the products involved.

To learn more about ThreatQ TDR Orchestrator, register for ThreatQuotient’s upcoming webinar, ThreatQ Cyber Forum on ROI, taking place live on Wednesday 21st September at 10:00 am GMT. For a first-hand look at how ThreatQ, ThreatQ TDR Orchestrator, and ThreatQ Investigations can support your organisation’s security goals, register for the ThreatQ Online Experience, a unique interactive tour.

**About ThreatQuotient**

ThreatQuotient improves security operations by fusing together disparate data sources, tools and teams to accelerate threat detection and response. ThreatQuotient’s data-driven security operations platform helps teams prioritise, automate and collaborate on security incidents; enables more focused decision making; and maximises limited resources by integrating existing processes and technologies into a unified workspace. The result is reduced noise, clear priority threats, and the ability to automate processes with high fidelity data. ThreatQuotient’s industry leading data management, orchestration and automation capabilities support multiple use cases, including incident response, threat hunting, spear phishing, alert triage and vulnerability prioritisation, and can also serve as a threat intelligence platform. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe, MENA and APAC. For more information, visit www.threatquotient.com.

ThreatQuotient Enhances Data-Driven Automation Capabilities With New ThreatQ TDR Orchestrator Features

Overall SASE Spend on Pace to Top $6 Billion in 2022.

REDWOOD CITY, Calif., Sept. 20, 2022 /PRNewswire/ — According to a recently published report from Dell'Oro Group, the trusted source for market information about the telecommunications, networks, and data center industries, the strong enterprise appetite for network and security transformation drove robust growth in SASE related SD-WAN networking and security service edge (SSE) security technologies.

"Even in an environment of macro-economic angst, enterprises continued to strategically invest in SASE technologies to secure and improve connectivity for cloud-based apps and hybrid work," said Mauricio Sanchez, Research Director, Network Security, and SASE & SD-WAN at Dell'Oro Group. "Both SASE's components, SSE and SD-WAN, saw more than 30 percent growth, showing enterprises value SASE's network and security transformation benefits."

Additional highlights from the 2Q 2022 SASE & SD-WAN Quarterly Report:

*   The SASE market has over 35 vendors, with the top 11 representing 80 percent of the market by revenue.
*   The top 4 overall SASE vendors, Broadcom/Symantec, Cisco, Palo Alto Networks, and Zscaler (in alphabetical order), represented 50 percent of the market by revenue.
*   The top 3 SASE security (also known as SSE) vendors, Broadcom/Symantec, Cisco, and Zscaler (in alphabetical order), represented 60 percent of the market by revenue.
*   The top 3 SASE networking (also known as SD-WAN) vendors, Fortinet, Cisco, and VMware (in alphabetical order) represented 50 percent of the market by revenue.
*   SSE use cases with the most vigorous growth were zero trust network access (ZTNA) and firewall-as-a-service.
*   SD-WAN hardware demand continued to outstrip supply.
*   Unified SASE grew twice as fast as disaggregated SASE.

**About the Report**

The Dell'Oro Group SASE & SD-WAN report includes manufacturers' revenue covering the SASE and Access Router markets. In addition, the report analyzes the SASE market from two perspectives, technology (SD-WAN networking and SSE security) and implementation (unified and disaggregated). The report also provides unit information for the Access Router market. To purchase this report, please contact us at \[email protected\].

**About Dell'Oro Group  
**Dell'Oro Group is a market research firm that specializes in strategic competitive analysis in the telecommunications, enterprise network, data center infrastructure, and network security markets. Our firm provides in-depth quantitative data and qualitative analysis to facilitate critical, fact-based business decisions. For more information, contact Dell'Oro Group at +1.650.622.9400 or visit www.delloro.com.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SASE Bucks Economic Uncertainty With Over 30% Growth in 2Q 2022, According to Dell'Oro Group

The balance of deploying secure applications vs. time to market continues to be the biggest risk to organizations.

AUSTIN, Texas, Sept. 20, 2022 /PRNewswire/ — Invicti Security™, an application security leader for over 15 years, today released a new white paper, "Automated Application Security Testing for Faster Development," from independent industry analyst firm Enterprise Strategy Group (ESG). The report covers how Invicti customers are cost-effectively incorporating security into their development processes to secure their applications.

Organizations have been challenged in adapting their application security strategies and solutions as they undergo digital transformation for faster development cycles. As organizations migrate workloads to the cloud, they speed up development but also increase the risk of security vulnerabilities as application development and security teams clash on priorities. In fact, an earlier ESG study found that 48% of developers push vulnerable code in order to meet deadlines.

Traditional application security solutions haven't worked well to scale with modern development because they are costly to deploy and manage, they raise too many alerts and false positives, and they don't work in modern development workflows.

_Download the report to **view the full findings and insights.**_

**Join Invicti Chief Product Officer Sonali Shah and on October 13 for a live webinar to discuss the report findings and insights. Register here.**

The report describes how:

*   With the move to the cloud, organizations need a seamless solution that gives them protection and coverage for all of their applications, not just certain business-critical applications. Otherwise, simple coding mistakes can leave them vulnerable to attacks that could compromise company or customer data.
*   A leading television service network serving 26 million viewers has deployed Invicti to help them deliver secure applications on time, enabling them to innovate while protecting information collected online, particularly the personally identifiable information (PII) of viewers and staff, as well as its own company data and intellectual property.
*   A global travel and vacations company uses Invicti to cost-effectively automate security testing for applications across its portfolio of companies, enabling developers to fix security issues within their workflows.
*   Invicti customers also reported time and cost savings with fewer security incidents and teams working more efficiently with security integrated with developer workflows.

"With the increasing speed of development, companies need fast, seamless security solutions that integrate extremely well with developer workflows and tools, so they can bridge the gap between developer and security team priorities and needs," said Sonali Shah, Chief Product Officer at Invicti. "Dynamic application security testing (DAST) is the best-positioned tool to reduce the risk of pushing out vulnerable web applications without burdening developer teams or slowing them down."

"The development lifecycle is an intricate process that requires many pieces and technologies to be successful. Adding security as an afterthought to this process is proven to create points of exposure for organizations," said Melinda Marks, Senior Analyst at ESG. "With Invicti's approach to application security, security experts can help developers infuse secure practices into their development processes so that security enables innovation instead of slowing things down or blocking it."

**About Invicti Security**

Invicti Security – which acquired and combined respective DAST leaders Acunetix and Netsparker – is transforming the way web applications are secured. An AppSec leader for more than 15 years, Invicti enables organizations in every industry to continuously scan and secure all of their web applications and APIs at the speed of innovation. Invicti provides a comprehensive view of an organization's entire web application portfolio, and powerful automation and integrations enable customers to achieve broad coverage of thousands of applications. Invicti is headquartered in Austin, Texas, and serves more than 3,600 organizations of all sizes in more than 70 countries. For more information, visit our website or follow us on LinkedIn.

Invicti Security and ESG Report on How Companies are Shifting for Higher Quality, Secure Application Code

Assessment tool instantly generates a detailed report breaking down a company’s current network security maturity and recommended next steps.

**HALIFAX, NOVA SCOTIA — September 20, 2022 —** Byos (www.byos.io), the edge microsegmentation company dedicated to helping organizations protect themselves from the risk of ubiquitous remote, guest, and internet of things (IoT) network connectivity, announced today the release of the Byos Network Security Maturity Assessment: a free tool that details actions and technologies to improve an organization's security posture. Developed by a team of network security industry veterans and consultants, the tool scores a company's current network security maturity via a 15-minute survey and provides a tailored set of recommendations that can be used to develop priorities, action plans, long-term budgets, and more. The Assessment tool can be found at: https://www.byos.io/network-security-maturity-assessment-welcome.

“We saw a real need for a way to get a baseline set of recommendations without having to bring in outside consultants,” said Matias Katz, founder and chief executive officer at Byos. “That process can be long, expensive, and difficult to justify. We wanted our tool to give companies access to actionable advice without all the costs and distractions of the traditional way of doing it. Because that meant that it almost never got done.”

The Byos Network Security Maturity Assessment uses a 29-question survey covering general network security, managing access, lateral movement, and risk/threat assessment. Respondents rate their agreement with each question on a five-point scale, and the tool uses this data to calculate their network security maturity level across each category. The Byos Network Security Maturity Assessment then leverages its extensive recommendation database — built on NIST and CIS recommendations and insight from the network security veterans who developed the tool — to generate a report tailored to the company's strengths and weaknesses and suggest actionable next steps.

“Byos was committed to building a high-quality tool from the very start,” said Caston Thomas, lead consultant on the Assessment and chief executive officer at InterWorks, LLC. “I am amazed a vendor could be so confident in its technology that it would release a free tool without any bias toward its products. We developed the assessment to help any size organization gain perspective to improve their network security without having to hire expensive consultants.”

The launch of the Byos Network Security Maturity Assessment continues this legacy, using technology to allow companies to rapidly evaluate the strength of their cybersecurity strategy.

To learn more about Byos Network Security Maturity Assessment — or to start using the tool today — visit https://www.byos.io/network-security-maturity-assessment-welcome.

**About Byos**

IoT, mobile devices, “the cloud,” working-from-home, and video streaming have all radically changed how the internet works. That growth and complexity is accelerating. Yet there is little difference in how internet security operates from the time when it was originally built almost 50 years ago.

Byos is stepping up the challenge to create a new way of securing “the net,” and in doing so, is proving that network security can be simpler and, at the same time, fundamentally more secure. Simply stated, Byos makes all devices, and the network itself, invisible. Byos communicates ON the network without being connected TO the network by isolating each device on its own network of one. Even if a device is compromised by some other means, like malware from an email, Byos limits the spread.

Byos is backed by Silicon Valley investors and advisors and based in Nova Scotia. We serve customers across all industries and governmental institutions. For more information, visit www.byos.io.

Byos Releases Free Assessment Tool to Provide Companies With Tailored Network Security Recommendations

A call for federal agency "review and assessment" of cyber-safety plans at water treatment plants should better protect customers and move the industry forward.

Sparked by high-risk cyberattacks and subsequent mainstream press coverage, the federal government is moving toward new requirements for critical infrastructure cybersecurity.

A July Office of Management and Budget (OMB) memo (PDF) called for agencies across the federal government to establish specific cybersecurity "performance standards" for their respective industries — and, even more significantly, to budget for federal agency "review and assessment" of cyber-hardening plans prepared by organizations required to meet those new standards.

**Needed: Federal Review and Assessment of Plans**

This level of direct supervision extends the approach that today is applied only to the most critical national infrastructure — notably the electrical grid (regulated by the Department of Energy, the Federal Energy Reliability Commission, and the North Amerian Reliability Corp.) and oil and gas pipelines (Department of Homeland Security and the Transportation Security Administration) — across the full range of US industries that people rely on, including retail, pharmaceuticals, chemical, transportation and distribution, food and beverage, and many others.

One industry that's likely to feel this regulatory activity strongly, and see substantial changes as a result, is the water sector. Heavily vulnerable to cyberattacks, water utilities are in urgent need of refreshed — and enforced — security standards. In fact, the Biden administration recently hinted that the Environmental Protection Agency (EPA) is set to issue a new rule that would include cybersecurity in sanitation reviews of the nation's water facilities — further supporting higher standards when it comes to cybersecurity.

The stakes are high: A typical municipal water processing system filters 16 million gallons of water each day, and one successful hacker could taint the community's entire water supply. This is not a hypothetical fear — a hacking group recently managed to infiltrate a water treatment system in Oldsmar, Fla. By tinkering with the amount of lye in the water, they put an entire town at risk. And recently, the Clop ransomware gang targeted the South Staffordshire water utility in the UK. While these attacks are not always successful, the gravity of the risks has been made abundantly clear.

Despite previous attempts to improve security standards for the water sector, it remains vulnerable. Even America's Water Infrastructure Act of 2018 (AWIA), which stated that water utilities must develop emergency response plans that address cybersecurity threats as part of a broader effort to improve overall infrastructure and quality, did not significantly change the cybersecurity posture for the industry. The sector encompasses 50,000 separate utilities in the United States, most of which are small and managed by municipalities; this fragmentation, coupled with general unwillingness from operators to abandon existing practices, allowed the impetus for change to peter out.

But precedent tells us that, when done right, federal regulations can make a difference. We're already seeing progress in another vulnerable critical infrastructure sector: oil and gas. Following the high-profile Colonial Pipeline hack in 2021, the Department of Homeland Security's Transportation Security Administration (TSA) quickly released two Security Directives, with an update in 2022, doubling down on its efforts to ensure better protection for energy infrastructure nationwide. These directives emphasized credential management and access control, two things that would have helped block the ransomware attack in the first place.

Despite initial pushback from pipeline owners and operators, these first-of-their-kind TSA requirements are already leading the entire sector toward a more-protected environment. Operators are now leaning into security measures centered around proactivity and attack prevention.

**Call for Attack Prevention Leads to More Protection**

The key difference here is that the TSA directives require implementation plans for cyber _protection_, not just for incident detection and response. Once operators were required to _protect_ themselves, not just respond to events after the fact — and once the federal government was reviewing their cyber-protection plans — the oil and gas sector began to move in earnest.

And now, with the OMB's guidance to agencies, the same direct supervision of cyber protection will come to other sectors, too, including water. In other words, the movement within oil and gas is a hint at what's to come for other critical infrastructure.

The 2021 Oldsmar hack showed the world just how easy — and how devastating — an attack on a water plant can be. Regardless of historical industry norms, a clear need for better cybersecurity has emerged, and it appears that the government is prepared to move ahead more aggressively than ever. Its broad push toward better security for critical infrastructure is poised to be the catalyst that many sectors, such as water, have desperately needed.

Plant owners and operators can no longer ignore the risks; heavier regulation is a "when," not an "if." Now is the time for them to pursue better, more modern cybersecurity.

Water Sector Will Benefit From Call for Cyber Hardening of Critical Infrastructure

The investment in Salt Security underscores the fact that attacks targeting APIs are increasing.

The boom in mobile apps, cloud services, and Web applications have led to a worrying trend: Attackers are increasingly targeting the APIs that underpin them. Enterprises need tools in order to secure these data-rich connectors, and CrowdStrike's announcement that it is investing in Salt Security highlights the critical role API security plays in Web application security.

APIs – application programming interfaces – are ubiquitous in the modern enterprise. Consider the following:

*   A Web application displaying a map and location data relies on the Google Maps API.
*   An e-commerce application offering multiple payment options, such as the "Pay with PayPal" feature, is using an API.
*   Retailers use APIs to work with couriers and delivery companies to ensure package are picked up and delivered correctly.
*   Companies may send software via API. That's what Tesla does.

"APIs connect the critical data and services that drive today's digital innovation," said Roey Eliyahu, CEO and co-founder at Salt Security, in a statement.

Developers rely on APIs to connect their applications to multiple data sources and services in order to build new features and products without having to start from scratch. For example, not many organizations have the resources or data to maintain detailed maps, but they don't need to because Google Maps offers the information via an API. However, the fact that APIs have access to sensitive data and systems makes them vulnerable. If the API is somehow abused, that can expose the underlying data and result in a data breach.

A bug in the Peloton API allowed anyone to pull users’ private account data directly from Peloton’s servers, even if a user's profile was set to private. There was a similar situation involving a financial lending site, where a leaky Experian API allowed anyone to look up credit scores of someone else with only a name and mailing address.

"Enterprises are producing a massive number of APIs at a rate that far outpaces the maturity of network and application security practices," wrote Gartner analysts Jeremy D’Hoinne and Mark O’Neill in a recent "Gartner Predicts" report on API security. "Strong inventory and real-time discovery are both necessary to gain enough visibility into all APIs that the organization produces."

From a financial perspective, CrowdStrike's investment makes sense. The API security market is expected to grow 26.3% between 2022 and 2032, according to research from Future Market Insights earlier this month. Gartner estimates that API attacks will soon become the most-frequent attack vector for Web applications.

In addition to the investment, CrowdStrike says it plans to work with Salt Security on security testing to harden APIs and API discovery and runtime protection for applications.

CrowdStrike Investment Spotlights API Security

The ride-sharing giant says a member of the notorious Lapsus$ hacking group started the attack by compromising an external contractor's credentials, as researchers parse the incident for takeaways.

Uber has attributed last week's massive breach at Uber to the notorious Lapsus$ hacking group and released additional details on the attack. Researchers say the incident has highlighted the risks that can come from trusting too much in multifactor authentication (MFA), as well as unmanaged risk around cloud-service adoption.

In an update on Monday, Uber laid out the attribution: "We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so." Uber's announcement pointed to other companies that had been targeted by the notorious gang via similar techniques, including Cisco, Microsoft, Nvidia, Okta, and Samsung,

Lapsus$ has attracted considerable attention in recent months for its brazen attacks on some of the world's largest and well-known companies. One well-known tactic that the group has been known to use is co-opt MFA-circumventing tools into its attack chain.

And indeed, Uber on Monday said the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time. 

After the contractor initially blocked those requests, the attacker contacted the target on WhatsApp posing as tech support, telling the person to accept the MFA prompt — thus allowing the attacker to log in.

"The Uber breach appears to be a result of an MFA fatigue attack, also referred to as an MFA bombing attack," says Duncan Greenwood, CEO of Xage. "It’s a technique in which hackers send multiple authentication approval requests to a secondary device like a mobile phone, in hopes that a user unintentionally provides access, or grows so frustrated that they eventually approve a request." 

**Remediation Process Begins**

Once in, the attacker breached multiple internal systems, and Uber is currently in the process of doing an impact analysis, the company said: "The attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack."

The company said the attacker does not appear to have made any changes to its codebase, nor does he appear to have access to any customer or user data stored by cloud providers. The attacker did appear to have downloaded some internal Slack messages and accessed or downloaded an internal tool that Uber's finance team uses to manage invoices. Though the attacker also accessed a database of vulnerability disclosures in its platform submitted via external researchers through the HackerOne bug-bounty program, all the bugs have been remediated, Uber said.  

**Breach Shows MFA's Weaknesses**

Greenwood describes MFA fatigue attacks as being a very effective tactic for breaching target organizations. He says his company has observed attackers typically sending frequent MFA requests in the middle of the night or sending less frequent requests over a few days. 

"Either way, in traditional MFA architectures, all it takes is just one approved request for a hacker to access internal systems, from which they can further infiltrate the target organization," he says.

Uber's security practices are sure to come under scrutiny because of the breach. But the reality is that the company was the victim of practices that are common to many organizations, researchers note.

Patrick Tiquet, vice president of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception around MFA's strength as a method to secure access. 

"Although MFA adds a critical second layer of security to your accounts, the biggest misconception about MFA is that all forms are equally secure," he says.

One example of how MFA can fail is SIM card porting, aka SIM-swapping, Tiquet notes. This is where attackers port a mobile number to a SIM card or device that they control to receive SMS messages or phone calls for the target number. 

"Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets," Tiquet says. "The use of an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts." 

Security researcher Bill Demirkapi explains that another very common misconception is that standard forms of MFA — such as push, touch, and mobile — protect against social engineering. The reality is that MFA remains vulnerable to man-in-the-middle (MitM) attacks, he says.  

He notes that best practices include using phishing- and MiTM-resistant forms of MFA rather than time-based one-time passwords (TOTP), not centralizing access keys, and rotating keys regularly. On the latter point, organizations also often do not limit access keys to the minimum privileges required for the key's intended purpose.   

"Uber may not have followed best practices, but many other companies don't either," he says. "The main point I'd like to drive home is the importance of not only investing into security for your organization, but specifically investing into these best practices as well."

It should be noted that the Uber breach is not the only high-profile hit in the last few days; the same Lapsus$ hacker who claimed responsibility in that incident (or at least someone using the same "Teapot" alias that the Uber hacker used) now appears to have also breached Take-Two Interactive's Rockstar Games, posting videos of an early development copy of the Grand Theft Auto 6 video game. In a message, the company acknowledged the breach and said it was "extremely disappointed" to have details of the game leaked in advance of its release.

**Cloud Service Adoption Increases Risk **

MFA is not the only weak link for many companies. At a higher level, breaches like the one at Uber show the impact that rapid cloud services adoption and distributed work models are having on enterprise security strategies, says Russell Spitler, co-founder and CEO of Nudge Security. 

The move to a more distributed model has increased enterprise reliance on asynchronous communications tools such as Slack and WhatsApp in business-critical environments, he says. The rapid adoption of SaaS has created an unmanaged risk in the form of complex integrations between poorly managed services.

"The recent breach at Uber points to the fact that security orgs are outpaced by the sprawling complexity of modern, distributed IT environments and sprawling digital supply chains," Spitler notes. "This complexity creates opportunities for even the most novice of threat actors to gain access using compromised credentials and \[finding\] their way to critical assets."

Uber: Lapsus$ Targeted External Contractor With MFA Bombing Attack

The Take-Two Interactive subsidiary acknowledges an attack on its systems, where an attacker downloaded "early development footage for the next Grand Theft Auto" and other assets.

Rockstar Games, a subsidiary of Take-Two Interactive Software, today confirmed that an unauthorized third party had downloaded files and videos for its flagship game Grand Theft Auto 6 following the posting over the weekend of scores of video clips to an online forum.

More than 90 video files — since removed — were posted at 3:26 a.m. on Sunday, Sept. 18, to the GTAForums. Several forum users considered the videos to be authentic, and the forum administrators appeared to confirm that that data was stolen when they pulled down the files and posted a warning for forum members to not share media or links to copyrighted material.

By early Monday, Take-Two Interactive had confirmed the breach in a corporate filing with the Securities and Exchange Commission.

"Rockstar Games recently experienced a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from its systems, including early development footage for the next Grand Theft Auto," the company stated in the filing. "Current Rockstar Games services are unaffected. We have already taken steps to isolate and contain this incident."

The breach is the latest attack on gaming companies. In June 2021, game giant Electronic Arts suffered a massive breach, with cybercriminals stealing nearly 800GB of source code and data from the firm. The breach followed an attack on CD Projekt Red, the maker of the Witcher games and Cyberpunk 2077, which resulted in the theft of internal data and source code.

Game companies are not the only group being targeted — attackers are also focused on gamers. Players of the top 28 games encountered more than 380,000 instances of malware and unwanted files the 12 months ending in June 2022, according to software security firm Kaspersky Lab. Rockstar Games' Grand Theft Auto was the fourth most targeted PC game, according to the firm's analysis.

"Despite the fact that the number of users affected by gaming-related threats has dropped, certain gaming threats are still on the rise," Kaspersky researchers stated. "Over the past year, we have seen an increase in cybercriminal activity around stealers, which allow attackers to steal bank card data, credentials, and even crypto wallets data from infected devices."

**Uber-Hacker Poser**

In the Rockstar Games attack, the threat actor apparently gained access through a compromised credential. The cybercriminal used the name "teapotuberhacker," reportedly claiming to be the person behind the breach of Uber last week.

However, reliable details of the hack are in short supply. Already, fraudsters have posted a great deal of misinformation on Twitter and have reserved names similar to the hacker's on Telegram and other social media networks.

A thread on the GTAForums appears to be genuine, however. The administrators have already removed the video files and links posted by the purported hacker. Multiple posts on the GTAForums have claimed that the videos came from a developer Slack channel, which is similar to the compromise of Electronic Arts. The posted videos are dated between March 2021 and September 2022.

Take-Two Interactive and Rockstar Games played down the impact of the attack, maintaining that the development of the game will not be affected.

"Work on the game will continue as planned," the company stated in its SEC filing. "At this time, Rockstar Games does not anticipate any disruption to its current services nor any long-term effect on its development timelines as a result of this incident."

The hacker posted the videos to GTAForums early Sunday morning, stating, "Here are 90 footage/clips from GTA 6," and adding, "Its possible i could leak more data soon, GTA 5 and 6 source code and assets, GTA 6 testing build."

The attacker may not have had general access to Rockstar Games' systems, but only the communication channels used by developers. "These videos were downloaded from Slack," the poster wrote, clarifying that the source was "employee communications."

**Wall Street Fallout**

The breach initially hurt Take-Two Interactive's stock price (NASDAQ: TTWO), but the company's assurance that the game's launch date would not be delayed seemed to assuage investors, and the stock rose slightly by late afternoon. The company has actually not yet announced the game's official release data, but reports have pegged mid- to late-2024 as likely.

"We are extremely disappointed to have any details of our next game shared with you all in this way," the company said in a statement posted on Twitter. "Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations."

Rockstar Games Confirms 'Grand Theft Auto 6' Breach

Pool controllers exposed to the Internet with default passwords let threat actors tweak pool pH levels, and potentially more.

After the hacktivist group GhostSec bragged it had breached a hotel pool controller in Israel, a team of researchers decided to take a deep dive. 

The cyberattack group didn't provide details about the operational technology (OT) breach, but researchers at Otorio found two Aegis II controllers exposed to the Internet with default passwords. The Aegis II controller is used to control the chemical concentration in water in locations such as pools. 

Last week, GhostSec first claimed it breached 55 Berghof programmable logic controllers (PLCs) across Israel. On Sept. 10, the group claimed it had control over an unidentified hotel's pool water system. 

GhostSec warned in a posted message that while it has control of the pool's pH and chlorine levels, it wasn't interested in using the access to harm innocent people. The threat actors simply wanted to demonstrate the kind of damage they could do, the post added. 

"Our research found two pool controllers that could be affected," the Otorio report said. "While we do not know for certain, it appears that the most likely aim of the breach was for the attackers to demonstrate that they had the ability to control the water's pH in the hotel's pools as GhostSec's Telegram message alleged."

The researchers noted that the incident underscores the potential dangerous real-world implications of OT cyberattacks. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattackers Make Waves in Hotel Swimming Pool Controls

If we know a user is legitimate, then why would we want to make their user experience more challenging?

Years ago, I had to get hold of a personal document that I needed from a government office. I had brought with me all of the documentation that I was told I needed, but there was an issue — a bureaucratic technicality that rendered one of the pieces of documentation invalid in the eyes of the clerk.  

I tried to argue that if we zoomed out and looked at the big picture, it was clear that I was me and entitled to my own document. The clerk would not hear of it, though, and replied, "It should not be easy to get this document." I did not agree and quipped, "It should be easy to get this document if one is entitled to it." Unfortunately, that remark did not get me the document, and I was forced to return another day.

The reason I am sharing this story with you is because it can teach us an important lesson about balancing fraud and user experience. My example illustrates how off-base the conventional wisdom is that says making something harder for a legitimate user to get reduces risk. If a user is legitimate, and if we know they are legitimate, then why would we ever want to make their user experience more challenging?

All that does is introduce another kind of risk — the risk that the user will give up and go elsewhere to get what they need. I didn't have the option of going elsewhere when I needed my document from the government. The users of your online application, on the other hand, very much do have that option in most cases. It is worth thinking about how user experience can be balanced against the need to detect and mitigate fraud losses.

Here are five ways enterprises can improve their fraud detection capabilities in order to better balance fraud detection and user experience.

**1\. Device Intelligence**

I am often surprised by how many fraud rules focus on IP addresses. As you know, IP addresses are trivial for a fraudster to change — the minute you block them from one IP address, they move on to another. The same goes for blocking entire countries or ranges of IP addresses — it is trivial for a fraudster to bypass that. Focusing on IP addresses creates unreliable rules that generate a huge volume of false positives.

Reliable device identification, on the other hand, is entirely different. Being able to identify and track end-user sessions via their device identifiers, rather than their IP addresses, enables fraud teams to hone in on devices that are interacting with the application. This allows for fraud teams to perform a variety of checks and analyses that leverage device identification, such as looking for known fraudster devices, looking for devices that log into a relatively high number of accounts, and other methods.

**2\. Behavioral Intelligence**

It can be quite difficult to differentiate between legitimate users and fraudsters at layer 7 (the application layer) of the OSI model. Moving up to layer 8, or the user layer, however, makes that differentiation much more plausible.

In most cases, legitimate users and fraudsters behave differently within sessions. This is mainly because they have different objectives and levels of familiarity with the online application. Studying end-user behavior gives enterprises another tool they can use to more accurately differentiate between fraud and legitimate traffic.

**3\. Environmental Intelligence**

In many cases, environmental clues (the environment being where the end user is coming from) exist that can help a fraud team differentiate between fraud and legitimate traffic. Having insight into and properly leveraging these environmental clues takes some investment, though it pays huge dividends when it comes to more accurately detecting fraud.

**4\. Known Good User Identification**

As organizations get better at understanding what fraudulent traffic looks like, they also reap another benefit: They become better at identifying what good traffic and what known good users look like. In other words, if I can be reasonably confident that the session in question and the end user navigating it are both good, I can be reasonably confident that I don't need to pile on tons of friction in the form of authentication requests, multifactor authentication (MFA) challenges, or otherwise.

**5\. Session Focus**

Some teams focus somewhat myopically on transactions. That is a bit like trying to see the beauty of the ocean through a straw. True, you can see a portion of the ocean, but you miss most of it. Similarly, looking across the entirety of the end-user session, rather than at individual transactions or groups of transactions, is a great way to more accurately separate fraudulent traffic from legitimate traffic. The techniques mentioned above, along with others, all work far better with a broader, more strategic view of what is going on.

**Reduce the Friction**

Enterprises do not need to choose between effective fraud detection and ease of use. It is possible to manage and mitigate risk without introducing additional friction to your end users as they journey through your online applications. The time has come to throw out the conventional wisdom that says otherwise.

Source

DARKReading