Categories: Business
In this article, we’ll arm you with five facts about Vice Society so you can get the upper-hand against this persistent education sector threat.



(Read more...)




The post 5 facts about Vice Society, the ransomware group wreaking havoc on the education sector appeared first on Malwarebytes Labs.

Move over Lockbit, there's a new ransomware-as-a-service (RaaS) player in town attacking the education sector—and its name is Vice Society.

Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. And their ideal prey? You guessed it: universities, colleges, and K-12 schools. The Federal Bureau of Investigation (FBI) has even released a joint Cybersecurity Advisory (CSA) after observing that Vice Society has disproportionately targeted the education sector. 

But with knowledge comes power. The more the education sector knows about Vice Society, the better prepared they get to defend against them. 

In this article, we’ll arm you with five facts about Vice Society so you can get the upper-hand against this persistent threat.

**1\. In 2022 they were far and away the biggest attackers on the education sector**

If you’re a regular reader of our monthly ransomware review, you know that the education sector has gotten plenty of attention from ransomware gangs in the last year, to say the least.

It wasn't until Vice Society, however, that we saw a gang taking their love for the sector to a whole new level. 

Like many other ransomware gangs, Vice Society is known to steal information from victims' networks before encryption for the purposes of double extortion—threatening to publish the data on the dark web unless you pay up the ransom they demand.

A few of the institutions published on their leak site last year include De Montfort School, Cincinnati State, and one that made national headlines in September: Los Angeles Unified, the second largest school district in the US.

_Around 40% of the victims shared on the Vice Society leak site are educational institutions, a large proportion compared to other gangs._

**2\. And they have shown no signs of slowing down in 2023**

As of January 2023, Vice Society has already published the data of six schools on their leak site. That’s more than any other RaaS gang so far this year.

_The Vice Society leak site_

**3\. They leverage living off the land techniques to sneak past detection**

Living off the land (LOTL) attacks are when threat actors use legitimate tools for malicious purposes, which effectively allows them to hide in plain sight as they carry out their attack.

Vice Society actors leverage one such legitimate tool, Windows Management Instrumentation (WMI), as a means of living off the land to execute malicious commands. WMI allows administrators to manage and monitor various aspects of a computer, such as hardware and software, from a remote location.

See where we’re going with this?

Vice Society and other adversaries can use WMI to gain access to a system and then execute malicious code, install malware, or steal sensitive information.

That means you won’t be able to detect them using traditional signature-based detection mechanisms—hash values, IOCs and signatures do not detect living off the land attacks. Instead, you’ll need to turn to an Endpoint Protection Platform (EPP) that uses a combination of machine learning, behavioral analysis, and sandboxing.

**4\. We know how they get initial access to networks**

So we know what Vice Society is doing once they’re in school networks and how to detect it. But how can we stop them from entering in the first place?

Using a combination of data from Unit 42 and the Cybersecurity Advisory (CSA) posted on CISA.org, we can paint a pretty good picture of how Vice Society is getting initial access to their targets.

Vice Society is not reinventing the wheel: these threat actors are using familiar techniques such as phishing, compromised credentials, and exploits to establish a foothold in victim networks.

_Three ways Vice Society is known to get initial access (with MITRE IDs)_

Our advice is as old as time, but always worth reiterating:

*   **Address phishing** with employee training, web-based protection, and DNS filtering
*   **Address compromised accounts** by removing dormant accounts, enforcing the principle of least privilege, and having strict password policies.
*   **Address exploits** by maintaining regular vulnerability assessment and patching, preferably using an automated tool.

**5\. It seems like they’re open to negotiating their initial ransoms**

First things first, the FBI recommends never paying the ransom to attackers.

There’s a good argument for not paying too: doing so encourages more attacks and there’s no guarantee you’ll get your data back either way. There is no honor among thieves, after all.

But sometimes not paying is easier said than done. Paying the ransom might be the only option left for some organizations for various reasons.

_A Vice Society ransom note._

We know that Vice Society isn’t the most aggressive gang when it comes to their ransom demands. The difference between their initial demands and final demands could be as large as 60% after negotiations take place.

**Getting the upper-hand against RaaS gangs**

Vice Society is currently the most severe RaaS threat to the education sector. Still, to say ransomware attacks on schools is a Vice Society problem purely is missing the forest for the trees.

We don’t want to say launching ransomware on K-12 schools, colleges, and universities is as easy as taking candy from a baby, but unfortunately that’s how many RaaS gangs see it. The reality is that tight budgets of many educational institutions force them to struggle with outdated equipment and limited staff, making them an easy target for cybercriminals. 

We recommend the education sector follow a few best practices to prevent (and recover) from ransomware attacks from every angle. That includes: 

*   **Make an emergency plan** sooner, rather than later.
*   **Endpoint Protection** that uses a layered approach with multi-vector detection and prevention techniques to stop ransomware early-on.
*   **Ransomware rollback options** that should store changes to data files on the system in a local cache for 72 hours (no ransomware actually exceeds 24 hours), which can be used to help revert changes caused by ransomware.

In our Ransomware Emergency Kit, you'll find more tips your educational organization needs to defend against RaaS gangs. 

Get the Ransomware Emergency Kit

5 facts about Vice Society, the ransomware group wreaking havoc on the education sector

Two common attacks against on-premises Kerberos authentication servers — known as Pass the Ticket and Silver Ticket — can be used against Microsoft's Azure AD Kerberos, a security firms says.

Microsoft's Azure AD Kerberos service, a cloud-based identity and access management (IAM) service based on Kerberos authentication, can be attacked using techniques similar to those used by attackers against on-premises Kerberos servers.

Kerberos is a widely used protocol used to authenticate users and devices via symmetric key cryptography and a key distribution center; it enables modern authentication mechanisms such as single sign-on (SSO). Because Kerberos authentication is a standard security measure for many enterprises, attackers have frequently tried to compromise or bypass the authentication servers using identity attacks that spoof legitimate users.

In the on-premises world, a pair of common identity attacks are the Pass the Ticket and Silver Ticket approaches, which allow an attacker to use stolen credentials or mint their own credentials, respectively, and authenticate with enterprise services. Both techniques continue to work to some degree against the cloud versions of Kerberos authentication servers, according to cybersecurity services firm Silverfort, which dubbed the cloud-based iterations of the attacks the Bounce the Ticket and Silver Iodide threats.

"Identity attacks that have existed for some time are still a risk as organizations move into the cloud," says Dor Segal, senior security researcher at the firm. "Azure AD Kerberos is a new implementation but not a new protocol. Security teams need to be aware of this fact and put appropriate mitigations in place."

The fact that variants of the two attacks still work in the cloud show that moving security infrastructure to the cloud has little impact on the threat, Segal says.

"The issues outlined could impact anyone using the new Azure AD Kerberos protocol," he says. "While Azure AD Kerberos is still in initial stages of adoption, as with anything released by Microsoft, the scale of usage will increase. In the past, this type of lateral movement was an issue affecting the on-premises enterprise network. These \[new\] attacks break this perimeter."

Microsoft added Kerberos functionality to its Azure Active Directory service last August, and attackers are sure to follow, Silverfort argued in a research report issued Jan. 25. After all, IAM systems have become linchpins for many companies' zero-trust security efforts, with Microsoft Active Directory, for example, a target of attacks in nine out of 10 incidents. In addition, Kerberos is a frequent target of attackers, who often go after "tickets" — i.e., encrypted authentication credentials or tokens, used by the Kerberos protocol as proof that a client or device has authenticated to the server. 

A successful attempt to duplicate a ticket gains attackers access to protected resources for a limited time, generally on the order of hours, allowing them to move around a corporate network or use SSO services like email that might be protected by the Kerberos credential.

**Bouncing & Silver Tickets**

In the first attack, dubbed a Bounce the Ticket attack, an attacker who has compromised one user's system and who steals a Kerberos ticket from the machine's memory can then then use the secret key to gain access to cloud workloads. This attack bears similarities to the on-premises Pass the Ticket attack on Kerberos authentication services and gives the attack the ability to "access cloud-based resources that rely on Azure AD Kerberos," according to Silverfort's research.   

    

The Bounce the Ticket attack flow. Source: Silverfort

In the second attack, dubbed a Silver Iodide attack, an attacker who gains access to one user's Azure AD account can connect to a specific service — in the example given by Silverfort, the Azure Files cloud sharing service — after finding a "security gap" in the service. The security weakness, which Silverfort did not describe, can be used to create a new server ticket to access or manipulate information. The technique, which resembles the Silver Ticket attack against on-premises Kerberos servers, could be used against other cloud services as well, as long as attackers can find ways around specific controls, Silverfort stated. 

**No Fix Ahead**

Overall, the two issues represent ways an attacker — who has compromised either a system on the network or an Azure AD account — could recover Kerberos tickets and reuse those secrets to extend access to other infrastructure. 

Silverfort disclosed the issues to Microsoft, and while the company is aware of the weaknesses, it does not plan to fix them, because they are not "traditional" vulnerabilities, Segal says. Microsoft also confirmed that the company does not consider them vulnerabilities. 

"This technique is not a vulnerability, and to be used successfully a potential attacker would need elevated or administrative rights that grant access to the storage account data," a Microsoft spokesperson tells Dark Reading. "We recommend customers regularly review their role definitions that include 'listkeys' permissions, and enable software that prevents attackers from stealing credentials, such as Credential Guard."  

Silverfort's Segal acknowledges that to fix the issues, the Kerberos protocol would have to be redesigned, and that is unlikely.

"Fixing a weakness in any implementation of Kerberos is not as straightforward as patching a traditional software vulnerability because it would require re-engineering the entire protocol," he says. "This would be a significant undertaking which would take a large amount of resource and impact the compatibility of legacy applications using Kerberos."

Companies can make it harder to exploit any security weakness in their cloud-based Kerberos infrastructure, however. Organizations should review any changes to the Azure Access Control service and monitor updates to the permissions. Reducing the number of systems authorized to hold some of the more critical cloud-based credentials — such as the Ticket-Granting Ticket (TGT) — will harden an enterprise's infrastructure to Bounce the Ticket attacks, Silverfort stated in its report.

Microsoft Azure-Based Kerberos Attacks Crack Open Cloud Accounts

Encrypted backups for several GoTo remote work tools were exfiltrated from LastPass, along with encryption keys.

The GoTo remote work tool software platform has confirmed that encrypted backups for several of its tools, including Central, Pro, join.me, Hamachi, and RemotelyAnywhere, were exfiltrated, along with some encryption keys, in last November's compromise of the LastPass cloud-based password keeper.

The compromised GoTo data could include usernames, salted and hashed passwords, some multifactor authentication (MFA) settings, product settings, and licensing information, according to the company's recent disclosure.

Impacted customers will be contacted by GoTo directly, and all affected users will have their passwords and MFA settings reset, according to a post from GoTo CEO Paddy Srinivasan, which included details on the breach.

"In addition, we are migrating their accounts onto an enhanced identity management platform, which will provide additional security with more robust authentication and login-based security options," Srinivasan added.

Last December, LastPass confirmed the theft of customer data — a follow-on cyberattack from the previous August, when the LastPass source code was stolen.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

GoTo Encrypted Backups Stolen in LastPass Breach

Don't make perfect the enemy of good in vulnerability management. Context is key — prioritize vulnerabilities that are actually exploitable. Act quickly if the vulnerability is on a potential attack path to a critical asset.

The widespread vulnerability that first appeared in Apache Log4j in 2021 will continue to be exploited, potentially even in worse ways than we've seen to date. The more worrisome aspect of these threats is that there's a good chance they'll continue to be exploited months or years into the future.

The Department of Homeland Security's Cyber Safety Review board debuted in 2021, and in 2022 released its inaugural safety report (PDF). In it, the board called Log4j an "endemic vulnerability," chiefly because there isn't a comprehensive "customer list" for Log4j, making keeping up with vulnerabilities a near-impossible task. One federal Cabinet department even spent 33,000 hours on its Log4j response.

And many organizations and security solutions on the market fail to identify the difference between exploitability and vulnerability — leaving an opportunity for attackers to carry out malicious activity.

**Exploitability vs. Vulnerability**

One of the key issues with cybersecurity today is understanding the difference between vulnerabilities and their severity. When it comes to measuring exploitability versus a vulnerability, there's a big difference between whether a security threat is exploitable within your business or if it's just "vulnerable" and cannot hinder the business or reach a critical asset. Security teams spend too much time not understanding the difference between the two and fix each vulnerability as it comes, instead of prioritizing those that are exploitable.

Every company has thousands of common vulnerabilities and exposures (CVEs), many of which score high on the Common Vulnerability Scoring System (CVSS), so it's impossible to fix them all. To combat this, the hope is that risk-based vulnerability management (RBVM) tools will make prioritization easier by clarifying what is exploitable.

However, security prioritization approaches that combine CVSS scores with RBVM threat intel don't provide optimal results. Even after filtering and looking just at what is exploitable in the wild, security teams still have too much to handle because the list is long and unmanageable. And just because a CVE doesn't have an exploit today doesn't mean that it won't have one next week.

In response, companies have been adding predictive risk AI, which can help users understand if a CVE might be exploited in the future. This still isn't enough and leads to too many issues to fix. Thousands of vulnerabilities will still show to have an exploit, but many will have other sets of conditions that have to be met to actually exploit the problem.

For example, with Log4j, the following parameters need to be identified:

*   Does the vulnerable Log4j library exist?
*   Is it loaded by a running Java application?
*   Is the JNDI lookup enabled?
*   Is Java listening to remote connections, and is there a connection for other machines?

If the conditions and parameters aren't met, the vulnerability isn't critical and shouldn't be prioritized. And even if a vulnerability could be exploitable on a machine, so what? Is that machine extremely critical, or maybe it isn't connected to any critical or sensitive assets?

It's also possible the machine isn't important yet it can enable an attacker to continue toward critical assets in stealthier ways. In other words, context is key — is this vulnerability on a potential attack path to the critical asset? Is it enough to cut off a vulnerability at a chokepoint (an intersection of multiple attack paths) to stop the attack path from reaching a critical asset?

Security teams hate vulnerability processes and their solutions, because there are more and more vulnerabilities — nobody can ever fully wipe the slate clean. But if they can focus on what can create _damage_ to a critical asset, they can have a better understanding of where to start.

**Combating Log4j Vulnerabilities**

The good news is that proper vulnerability management can help reduce and fix the exposure to Log4j-centric attacks by identifying where the risk of potential exploitation exists.

Vulnerability management is an important aspect of cybersecurity and is necessary for ensuring the security and integrity of systems and data. However, it's not a perfect process and vulnerabilities can still be present in systems despite best efforts to identify and mitigate them. It's important to regularly review and update vulnerability management processes and strategies to ensure that they are effective and that vulnerabilities are being addressed in a timely manner.

The focus of vulnerability management should not only be on the vulnerabilities themselves, but also on the potential risk of exploitation. It is important to identify the points where an attacker may have gained access to the network, as well as the paths they may take to compromise critical assets. The most efficient and cost-effective way to mitigate the risks of a particular vulnerability is to identify the connections between vulnerabilities, misconfigurations, and user behavior that could be exploited by an attacker, and to proactively address these issues before the vulnerability is exploited. This can help to disrupt the attack and prevent damage to the system.

You should also do the following:

*   **Patch:** Identify all your products that are vulnerable to Log4j. This can be done manually or by using open source scanners. If a relevant patch is released for one of your vulnerable products, patch the system ASAP.
*   **Workaround:** On Log4j versions 2.10.0 and above, in the Java CMD line, set the following: log4j2.formatMsgNoLookups=true
*   **Block:** If possible, add a rule to your Web application firewall to block: "jndi:"

Perfect security is an unachievable feat, so there's no sense making perfect the enemy of good. Instead, focus on prioritizing and locking down potential attack paths that continuously improve security posture. Identifying and being realistic about what actually is vulnerable versus what is exploitable can help do this, since it will allow the ability to strategically funnel resources toward critical areas that matter the most.

Log4j Vulnerabilities Are Here to Stay — Are You Prepared?

The DPRK has turned crypto scams into big business to replenish its depleted state coffers.

The blockchain industry hemorrhaged money last year, with the global market for cryptocurrencies plummeting 63%. But investors didn't only lose money to half-baked coins and overhyped NFTs.

In a report published today, researchers from Proofpoint detailed how North Korean state-backed hackers managed to siphon more than $1 billion dollars in cryptocurrencies and other blockchain assets in the 2022 calendar year (all the more impressive considering how depressed those assets had become).

Proofpoint attributed the success of the TA444 group and related clusters — variously referred to as APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and Copernicium — to their startup-like approach.

Hallmarks, the researchers said, include "rapid iteration, testing products on the fly, and failing forward." The group regularly experiments with new methods of intrusion, and has cycled through different and better malware in recent years.

"While we do not know if the group has ping-pong tables or kegs of some overrated IPA in its workspace," the authors wrote, "TA444 does mirror the startup culture in its devotion to the dollar and to the grind."

**TA444's Evolving Threat**

There's an element of "move fast and break things" to TA444.

In recent years, the group has iterated on their social engineering tactics many times over. Sometimes it sent private messages from hijacked LinkedIn accounts of representatives from legitimate companies, other times it abused email marketing tools in order to circumvent spam filters. It has engaged with victims in English, but also Japanese, Polish, and Spanish.

In one oddball case, it email-blasted organizations across the US healthcare, education, finance, and government sectors, using barebones, typo-laden phishing lures. At best, their lures made reference to specific brand names in the industry, sometimes promising salary increases or job opportunities, but the efforts here were mainly rudimentary.

Where other cybercrime groups may focus on perfecting social lures and delivery mechanisms, researchers explained that malware creation is where TA444 really distinguishes itself.

Their collection of post-exploitation backdoors has included the msoRAT credential stealer, the SWIFT money laundering framework DYEPACK, and various passive backdoors and virtual "listeners" for receiving and processing data from target machines.

"This suggests that there is an embedded, or at least a devoted, malware development element alongside TA444 operators," according to the report.

**North Korea: The OG Crypto Bro**

To supplement its maladroit command economy, the government of North Korea has long used hackers for fundraising, targeting wherever a financial opportunity happens to lie. That includes everything from retailers in the United States to the SWIFT banking system, and, in one notorious case, the entire world.

Because cryptocurrency companies offer few safeguards against theft, transactions are generally irreversible, and parties to those transactions are difficult to identify, the industry is rife with financially motivated cybercrime. North Korea has been dipping into this well for years, with campaigns against startups, botnets that mine coins, and ransomware campaigns soliciting crypto payments.

Last year, though, the scale of the theft reached a new level. Blockchain research firm Chainalysis assessed that the country stole nearly $400 million dollars in cryptocurrency and blockchain assets in 2021. In 2022, they surpassed that figure with a single attack — against a blockchain gaming company called SkyMavis — estimated to be worth over $600 million at the time. Add in other attacks throughout the calendar year, and their total haul reaches 10 figures.

"While we may poke fun at its broad campaigns and ease of clustering," the researchers warned, "TA444 is an astute and capable adversary."

Proofpoint's report noted that monitoring for MSHTA, VBS, Powershell, and other scripting-language execution from new processes or files can help detect TA444 activity. It also recommended using best practices for a defense-in-depth approach to combat TA444 intrusions: Using network security monitoring tools, using robust logging practices, a good endpoint solution, and an email monitoring appliance, in addition to training the workforce to be aware of heist activity that stems from contact on WhatsApp or LinkedIn. 

"Additionally, given the credential phishing campaign activity we observed, enabling MFA authentication on all externally accessible service would help limit the impact of credentials eventually getting stolen," the researchers said via email.

North Korea's Top APT Swindled $1B From Crypto Investors in 2022

By Deeba Ahmed
GoTo-owned LastPass revealed that hackers stole customers' encrypted data in a November 2022 data breach.
This is a post from HackRead.com Read the original post: GoTo’s LastPass Breach: Encrypted Customer Data Taken

The data breach of the LastPass password manager keeps haunting its parent company, GoTo, and its customers.

Software and remote collaboration firm GoTo, which owns LastPass, has confirmed that during the security breach that occurred in November 2022, hackers stole some customers’ encrypted data and LastPass password vaults.

**Detailed Analysis**

LastPass, LastPass, previously called LogMeIn, has shared new findings about the security breach that hit the company on November 30, 2022. GoTo has previously confirmed that unusual activity was noticed in its cloud storage service and development environment.

It now claims that some of its enterprise products may be impacted by the hack. This includes exposure of encrypted customer backups, which are emergency recovery data copies, for Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

Moreover, GoTo stated that this was possible because an encryption key used to secure the data for some customers was stolen in the November 2022 data breach.

**How Did The Breach Occur?**

The November data breach was directly caused by another breach in August, wherein an unauthorized entity gained access to customer data stored on a third-party cloud storage service shared by GoTo and LastPass.

Using the information stolen in August, attackers accessed another LastPass database in November and captured customer data. In that breach, GoTo had become the victim of a security breach in which unknown cybercriminals targeted their shared cloud-storage service.

**Stolen Data Details**

Earlier, the company stated that stolen data included names, billing addresses, emails, IP addresses, and phone numbers and that unencrypted credit card data wasn’t accessed.

However, now it revealed that the encrypted data of customers was exposed and product-related data including account usernames, a portion of MFA (multi-factor authentication) settings, salted/hashed passwords, and some product settings and licensing data was exposed.

According to Paddy Srinivasan, GoTo’s CEO, Rescue and GoToMyPC’s encrypted databases weren’t compromised and only a small subset of their customers’ MFA settings was impacted.

Moreover, Srinivasan claims in their blog post that there’s no evidence that any other GoTo products were impacted by the theft. GoTo didn’t reveal how many customers were affected, but the company is notifying impacted customers.

**_MORE LASTPASS HACKING NEWS_**

1.  LastPass hacked; security compromised for good
2.  “Unique” Vulnerability Found in LastPass Manager
3.  Error prompted LastPass to send false breach alerts

GoTo’s LastPass Breach: Encrypted Customer Data Taken

Some predictions about impending security challenges, with a few tips for proactively addressing them.

Cloud transformation has become a strategic advantage for many organizations, providing convenience, cost savings, and near-permanent uptimes compared with on-premises infrastructure. At the same time, the move to cloud has also increased the attack surface, resulting in an uptick in criminal activity targeting cloud environments. As we roll into 2023, fears about a potential recession and a corresponding desire to cut costs are renewing urgency to move to the public cloud.

For organizations to successfully secure cloud environments, they must understand the critical risks that can be exploited by attackers to infiltrate cloud environments. As with legitimate activity in the cloud, attackers continue to evolve their approaches, so the challenges faced in 2023 will be different than those faced in 2022 and prior. Here are my top 2023 predictions.

**Multicloud Environments Will Continue to Compound Security Challenges**

Multicloud offers numerous benefits, from avoiding vendor lock-in to reliability, agility, and cost-efficiency. At the same time, however, it brings additional layers of complexity, particularly regarding security management. According to a recent report, 78% of organizations deploy applications on more than three public clouds.

Moreover, the number of services available from the top three public cloud providers (Amazon Web Services, Azure, and Google) is expected to surpass 1,000, up from 750 today. In an effort to embrace agility and innovation, security practitioners will need to find ways to support these news services as soon as they are available.

With each cloud provider's unique capabilities enhanced and expanded almost daily, organizations will have to invest in automated tools that map new services to security and compliance frameworks, like NIST, CIS, and others.

**Securing Developer Environments Will Become the Most Critical Component**

The continuous growth and diversity of application deployments are creating an extensive attack surface for malicious actors. We have seen cybersecurity incidents like SolarWinds, Kaseya, and Spring4Shell significantly impact organizations.

On the other hand, we also see issues like Log4j, which recently demonstrated how many organizations can be impacted due to software vulnerabilities. Hence, we expect securing developer environments will become one of the most critical components for organizations in 2023.

**DevSecOps Tool Sprawl Will Begin to Consolidate**

According to Gartner, of those organizations that have implemented a DevSecOps pipeline for cloud security, "these organizations have manually stitched together DevSecOps with 10 or more disparate security tools — some old and some new — each with siloed responsibility and view of application risk."

Recognizing the overhead with managing so many tools, and the challenges with achieving consistent policies across cloud providers and services, information security teams will increasingly standardize on broader platforms, such as cloud-native application protection platforms, at the expense of point products, such as cloud security posture management, infrastructure-as-code scanners, and cloud workload protection platforms.

**Focused Approach for Data Protection**

Monitoring data across multicloud environments has been an unsolved problem for a couple of years for most organizations. When production workloads are moved between multiple public cloud environments, it becomes difficult to track data or access permissions. Tools for cloud service providers have limitations to secure data in multicloud environments.

In 2023, organizations need to adopt new tool sets and new mindsets, and make a greater effort to detect, classify, and enforce policies to secure sensitive data. We expect data protection to be at the center of the cloud security strategy to avoid increasingly high-profile, complex cyberattacks and data breaches.

**Do More With Less**

The current economic climate is pointing toward a trend of tighter budgets in 2023. To combat this challenge, leaders will be consolidating tools, processes, and expertise with a more collaborative approach. We'll see wider use of cross-functional teams with even greater ROI focus to boost efficiency and reduce complexity.

**Cybersecurity Hiring Will Remain a Challenge**

According to the (ISC)2 2022 Cybersecurity Workforce Study, there is a shortage of 3.4 million cybersecurity workers worldwide. With limited staff, we expect security leaders to emphasize security automation with risk-based prioritization.

**How to Stay Safe in 2023**

Based on our experience of investigating attacks and related incidents, we believe that security leaders need to focus on the following tactics and techniques:

*   Cloud security approach and strategy: With the prevalence of large-scale cloud-native deployments, adopting a more modern, agile, and integrated cybersecurity approach is mission-critical.

*   Select the right tooling: Shifting to robust security with the right solutions and level of expertise, over security layers and threat intelligence.

*   Prioritizing visibility: Gain insight and control over the complex cloud environment covering threats, risks, and vulnerabilities in the cloud.

*   Data security in focus: Secure data in large, dispersed environments with strategic integrated data protection and DLP approach.

*   Threat intelligence, advanced correlation, and machine-learning techniques: Use a combination of advanced techniques to stay ahead of bad actors and proactively reduce risk.

*   Automate and maintain continuous compliance standards.

*   Team collaboration: Distribute and delegate security responsibilities using automation across the organization.

Multicloud Security Challenges Will Persist in 2023

Ubuntu Security Notice 5825-1 - It was discovered that PAM did not correctly restrict login from an IP address that is not resolvable via DNS. An attacker could possibly use this issue to bypass authentication.

=========================================================================  
Ubuntu Security Notice USN-5825-1  
January 25, 2023

pam vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

PAM would allow unintended access to the machine over network.

Software Description:  
- pam: Pluggable Authentication Modules

Details:

It was discovered that PAM did not correctly restrict login from an IP  
address that is not resolvable via DNS. An attacker could possibly use this  
issue to bypass authentication.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  libpam-modules                  1.5.2-2ubuntu1.1

Ubuntu 22.04 LTS:  
  libpam-modules                  1.4.0-11ubuntu2.1

Ubuntu 20.04 LTS:  
  libpam-modules                  1.3.1-5ubuntu4.4

Ubuntu 18.04 LTS:  
  libpam-modules                  1.1.8-3.6ubuntu2.18.04.4

Ubuntu 16.04 ESM:  
  libpam-modules                  1.1.8-3.2ubuntu2.3+esm2

Ubuntu 14.04 ESM:  
  libpam-modules                  1.1.8-1ubuntu2.2+esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5825-1  
  CVE-2022-28321

Package Information:  
  https://launchpad.net/ubuntu/+source/pam/1.5.2-2ubuntu1.1  
  https://launchpad.net/ubuntu/+source/pam/1.4.0-11ubuntu2.1  
  https://launchpad.net/ubuntu/+source/pam/1.3.1-5ubuntu4.4  
  https://launchpad.net/ubuntu/+source/pam/1.1.8-3.6ubuntu2.18.04.4

Ubuntu Security Notice USN-5825-1

Red Hat Security Advisory 2023-0432-01 - Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Issues addressed include an out of bounds read vulnerability.

Red Hat Security Advisory 2023-0432-01

Report identifies 1.75m cyberattacks were stopped by BlackBerry in the last 90 days.

**WATERLOO, ON****,** **Jan. 25, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) today released its Global Threat Intelligence Report, highlighting the volume and model of threats across a range of organizations and regions, including industry-specific attacks targeting the automotive and manufacturing, healthcare and financial sectors. After the success and continued demand for its annual threat report, BlackBerry has switched to a quarterly cadence to match the speed adversaries evolve to provide a more holistic view of the threat landscape, helping businesses to prepare and protect themselves accordingly.

BlackBerry's Threat Research and Intelligence team identified that in the 90 days between September 1 and November 30, 2022 (Q4), BlackBerry's AI-driven prevention-first technology stopped 1,757,248 malware-based cyberattacks. This includes 62 unique samples per hour, or one sample each minute. The most common cyber-weapons used in  attacks include the resurgence of the Emotet botnet after a four-month dormancy period, the extensive presence of the Qakbot phishing threat, which hijacks existing email threads to convince victims of their legitimacy, and the increase in infostealer downloaders like GuLoader.

"Annual threat reports have been a fantastic way to provide insight into overall trends, but now more than ever, organizations need to make well-informed decisions and take prompt effective actions, using the latest actionable data," said Ismael Valenzuela, Vice President, Threat Research & Intelligence at BlackBerry. "Our public and private reports are written by our top threat researchers and intelligence analysts, world-class experts that not only understand the technical threats but also the global and local geopolitical situation, and how it affects organizational threat models in each region. This expertise allows us to provide actionable and contextualized threat intelligence to increase cyber resilience and to enable mission and business objectives."

Highlights from the report include:

*   **MacOS is not immune**. It is a common misconception that macOS is a "safe" platform due to it being used less among enterprise systems. However, this could be lulling IT managers into a false sense of security. BlackBerry explores the pernicious threats targeting macOS, including malicious codes that are sometimes even explicitly downloaded by users. In Q4, the most-seen malicious application on macOS was Dock2Master which collects users' data from its own surrepticious ads. BlackBerry researchers noted that 34 percent of client organizations using macOS had Dock2Master on their network.
*   **RedLine was the most active and widespread infostealer in this last quarter.** Post-pandemic work models have necessitated the need for businesses to support remote and hybrid employees, putting corporate credentials at greater risk of attack from malicious actors than ever before. RedLine is capable of stealing credentials from numerous targets including browsers, crypto wallets, and FTP and VPN software, among others, and selling them on the black market. Cybercriminals and nation state threat actors rely on initial access brokers trading stolen credentials. RedLine is one of them providing initial access to another threat actors.
*   **BlackBerry is uniquely positioned to uncover threats that affect industries that aren't often discussed in other threat reports**. With a strong presence in both the cyber and IoT markets, BlackBerry provides insights into the current threat landscape and trends for the future that affect the automotive and manufacturing industries, along with financial and healthcare. The report includes analysis of GuLoader and the BlackCat ransomware group that targets small-to-medium sized enterprises, largely in the manufacturing sector, and threatens victims to leak compromised data to further extort their ransom.

To learn more, download a copy of the Global Threat Intelligence Report: Delivering Actionable and Contextualized Intelligence to Increase Cyber Resilience now, and tune into BlackBerry's LinkedIn Live Session on January 26th to discover more.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 215M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

Tag

#mac