Implement zero-trust policies for greater control, use BYOD management tools, and take proactive steps such as keeping apps current and training staff to keep sensitive company data safe and employees' devices secure.

Mobile workers are productive and often essential to a business's success, but it puts an immense amount of pressure on IT to protect the company's corporate apps and data while maintaining worker privacy.

Bring your own device, also known as BYOD, challenges corporate security protocols and IT staff to protect their intellectual property and keep hackers at bay.

**BYOD Security Risks  
**When the pandemic first hit, organizations were forced to shift from mainly supporting corporate-owned, fully managed devices to supporting personal devices used for work purposes. This abrupt move to remote work forced companies to quickly shift their networking and security capabilities, creating a large amount of risk to their organization. Without proper security measures in place, these unmanaged BYOD devices grant employees access to company resources and sensitive data, which poses a potential risk for sensitive data to be leaked, inadvertently or on purpose.

With over 58% of employees saying their use of personal devices for work purposes increased during the COVID-19 pandemic, shortcuts were destined to be taken with the quick shift to remote work and BYOD. We saw IT teams prioritizing and investing in network access capabilities rather than remote security. With 84% of survey respondents saying they didn't invest in data protection, it's doubtful their security measures increased during the duration of the pandemic. As employees start to return to the office and regain access to even more company resources and sensitive data, their use of BYOD at work could expose their company to new risks.

Here's a spring-cleaning checklist to keep your employee's devices secure for their return to office and beyond:

**Step 1: Improve your BYOD security policy.** If you don't have a BYOD security policy, create one now! For the 39% of organizations that have a formal policy in place, ask yourself if your company's BYOD security policy is restrictive or too vague and adjust as needed. Consider employee's privacy and productivity concerns when making improvements to the policy.

**Step 2: Implement zero-trust security.** With 72% of organizations around the world that have either adopted or are in the process of planning or adopting zero trust, it has become the new business standard for reliable security in our "work-from-anywhere" world. Whether you're working in the office, checking your email in the airport, or working from home, zero-trust security expands beyond a company's security perimeter. Zero trust prescribes that every resource — including devices — must be assessed for potential risks or policy violations before gaining access to corporate data, giving greater control over a BYOD environment.

**Step 3: Make use of BYOD management tools.** It's difficult for companies to manage a fleet of devices across multiple departmental disciplines and mobile device management (MDM) software can help make it simple and easy. Various core functions of MDM ensure that devices are remotely available for auditing, update over the air, that software runs effectively, and devices are available for remote diagnosis and troubleshooting. According to Markets and Markets, the MDM market is anticipated to grow to $15.7 billion by 2025.

**Step 4: Keep your apps and their components up to date.** Each day, hundreds of vulnerabilities are discovered in the mobile and web space, and patches are released regularly. Developers should incorporate these patches in their applications and encourage their users to regularly update their app and their operating systems. This ensures that hackers who try to exploit these known vulnerabilities will be unsuccessful.

**Step 5: Empower employees with information.** According to Trustlook, more than 50% of employees haven't received formal instructions for how to safely use BYOD in the workplace. One of the biggest things companies can do to make sure BYOD devices are secure is empowering employees with information to understand how their devices can be risky to the company's data and create vulnerabilities. Without understanding the cause and effect of BYOD devices to the company, employees won't value a BYOD security policy.

**Step 6: Mitigate future mobile application security issues.** Don't let the wrong mobile security strategy result in customer data being stolen or misused by a cyber scam. Encourage your employees to scan all their mobile apps whether they're for personal or business use.

**Choosing Your Path  
**Large organizations with distributed and often multinational operations need to ensure employees use the latest technologies without putting corporate data and intellectual property at risk. Hybrid and remote work are here to stay, and the demand for BYOD will continue to increase. Determine which security tools and strategies are right for your organization and start implementing them before they cost you in the long run.

Spring Cleaning Checklist for Keeping Your Devices Safe at Work

In just one month, the ransomware group's activity rose by 2,100%, a new report finds.

While on the whole the ransomware landscape remained fairly stable between March and April, a new analysis shows a sizable hike in attack activity from the CLOP ransomware group.

The NCC Group April Threat Pulse update says that the CLOP ransomware group leapfrogged from dead last to the fourth most active group for the month, a 2,100% increase over March. 

The industrial sector was most targeted in April, suffering 35% of ransomware attacks, followed by consumer cyclicals (19%) and technology (10%), according to NCC. 

CLOP appears to favor targeting the industrial and technology sector, the researchers warn. 

"The increase in CL0P's activity seems to suggest they have returned to the threat landscape," Matt Hull, global lead for strategic threat intelligence at NCC Group, said in a statement about the new ransomware group activity findings. "Organizations within CL0P's most targeted sectors — notably industrials and technology — should consider the threat this ransomware group presents, and be prepared for it." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CLOP Ransomware Activity Spiked in April

With manufacturing ranking as the fourth most targeted sector, manufacturers that understand their exposure will be able to build the necessary security maturity.

Digital transformation within the manufacturing industry, often referred to as Industry 4.0, is bringing a new world of connectivity and efficiency to modern-day factories. Smart factories incorporate new technology — such as factory automation, artificial intelligence, and the Internet of Things — at all levels of production and the supply chain. Whether robots on the factory floor, wearable devices that improve safety, or monitoring of equipment data through the IoT, adopting Industry 4.0 is the way forward to ongoing success and innovation in the industry.

Manufacturers are on board with the change: The market for smart factory equipment is expected to expand from $295.65 billion in 2021 to more than $500 billion in 2026. However, cyber threats are increasing in tandem with the rise of Industry 4.0.

According to the Kroll "Q4 2021 Threat Landscape" report, manufacturing is the fourth most targeted sector, behind only professional services, technology/telecommunications, and healthcare. As with most other sectors, phishing is the most common attack vector detected against manufacturing targets.

The threat landscape will only continue to expand. Manufacturers that take steps now to understand their exposure will be able to build the security maturity needed to embrace connected technology.

**Manufacturing's Security Maturity  
**Cyberattackers are pivoting toward manufacturing due to the industry's comparatively low level of security maturity, newfound connectivity in core processes, and the difficulty of securing complex manufacturing environments. Differentiated manufacturing processes have always been considered trade secrets, and the industry is highly sensitive to interruptions in service.

However, in the past, mission-critical systems were air gapped, or not Internet connected. This drove attackers to look for easier targets in financial services or healthcare, both of which have lucrative assets, connected devices, and operate with a high degree of urgency, which can lead to security shortcuts, and connected devices.

Now that manufacturing is adopting connected devices, analyzing more data, and feeding that data into custom software, the need for security maturity in the manufacturing sector is urgent. This is a problem that transcends the IT department. Effective security maturity is a multidisciplinary undertaking that must consider the ways that technologies, processes, and people contribute to keeping critical data and devices secure. Protecting industry 4.0 requires dedicated cybersecurity knowledge and expertise.

**Current Cyber Threats in Manufacturing  
**Threats against the manufacturing sector fall into three main categories.

Traditional cyber threats include ransomware against IT systems, data theft, supply chain attacks, and intellectual property theft. These are serious threats that can cost manufacturing businesses time, money, and credibility. They are also threats that smaller manufacturers, in particular, have not yet built strong defenses against due to limited time, resources, or hiring capabilities.

Manufacturing firms are also uniquely at risk for targeted attacks against industrial control systems (ICS). As operational technology (OT) works more closely with traditional IT assets, including connected industrial IoT (IIoT) devices, it is becoming easier to bridge the gap between those groups of devices, and to compromise OT that was originally designed or configured as an isolated network. This can lead not only to the compromise of sensitive information but also interruptions in service and delays in fulfillment.

Another layer of threat against the manufacturing sector involves bespoke software. To make sense of the data that connected systems create, and to enjoy efficiency advantages this data can offer, that data has to be fed into other software. The software is often custom-made for an individual company's technology and data assets. This software and the infrastructure on which it runs can be an attractive target. If it wasn't designed from the start with security in mind, and if it is not implemented and maintained with security in mind, that bespoke software can become the weak link that lets an attacker in.

**What's Next: Adopting Industry 4.0 Securely  
**As a manufacturer, you cannot afford _not_ to adopt Industry 4.0. For efficiency reasons, including just-in-time manufacturing, as well as workplace monitoring, Industry 4.0 is the path toward factories that are both more cost-effective and safer. These changes are not only exciting, but they are becoming necessary: Customers are demanding the flexibility, agility, and information that only Industry 4.0 provides.

However, this is not just a revolution in what you can do on the factory floor, and in what you can do to delight customers. It is also a revolution in how your company needs to think about security. Consider your products: Putting a safe, high-quality product on the market in the first place is more efficient and cheaper in the long run than having to handle a recall if something goes wrong.

A similar attitude makes sense in security. Considering security from the beginning, both in terms of connected infrastructure and the custom code that holds systems together, leads to smoother operations and avoids the major business disruption, cost, and reputational damage that comes with incident response, and the subsequent remaking of code or infrastructure after an issue is exploited.

Effectively preparing and defending against the security challenges of Industry 4.0 is an endeavor that requires action and initiative from people beyond IT. In short, it requires dedicated cybersecurity expertise, with people who can consistently analyze risks and the threat landscape. The effort needs professionals who know how to design and implement effective security controls that prevent active threats, and can make sense of log data and identify anomalies, as well as respond to attacks. They can also oversee that best practices are followed for secure design and coding in applications that ingest and process factory data.

Industry 4.0 Points Up Need for Improved Security for Manufacturers

A DDoS campaign observed by Akamai from actors claiming to be REvil would represent a major pivot in tactics for the gang.

Concern has been raised that a coordinated distributed denial-of-service (DDoS) attack from a malicious actor could be associated with the notorious ransomware-as-a-service (RaaS) group REvil.  

According to a report from Akamai’s Security Intelligence Response Team (SIRT), the attack was aimed at one of Akamai’s hospitality customers. It consisted of a simple HTTP GET request, with a message demanding payment to a Bitcoin (BTC) wallet in exchange for stopping the attack. It also included an additional request for the company to stop operating in a specific country.

Given the request to stop operating in the geospecific location appeared to stem from a recent Supreme Court decision in that country, the attack took on a political flavor that Akamai analysts say would be a break with REvil’s earlier strategies.

“We haven’t seen them linked to hacktivism or political goals in any of the previously reported attacks,” according to Akamai.

On the technical front, the use of proxying capabilities and “fairly well” distributed IPs participating in the attack indicated that some level of coordination was required between the attacker and the proxying system, the Wednesday report notes.

And, due to the extensive use of MikroTik devices identified in the attacking sources, the report suggests the attack could be supported by the MikroTik-based Meris botnet, which also has links to REvil. That said, the low volume of requests per second (Rps) and relatively unsophisticated nature of the campaign are atypical of Meris attacks, the report notes.

**REvil Redux?**

Since being reportedly dismantled by the Russian government earlier this year, there have been hints that REvil – or at least some previous members of the gang – is putting itself back together.

In April, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.

Then in March, security firm Imperva reported mitigating a ransom DDoS attack tied to the Meris botnet measuring 2.5 million requests per second (Mrps). It included a series of ransom notes received by the customer that also claimed it came from REvil.

While DDoS has been used in the past by some groups as an extra layer of pressure on ransomware victims to pay up, in both the March incident and this latest case, the attack is pure-play DDoS.

"We haven't seen ransomware linked to these campaigns. The only tie to ransomware is the naming of REvil in the extortion demands," says SIRT engineer Chad Seaman.  

But as to whether this latest incident means that REvil is truly back and testing out new techniques, Seaman is skeptical.

"I don't feel there are strong indicators here that this is indeed a resurgence of REvil,” he says. “Even in the prior reported campaigns, I don't believe there are strong indicators that positively attribute those attacks to REvil in reality."

For instance, the alert also pointed out that the BTC wallet does not have any previous connection to REvil. And the gang has maintained in the past that it is purely profit driven, after all.

Seaman says the threat is more likely to stem from a copycat group looking to leverage REvil’s notoriety.

**DDoS Extortion: A New Avenue for Fear**

He added that be it REvil or someone leveraging the name or reputation, the attack is clearly a play on fear in the hopes of easy money, so the most concerning takeaway from Akamai’s investigation is the fear and panic associated with the threat.

“This is the goal of these types of attacks: to scare the victim into paying, lending credibility to the threat using a scary name,” he explained. “When these campaigns spin up and start to get press, it's typically followed by a surge of copycats.”

From Seaman’s perspective, the publishing of reports like these requires a delicate balance of notifying the public of the threat without the threat turning into a wildfire of copycats.

“We're hoping to help raise awareness while ramping down the associated fear because if we don't get out in front of these types of campaigns and fear-based reporting outpaces sane analysis, it only serves to fuel the fire, not fight it,” he said.

DDoS Extortion Attack Flagged as Possible REvil Resurgence

Verizon's "2022 Data Breach Investigations Report" repeatedly makes the point that criminals are stealing credentials to carry out their attacks.

Credentials, phishing, exploiting vulnerabilities, and botnets "pervade all areas of the DBIR, and no organization is safe without a plan to handle them all," Verizon's team of researchers wrote in this year's "Data Breach Investigations Report."

Attackers don't have to bother with zero-day vulnerabilities or build out elaborate attack tools when they can just steal credentials and log right in. Whether the report is looking at Web application attacks, email scams such as business email compromise, or malware, the theme was consistent: Stolen credentials played a role. 

DBIR is chock-full of charts and visualizations, so it is difficult to pick just one -- though the chart about what types of data attackers are stealing is a particularly striking. For a long time, criminals were interested in personal data -- data that could be used for identity theft or other types of financial fraud. While that is still the case, that is not the complete story. Attackers are focusing heavily on obtaining stolen credentials, since those credentials make carrying out other attacks even easier and harder to detect. The report considers 180 different actions that lead to data breaches, and the use of stolen credentials is the most common.

"We've long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system," the report says.

Consider how ransomware gets onto the targeted system: 40% of ransomware incidents involve the use of desktop sharing software, such as remote desktop protocol. And the easiest way to access RDP is via weak passwords.

While third-party breaches represent just 1% of breaches in the 2022 dataset, about half of them involved the use of stolen credentials. 

Phishing and stolen credentials were the top two actions in data breaches involving social engineering attacks. The third is "pretexting," almost all of which are business email compromises. A quarter of BECs used stolen credentials against the victim organization, according to the report.

And finally, in the area of web application attacks, the vast majority of incidents use stolen credentials as their entry point. Over 80% of the breaches that was categorized under web application attacks in this year's DBIR can be attributed to stolen credentials. In comparison, the second most common action, exploiting vulnerabilities, is less than 20%.

"There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years," the report says.

"Even if passwordless authentication isn't ready for prime time in your organization, the report findings can be used to help fund and implement multi-factor authentication," says Rick Holland, CISO and vice-president of strategy at Digital Shadows.

DBIR Makes a Case for Passwordless

Ransomware has become so efficient, and the underground economy so professional, that traditional monetization of stolen data may be on its way out.

The past year has seen a staggering acceleration in ransomware incidents, with 25% of all breaches containing a ransomware component.

That's the top-line finding in the 2022 Verizon Data Breach Investigations Report (DBIR), which found that ransomware events in conjunction with breaches ballooned 13% in the past year — last year's report found that just 12% of incidents were ransomware-related. That translates into a rate of increase that's more than the previous five years of growth combined.

The 15th annual DBIR analyzed 23,896 security incidents, of which 5,212 were confirmed breaches. About four in five of those were the handiwork of external cybercriminal gangs and threat groups, according to Verizon. And according to Alex Pinto, manager of the Verizon Security Research team, these nefarious types are finding it easier and easier to earn an ill-gotten living with ransomware, making other types of breaches increasingly obsolete.

"Everything in cybercrime has become so commoditized, so much like a business now, and it's just too darn efficient of a methodology for monetizing their activity," he tells Dark Reading, noting that with the emergence of ransomware as-a-service (RaaS) and initial-access brokers, it takes very little skill or effort to get into the extortion game.

"Before, you had to get in somehow, look around, and find something worth stealing that would have a reseller on the other end," he explains. "In 2008 when we started the DBIR, it was by and large payment-card data that was stolen. Now, that has fallen precipitously because they can just pay for access someone else established and install rented ransomware, and it's so much simpler to reach the same goal of getting money."

A corollary to this story is that any and every organization is a target — companies no longer need to have something worth stealing in the way of highly sensitive data to fall in the cybercrime crosshairs. That means that small- and midmarket organizations should beware, Pinto said, as well as very small, mom-and-pop organizations.

"You don't have to go for the big guys anymore," Pinto said. "In fact, going for the big guys might be counterproductive because those folks usually have their ducks more in a row as far as defenses. If a business has a handful of computers and they care about their data, you're potentially going to make a few bucks out of them."

Put into a different context, the DBIR found that around 40% of data breaches are due to the installation of malware, he said (what Verizon refers to as system intrusions), and the rise in RaaS has led to 55% of those specific breach incidents involving ransomware.

"Our concern is that really, there's no ceiling here," Pinto says. "I think we're not convinced anymore that it's going to stop — unless someone comes up with something that's even more efficient. I cannot imagine what that would be, but maybe this is why I'm not in the organized crime business."

**The SolarWinds Effect**

The fallout from the infamous SolarWinds supply-chain hack blew far and wide over the course of the year, with the "software updates" vector pushing the "partner breach" category up to being responsible for 62% of system-intrusion incidents (including ransomware incidents) — and that's way, way up, from a negligible 1% in 2020.

Pinto noted that despite the headlines and the interest in incidents like SolarWinds (and others, such as the Kaseya-related ransomware attacks), dealing with supply-chain breaches doesn't require an operational overhaul for most businesses.

"Protecting against the fallout of a supply-chain breach if you were one of the affected customers is not so different from protecting from several other types of malware, because your servers are beaconing out to somewhere they shouldn't be. If you're a CISO, the techniques you use should be fairly similar to the ones you already use because, quite frankly, trying to go after every single software supplier you have to try to make them secure will make you insane. It's a very big lift."

**Where to Start on Ransomware Defense**

In examining the entry paths for breaches, Pinto noted that attacks can reliably be boiled down to four different (and familiar) avenues: the use of stolen credentials; social engineering and phishing; vulnerability exploits; and the use of malware.

"The one thing when you close this report to do is, go look at those four things in your environment and what controls you have for them," Pinto says.

When it comes to ransomware-related breaches in particular, 40% of incidents analyzed involved the use of desktop sharing software such as Remote Desktop Protocol. And 35% involved the use of email (phishing, mostly).

"Locking down your external-facing infrastructure, especially RDP and emails, can go a long way toward protecting your organization against ransomware," Pinto says.

It's worth noting that overall, 82% of all breaches analyzed by Verizon relied on human error (misconfigurations, for example, accounting for 13% of breaches) or interaction (phishing, social engineering, or stolen credentials). Artur Kane, vice president of product at GoodAccess, says that this indicates a few best practices to take a look at.

First, there are the technical solutions, such as requiring multifactor authentication (MFA) and network segmentation by access privileges, along with implementing real-time threat detection capability, keeping continuous access logs, and running regular backups.

"However, security administrators also need to have solid response and recovery plans in place for these occurrences, and should conduct regular trainings and drills," Kane says. "\[And\] user training can greatly contribute to improving the overall company security posture. As a large part of ransomware attacks opens with a phishing lure, training employees in how to spot them can save millions of dollars in later breach recovery."

'There's No Ceiling': Ransomware's Alarming Growth Signals a New Era, Verizon DBIR Finds

But there was a substantial drop in the overall number of critical vulnerabilities that the company disclosed last year, new analysis shows.

The number of privilege escalation bugs in Microsoft's products increased for the second year in a row in 2021, highlighting the growing risk this vulnerability category poses for organizations.

BeyondTrust recently analyzed data from Microsoft vulnerability disclosures in 2021 and found that 588 — or 49% — of the total 1,212 bugs that the company disclosed gave attackers a way to elevate privileges on compromised systems and networks. The number represented a 5% increase from the 559 privilege escalation bugs in Microsoft products that BeyondTrust counted in 2020, when such bugs also eclipsed all other categories of vulns in the company's technologies.

The trend is important because organizations sometimes tend to pay less attention to privilege escalation vulnerabilities than other bugs because often, they can only be exploited after an attacker has already compromised a system. "Elevation of privilege bugs do not get the same attention from organizations" as some other vulnerabilities, says Tim McGuffin, director of adversarial engineering at LARES Consulting. Most organizations focus on preventing initial compromise, which can come from remote code execution vulnerabilities and other flaws, he says. "But \[they\] often de-prioritize patches for EoP vulns and wait until quarterly or annual patch cycles."

**A New Trend**

The number of privilege escalation vulnerabilities in Microsoft's technologies increased last year even as the overall number of reported bugs in the company's products declined for the first time in years. The 1,212 bugs that Microsoft disclosed in 2021 was about 5% lower than the 1,268 bugs it reported in 2020. That was in sharp contrast to the previous four years, which saw a near doubling in bugs — from 451 in 2016 to 858 in 2019.

BeyondTrust also observed a 47% decrease in the number of critical vulnerabilities that Microsoft disclosed in 2021 — 104 compared to 196 in 2020. The number of Windows OS vulnerabilities, too, dropped dramatically in 2021 — from a record 907 vulnerabilities across Windows 7, Windows RT, Windows 8/8.1, and Windows 10 to just 507 last year.

Remote code execution vulnerabilities, which were the most common type of security issue in Microsoft products until 2019, ranked second last year at 326, followed by information disclosure vulnerabilities (119), spoofing (66), and denial of service bugs (55). Microsoft reported a total of 44 security bypass vulnerabilities last year and 3 issues related to tampering. BeyondTrust observed declines in other vulnerabilities such as in overflow, memory corruption, and cross-site scripting flaws in Microsoft technologies. Cumulatively, there were 215 fewer vulnerabilities across these three categories in 2021 compared to the prior year.

The vendor ascribed several likely reasons for the Microsoft vulnerability reductions last year, including better security and coding practices on Microsoft's part; end of life of Windows 7 and other products: and the shift of more enterprise workloads and services to the cloud.

**Fewer Critical Vulnerabilities**

"A drop in critical vulnerabilities reported from 196 to 104 is great news," says Richard Stiennon, chief research analyst at IT-Harvest. "Yet it's hard to derive insights from just the numbers."

The increase in privilege escalation vulnerabilities, for instance, is significant because it indicates that researchers are looking harder for these flaws in Microsoft products. "These are critical because an attacker will use them to ultimately get admin privileges and thus complete control of a system," Stiennon says. "APT groups usually have some sort of escalation exploits in their toolboxes to compromise their targets."

Microsoft's late-2021 adoption of the industry-standard CVSS format for reporting vulnerabilities also made it impossible to determine how many of the critical vulnerabilities it disclosed last year could have been mitigated by removing admin rights on user systems, BeyondTrust said.

The CVSS is derived from data that is designed to produce a numerical score relative to the severity of a vulnerability, says Christopher Hills, chief security strategist at BeyondTrust. "This is great for the overall audience in seeing which vulnerabilities have the highest severity," he says. "But it provides camouflage for those vulnerabilities that leverage privilege elevation because those are now buried in the report."

Between 2015 and 2020, some 75% of critical Microsoft vulnerabilities could have been mitigated by removing admin rights on user systems. There's little reason to believe that the situation has changed a whole lot now, according to BeyondTrust.

"With end user systems and remote access being the top attack vector for bad actors, there truly is no valid reason why users should have standing rights or admin rights on end user systems," Hills says. Removal of admin rights has the potential to impact end user productivity and foster a bad user experience, he admits: "But with today’s technology and the solutions available, there is no amount of end user productivity that could outweigh the cost of a breach or compromise."

McGuffin says the decline in reported Microsoft vulnerabilities last year could also have to do with other reasons. Some countries have modified their vulnerability disclosure processes so that newly discovered vulnerabilities must be reported to the government first — and only then can be reported to the vendor, he notes. "Those same countries have also restricted citizens' ability to participate in competitions like Pwn2Own, where vulnerabilities would be publicly disclosed after the competition," he notes.

And because researchers sometimes focus on specific areas and technologies, that also can have an impact on the number of vulnerabilities discovered in a particular category, McGuffin says. "As an example, one vulnerability in the \[Windows\] print spooler service prompted several other researchers to dig deeper, and we're up to over a dozen RCE and PrivEsc vulns in the spooler now," he says.

Microsoft Elevation-of-Privilege Vulnerabilities Spiked Again in 2021

Notable new infection chain uses PDF to embed malicious files, load remote exploits, shellcode encryption, and more, new research shows.

When it comes to packaging malware, the file format of choice remains Microsoft Word or Excel, but a recent attack using a PDF file to lure in victims caught the attention of researchers.

The campaign _—_ observed by HP Wolf Security _—_ sent the malicious PDF as an email attachment. Once opened, it used a variety of tactics to evade detection, embed malicious files, load remote exploits, and shellcode encryption, according to the researchers.

"Embedding files, loading remotely hosted exploits, and encrypting shellcode are just three techniques attackers use to run malware under the radar," the HP Wolf team reported on the malicious PDF attack in a recent blog post. "The exploited vulnerability in this campaign (CVE-2017-11882) is over four years old, yet continues being used, suggesting the exploit remains effective for attackers."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Attack Shows Weaponized PDF Files Remain a Threat

Decentralized finance lost $1.8 billion to cyberattacks last year — and 80% of those events were the result of vulnerable code, analysts say.

Decentralized finance (DeFi) platforms — which connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions — promise to replace banks as a secure and convenient way to invest in and spend cryptocurrency. But in addition to attracting hordes of new users with dreams of digital fortune, cybercriminals have discovered them to be an easy target, wiping out wallets to zero balances in a moment, tanking whole markets while profiting, and more, according to a new report.  

Analysts with Bishop Fox found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the lax cybersecurity practices of the sector.  

DeFi averaged five attacks per week last year, with most of the them (51%) coming from the exploitation of "smart contracts" bugs, the analysts found. Smart contracts are essentially records of transactions, stored on the blockchain.  

Other top DeFi attack vectors include cryptowallets, protocol design flaws, and so-called "rug-pull" scams (where investors are lured to a new cryptocurrency project that is then abandoned, leaving targets with a worthless currency). But taken together, 80% of all events were caused by the use (and re-use) of buggy code, according to the report.

"The desire to develop quickly and save time, or perhaps just the lazy disinclination to review or recreate one's own code, too often leads to the use of untested, and therefore ultimately vulnerable, code," the report says. 

And indeed, as users and DeFi platforms themselves try to reinvent banking — and a complex new infrastructure to support it — administrators can't overlook the importance of security basics, Dylan Dubeif, senior security consultant at Bishop Fox tells Dark Reading.   

"No matter how innovative or sophisticated your project is, don't forget about security by ignoring what seems minor or basic," he says. "A trivial vulnerability can end up costing you the most."

**DeFi Smart-Contract Vulns** A prime example is the May 28 BurgerSwap Dex smart-contract-related DeFi breach, which led to a $7.2 million loss. That attack leveraged vulnerabilities that are so well known that their use here seemed confounding, according to the report. These included exploiting a missing x\*y≥k check\*\* and mounting re-entrancy attacks, according to the report. The weaknesses allowed attackers to leverage well-known tactics such as flash-loan abuse and the use of fake tokens.

"We can't emphasize it enough — maintain a recurring audit process and test each piece of code before it goes into production," the report says. "In decentralized finance, even the shortest line of vulnerable code can lead to a total loss of project tokens and the collapse of the project." 

Last August, Cream Finance took a major financial hit at the hands of cybercriminals, losing nearly $29 million before the attack was discovered (418,311,571 in Amp Coin and 1,308.09 in Ethereum cryptocurrency).

The hack was made possible due to a re-entrancy bug in its smart-contracts function, introduced by the $AMP tokens used by the exchange.

“The … breach of the Cream Finance platform was facilitated by the latest in a long chain of smart-contract vulnerabilities introduced by human error (or possibly insider attacks),” Joe Stewart, a researcher with PhishLabs, noted at the time. "It is very easy to shoot yourself in the foot by something as simple as failing to include the correct function modifier in your code — exactly what happened to the author of the Cream Finance smart contract.”

Smart contracts become trickier to code-audit as well after they start interacting with each other, Stewart added.

“The increasing complexity of DeFi contracts that interact with one another (possibly even across different blockchains) make it difficult to predict all possible code paths that could lead to privilege escalation and loss of funds locked in the contract,” Stewart said.

**Front-End DeFi Attacks  
**The code used to create DeFi digital wallets and website interfaces has also proved to be an easy attack vector for scammers. 

In one attack on BadgerDAO last December, analysts said that attackers exploited a CloudFlare vulnerability to get an API key, which then allowed them to tweak the site's source code to divert funds to wallets in their control, the report explains. 

"In late September, users on a Cloudflare community support forum reported that unauthorized users were able to create accounts and were also able to create and view (Global) API keys (which cannot be deleted or deactivated) before email verification was completed," Badger said in a post-mortem statement about the breach. "It was noted that an attacker could then wait for the email to be verified, and for the account creation to be completed, and they would then have API access."  

**Flash-Loan DeFi Attacks  
**As mentioned earlier, another type of DeFi attack involves flash loans. A flash loan is an unsecured loan for buying and then selling a certain cryptocurrency; it can be requested by building a smart contract on the blockchain. Then the contract executes the loan and the trades, all in a flash.

In an attack, cybercriminals can use this function for price manipulation. For instance, last May the DeFi project PancakeBunny fell victim to this after an attacker mined a large amount of $Bunny tokens and then turned around and immediately sold them off. Not only can the cybercriminals make a fortune in this way, they can also tank the value of an entire cryptocurrency market in minutes.  

"Although \[this\] may seem painfully simple in retrospect, it _did_ occur, with not-insignificant consequences," the report says.   

The PancakeBunny DeFi project became prey on May 19. Attackers used a bug in the platform and a flash loan to throw the pool out of balance and miscalculate the exchange in the threat actor's favor. Worse yet, just days later, two forks (i.e., new DeFi communities developed from the same blockchain), MerlinLabs and Autoshark, were targeted using the same code and attack methodology. 

"Even though the teams from both projects were aware of having copied the PancakeBunny code with very few modifications, they nevertheless suffered the same attack five and seven days, respectively, after the initial project," the report says. 

**DeFi Servers  
**Servers storing private keys for cryptowallets are also a prime target for cybercriminals, the researchers warn. In several instances, wallets were swiped with stolen keys, the report says, sometimes with devastating losses; one wallet had a balance of about $60 million, for instance.

"Financial loss could have been avoided by auditing the companies’ underlying servers and adding technical and organizational measures (such as multisignature wallets) with zero-trust and least-privilege principles," the report states.

**Preventing the DeFi Pwn-apalooza  
**With so much cybercrime activity, what should be done? To answer that, the Bishop Fox team offered two important pieces of advice for users trying to navigate this new digital financial frontier. One, don't trust any system to be secure; and two, recognize that investments can evaporate in a second. 

The risk to users varies; in some cases, like the PolyNetwork breach, an attacker stole, then returned, $610 million in cryptocurrency and everyone recouped their losses. In other instances, hacked DeFi platforms weren't so lucky. 

Since there's no standard for responsibility, users should be prepared for the worst. "When we talk about DeFi, we are talking about investing in the fledgling cryptocurrency financial system that has yet to learn from its mistakes," the report states.

The researchers acknowledge that with so many parts of the business, defending DeFi platforms is particularly difficult.

"As the attack surface in DeFi projects is larger than usual," the report says, "teams must ensure that adequate precautions are taken to protect all assets."

DeFi Is Getting Pummeled by Cybercriminals

As states address privacy with ad-hoc laws, corporate compliance teams try to balance yet another set of similar but diverging requirements.

Connecticut became the fifth state to pass a consumer data privacy law with the signing of SB 6, titled "An Act Concerning Personal Data Privacy and Online Monitoring." The law, which goes into effect July 1, 2023, is similar to privacy laws in Virginia, Colorado, and Utah, but it falls short of some of the provisions and protections in California's California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA).

This latest state law on privacy further intensifies the pressure on corporate compliance departments to attempt to address the increasingly difficult task of meeting the reporting and coverage requirements of various privacy laws, and it puts pressure on the federal government to come up with a national law that clarifies consumer privacy rights, says Lisa Sotto, partner and chair of the privacy and cybersecurity practice at Hunton Andrews Kurth LLP, a Richmond, Va.-based law firm.

"It's completely insane complying with all of these \[privacy\] laws; it's virtually impossible," she says. There is no "highest common denominator" that permits organizations to comply with a given set of privacy regulations to ensure compliance with all of them. 

"It's a mess," Sotto says.

While all of the privacy laws have a lot in common, no two are identical. When you layer additional laws — such as those directed at privacy related to minors, healthcare, financial services, and other areas — on top of the five statewide laws, the matrix of compliance requirements becomes unwieldy.

**Ever-Growing Thicket of Privacy Laws**

Currently there is no national privacy law in the United States, but there is a patchwork of laws at the national and state levels that address varying areas of privacy. Among the federal laws are the Gramm-Leach-Bliley Act (GLBA), the Privacy Act of 1974, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH).

There are also industry rules, such as the Payment Card Industry Data Security Standard (PCI DSS), that dictate how companies should handle consumer privacy. Sometimes laws and industry rules are in direct conflict, such as when a data breach needs to be reported and to whom, forcing companies to choose which regulations to follow.

Add to those state and local laws, such as the New York State Personal Privacy Protection Law, as well as international laws, such as the European Union's General Data Protection Regulation (GDPR) — which holds individuals across the globe liable for mishandling the personally identifiable information (PII) of EU citizens — and compliance becomes unmanageable.

One huge challenge companies face when trying to manage compliance is determining exactly what the laws require and how they define privacy, which is open to interpretation. Forrester analyst Stephanie Liu says the Colorado law, for example, does not permit the sale of personal information for "valuable consideration." It explicitly does not say selling only for cash but rather anything of value.

However, Liu says, she has "talked to a couple of data brokers who said that they do not sell data. If a data broker is making that argument, then you've got a loophole there."

Comparing the Utah, Colorado, Virginia, and Connecticut laws, the "definition of sale" is where they tend to differ, Liu says. "It's a huge headache," she adds.

**Exactly the Same, Only Different**

While the Connecticut law specifically talks about guarding consumers' privacy rights from those who sell products directly to the state's citizens, not all privacy rights are covered by the law. Insurance, for example, is a huge part of the state's economy, but insurance companies are not covered by this new law. Instead, says Sotto, those companies are covered by the federal GLBA regulations.

Boards of directors have a fiduciary duty of oversight when it comes to cyber, she says, and that is forcing them to take a much closer look at privacy as well. Boards are taking a much more personal interest in privacy and compliance, especially now that recent laws can hold board members personally liable if a company is breached or if PII is stolen and made public.

Protecting personal privacy could have an impact on cyber insurance rates as well. Ransomware attacks that steal PII and threaten to make it public are very common today, and cyber insurance policies often include coverage for paying those ransom demands.

For cyber insurance carriers, notes Forrester senior analyst Jess Burn, that means very high legal costs are included under the premiums. Companies that are breached "need to work with their outside counsel on data breach notifications for every single affected state," Burns says. "In addition, if it's a B2C company, \[you have\] consumer notifications, credit monitoring, and all of those different fees that come along with it. Oh, and then the fines are going to come in as well."

Not every privacy issue is addressed in privacy legislation, and not all non-PII is addressed directly in state privacy laws. Data that might contain personal data about investors, for example, is often addressed under other legislation that is not privacy-specific. The Fair Credit Reporting Act, for example, covers some consumer privacy issues that overlap the state privacy laws, as do HIPAA and other healthcare legislation, but these do not necessarily contradict other laws.

"Connecticut exempts employee data from its law entirely," Burn says. "That's another area where it's interesting to see \[that\] sort of the uncertainty, if we're being honest about how states are approaching it."

Source

DARKReading