Ubuntu Security Notice 6089-1 - It was discovered that the Intel i915 graphics driver in the Linux kernel did not perform a GPU TLB flush in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6089-1May 18, 2023linux-oem-6.0 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-oem-6.0: Linux kernel for OEM systemsDetails:It was discovered that the Intel i915 graphics driver in the Linux kerneldid not perform a GPU TLB flush in some situations. A local attacker coulduse this to cause a denial of service or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.0.0-1016-oem      6.0.0-1016.16   linux-image-oem-22.04b          6.0.0.1016.16After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6089-1   CVE-2022-4139Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-6.0/6.0.0-1016.16

Ubuntu Security Notice USN-6089-1

85% of AppSec pros say ability to differentiate between real risks and noise is critical, yet only 38% can do so today; mature DevOps organizations cite widespread impact due to lack of cloud-native tools

**Tel Aviv, May 17, 2023** \- Backslash Security, the new cloud-native application security solution for enterprise AppSec teams, today released a new research study, **Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report**, exploring how the state of application security has evolved given the rise of cloud-native application development. The study examines the practices, tools, and needs of CISOs, AppSec managers, and AppSec engineers at enterprise organizations of 1,000 or more employees with mature cloud-native app development environments. 

The study reveals that AppSec teams are stuck in a catch-up cycle, unable to keep up with the increasingly rapid, agile dev pace, and playing security defense via an endless and unproductive vulnerability chase. **Notably, 58% of respondents report spending over 50% of their time chasing vulnerabilities, with a shocking 89% spending at least 25% of their time in this defensive mode.** This costly 'defensive tax' — the cost of employing AppSec engineers who chase vulnerabilities rather than drive a comprehensive cloud-native AppSec program — is estimated to be upwards of $1.2 million annually.

Given the accelerated pace of digital innovation across enterprises of all sizes and the blurred lines between AppSec and CloudSec, enterprise AppSec teams are saddled with solutions that have not caught up to the cloud pace. **As a result, AppSec professionals are losing faith in the prevailing AppSec tools:** 

*   Almost all organizations are seeing a widespread impact of the lack of cloud-native AppSec tools, including growing friction between AppSec and dev teams (39%), jeopardized ability to generate revenue (39%), and inability to retain high-value dev talent (38%) and AppSec talent (35%);
*   94% of respondents cited multiple issues with today’s AppSec technologies; top complaints were the considerable amount of time spent prioritizing findings (48%) and that existing AppSec tools are noisy (45%);
*   SAST and DAST are quickly losing ground, with just 32% of respondents stating that they use either of these prevailing standards extensively.

The report emphasizes the urgent need for a **new AppSec paradigm that maps a clear path to a modern standard for cloud-native AppSec success,** characterized by end-to-end visualization of all microservices, automatic identification and prioritization of real risks, and intelligent triaging and remediation. In assessing the importance of these three key tenets of modern AppSec: 

*   82% agree that automating threat model visualization will help AppSec teams save time and manual labor analyzing cloud-native application risks;
*   91% believe correlating application security risks with the application’s exposure to the outside world, such as via open APIs, is important;
*   91% believe differentiating between general code weaknesses and critical vulnerabilities is important;
*   Eight out of the nine total capabilities that define this new cloud-native AppSec paradigm were ranked as “critical” or “important” by 70%+ of respondents.

**However, the AppSec industry suffers from a massive cloud-native enablement gap.** Across all of the most critical capabilities, respondents reported that enablement is sorely lacking: 

*   85% of respondents say the ability to differentiate between real risks and noise is critical to their success, making it the #1 most important capability; yet only 38% of respondents are enabled to do so;
*   This trend persists throughout, including “correlating security findings to the developer or dev team responsible for the fix” (78% vs. 43%); “meeting compliance standards” (78% vs. 38%); and “efficient triaging between Dev and AppSec” (73% vs. 42%).

"What we're hearing across the board is a message of urgency – we've entered a new, cloud-native reality, and it’s time to put an end to the AppSec catch-up game," said Shahar Man, co-founder and CEO of Backslash. "These outdated AppSec methodologies hamper productivity, innovation and talent retention for both AppSec and dev teams. The cloud-native application development paradigm calls for a new, unified approach to application security that will make the friction between development and AppSec teams a thing of the past, enable enterprises to retain valuable talent, and accelerate innovation and growth."

This report surveyed 300 security professionals specifically tasked with application security for their organization, equally split between CISOs, AppSec managers and AppSec engineers from U.S. companies with 1,000 or more employees. Companies represent a wide range of industries. 

Click here to download the report and learn more. 

**About Backslash Security**

Backslash is the first Cloud-Native Application Security solution for enterprise AppSec teams to provide unified security and business context to cloud-native code risk, coupled with automated threat modeling, code risk prioritization, and simplified remediation across applications and teams.

With Backslash, AppSec teams can see and easily act upon the critical toxic code flows in their cloud-native applications; quickly prioritize code risks based on the relevant cloud context; 

and significantly cut MTTR (mean time to recovery) by enabling developers with the evidence they need to take ownership of the process.

Backed by StageOne Ventures, First Rays Venture Partners, D. E. Shaw & Co., and a roster of security veterans as angel investors, including technology entrepreneur and investor Shlomo Kramer, Ron Zoran (former CRO of CyberArk), and Brian Fielder (General Manager, CTO Enterprise Security at Microsoft), Backslash has been deployed across leading technology organizations and Fortune 100 companies. 

More at https://www.backslash.security/.

AppSec Teams Stuck in Catch-Up Cycle Due to Massive Cloud-Native Enablement Gap

Malicious Google Search ads for generative AI services like OpenAI ChatGPT and Midjourney are being used to direct users to sketchy websites as part of a BATLOADER campaign designed to deliver RedLine Stealer malware.
"Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord)," eSentire

Artificial Intelligence / Cyber Threat

Malicious Google Search ads for generative AI services like OpenAI ChatGPT and Midjourney are being used to direct users to sketchy websites as part of a BATLOADER campaign designed to deliver RedLine Stealer malware.

"Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord)," eSentire said in an analysis.

"This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps."

BATLOADER is a loader malware that's propagated via drive-by downloads where users searching for certain keywords on search engines are displayed bogus ads that, when clicked, redirect them to rogue landing pages hosting malware.

The installer file, per eSentire, is rigged with an executable file (ChatGPT.exe or midjourney.exe) and a PowerShell script (Chat.ps1 or Chat-Ready.ps1) that downloads and loads RedLine Stealer from a remote server.

Once the installation is complete, the binary makes use of Microsoft Edge WebView2 to load chat.openai\[.\]com or www.midjourney\[.\]com – the legitimate ChatGPT and Midjourney URLs – in a pop-up window so as to not raise any red flags.

The adversary's use of ChatGPT and Midjourney-themed lures to serve malicious ads and ultimately drop the RedLine Stealer malware was also highlighted last week by Trend Micro.

This is not the first time the operators behind BATLOADER have capitalized on the AI craze to distribute malware. In March 2023, eSentire detailed a similar set of attacks that leveraged ChatGPT lures to deploy Vidar Stealer and Ursnif.

The cybersecurity company further pointed out the abuse of Google Search ads has fallen off from their early 2023 peak, suggesting that the tech giant is taking active steps to curtail its exploitation.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The findings come weeks after Securonix uncovered a phishing campaign dubbed OCX#HARVESTER that targeted the cryptocurrency sector between December 2022 and March 2023 with More\_eggs (aka Golden Chickens), a JavaScript downloader that's used to serve additional payloads.

eSentire, in January, traced the identity of one of the key operators of the malware-as-a-service (MaaS) to an individual located in Montreal, Canada. The second threat actor associated with the group has since been identified as a Romanian national who goes by the alias Jack.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 Searching for AI Tools? Watch Out for Rogue Sites Distributing RedLine Malware

The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-2704: BP Social Connect <= 1.5 - Authentication Bypass — Wordfence Intelligence

Plug X and other information-stealing remote-access Trojans are among the malware targeting networking, manufacturing, and logistics companies in Taiwan.

Cyber espionage attacks against organizations in Taiwan have surged against the backdrop of recent political tensions, new research shows.

Trellix this week cited a fourfold rise in malicious phishing emails targeting Taiwanese companies between April 7 and 10 of this year. Networking/IT, manufacturing, and logistics, were hit the most.

The emails followed different archetypes — a fake shipment update from DHL, a fake order for bulk cement, or a fake payment overdue notification.

Some of the emails came fitted with malicious attachments, while others contained links to fake login pages designed to harvest credentials.

Following the jump in malicious emails, the researchers detected an even more significant rise in instances of PlugX — a decade-old remote access Trojan common among Chinese state-linked threat actors. PlugX is perhaps most notable for its stealthiness, using DLL sideloading as a means of circumventing Windows security measures and running arbitrary code on a target machine.

Other infostealer malware families spotted in attacks against Taiwan include Zmutzy — a Trojan written in .NET — and Formbook — a cheap infostealer-as-a-service with downloader capabilities.

Patrick Flynn, head of commercial threat intelligence at Trellix, says the majority of the attacks appear to be nation-state, with about 40% targeting Taiwan officials and agencies.

**Cyberattacks in the China-Taiwan Conflict**

Conflict between China and Taiwan dates back three quarters of a century, with the former claiming sovereignty over the autonomous latter. Tensions have ebbed and flowed ever since, with a recent flare-up precipitating from the parallel conflict in Ukraine, diplomatic meetings between American and Taiwanese officials, and Chinese military drills in the Taiwan Strait. The political and economic implications are severe.

As in Ukraine, cyberattacks have long played a role in the Taiwan conflict — a simpler, more cost-effective, and less politically dangerous weapon of war most often deployed by the more powerful side to target their adversary.

"Cyberwarfare is an attractive option for a number of nation states, as it lets them target their adversaries without escalating to a 'shooting war,'" says Mike Parkin, senior technical engineer at Vulcan Cyber.

In January 2023, for example, Trellix observed a 30-times increase in extortion emails sent to Taiwanese officials. "Though it's unclear if this activity is from China-backed threat actors, it speaks to a continued increase in attacks specifically targeting Taiwan," the researchers explained.

For now, there's no reason to believe that cyber campaigns against Taiwan and its economy will slow down any time soon, so the impetus will fall on organizations to defend themselves.

"In most cases, the things we do to counter common cybercriminals are the same things we should be doing to counter nation-state attacks: training users, up-to-date patches, secure configurations, etc.," Parkin says.

But "state-level threats are likely to have more resources and can deploy more sophisticated malware, more targeted phishing attacks, and they have the time and energy to stay persistent," he says. "Facing threats like that makes it even more important for us to have our security stack at least to baseline."

Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict

Risk from artificial intelligence vectors presents a growing concern among security professionals in 2023.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

10 Types of AI Attacks CISOs Should Track

The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight.

Thursday, May 18, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

You probably already know this by now, but May is Mental Health Awareness Month across the globe.

Many people will apply this time of reflection and education to their personal lives — it’s easy to discuss anxiety, depression and other mental health concerns when it comes to things like personal relationships, friendships, family and how you express yourself.

I think not enough of us are applying the discussions we have every May to work, though. After all, many of us spend more than half our day working, and probably even more than that, thinking about work. And yes, it’s important to maintain healthy relationships around you and share your feelings with loved ones openly, but I would like us all to start being more honest about how work can affect our mental health.

This is particularly a problem in the cybersecurity industry, where burnout is constantly a cloud hanging over the workforce. A study last year from email security company Mimecast found that 84 percent of cybersecurity professionals are experiencing some form of burnout and it’s impeding their motivation at work.

And the Australian non-profit Cybermindz also found cybersecurity workers ranked their “professional efficacy,” or how well they feel they’re performing in their current role, lower than the general population — this is a key metric used to measure burnout in each industry.

I feel this is a problem in cybersecurity for several reasons: it seems like defenders can never take a day (or even an hour) off without something “hitting the fan,” the work can often be incredibly high-stakes and there is the ghost of social media always hanging over our head to be the “first” to find something or always needing to add something witty or insightful to the conversation of the day.

I would certainly not call myself a cybersecurity practitioner, per se, so I don’t have much hands-on experience with this. But I know from talking to teammates as part of my Researcher Spotlight blog series how important it is to have other interests outside of work.

And while I can’t say I’m personally experiencing burnout at work, I have dealt with anxiety for pretty much my entire life and have attended talk therapy on and off over the past few years and currently take medication to manage my various mental health conditions. That makes me feel somewhat empowered to say: It’s OK to take a break.

This is something Talos VP Matt Watchinski said in a conversation with Hazel Burton and I this week that we recorded for an upcoming episode of Talos Takes. The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight. And the threat of state-sponsored actors is not going to be solved by a single botnet takedown.

I would encourage everyone to have harder barriers up around their work and personal lives. Take up a new hobby or find a way to get outside. For example, Azim Khodjibaev is a rowing coach. Giannis Tziakouris from Cisco Talos Incident Response scuba dives. Watchinski has shooting sports.

Find your thing that is not explicitly work — because the work will be there when you get back, I promise.

**The one big thing**

A new ransomware actor we’re calling “RA Group” has been active for about a month, already targeting organizations across multiple sectors in the U.S. and South Korea. Talos researchers believe with high confidence that the group is using altered leaked source code from the Babuk ransomware family. The group is launching double extortion attacks. Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands.

**Why do I care?**

The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals. Since ransomware continues to be one of the top security threats all industries face, it’s always important to keep an eye out for new groups that pop up.

**So now what?**

The Talos blog outlines several ways that Cisco Secure products and Talos open-source software can detect and block RA Group’s activities.

**Top security headlines of the week**

**Global governments are being urged to take a more aggressive stance on spyware regulation.** The European Union has agreed to work on standards around the purchase and use of these types of tracking software, which often target vulnerable populations and industries like activists and journalists. A special European Parliament committee voted this week to ban the sale, acquisition, or use of spyware while the broader EU works on these new guidelines. In the U.S., some government agencies have still been attempting to use spyware, such as tools from the infamous NSO Group, despite bans on spyware from the Biden administration. Reporters from the New York Times found at least one government contract with Paragon, another Israeli software developer that makes spyware but is not as widely known as the NSO Group. (New York Times, The Guardian)

**A recent ransomware attack against Micro-Star International (MSI), including the theft of UEFI signing keys, is already having wide-ranging effects** across the security industry. MSI does not have a way to retract the keys after they were leaked onto the dark web, leading to fears of future supply chain attacks. Attackers could hypothetically inject malicious updates into legitimate software, using the MSI keys to sign them. MSI Keys are trusted by default by many end-user devices. Security researchers found that some of the keys work for the Intel BootGuard firmware-verification technology that runs on devices made by several different manufacturers. The Money Message ransomware group first claimed responsibility for the ransomware attack in April when it listed MSI as a new victim on its leak site and published screenshots purporting to show private encryption keys, source code and other data. (Decipher, Ars Technica)

**Twitter announced it was rolling out end-of-end encryption for its direct messages, though several security holes remain.** The company appears to not have actually completed a security audit of its DMs that it claimed it had, and the messages are still vulnerable to man-in-the-middle attacks. One security researcher also says it’s easy for Twitter employees to potentially hijack messages by adding their own keys to a list that are approved to read the messages. Encryption is also a paid feature — both users partaking in the messages must be either Twitter Blue subscribers or a verified organization on Twitter. Group conversations are also not included in this encryption process. Security and privacy experts say users who are looking for secure messaging should stick to encrypted apps like Telegram and Signal. (ZDNet, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #138: What makes “Greatness” so great?
*   Beers with Talos Ep. #135: The XDR files
*   RA Group uses leaked Babuk code to attack companies in the US, South Korea
*   Cisco warns of new ‘Greatness’ phishing-as-a-service tool seen in the wild
*   New 'Greatness' service simplifies Microsoft 365 phishing attacks

**Upcoming events where you can find Talos**

**BSidesFortWayne** **(May 20)**

Fort Wayne, IN

**Threat Modeling webinar: Applying a Threat Informed Defense (May 23)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women (June 8)**

Doha, Qatar

**REcon** **(June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2  
**MD5:** 3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc  
**Typical Filename:** PDFShark.exe  
**Claimed Product:** PDFShark  
**Detection Name:** Win.Dropper.Razy::95.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s really OK to take a break sometimes, especially in security

Cybercrime group that often uses smishing for initial access bypassed traditional OS targeting and evasion techniques to directly gain access to the cloud.

A threat actor known for targeting Microsoft cloud environments now is employing the serial console feature on Azure virtual machines (VMs) to hijack the VM to install third-party remote management software within clients' cloud environments.

Tracked as UNC3944 by researchers at Mandiant Intelligence, the threat group is leveraging this attack method to skirt traditional security detections employed within Azure with a living-off-the-land (LotL) attack ultimately aimed at stealing data that it can use for financial gain, Mandiant researchers revealed in a blog post this week.

Using one of its typical method of initial access — which involves compromising admin credentials or accessing other privileged accounts via malicious smishing campaigns — UNC3944 establishes persistence using SIM swapping and gains full access to the Azure tenant, the researchers said.

From there, the attacker has a number of options for malicious activity, including the exportation of information about the users in the tenant, collection of information about the Azure environment configuration and the various VMs, and creation or modification of accounts.

"Mandiant has observed this attacker using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes," the researchers wrote. "These extensions are executed inside of a VM and have a variety of legitimate uses."

**Hijacking the VM**

By leveraging in particular the serial console in Microsoft Azure, UNC3944 can connect to a running OS via serial port, giving the attacker an option besides the OS to access a cloud environment.

"As with other virtualization platforms, the serial connection permits remote management of systems via the Azure console," they wrote. "The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer."

UNC3944 is a financially motivated threat group active since last May that typically targets Microsoft environments for ultimate financial gain. The group was previously seen in December leveraging Microsoft-signed drivers for post-exploitation activities.

However, once UNC3944 takes control of an Azure environment and uses LotL tactics to move within a customer's cloud, the consequences go beyond mere data exfiltration or financial gain, one security expert notes.

"By gaining control of an organization's Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud," Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said in a statement sent to Dark Reading.

**From the VM to the Environment**

Mandiant detailed in the post how the threat actor targets the VM and ultimately installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence.

"The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms," the researchers wrote.

Before pivoting to another system, the attacker set up a reverse SSH (Secure Shell Protocol) tunnel to its command-and-control (C2) server and deployed a reverse tunnel configured such that port forwarding any inbound connection to remote machine port 12345 would be forwarded to the localhost port 3389, they explained in the post. This allowed UNC3944 a direct connection to the Azure VM via Remote Desktop, from which they can facilitate a password reset of an admin account, the researchers said.

The attack demonstrates the evolution and growth in sophistication of both attackers' evasion tactics and targeting, the latter of which now goes beyond the network and the endpoint directly to mobile devices and the cloud, notes Kern Smith, vice president of Americas, sales engineering at mobile security firm Zimperium.

"Increasingly, these attacks are targeting users where organizations have no visibility using traditional security tooling — such as smishing — in order to gain the information needed to enable these types of attacks," he says.

**How to Defend Against this VM Attack**

To thwart this type of threat, organizations must first prevent targeted smishing campaigns "in a way that enables their workforce while not inhibiting productivity or impacting user privacy," Smith says.

Mandiant recommends restricting access to remote administration channels and disabling SMS as a multifactor authentication method wherever possible.

"Additionally, Mandiant recommends reviewing user account permissions for overly permissive users and implementing appropriate Conditional Access Authentication Strength policies," the researchers wrote.

They also directed organizations to the available authentication methods in Azure AD on the Microsoft website, recommending that least-privilege access to the serial console be configured according to Microsoft's guidance.

Microsoft Azure VMs Hijacked in Cloud Cyberattack

Elevated attack rate expected to remain during 2023 as cybercrime becomes more sophisticated and widespread.

**ATLANTA****,** **May 17, 2023** **/PRNewswire/ --** LexisNexis® Risk Solutions today released the results of its annual Cybercrime Report, an analysis of data from 79.8 billion transactions processed through its LexisNexis® Digital Identity Network® throughout 2022. The report, _Trust and Collaboration as Foundations to Fight Fraud_, shows that the global digital attack rate increased 20% year over year (YOY) compared to 2021, continuing the trend of digital fraud rising as economies re-open following the pandemic.

The LexisNexis® Identity Abuse Index, which records the percentage of attacks per day, shows attack rates fell in the fourth quarter of 2022 although the picture varies by region, with sizeable spikes in APAC, LATAM and North America at the end of the year. 

Despite the effects of economic uncertainty, inflation and the war in Ukraine, digital transactions in 2022 went up by 24% YOY primarily driven by increasing transactions in financial services (29%) and ecommerce (17%).

Organizations are looking to establish consistent digital identity insights across all digital channels and end-customer touch points to mitigate rising fraud levels. They are striving to increase the level of trust with their customers, as well as identifying risk more easily. The report showed that the percentage of transactions classified as trusted in the Digital Identity Network® platform increased by 9% YOY, allowing organizations to provide a smoother customer journey.

"Businesses remain vulnerable to transactional fraud during this time of accelerated digitalization," said Stephen Topliss, vice president of fraud and identity strategy for LexisNexis Risk Solutions. "Despite heightened regulatory scrutiny, technological innovations and higher public awareness, there are persistent challenges in preventing fraud. This trend is likely to endure as consumers continue adopting digital channels. As fraud levels and its sophistication increase, relying on multi-factor authentication alone as a defense is inadequate in today's digital world. Organizations, industries and countries must collaborate and identify the interconnected signals of complex fraud attacks because criminal networks working in a structured way are here to stay. Addressing the latest scams requires targeted machine learning models that can consume the latest digital intelligence insights, behavioral biometrics signals and mule account indicators."

**Key findings from** _The LexisNexis Risk Solutions Cybercrime Report, January to_ December 2022**:**

*   **Mobile Channels Increasingly Popular** **–** Mobile transactions have reached a record high of 77% of all observed transactions in the Digital Identity Network, with the mobile app channel making up 82% of all mobile interactions.
*   **Attack Rate Continues to Rise** **–** The global attack rate continues to increase, driven by an uptick in the financial services and ecommerce industries at 31% and 29% respectively. The report shows that criminals continue to target the communications, mobile and media industries more than any other sector. However, a noticeable decline of 27% YOY in the overall attack rate suggests criminals are changing focus. 
*   **Vulnerabilities in Payments –** Across all desktop and mobile channels, attack rates on digital payments increased 27% YOY. Alternative payment methods, such as digital wallets, QR code payments and peer-to-peer transfers, continue to gain popularity, particularly in APAC. The shift has contributed to the 32% YOY growth in payment transactions in that region, yet criminals are also fast at exploiting vulnerabilities. The report shows a 50% YOY increase in APAC's payment attack rate.
*   **Lucrative Avenue for Cybercrime –** Automated bot attacks in the ecommerce space have grown 195% globally. Almost half of these attacks focused on the U.S., where ecommerce focused bot attacks increased by 127% YOY. Bot attacks increased 112% in the U.S. gaming and gambling industry, while the sector grows due to legalization in more states.

Download a copy of _Trust and Collaboration as Foundations to Fight Fraud: The_

**Methodology**

The LexisNexis Risk Solutions Cybercrime Report is based on cybercrime attacks detected by the Digital Identity Network platform. It processed 92 billion transactions in 2022, including common attack types such as new account creation, account login and payment fraud. It analyzes transactions for legitimacy based on device identification, geolocation, history and behavioral analytics in near real-time, providing insight into global digital identities. Customers benefit from global risk views and custom-tuned policies. The report covers "high-risk" transactions scored by global customers. Digital Identity Network does not include transaction data from all countries in the world.

**About LexisNexis Risk Solutions**

LexisNexis® Risk Solutions includes seven brands that span multiple industries and sectors. We harness the power of data, sophisticated analytics platforms and technology solutions to provide insights that help businesses and governmental entities reduce risk and improve decisions to benefit people around the globe. Headquartered in metro Atlanta, Georgia, we have offices throughout the world and are part of RELX (LSE: REL/NYSE: RELX), a global provider of information-based analytics and decision tools for professional and business customers. For more information, please visit www.risk.lexisnexis.com and www.relx.com.

LexisNexis Risk Solutions Cybercrime Report Reveals 20% Annual Increase in Global Digital Attack Rate

New retainer provides expert support starting in the first 72 hours of the incident response process to contain the attack and improve preparedness for the future.

**Helsinki, Finland – May 17, 2023:** The first 72 hours of an attack are a crucial window for incident response teams. To support organizations in preparing a swift, efficient response to incidents while minimizing their impact on operations, WithSecure™ (formerly known as F-Secure Business) is offering a new range of incident readiness and response packages.  

Incident response is more challenging than ever. Cloud services complicate IT security, skills are scarce, and responsibilities are shared with cloud service providers.   

Based on his experience, Cyber Security Advisor Paul Brucciani says that in spite of cyber attacks’ ubiquity, many mid-market organizations find themselves unprepared for incidents when they occur.

“Today, only about one in five organizations have an incident response plan–typically enterprises with well-developed cyber security. Mid-market companies don’t have these resources and if there is any service fit to be outsourced, it is incident response. Our new offering brings industry-leading incident response services to the mid-market to make it more resilient to cyber-attacks, covering both traditional on-premise and cloud IT,” he said.  

WithSecure™ has a strong record of providing incident response services to organizations large and small throughout the globe. It has over 30 years of experience in helping organizations prepare for, respond to, and recover from data breaches. Its incident response capability is assured by government agencies in Germany and the UK.

The new range of incident response offerings include three different but related services:  

*   Incident Readiness
*   Incident Response Retainer
*   Emergency Incident Response Support  
    

"The first 72 hours of an attack are vital for limiting the damage. Not just to mitigate direct damages, but it’s also important for GDPR compliance, as organizations are required to report certain incidents within that time frame. Without an effective response during that window, organizations will struggle to understand the scope of the damages and what steps to take next,” added Brucciani.    

More information on WithSecure's range of incident response services is available at

**About WithSecure™**

WithSecure™, formerly F-Secure Business, is cyber security's reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world's most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations. Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we've built our portfolio to grow with our partners through flexible commercial models.  

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.

Tag

#intel