The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.

CVE-2022-3095: sdk/CHANGELOG.md at master · dart-lang/sdk

70% of investors on the cap table are women.

**TORONTO – October 27, 2022** **—** Cybersecurity startup Protexxa today announced it has raised CAD$4 million in seed funding. The company, which launched at an intimate event earlier this month, aims to address the risk to businesses resulting from gaps in personal cybersecurity for both companies and individuals. Its seed funding round was led by BKR Capital, which makes transformational investments in disruptive companies and promising Black technology founders. The Firehood Angels and several angel investors, including Jeff Fettes, Annette Verschuren, and Leen Li also participated in the round. The funds will be used to build out the cybersecurity platform with assisted remediation technology, facilitate pilots with global customers, and prepare to scale its operations. The company is currently in the process of filing several patents.

Protexxa is the brainchild of global information technology leader and cybersecurity executive Claudette McGowan. Prior to Protexxa, McGowan held the role of Global Executive Officer for Cybersecurity at TD Bank. As she is passionate about advancing women in technology, 70% of Protexxa investors are women.

**Protexxa Personalized Cybersecurity Protection Platform**

Of the 4.95 billion global internet users, half are victims of cybercrime and most don’t even realize they have been compromised. Protexxa is addressing the human element of cybersecurity by connecting the dots between personal cyber hygiene and business risk. Using artificial intelligence (AI), the Protexxa platform rapidly identifies, evaluates, predicts, and resolves common cyber issues. With 43% of cyberattacks aimed at small businesses, cyber solutions for businesses of all sizes are needed now more than ever.

Protexxa’s personalized cybersecurity protection platform is currently being piloted across several industries including government, academia, and healthcare.

“Since the pandemic, cybercrime has quadrupled and continues to accelerate. Our goal is to be part of the solution. Through Protexxa, we will democratize cybersecurity by making it more accessible for both businesses and individuals,” says McGowan, who is at the helm of Protexxa in the role of Chief Executive Officer. “The key is to connect the dots on how personal cyber hygiene can affect an organization. This means identifying blind spots and building out personalized training, assessment, and awareness plans to move cyber health in a positive direction.”

**Protexxa Advisory Circle**

As Protexxa Advisory Chair, Jodi Kovitz leads the company’s Advisory Circle, which includes notable executives such as Wes Hall, Chairman of Kingsdale; Sherry Shannon-Vanstone, former CEO of Trustpoint and now CEO of Profound Impact; Yung Wu, CEO of MaRS; Jean Augustine, CEO of Jean Augustine Centre for Young Women's Empowerment; and Larissa Holmes, former Chief Talent Officer at Borrowell.

**Cyber Security Fast Facts**

*   90% of digital breaches and attacks are caused by human error.
*   Remote work and lockdowns has resulted in a 50% increase in worldwide internet traffic, leading to new cybercrime opportunities.
*   Global spending on cybersecurity exceeded $1 trillion in 2021.
*   More than 90% of successful attacks against businesses originate from phishing.
*   $21 billion is anticipated to be spent annually on training and cyber awareness by 2027.

**About Protexxa**

Protexxa is a B2B SaaS cybersecurity startup that connects the dots between personal cyber hygiene and business risk. Using artificial intelligence (AI), the Protexxa platform rapidly identifies, evaluates, predicts, and resolves common cyber issues. With a key focus on prevention and increasing global cyber literacy, Protexxa also offers personalized training and consulting for companies worldwide. For additional information, visit protexxa.com.

Cybersecurity Startup Protexxa Raises $4 Million in Seed Funding to Protect Businesses and Individuals Online as Cybercrime Accelerates

**DUBLIN, Oct. 27, 2022 /PRNewswire/ —** The "Banking Encryption Software Market Size, Share & Trends Analysis Report by Component, by Deployment, by Enterprise Size, by Function (Cloud Encryption, Folder Encryption), by Region, and Segment Forecasts, 2022-2030" report has been added to **ResearchAndMarkets.com's** offering.

The global banking encryption software market size is expected to reach USD 5.03 billion by 2030, expanding at a CAGR of 13.0% from 2022 to 2030, according to this study conducted. The growing need for modern security solutions worldwide is anticipated to drive the growth of the industry. In addition, the rising incidences of cyber-attacks also bode well for growth.

Banking encryption software facilitates the confidential exchange of vital data by encrypting the data at the sender's end in a form not readable without a proper authentication key, which is usually in the form of a password. The receiver can use the authentication key to decrypt the data and read it. The strong emphasis banks and other financial institutions are putting on securing data transactions is driving the adoption of banking encryption software.

The growing partnerships among the encryption software providers are expected to drive market growth. For instance, In April 2021, Google Cloud and Broadcom collaborated. This collaboration increased the integration of cloud services into Broadcom's primary software franchises. In this partnership, Broadcom was able to make enterprise operations software and its security suite available on Google Cloud, enabling organizations to encrypt and decrypt data at the column level.

**Banking Encryption Software Market Report Highlights**

*   The software segment is expected to dominate the segment over the forecast period. This is due to its offered benefits such as security and privacy protection to the financial institutes
*   The cloud segment is anticipated to witness the fastest growth over the projection period. The growth of the segment can be attributed to the inexpensive deployment and customization options
*   The large enterprise segment dominated the market in 2021. Large organizations are adopting encryption solutions to meet the changing security needs owing to the rising incidences of cybercrimes
*   The cloud encryption segment is anticipated to witness the fastest growth because of its capability to facilitate a cost-effective and scalable encryption model
*   The Asia Pacific regional market is expected to witness the fastest growth over the projection period due to an increase in demand for encryption software among banks in developing countries in the Asia-Pacific, including China and India, to safeguard and ensure the privacy of data

**Key Topics Covered**

Chapter 1: Methodology and Scope  
Chapter 2: Executive Summary  
Chapter 3: Banking Encryption Software Industry Outlook  
Chapter 4: Investment Landscape Analysis  
Chapter 5: FinTech Industry Highlights  
Chapter 6: Banking Encryption Software Component Outlook  
Chapter 7: Banking Encryption Software Deployment Outlook  
Chapter 8: Banking Encryption Software Enterprise Size Outlook  
Chapter 9: Banking Encryption Software Function Outlook  
Chapter 10: Banking Encryption Software Regional Outlook  
Chapter 11: Competitive Analysis  
Chapter 12: Competitive Landscape

**Companies Mentioned**

*   Broadcom
*   ESET North America
*   IBM Corporation
*   Intel Corporation
*   McAfee, LLC
*   Microsoft
*   Sophos Ltd.
*   Thales Group
*   Trend Micro Incorporated
*   WinMagic

For more information about this report visit https://www.researchandmarkets.com/r/fp92vx.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Insights

Webinars

*   Penetration Testing, Red Teaming, and More: Improving Your Defenses By Thinking Like an Attacker
*   Building & Maintaining an Effective Incident Readiness and Response Plan

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Breaches Prompt Changes to Enterprise IR Plans and Processes

Editors' Choice

Tara Seals, Managing Editor, News, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Shauli Rozen, CEO and Co-Founder, ARMO

Dark Reading Staff, Dark Reading

Webinars

*   Penetration Testing, Red Teaming, and More: Improving Your Defenses By Thinking Like an Attacker
*   Building & Maintaining an Effective Incident Readiness and Response Plan
*   State of Bot Attacks: What to Expect in 2023
*   Analyzing and Correlating Security Operations Data
*   Understanding Cyber Attackers & Their Methods

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Breaches Prompt Changes to Enterprise IR Plans and Processes
*   Implementing Zero Trust In Your Enterprise: How to Get Started
*   6 Elements of a Solid IoT Security Strategy
*   Incorporating a Prevention Mindset into Threat Detection and Response

White Papers

*   Understanding the Zero Trust Approach
*   Top Cloud Threats to Cloud Computing: Pandemic Eleven
*   BotGuard for Applications Higher Education Case Study
*   Top Four Steps to Reduce Ransomware Risk
*   2022 Cyber Threat Landscape Report

Events

*   Understanding Cyber Attackers - A Dark Reading Nov 17 Event
*   Black Hat Europe - December 5-8 - Learn More
*   Black Hat Middle East & Africa - November 15-17 - Learn More

More Insights

Webinars

*   Penetration Testing, Red Teaming, and More: Improving Your Defenses By Thinking Like an Attacker
*   Building & Maintaining an Effective Incident Readiness and Response Plan

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Breaches Prompt Changes to Enterprise IR Plans and Processes

Worldwide Banking Encryption Software Market to Reach $5.03 Billion by 2030 at a 13% CAGR

Setting priorities for internal security measures and outsourcing complex practices help protect small and midsize businesses.

Due to their limited security budgets and high dependence on unmanaged IT systems, small businesses are often left vulnerable and frequently targeted by cybercriminals. While large enterprises can usually recover from an attack, many small businesses are forced to shut down if they cannot afford to pay ransoms or restore the function of their network systems. These ransomware attacks can leave behind millions in damages. However, to keep your small to midsize business (SMB) as unscathed as possible in the face of an attack, it becomes imperative to understand internal vulnerabilities and how to strengthen your organization's cybersecurity posture from the top down.

One of the reasons SMBs have seen an uptick in ransomware attacks is the sheer ease with which criminals can successfully penetrate their defenses. Threat actors don't need to employ expensive and highly technical gangs to assist in a breach. Instead, they simply infiltrate internal networks through the use of software with artificial intelligence and machine learning. Once in, they can seize data, open backdoors for future exploitation, and freeze entire IT systems.

Additionally, SMBs are part of a far bigger picture. SMBs are often key members of larger companies' supply chains, and the revenue from these relationships with large companies is essential to their well-being. Those larger companies are imposing strict rules or policies on the security posture of their smaller counterparts to protect themselves against vulnerabilities in their supply chains. SMBs that are slow to adapt to this demand may start losing business whether or not they actually get hacked. And if they do get hacked, the larger companies are more likely than ever to discontinue the business relationships.

Establishing a well-thought-out disaster recovery plan that allows for routine and proper testing is essential to protecting the operation of the organization. A holistic approach to cyber infrastructure management enables an organization to properly deploy effective protections. Here are three steps to begin implementing those protections.

**1\. Keep Evolving Your Risk Management**

Insufficient security measures not only escalate the risk of attack, but they escalate the risk of significant compliance violations as well. Risk is constantly evolving, and managing that risk is an essential part of every cybersecurity program and critical to business resilience. But it is often overlooked and not well executed. Frequently, SMBs run outdated software that all but invites attackers to target well-known vulnerabilities. Fortunately, the ability to share intel has vastly improved the ability to continuously seek out indicators of compromise, allowing IT teams to quickly mitigate sophisticated actors before they can bring harm to the company.

**2\. Establish Continuous Vulnerability Monitoring**

The most effective approach to recognizing vulnerabilities is a monitoring system that detects attacks as quickly as possible, with swift remediation tactics in place. Security monitoring generally refers to the process of analyzing several logs or network devices (firewalls, servers, switches, etc.) for potential security incidents.

Most often, a security incident and event management (SIEM) system is used to aggregate, consolidate, and normalize that data. Advanced behavioral analytics augment the SIEM alerts and provide a comprehensive view of the customer landscape. Within this system, suspicious activity can be identified and quickly brought to IT personnel's attention to determine if it represents a true threat. SMBs can outsource this function to receive access to enterprise-grade security technology and expertise they otherwise might not have been able to attract, afford, or retain. Continuous monitoring means threats can often be mitigated ahead of time, and vulnerabilities can be quickly patched around the clock.

**3\. Select Appropriate Security Vendors**

Most SMBs lack the technical expertise to properly evaluate a security solution/provider. If this is the case with your organization, consider engaging a third-party managed security provider to assist in the evaluation. Selecting a security solution/partner should be a well-thought-out decision that is focused on results. You must ask yourself whether the provider protects your business from as many angles as possible. What specific tools is this partner going to use? And how are they keeping up with the continued advancements that bad actors are using to gain access to your data?

Security vendors should be able to ingest data from several sources, including firewalls, endpoints, virtual private networks, flow data, DNS, DHCP, intrusion detection and prevention systems, and cloud log data. There should be a wide range of analytics using various methodologies, such as statistical models that look for advanced beaconing and domain beaconing. Applied math helps to identify account enumeration, cohort anomalies, data loss, pattern matching, dispersion analysis, and statistical variance. Machine learning can also be used to check bidirectionally long term and short term using probability, Arima modeling, and neural networks to look for long and slow activity. These analytic processes continuously learn from the data they ingest and become more powerful over time.

Staying on top of security can create the resilience to defend against damaging attacks that could force shutdowns or create large disruptions in business. By crafting a strong defense against an aggressive threat landscape, businesses can remain both compliant with legal and contractual requirements and resilient to real-world threats.

3 Steps Small Businesses Can Take to Prevent Cyberattacks

Cybersecurity and telecom providers from around the world can now test their technologies and use cases in OneLayer's digital twin private network environment.

**TEL AVIV, Israel, Oct. 27, 2022 /PRNewswire/ —** OneLayer, a pioneer in securing private LTE/5G networks for enterprises, announced today the launch of one of the world's first 5G private network security labs. The lab, which will be open to the public for research purposes, acts as a digital twin to simulate specific threat scenarios posed to an enterprise network. The data collected during these simulations will help companies find the best security solutions for each organization and its needs.

Private cellular networks provide organizations with improved connectivity and increased reliability, a dedicated bandwidth with capacity and range, no lag time, and connectivity of IoT and OT devices across vast areas. As organizations increasingly adopt private networks, they must also address securing such networks, so the same standard of security applied to enterprise IP networks is addressed in the cellular domain.

The OneLayer 5G Security Lab provides a simulated environment for cyber and telecom companies to examine diverse security challenges and solutions in this domain. Using core equipment from Nokia, Druid, and Airspan, the lab can create private networks based on different types of cores, end units, and IoT devices to model different types of cyberattacks and the solutions to defend against them.

"The goal of this security lab is to provide the opportunity to test private networks and security use cases to improve the understanding of connected IoT and OT devices for continued R&D of OneLayer's private cellular security platform," said Liron Ben-Horin, VP of Systems Engineering at OneLayer. "We intend to collect and analyze data in order to profile devices and segment networks appropriately. We want to share our tools and capabilities with the private network ecosystem to foster industry collaboration. As such, we welcome any company that is researching or testing LTE/5G devices to join us on this journey at our Tel Aviv-based security lab."

"OTORIO and OneLayer have joined forces in order to leverage OneLayer's 5G Security Lab to test the integrations with various technologies and telecom systems," said Matan Dobrushin, VP Research at OTORIO. "We are excited for our mutual research collaboration to ensure the usability, efficiency and safety of OTORIO's solutions in hybrid networks."

"We are excited for the opportunity to leverage OneLayer's Security Lab and to work together to improve the cybersecurity of 5G core network devices," said Sharon Brizinov, Director of Security Research at Claroty's Team82. "The collaborations coming out of the security lab will benefit enterprise security overall as we explore the ever-growing attack surface of the Extended Internet of Things (XIoT) and these devices' connectivity within cellular networks."

"Armis recognizes the growing risk raised by private cellular networks," said Barak Hadad, Head of Research at Armis. "Together with OneLayer, we can help defenders gain full visibility to their core networks and their connected devices."

"I'm excited to see a Tel Aviv-based startup, OneLayer, investing in a unique 5G devices lab. These types of activities enable the Israeli ecosystem and cybersecurity market to ensure we are ahead of the bad guys as the network continues to evolve," said Eli Fainberg, VP Product at Forescout.

**About OneLayer**

OneLayer provides enterprise-grade security for private LTE/5G networks. Its platform and IoT security toolkit can be implemented in private cellular networks to provide better visibility, control and protection for organizations. The company was founded by world-class cybersecurity experts with a deep understanding of both cellular protocols and IoT security needs and veterans from the IDF's 8200 and 81 intelligence units. OneLayer is backed by industry-leading advisors and has partnered with experts both in the cybersecurity domain as well as the telecom industry. To learn more about OneLayer please visit https://one-layer.com/ or LinkedIn.

OneLayer Opens 5G Security Lab for Network Security Companies to Research Threats to Private Cellular Networks

Ubuntu Security Notice 5703-1 - Selim Enes Karaduman discovered that a race condition existed in the General notification queue implementation of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan and Ariel Sabba discovered that some Intel processors with Enhanced Indirect Branch Restricted Speculation did not properly handle RET instructions after a VM exits. A local attacker could potentially use this to expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5703-1October 26, 2022linux-intel-iotg vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-intel-iotg: Linux kernel for Intel IoT platformsDetails:Selim Enes Karaduman discovered that a race condition existed in theGeneral notification queue implementation of the Linux kernel, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2022-1882)Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildanand Ariel Sabba discovered that some Intel processors with EnhancedIndirect Branch Restricted Speculation (eIBRS) did not properly handle RETinstructions after a VM exits. A local attacker could potentially use thisto expose sensitive information. (CVE-2022-26373)Eric Biggers discovered that a use-after-free vulnerability existed in theio_uring subsystem in the Linux kernel. A local attacker could possibly usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2022-3176)It was discovered that the Netlink Transformation (XFRM) subsystem in theLinux kernel contained a reference counting error. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2022-36879)Jann Horn discovered that the KVM subsystem in the Linux kernel did notproperly handle TLB flush operations in some situations. A local attackerin a guest VM could use this to cause a denial of service (guest crash) orpossibly execute arbitrary code in the guest kernel. (CVE-2022-39189)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1017-intel-iotg  5.15.0-1017.22   linux-image-intel-iotg          5.15.0.1017.18After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5703-1   CVE-2022-1882, CVE-2022-26373, CVE-2022-3176, CVE-2022-36879,   CVE-2022-39189Package Information:   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1017.22

Ubuntu Security Notice USN-5703-1

Categories: News
Categories: Ransomware
Tags: DAIXIN

Tags:  FBI

Tags:  CISA

Tags:  HHS

Tags:  ransomware team

Tags:  DAIXIN Team

Tags:  ransomware

The FBI, CISA, and HSH have issued a joint advisory about a new threat to healthcare organizations



(Read more...)




The post US agencies issue warning about DAIXIN Team ransomware appeared first on Malwarebytes Labs.

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a joint advisory about DAIXIN Team, a fledgling ransomware and data exfiltration group that has been targeting US healthcare.

First spotted in June 2022, the DAIXIN Team quickly got the government's attention after executing multiple ransomware attacks against organizations in the health and public health sector. As is standard these days, the ransomware attacks involved both encrypting servers and stealing data. In this case the data included both personally identifiable information and patient health information PHI.

The DAIXIN leak site

The advisory reports that DAIXIN Team has been seen gaining initial access to victims' systems through their VPN severs. In one case they accessed a victim through an unpatched vulnerability, and in another the gang used phished credentials.

Upon successful infiltration, the team conducts reconnaissance, escalates privileges through credential dumping or the pass-the-hash technique, steals sensitive data, and deploys ransomware based on the Babuk Locker source code leaked in 2021.

According to Malwarebytes' Malware Intelligence Analyst and ransomware expert Marcelo Rivero, DAIXIN Team has been quieter of late. "At this time, they appear to have taken a hiatus, as they haven't listed any new victims so far this month."

As with most ransomware groups, DAIXIN team publishes details of its victims and leaks their stolen data, if they don't pay the ransom. After publishing details of three victims in August, it only published one in September, and so far none in October, with November just around the corner. A lack of published victims may indicate inactivity, or it could be that DAIXIN Team have been successful at persuading victims to pay up.

Still, healthcare organizations must heed the alarm raised by the FBI, CISA, and the HHS. They report that out of 649 ransomware reports received by the FBI Internet Crime Complaint Center in 2021, 148 were in the Healthcare and Public Health sector. DAIXIN Team may be the latest ransomware threat, but it isn't the only threat.

Basic mitigations can close the loopholes ransomware groups exploit:

*   Create a plan for patching software in a timely manner.
*   Train users to report suspicious emails and phishing attempts.
*   Require two-factor authentication (2FA) on remote desktops and VPNs.
*   Use endpoint security software with EDR to identify intruders and stop ransomware.
*   Assign access rights according to the Principle of Least Privilege.
*   Segment networks to make lateral movement more difficult.
*   Create and test offline, offsite backups that are beyond the reach of attackers.

For more information about how to protect your organization against DAIXIN Team and other ransomware gangs, go to this AA22-294A alert page.

US agencies issue warning about DAIXIN Team ransomware

The manufacturing segment was especially hard hit by cyberattacks in the third quarter of 2022.

Ransomware gangs are hitting the industrial sector hard — and especially manufacturing companies, with significant spikes in cyberattack activity against US organizations spotted in the third quarter. Meanwhile, emerging ransomware groups are bursting onto the scene, threatening to push the rate of attacks up even higher.

According to a Dragos Q3 analysis of ransomware attacks on industrial organizations, 36% of the recorded cases globally hit North America (46 incidents). This is a significant 10% increase over last quarter, when a quarter of cases affected the region.

However, the analysis also found that the rate of attacks globally remained flat quarter over quarter — 128 incidents for Q3 vs. 125 in Q2.

The majority (68%) of observed incidents were aimed at the manufacturing sector. Out of the confirmed attacks (i.e., those publicly reported, seen in the firm's telemetry, or confirmed on the Dark Web), 88 were against that segment, especially those producing metal products (12 attacks).

Stephen Banda, senior manager of security solutions at Lookout, noted that the manufacturing sector, like everyone else, is moving to the cloud; digitizing manufacturing, inventory tracking, operations, and maintenance increases agility and efficiency, with less production downtime and a greater nimbleness. But it also opens up new attack surfaces.

"To remain competitive, manufacturers are investing in intellectual property and new technologies like digital twins," he tells Dark Reading. "In short, manufacturers are transforming the way they produce and deliver goods - moving toward industrial automation and the flexible factory. This transformation, known as Industry 4.0, puts pressure on mobile devices and cloud solutions."

Yet for most manufacturers, security solutions still remain on-premises, he adds.

"This creates efficacy and scalability challenges when tasked with protecting productivity solutions that have moved to the cloud," he notes. "Security therefore must also move to the cloud to adequately safeguard manufacturing operations."

As for other industrial segments, 9% of attacks targeted the food and beverage sector (12 incidents), followed by oil and natural gas (6%, or eight incidents) and the energy and pharmaceuticals sectors (collectively making up 10% of attacks, with seven and six incidents respectively). The chemical, mining, engineering, and water and wastewater systems segments had just one attack each.  

**Different Threat Actors Target Different Industrial Segments**

In terms of the actors on the industrial stage, the LockBit gang was behind more than a third of all global incidents (35%), while some other known names focused on the energy sector (Ragnar Locker and BlackCat/AlphaV, notably). But the quarter also saw the rise of some emerging actors, like Sparta Blog, BianLian, Donuts, Onyx, and the slow-burning Yanluowang.

In all cases, various groups seemed to have specialties, Dragos noted, including:

*   Ragnar Locker has been targeting mainly energy.
*   Cl0p Leaks has been targeting only water and wastewater.
*   Karakurt has targeted only manufacturing in Q3, while in Q2, it only targeted transportation entities.
*   LockBit 3.0 is the only group that targeted chemicals, drilling, industrial supplies, and interior design.
*   Stormous has only targeted Vietnam.
*   Lorenz has only targeted the United States.
*   Sparta Blog has only targeted Spain.
*   Black Basta and Hive mainly targeted the transportation sector.

Bud Broomhead, CEO at Viakoo, noted that specific ransomware strains targeting specific industries should galvanize intelligence sharing.

"This should spur more industry-level coordination to protect against those threats, specifically between companies that otherwise would compete in the marketplace," he says. "Rather than every organization individually mounting defenses, industry-wide responses are needed (put another way, cybercriminals are attacking an industry which requires industry-level responses). Threat actors don’t exist in silos, so why should the response to them be siloed?"

That coordination could be vitally important, given that going forward, Dragos researchers warned that more new ransomware groups will appear in the next quarter, as either new or reformed ones, due to the changes in ransomware groups and the leaking of the LockBit 3.0 builder — all of which could lead to greater attack volumes.

"\[We have\] high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of \[operational technology\] OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems," Dragos researchers said in the Wednesday report.

Broomhead noted that ramped up attacks are likely being driven by twin engines, including the Russia-Ukraine conflict.

"The rise in ransomware attacks against industrial organizations who rely on OT systems is likely coming from threat actors viewing such organizations as easier victims because OT systems and devices are much more vulnerable than traditional IT systems," he says. "While there may be a rise in targeting industrial organizations because of the conflict in Ukraine, those organizations have been targeted for a long time by several foreign adversaries, therefore this increase is a combination of industrial OT systems being easier to exploit and increased activity due to Ukraine."

Ransomware Gangs Ramp Up Industrial Attacks in US

When we think about cybercrime and retail it is natural to focus on websites being targeted with attacks. Indeed, there has been a shocking rise in the number of cyberattacks perpetrated against online retailers in the past year. Dakota Murphey explains why store owners and security managers need to also protect their physical locations from the cyber threat, too, however.

_This article was written by Dakota Murphey._

Figures from SonicWall's Biannual Report revealed that e-commerce and online retail businesses saw a 264% surge in the past 12 months in ransomware attacks alone. These kinds of statistics are extremely worrying for retail businesses, so it is unsurprising that websites and digital security are at the forefront of retailers' minds.

However, for those retailers that have a physical store as well as an online presence, there might be an assumption that the cybersecurity in-store doesn't need to be considered as a top priority. Well, doing so could be a big mistake.

In this article, we take a look at why retail stores are more vulnerable to cybercrime than ever before.  

**Security Is Weaker**

There can be no doubt that one of the major issues around security in-store is the issue of complacency. It is assumed that physical stores themselves are unlikely to be targeted by cybercriminals — surely it is more likely that they will put their resources into using hacking or phishing? 

In reality, cybercriminals are always looking for ways to maximize their time — they want quick wins. Increasingly, as retail stores are less well protected they are being seen as an easy way into the computer system of a company. Perhaps the lesson that needs to be learned here is that you should never assume that you won't or can't be attacked.

Cybercriminals are far more sophisticated than they've ever been. If there are gaps in security, they can identify and tap into them. Retailers, for instance, need to balance consumers' privacy and data protection with their own tight security measures that protect their internal IT systems and physical stores. Failure to install security effectively and comply can result in firms facing fines for breaches in privacy laws under stringent CCTV regulations and GDPR guidelines.

**Stores and Websites Are Intrinsically Linked**

You might think that there is a divide inside your business: your physical store and your online store. However, it is generally the case that your physical premises are linked to your digital system just as much as an office might be. Do you log in to your system at work? Do you track customers' details using an IT system? 

For the majority of businesses, the physical store is actually just as dependent on your IT system as the site online. This presents a potential problem. If your physical retail store can potentially allow access to your whole IT system, cybercriminals can use nefarious methods in your physical premises. 

**The Rise of the Internet of Things**

Physical stores are increasingly reliant on Internet of Things devices — that being any device that is connected to the Internet. This might include stock checkers, smart shelves, predictive maintenance equipment and much more. 

Physical security devices such as CCTV, video surveillance, and alarm systems are often connected to the Internet and can also be a vulnerability for targeted cyberattacks. The wider use of video surveillance technology and other types of physical devices extends to more than pure crime detection. They have intelligent capabilities that can be applied to monitor crowds, secure physical sites, and support building management platforms. 

Although such integrated systems do a good job in providing smart data to support security firms and facilities managers managing retail sites, any data, files and surveillance videos can be vulnerable to cyberattacks. 

Whether stored or managed on cloud-based applications or as on-premise solutions, such physical security devices that protect retail stores also open up another potential entry point to your IT system that criminals can exploit. And, if CCTV, video surveillance and alarm systems are not managed properly, they can be a major problem.

**The Invasion of Shadow IT**

Shadow IT is the use of any kind of software or applications that aren't approved by the IT team. This is becoming a big problem, especially in stores where staff make use of personal devices as a part of their role. 

"The popularity of shadow IT is partly due to its perceived benefits," says George Glass, head of threat intelligence at cybersecurity specialists Redscan, "these include the ability to take initiative in setting up and using technology and the freedom to adopt systems and software more quickly in order to reduce workload. However, these apparent benefits come at a significant cost."

The issue arises when this shadow IT is not checked for vulnerabilities or is not kept up to date because it is not known by the IT team. These vulnerabilities and flaws can present a potential opening for cybercriminals. 

**Prioritizing Speed of Service Over Security**

It is naturally the case that many businesses in retail want to prioritise fast and effective customer service. Unfortunately, this can ultimately result in good security practices being overlooked in favour of getting on with tasks. For example, if a customer comes in requesting a password reset on their account, there may be some pressure to simply go ahead with this rather than following the correct procedure. 

Retail stores need to understand the interconnected nature of cybercriminals and in-person crime. With the rise in cashless retail and a surge in online sales (that has witnessed an unprecedented rise in recent years), retailers' IT security has had to keep in step and reposition itself with the evolution of consumers' buying habits. This increased awareness, however, has been reinforced by the UK Government's measures to support security technology within the retail industry. 

While retail stores are more vulnerable than ever to cybercrime, there is much that businesses can do to mitigate risk. Perhaps the most important factor is providing staff training to ensure that everyone understands their role in preventing cybercrime. 

_Dakota Murphey_ _is a freelance tech writer._

_**This story first appeared on**_ _**IFSEC Global**__**, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.**_

Why Retail Stores Are More Vulnerable Than Ever to Cybercrime

Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings

Adam Bannister 26 October 2022 at 16:00 UTC  
Updated: 27 October 2022 at 09:42 UTC

Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings

UPDATED A pair of vulnerabilities patched in Jira Align could have enabled low-privileged malicious users to elevate their privileges to super admin, a security researcher has found.

Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application.

A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).

Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance, the researcher said.

**MisAligned permissions**

Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.

Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.

“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.”

Catch up with the latest cloud security news

Shafer also speculated that, while his testing “stopped at the edge of the Atlassian infrastructure”, leveraging the SSRF “under the right conditions” might theoretically enable attackers to move laterally or upward through Atlassian’s AWS infrastructure.

However, Atlassian disputed this assertion in response to queries from The Daily Swig, emphasizing “that Jira Align's SaaS and Atlassian's wider SaaS are not connected. The Jira Align AWS environment was locked down to a level that there was no accessible information that was not encrypted and other layers could not be reached, so this is a purely hypothetical and misleading statement”.

**No exploitation detected**

The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.

The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix on June 9.

Bala Sathiamurthy, chief information security officer at Atlassian, told The Daily Swig: “These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted cloud offering had either vulnerability exploited.”

He added: “As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches.”

**People permissions**

The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.

This could either be done by “intercepting the role change request directly to the API and modifying the parameter to ”, or by performing an API call with a request containing their session cookies.

The SSRF resides in the Jira Align API, which manages external connections.

A user-supplied URL value called points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.

This article was updated on October 27 with the addition of comment from Atlassian.

RECOMMENDED Policy-as-code approach counters ‘cloud native’ security risks

Tag

#intel