Why Continuous Security Testing is a Must for Organizations Today

The global cybersecurity market is flourishing. Experts at Gartner predict that the end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026.

One big area of spending includes the art of putting cybersecurity defenses under pressure, commonly known as security testing. MarketsandMarkets forecasts the global penetration testing (pentesting) market size is expected to grow at a Compound Annual Growth Rate (CAGR) of 13.7% from 2022 to 2027. However, the costs and limitations involved in carrying out a penetration test are already hindering the market growth, and consequently, many cybersecurity professionals are making moves to find an alternative solution.

Pentests aren’t solving cybersecurity pain points

Pentesting can serve specific and important purposes for businesses. For example, prospective customers may ask for the results of one as proof of compliance. However, for certain challenges, this type of security testing methodology isn’t always the best fit.

1 — Continuously changing environments

Securing constantly changing environments within rapidly evolving threat landscapes is particularly difficult. This challenge becomes even more complicated when aligning and managing the business risk of new projects or releases. Since penetration tests focus on one moment in time, the result won’t necessarily be the same the next time you make an update.

2 — Rapid growth

It would be unusual for fast-growing businesses not to experience growing pains. For CISOs, maintaining visibility of their organization’s expanding attack surface can be particularly painful.

According to HelpNetSecurity, 45% of respondents conduct pentests only once or twice per year and 27% do it once per quarter, which is woefully insufficient given how quickly infrastructure and applications change.

3 — Cybersecurity skills shortages

As well as limitations in budgets and resources, finding the available skillsets for internal cybersecurity teams is an ongoing battle. As a result, organizations don’t have the dexterity to spot and promptly remediate specific security vulnerabilities.

While pentests can offer an outsider perspective, often it is just one person performing the test. For some organizations, there is also an issue on trust when relying on the work of just one or two people. Sándor Incze, CISO at CM.com, gives his perspective:

“Not all pentesters are equal. It’s very hard to determine if the pentester you’re hiring is good.”

4 — Cyber threats are evolving

The constant struggle to stay up to date with the latest cyberattack techniques and trends puts media organizations at risk. Hiring specialist skills for every new cyber threat type would be unrealistic and unsustainable.

HelpNetSecurity reported that it takes 71 percent of pentesters one week to one month to conduct a pentest. Then, more than 26 percent of organizations must wait between one to two weeks to get the test results, and 13 percent wait even longer than that. Given the fast pace of threat evolution, this waiting period can leave companies unaware of potential security issues and open to exploitation.

5 — Poor-fitting security testing solutions for agile environments

Continuous development lifecycles don’t align with penetration testing cycles (often performed annually.) Therefore, vulnerabilities mistakenly created during long security testing gaps can remain undiscovered for some time.

Bringing security testing into the 21st-century Impact

Cybersecurity Testing

A proven solution to these challenges is to utilize ethical hacker communities in addition to a standard penetration test. Businesses can rely on the power of these crowds to assist them in their security testing on a continuous basis. A bug bounty program is one of the most common ways to work with ethical hacker communities.

What is a bug bounty program?

Bug bounty programs allow businesses to proactively work with independent security researchers to report bugs through incentivization. Often companies will launch and manage their program through a bug bounty platform, such as Intigriti.

Organizations with high-security maturity may leave their bug bounty program open for all ethical hackers in the platform’s community to contribute to (known as a public program.) However, most businesses begin by working with a smaller pool of security talent through a private program.

How bug bounty programs support continuous security testing structures

While you’ll receive a certificate to say you’re secure at the end of a penetration test, it won’t necessarily mean that’s still the case the next time you make an update. This is where bug bounty programs work well as a follow-up to pentests and enable a continuous security testing program.

The impact of bug bounty program on cybersecurity

By launching a bug bounty program, organizations experience:

  1. More robust protection: Company data, brand, and reputation have additional protection through continuous security testing.
  2. Enabled business goals: Enhanced security posture, leading to a more secure platform for innovation and growth.
  3. Improved productivity: Increased workflow with fewer disruptions to the availability of services. More strategic IT projects that executives have prioritized, with fewer security “fires” to put out.
  4. Increased skills availability: Internal security team’s time is freed by using a community for security testing and triage.
  5. Clearer budget justification: Ability to provide more significant insights into the organization’s security posture to justify and motivate for an adequate security budget.
  6. Improved relationships: Project delays significantly decrease without the reliance on traditional pentests.

Want to know more about setting up and launching a bug bounty program?

Intigriti is the leading European-based platform for bug bounty and ethical hacking. The platform enables organizations to reduce the risk of a cyberattack by allowing Intigriti’s network of security researchers to test their digital assets for vulnerabilities continuously.

If you’re intrigued by what you’ve read and want to know about bug bounty programs, simply schedule a meeting today with one of our experts.

www.intigriti.com

Source :
https://thehackernews.com/2022/09/why-continuous-security-testing-is-must.html

IT threat evolution in Q2 2022. Non-mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2022:

  • Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
  • Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.
  • Ransomware attacks were defeated on the computers of 74,377 unique users.
  • Our File Anti-Virus detected 55,314,176 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q2 2022, Kaspersky solutions blocked the launch of malware designed to steal money from bank accounts on the computers of 100,829 unique users.

https://e.infogram.com/_/xVIqEwzQRE40afesiEuD?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of unique users attacked by financial malware, Q2 2022 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

https://e.infogram.com/_/VAlc8RYhTGIEk24LI7Q3?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of financial malware attacks, Q2 2022 (download)

TOP 10 countries and territories by share of attacked users

Country or territory*%**
1Turkmenistan4.8
2Afghanistan4.3
3Tajikistan3.8
4Paraguay3.1
5China2.4
6Yemen2.4
7Uzbekistan2.2
8Sudan2.1
9Egypt2.0
10Mauritania1.9

* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

TOP 10 banking malware families

NameVerdicts%*
1Ramnit/NimnulTrojan-Banker.Win32.Ramnit35.5
2Zbot/ZeusTrojan-Banker.Win32.Zbot15.8
3CliptoShufflerTrojan-Banker.Win32.CliptoShuffler6.4
4Trickster/TrickbotTrojan-Banker.Win32.Trickster6
5RTMTrojan-Banker.Win32.RTM2.7
6SpyEyeTrojan-Spy.Win32.SpyEye2.3
7IcedIDTrojan-Banker.Win32.IcedID2.1
8DanabotTrojan-Banker.Win32.Danabot1.9
9BitStealerTrojan-Banker.Win32.BitStealer1.8
10GoziTrojan-Banker.Win32.Gozi1.3

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

In the second quarter, the Lockbit group launched a bug bounty program. The cybercriminals are promising $1,000 to $1,000,000 for doxing of senior officials, reporting  web service, Tox messenger or ransomware Trojan algorithm vulnerabilities, as well as for ideas on improving the Lockbit website and Trojan. This was the first-ever case of ransomware groups doing a (self-promotion?) campaign like that.

Another well-known group, Conti, said it was shutting down operations. The announcement followed a high-profile attack on Costa Rica’s information systems, which prompted the government to declare a state of emergency. The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.

While some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil’s website went back online in April, and researchers discovered a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.

Kaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and released a decryptor for all victims. Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.

Number of new modifications

In Q2 2022, we detected 15 new ransomware families and 2355 new modifications of this malware type.

https://e.infogram.com/_/LLQNUsWe0kQuAyykdQ9p?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of new ransomware modifications, Q2 2021 — Q2 2022 (download)

Number of users attacked by ransomware Trojans

In Q2 2022, Kaspersky products and technologies protected 74,377 users from ransomware attacks.

https://e.infogram.com/_/YAmZLBPilFKmsbsxFKpJ?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of unique users attacked by ransomware Trojans, Q2 2022 (download)

Geography of attacked users

https://e.infogram.com/_/oDrJKQvRPnVf4zT5I0kp?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of attacks by ransomware Trojans, Q2 2022 (download)

TOP 10 countries and territories attacked by ransomware Trojans

Country or territory*%**
1Bangladesh1.81
2Yemen1.24
3South Korea1.11
4Mozambique0.82
5Taiwan0.70
6China0.46
7Pakistan0.40
8Angola0.37
9Venezuela0.33
10Egypt0.32

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans

NameVerdicts*Percentage of attacked users**
1Stop/DjvuTrojan-Ransom.Win32.Stop17.91
2WannaCryTrojan-Ransom.Win32.Wanna12.58
3MagniberTrojan-Ransom.Win64.Magni9.80
4(generic verdict)Trojan-Ransom.Win32.Gen7.91
5(generic verdict)Trojan-Ransom.Win32.Phny6.75
6(generic verdict)Trojan-Ransom.Win32.Encoder6.55
7(generic verdict)Trojan-Ransom.Win32.Crypren3.51
8(generic verdict)Trojan-Ransom.MSIL.Encoder3.02
9PolyRansom/VirLockTrojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom2.96
10(generic verdict)Trojan-Ransom.Win32.Instructions2.69

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. A vast majority of these (more than 35,000) were detected in June. Thus, the spring depression — in March through May we found a total of no more than 10,000 new modifications — was followed by a record of sorts.

https://e.infogram.com/_/vZm5Z2G3sFuuIAqZGWRA?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of new miner modifications, Q2 2022 (download)

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.

https://e.infogram.com/_/ibd7ASo3u4ZaWhgBgbcF?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of unique users attacked by miners, Q2 2022 (download)

Geography of miner attacks

https://e.infogram.com/_/e5HYDOqPpDYZ08UMSsAM?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of miner attacks, Q2 2022 (download)

TOP 10 countries and territories attacked by miners

Country or territory*%**
1Rwanda2.94
2Ethiopia2.67
3Tajikistan2.35
4Tanzania1.98
5Kyrgyzstan1.94
6Uzbekistan1.88
7Kazakhstan1.84
8Venezuela1.80
9Mozambique1.68
10Ukraine1.56

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by criminals during cyberattacks

Quarterly highlights

During Q2 2022, a number of major vulnerabilities were discovered in the Microsoft Windows. For instance, CVE-2022-26809 critical error allows an attacker to remotely execute arbitrary code in a system using a custom RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities: CVE-2022-24491 and CVE-2022-24497. By sending a custom network message via the NFS protocol, an attacker can remotely execute arbitrary code in the system as well. Both vulnerabilities affect server systems with the NFS role activated. The CVE-2022-24521 vulnerability targeting the Common Log File System (CLFS) driver was found in the wild. It allows elevation of local user privileges, although that requires the attacker to have gained a foothold in the system. CVE-2022-26925, also known as LSA Spoofing, was another vulnerability found during live operation of server systems. It allows an unauthenticated attacker to call an LSARPC interface method and get authenticated by Windows domain controller via the NTLM protocol. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.

Most of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved brute-forcing  access to various web services. The most popular protocols and technologies susceptible to these attacks include MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of Log4j vulnerability (CVE-2021-44228) is also quite common, as the susceptible Java library is often used in web applications. Besides, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability CVE-2022-22965 that exploits the data binding functionality and results in remote code execution. Finally, we have observed a rise in attacks that exploit insecure deserialization, which can also result in access to remote systems due to incorrect or missing validation of untrusted user data passed to various applications.

Vulnerability statistics

Exploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited CVE-2017-11882 and CVE-2018-0802, which are the best-known vulnerabilities in the Equation Editor component. Exploitation involves the component memory being damaged and a specially designed script, run on the target computer. Another vulnerability, CVE-2017-8570, allows downloading and running a malicious script when opening an infected document, to execute various operations in a vulnerable system. The emergence of CVE-2022-30190or Follina vulnerability also increased the number of exploits in this category. An attacker can use a custom malicious document with a link to an external OLE object, and a special URI scheme to have Windows run the MSDT diagnostics tool. This, in turn, combined with a special set of parameters passed to the victim’s computer, can cause an arbitrary command to be executed — even if macros are disabled and the document is opened in Protected Mode.

https://e.infogram.com/_/1dqpsnMqrH26rdzDOOht?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 (download)

Attempts at exploiting vulnerabilities that affect various script engines and, specifically, browsers, dipped to 5%. In the second quarter, a number of critical RCE vulnerabilities were discovered in various Google Chrome based browsers: CVE-2022-0609CVE-2022-1096, and CVE-2022-1364. The first one was found in the animation component; it exploits a Use-After-Free error, causing memory damage, which is followed by the attacker creating custom objects to execute arbitrary code. The second and third vulnerabilities are Type Confusion errors associated with the V8 script engine; they also can result in arbitrary code being executed on a vulnerable user system. Some of the vulnerabilities discovered were found to have been exploited in targeted attacks, in the wild. Mozilla Firefox was found to contain a high-risk Use-After-Free vulnerability, CVE-2022-1097, which appears when processing NSSToken-type objects from different streams. The browser was also found to contain CVE-2022-28281, a vulnerability that affects the WebAuthn extension. A compromised Firefox content process can write data out of bounds of the parent process memory, thus potentially enabling code execution with elevated privileges. Two further vulnerabilities, CVE-2022-1802 and CVE-2022-1529, were exploited in cybercriminal attacks. The exploitation method, dubbed “prototype pollution”, allows executing arbitrary JavaScript code in the context of a privileged parent browser process.

As in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits of Java applications, the Flash platform, and PDF documents, each with 3%.

Attacks on macOS

The second quarter brought with it a new batch of cross-platform discoveries. For instance, a new APT group Earth Berberoka (GamblingPuppet) that specializes in hacking online casinos, uses malware for Windows, Linux, and macOS. The TraderTraitor campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.

TOP 20 threats for macOS

Verdict%*
1AdWare.OSX.Amc.e25.61
2AdWare.OSX.Agent.ai12.08
3AdWare.OSX.Pirrit.j7.84
4AdWare.OSX.Pirrit.ac7.58
5AdWare.OSX.Pirrit.o6.48
6Monitor.OSX.HistGrabber.b5.27
7AdWare.OSX.Agent.u4.27
8AdWare.OSX.Bnodlero.at3.99
9Trojan-Downloader.OSX.Shlayer.a3.87
10Downloader.OSX.Agent.k3.67
11AdWare.OSX.Pirrit.aa3.35
12AdWare.OSX.Pirrit.ae3.24
13Backdoor.OSX.Twenbc.e3.16
14AdWare.OSX.Bnodlero.ax3.06
15AdWare.OSX.Agent.q2.73
16Trojan-Downloader.OSX.Agent.h2.52
17AdWare.OSX.Bnodlero.bg2.42
18AdWare.OSX.Cimpli.m2.41
19AdWare.OSX.Pirrit.gen2.08
20AdWare.OSX.Agent.gen2.01

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

As usual, the TOP 20 ranking for threats detected by Kaspersky security solutions for macOS users is dominated by various adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already a leader, found with a quarter of all attacked users. Members of this family display fake system problem messages, offering to buy the full version to fix those. It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.

Geography of threats for macOS

https://e.infogram.com/_/sREMxK7Q3GvfvQe7t1Ql?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of threats for macOS, Q2 2022 (download)

TOP 10 countries and territories by share of attacked users

Country or territory*%**
1France2.93
2Canada2.57
3Spain2.51
4United States2.45
5India2.24
6Italy2.21
7Russian Federation2.13
8United Kingdom1.97
9Mexico1.83
10Australia1.82

* Excluded from the rating are countries and territories  with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). AdWare.OSX.Amc.e was the most common adware encountered in these three countries.

IoT attacks

IoT threat statistics

In Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.

Telnet82,93%
SSH17,07%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022

The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.

Telnet93,75%
SSH6,25%

Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022

TOP 10 threats delivered to IoT devices via Telnet

Verdict%*
1Backdoor.Linux.Mirai.b36.28
2Trojan-Downloader.Linux.NyaDrop.b14.66
3Backdoor.Linux.Mirai.ek9.15
4Backdoor.Linux.Mirai.ba8.82
5Trojan.Linux.Agent.gen4.01
6Trojan.Linux.Enemybot.a2.96
7Backdoor.Linux.Agent.bc2.58
8Trojan-Downloader.Shell.Agent.p2.36
9Trojan.Linux.Agent.mg1.72
10Backdoor.Linux.Mirai.cw1.45

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT-threat statistics are published in the DDoS report for Q2 2022.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

TOP 10 countries and territories that serve as sources of web-based attacks

The following statistics show the distribution by country or territory  of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.

https://e.infogram.com/_/Mii35djEPWnjaHq4c2Ve?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Distribution of web-attack sources by country and territory, Q2 2022 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory*%**
1Taiwan26.07
2Hong Kong14.60
3Algeria14.40
4Nepal14.00
5Tunisia13.55
6Serbia12.88
7Sri Lanka12.41
8Albania12.21
9Bangladesh11.98
10Greece11.86
11Palestine11.82
12Qatar11.50
13Moldova11.47
14Yemen11.44
15Libya11.34
16Zimbabwe11.15
17Morocco11.03
18Estonia11.01
19Turkey10.75
20Mongolia10.50

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

On average during the quarter, 8.31% of the Internet users’ computers worldwide were subjected to at least one Malware-class web attack.

https://e.infogram.com/_/ZeKtZKpRpQBrBYKAEvcg?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of web-based malware attacks, Q2 2022 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q2 2022, our File Anti-Virus detected 55,314,176 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.

Note that these rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory*%**
1Turkmenistan47.54
2Tajikistan44.91
3Afghanistan43.19
4Yemen43.12
5Cuba42.71
6Ethiopia41.08
7Uzbekistan37.91
8Bangladesh37.90
9Myanmar36.97
10South Sudan36.60
11Syria35.60
12Burundi34.88
13Rwanda33.69
14Algeria33.61
15Benin33.60
16Tanzania32.88
17Malawi32.65
18Venezuela31.79
19Cameroon31.34
20Chad30.92

*  Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Source :
https://securelist.com/it-threat-evolution-in-q2-2022-non-mobile-statistics/107133/

IT threat evolution Q2 2022

Targeted attacks

New technique for installing fileless malware

Earlier this year, we discovered a malicious campaign that employed a new technique for installing fileless malware on target machines by injecting a shellcode directly into Windows event logs. The attackers were using this to hide a last-stage Trojan in the file system.

The attack starts by driving targets to a legitimate website and tricking them into downloading a compressed RAR file that is booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. The attackers use these tools to inject code into any process of their choosing. They inject the malware directly into the system memory, leaving no artifacts on the local drive that might alert traditional signature-based security and forensics tools. While fileless malware is nothing new, the way the encrypted shellcode containing the malicious payload is embedded into Windows event logs is.

The code is unique, with no similarities to known malware, so it is unclear who is behind the attack.

WinDealer’s man-on-the-side spyware

We recently published our analysis of WinDealer: malware developed by the LuoYu APT threat actor. One of the most interesting aspects of this campaign is the group’s use of a man-on-the-side attack to deliver malware and control compromised computers. A man-on-the-side attack implies that the attacker is able to control the communication channel, allowing them to read the traffic and inject arbitrary messages into normal data exchange. In the case of WinDealer, the attackers intercepted an update request from completely legitimate software and swapped the update file with a weaponized one.

Observed WinDealer infection flow

The malware does not contain the exact address of the C2 (command-and-control) server, making it harder for security researchers to find it. Instead, it tries to access a random IP address from a predefined range. The attackers then intercept the request and respond to it. To do this, they need constant access to the routers of the entire subnet, or to some advanced tools at ISP level.

Geographic distribution of WinDealer victims

The vast majority of WinDealer’s targets are located in China: foreign diplomatic organizations, members of the academic community, or companies active in the defense, logistics or telecoms sectors. Sometimes, though, the LuoYu APT group will infect targets in other countries: Austria, the Czech Republic, Germany, India, Russia and the US. In recent months, they have also become more interested in businesses located in other East Asian countries and their China-based offices.

ToddyCat: previously unknown threat actor attacks high-profile organizations in Europe and Asia

In June, we published our analysis of ToddyCat, a relatively new APT threat actor that we have not been able to link to any other known actors. The first wave of attacks, against a limited number of servers in Taiwan and Vietnam, targeted Microsoft Exchange servers, which the threat actor compromised with Samurai, a sophisticated passive backdoor that typically works via ports 80 and 443. The malware allows arbitrary C# code execution and is used alongside multiple modules that let the attacker administer the remote system and move laterally within the targeted network. In certain cases, the attackers have used the Samurai backdoor to launch another sophisticated malicious program, which we dubbed Ninja. This is probably a component of an unknown post-exploitation toolkit exclusively used by ToddyCat.

The next wave saw a sudden surge in attacks, as the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries, including Iran, India, Malaysia, Slovakia, Russia and the UK.

Subsequently, we observed other variants and campaigns, which we attributed to the same group. In addition to affecting most of the previously mentioned countries, the threat actor targeted military and government organizations in Indonesia, Uzbekistan and Kyrgyzstan. The attack surface in the third wave was extended to desktop systems.

SessionManager IIS backdoor

In 2021, we observed a trend among certain threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities in Microsoft Exchange. Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a target organization — to collect emails, update further malicious access or clandestinely manage compromised servers.

We published our analysis of one such IIS backdoor, called Owowa, last year. Early this year, we investigated another, SessionManager. Developed in C++, SessionManager is a malicious native-code IIS module. The attackers’ aim is for it to be loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server. This kind of malicious modules usually expects seemingly legitimate but specifically crafted HTTP requests from their operators, triggers actions based on the operators’ hidden instructions and then transparently passes the request to the server for it to be processed just as any other request.

Figure 1. Malicious IIS module processing requests

As a result, these modules are not easily spotted through common monitoring practices.

SessionManager has been used to target NGOs and government organizations in Africa, South America, Asia, Europe and the Middle East.

We believe that this malicious IIS module may have been used by the GELSEMIUM threat actor, because of similar victim profiles and the use of a common OwlProxy variant.

Other malware

Spring4Shell

Late in March, researchers discovered a critical vulnerability (CVE-2022-22965) in Spring, an open-source framework for the Java platform. This is a Remote Code Execution (RCE) vulnerability, allowing an attacker to execute malicious code remotely on an unpatched computer. The vulnerability affects the Spring MVC and Spring WebFlux applications running under version 9 or later of the Java Development Kit. By analogy with the well-known Log4Shell vulnerability, this one was dubbed “Spring4Shell”.

By the time researchers had reported it to VMware, a proof-of-concept exploit had already appeared on GitHub. It was quickly removed, but it is unlikely that cybercriminals would have failed to notice such a potentially dangerous vulnerability.

You can find more details, including appropriate mitigation steps, in our blog post.

Actively exploited vulnerability in Windows

Among the vulnerabilities fixed in May’s “Patch Tuesday” update was one that has been actively exploited in the wild. The Windows LSA (Local Security Authority) Spoofing Vulnerability (CVE-2022-26925) is not considered critical per se. However, when the vulnerability is used in a New Technology LAN Manager (NTLM) relay attack, the combined CVSSv3 score for the attack-chain is 9.8. The vulnerability, which allows an unauthenticated attacker to force domain controllers to authenticate with an attacker’s server using NTLM, was already being exploited in the wild as a zero-day, making it a priority to patch it.

Follina vulnerability in MSDT

At the end of May, researchers with the nao_sec team reported a new zero-day vulnerability in MSDT (the Microsoft Support Diagnostic Tool) that can be exploited using a malicious Microsoft Office document. The vulnerability, which has been designated as CVE-2022-30190 and has also been dubbed “Follina”, affects all operating systems in the Windows family, both for desktops and servers.

MSDT is used to collect diagnostic information and send it to Microsoft when something goes wrong with Windows. It can be called up from other applications via the special MSDT URL protocol; and an attacker can run arbitrary code with the privileges of the application that called up the MSD: in this case, the permissions of the user who opened the malicious document.

Kaspersky has observed attempts to exploit this vulnerability in the wild; and we would expect to see more in the future, including ransomware attacks and data breaches.

BlackCat: a new ransomware gang

It was only a matter of time before another ransomware group filled the gap left by REvil and BlackMatter shutting down operations. Last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums, claiming that the group had learned from the errors of their predecessors and created an improved version of the malware.

The BlackCat creators use the ransomware-as-a-service (RaaS) model. They provide other attackers with access to their infrastructure and malicious code in exchange for a cut of the ransom. BlackCat gang members are probably also responsible for negotiating with victims. This is one reason why BlackCat has gained momentum so quickly: all that a “franchisee” has to do is obtain access to the target network.

The group’s arsenal comprises several elements. One is the cryptor. This is written in the Rust language, allowing the attackers to create a cross-platform tool with versions of the malware that work both in Windows and Linux environments. Another is the Fendr utility (also known as ExMatter), used to exfiltrate data from the infected infrastructure. The use of this tool suggests that BlackCat may simply be a re-branding of the BlackMatter faction, since that was the only known gang to use the tool. Other tools include the PsExec tool, used for lateral movement on the victim’s network; Mimikatz, the well-known hacker software; and the Nirsoft software, used to extract network passwords.

Yanluowang ransomware: how to recover encrypted files

The name Yanluowang is a reference to the Chinese deity Yanluo Wang, one of the Ten Kings of Hell. This ransomware is relatively recent. We do not know much about the victims, although data from the Kaspersky Security Network indicates that threat actor has carried out attacks in the US, Brazil, Turkey and a few other countries.

The low number of infections is due to the targeted nature of the ransomware: the threat actor prepares and implements attacks on specific companies only.

Our experts have discovered a vulnerability that allows files to be recovered without the attackers’ key — although only under certain conditions — with the help of a known-plaintext attack. This method overcomes the encryption algorithm if two versions of the same text are available: one clean and one encrypted. If the victim has clean copies of some of the encrypted files, our upgraded Rannoh Decryptor can analyze these and recover the rest of the information.

There is one snag: Yanluowang corrupts files slightly differently depending on their size. It encrypts small (less than 3 GB) files completely, and large ones, partially. So, the decryption requires clean files of different sizes. For files smaller than 3 GB, it is enough to have the original and an encrypted version of the file that are 1024 bytes or more. To recover files larger than 3 GB, however, you need original files of the appropriate size. However, if you find a clean file larger than 3 GB, it will generally be possible to recover both large and small files.

Ransomware TTPs

In June, we carried out an in-depth analysis of the TTPs (tactics, techniques and procedures) (TTPs) of the eight most widespread ransomware families: Conti/Ryuk, Pysa, Clop, Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. Our aim was to help those tasked with defending corporate systems to understand how ransomware groups operate and how to protect against their attacks.

The report includes the following:

  • The TTPs of eight modern ransomware groups.
  • A description of how various groups share more than half of their components and TTPs, with the core attack stages executed identically across groups.
  • A cyber-kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors’ next steps.
  • A detailed analysis of each technique with examples of how various groups use them, and a comprehensive list of mitigations.
  • SIGMA rules based on the described TTPs that can be applied to SIEM solutions.

Ahead of the Anti-Ransomware Day on May 12, we took the opportunity to outline the tendencies that have characterized ransomware in 2022. In our report, we highlight several trends that we have observed.

First, we are seeing more widespread development of cross-platform ransomware, as cybercriminals seek to penetrate complex environments running a variety of systems. By using cross-platform languages such as Rust and Golang, attackers are able to port their code, which allows them to encrypt data on more computers.

Second, ransomware gangs continue to industrialize and evolve into real businesses by adopting the techniques and processes used by legitimate software companies.

Third, the developers of ransomware are adopting a political stance, involving themselves in the conflict between Russia and Ukraine.

Finally, we offer best practices that organizations should adopt to help them defend against ransomware attacks:

  • Keep software updated on all your devices.
  • Focus your defense strategy on detecting lateral movements and data exfiltration.
  • Enable ransomware protection for all endpoints.
  • Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
  • Provide your SOC team with access to the latest threat intelligence.

Emotet’s return

Emotet has been around for eight years. When it was first discovered in 2014, its main purpose was stealing banking credentials. Subsequently, the malware underwent numerous transformations to become one of the most powerful botnets ever. Emotet made headlines in January 2021, when its operations were disrupted through the joint efforts of law enforcement agencies in several countries. This kind of “takedowns” does not necessarily lead to the demise of a cybercriminal operation. It took the cybercriminals almost ten months to rebuild the infrastructure, but Emotet did return in November 2021. At that time, the Trickbot malware was used to deliver Emotet, but it is now spreading on its own through malicious spam campaigns.

Recent Emotet protocol analysis and C2 responses suggest that Emotet is now capable of downloading sixteen additional modules. We were able to retrieve ten of these, including two different copies of the spam module, used by Emotet for stealing credentials, passwords, accounts and emails, and to spread spam.

You can read our analysis of these modules, as well as statistics on recent Emotet attacks, here.

Emotet infects both corporate and private computers all around the world. Our telemetry indicates that in the first quarter of 2022, targeted: it mostly targeted users in Italy, Russia, Japan, Mexico, Brazil, Indonesia, India, Vietnam, China, Germany and Malaysia.

Moreover, we have seen a significant growth in the number of users attacked by Emotet.

Mobile subscription Trojans

Trojan subscribers are a well-established method of stealing money from people using Android devices. These Trojans masquerade as useful apps but, once installed, silently subscribe to paid services.

The developers of these Trojans make money through commissions: they get a cut of what the person “spends”. Funds are typically deducted from the cellphone account, although in some cases, these may be debited directly to a bank card. We looked at the most notable examples that we have seen in the last twelve months, belonging to the Jocker, MobOk, Vesub and GriftHorse families.

Normally, someone has to actively subscribe to a service; providers often ask subscribers to enter a one-time code sent via SMS, to counter automated subscription attempts. To sidestep this protection, malware can request permission to access text messages; where they do not obtain this, they can steal confirmation codes from pop-up notifications about incoming messages.

Some Trojans can both steal confirmation codes from texts or notifications, and work around CAPTCHA: another means of protection against automated subscriptions. To recognize the code in the picture, the Trojan sends it to a special CAPTCHA recognition service.

Some malware is distributed through dubious sources under the guise of apps that are banned from official stores, for example, masquerading as apps for downloading content from YouTube or other streaming services, or as an unofficial Android version of GTA5. In addition, they can appear in these same sources as free versions of popular, expensive apps, such as Minecraft.

Other mobile subscription Trojans are less sophisticated. When run for the first time, they ask the user to enter their phone number, seemingly for login purposes. The subscription is issued as soon as they enter their number and click the login button, and the amount is debited to their cellphone account.

Other Trojans employ subscriptions with recurring payments. While this requires consent, the person using the phone might not realize they are signing up for regular automatic payments. Moreover, the first payment is often insignificant, with later charges being noticeably higher.

You can read more about this type of mobile Trojan, along with tips on how to avoid falling victim to it, here.

The threat from stalkerware

Over the last four years, we have published annual reports on the stalkerware situation, in particular using data from the Kaspersky Security Network. This year, our report also included the results of a survey on digital abuse commissioned by Kaspersky and several public organizations.

Stalkerware provides the digital means for a person to secretly monitor someone else’s private life and is often used to facilitate psychological and physical violence against intimate partners. The software is commercially available and can access an array of personal data, including device location, browser history, text messages, social media chats, photos and more. It may be legal to market stalkerware, although its use to monitor someone without their consent is not. Developers of stalkerware benefit from a vague legal framework that still exists in many countries.

In 2021, our data indicated that around 33,000 people had been affected by stalkerware.

The numbers were lower than what we had seen for a few years prior to that. However, it is important to remember that the decrease of 2020 and 2021 occurred during successive COVID-19 lockdowns: that is, during conditions that meant abusers did not need digital tools to monitor and control their partners’ personal lives. It is also important to bear in mind that mobile apps represent only one method used by abusers to track someone — others include tracking devices such as AirTags, laptop applications, webcams, smart home systems and fitness trackers. KSN tracks only the use of mobile apps. Finally, KSN data is taken from mobile devices protected by Kaspersky products: many people do not protect their mobile devices.  The Coalition Against Stalkerware, which brings together members of the IT industry and non-profit companies, believes that the overall number of people affected by this threat might be thirty times higher — that is around a million people!

Stalkerware continues to affect people across the world: in 2021, we observed detections in 185 countries or territories.

Just as in 2020, Russia, Brazil, the US and India were the top four countries with the largest numbers of affected individuals. Interestingly, Mexico had fallen from fifth to ninth place. Algeria, Turkey and Egypt entered the top ten, replacing Italy, the UK and Saudi Arabia, which were no longer in the top ten.

We would recommend the following to reduce your risk of being targeted:

  • Use a unique, complex password on your phone and do not share it with anyone.
  • Try not to leave your phone unattended; and if you have to, lock it.
  • Download apps only from official stores.
  • Protect your mobile device with trustworthy security software and make sure it is able to detect stalkerware.

Remember also that if you discover stalkerware on your phone, dealing with the problem is not as simple as just removing the stalkerware app. This will alert the abuser to the fact that you have become aware of their activities and may precipitate physical abuse. Instead, seek help:  you can find a list or organizations that can provide help and support on the Coalition Against Stalkerware site.

Source :
https://securelist.com/it-threat-evolution-q2-2022/107099/

Threat landscape for industrial automation systems for H1 2022

H1 2022 in numbers

Geography

  • In H1 2022, malicious objects were blocked at least once on 31.8% of ICS computers globally.Percentage of ICS computers on which malicious objects were blocked
  • For the first time in five years of observations, the lowest percentage in the ‎first half of the year was observed in March.‎ During the period from January to March, the percentage of attacked ICS computers decreased by 1.7 p.p.Percentage of ICS computers on which malicious objects were blocked, January – June 2020, 2021, and 2022
  • Among regions, the highest percentage of ICS computers on which malicious objects were blocked was observed in Africa (41.5%). The lowest percentage (12.8%) was recorded in Northern Europe.Percentage of ICS computers on which malicious objects were blocked, in global regions
  • Among countries, the highest percentage of ICS computers on which malicious objects were blocked was recorded in Ethiopia (54.8%) and the lowest (6.8%) in Luxembourg.15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H1 202210 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H1 2022

Threat sources

  • The main sources of threats to computers in the operational technology infrastructure of organizations are internet (16.5%), removable media (3.5%), and email (7.0%).Percentage of ICS computers on which malicious objects from different sources were blocked

Regions

  • Among global regions, Africa ranked highest based on the percentage of ICS computers on which malware was blocked when removable media was connected.Regions ranked by percentage of ICS computers on which malware was blocked when removable media was connected, H1 2022
  • Southern Europe leads the ranking of regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H1 2022

Industry specifics

  • In the Building Automation industry, the percentage of ICS computers on which malicious email attachments and phishing links were blocked (14.4%) was twice the average value for the entire world (7%).Percentage of ICS computers on which malicious email attachments and phishing links were blocked, in selected industries
  • In the Oil and Gas industry, the percentage of ICS computers on which threats were blocked when removable media was connected (10.4%) was 3 times the average percentage for the entire world (3.5%).Percentage of ICS computers on which threats were blocked when removable media was connected
  • In the Oil and Gas industry, the percentage of ICS computers on which malware was blocked in network folders (1.2%) was twice the world average (0.6%).Percentage of ICS computers on which threats were blocked in network folders

Diversity of malware

  • Malware of different types from 7,219 families was blocked on ICS computers in H1 2022.Percentage of ICS computers on which the activity of malicious objects from different categories was prevented

Ransomware

  • In H1 2022, ransomware was blocked on 0.65% of ICS computers. This is the highest percentage for any six-month reporting period since 2020.Percentage of ICS computers on which ransomware was blocked
  • The highest percentage of ICS computers on which ransomware was blocked was recorded in February (0.27%) and the lowest in March (0.11%). The percentage observed in February was the highest in 2.5 years of observations.Percentage of ICS computers on which ransomware was blocked, January – June 2022
  • East Asia (0.95%) and the Middle East (0.89%) lead the ransomware-based ranking of regions. In the Middle East, the percentage of ICS computers on which ransomware was blocked per six-month reporting period has increased by a factor of 2.5 since 2020.Regions ranked by percentage of ICS computers on which ransomware was blocked, H1 2022
  • Building Automation leads the ranking of industries based on the percentage of ICS computers attacked by ransomware (1%).Percentage of ICS computers on which ransomware was blocked, in selected regions, H1 2022

Malicious documents

  • Malicious documents (MSOffice+PDF) were blocked on 5.5% of ICS computers. This is 2.2 times the percentage recorded in H2 2021. Threat actors distribute malicious documents via phishing emails and actively use such emails as the vector of initial computer infections.Percentage of ICS computers on which malicious documents (MSOffice+PDF) were blocked
  • In the Building Automation industry, the percentage of ICS computers on which malicious office documents were blocked (10.5%) is almost twice the global average.Percentage of ICS computers on which malicious office documents (MSOffice+PDF) were blocked, in selected industries

Spyware

  • Spyware was blocked on 6% of ICS computers. This percentage has been growing since 2020.Percentage of ICS computers on which spyware was blocked
  • Building Automation leads the ranking of industries based on the percentage of ICS computers on which spyware was blocked (12.9%).Percentage of ICS computers on which spyware was blocked, in selected industries

Malware for covert cryptocurrency mining

  • The percentage of ICS computers on which malicious cryptocurrency miners were blocked continued to rise gradually.Percentage of ICS computers on which malicious cryptocurrency miners were blocked
  • Building Automation also leads the ranking of selected industries by percentage of ICS computers on which malicious cryptocurrency miners were blocked.Percentage of ICS computers on which malicious cryptocurrency miners were blocked, in selected industries

The full text of the report has been published on the Kaspersky ICS CERT website.

Source :
https://securelist.com/threat-landscape-for-industrial-automation-systems-for-h1-2022/107373/

5 Ways to Mitigate Your New Insider Threats in the Great Resignation

Companies are in the midst of an employee “turnover tsunami” with no signs of a slowdown. According to Fortune Magazine, 40% of the U.S. is considering quitting their jobs. This trend – coined the great resignation – creates instability in organizations. High employee turnover increases security risks, and companies are more vulnerable to attacks from human factors worldwide.

At Davos 2022, statistics connect the turmoil of the great resignation to the rise of new insider threats. Security teams are feeling the impact. It’s even harder to keep up with your employee security. Companies need a fresh approach to close the gaps and prevent attacks. This article will examine what your security teams must do within the new organizational dynamics to quickly and effectively address unique challenges.

Handling Your New Insider Threats

Implementing a successful security awareness program is more challenging than ever for your security team—the new blood coming in causes cultural dissonance. Every new employee brings their own security habits, behavior, and ways of work. Changing habits is slow. Yet, companies don’t have the luxury of time. They must get ahead of hackers to prevent attacks from new insider threats.

Be sure to handle your organization’s security high-impact risks:

  • Prevent data loss – When employees leave, there’s a high risk of sensitive data leaks. Manage off-boarding and close lurking dormant emails to prevent data loss.
  • Maintain best practices – When new employees join the organization, even if security training is well conducted, they’re not on par with their peers. Unknown security habits may put the organization at risk.
  • Ensure friendly reminders – With less staff, employees are overburdened and pressured. Security may be “forgotten” or neglected in the process.
  • Support remote work –To support rapid employee recruitment, working at home is a must. Remote work flexibility helps to attract and retain new employees.
  • Train on the go – Remote work requires securing remote devices and dealing with new employee behavior for inherent distractions – on the go and at home.

5 Preventive Measures for High Impact in Your Organization

Security teams must protect companies against new phishing attempts within the high workforce flux. Practical security training is key to countering hackers. New techniques and practices are required to support remote work and new behavioral challenges, especially during times of high employee turnover. To succeed, your training must keep cyber awareness fresh for all staff. It must genuinely transform the behavior of your new employees.

Here are five preventive measures to effectively protect your organization for cyber resilience:

Ensure all staff get continuous training

Security risks are constantly evolving and ever-present. All employees are needed to protect against sophisticated phishing threats. It’s even more complicated in the great resignation. With new weak links, your company is at the greatest risk. Gullible employees leave security ‘holes’ in your organization’s front line. Security teams are well aware of the risks.

Research shows that companies must continuously train 100% of their staff every month. Yet, employees spend little time thinking about security.

Automated security awareness training like CybeReady makes it easier to manage security training for all your staff.

  • Instead of manual work, use new, in-depth BI data and reports to guide your training plan for new and experienced employees.
  • Adjust difficulty level to the role, geography, and risk, to flexibly control your diverse employee needs and vulnerabilities.
  • Raise employee awareness of threats.
  • Prevent hacker exploitation and emergency triage with company leadership.

Target new employees

Your security depends on employee help and cooperation. Build best practices on the job. Threat basics aren’t enough to stop malicious actors. Whether in the office or working remotely, security training must foster mastery. Start with low difficulty. Create a foundation. Continually promote learning to the next level. You must understand and cater to your employee’s needs and way of work for effectiveness.

Simply sending out emails to employees is not enough for a robust learning experience. With security awareness platforms like CybeReady, training becomes more scientific for continuous, accurate analysis of your security awareness.

  • Adjust your training simulations to employee contexts and frequency for mastery.
  • Set difficulty level depending on employee behavior and results.
  • Use intensive, bite-size intervals for success.
  • By varying attack scenarios, new employees get proper onboarding.
  • Put security on the top of the mind of all your staff.

Prioritize your highest risk groups

For a cyber awareness training program to be successful, security teams must plan, operate, evaluate and adapt accordingly. Forecasting actual difficulty and targeting groups can be complex. Security teams must determine future attack campaigns based on employee behavior and address challenges in a given scenario.

With data-driven platforms like CybeReady, your security teams monitor campaign performance to fine-tune employee defense.

  • Build custom high-intensity training campaigns for your high-risk groups.
  • Focus on specific challenges for concrete results like:

1) Password and data requests

2) Messages from seemingly legitimate senders and sources

3) Realistic content tailored to a specific department or role.

  • Adapt your training for both individuals and attack vectors while respecting employee privacy.
  • Shift problematic group behavior to best practices.

Keep busy staff vigilant

Security is 24/7. Keep your training unpredictable to maintain employee vigilance. Send surprising simulation campaigns in a continuous cycle. Catch employees off guard for the best learning. To create high engagement, ensure your training content is relevant to daily actions. Use short, frequent, and intriguing content in their own language. Tailor to local references and current news.

With scientific, data-based simulations like CybeReady, companies mimic the rapidly changing attack environment – plus, tick all your compliance boxes for a complete solution. Stay abreast of evolving global phishing trends as they vary around the world. Focus all your employees on the attacker styles and scenarios most popular in their geographies and languages. Adjust frequency to personal and group risk.

Ensure long-term results for every employee

Take advantage of the ‘golden moment.’ Just-in-time learning is the key to the most effective results. Instead of random enforcement training often irrelevant to employees, make a lasting impression right when mistakes happen. Ensure that your training uses this limited window of time. People are likelier to remember the experience and change behavior the next time.

With data science-driven cyber security training platforms like CybeReady, security teams seize the moment of failure for long-term results. With just-in-time learning, employees immediately get training on mistakes made upon falling for a simulation. They retain critical knowledge and respond better in future attack scenarios. With a new awareness of risks, transform learning into new behaviors.

Cutting Your Security Risks with a New Level of Employee Awareness

In global organizations today, seamlessly integrating the latest security know-how into everyday work is a must to counter the new risks of the great resignation. It’s more important than ever for every employee to get up to speed for high cyber resilience quickly.

Download the CybeReady Playbook to learn how CybeReady’s fully automated security awareness training platform provides the fast, concrete results you need with virtually zero effort IT, or schedule a product demo with one of our experts.

Source :
https://thehackernews.com/2022/09/5-ways-to-mitigate-your-new-insider.html

KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

Summary

The Distributed Component Object Model (DCOM) Remote Protocol is a protocol for exposing application objects using remote procedure calls (RPCs). DCOM is used for communication between the software components of networked devices.  

Hardening changes in DCOM were required for CVE-2021-26414. Therefore, we recommended that you verify if client or server applications in your environment that use DCOM or RPC work as expected with the hardening changes enabled.

To address the vulnerability described in CVE-2021-26414, you must install updates released September 14, 2021 or later and enable the registry key described below in your environment. We recommended that you complete testing in your environment and enable these hardening changes as soon as possible. If you find issues during testing, you must contact the vendor for the affected client or server software for an update or workaround before early 2022.

Note We recommend that you update your devices to the latest security update available to take advantage of the advanced protections from the latest security threats.

Timeline

Update releaseBehavior change
June 8, 2021Hardening changes disabled by default but with the ability to enable them using a registry key.
June 14, 2022Hardening changes enabled by default but with the ability to disable them using a registry key.
March 14, 2023Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

Registry setting to enable or disable the hardening changes

During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:

  • Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
  • Value Name: “RequireIntegrityActivationAuthenticationLevel”
  • Type: dword
  • Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to enabled.

Note You must enter Value Data in hexadecimal format. 

Important You must restart your device after setting this registry key for it to take effect.

Note Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.

Note This registry value does not exist by default; you must create it. Windows will read it if it exists and will not overwrite it.

New DCOM error events

To help you identify the applications that might have compatibility issues after we enable DCOM security hardening changes, we added new DCOM error events in the System log; see the tables below. The system will log these events if it detects that a DCOM client application is trying to activate a DCOM server using an authentication level that is less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. You can trace to the client device from the server-side event log and use client-side event logs to find the application.

Server events

Event IDMessage
10036“The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.”(%1 – domain, %2 – user name, %3 – User SID, %4 – Client IP Address)

Client events

Event IDMessage
10037“Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.”
10038“Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.”(%1 – Application Path, %2 – Application PID, %3 – CLSID of the COM class the application is requesting to activate, %4 – Computer Name, %5 – Value of Authentication Level)

Availability

These error events are only available for a subset of Windows versions; see the table below.

Windows versionAvailable on or after these dates
Windows Server 2022September 27, 2021KB5005619
Windows 10, version 2004, Windows 10, version 20H2, Windows 10, version 21H1September 1, 2021KB5005101
Windows 10, version 1909August 26, 2021KB5005103
Windows Server 2019, Windows 10, version  1809August 26, 2021KB5005102
Windows Server 2016, Windows 10, version 1607September 14, 2021KB5005573
Windows Server 2012 R2 and Windows 8.1October 12, 2021KB5006714

Source :
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Password Security and the Internet of Things (IoT)

The Internet of Things (IoT) is here, and we’re using it for everything from getting instant answers to random trivia questions to screening visitors at the door. According to Gartner, we were expected to use more than 25 billion internet-connected devices by the end of 2021. But as our digital lives have become more convenient, we might not yet have considered the risks involved with using IoT devices.

How can you keep yourself secure in today’s IoT world, where hackers aim to outsmart your smart home? First we’ll look at how hackers infiltrate the IoT, and then we’ll look at what you can do right now to make sure the IoT is working for you – not against you.

How hackers are infiltrating the Internet of Things

While we’ve become comfortable asking voice assistants to give us the weather forecast while we prep our dinners, hackers have been figuring out how to commandeer our IoT devices for cyber attacks. Here are just a few examples of how cyber criminals are already infiltrating the IoT.

Gaining access to and control of your camera

Have you ever seen someone with a sticker covering the camera on their laptop or smartphone? There’s a reason for that. Hackers have been known to gain access to these cameras and spy on people. This has become an even more serious problem in recent years, as people have been relying on videoconferencing to safely connect with friends and family, participate in virtual learning, and attend telehealth appointments during the pandemic. Cameras now often come with an indicator light that lets you know whether they’re being used. It’s a helpful protective measure, but not a failsafe one.

Using voice assistants to obtain sensitive information

According to Statista, 132 million Americans used a digital voice assistant once a month in 2021. Like any IoT gadget, however, they can be vulnerable to attack. According to Ars Technica, academic researchers have discovered that the Amazon Echo can be forced to take commands from itself, which opens the door to major mischief in a smart home. Once an attacker has compromised an Echo, they can use it to unlock doors, make phone calls and unauthorized purchases, and control any smart home appliances that the Echo manages.

Many bad actors prefer the quiet approach, however, slipping in undetected and stealing information. They can piggyback on a voice assistant’s privileged access to a victim’s online accounts or other IoT gadgets and make off with any sensitive information they desire. With the victim being none the wiser, the attackers can use that information to commit identity fraud or stage even more ambitious cyber crimes.

Hacking your network and launching a ransomware attack

Any device that is connected to the internet, whether it’s a smart security system or even a smart fridge, can be used in a cyber attack. Bad actors know that most people aren’t keeping their IoT gadgets’ software up to date in the same way they do their computers and smartphones, so they take advantage of that false sense of security. Once cyber criminals have gained access to an IoT device, they can go after other devices on the same network. (This is because most home networks are designed to trust devices that are already connected to them.) When these malicious actors are ready, they can launch a ransomware attack that brings your entire digital life to a halt – unless you agree to fork over a hefty sum in bitcoin, that is.

Using bots to launch a DDOS attack

Although most people never notice it, hackers can and do infect IoT devices with malware en masse, gaining control over them in the process. Having turned these zombie IoT devices into bots, the hackers then collectively use them to stage what’s called a botnet attack on their target of choice. This form of assault is especially popular for launching distributed denial of service (DDOS) attacks, in which all the bots in a botnet collectively flood a target with network requests until it buckles and goes offline.

How you can keep your Internet of Things gadgets safe from hackers

So how can you protect your IoT devices from these determined hackers? Fortunately, you can take back control by becoming just a little more cyber smart. Here are a few ways to keep your IoT gadgets safe from hackers:

  • Never use the default settings on your IoT devices. Although IoT devices are designed to be plug-and-play so you can start enjoying them right away, their default settings are often not nearly as secure as they should be. With that in mind, set up a unique username and strong password combination before you start using any new IoT technology. While you’re at it, see if there’s an option to encrypt the traffic to and from your IoT device. If there is, turn it on.
  • Keep your IoT software up to date. Chances are, you regularly install the latest software updates on your computer and phone. Hackers are counting on you to leave your IoT gadgets unpatched, running outdated software with vulnerabilities they can exploit, so be sure to keep the software on your IoT devices up to date as well.
  • Practice good password hygiene. We all slip into bad password habits from time to time – it’s only human – but they put our IoT security at risk. With this in mind, avoid re-using passwords and be sure to set unique, strong passwords on each of your IoT devices. Update those passwords from time to time, too. Don’t store your passwords in a browser, and don’t share them via email. A password manager can help you securely store and share your passwords, so hackers never have a chance to snatch them.
  • Use secure, password-protected WiFi. Cyber criminals are notorious for sneaking onto open, insecure WiFi networks. Once they’re connected, they can spy on any internet activity that happens over those networks, steal login credentials, and launch cyber attacks if they feel like it. For this reason, make sure that you and your IoT devices only use secure, password-protected WiFi.
  • Use multi-factor authentication as an extra layer of protection. Multi-factor authentication (MFA), gives you extra security on top of all the other measures we mentioned above. It asks you to provide one more credential, or factor, in addition to a password to confirm you are who you say you are. If you have MFA enabled and a hacker tries to log in as you, you’ll get a notification that a login attempt is in progress. Whenever you have the option to enable MFA on any account or technology, take advantage of it.

Protect your Internet of Things devices with smart password security

The IoT is making our lives incredibly convenient, but that convenience can be a little too seductive at times. It’s easy to forget that smart home devices, harmless-looking and helpful as they are, can be targeted in cyber attacks just like our computers and phones. Hackers are counting on you to leave your IoT gadgets unprotected so they can use them to launch damaging attacks. By following these smart IoT security tips, you can have the best of both worlds, enjoying your smart life and better peace of mind at the same time.

Learn how LastPass Premium helps you strengthen your password security.

Source :
https://blog.lastpass.com/2022/08/password-security-and-the-iot/

Staying Safe With QR Codes

QR codes link the offline to the online. What started as a way to streamline manufacturing in the automotive industry is now a widespread technology helping connect the physical world to digital content. And as the world embraced remote, no-touch solutions during the Covid pandemic, QR codes became especially popular. QR codes offer convenience and immediacy for businesses and consumers, but cybercriminals also take advantage of them. Here’s what you need to know about QR codes and how to stay safe when using them. 

Why QR codes? 

Due to their size and structure, the two-dimensional black and white barcodes we call QR codes are very versatile. And since most people carry a smartphone everywhere, they can quickly scan QR codes with their phone’s camera. Moreover, since QR codes are relatively easy to program and accessible for most smartphone users, they can be an effective communication tool. 

They also have many uses. For example, QR codes may link to a webpage, start an app or file download, share contact information, initiate a payment, and more. Covid forced businesses to be creative with touchless experiences, and QR codes provide a convenient way to transform a physical touchpoint into a digital interaction. During Covid, QR codes became a popular way to look at restaurant menus, communicate Covid policies, check in for an appointment, and view marketing promotions, among other scenarios.  

As a communication tool, QR codes can transmit a lot of information from one person to another, making it easy for someone to take action online and interact further with digital content.  

What hackers do with QR codes 

QR codes are inherently secure, and no personally identifiable information (PII) is transmitted while you’re scanning them. However, the tricky part about QR codes is that you don’t know what information they contain until you scan them. So just looking at the QR code won’t tell you if it’s entirely trustworthy or not. 

For example, cybercriminals may try to replace or sticker over a QR code in a high-traffic, public place. Doing so can trick people into scanning a malicious QR code. Or, hackers might send malicious QR codes digitally by email, text, or social media. The QR code scam might target a specific individual, or cybercriminals may design it to attract as many scans as possible from a large number of people. 

Once scanned, a malicious QR code may take you to a phishing website, lead you to install malware on your device, redirect a payment to the wrong account, or otherwise compromise the security of your private information.  

In the same way that cybercriminals try to get victims to click phishing links in email or social media, they lure people into scanning a QR code. These bad actors may be after account credentials, financial information, PII, or even company information. With that information, they can steal your identity or money or even break into your employer’s network for more valuable information (in other words, causing a data breach). 

QR code best practices for better security 

For the most part, QR code best practices mirror the typical security precautions you should take on social media and elsewhere in your digital life. However, there are also a few special precautions to keep in mind regarding QR codes. 

Pay attention to context. Where is the code available? What does the code claim to do (e.g., will it send you to a landing page)? Is there someone you can ask to confirm the purpose of the QR code? Did someone send it unprompted? Is it from a business or individual you’ve never heard of? Just like with phishing links, throw it out when in doubt. 

Look closely at the code. Some codes may have specific colors or branding to indicate the code’s purpose and destination. Many codes are generic black and white designs, but sometimes there are clues about who made the code. 

Check the link before you click. If you scan the QR code and a link appears, double-check it before clicking. Is it a website URL you were expecting? Is it a shortened link that masks the full URL? Is the webpage secure (HTTPS)? Do you see signs of a phishing attack (branding is slightly off, strange URL, misspelled words, etc.)? If it autogenerates an email or text message, who is the recipient and what information is it sending them? If it’s a payment form, who is receiving the payment? Read carefully before taking action. 

Practice password security. Passwords and account logins remain one of the top targets of cyber attacks. Stolen credentials give cybercriminals access to valuable personal and financial information. Generate every password for every account with a random password generator, ideally built into a password manager for secure storage and autofill. Following password best practices ensures one stolen password results in minimal damage. 

Layer with MFA. Adding multi-factor authentication to logins further protects against phishing attacks that steal passwords. With MFA in place, a hacker still can’t access an account after using a stolen password. By requiring additional login data, MFA can prevent cybercriminals from gaining access to personal or business accounts. 

QR codes remain a popular marketing and communication tool. They’re convenient and accessible, so you can expect to encounter them occasionally. Though cyber attacks via QR codes are less common, you should still stay vigilant for signs of phishing and social engineering via QR codes. To prevent and mitigate attacks via QR codes, start by building a solid foundation of digital security with a trusted password manager

Source :
https://blog.lastpass.com/2022/08/staying-safe-with-qr-codes/

CISA Adds 7 New Actively Exploited Vulnerabilities to Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch Tuesday updates for February 2022.

CyberSecurity

Described as an HTTP request smuggling vulnerability, the shortcoming impacts the following product versions –

  • SAP Web Dispatcher (Versions – 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87)
  • SAP Content Server (Version – 7.53)
  • SAP NetWeaver and ABAP Platform (Versions – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49)

“An unauthenticated attacker can prepend a victim’s request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary web caches,” CISA said in an alert.

“A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation,” Onapsis, which discovered the flaw, notes. “Consequently, this makes it easy for attackers to exploit it and more challenging for security technology such as firewalls or IDS/IPS to detect it (as it does not present a malicious payload).”

Aside from the SAP weakness, the agency added new flaws disclosed by Apple (CVE-2022-32893, and CVE-2022-32894) and Google (CVE-2022-2856) this week as well as previously documented Microsoft-related bugs (CVE-2022-21971 and CVE-2022-26923) and a remote code execution vulnerability in Palo Alto Networks PAN-OS (CVE-2017-15944, CVSS score: 9.8) that was disclosed in 2017.

CyberSecurity

CVE-2022-21971 (CVSS score: 7.8) is a remote code execution vulnerability in Windows Runtime that was resolved by Microsoft in February 2022. CVE-2022-26923 (CVSS score: 8.8), fixed in May 2022, relates to a privilege escalation flaw in Active Directory Domain Services.

“An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System,” Microsoft describes in its advisory for CVE-2022-26923.

The CISA notification, as is traditionally the case, is light on technical details of in-the-wild attacks associated with the vulnerabilities so as to avoid threat actors taking further advantage of them.

To mitigate exposure to potential threats, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the relevant patches by September 8, 2022.

Source :
https://thehackernews.com/2022/08/cisa-adds-7-new-actively-exploited.html

Spectre and Meltdown Attacks Against OpenSSL

The OpenSSL Technical Committee (OTC) was recently made aware of several potential attacks against the OpenSSL libraries which might permit information leakage via the Spectre attack.1 Although there are currently no known exploits for the Spectre attacks identified, it is plausible that some of them might be exploitable.

Local side channel attacks, such as these, are outside the scope of our security policy, however the project generally does introduce mitigations when they are discovered. In this case, the OTC has decided that these attacks will not be mitigated by changes to the OpenSSL code base. The full reasoning behind this is given below.

The Spectre attack vector, while applicable everywhere, is most important for code running in enclaves because it bypasses the protections offered. Example enclaves include, but are not limited to:

The reasoning behind the OTC’s decision to not introduce mitigations for these attacks is multifold:

  • Such issues do not fall under the scope of our defined security policy. Even though we often apply mitigations for such issues we do not mandate that they are addressed.
  • Maintaining code with mitigations in place would be significantly more difficult. Most potentially vulnerable code is extremely non-obvious, even to experienced security programmers. It would thus be quite easy to introduce new attack vectors or fix existing ones unknowingly. The mitigations themselves obscure the code which increases the maintenance burden.
  • Automated verification and testing of the attacks is necessary but not sufficient. We do not have automated detection for this family of vulnerabilities and if we did, it is likely that variations would escape detection. This does not mean we won’t add automated checking for issues like this at some stage.
  • These problems are fundamentally a bug in the hardware. The software running on the hardware cannot be expected to mitigate all such attacks. Some of the in-CPU caches are completely opaque to software and cannot be easily flushed, making software mitigation quixotic. However, the OTC recognises that fixing hardware is difficult and in some cases impossible.
  • Some kernels and compilers can provide partial mitigation. Specifically, several common compilers have introduced code generation options addressing some of these classes of vulnerability:
    • GCC has the -mindirect-branch-mfunction-return and -mindirect-branch-register options
    • LLVM has the -mretpoline option
    • MSVC has the /Qspectre option

  1. Nicholas Mosier, Hanna Lachnitt, Hamed Nemati, and Caroline Trippel, “Axiomatic Hardware-Software Contracts for Security,” in Proceedings of the 49th ACM/IEEE International Symposium on Computer Architecture (ISCA), 2022.

Posted by OpenSSL Technical Committee May 13th, 2022 12:00 am

Source :
https://www.openssl.org/blog/blog/2022/05/13/spectre-meltdown/