Conti's ransomware attack cripples Costa Rica's Treasury, sparking the US to offer a $15M bounty on the group.

Newly elected Costa Rican president Rodrigo Chaves has declared a state of national cybersecurity emergency after weeks of fallout from a Conti ransomware attack that has crippled the country's government and economy. 

The Ministry of Finance was one of the initial targets on April 18, but other Costa Rican government agencies were also affected, including the Ministry of Labor and Social Security; the Ministry of Science, Innovation, Technology and Telecommunications; the National Meteorological Institute, and more. 

Costa Rica's Treasury has been without digital services since the attacks started, slowing the country's private sector's ability to do business, according to local reports from AmeliaRueda.com.   

Conti reportedly demanded $10 million in ransom from Costa Rica in exchange for not releasing the data exfiltrated from the Ministry of Finance, which the government declined to respond to, Swissinfo reported. 

In an effort to help stop Conti's brutal ransomware attacks on Costa Rica and others, the US is offering a $15 million reward for any information leading to the identification and arrest of the group's leaders. In a statement, the State Department said that as of January, there had been more than 1,000 Conti victims, with payouts exceeding $150 million, making it the costliest strain of ransomware ever documented.

"In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cybercriminals," the announcement of the reward said. "We look to partner with nations willing to bring justice for those victims affected by ransomware."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Costa Rica Declares State of Emergency Under Sustained Conti Cyberattacks

When you find yourself the target of a narcissist, familiarize yourself with their tactics and learn how to survive.

Security professionals face a lot of challenges, whether dealing with adversaries trying to breach networks or employees who may be malicious or negligent when it comes to security policy. It's vital that your team and organization feel confident in your ability to do your job and trust your professional intentions so that you can lead — and that hard job gets harder if you have to deal with a narcissist.

Narcissism — more specifically, narcissistic personality disorder (NPD) — is a serious problem, and I don't mean to imply people who have it are inherently mean. While I'm not a mental health professional, I have been the target of a narcissist more than once, both personally and professionally. Through those difficult experiences, I've learned a few things about how to handle a narcissist. Although this isn't exclusive to security, it is an important career topic, and I'd like to share those tips with you in this piece.

**What Is Narcissistic Personality Disorder?**  
First off, if you aren't familiar with narcissism and NPD, there is plenty of reading material from a number of reliable and reputable sources on the topic. I encourage you to read about it to better educate yourself. In particular, I have found articles explaining manipulative tactics used by narcissists to be the most helpful. You may recognize certain behaviors you've experienced in the past and begin to wonder whether you were dealing with a narcissist.

It might surprise you to learn that somewhere between 1% and 5% of the general population has NPD. That means that most of us likely know someone who has it. If that is the case, you might ask, why are so many people unfamiliar with the issue? There are many reasons why, though the narcissist's ability to present favorably in public, recruit and co-opt support, lie without thinking of it as wrong, manipulate situations, and punish their targets privately behind closed doors is a big part of it.

Before we get into how to handle a narcissist, it is helpful to familiarize yourself with a few of the tactics narcissists may use:

1.  Lying
2.  Manipulating
3.  Gaslighting (deliberately presenting false narratives to someone, leading them to doubt their perceptions and question their sanity)
4.  Impression management (charming others in an attempt to recruit and co-opt support)
5.  Vilifying the victim/playing the victim (attempting to make it seem like the victim is the aggressor and vice versa)
6.  Projection (projecting what they do onto others and accusing them of doing it)
7.  Abusive tactics (belittling, bullying, attacking, criticizing, raging, ridiculing, and mocking, among others)
8.  Burden of proof (you need to prove your statements, but they do not need to prove theirs)
9.  False compromise (presenting the idea of compromise when there are clearly sensible and nonsensible choices)
10.  Future faking/empty promises
11.  Slogans (catchphrases intended to shut down all discussion)
12.  Deflection, diversion, and evasion (when cornered, caught in a lie, asked a difficult question, or confronted with a difficult situation)
13.  Emotional blackmail (leveraging something you crave, such as praise or acknowledgment, and withholding it until you do what they want)
14.  Silent treatment (a form of rage that involves complete withdrawal from the conversation)
15.  Moving the goalposts (no matter how much you do or how hard you work, you can never achieve anything or be good enough since the metrics keep changing)

There are many more destructive tactics that narcissists employ, though these should give you the general idea.

**5 Ways to Deal With a Narcissist**  
Now that you have a better idea of what you're up against, what can you do when you become the target of a narcissist? Unfortunately, not as much as you might hope. That being said, here are my top five tips. (These tips work when you're targeted by anyone who intends you harm, but they're particularly vital when that person might not even see what they're doing as wrong.)

**1\. Document everything:** Write everything down. Narcissists are skilled liars and manipulators. They have no problem telling you something and then later denying they said it. They also have no problem telling others that you said something you didn't, quoting you out of context, or twisting your words. It is preferable to communicate with a narcissist in writing only, though if you need to communicate verbally, ensure there are witnesses and send out written summaries immediately afterward.

**2\. Disengage:** A narcissist wants you to engage emotionally. That is one way they get you to lose focus on what is important and drag you into an argument. Do not engage with them emotionally on anything. Nothing good will come of it as they lack true empathy, even though they might be good at faking it.

**3\. Stay on topic:** Ignore the bait thrown at you continuously. Stay focused on the topic at hand and do not respond to tactics designed to get you off topic and drag you into (yep, you guessed it) an argument.

**4\. Know you are not alone:** You are far from the only victim of a narcissist. Unfortunately, it is difficult for victims of narcissists to network and share experiences, as the narcissist and their co-opted accomplices will work tirelessly to shut down any public or semi-public dialogue around the topic. Others who have been the victims of narcissists will see your struggle and will often approach you privately to share their stories and offer support. You can do the same when you're ready.

**5\. Do not expect support from the masses:** I have seen narcissists easily fool psychiatrists, psychologists, therapists, social workers, clergy, and others to the point where those individuals aren't even interested in looking at objective facts and written documentation on the situation.

**You Can Survive**  
The sad reality is that when a skilled narcissist is intent on harming you, there is no winning. But if you focus on the points above, you will survive being the target of the narcissist. While there will be pain along the way, you will emerge from the experience stronger and better for it.

Narcissism and NPD are dangerous forces in both your personal and professional worlds. They create difficult situations that are hard to remedy. Narcissists tend not to seek therapy because they generally lack the self-awareness required to know that they need mental help. At the same time, those recruited and co-opted by narcissists are, by design, unable to see the narcissist for who they truly are. As such, you may find that outing a narcissist is nearly impossible and will most often result in you getting harmed rather than the narcissist.

When you find yourself the unfortunate target of a narcissist, it is much more effective to familiarize yourself with the narcissist's tactics and learn how to survive their slings and arrows. This too shall pass.

5 Tips to Protect Your Career Against a Narcissist

Cybersecurity has to be a top priority as enterprises begin incorporating the use of nonfungible tokens into their business strategies, brand-awareness campaigns, and employee-communication efforts, experts say.

A recent malware campaign that targeted online artists with a lure about lucrative nonfungible token (NFT) projects is a good indication of how threat actors are capitalizing on the snowballing interest in digital goods — and it has implications for the growing number of corporate brands trying to ride the NFT wave, too.

The campaign, which researchers from Malwarebytes observed, involved messages purporting to be from NFT project Cyberpunk Ape Executives. These were sent to digital art creators on online platforms such as DeviantArt and Pixiv, and they invited the recipients to work with the people behind the Cyberpunk Ape project to create new NFT characters. They also promised them $350 per day by way of compensation.

A link in the message directed recipients to more information about the project. When users clicked on it, they were sent to a site that downloaded multiple images of apes that purported to be examples of NFTs from the project. One of the images was an executable file, which when opened infected the user's system with an information stealer.

Malwarebytes said it observed several account holders on platforms such as Pixiv and DeviantArt complaining about their accounts being used to spam others with messages about the same Cyberpunk Ape Executive NFT project. Malwarebytes said it couldn't confirm if the information stealer itself was responsible for the account hacks or if some other form of phishing was involved.

**NFT-Related Cybercrime: A Rapidly Growing Threat  
**The campaign is one in a rapidly growing number of NFT-centric attacks, security researchers say. Most of them, for the moment at least, are aimed at people working directly in the NFT space, says Chris Boyd, lead malware intelligence analyst at Malwarebytes. "However, as more mainstream businesses adopt NFT projects or look to get involved with blockchain, it will quickly become a concern across more traditional industries," he predicts.

Analyst firms such as Gartner and Forrester already predict a world where NFTs will play a crucial part in enterprise strategies over the next few years. Gartner included NFTs in its 2021 hype cycle for emerging technologies, and it has described them as one of the technologies that could have the most significant impact on business and society over the next 10 years. The analyst firm expects NFTs will play a fundamental role in an emerging metaverse where organizations try to provide better engagement, collaboration, and connection with employees and others through immersive virtual workplaces. 

Forrester also has pointed to organizations such as insurance firm State Farm jumping into the NFT space with a football-themed treasure hunt as an example of how a quickly growing number of enterprises are experimenting with nonfungible tokens.

Harvard Business Review earlier this year described initial enterprise efforts around NFTs as focused on launching their own digital collectibles — such as Campbell's soup can art. HBR predicts that in the next few years, NFTs could become the "central digital touchpoint" between enterprises and their customers.

**A Variety of Attacks  
**Boyd says Malwarebytes researchers have been observing a variety of NFT and cryptocurrency threats daily. 

"The most common attacks try to trick cryptocurrency enthusiasts into handing over their wallet’s recovery phrase," he says. Users who fall for the scam often stand to lose access to their funds permanently, he says. "Bogus Airdrops, which are fake promotional giveaways, are also common and ask for recovery phrases or have the victim connect their wallets to malicious Airdrop sites, he adds, noting that many fake Airdrop sites are imitations of real NFT projects. And with so many small unverified projects around, it’s often hard to determine authenticity, he notes.

Oded Vanunu, head of product vulnerability at Check Point Software, says what his company has observed by way of NFT-centric attacks is activity focused on exploiting weaknesses in NFT marketplaces and applications. 

"We need to understand that all NFT or crypto markets are using Web3 protocols," Vanunu says, referring to the emerging idea of a new Internet based on blockchain technology. Attackers are trying to figure out new ways to exploit vulnerabilities in applications connected to decentralized networks such as blockchain, he notes.

Over the last few months, Check Point Research has observed attacks that try to trick the user to provide NFT platform or wallet access, and those that target NFT marketplace vulnerabilities to access NFTs belonging to digital artists. 

Check Point has also observed attacks involving the use of malicious NFTs to exploit platform vulnerabilities, Vanunu says. He says organizations that hold NFT assets or crypto assets need to be aware of these threats. Enterprise users who access NFT marketplaces using their company-issued device could also put their organizations at risk, he says.

The increase in NFT-centric scams also shows how attackers are leveraging the new and relatively unknown in attacks against victims, notes Hank Schless, senior manager security solutions at Lookout. Many are purchasing NFTs with cryptocurrency without fully understanding the underlying mechanisms, he says. For example, "people who are new to NFTs might not understand how to validate that the digital asset they’re looking at is the real thing," he says.

Attackers can take advantage of this lack of knowledge to trick people into bidding on fake NFTs, for instance. This can especially be an issue with more expensive NFTs, where a principal bidder or purchaser might offer fragmented ownership of an NFT to a large group of buyers. 

"These group purchases are usually coordinated over social-media platforms like Twitter, Reddit, and Discord, which give an attacker access to a large number of potential victims," Schless says. While most NFT scams continue to be consumer-focused, an attacker could easily use an NFT lure to deliver malware to a corporate device and gain access to corporate data, he says.

Check Point's Vanunu says it's time for organizations to improve user awareness around NFT-centric threats. Organizations with an NFT platform or crypto wallet should enforce multifactor authentication for accessing them, for one. He also recommends that they use two wallets: one that is cold — or offline — for holding all digital asses, and one just for trading with low amounts. 

That way, he says, "in case of exploitation, hackers will not be able to hijack too much."

NFTs Emerge as the Next Enterprise Attack Vector

The CSM by Deloitte platform includes cloud security policy orchestration, cyber predictive analytics, attack surface management, and cyber cloud managed services.

NEW YORK, May 9, 2022 /PRNewswire/ -- To help U.S. executives concerned about visibility into the security of their cloud workloads and applications, Deloitte has expanded existing capabilities to launch Cloud Security Management (CSM) by Deloitte. The platform of services and solutions includes cloud security policy orchestration (CSPO), cyber predictive analytics, attack surface management and cyber cloud managed services (CCMS) – all of which can be applied in Google Cloud, Microsoft Azure and other public clouds alone, or in multi-cloud environments.

"We integrated newly acquired capabilities with our existing technologies and leading global security services to help our clients secure and enhance their cloud environments more efficiently and effectively," said Vikram Kunchala, Deloitte Risk & Financial Advisory Cyber Cloud leader and principal, Deloitte & Touche LLP. "We worked to ensure our platform integrates and operates with the major cloud providers' security capabilities so that our clients can more easily scale their cloud security programs and apply security throughout the systems development lifecycle – even when non-standard security requirements are involved. Building upon the strength of the CSM by Deloitte platform, we plan to expand it over time as client demands change and the technology landscape evolves."

Deborah Golden, Deloitte Risk & Financial Advisory Cyber and Strategic Risk leader and principal, Deloitte & Touche LLP said, "While many are eager to accelerate cloud adoption in a secure, resilient and agile manner, that process is not always easy or simple – particularly when digital transformations occur at various stages, multiple cloud environments are involved, and regulatory compliance requires a variety of shared infrastructure situations, inclusive of third-party requirements. Whether organizations want to leverage our advanced technologies or large practice of highly skilled cyber specialists – or both – CSM by Deloitte acts as a potential change agent for organizations that want to operate confidently and securely in the cloud environment even as that threat landscape evolves."

The CSM by Deloitte platform initially includes:

*   A **CSPO solution** offering continuous, cloud-native, multi-cloud security posture monitoring and policy application. Leveraging a comprehensive set of industry-specific policies provided in the form of policy-as-code, the solution can be customized and managed via GitOps to serve as the "single source of truth" for policy enforcement while also making it easier for DevSecOps teams to include security earlier in product development.
*   **CCMS** include end-to-end cloud security design, 24x7x365 operations support, as well as multiple specialization modules. Clients can apply one, some or all modules to their environments, including identity and access management, infrastructure and network security, detection logging and monitoring, data protection, infrastructure and network security, threat and incident response, endpoint protection as well as DevSecOps, automation and orchestration.
*   **Cyber predictive analytics** that leverage models trained on attack simulations and real-world data to quickly comb through petabytes of data, surfacing threats that might otherwise be missed. Through automated threat hunting and detection, actionable risk metrics are combined and accessible through an interactive, persona-driven suite of dashboards.
*   **Attack surface management** functionality incorporates the results of continuous testing through managed services and intelligent automation into threat detection and response activities. Asset identification, service fingerprinting and vulnerability scanning help users define specific risk areas, identify high priority security and compliance issues and orchestrate remediation efforts.

**About Deloitte**  
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today's marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's more than 345,000 people worldwide connect for impact at www.deloitte.com.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

SOURCE Deloitte

Deloitte Launches Expanded Cloud Security Management Platform

Despite what it may feel like when you're in the trenches after a security incident, the world doesn't stop moving. (Part 3 of a series.)

_Click here to read Part 1, "What Do You Do When It Hits the Fan?" and Part 2, "What Will the Public Hear When You Say You've Been Breached?"_

Even when cybersecurity investigations after an incident are ongoing and you won't have all the answers upfront, it's still important to communicate what you can as early as possible and as often as possible. Communication is integral to successful incident response and the endurance of a brand's reputation. The main reason it's important to divulge as much as possible as soon as possible is that brands can die after a security incident if a third party (such as the press or customers) was the first to break the news of the incident.

Even if you don't have all of the answers, it's better that any new information comes from your organization and not the press or third-party groups. Again, show empathy and ownership every step of the way. Keep anyone who is potentially affected — customers, vendors, third parties — updated on an ongoing basis about technical findings, results, and impact. Offer these people helpful and relevant resources and support.

**What Happens After a Security Incident?  
**Information sharing can heal even the deepest wounds; companies that are advised (by lawyers or others) to keep as much as they can under lock and key are, frankly, short-sighted. Sharing threat data and information needs to happen in a clear and concise way. With whom and how this information is shared should be discussed and agreed upon with lawyers **_before_** any major incident occurs. Don't be afraid to share technical details and the steps your security team is taking to investigate and avoid these vulnerabilities in the future. You might consider sharing technical details such as events to look out for, CVEs, or indicators of compromise. These details are extremely valuable because they can help customers get ahead of the incident and take their own remediation steps.

**Final Thoughts  
**Despite what it may feel like when you're in the trenches after a security incident, the world doesn't stop moving. If you've publicly announced a breach, other cyber adversaries don't magically disappear. There are still threats looming, possibly waiting to attack your infrastructure while it's at its weakest. After a security incident, it can be easy to forget about our defenses against everything else, but set up a system to make sure this doesn't happen. Ensure you're monitoring for additional nefarious activities. Make sure your team members get regular rest breaks (tired people make mistakes!). Nutrition and hydration matter just as much as sleep.

Second, it's important to note cyber adversaries typically don't break in, they log in. This is certainly the case for Lapsus$ and other similar threat groups. They can compromise credentials through a variety of methods and log in to most networks and applications. Security teams should shift their focus from purely _preventing_ credential compromise to _tracking_ user behavior so that anomalies can be quickly identified and acted upon. Thanks to modern tools that utilize machine learning or behavior analytics layers, there is little to no burden on the analyst.

Lastly, big breaches can take years to clean up and settle in court. The true cost of security and privacy failures is underreported — I'd venture to say it's probably double or triple what you read in the news — both in terms of cost and time to remediate. Although stock prices usually don't change after a breach, it is most certainly more difficult to sell a product or service for a year or so. Develop the right relationships — with sales, marketing, legal, comms, executives, and stakeholders — long before a cyberattack takes place.

Security Stuff Happens: Where Do You Go From Here?

In the next 10 years, public-key encryption needs to be replaced by post-quantum techniques that can stand up to the new challenges.

Within a decade, the growth of powerful quantum computers will lead to a new era in security, in which once-impenetrable public-key techniques like RSA and ECC will fall to higher levels of brute force. Such techniques need to be replaced by post-quantum cryptography that can stand up to the new challenges.

That's according to an intelligence brief from research company PreScouter. The brief, titled "Quantum Computing and Cybersecurity: Preparing for Post-Quantum Cryptography," says the global quantum computing market will grow from $472 million in 2021 to $1.765 billion by 2026. As the technology spreads from research labs to the cloud, the likelihood of it getting used to defeat current encryption methods rises to near certainty. Indeed, the Biden administration just issued two directives to prepare US government and businesses against future quantum cyberattacks.

"Hackers are currently unlikely to have the resources to develop quantum computing systems," the PreScouter brief states. "However, the emergence of general-purpose quantum computing will be available in the cloud as an infrastructure platform like a service, making it affordable for a wide range of users with current technological capabilities." IBM added its Quantum Cloud service back in 2017, and today users can rent time on a quantum computer from more than a dozen vendors, including Azure and AWS.

Numerous groups have been working on post-quantum cryptography for years, including European Telecommunication Standards Institute (ETSI), the European Union Agency for Cybersecurity (ENISA), and the International Organization for Standardization (ISO). In the US, NIST initiated its post-quantum work back in 2016. This foresight is necessary, PreScouter says, because replacing encryption algorithms requires many steps, so the sooner we get started, the better.

The brief notes that while hackers might not be breaking into OT systems and medical devices by 2030, we need to have post-quantum cryptography implemented by then to stave off such attacks. Algorithmic approaches to post-quantum cryptography include lattice-based, hash-based, isogeny-based, multivariate, and code-based systems.

Download the brief in full from PreScouter.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Post-Quantum Cryptography Set to Replace RSA, ECC

An unauthorized employee accessed Ikea's customer database, but it's unclear what the intention was.

Ikea Canada has confirmed that an employee compromised a database of 95,000 Canadian customers. 

The employee performed unsanctioned searches of the database between March 1 and 3, Kristin Newbigging, public relations leader at Ikea Canada, explains to Dark Reading. She adds that no banking information was exposed during the unauthorized system access.

However, personally identifiable information was compromised, according to reports. That includes customer names, email addresses, phone numbers, and postal codes, along with IKEA Family loyalty program numbers in some cases.

"We have proactively notified the Office of the Privacy Commissioner of Canada about this incident, as well as any applicable customers," Newbigging adds. "We have also reviewed and updated internal processes to prevent such incidents in the future." 

The company said there is no action required by Ikea customers, and that the company took "steps to prevent the data from being used, stored, or shared with any third parties."  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ikea Canada Breach Exposes 95K Customer Records

The attack may have been "a major wake-up call" about the need for greater resilience in IT environments, but have security teams hit the snooze bar one too many times?

Cybersecurity experts have warned about vulnerabilities within the critical infrastructure for years. It came to fruition in May 2021, when Colonial Pipeline was hit with a ransomware attack. The response, of course, was the company temporarily shut down oil and gasoline delivery, which resulted in major panic and shortages all over the East Coast.

"The Colonial Pipeline attack was a major wake-up call to improve cyber defenses for critical infrastructure," says Tom Badders, senior product manager at Telos. "The attack vector for ransomware has typically been targeted to information technology networks. This was the first major attack on an operational technology network."

The attack brought much-needed attention to risks to the critical infrastructure and how something as simple as a stolen password can create a national nightmare. The immediate response was to come up with ways to prevent a similar attack (and there has not been one as of yet), but over the past year, have we really learned any lessons from Colonial Pipeline? Has anything changed in the way we think about protecting our systems, particularly critical infrastructure?

**Wake-Up Call  
**The Colonial Pipeline attack offered everyone, from government officials to ordinary citizens, a glimpse into what could happen and why it is vital to have a good security team with a solid mitigation plan in place, says Willy Leichter, CMO at LogicHub.  

"In terms of wake-up calls, the Colonial Pipeline cyberattack was a good jolt of caffeine to the country," he says. "The Colonial security teams acted quickly, cautiously, and probably correctly to shut down the pipeline, although it took six days to get it back online."

But then the country hit the snooze button.

"Unfortunately, I think very little has changed," says Den Jones, CSO at Banyan Security.

Many companies still operate under the "it won't happen to me" assumption, Jones points out, and smaller organizations don't have the resources in place — or don't think they need them — to address a major cyber incident. When organizations do have security teams in place, they are spread thin.

"And perhaps worst of all," Jones adds, "organizations of all shapes and sizes haven't dramatically improved their basic security hygiene. This includes having sound, repeatable, audible processes for keeping systems patched and up to date, directory systems current, and making use of important tools like MFA. Remember, having a process doesn't mean it has to be complicated."

**Some Progress Made  
**Little change isn't the same as no change, however. There have been signs of progress in the wake of the Colonial Pipeline attack.

"Government agencies have been more active in issuing security recommendations and creating much stricter rules about breach notification," says Leichter. Days after the ransomware attack was revealed, for example, the White House released an executive order requiring improvements to federal cybersecurity efforts. At the state level, more than 250 bills were introduced that deal directly with improving cybersecurity both overall and to directly protect government entities.

In addition, operational technology security services demand has doubled since Colonial Pipeline, according to Darren Van Booven, cyber advisory practice lead at Trustwave. The increase, he says, "has mostly been driven from the board and C-level as a direct response to Colonial Pipeline. Organization leaders are calling for security system audits and assessments, ransomware protection strategies, and detection and response capabilities for advanced threats, such as cybergangs."

Another positive to come from the Colonial Pipeline attack was the public/private partnership to get the pipeline back into operational mode quickly. That effort has continued to see positive steps forward with the Biden administration's prioritization of such cooperation, codified by the Cybersecurity and Infrastructure Security Agency (CISA) when it launched the Joint Cyber Defense Collective to coordinate government and industry response to cyberattacks.

"Eighty-five percent of the nation's critical infrastructure is managed by the private sector," says Telos' Badders. "These organizations need the support of the US government to defend the country's vital infrastructure."

**The Bad Guys Are Learning, Too  
**One of the greatest challenges facing cybersecurity teams is the knowledge that threat actors have access to the same technologies and intelligence that they do.

"The Colonial Pipeline ransomware attack exposed weaknesses in the US's critical infrastructure," says Jason Rebholz, CISO at Corvus Insurance. "For nation-states such as Russia, it served as a case study on how a single cyberattack can cause devastating impacts and incite chaos. The significance of that knowledge, given the current geopolitical environment, is cause for concern."

The bad guys may also be learning another lesson: targeting US critical infrastructure was too risky. 

"Following the Colonial Pipeline attack, the DarkSide ransomware infrastructure was shut down and a portion of the ransom payment paid in Bitcoin was actually recovered," Rebholz explains. "Ransomware actors saw that they could not operate without repercussions — a clear line in the sand had been drawn."

**Where Do We Go From Here?  
**Colonial Pipeline's ransomware attack highlights the need for greater resilience in IT environments. "Security is no longer about only keeping the bad actors out but must include building a malleable environment that can withstand attacks," says Rebholz.

Moving forward in a post-Colonial Pipeline cyber environment, organizations are making adjustments. Cyber insurance carriers, for example, have implemented mandatory controls including, but not limited to, network segmentation and robust backup solutions, resulting in the number of ransomware claims requiring a ransom payment decreasing. And the concept of zero trust, with the US government's endorsement, is getting more attention as a security approach.

"This attack showed that perimeter security can be defeated with a single password," says LogicHub's Leichter. "We must have defense-in-depth that understands context \[and\] assumes that threats can come from anywhere, and security systems \[that\] have the ability to detect and respond to new attacks at any stage."

What We've Learned in the 12 Months Since the Colonial Pipeline Attack

An operational slip-up led security researchers to an attacker associated with Nigerian letter scams and malware distribution, after he infected himself with Agent Tesla.

In what can only be described as a case of karmic irony, a Nigerian scammer responsible for stealing more than 800,000 credentials from some 28,000 victims over the past several years recently infected his own machine with info-stealing malware that resulted in his identity being exposed.

Researchers from Malwarebytes got on his trail when they identified a group they track as "Nigerian Tesla" among numerous threat actors targeting Ukrainian entities. Malwarebytes had tracked the group for years initially while it was engaged in a string of so-called 419 advance fee fraud (aka Nigerian letter scams), where victims receive emails promising them a generous commission for facilitating a money transfer involving a large sum.

Over the past two years, Malwarebytes researchers had observed the threat actor switching from 419 scams to distributing Agent Tesla, a widely used remote-access Trojan (RAT) for stealing personal data from infected systems.

Malwarebytes recently identified Nigerian Tesla attempting to distribute the malware via an email with a subject header titled "Final Payment" in Ukrainian. Recipients who clicked on the link in the email were directed to a file-sharing site, which then downloaded the Agent Tesla binary to the user's system.

The attack chain involved the command-and-control server (C2) sending a message to Agent Tesla on infected systems, designed to confirm that the malware had been properly configured for remote communication. In examining the campaign, researchers detected an oddity — multiple messages containing the text "Test successful" coming from the attacker's own machine. There's only one logical conclusion: The attacker had somehow managed to self-inflict Agent Tesla malware.

A member of Malwarebytes' threat intelligence team tells Dark Reading that the threat actor made several mistakes: "The biggest one was to infect his own computer with the Agent Tesla stealer," he says. "By doing so, all the credentials from their machine, stored in common applications such as browsers, were collected and exfiltrated. In a sense, they became just another victim, but in this case of their own malware."

An examination of the test emails exposed the attacker's IP address, which then led the researchers down a path that ultimately revealed to them the attacker's real identity, address, photos, and a copy of his Nigerian driver's license.

**A Trail of Bread Crumbs**  
One of the first things Malwarebytes discovered when investigating the threat actor's IP address was that he had sent more than two dozen additional emails from the same IP address. The researchers were unable to figure how the attacker had managed to infect his own system. But the emails revealed several other services that the threat actor used as part of his attack infrastructure.

These included a service that could be used as a source for victim emails, another for extracting emails from compromised systems, file hosting and storage services, virtual private servers, and VPN and DNS services. The researchers also discovered several assumed names that the Nigerian Tesla group used in past email scams, along with numerous email accounts that were used in phishing scams and data theft campaigns.

An investigation of the emails and the personae associated with them showed that the Nigerian Tesla group had been engaged in criminal cyber activities going back to at least 2014. At that time the group was primarily engaged in 419 scams involving emails from fictitious people going by names such as Rita Bent, Lee Chen, and John Cooper. Malwarebytes found the threat making a switch to malware distribution in 2020, and identified the tools the attacker used to obfuscate their binaries and to test whether they could be detected.

During their investigation Malwarebytes researchers found a couple of photos of the individual that appeared to have started the operation, as well as the Agent Tesla-infected person's driver's license. Malwarebytes identified the individual only as "E.K" and as someone born in 1985.

Scammer Infects His Own Machine With Spyware, Reveals True Identity

Biden's executive order pushes new NIST quantum-cryptography standards and directs federal government to move toward quantum-resistant cybersecurity.

The Biden administration has issued a pair of presidential directives that establish a national policy on quantum computing and lay out a plan to protect both the government and business sectors against quantum-based cyberattacks. 

One of the directives establishes an advisory board, while the national security memorandum (NMS) orders direct the National Institute of Standards and Technology (NIST) to come up with new standards through a new "Migration to Post-Quantum Cryptography Project." The group's work will encourage public-private sector collaboration and provide a road map for IT departments to transition into a post quantum-computing world, according to the White House fact sheet on the directives. 

A White House senior administration official responsible for coordinating the NSN told reporters on a background call that although the reality of a quantum-computing threat is likely "years away," the country needs to prepare now. 

"Current research shows that at some point in the not-too-distant future, when quantum information science matures and quantum computers are able reach a sufficient size and level of sophistication, they will be capable of breaking much of the cryptography that currently secures our digital communications," the administration official said. "America must start the lengthy process of updating our IT infrastructure today to protect against this quantum-computing threat tomorrow."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading