Economic Downturn Raises Risk of Insiders Going Rogue
Insiders could become more vulnerable to cybercrime recruitment efforts, new report says.
Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.
Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Networks' Unit 42 threat intelligence team recommended in a report this week.
The security vendor's report highlighted several other important takeaways for security operations teams: ransomware and business email compromise (BEC) attacks continue to dominate incident response cases, and exploitation of software vulnerabilities accounts for nearly one-third of all breaches.
Vulnerable Insiders
Unit 42 researchers analyzed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cybercrime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it’s easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.
Palo Alto Networks’ report points to how some threat actors — such as the highly destructive LAPSUS$ group — have attempted to recruit insiders by offering money for access credentials or for helping them carry out their attack in other ways. “When some people are struggling to make ends meet, [such] offers could be more tempting to some,” the report said.
This trend has been flagged before: A report from Flashpoint in May noted the growing popularity of insider recruitment efforts among threat actors. Flashpoint counted as many as 3,988 unique insider-related chat discussions — primarily on Telegram — between Jan. 1 and Nov. 30, 2021, with a particularly sharp spike happening after August. Many of those attempting to recruit were ransomware operators or other extortion groups. Commonly employed tactics included using a known insider or running public recruitment advertisements and direct solicitation.
In a separate survey of 100 IT and security professionals conducted by Pulse and Hitachi ID, 65% of respondents said that threat actors had approached them or their employees over the past year for assistance with a ransomware attack.
Phishing, Software Vulns Remain Major Initial Access Vectors
Unit 42’s research also confirmed what security teams fighting on the front lines to keep their organizations safe already know: Ransomware and BEC attacks continue to dominate the need for incident response. A startling 70% of intrusions were tied to one of these two causes. In BEC attacks, the data showed that threat actors typically spent between 7 and 48 days in the breached environment before the victim contained the threat, with a median dwell time of 38 days. The median dwell time for ransomware attacks was slightly lower, at 28 days, likely because of how noisy these attacks are.
Phishing continues to be the top vector for initial access so far in 2022, and was the suspected cause in 37% of the incident response cases that Unit 42 completed between April 2021 and May 2022.
“Unfortunately, most organizations learn about one of these attacks the hard way — upon receiving an extortion demand or after wire fraud is committed,” says Dan O’Day, consulting director, Unit 42 at Palo Alto Networks. “Increasingly, threat actors quickly gain access, identify and exfiltrate sensitive data, and deploy extortion tactics — sometimes in a matter of hours or in just a few days.”
Notably, 31% — or nearly one-in-three intrusions — resulted from attackers gaining an initial foothold via a software vulnerability. Some 87% of the vulnerabilities that Unit 42 researchers were able to positively identify fell into one of six categories: the ProxyLogon and ProxyShell flaws in Exchange Server; the Apache Log4j flaw; and vulnerabilities in technologies from Zoho, SonicWall, and Fortinet. In 55% of incidents where Unit 42 was able to positively identify the vulnerability that an attacker used to gain initial access, the vulnerability was ProxyShell, and in 14% of the cases it was Log4j.
“Because one-third of attacks target software vulnerabilities, security teams should continue to patch vulnerabilities early and often,” says O’Day. While some threat actors continue to rely on older, unpatched vulnerabilities, others are looking to exploit new vulnerabilities increasingly quickly. “In fact, it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough,” he says.
As one example, he points to a threat prevention signature that Palo Alto Networks released for an authentication bypass vulnerability in F5 BIG-IP (CVE-2022-1388). "Within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts," he says. "More and more, we're seeing attackers scanning as soon as details of a critical vulnerability are published."
Poor patch management practices exacerbated the issue for many organizations — it contributed to 28% of the breaches that Unit 42 responded to. One example of poor patch management is simply waiting too long to implement a patch for a known vulnerability, O’Day notes. “Further, around 30% of organizations were running end-of-life software versions that were affected by CVEs that had known active exploits in the wild and were featured in cybersecurity advisories from the US government.”
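The two patch-management failures O'Day describes (waiting too long to apply a fix, and running end-of-life branches that will never get one) are easy to check mechanically once an advisory's affected ranges are encoded. The script below is an added example, not code from Unit 42, F5, or the report; it uses the affected-version ranges F5 published for CVE-2022-1388 (fixed in 16.1.2.2, 15.1.5.1, 14.1.4.6 and 13.1.5, with 12.1.x and 11.6.x past End of Technical Support and not fixed) and runs them over a constructed inventory of hostnames and versions. The host names and the 17.0.0 entry are invented to exercise the "branch not listed in the advisory" path.

```python
"""Flag BIG-IP hosts that are unpatched or on an end-of-life branch for CVE-2022-1388.

Added example, not vendor code. Affected ranges are those F5 published for the
iControl REST authentication bypass; inventory data below is constructed.
"""
from collections import Counter
from typing import NamedTuple, Optional

Version = tuple[int, ...]

# Branch (major, minor) -> first fixed version; None means the branch is past
# End of Technical Support and F5 ships no fix for it.
FIXED_IN: dict[tuple[int, int], Optional[str]] = {
    (16, 1): "16.1.2.2",
    (15, 1): "15.1.5.1",
    (14, 1): "14.1.4.6",
    (13, 1): "13.1.5",
    (12, 1): None,
    (11, 6): None,
}


class Finding(NamedTuple):
    host: str
    version: str
    status: str   # fixed | vulnerable | eol-no-fix | unknown-branch
    action: str


def parse_version(text: str) -> Version:
    """'16.1.2.2' -> (16, 1, 2, 2). Tuple comparison gives correct ordering,
    including the case where a shorter version (16.1.2) precedes a longer one."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(host: str, version: str) -> Finding:
    """Classify one host against the advisory's fixed-version table."""
    v = parse_version(version)
    branch = (v[0], v[1]) if len(v) >= 2 else (v[0], 0)
    if branch not in FIXED_IN:
        # A branch the advisory does not mention is not proof of safety; a
        # human has to confirm it against the vendor's current guidance.
        return Finding(host, version, "unknown-branch",
                       "branch not listed in advisory; verify manually")
    fixed = FIXED_IN[branch]
    if fixed is None:
        return Finding(host, version, "eol-no-fix",
                       "end-of-life branch with no fix; migrate to a supported branch")
    if v >= parse_version(fixed):
        return Finding(host, version, "fixed", "no action")
    return Finding(host, version, "vulnerable", f"upgrade to {fixed} or later")


def triage(inventory: list[tuple[str, str]]) -> list[Finding]:
    """Run assess() over (host, version) pairs, worst findings first."""
    order = {"eol-no-fix": 0, "vulnerable": 1, "unknown-branch": 2, "fixed": 3}
    findings = [assess(h, ver) for h, ver in inventory]
    return sorted(findings, key=lambda f: order[f.status])


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per status, the number a patch-management report would carry."""
    return dict(Counter(f.status for f in findings))


# Constructed inventory: hostnames are invented, versions chosen to hit every path.
SAMPLE_INVENTORY = [
    ("lb-prod-01", "16.1.2.2"),   # patched
    ("lb-prod-02", "15.1.4"),     # behind the fix on a supported branch
    ("lb-dmz-01", "13.1.4.1"),    # behind the fix on a supported branch
    ("lb-legacy-01", "12.1.6"),   # end-of-life branch, never fixed
    ("lb-lab-01", "17.0.0"),      # branch not in the advisory table
]

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.host:14} {f.version:10} {f.status:15} {f.action}")
    print(summarize(results))
```

The ordering in triage() puts end-of-life hosts first on purpose: an unpatched host on a supported branch has a one-step remediation, whereas the EoL host in the sample needs a migration and, until then, a compensating control. Extending the table to other advisories is a matter of adding (branch -> first fixed version) entries per CVE, and the version comparison works unchanged for any dotted numeric scheme.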