Top Cybersecurity Threats for August 2023

Author: Phil Muncaster

On the third Wednesday of every month, the Verizon Threat Research Advisory Center (VTRAC) holds a Monthly Intelligence Briefing (MIB) to discuss the current cybersecurity threat landscape. Below is a summary of the most recent briefing.

1. Ivanti released patches for a zero-day vulnerability and other bugs used in an attack on the Norwegian government
2. Researchers warned of a malicious campaign exploiting a Citrix NetScaler zero-day
3. The MOVEit victim count rose to over 1,100 organizations and 56 million individuals as Deloitte joined the list of affected firms

According to SecurityWeek.com, the Norwegian government confirmed that a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) product (formerly MobileIron Core) enabled threat actors to compromise 12 government departments. The campaign, revealed in late July, dated back to at least April, with possible chaining observed between the zero-day (CVE-2023-35078) and another Ivanti vulnerability (CVE-2023-35081). The former is an authentication bypass that allowed unauthenticated remote attackers to obtain Personally Identifiable Information (PII), add an administrative account and change the appliance configuration. The latter allowed an actor who already held EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Chained, the first bug supplies the administrator account that the second one requires, so an unauthenticated attacker ends up able to write files on the appliance. Both have been patched. Ivanti and Rapid7 subsequently described a further, related vulnerability as a remote unauthenticated API access flaw in MobileIron Core 11.1 and older. Researchers warned that it could allow an attacker to write malicious webshell files to the appliance and then execute them. Some affected versions are now out of support, so no patches will be released for them; upgrading to a supported version is the only remediation. VTRAC has not identified additional victims of the original zero-day attack.
Security researchers at NCC Group reported that over 1,900 Citrix appliances were compromised in a campaign exploiting the former zero-day vulnerability CVE-2023-3519. Citrix published an advisory about the critical bug, which enables unauthenticated remote code execution, and two other vulnerabilities on July 18. It impacts NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). NCC Group said that 31,000 devices were vulnerable to the zero-day at the time of the campaign. An automated process placed webshells on vulnerable NetScalers to gain persistent access and allow execution of arbitrary commands. The attackers' end goal is unclear, but 1,828 appliances remained backdoored as of August 14. Of those, 1,248 had actually been patched for CVE-2023-3519. NCC Group's warning is worth repeating: a patched appliance can still contain a backdoor. Patching closes the entry point but does not remove a webshell dropped before the patch was applied, so administrators should check appliances for indicators of compromise rather than rely on the patch alone.

Current estimates put the number of individuals worldwide impacted by the MOVEit data theft campaign at over 56 million. That means their Protected Health Information (PHI) or PII could have been taken in the large-scale attack, which targeted the popular MOVEit managed file transfer software with a zero-day exploit. VTRAC assesses the number of organizations caught in the campaign at 1,100 as of the end of July. This includes Deloitte, the third of the Big Four accounting firms to be impacted, which said it had seen no evidence of an impact on client data. According to Verizon's experts, these figures brought the total number of organizations known to have been victimized by ransomware this year to 2,776, including 472 in July, making July the worst month this year. This count is based on victims that appear on leak sites and/or publicly disclose themselves, so the real figure is likely to be higher.

Top Cybersecurity Threats for June 2023

Author: Phil Muncaster

On the third Wednesday of every month, the Verizon Threat Research Advisory Center (VTRAC) holds its Monthly Intelligence Briefing (MIB) to discuss the current cybersecurity landscape and provide the latest threat intelligence. Below is a summary of the most recent briefing.

1. The Verizon 2023 Data Breach Investigations Report (DBIR) reveals developments in the current threat landscape
2. MOVEit flaw exploited by the Clop ransomware group in a large supply chain attack
3. Barracuda zero-day bug exploited by a Chinese state-linked threat actor

The 2023 DBIR found that external (83%) and financially motivated (95%) breaches were most common, thanks to the dominant role of organized crime. Insiders accounted for a fifth (19%), although this includes negligence as well as malicious activity. The human element was involved in 74% of breaches. That is not surprising considering that stolen credentials (49%) and phishing (12%) were the top two techniques for gaining entry into networks, followed by vulnerability exploitation (5%). Within social engineering, business email compromise (BEC), or pretexting, is now present in more incidents than phishing. As stated on page 31 of the 2023 DBIR, BEC cases doubled over the past year. Ransomware (24%) recorded its highest-ever share of breaches and continues to impact organizations of all sizes and in all industries.

The infamous ransomware group Clop exploited a zero-day vulnerability in the popular managed file transfer software MOVEit to steal data from countless MOVEit customers. The group is currently adding victim names to its leak site now that its deadline for ransom payment has expired. It has claimed hundreds of victims, while VTRAC has counted at least 96 so far. Among these are the BBC, British Airways and the U.S. Department of Energy. It was a sophisticated, multi-stage attack, which calls to mind the 2021 campaign against Accellion's legacy file transfer appliance, also linked to Clop.
As well as the original zero-day, two more critical vulnerabilities have since been found and patched by MOVEit developer Progress Software: another SQL injection (SQLi) flaw and a third bug. Financial services and insurance companies appear hardest hit, with the financial and reputational impact likely to be high. The U.S. government has offered a $10 million reward for information linking the attack to a nation-state.

In early June, Barracuda Networks took the unusual step of urging all customers of its Barracuda Email Security Gateway appliance impacted by a recent zero-day vulnerability to replace the devices immediately, regardless of patch version. That followed efforts by the cybersecurity vendor to update the appliances on May 21. The reason became clear after Mandiant published new intelligence on the case, which it had been brought in to help with. An aggressive and persistent Chinese state-linked actor had been exploiting the zero-day in an espionage campaign dating back to October 2022. The Mandiant report named the previously unknown group UNC4841. It said that Barracuda decided to issue the call for customers to replace their appliances after the group switched malware and deployed new persistence mechanisms following the Barracuda update. UNC4841 stepped up its campaign from May 22-24, with high-frequency operations targeting victims in 16 countries. A third were government agencies, but individual victims included well-known academics in Taiwan and Hong Kong and Asian and European government officials in Southeast Asia. Mandiant warned network defenders to continue monitoring for UNC4841 activity.

Top Cybersecurity Threats for October 2023

Author: Phil Muncaster

On the third Wednesday of every month, VTRAC holds a Monthly Intelligence Briefing (MIB) to discuss the current security threat landscape and the latest cybersecurity trends, news and threat intelligence. Below is a summary of the most recent briefing.

1. Big-name casino breaches illuminate the costs and challenges posed by ransomware
2. Chinese hackers target vulnerable network edge devices in a major espionage operation
3. The Rapid Reset bug is exploited to launch some of the largest ever distributed denial-of-service (DDoS) attacks

The group behind the recent attack on MGM Resorts, Scattered Spider (UNC3944), works with ALPHV/BlackCat ransomware and is said to comprise members based in the U.S. and U.K. These recent cyber attacks underline the serious impact ransomware continues to have on wealthy organizations. MGM suffered widespread outages following the attack, including several of its websites, the MGM mobile rewards app, online bookings and in-casino services like ATMs, slot machines and card payment machines. In a regulatory filing, MGM said that the resulting costs could reach close to $110 million, although the company expects its cyber-insurance policy to cover this. In both this incident and a breach at Caesars Entertainment, customers' personal data was stolen. In the latter case, however, Caesars reportedly chose to pay its extortionists a $15 million ransom. In the case of MGM, Scattered Spider appears to have compromised the company by targeting its employees. After doing some research on LinkedIn, they called the company's IT helpdesk pretending to be an employee and socially engineered the IT admin into handing over credentials within minutes. Such vishing tactics highlight the continued need for cybersecurity training and awareness at all levels of an organization, and for helpdesk procedures that verify a caller's identity through a second channel before credentials are reset or handed over.

A joint U.S.-Japan advisory has revealed a major China-linked state cyberespionage operation in which actors exploited the network routers of multinational corporations (MNCs) in order to access their networks.
The BlackTech (Circuit Panda) group was blamed for attacks on government, industrial, technology, media, electronics and telecommunications sector firms, including entities that support the militaries of the U.S. and Japan, according to the alert. The group compromised various router brands and models using customized firmware containing a backdoor that is enabled and disabled through specially crafted TCP or UDP packets. This malware was used for initial access into networks, maintaining persistence and exfiltrating data. Routers were compromised at subsidiaries of large MNCs, with the threat actors then pivoting to the networks of the same firms' headquarters. The group went to great lengths to stay hidden, using stolen code-signing certificates and blending in with corporate network traffic, among other tactics.

Threat actors have been exploiting a zero-day vulnerability in the HTTP/2 protocol since August to launch the largest DDoS attacks ever seen by Cloudflare. The flaw, tracked as CVE-2023-44487, is the cause of a series of so-called Rapid Reset attacks. They take advantage of the fact that HTTP/2 allows multiple streams to be multiplexed over the same TCP connection. Exploiting it, an attacker opens a large number of new streams and immediately sends RST_STREAM frames to cancel them. Each cancelled request still costs the server the work of parsing the request and starting to process it, while the client's cost is a few bytes, and because a cancelled stream no longer counts against the server's concurrent-stream limit, the client can keep the connection saturated indefinitely. Attacks aimed at Layer 7 like this are typically harder to mitigate than network-layer threats. Google reported that exploitation of CVE-2023-44487 enabled attackers to launch a series of DDoS attacks that peaked at 398 million requests per second (rps). Cloudflare added that it mitigated over a thousand attacks exceeding 10 million rps, including 184 which were bigger than its previous record of 71 million rps, and that this was achieved with botnets of just 20,000 machines. Whilst infrastructure giants like Google and Amazon have patched the zero-day, organizations that run their own HTTP/2 servers were told to urgently follow suit by updating to patched versions of their server software.
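To make the Rapid Reset mechanism and its mitigation concrete, the following is an added example and not Cloudflare's, Google's or any server vendor's code. It parses raw HTTP/2 frames from their 9-byte header and applies a per-connection policy of the kind deployed against CVE-2023-44487: count client streams that are cancelled with RST_STREAM before the server has answered, and flag the connection when too many such cancels arrive in a short window. The sample client traffic, the thresholds (5 cancels in 50 frames) and the `check_connection` helper are constructed for illustration.

```python
"""Per-connection detection of the HTTP/2 Rapid Reset pattern (CVE-2023-44487).

Added example, not vendor code. Parses raw HTTP/2 frames (RFC 9113 section 4.1:
24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id) and
flags a connection whose client repeatedly opens streams and cancels them at once.
All sample traffic and the thresholds below are constructed for illustration.
"""
from collections import deque

HEADERS = 0x1       # frame type that opens a client stream
RST_STREAM = 0x3    # frame type that cancels a stream
END_HEADERS = 0x4   # HEADERS flag
CANCEL = 0x8        # RST_STREAM error code used by Rapid Reset clients


def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one HTTP/2 frame; the reserved high bit of the stream id is cleared."""
    header = (len(payload).to_bytes(3, "big")
              + bytes([ftype, flags])
              + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
    return header + payload


def parse_frames(data):
    """Split a byte stream (after the connection preface) into (type, flags, stream_id, payload).

    A trailing partial frame is left unparsed, as a real server would wait for more bytes."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


class RapidResetDetector:
    """Count streams the client cancels before the server has sent a response.

    If more than `max_resets` such cancels occur within the last `window` client
    frames, the connection is judged abusive and should be closed (GOAWAY)."""

    def __init__(self, max_resets=5, window=50):
        self.max_resets = max_resets
        self.open_streams = set()           # opened by HEADERS, not yet answered
        self.recent = deque(maxlen=window)  # 1 for an early cancel, else 0
        self.cancelled = 0                  # total early cancels on this connection

    def mark_answered(self, stream_id):
        """Call when the server sends its first frame on a stream; a later RST is then benign."""
        self.open_streams.discard(stream_id)

    def feed(self, ftype, flags, stream_id, payload):
        """Process one client frame; return True once the connection is abusive."""
        early_cancel = 0
        if ftype == HEADERS and stream_id % 2 == 1:   # clients use odd stream ids
            self.open_streams.add(stream_id)
        elif ftype == RST_STREAM and stream_id in self.open_streams:
            self.open_streams.discard(stream_id)
            self.cancelled += 1
            early_cancel = 1
        self.recent.append(early_cancel)
        return sum(self.recent) > self.max_resets


def check_connection(data, max_resets=5, window=50):
    """Run the detector over a client's raw frames; return (abusive, early_cancel_count)."""
    detector = RapidResetDetector(max_resets, window)
    abusive = False
    for frame in parse_frames(data):
        abusive = detector.feed(*frame) or abusive
    return abusive, detector.cancelled


def client_burst(n_streams, reset_each):
    """Constructed client traffic: n GET requests, optionally each cancelled immediately."""
    out = b""
    for i in range(n_streams):
        sid = 2 * i + 1
        # HPACK static-table indices: 0x82 = ':method: GET', 0x84 = ':path: /'
        out += build_frame(HEADERS, sid, b"\x82\x84", END_HEADERS)
        if reset_each:
            out += build_frame(RST_STREAM, sid, CANCEL.to_bytes(4, "big"))
    return out


# A normal browser-like client: ten requests, one of which the user cancels.
NORMAL_CLIENT = client_burst(10, reset_each=False) + build_frame(
    RST_STREAM, 3, CANCEL.to_bytes(4, "big"))
# A Rapid Reset client: every request cancelled as soon as it is sent.
RAPID_RESET_CLIENT = client_burst(100, reset_each=True)

if __name__ == "__main__":
    for name, data in (("normal", NORMAL_CLIENT), ("rapid-reset", RAPID_RESET_CLIENT)):
        abusive, cancels = check_connection(data)
        print(f"{name}: early cancels={cancels} abusive={abusive}")
```

In a real server the detector would be attached to each connection, `mark_answered` would be called when the first response frame goes out on a stream, and a True result would trigger a GOAWAY and connection close. The window-based threshold is what distinguishes the attack from a browser cancelling a few requests during navigation; the values here are illustrative and must be tuned against legitimate traffic before enforcement.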
To find out more, listen to the full threat intelligence briefing from VTRAC.


