Latest release gives small and mid-sized enterprises AI-driven analysis tools and unified visibility across IT environments for stronger ransomware protection.

**SAN FRANCISCO****,** **Feb. 8, 2023** **/PRNewswire/ —** ActZero®, a leading cybersecurity provider for small and mid-sized enterprises, announced the release of its next-generation Managed Detection and Response (MDR) platform. The ActZero MDR platform leverages its defense ingenuity and precision AI-detection to give customers an industry-leading ransomware block rate of 90 percent. Within this initial launch, security teams will gain unified real-time visibility across their environment with correlated threat insights, AI-driven tools to surface information faster for better decision making, and continuous protection against emerging ransomware threats.

Ransomware attacks are expected to cost businesses $30 billion in damages worldwide by this year. The speed and sophistication of these attacks are increasing, with adversaries now able to achieve breakout in under 43 minutes on average. ActZero successfully contains and eradicates ransomware threats within 17 minutes, compared to 98 minutes, based on assessments by an independent third-party evaluation platform. Speed to defend against a cyber threat is critical to saving a company's data, reputation, and business.

"Relying on a cybersecurity partner to protect against threats takes trust. With attackers frequently retooling to evade defenses, it's not enough to verify once; you need to continuously verify that systems are properly defended to build that trust. We thrive on that accountability," said ActZero President and Chief Revenue Officer Chris Finan. "Today, we are excited to announce the newest release of the ActZero MDR platform, making it easier for customers to continuously measure outcomes and interface seamlessly with our expert analysts. When every second counts, you need to have complete trust that your security partner will stop the threats to your business."

The newly designed ActZero MDR platform dashboard gives customers a real-time and holistic picture of their IT ecosystem and users. Critical metrics such as the ransomware block rate and average mean-time-to-first-response rate, along with real-time reporting provide the actionable intelligence for validating the cybersecurity team investment and continuous efforts to improve security.

"Businesses today need to operate at machine-speed to stop advanced cyber threats, but IT leaders and security teams also need complete visibility of their environment, which legacy SIEM and MDR approaches fail to deliver," said ActZero Chief Security Officer Adam Mansour. "We designed this new generation of our platform to give IT security teams the benefits of our market-leading, AI-driven detection, and response with purpose-built visibility and investigative tooling to empower them with complete control."

**About ActZero**

ActZero is a Gartner-recognized provider of Managed Detection and Response (MDR) services that delivers a powerful and affordable cybersecurity service to protect small and mid-sized enterprises against ransomware attacks. By  continuously testing defenses against the latest attack techniques and variants, ActZero ensures AI-detections and human threat hunters quickly stop threats. The company brings deep roots and expertise in cybersecurity to deliver measurable ransomware defense, reducing false alerts and responding quickly on a customer's behalf. Combined with exceptional service, ActZero empowers businesses with confidence that the company and customers are protected.

For more information on ActZero, please visit actzero.com.

SOURCE ActZero

ActZero Unveils Next-Generation MDR Platform

Skybox closes $50 million in financing to drive growth of its SaaS-based security platform.

**SAN JOSE, Calif., Feb. 8, 2023–** Skybox Security, a global leader in Security Policy and Vulnerability Management, today announced the appointment of Mordecai (Mo) Rosen as Chief Executive Officer, and the closing of $50 million in financing from CVC Growth Funds, Pantheon, and J.P. Morgan. Mr. Rosen is a seasoned security technology executive with over 25 years of experience and will focus on driving company growth and accelerating the adoption of the industry’s first Software-as-a-Service (SaaS) solution for Security Policy and Vulnerability Management.  

“CVC is incredibly pleased to bring on Mo as the new CEO of Skybox and to continue our long-standing financial support of the company. Skybox is the cornerstone of the security infrastructure of hundreds of the largest enterprises around the globe. With its new SaaS platform, Skybox Cloud, the company is well positioned for significant market growth,” said Jason Glass, Partner at CVC. “Mo brings a wealth of knowledge and a track record of success in leading cybersecurity and SaaS companies, and we have every confidence that he will lead Skybox to its next level of long-term growth and profitability.” 

Before joining Skybox, Mr. Rosen was the President and CEO of Digital Guardian, a data loss prevention software company, where he significantly grew recurring revenue while simultaneously leading the organization to profitability. Before Digital Guardian, he served as the Corporate Senior Vice President and General Manager for Security at CA Technologies, now a Broadcom company.  

“I was drawn to Skybox by its disruptive technology platform, blue chip customer base, and seasoned cybersecurity team,” said Mr. Rosen. “With our first to market SaaS offering, Skybox Cloud, we are well positioned to disrupt both the Security Policy and Vulnerability Management markets with a single integrated SaaS platform. I am thrilled to join Skybox at this exciting inflection point and lead the company to its next level of growth.” 

To learn more about Skybox Security, visit https://www.skyboxsecurity.com/.  

**About Skybox Security**

Over 500 of the largest and most security-conscious enterprises in the world rely on Skybox for the insights and assurance required to stay ahead of dynamically changing attack surfaces. Our SaaS-based Security Posture Management Platform delivers complete visibility, analytics, and automation to quickly map, prioritize and remediate vulnerabilities across your organization. The vendor-agnostic solution intelligently optimizes security policies, actions, and change processes across all corporate networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring enterprises remain protected.

Skybox Security Appoints Cybersecurity Veteran Mordecai Rosen as CEO

**SAN FRANCISCO, Feb. 8, 2023 --** Corelight, the leader in open network detection and response (NDR), today announced it has expanded its partnership with CrowdStrike, a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data. Under the agreement, CrowdStrike will have the ability to deploy Corelight NDR technology in customer engagements when delivering Incident Response, Compromise Assessment, and Network Security Monitoring services.

"We are honored to enter into this expanded partnership with CrowdStrike, a brand that's trusted and respected throughout the security space," said Brian Dye, CEO of Corelight. "We share a passion for using evidence to help customers find and disrupt advanced attacks, and we are excited about delivering this benefit to customers."

CrowdStrike Services will have the ability to leverage Corelight's NDR solution to enhance visibility, accelerate investigations, expand threat hunting, and understand the mechanism of advanced attacks across the full spectrum of endpoints, cloud platforms and the network – including unmanaged devices.

CrowdStrike Services delivers industry-leading incident response, technical assessments, training, and advisory services that help organizations prepare to defend against advanced threats, respond to widespread attacks, and enhance cybersecurity practices and controls. Harnessing the power of the CrowdStrike Security Cloud and the CrowdStrike Falcon platform, Services help protect critical areas of enterprise risk and hunt for threats using adversary-focused cyber threat intelligence to identify, track and prevent attacks from impacting our customer's business and brand.

"Corelight is a natural and highly complementary technology partner," said Thomas Etheridge, chief global professional services officer at CrowdStrike. "Better security outcomes require world-class and timely data. Because Corelight also seamlessly integrates with a range of CrowdStrike products, including CrowdStrike Falcon XDR and CrowdStrike Falcon LogScale, our mutual customers can hunt for unknown attacks, close visibility gaps, and even disrupt future threats faster by seeing everything that matters on the network – including unmanaged endpoints and IoT devices."

The agreement is the latest evidence of ongoing collaboration between the two companies: CrowdStrike's Falcon Fund is an investor in Corelight, and CrowdStrike was recently named Corelight's Apex Awards Alliance Partner of the Year for Innovation.

**About Corelight**

Corelight transforms network and cloud activity into evidence that security teams use to proactively hunt for threats, accelerate response to incidents, gain complete network visibility and create powerful analytics. Corelight's global customers include Fortune 500 companies, major government agencies, and large universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely-used network security technology. For more information, visit https://corelight.com or follow @corelight\_inc.

Corelight Expands Partnership With CrowdStrike to Provide Network Detection and Response Technology for CrowdStrike Services

Omdia has learned that Gigamon sold its ThreatInsight NDR business to Fortinet for approximately $31 million. The deal highlights what may be a pivot point for the NDR market.

Gigamon has exited the network detection and response (NDR) business, selling its NDR solution to a former competitor, Omdia has learned.

The Santa Clara, California-based network visibility and IT observability vendor quietly sold its ThreatInsight NDR business to Fortinet at the end of last year. Omdia research indicates the acquisition price was approximately $31 million.

The sale also encompassed the staff dedicated to ThreatInsight, including Gigamon’s former threat intelligence group. Omdia research indicates that approximately 30 to 50 Gigamon employees moved to Fortinet in the transaction.

**Gigamon Shifts to NDR Enabler**

Gigamon entered the NDR market in 2018 when it acquired NDR startup Icebrg. Seen at the time as a strong complement to its portfolio of network visibility solutions, which includes network traffic decryption, ThreatInsight never lived up to Gigamon's commercial expectations, in part because enterprise buying centers for visibility and observability tend to differ from those related to threat detection, investigation, and response (TDIR).

One of the difficulties of selling point products is that they tend to have very specific buying centers. This is highlighted by the position that Gigamon found itself in with NDR. While it continues to have success selling its broader portfolio by targeting CISOs and security architecture teams, NDR sales are typically evaluated and funded within incident response groups, which require a different sales motion.

While security remains an important use case for Gigamon’s visibility portfolio generally, Gigamon increasingly saw itself as better positioned as an ecosystem enabler of NDR solutions through partnership with leading NDR vendors.

By eliminating any competitive conflicts, the deal should immediately make Gigamon a more attractive partner with a variety of NDR vendors with which it formerly competed. Additionally, the company can re-emphasize its renewed focus on network and hybrid cloud observability, this following its recent pivot to relabel its core platform as a Deep Observability Pipeline solution.

**Fortinet Doubles Down on NDR**

Fortinet will rebrand the ThreatInsight technology as FortiNDR Cloud and sell it as a cloud-based addition to its existing on-premises FortiNDR product (formerly known as FortiAI).

Fortinet introduced FortiAI in 2020 as an AI/ML appliance for network detection and response. The company has seen strong demand for NDR as customers shift focus to what Fortinet calls advanced and early detection. The growing adoption of a zero-trust philosophy is also driving additional interest as organizations treat internal east-west traffic with increased scrutiny.

**NDR Market Evolution**

The move also highlights the NDR market’s continuing evolution. As enterprises increasingly seek to unify their TDIR product architectures, interest is growing in NDR solutions that can not only detect and respond to network-specific threats but can also provide insight to and integration with broader solution sets, such as XDR and other security operations platforms.

This evolution is playing out in several ways. For example, NDR vendors are continuing to expand their functional footprint to include additional network security capabilities, such as a broader set of detection capabilities. Of course, the flip side to that trend is network security appliance vendors potentially adding NDR as an additional feature.

Fortinet is a case in point. While FortiNDR Cloud will be available as a stand-alone product, and one that requires no Fortinet hardware, NDR functionality is sure to find its way into broader network security solutions such as next-generation firewalls (NGFWs). This trend will shift the competitive landscape in NDR, which is currently dominated by pure plays such as Darktrace, ExtraHop, and Vectra.

NDR solutions are also increasingly expected to integrate across emerging open XDR ecosystems. This, of course, requires significant investment as the number of integration requests can be large, even if initially just focusing on EDR vendors. Omdia believes success in NDR would have required a significant new investment from Gigamon.

Ironically, given the increased partnership opportunities, Omdia believes this divestiture might well grow Gigamon’s overall share of security dollars, as security teams are either stakeholders or outright buyers of the network observability capabilities that Gigamon offers. More broadly, the company is betting that customers will be shopping for a comprehensive observability platform across hybrid environments.

Omdia's most recent global NDR market outlook indicates the NDR market is worth $0.95 billion as of the end of 2021 and is expected to grow to $1.98 billion by the end of 2027. However, Omdia forecasts that growth in the stand-alone NDR market will slow in 2023 due to macroeconomic headwinds but will rebound and continue to show reasonable growth for the foreseeable future. That said, consolidation of detection and response functionality across digital domains is an important trend.

More broadly, and as importantly, security buyers are looking to consolidate security functionality from a smaller group of larger providers. While best-of-breed security point products will never disappear, suite vendors such as Palo Alto Networks, Fortinet, and Cisco, among others, are well positioned for current vendor consolidation.

Gigamon Exits NDR Market, Sells ThreatInsight Business to Fortinet

Campaigner bemoans glacial progress of review and urges government to set clear timetable

Campaigner bemoans glacial progress of review and urges government to set clear timetable

A review of the UK’s creaking cybercrime laws has been criticized for lacking “urgency” after the UK government launched a second public consultation on the issue.

The consultation is primarily seeking feedback on three proposals to emerge from an earlier call for information related to the aging Computer Misuse Act 1990 (CMA).

According to security minister Tom Tugendhat, these proposals would grant law enforcement agencies new powers to seize control of maliciously deployed domains and IP addresses, “require the preservation of computer data” while police determine the data’s relevance to an investigation, and take action against persons “possessing or using data obtained by another person through a CMA offence”.

**Statutory defense**

Tugenhadt also invited comment on sentencing, extra-territorial threats, and the prospect of introducing a statutory defense for hacking undertaken for good-faith or benign rather than malicious motives.

The CyberUp campaign, which lobbies for a complete overhaul of the CMA, wants robust legal protections for responsible vulnerability research and disclosure, disseminating threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and running honeypots.

The campaign, whose backers include the Confederation of Business Industry (CBI) and parliamentarians like Lord Chris Holmes, believe the lack of legal clarity for good-faith security work threatens to undermine vital intelligence-sharing between the private cybersecurity industry and law enforcement agencies.

RELATED Statutory defense for ethical hacking under UK Computer Misuse Act tabled

The Home office recognized that a statutory defense could “advance our whole of society approach to cyber security” but warned of the risk of providing legislative cover for ‘hacking back’.

“We believe further work is required to consider options, and the risks and benefits associated with the introduction of statutory defences,” it said.

**‘Way behind other nations’**

The latest consultation comes around 21 months after the CMA review was first announced by then Home Secretary Priti Patel, in May 2021.

“Cybercrime is endemic across the UK. We need urgency and pace – not for these issues to be kicked into the long grass,” said Ollie Whitehouse, spokesperson for the CyberUp campaign.

“We welcome that the government has acknowledged that there is a problem with legitimate cybersecurity activity being constrained by the UK’s outdated cyber laws; 66% of respondents to its consultation agreed on this point.

“And yet – today’s announcement lacks concrete action, leaving the UK way behind other nations.”

Progress has certainly been more notable across the Atlantic in terms of enhancing legal protections for legitimate security research, following a landmark Supreme Court ruling and US Department of Justice pledge not to prosecute good-faith security researchers last year.

BACKGROUND US Computer Fraud and Abuse Act: ‘Landmark’ ruling has implications for security researchers

Kat Sommer, group head of strategy and public affairs at NCC Group, which leads the CyberUp campaign, told The Daily Swig that she welcomed the government’s recognition “that cybercrime laws must not unnecessarily prohibit cyber security activities”, and “commitment to work with the industry to consider the defences that should be introduced to safeguard cyber professionals.

“Nevertheless, the continued ambiguity while this work takes place will act as a brake on the industry,” she continued. “After 21 months of consultation, we would have hoped for further progress to bring the 32-year-old Computer Misuse Act into the 21st century, than what has been announced this week.”

Ollie Whitehouse said “very little progress has been made in nearly two years” and urged the government to “lay out a clear timetable and plan for the next steps, to ensure there are no more delays”.

A further round of consultation on the CMA began yesterday (7 February) and ends on 6 April 2023.

There were an estimated 1.6 million incidents of computer misuse reported in England and Wales in the year ending March 2022, accounting for 14% of crime overall.

DON’T FORGET TO READ DOM XSS vulnerability in Gartner Peer Insights widget patched

Second UK Computer Misuse Act consultation reflects ‘very little progress’

Categories: Ransomware
Categories: Threat Intelligence
Our Threat Intelligence team looks at known ransomware attacks by gang, country, and industry sector in January 2023, and looks at LockBit's newest encryptor. 



(Read more...)




The post Ransomware review: February 2023 appeared first on Malwarebytes Labs.

_Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom._

LockBit started off the new year just as it ended the last one, topping the charts once again as January’s most prolific ransomware-as-a-service (RaaS). The Hive ransomware group meanwhile found itself shut down by the FBI.

It’s not all old news for Lockbit, however: Last month the gang was seen using a new Conti-based encryptor named 'LockBit Green’. This latest ransomware version, the third from the gang after LockBit Red and LockBit Black, shares 89% of its code with Conti v3 ransomware and has already been used to attack at least five victims.

Considering the success of LockBit Black, it’s unusual (and unclear) why the gang is offering a new variant. One possible explanation is that it wants to attract affiliates who are more comfortable using Conti-based ransomware, such as ex-Conti members. Expanding marketing operations, so to speak.

A post on the Dark Web by LockBit (translated from the original Russian) suggests the group is supplementing the ransomware ("lockers") it already sells, rather than replacing it:

> I have repeatedly said that I want to collect as many top lockers as possible in one panel, who have well-known and good sources lying around, write - I will buy. I don't care what the reviewers think and say. It is important for me to expand the arsenal in my wonderful panel. Each advert decides for himself what to work with or combines several lockers in an attack on one company if time permits. Agree, it would be nice if I had some other Petya Ransomware or something else epic in my panel?

Known ransomware attacks by gang in January 2023

Known ransomware attacks by country in January 2023

Known ransomware attacks by industry sector in January 2023

While LockBit was plowing through the new year, however, there was nothing but radio silence from another notorious ransomware player: BlackBasta. Ever since we started tracking them in April 2022, BlackBasta’s high placement every month among the ranks of other ransomware groups has been more or less a foregone conclusion. Their absence of activity in January therefore bears mentioning.

Apparent inactivity by ransomware gangs is complicated by the fact that their Dark Web leak sites only show companies that didn't pay a ransom, so an extremely successful month for them also looks like an inactive month. A month where nobody refused to pay would be hugely unusual though.

Having said that, the Black Basta News Tor site, where it publishes new victims, has been down for several weeks. We saw that it was reactivated on January 22, but the next day it went down again. The backend to the site used to contact the victims seems to be down as well.

The BlackBasta contact site

On the other hand, attacks by Vice Society—the ransomware gang responsible for an infamous attack on the LA Unified School District—have shot up to their highest level in three months. Vice Society is believed to be a Russian-based group whose ideal prey appears to be universities, colleges, and K-12 schools. The Federal Bureau of Investigation (FBI) even released a joint Cybersecurity Advisory (CSA) in September, after observing that Vice Society has disproportionately targeted the education sector.

In January, Vice Society published the data of nine schools on its leak site. It’s perhaps not a coincidence then that attacks on the education sector are the highest they have been in three months.

Last month we introduced a newcomer named Endurance, a solo actor who successfully infiltrated big corporations and breached several US government entities. In January the lone wolf managed to crack the top five biggest ransomware gangs for the month, launching successful attacks on places such as car marketplace Autotrader, where they stole data belonging to 1.4 million users. Another newcomer we introduced last month, Unsafe, which recycles leaks from other ransomware groups, added seven new victims to its rap sheet in January.

Play’s surge in December activity fell by about 76% percent in January. At the same time, we witnessed the ‘return of the dead’ with AvosLocker, placing itself back on the map for the first time since October 2022.

**Hive seized**

Hive ransomware is no stranger to the Threat Intelligence team: It was one of the most widely used RaaS in 2022 and indeed if their 15 attacks in December was any indication, Hive showed no signs of slowing down going into the new year.

Hive’s final chapter came to a close in late January, however, after the United States Department of Justice (DoJ) confirmed it had launched a successful disruption campaign against them.

Known attacks by ransomware gangs, based on data leaked since April 2022

The disruption campaign has reportedly had access to Hive's infrastructure since July of 2022. Its access became public on Thursday when Hive's Dark Web site began showing a notice that “this hidden site has been seized”.

According to the DoJ, the Hive ransomware group has targeted over 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure, attempting to extort hundreds of millions of dollars from victims in the United States and around the world.

We can’t say we’re sad to see them go.

What's left of the Hive leak site

**Nevada Ransomware**

Nevada is a relatively new ransomware which emerged on the Dark Web right before the start of 2023, but it wasn’t until late January that it got a serious upgrade.

On December 10, an actor named ‘nebel’ published a post promoting the project on the RAMP underground community, which is known as a space for initial access brokers (IABs) and Russian and Chinese hackers. On January 30, researchers at Resecurity released a report on how the operators behind the project “updated and significantly improved the functionality of the locker for Windows and Linux/ESXi, and distributed new builds for their affiliates”.

Nevada ransomware promotion on RAMP

**Ransomware revenue down**

According to blockchain data platform Chainalysis, ransomware revenue “plummeted” from $765.6 in 2021 to at least $456.8 in 2022. The data is based on an analysis of the cryptocurrency addresses known to be controlled by ransomware attackers.

Image courtesy of Chainalysis

While the real numbers are likely much higher, it does present us with an idea of the development of ransomware payments. Last year's estimate at this point seemed to show a decline from $765 million to $602 million, but turned out to be a small gain after correction.

According to our own research and Chainalysis, the declining numbers are likely due to victim organizations increasingly refusing to pay ransomware attackers.

In our Ransomware Emergency Kit, you'll find tips your organization needs to defend against RaaS gangs. 

GET THE RANSOMWARE EMERGENCY KIT

Ransomware review: February 2023

Generative AI combined with user awareness training creates a security alliance that can let organizations work protected from ChatGPT.

ChatGPT has taken the world by storm since late November, sparking legitimate concerns about its potential to amplify the severity and complexity of the cyber-threat landscape. The generative AI tool's meteoric rise marks the latest development in an ongoing cybersecurity arms race between good and evil, where attackers and defenders alike are constantly in search of the next breakthrough AI/ML technologies that can provide a competitive edge.

This time around, however, the stakes have been raised. As a result of ChatGPT, social engineering is now officially democratized — expanding the availability of a dangerous tool that enhances a threat actor's ability to bypass stringent detection measures and cast wider nets across the hybrid attack surface.

**Casting Wide Attack Nets**

Here's why: Most social engineering campaigns are reliant upon generalized templates containing common keywords and text strings that security solutions are programmed to identify and then block. These campaigns, whether carried out via email or collaboration channels like Slack and Microsoft Teams, often take a spray-and-pray approach resulting in a low success rate.

But with generative AIs like ChatGPT, threat actors could theoretically leverage the system's Large Language Model (LLM) to stray away from universal formats, instead automating the creation of entirely unique phishing or spoofing emails with perfect grammar and natural speech patterns tailored to the individual target. This heightened level of sophistication makes any average email-borne attack appear far more credible, in turn making it far more difficult to detect and prevent recipients from clicking a hidden malware link.

However, let's be clear that ChatGPT _doesn't_ signify the death sentence for cyber defenders that some have made it out to be. Rather, it's the latest development in a continuous cycle of evolving threat actor tactics, techniques, and procedures (TTPs) that can be analyzed, addressed, and alleviated. After all, this isn't the first time we've seen generative AIs exploited for malicious intent; what separates ChatGPT from the technologies that came before it is its simplicity of use and free access. With OpenAI likely moving to subscription-based models requiring user authentication coupled with enhanced protections, defending against ChatGPT attacks will ultimately come down to one key variable: fighting fire with fire.

**Beating ChatGPT at Its Own Game**

Security operation teams must leverage their own AI-powered large language models (LLMs) to combat ChatGPT social engineering. Consider it the first _and_ last line of defense, empowering human analysts to improve detection efficiency, streamline workflows, and automate response actions. For example, an LLM integrated within the right enterprise security solution can be programmed to detect highly sophisticated social engineering templates generated by ChatGPT. Within seconds of the LLM identifying and categorizing a suspicious pattern, the solution flags it as an anomaly, notifies a human analyst with prescribed corrective actions, and then shares that threat intelligence in real-time across the organization's security ecosystem.

The benefits are the reason why the rate of AI/ML adoption across cybersecurity has accelerated in recent years. In IBM's 2022 "Cost of a Data Breach" report, companies that leveraged an AI-driven security solution alleviated attacks 28 days faster, on average, and reduced financial damages by more than $3 million. Meanwhile, 92% of those polled in Mimecast's 2022 "State of Email Security" report indicated they were already leveraging AI within their security architectures or planned on doing so in the near future. Building on that progress with a stronger commitment to leveraging AI-driven LLMs should be an immediate focus moving forward, as it's the only way to keep pace with the velocity of ChatGPT attacks.

**Iron Sharpens Iron**

The applied use of AI-driven LLMs like ChatGPT can also enhance the efficiency of black-box, gray-box, and white-box penetration testing, which all require a significant amount of time and manpower that strained IT teams lack amidst widespread labor shortages. Considering time is of the essence, LLMs offer an effective methodology for streamlining pen-testing processes — automating the identification of optimal attack vectors and network gaps without relying on previous exploit models that often become outdated as the threat landscape evolves.

For example, within a simulated environment, a "bad" LLM can generate tailored email text to test the organization's social engineering defenses. If that text bypasses detection and reaches its intended target, the data can be repurposed to train another "good" LLM on how to identify similar patterns in real-world environments. This helps to effectively inform both red and blue teams on the intricacies of combating ChatGPT with generative AI, while also providing an accurate assessment of the organization's security posture that allows analysts to bridge vulnerability gaps before adversaries capitalize on them.

**The Human Error Effect**

It's important to remember that only investing in best-of-breed solutions isn't a magic bullet to safeguard organizations from sophisticated social engineering attacks. Amidst the societal adoption of cloud-based hybrid work structures, human risk has emerged as a critical vulnerability of the modern enterprise. More than 95% of security breaches today, a majority of which are the result of social engineering attacks, involve some degree of human error. And with ChatGPT expected to increase the volume and velocity of such attacks, ensuring hybrid employees follow safe practices regardless of where they work should be considered nonnegotiable.

That reality heightens the importance of implementing user awareness training modules as a core component of their security framework — employees who receive consistent user awareness training are five times more likely to identify and avoid malicious links. However, according to a 2022 Forrester report, "Security Awareness and Training Solutions," many security leaders lack extensive understanding of how to build a culture of security awareness and revert to static, one-size-fits-all employee training to measure engagement and influence behavior. This approach is largely ineffective. For training modules to resonate, they must be scalable and personalized with entertaining content and quizzes that align with employees' areas of interest and learning styles.

Combining generative AI with well-executed user awareness training creates a robust security alliance that can enable organizations to work protected from ChatGPT. Don't worry cyber defenders, the sky isn't falling. Hope remains on the horizon.

Why ChatGPT Isn't a Death Sentence for Cyber Defenders

Legal experts say a key law should already prevent brokers from collecting and selling data that's weaponized against vulnerable people.

The letter also points to databases maintained by the British multinational RELX and the Canadian conglomerate Thomson Reuters, which, according to CUNY law professor Sarah Lamdan, author of _Data Cartels: The Companies That Control and Monopolize Our Information_, contain dossiers on roughly two-thirds of the US population, tracing their whereabouts and mapping social and familial relationships. 

In 2020 alone, data brokers extracted some $29 million while vying to undermine legislative efforts to rein in their industry, according to lobbying disclosures unearthed by The Markup. 

While many major data collectors acknowledge falling under the jurisdiction of the FCRA, others have evaded regulatory scrutiny by relying on what the lawyers petitioning Chopra deem erroneous legal analysis. Other firms partition their products and the surveillant data they gather to exempt from compliance what the credit reporting industry calls “header information,” traditionally consisting of people’s names, birth dates, and Social Security numbers, in addition to phone and residential histories. This, even when that data is derived from sources clearly subject to the law. 

“Data brokers are packaging the same personal data points about us into different products for sale and then claiming that certain products are beyond the reach of key legal protections,” says Laura Rivera, an attorney with Just Futures Law. “It’s dishonest, exploitative, and it leads to real harm to consumers of all backgrounds, but especially low-income communities of color, including immigrants.”

“In advocating for coverage of data brokers, we're simply asking the CFPB to restore the scope of the Act as Congress originally intended,” adds Chi Chi Wu, a staff attorney at the National Consumer Law Center, who identified a series of constricting court rulings over the years with watering the FCRA down. 

Historically disadvantaged communities face the brunt of the harm, Wu says, pointing to the sale of information on some of America’s poorest communities to predatory “payday” lenders. In fact, data brokers derive significant profit from businesses whose whole purpose is identifying consumers who face financial instability. A 2013 US Senate report noted, for example, that these purchases were often made by companies that “sell high-cost loans and other financially risky products”—unscrupulous businesses making bread and butter out of the economically vulnerable, including widows. 

Companies playing fast and loose with personal data have drawn the ire of consumer protectionists and Capitol Hill privacy hawks for years, leading to meager gains for consumers. In 2021, a slew of utility companies that had long pilfered cable, phone, and energy customers of sensitive data for their own profit agreed to end the practice of selling it to Thomas Reuters, which had, in turn, supplied it to government agencies and police, including US Immigration and Customs Enforcement. 

“Selling personal information that people provide to sign up for power, water, and other necessities of life, and giving them no choice in the matter, is an egregious abuse of consumers’ privacy,” Senator Ron Wyden, a Democrat of Oregon and leading government-surveillance critic, said in a letter to Chopra at the time. 

The US’s Defense Intelligence Agency, Defense Counterintelligence and Security Agency, and Customs and Border Protection (CBP) are among a wide range of federal agencies known to purchase Americans' private data, including that which law enforcement agencies would normally require probable cause to obtain. The US Supreme Court ruled in 2018 that police and intelligence agencies had no right to compel businesses to turn over location data derived from cellphones and other devices without a legal warrant. 

The decision did little to stop the government from sidestepping the courts. The Justice Department, the Office of the Director of National Intelligence, the Pentagon, and hundreds if not thousands of state and local police agencies have interpreted the ruling as having placed no restrictions on their ability to simply buy location data.

How the US Can Stop Data Brokers' Worst Practices—Right Now

A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine.
Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.
"The malware is written in Go and is designed to harvest a wide

Threat Intelligence / Data Safety

A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine.

Dubbed **Graphiron** by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as **Nodaria**, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.

"The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files," the Symantec Threat Hunter Team said in a report shared with The Hacker News.

Nodaria was first spotlighted by CERT-UA in January 2022, calling attention to the adversary's use of SaintBot and OutSteel malware in spear-phishing attacks targeting government entities.

The group, which is said to be active since at least April 2021, has since repeatedly deployed custom backdoors such as GraphSteel and GrimPlant in various campaigns since Russia's military invasion of Ukraine. Select intrusions have also entailed the delivery of Cobalt Strike Beacon for post-exploitation.

Graphiron, the latest program added to the group's arsenal, is an improved version of GraphSteel, packing in features to run shell commands and harvest system information, files, credentials, screenshots, and SSH keys.

Another notable aspect is that while GraphSteel and GrimPlant made use of Go version 1.16, Graphiron relies on version 1.18, which officially shipped in March 2022. This also suggests that Graphiron is a more recent development.

Furthermore, an analysis of the infection chains reveals the presence of two stages, a downloader that's responsible for retrieving an encrypted payload containing the Graphiron malware from a remote server.

With the latest findings, Nodaria joins another Russian state-sponsored group referred to as Gamaredon in extensively singling out Ukraine.

"While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group's high-level activity over the past year suggests that it is now one of the key players in Russia's ongoing cyber campaigns against Ukraine," Symantec said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Using Graphiron Malware to Steal Data from Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert warning of cyber attacks against state authorities in the country that deploy a legitimate remote access software named Remcos.
The mass phishing campaign has been attributed to a threat actor it tracks as UAC-0050, with the agency describing the activity as likely motivated by espionage given the toolset employed.
The

Threat Intelligence / Cyber War

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert warning of cyber attacks against state authorities in the country that deploy a legitimate remote access software named Remcos.

The mass phishing campaign has been attributed to a threat actor it tracks as **UAC-0050**, with the agency describing the activity as likely motivated by espionage given the toolset employed.

The bogus emails that kick-start the infection sequence claim to be from Ukrainian telecom company Ukrtelecom and come bearing a decoy RAR archive. Of the two files present in the file, one is a password-protected RAR archive that's over 600MB and the other is a text file containing the password to open the RAR file.

Embedded within the second RAR archive is an executable that leads to the installation of the Remcos remote access software, granting the attacker full access to commandeer compromised computers.

Remcos, short for remote control and surveillance software, is offered by Breaking Security either for free or as a premium version that costs anywhere between €58 and €945.

The Italian company calls it a "lightweight, fast and highly customizable Remote Administration Tool with a wide array of functionalities."

The latest CERT-UA advisory comes as the State Cyber Protection Centre (SCPC) of Ukraine pointed fingers at a Russian state-sponsored threat actor known as Gamaredon for its targeted assaults aimed at public authorities and critical information infrastructure.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel