PRESS RELEASE

Houston, Texas, April 04, 2024 (GLOBE NEWSWIRE) -- Action1 Corporation, a provider of the integrated real-time vulnerability discovery and patch management automation solution, today introduced the ‘School Defense’ program aimed at improving cybersecurity at small US educational institutions. The program will offer free access to the Action1 services and other resources to help IT teams at public schools and community colleges streamline vulnerability remediation and enhance their skills.

Small educational institutions that serve our local communities and play a pivotal role in shaping the future of our society are on the front lines of the fight and are up against sophisticated threat actors when it comes to defending against cyberattacks. In addition to ensuring daily operational reliability, small IT teams at these taxpayer-funded organizations are now navigating national security issues and cyber threats, while wearing multiple hats.

“Securing schools is not only about protecting sensitive data and systems; it's about safeguarding the education and well-being of the nation's citizens," said Mike Walters, President and co-founder of Action1. “As a cybersecurity company, it's our responsibility to step up and provide support."

According to statistics, 29% of attacks on educational institutions result from vulnerability exploitation, with an additional 30% originating from phishing campaigns targeting K-12 schools in 2023 alone. On average, there are 2300 reported attacks against educational organizations each week, highlighting the urgent need for improved cybersecurity measures. At the same time, studies show that an average school spends less than 8% of its budget on cybersecurity.

Jonathan Kim, Director of Technology at the Woodland Hills School District, emphasized the significance of tailored cybersecurity offerings for public schools and community colleges: "Unlike businesses, educational institutions often lack the opportunities to develop cybersecurity skills and resources. Therefore, having a cybersecurity vendor introduce school-specific initiatives is incredibly valuable, as it addresses the specific challenges schools face and provides much-needed support." 

The 'School Defense' program will include:

*   Free Action1 platform for the first 100 endpoints, empowering small schools to streamline remediation of security vulnerabilities in OS and third-party apps in a single solution deployable in less than five minutes.
    
*   Access to educational resources to help understaffed IT teams at small schools improve their expertise and skills, both tailored to education specifics and generally cybersecurity focused.
    

Eligible organizations are US-based K-12 public schools and community colleges. By empowering these organizations with the necessary tools and knowledge, Action1 aims to enhance their defense against cyber threats, safeguard educational operations, and mitigate potential impact of cyberattacks on local communities.

For more information about the Action1 ‘School Defense' program, visit this link: www.action1.com/patch-management-for-education/.

About Action1 Corporation   
Action1 reinvents patch management with an infinitely scalable and highly secure platform configurable in 5 minutes that just works. With integrated real-time vulnerability discovery and automated remediation for both third-party software and OS, peer-to-peer patch distribution, and IT ecosystem integrations, it ensures continuous patch compliance and reduces security and ransomware risks – all while lowering costs. Action1 is certified for SOC 2/ISO 27001 and is trusted by thousands of enterprises managing millions of endpoints globally.    
Action1 was founded by cybersecurity veterans Alex Vovk and Mike Walters, who previously founded Netwrix, which was acquired by TA Associates. 

Learn more at: www.action1.com.

Action1 Unveils 'School Defense' Program To Help Small Educational Institutions Thwart Cyberattacks

A researcher received a $5,500 bug bounty for discovering a vulnerability (CVE-2024-2879) in LayerSlider, a plug-in with more than a million active installations.

Source: Primakov via Shutterstock

Attackers can exploit a critical SQL injection vulnerability found in a widely used WordPress plug-in to compromise more than 1 million sites and extract sensitive data such as password hashes from associated databases.

A security researcher called AmrAwad (aka 1337\_Wannabe) discovered the bug in the LayerSlider, a plug-in for creating animated Web content. The security flaw, tracked as CVE-2024-2879, has a rating of 9.8 out of 10 on the CVSS 3.0 vulnerability-severity scale, and is associated with the "ls\_get\_popup\_markup" action in versions 7.9.11 and 7.10.0 of LayerSlider. The vulnerability is due to "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query," according to Wordfence.

"This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database," the company said.

Wordfence awarded the researcher a bounty of $5,500 — the company's highest bounty to date — for the discovery, according to a blog post by Wordfence. AmrAwad's March 25 submission came as part of Wordfence's second Bug Bounty Extravaganza, and the company contacted the Kreatura Team, developers of the plug-in, the same day to notify them of the flaw. The team responded the next day and delivered a patch in version 7.10.1 of LayerSlider on March 27.

**Exploiting the LayerSlider SQL Injection Flaw**

The potential for exploitation of the vulnerability lies in the insecure implementation of the LayerSlider plug-in's slider popup markup query functionality, which has an "id" parameter, according to Wordfence.

According to the firm, "if the 'id' parameter is not a number, it is passed without sanitization to the find() function in the LS\_Sliders class," which "queries the sliders in a way that constructs a statement without the prepare() function."  

Since that function would "parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks," its absence creates a vulnerable scenario, according to Wordfence.

However, to exploit the flaw requires a "a time-based blind approach" on the part of attackers to extract database information, which is "an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities," according to Wordfence.

"This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database," the company explained.

**Secure WordPress, Secure the Web**

Vulnerable WordPress sites are a popular target for attackers given the content management system's widespread use across the Internet, and often vulnerabilities exist in plug-ins that independent developers create for adding functionality to sites using the platform.

Indeed, at least 43% of websites on the entire Internet use WordPress to power their sites, e-commerce applications, and communities. Further, the wealth of sensitive data such as user passwords and payment info often stored within their pages represents a significant opportunity for threat actors who seek to misuse it.

Making "the WordPress ecosystem more secure ... ultimately makes the entire web more secure," WordPress noted.

Wordfence advised that WordPress users with LayerSlider installed on sites verify immediately that they are updated to the latest, patched version of the plug-in to ensure it isn't vulnerable to exploit.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection

Tokyo-based eyeglass and medical lens-maker Hoya said the attack has halted production processes in some locations as well as an ordering system for some of its products.

Source: ronstik via Alamy Stock Photo

Japanese lens manufacturer Hoya is investigating a cyber incident that has disrupted several manufacturing sites as well as an ordering system this week.

Hoya, one of the world's largest lens-makers, manufactures eyeglasses lenses, contact lenses, intraocular lenses, and endoscopic and other medical equipment lenses.

In an update posted on its website today, the company disclosed that it spotted the incident affecting central IT operations and several facilities on March 30 after a system failure. While Hoya did not identify the type of cyberattack, the company said it was likely the result of "unauthorized access" to its systems.

"While the full effects, extent and nature of the incident continue to be investigated, the systems for some production plants and the ordering system for several products have been affected," Hoya said in a statement issued today. "We are also investigating whether any confidential or personal information held by the Company has been compromised or accessed by third parties, but the full analysis is expected to take a considerable number of days."

**About the Author(s)**

Cyberattack Shutters Some Operations at Japanese Lens Manufacturer

Cybersecurity is far more than a check-the-box exercise. To create companywide buy-in, CISOs need to secure board support, up their communication game, and offer awareness-training programs to fight social engineering and help employees apply what they've learned.

Source: Lev Dolgachov via Alamy Stock Photo

COMMENTARY

Cybersecurity has never been more critical for responsible corporate governance, as cyberattacks are among the gravest threats to companies' customers, operations, and reputations. 

Boards must invest in cybersecurity-awareness training programs to prepare the entire workforce for evolving cyber threats, and chief information security officer’s (CISO) have to champion this effort.

CISOs play a vital role in building stakeholder support for cybersecurity across the company — particularly on the board. Board members often lack the necessary knowledge to make informed decisions about the company's cybersecurity posture, and it's the CISO's job to educate them in a clear and compelling way. CISOs must demonstrate how much damage cyberattacks can cause, the ways employees can be equipped to identify and prevent these attacks, and how to maintain accountability for their risk-mitigation program.

**5 Top CISO Communication Strategies**

There are several strategies that will help CISOs earn long-term support for awareness training from their boards, from communicating cybersecurity concepts in an engaging and non-technical way to showing board members that cybersecurity programs offer significant ROI. Let's take a closer look at the top five ways CISOs can show boards that it's time to prioritize cybersecurity.

**1\. Know how to communicate with non-technical audiences.**

While almost three-quarters of CISOs say they have "adequate exposure to the board," a majority of CISOs report that their board lacks "knowledge or expertise to respond effectively to their presentations." CISOs must do more to address this disconnect — a process that begins with evaluating how they communicate with board members.

Cybersecurity is an intimidating subject for non-technical audiences, but it doesn't have to be. CISOs can make a comprehensible and convincing case for cybersecurity by pointing to the devastating real-world consequences of successful cyberattacks, revealing how cybercriminals deceive and manipulate their victims, and explaining that the right behavioral interventions can enable all employees to resist cyberattacks. CISOs can also highlight concrete examples of cyberattacks.

With boards planning to increase their cybersecurity investments, it's essential for CISOs to clearly highlight the value of risk mitigation strategies like awareness training.

**2\. Focus on the entire cyber-impact chain.**

According to IBM, the average cost of a data breach surged to $4.45 million in 2023. Cyberattacks can also lead to severe reputational damage, disrupted operations, legal and regulatory consequences, and crippling effects on the health of the company's workforce. This is known as the cyber-impact chain — a crucial concept for CISOs to discuss with board members.

Boards need to be aware that the effects of cyberattacks extend well beyond immediate financial burdens. At a time when 86% of consumers are worried about data privacy, a major cyberattack can undermine trust for years. As data regulations become increasingly strict, companies will be held accountable for compromised customer information.

CISOs have all the information they need to educate boards about the consequences of cyberattacks. They just have to present that information in a way that will hold board members' attention.

**3\. Stress the human element.**

CISOs have the knowledge to explain how prominent cybercriminal tactics are thwarted. For example, 74% of all breaches involve a human element — an alarming reminder that social engineering remains one of the most powerful weapons in the cybercriminal arsenal.

There are several ways for CISOs to productively discuss the threat of social engineering with their boards. They can provide hard evidence for the impact of social engineering attacks, explain how awareness training arms the company to prevent these attacks, and emphasize the most effective ways to educate employees. Cybersecurity is everyone's responsibility, which is why CISOs must make the case for fully engaging employees with consistent, entertaining, and relevant awareness training content.

Awareness training is one of the best ways to mitigate the financial impact of data breaches as it can help companies keep pace with emerging cyber threats and be personalized to account for individual psychological susceptibilities and learning styles. As long as social engineering remains integral to the majority of cyberattacks, CISOs will need to prioritize human-oriented cybersecurity.

**4\. Outline how awareness-training programs can be measured.**

As investments in cybersecurity rise, CISOs need to make accountability a central pillar of their case for awareness training. When board members see that cybersecurity spending is paying off, CISOs will be able to maintain support.

CISOs must make sure employees are learning what they need to know about the most urgent cyberthreats and tactics. Companies can use assessments such as simulated phishing to expose vulnerabilities and determine whether employees are able to apply what they've learned in real-world scenarios. These tests are especially valuable considering that phishing is the most frequent and second-costliest initial attack vector, according to IBM.

Beyond simulated phishing, CISOs can outline other forms of accountability to the board: employee-specific behavioral risk profiles, organizationwide security evaluations, and proactive incident reporting. These are all ways to reassure the board that resources allocated to cybersecurity are being put to good use.

**5\. Secure long-term support.**

Despite the growing concern about cyberattacks, too many companies still treat cybersecurity as a check-the-box exercise. They rely on a few email PSAs or perfunctory cybersecurity presentations a couple times a year, which fail to provide employees with consistent and engaging content that will secure sustainable behavioral change.

Because the cyber threat landscape is always shifting, companies have to keep employees updated on the latest cybercriminal tactics — such as the use of AI to craft convincing and targeted phishing messages at scale. Consistency is also necessary to reinforce what employees learn and identify weaknesses, such as the psychological vulnerabilities cybercriminals exploit. The goal of a security-awareness training program is to create a culture of cybersecurity at every level of the organization which can adapt to these challenges.

Cybercriminals are constantly developing increasingly sophisticated and effective ways to infiltrate companies by manipulating employees. This is why CISOs must secure long-term support for effective cybersecurity initiatives like a customer-satisfaction score (CSAT) from their boards — the threat is only becoming more dire, and companies have a responsibility to be prepared.

**About the Author(s)**

CEO, NINJIO

Dr. Shaun McAlmont is CEO of NINJIO Cybersecurity Awareness Training, and is one of the nation's leading education and training executives. Prior to NINJIO he served as President of Career and Workforce Training at Stride, Inc., had a decade-long tenure at Lincoln Educational Services, where he was President and CEO, and also served as CEO of Neumont College of Computer Science. His workforce and ed tech experience is supported by early student development roles at Stanford and Brigham Young Universities. He is a former NCAA and international athlete, and serves on the BorgWarner and Lee Enterprises boards of directors. He earned his doctoral degree in higher education, with distinction, from the University of Pennsylvania, a master's degree from the University of San Francisco, and his bachelor's degree from BYU.

How CISOs Can Make Cybersecurity a Long-Term Priority for Boards

Cybercriminals are using AI to impersonate small businesses. Security architects are using it to help small businesses fight back.

Source: Bulat Silvia via Alamy Stock Photo

Artificial intelligence (AI) is simultaneously making it easier for adversaries to pull off brand spoofing and easier for organizations to block spoofing and other threats. Both usages have significant implications for small to midsize businesses (SMBs).

Brand impersonation is typically associated with major brand names that are widely recognizable, but any brand, large or small, can be targeted. In fact, it's arguably easier and potentially more effective for adversaries to impersonate a small local credit union than a large entity like Bank of America. That's becoming even more likely with AI making it easier to collect and generate fake content.

However, AI is not just a tool in the attacker arsenal. Security architects are fighting back by designing security tools that use AI to detect and block impersonation attacks. This gives organizations, especially SMBs with limited budgets and resources, a boost in their abilities to fight back.

**Impersonating SMBs Online**

According to data provided to Dark Reading by Check Point Software, businesses with 100 or fewer employees have faced an average of 255 cyberattacks per week this year. Among them, brand spoofing is one of the most pernicious. That spoofing campaign against Bank of America won't even dent the banking giant's bottom line, but the same attack against a tiny credit union could cause serious and lasting damage.

"There's the potential degradation of trust and reputation, as consumers may feel the brand isn't reliable or safe," explains Jeremy Fuchs, Harmony Email analyst at Check Point. "There's also the potential loss of funds. Take a small clothing company. If someone wants to buy a T-shirt but instead 'buys it' from a spoof, the business is losing out on money. Finally, when a brand is spoofed, it can lead to email providers, like Google or Yahoo, blocking legitimate messages, such as for email marketing."

This is especially worrisome because a smaller brand — whether it's a local bank, doctor, law firm, or anything else — is actually easier for hackers to spoof than a larger one, Fuchs explains. Not only do they lack time, money, and personnel to invest in cybersecurity, but oftentimes "small businesses just aren't expecting it," he says. Both small businesses and customers assume that the target is going to be on the larger organization's back. Customers, if they're aware of the threat at all, may assume they are safer because they are using a smaller bank.  

Historically, SMBs have had one thing going for them: Phishing campaigns took time and effort to craft so, from an attacker's perspective, it might have felt like a bigger bang for their buck to target larger organizations with wider audiences. This is no longer the case, however, thanks to generative AI. Hackers can now use chatbots to whip up convincing emails mimicking any business in minutes flat.

**Preventing Brand Spoofing**

While attackers were able to quickly start using AI to improve the quality and efficiency of impersonation attacks, it's taking a little longer for security engineers to harness the same technology for their defenses.

Imagine, for example, that you want to use AI to detect spoofing attacks against Microsoft. You'd need to train an algorithm to distinguish legitimate and fake URLs, iconography, content, and other elements associated not just with the company as a whole, but also all of its various products, subsidiaries, the public figures behind them, and so on. It would be an involved project, even though Microsoft would be considered an easy one due to the amount of training data and content available.

"The real challenge is how to identify small businesses," explains Dan Karpati, Check Point's vice president of AI technologies. "Everyone's familiar with the big ones — the top sites in the US and other major countries — but how do we know about a store in a small village in Spain or Lisbon?"

Microsoft researchers made early inroads into the problem back in 2021, training a neural network on 1,000 brand impersonation attacks and generating mathematical representations of brand identities based on nearest neighbor classifications.

The system Karpati designed works in a similar fashion, first by automatically gathering data from a URL and the content of a legitimate Web page.

"It can be the URL, favicon, \[data\] inside of the HTML, copyrights, links in the sites, pictures — a lot of features," he explains. "Each time that we collect telemetry about a site, we open a new cluster. And if you mark it as benign, OK, now we have some sense of how benign looks for this brand. \[Then\], every time that we observe new access to a site, we extract its features and we ask — automatically — 'Is this access with these features that we extracted from the browser or on the network aligned with what we recorded about the cluster?'"

In other words, with a model for what a brand's domain structure, iconography, and content should look like, new sites that pop up with largely similar but slightly different features can be flagged as spoofs.

Because the system is cloud-based and AI-driven, it can apply this same process across just about any company with an online presence. According to Check Point, this system protects thousands of organizations in hundreds of countries every month.

**Non-AI Ways to Fight Back**

Besides AI, there are other solutions companies can implement to make the job of impersonating them more difficult and less profitable for hackers.

For example, there's Domain-based Message Authentication, Reporting & Conformance (DMARC), the email verification protocol often required of larger organizations but which smaller ones tend to overlook. Ironically, it's far easier for a small business to be DMARC-compliant than a larger one.

"You have to be able to track all your domains, and for some companies that have hundreds, it can be difficult. If you have one domain, it takes like 20 minutes," Fuchs points out. "DMARC can be a huge undertaking depending on how many domains you have, but it is a worthwhile project. It's a huge step in making sure that when somebody gets an email from you, it's coming from you or not from somebody who appears just like you."

And simply communicating with customers and vendors always helps, whether it be through helpful cyber hygiene tips and resources, or regular notices: "We'll never ask you for this code," "We'll never send you an email like this," and the like.

"Having both of those measures, and having that kind of open and honest culture — like, 'This is a problem, we're trying to fix it, here's how we're doing it, and here's how you can help us' — makes you a candidate for better outcomes," Fuchs says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

AI's Dual Role in SMB Brand Spoofing

While Singaporean organizations have adopted the majority of their government's cybersecurity recommendations, they aren't immune: More than eight in 10 experienced a cybersecurity incident over the course of the year.

Source: Cristophe Coat via Alamy Stock Photo

Singapore is leaving other countries in the dust when it comes to cybersecurity preparedness, according to a new government survey.

The Cyber Security Agency of Singapore's (CSA) Cybersecurity Health Report 2023 polled 2,036 small, medium, and large organizations, across 23 sectors, about various aspects of their cybersecurity — breaches faced, business impacts, measures implemented, and the like. It found that, on average, organizations have implemented just over 70% of the requirements necessary to obtain a "Cyber Essentials" certification. The certification includes five categories of national cybersecurity standards: "Assets," "Secure/Protect," "Update," "Backup," and "Respond."

Seventy percent is far from perfect, CSA emphasized, and some of its other results were a cause for further concern. But if graded on a curve, Singapore's organizations are doing quite well compared with the rest of the world.

"Governments and companies can take a page from Singapore's playbook and focus on proactive protection, education of the public, and discussion of cybersecurity initiatives at the highest levels of government," says Stephanie Boo, the Singapore-based senior vice president at Menlo Security.

**Why Singapore Is Ahead**

In contrast to the CSA's results, consider Cisco's 2024 Cybersecurity Readiness Index, released last week.

In a poll of 8,000 cybersecurity and business leaders across 30 countries, Cisco assessed that only 3% of organizations have a "mature" level of security readiness "needed to be resilient against modern cybersecurity risks." Seventy-one percent of organizations were graded as either in the "formative" stage (below average) or "beginner" (only just beginning to deploy security solutions).

When it comes to Singapore's vastly better results, Boo says, "Great government policies and ability to implement them across a small country are a couple contributing factors."

"However, credit also goes to a very computer-savvy population with a highly digitized economy, and a thoughtful, problem-solving approach to breaches. When the country experienced a breach in 2018, rather than continue business as usual, the government instituted an Internet separation where computers connecting to business applications are air-gapped from the Internet," she says. "For the many headline-grabbing breaches we have seen in the US, we have not seen a coordinated solution or mandate from other governments."

**Now the Bad News**

CSA's report also included some concerning results, however.

More than eight in 10 Singaporean organizations experienced a cybersecurity incident over the course of the year, and half experienced several. Among those, 99% experienced a business impact, with the most common consequences being business disruption, data loss, and reputational damage.

Singaporean business leaders were also found to suffer from the same recurring mental blocks that cyber professionals rail against no matter where they are in the world. When it came to why they haven't implemented security measures, besides a lack of knowledge and experience, respondents — 46% of businesses, 49% of nonprofits — most often expressed the belief that they were unlikely to be a target of a cyberattack. They also admitted that cybersecurity is a low priority at their organizations (38% and 44%, respectively), and cited a perceived lack of return on investment (36% and 31%).

CSA highlighted the irony in these arguments in a fact sheet, noting that the cost of meeting Singapore's Cyber Essentials threshold for a small business ranges from around $1,800 to $4,500.

"The amount is typically a small fraction of the cost of business disruptions or recovery procedures due to cyber incidents, the impact of which may also be extended beyond affected organizations to their customers and suppliers," according to the agency.

Boo notes that, in general, small businesses lack the resources to approach security from the business-case perspective.

"Small businesses focus on the must-haves to run their business and don’t have the bandwidth or forethought to look at business enablers from security," Boo says. "The best way to educate small businesses is to deliver the education through channels they already use — like their bank, credit card company, or their telecommunications provider. It is also important to keep it simple and focus on the business benefits rather than the complexity of cyber threats."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Singapore Sets High Bar in Cybersecurity Preparedness

Nearly three months after Operation Cronos, it's clear the gang is not bouncing back from the innovative law-enforcement action. RaaS operators are on notice, and businesses should pay attention.

Source: Jan Zwoliński via Alamy Stock Photo

Despite the LockBit ransomware-as-a-service (RaaS) gang claiming to be back after a high-profile takedown in mid-February, an analysis reveals significant, ongoing disruption to the group's activities — along with ripple effects throughout the cybercrime underground, with implications for business risk.

LockBit was responsible for 25% to 33% of all ransomware attacks in 2023, according to Trend Micro, easily making it the biggest financial threat actor group of the last year. Since it emerged in 2020, it has claimed thousands of victims and millions in ransom, including cynical hits on hospitals during the pandemic.

The Operation Cronos effort, involving multiple law enforcement agencies around the world, led to outages on LockBit-affiliated platforms, and a takeover of its leak site by the UK's National Crime Agency (NCA). Authorities then used the latter to make arrests, impose sanctions, seize cryptocurrency, and more activities related to the inner workings of the group. They also publicized the LockBit admin panel and exposed the names of affiliates working with the group.

Further, they noted that decryption keys would be made available, and revealed that LockBit, contrary to its promises to victims, never deleted victim data after payments were made.

In all it was a savvy show of force and access from the policing community, spooking others in the ecosystem in the immediate aftermath and leading to wariness when it comes to working with any re-emergent version of LockBit and its ringleader, who goes by the handle "LockBitSupp."

Researchers from Trend Micro noted that, two and a half months after Operation Cronos, there's precious little evidence that things are turning around for the group — despite LockBitSupp's claims that the group is clawing its way back into normal operations.

**A Different Kind of Cybercrime Takedown**

Operation Cronos was initially met with skepticism by researchers, who pointed out that other recent, high-profile takedowns of RaaS groups like Black Basta, Conti, Hive, and Royal (not to mention the infrastructure for initial access trojans like Emotet, Qakbot, and TrickBot), have resulted in only temporary setbacks for their operators.

However, the LockBit strike is different: The sheer amount of information that law enforcement was able to access and make public has permanently damaged the group's standing in Dark Web circles.

"While they often focus on taking out command and control infrastructure, this effort went further," Trend Micro researchers explained in an analysis released today. "It saw police manage to compromise LockBit's admin panel, expose affiliates, and access information and conversations between affiliates and victims. This cumulative effort has helped to tarnish the reputation of LockBit among affiliates and the cybercrime community in general, which will make it harder to come back from."

Indeed, the fallout from the cybercrime community was swift, Trend Micro observed. For one, LockBitSupp has been banned from two popular underground forums, XSS and Exploit, hampering the admin's ability to garner support and rebuild.

Shortly after, a user on X (formerly Twitter) called "Loxbit" meanwhile claimed in a public post to have been cheated by LockBitSupp, while another presumed affiliate called "michon" opened up a forum arbitration thread against LockBitSupp for nonpayment. One initial-access broker using the handle "dealfixer" advertised its wares but specifically mentioned that they did not want to work with anybody from LockBit. And another IAB, "n30n," opened a claim on the ramp\_v2 forum about loss of payment surrounding the disruption.

Perhaps worse, some forum commentators were extremely concerned by the sheer amount of information that police were able to compile, and some speculated that LockBitSupp may even have worked with law enforcement on the operation. LockBitSupp quickly announced that a vulnerability in PHP was to blame for the ability of law enforcement to infiltrate the gang's information; Dark Web denizens simply pointed out that the bug is months old and criticized LockBit's security practices and lack of protection for affiliates.

"The sentiments of the cybercrime community to LockBit's disruption ranged from satisfaction to speculation about the group's future, hinting at the significant impact of the incident on the RaaS industry," according to Trend Micro's analysis, released today.

**LockBit Disruption's Chilling Effect on the RaaS Industry**

Indeed, the disruption has sparked some self-reflection among other active RaaS groups: A Snatch RaaS operator pointed out on its Telegram channel that they were all at risk.

"Disrupting and undermining the business model seem to have had a far more cumulative effect than executing a technical takedown," according to Trend Micro. "Reputation and trust are key to attracting affiliates, and when these are lost, it's harder to get people to return. Operation Cronos succeeded in striking against one element of its business that was most important: its brand."

Jon Clay, Trend Micro's vice president of threat intelligence, tells Dark Reading that LockBit's defanging and the disruption's chilling effect on RaaS groups in general present an opportunity for business risk management.

"This can be a time for businesses to reassess their defense models as we may see a slowdown in attacks while these other groups assess their own operational security," he notes. "This is also a time to review a business incident response plan to make sure you have all aspects of a breach covered, including business operation continuity, cyber insurance, and the response — to pay or not pay."

**LockBit Signs of Life Are Greatly Exaggerated**

LockBitSupp is nonetheless attempting to bounce back, Trend Micro found — though with few positive results.

New Tor leak sites launched a week after the operation, and LockBitSupp said on ramp\_v2 forum that the gang is actively seeking out IABs with access to .gov, .edu, and .org domains, indicating a thirst for revenge. It wasn't long before scores of supposed victims started appearing on the leak site, starting with the FBI.

However, when the ransom payment deadline came and went, instead of sensitive FBI data appearing on the site, LockBitSupp posted a lengthy declaration that it would continue to operate. In addition, more than two-thirds of the victims consisted of reuploaded attacks that occurred prior to Operation Cronos. Of the others, the victims belonged to other groups, such as ALPHV. In all, Trend Micro's telemetry revealed just one small true LockBit activity cluster after Cronos, from an affiliate in southeast Asia that carried a low, $2,800 ransom demand.

Perhaps more concerningly, the group has also been developing a new version of ransomware — Lockbit-NG-Dev. Trend Micro found it to have a new .NET core, which allows it to be more platform-agnostic; it also removes self-propagating capabilities and the ability to print ransom notes via the user's printers.

"The code base is completely new in relation to the move to this new language, which means that new security patterns will likely be needed to detect it. It's still a functional and powerful piece of ransomware," researchers warned.

Still, these are anemic sign of life at best for LockBit, and Clay notes that its unclear where it or its affiliates may go next. In general, he warns, defenders will need to be prepared for shifts in ransomware gang tactics going forward as those participating in the ecosystem assess the state of play.

"RaaS groups are likely looking at their own weaknesses being caught by law enforcement," he explains. "They may review what types of businesses/organizations they target so as to not give much attention to their attacks. Affiliates may look at how they can rapidly shift from one group to another in case their main RaaS group gets taken down."

He adds, "shifting towards data exfiltration only versus ransomware deployments may increase as these don't disrupt a business, but can still allow profits. We could also see RaaS groups shift entirely towards other attack types, like business email compromise (BEC), which don't seem to cause as much disruption, but are still very lucrative for their bottom lines."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

LockBit Ransomware Takedown Strikes Deep Into Brand's Viability

PRESS RELEASE

SEATTLE – April 3, 2024 – A new survey from the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, and Google Cloud, found that a remarkable 55% of organizations surveyed plan to adopt GenAI solutions within the next year, signaling a substantial surge in GenAI integration. The State of AI and Security Survey Report indicates that the push behind AI’s adoption can be attributed in large part to C-level executives (82% of respondents indicated executive leadership as being behind the push), who recognize the competitive advantage it offers in the modern business environment.

The study also found that AI integration into cybersecurity is not just a concept but also a practical reality for many, with 67% of respondents stating that they have tested AI specifically for security purposes. As for the ability to leverage AI, 48% of professionals expressed confidence in their organization's ability to execute a strategy for leveraging AI in security, with 28% feeling reasonably confident and 20% very confident. Given the nascent stage of GenAI in this field, this level of assurance suggests that many professionals might be optimistic about their preparedness or overlook the intricacies of AI integration.

“The insights shared in this report into how industry experts view and prepare for AI's evolving role in cybersecurity are pivotal in navigating this transition and ensuring a resilient, forward-looking digital infrastructure,” said Hillary Baron, lead author and Senior Technical Director for Research, Cloud Security Alliance.

“AI is transforming cybersecurity, offering both exciting opportunities and complex challenges. However, the disconnect between the C-suite and staff in understanding and implementing AI highlights the need for a strategic, unified approach to successfully integrate this technology," said Caleb Sima, chair of CSA’s AI Safety Initiative.

“Once in a generation, we see a chance for profound cybersecurity transformation, not just incremental gains. With generative AI, we have the potential to turn the tables on attackers by 10x’ing the capabilities of defenders. While we need to counter attacker use of AI, it’s even more important to get going on integrating AI into cyber defenses today. The findings in the report resonate well with Google’s Secure AI Framework,” said Phil Venables, CISO, Google Cloud.

Among the survey’s other key findings:

*   Security professionals are cautiously optimistic about AI. 63% of respondents believe in AI's potential to enhance security measures, especially in improving threat detection and response capabilities. However, 34% see AI as more beneficial for security teams, while 31% view it as equally advantageous for both protectors and attackers, and a notable 25% of respondents expressed concerns that AI could be more advantageous to malicious parties.
    
*   AI will empower, not replace, security professionals. Only a small fraction (12%) of security professionals believe it will completely replace their role. The majority believe it will help enhance their skill set (30%), support their role generally (28%), or replace large parts of their role (24%), freeing them up for other tasks.
    
*   C-suite executives have different perspectives from their staff when it comes to AI. C-levels demonstrate a notably higher self-reported familiarity with AI technologies than their staff. Moreover, C-levels report having a clearer understanding of potential AI use cases, with 51% feeling very clear about them, compared to just 14% of staff.
    
*   2024 will be the year for AI Implementation. Over half (55%) of organizations are planning to implement security solutions and tools with GenAI and are exploring a diverse range of use cases for these technologies, with the top use cases being rule creation (21%), attack simulation (19%), and compliance violation detection (19%).
    

Google Cloud commissioned CSA to develop a survey and report to better understand the industry’s knowledge, attitudes, and opinions regarding AI. Google Cloud financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in November 2023 and received 2,486 responses from IT and security professionals from organizations of various sizes across the Americas, APAC and EMEA. CSA’s research analysts performed the data analysis for this report.

Download the State of AI and Security Survey Report.

About Cloud Security Alliance  
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

More Than Half of Organizations Plan to Adopt AI Solutions in Coming Year, Reports Cloud Security Alliance and Google Cloud

PRESS RELEASE

Austin, TX – April 3, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent test of eleven market leading Cloud Network Firewall vendors. Six products were Recommended, one product received a Neutral rating, and four received a Caution rating.

Cloud network firewalls are considered to be the first line of defense when deployed in public cloud providers such as Amazon Web Services, Google Cloud Platform and Microsoft Azure. But implementing security in the cloud can be complex, with multiple factors influencing effectiveness. 

CyberRatings tested the cloud firewall products to determine how they handled TLS/SSL (authentication) 1.2 and 1.3 cipher suites (algorithms), how they defended against 984 exploits (attacks that take advantage of a software flaw or install malware), and whether any of 1,645 evasions could bypass protection. At all times the devices needed to remain stable under adverse conditions. To provide a more realistic rating based on modern network traffic, both clear text (HTTP) and encrypted traffic (HTTPS) were measured. Amazon Web Services (AWS) was the public cloud service chosen to run the test.

The combination of Security Effectiveness and Value dictated where products landed on the Security Value Map™ (SVM). Six out of the eleven products were Recommended for their Security Effectiveness with scores ranging from 99.70% to 100%. Recommended ratings are based on threat prevention (how many exploits and evasions were blocked?), TLS/SSL functionality, routing and policy enforcement, and stability and reliability to achieve a final Security Effectiveness score. These same products also demonstrated competitive pricing in the Total Cost per Protected Mbps (Value). The product rated Neutral received a 48.44% Security Effectiveness score. Four products rated Caution had Security Effectiveness scores ranging from 5.39% to 48.37%. 

“We have been testing firewalls for years, and more recently cloud network firewalls,” said Vikram Phatak, CEO of CyberRatings.org. “All of the products chosen were market leaders and the range of scores clearly shows that building a product for the cloud is different than building a product on an appliance where you control the environment,” said Phatak. “We recommend that enterprises check with their service providers or IT teams to see which cloud firewall products are currently deployed in their networks.”

As part of the cloud firewall test, CyberRatings also checked to see if products were secure by default. It was discovered that some firewall evasion defenses are not on by default, potentially leaving customers at significant risk. In response, CyberRatings is providing a policy and configuration guide to help enterprises ensure that their firewalls are configured properly.

Encryption matters: roughly 80% of web traffic is encrypted. The top four cipher suites account for over 95% of HTTPS traffic. In some products, decryption was not on by default. Firewalls will not see attacks delivered via HTTPS unless configured to do so. Performance is significantly different when TLS/SSL is turned on. With the exception of one vendor that failed to handle TLS 1.3 despite claiming support, all other vendors supported encryption. 

Enterprises should monitor security and performance capabilities, and update firewalls regularly. With the everchanging cloud platform and agile development, something can go wrong even when the security vendor does not make a change. 

The following products were evaluated:

Cloud Network Firewall

Rating

Security

Effectiveness

Rated Throughput

(Mbps)

Price per Protected Mbps

Amazon Web Services (AWS) Network Firewall

Caution

5.39%

1,000

$601.34

Barracuda CloudGen Firewall

Caution

11.38%

441

$287.86 

Check Point CloudGuard

Recommended

99.80%

1,180

$12.70 

Cisco Secure Firewall Threat Defense Virtual 

Caution

20.86%

373

$76.91 

Forcepoint NGFW

Recommended

99.80%

698

$8.45 

Fortinet FortiGate-VM

Recommended

100%

1,458

$10.56 

Juniper Networks vSRX

Recommended

99.70%

1,228

$5.72 

Palo Alto Networks VM-Series Next-Generation Firewall w/ Advanced Threat Prevention

Recommended

100%

1,036

$5.83 

Sophos Firewall

Caution

48.37%

135

$83.16 

Versa Networks NGFW

Recommended

99.90%

2,553

$7.58 

WatchGuard Firebox Cloud

Neutral

48.44%

291

$27.06 

Additional Resources:

Cloud Network Firewall Comparative Report and Test Reports

2024 Best Practices for Cloud Network Firewall Deployment

Exploring the Landscape of Cloud Network Firewalls Available on AWS

Why Firewalls Should be Secure by Default

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

CyberRatings.org Announces Test Results for Cloud Network Firewall

PRESS RELEASE

MINNEAPOLIS, April 2, 2024 – Businesses are facing a critical gap when it comes to protecting endpoint data, according to a study released today by TAG Infosphere, Inc., a leading  cybersecurity research and advisory firm. The report, conducted in partnership with CrashPlan, identified the ever-growing potential for ransomware attacks, frequent misuse of cloud collaboration tools as a substitute for backup, and an over-reliance on manual policies as the break in the chain for current enterprise security configurations. 

For the study, TAG surveyed a group of CISOs and security practitioners, and the key findings were clear: The overwhelming majority (93%) of IT and cybersecurity teams aren’t confident in their policies to protect their enterprise data. Furthermore, survey respondents acknowledged the likelihood of a severe data breach through an employee’s endpoint.

“We were surprised to learn that a whopping 71% of those asked responded that they would not be surprised if they had a serious data breach on their PCs and laptops. If the question was extended to include that they might be surprised, the number grew to 86%,” said Dr. Edward Amoroso, Chief Executive Officer and founder of TAG Infosphere. “This is important because it implies that serious risk exists in this area. If that many CISOs would not be surprised if something bad happened, then that’s a problem.”

TAG introduces the MEAD framework (Malware, EDR, Analytics, and Data) for modernizing endpoint security. Central to MEAD is the adoption of endpoint backup solutions as a pivotal measure for enhancing cyber resilience. The report advocates for endpoint backup to reduce risks to data on endpoints, detailing how this strategy safeguards data against hardware malfunctions, user errors, and cyber threats. 

“New cybersecurity technologies are introduced every year, yet data breaches continue to happen,” said Todd Thorsen, Chief Information Security Officer for CrashPlan. “The reality is work habits have changed. Most companies now have a hybrid work model—and this has shined a light on just how ineffective manual policies are when it comes to protecting endpoint data. To improve resiliency, you simply can’t lose sight of the foundation. Despite new tools and technology designed to identify, detect and protect against bad actors and malicious activity, breaches will still happen. Which is why having strong data backup and resilience capabilities are critical for effective response and recovery.”

CrashPlan offers a cloud-native platform designed to address the aggregate risk associated with data stored on endpoints within organizations. It offers a comprehensive backup and data protection system that safeguards valuable business data from loss, theft, or accidental deletion. Businesses of all sizes, across all different business sectors, use CrashPlan today to ensure a more robust data protection and resilience approach.                                          

About CrashPlan  
CrashPlan® enables organizational resilience through secure, scalable, and straightforward endpoint data backup. With automatic backup and customizable file version retention, you can bounce back from any data calamity. What starts as endpoint backup and recovery becomes a solution for ransomware recovery, breaches, migrations, and legal holds. So, you can work fearlessly and grow confidently.

About Tag Infosphere

TAG is a trusted research and advisory company that provides insights and recommendations in cybersecurity, artificial intelligence, and climate science to thousands of commercial solution providers and Fortune 500 enterprises. Founded in 2016 and headquartered in New York City, TAG bucks the trend of pay-for-play research by offering unbiased and in-depth guidance, market analysis, project consulting, and personalized content—all from a practitioner perspective.

About Dr. Edward Amoroso

Dr. Ed Amoroso is currently Chief Executive Officer of TAG Infosphere Inc, a global research and advisory company that supports enterprise cyber security teams and commercial security vendors around the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.

Ed has served as Research Professor at the Tandon School of Engineering at NYU since 2017. He has also been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past thirty years, where he has introduced nearly two thousand graduate students to the topic of information security. Ed also serves the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.

Source

DARKReading