Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Has this royal kingdom gone digital? Come up with a clever cybersecurity-related caption to describe the scene, above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 13, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading October Toon."
*   Via social media: X (formerly known as Twitter), Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

We received an impressive array of caption contenders for last month's "Somewhere in Sleepy Hollow" cartoon, but the one that ultimately made it's way to the top of our list came from Sumitra Rao, consulting director at Palo Alto Networks (Unit 42). Congratulations, Sumitra, and thank you to all who played!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Modern Monarchy

It's been a year since its last communication and attack on Iran — but the conflict with Hamas appears to have reactivated the group.

A pro-Israeli hacktivist group named Predatory Sparrow re-emerged in the past week.

Citing the current Gaza conflict, last week the group sent the first tweet in more than a year the group, saying: "You think this is scary? We're back. We hope you're following the events in Gaza" — with a link to a report on the US sending fighter planes and warships to support Israel.

Predatory Sparrow is a known threat that researchers believe to be a relatively sophisticated Israeli hacking operation. It has a history of destructive attacks in Iran, designed to embarrass the Iranian government.

According to Cyberscoop, in October 2021 an attack was carried out on an Iranian payment system linked to a national network of fuel pumps, while in June 2022 multiple attacks were carried out on steel facilities apparently in response to unspecified acts of "aggression" carried out by the Islamic Republic.

John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, said at a press event last week that having taken credit for a series of attacks inside Iran, the group's timely reappearance makes it "certainly a player to watch."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears

By using data to drive policy underwriting, cyber-insurance companies can offer coverage without a price tag that drives customers away.

A flood or fire might have devastated a business in the mid-1990s when offices were filled with filing cabinets and paper records. Today, most of those assets are in the cloud, and business insurance must cover them in modern form. 

Cyber insurance should be a priority in this business landscape, yet too often it is an outlier. There is no other insurance product where so few have coverage but so many need it.

According to Fortune Business Insights, the global cyber-insurance market was $13.33 billion in 2022 and is forecast to grow to $84.62 billion by 2030. Many companies aren't sure how much cyber insurance they need, and, more critically, insurers aren't sure what the risk landscape looks like for an individual company that seeks coverage. 

This risk miscalculation has spurred huge losses and changed the landscape of the cyber-insurance market. In its latest report, the National Association of Insurance Commissioners (NAIC) shows the top 20 groups reporting on cyber supplements had direct loss ratios of up to 130.6%.

Insurance coverage isn't necessarily hard to obtain — a company with a mature security posture can likely get multiple quotes without a problem. However, specific sectors with historically poor security postures, like education, or highly targeted sectors, like software developers, may have a more challenging time. 

Let's look at how the market has changed and where it's heading.

**How the Market Hardened**

The cyber-insurance market has rapidly transitioned from a soft cycle, characterized by lower premiums and higher limits, to a hard cycle. This shift resulted in insurance premiums skyrocketing.

Some businesses have been surprised when their policies increased dramatically despite nothing changing on their end. But most insurance companies saw more demand than supply, and risk increased as more claims were filed. According to Verizon's "2023 Data Breach Investigations Report," ransomware accounted for roughly 5% of breaches in 2020 and soared to 24% in 2022 and 2023. Insurers raised rates accordingly.

Those rates finally dipped by 10% in June, partly because insurance companies mandated their customers implement better protections. Insurance companies must excel in risk management to offer competitive rates. This enables the insurer to accept risk and ensure prices don't have to jump to a point that makes the company noncompetitive. 

**Where SMBs Fit In**

When the market began less than a decade ago, only big businesses were looking for coverage. Underwriters want balanced books, with a few large risks and many smaller ones, but the market demanded half of that. Industrial-sized companies sought coverage, while small and midsized businesses (SMBs) were on the sidelines. 

Large tech companies had risk-management processes at the board level requiring them to seek cyber insurance. SMBs didn't know their threats, and their risks weren't considered imminent. The dynamic shifted when the threat landscape changed, and cyber insurance became more commercialized with offerings that made sense to SMBs. According to NetDiligence's 2022 Cyber Claims Study, large companies represented only 2% of cyber claims from 2017-2021, but those claims accounted for 51% of total incident costs. 

These days, large businesses require their smaller partners to carry cyber insurance, and brokers can be sued for negligence if they don't offer it to their clients. Some brokers have clients sign a waiver if they don't buy the policy, saying they at least offered it.

With these forces pushing the market, we're seeing more and more small businesses turning to cyber insurance.

**Where Things Are Going**

When insurance companies have limited capacity, they choose customers with lower risk. Low-risk companies take measures to minimize their exposure. Traditionally, it's been hard to prove where those exposures are, let alone if they've been mitigated. 

Technology is changing this. Companies now have better ways to understand where to harden their security posture, and insurance companies have new methods to determine how risky their potential client is. 

This data empowers underwriters to mitigate risk that would impact policies and offers mitigation strategies for companies seeking coverage. These efforts promote a hardened security posture, which means lower risk for insurance companies so that they can offer competitively priced premiums. This eventually translates into lower loss ratios and higher profitability for the whole industry. That in turn enables more affordable rates for businesses. 

In less than a decade, cyber insurance has grown from a niche product to a multibillion-dollar industry. By using data to drive policy underwriting, cyber-insurance companies can offer the coverage so many want without a price tag that will drive them away.

How Data Changes the Cyber-Insurance Market Outlook

SaaS security is broad, possibly confusing, but undeniably crucial. Make sure you have the basics in place: discovery, risk assessment, and user access management.

In today's fast-paced business world, software-as-a-service (SaaS) applications have transformed how we work. They offer unprecedented flexibility, collaboration, and efficiency, making them the go-to solution for most organizations. From project management to customer relationship management and file storage, SaaS applications touch nearly every aspect of daily business operations. With sensitive data and critical business processes housed in these platforms, the need for robust SaaS security has never been more pressing and clear.

SaaS security is multifaceted, covering many types of risks with tools offered by diverse vendors. SaaS security typically falls within SaaS security posture management (SSPM). While modern SSPM solutions provide automation and in-product remediation, they might be somewhat overwhelming at first, especially for smaller organizations that don't have large budgets or don't know where to start or what to prioritize.

During a career spanning two decades in the Israeli military serving various cyber-related roles, I learned the importance of breaking down large challenges into smaller pieces. Tackling a large problem starts with identifying the basic requirements. In this article, I will lay out three must-have SaaS security essentials that any organization can implement, regardless of budget or headcount. These are three steps you can introduce into your organization today.

**Step 1: Discover Your SaaS Usage**

After serving hundreds of SaaS-using companies, it is clear to me that most organizations have a serious SaaS shadow-IT problem. In fact, the average employee uses 28 SaaS applications at any given time. When you think about it, it makes sense: Most employees, when encountering a specific business need, will look up a fast and easy solution online. That solution is often a SaaS tool that requires permissions into the employee's work environment. Onboarding these SaaS applications often goes completely unnoticed by security and IT teams. So, before you can secure your SaaS environment, you must first have full visibility into every employee's SaaS usage, all the time.

**Step 2: Perform Risk Assessments on Each SaaS Application**

Now that you have a clear picture of your SaaS landscape, it's time to evaluate the security risks associated with each application. Not all SaaS applications are created equal, and some may pose a higher risk to your organization's data and operations. We should always be cautious as to where we keep or share sensitive data and who we trust with our most critical assets. There are several critical considerations for determining whether an application is risky or not. Here are a few:

*   The SaaS vendor's security and privacy compliances.
*   The SaaS vendor's size and location.
*   The SaaS app's marketplace presence: Has it been validated by others?
*   Is it a private or public company? Does it share its security status publicly?

This type of analysis is crucial not only for maintaining SaaS security; it is a significant factor in companies' vendor risk-assessment processes. SaaS is a third-party vendor, and assessment is part of how you manage a vendor's risk. Organizations cannot afford to turn a blind eye to their third-party risks of any size.

**Step 3: Ensure Users Have Only Necessary Permissions and Roles**

The third essential step is managing user permissions. Often, security breaches occur due to excessive permissions granted to users or that the users grant to certain applications. To mitigate this risk, follow these best practices:

*   **Least-privilege principle:** This means granting users only the permissions they absolutely need to perform their tasks. Avoid granting broad, blanket permissions that can lead to data exposure or unauthorized actions.
*   **Regular permission reviews:** Establish a process for regularly reviewing and updating user permissions and roles. This is especially true for your core business applications. Employees' roles and responsibilities can change over time, and permissions should be adjusted accordingly.
*   **Start with the admins:** Assessing all your employees and their roles and permissions across dozens of apps can be daunting and time consuming. I've learned that focusing on various admin roles and auto-approving low-permissions roles is a huge time saver.

**Why These Three?**

There are many ways to implement SaaS security practices. Some organizations prefer looking at sensitive files shared between these applications; others start with irregular user behaviors to tackle insider risks. These are all valid, and robust SSPM tools offer these capabilities. But for smaller organizations with tighter budgets or those that prefer to start small then expand, I firmly believe these three principles are the way to go. These are required by major compliance standards such as ISO 27001 and SOC 2 and fall under basic vendor risk-assessment and user-management requirements.

**Embrace SaaS Without Compromising Security**

By enforcing these three steps, you can make significant strides in protecting your digital workspace. Remember that security is an ongoing process, and continuous monitoring and adaptation are key to staying ahead of evolving threats in the SaaS landscape. By prioritizing security, you can ensure employees are free to fully embrace the advantages of SaaS while always keeping your organization safe from SaaS potential harm.

**About the Author**

    

A retired colonel from the elite 8200 Unit, Galit Lubetzky Sharon has vast, hands-on experience designing, developing, and deploying some of the Israeli Defense Forces' most vital defensive and offensive cyber platforms as well as leading large and strategic operations. She was an integral part of developing the IDF's first cyber capabilities and continued improving and enhancing these capabilities throughout her career. She is the recipient of numerous accolades, including the prestigious Israeli Defense Award.

3 Essential Steps to Strengthen SaaS Security

The security principle of zero trust is the cornerstone of robust cloud security.

In an era where data breaches and cyberattacks continue to dominate headlines, the importance of robust security measures has never been more evident. As organizations increasingly migrate their data and operations to the cloud, a paradigm shift in security strategy is essential. Enter zero trust, a security concept that has emerged as the cornerstone of cloud security. This article will explore why zero trust is crucial for safeguarding cloud environments.

**The Cloud Security Challenge**

Adopting cloud computing has brought unprecedented flexibility, scalability, and cost efficiency for businesses; however, migration to the cloud has also opened new avenues for cyber threats. The traditional security perimeter model — protecting the network perimeter — must change. Security must adapt to the challenges of this dynamic landscape with data residing in remote data centers and users accessing resources from anywhere.

**What Is Zero Trust?**

Zero trust is not just a technology but a holistic security approach that fundamentally shifts the security paradigm. The core tenet of zero trust is simple: "Never trust, always verify." In essence, zero trust means security teams should not inherently trust anyone or anything, regardless of whether they are inside or outside the network.

The fundamental principles of zero trust include:

1.  **Continuous verification:** Every access request is verified, regardless of the user's location or device. This principle includes strong multifactor authentication (MFA) and device health checks.
2.  **Least privilege access:** Security teams grant users and systems only the minimum access required to perform their tasks, reducing the attack surface and potential damage in case of a breach.
3.  **Micro-segmentation:** Networks are divided into small, isolated segments with access controls enforced between them, preventing lateral movement by attackers.
4.  **Data-centric security:** Zero trust prioritizes data protection, ensuring data is encrypted, classified, and rigorously access-controlled.

**Why Zero Trust for Cloud Security?**

Reasons zero trust is important for securing cloud environments include:

1.  **Perimeterless environments:** Cloud environments are inherently perimeterless. Traditional security models that rely on securing the network perimeter are ineffective when data and applications are dispersed across multiple cloud providers and accessed from anywhere. Zero trust, which focuses on continuous verification, addresses this challenge by securing access at the individual request level.
2.  **Evolving threat landscape:** Cyber threats are constantly evolving, becoming more sophisticated and persistent. Zero trust's continuous monitoring and verification principle helps organizations stay one step ahead of these threats by detecting and responding to anomalies and breaches in real time.
3.  **Remote workforce:** The rise of remote work has blurred the lines between corporate networks and the public Internet. With employees accessing cloud resources from various locations and devices, zero trust ensures access is granted based on user identity and device trustworthiness, not just network location.
4.  **Data protection:** In cloud environments, data is the crown jewel. Zero trust places data protection at its core, ensuring that even if a breach occurs, sensitive data remains encrypted and inaccessible to unauthorized parties.
5.  **Compliance and regulations:** Many industries are subject to strict data protection regulations. Zero trust helps organizations meet these compliance requirements by enforcing stringent access controls, monitoring activities, and maintaining an audit trail.

**Implementing Zero Trust in Cloud Environments**

To implement zero trust in cloud security, organizations should consider:

1.  **Identity and access management (IAM):** Implement strong authentication methods and access controls based on user identity.
2.  **Continuous monitoring:** Utilize threat detection and response tools to monitor activities and identify anomalies.
3.  **Least privilege access:** Grant minimal access permissions to users and systems based on their roles and responsibilities.
4.  **Data encryption:** Encrypt data at rest and in transit and classify data based on sensitivity.
5.  **Micro-segmentation:** Implement network segmentation to control lateral movement within cloud environments.

**Zero Trust Is Not Optional**

As organizations continue their digital transformation journey by embracing cloud technologies, zero trust emerges as the bedrock of cloud security. The principles of continuous verification, least privilege access, and data-centric security align perfectly with cloud environments' dynamic and distributed nature. Embracing zero trust is not merely an option; it's necessary to protect sensitive data, mitigate risks, and ensure the security of cloud-based operations in an ever-evolving threat landscape. Zero trust isn't just a buzzword; it's the future of cloud security. To learn more about zero trust, AI, and other topics in the ever-evolving threat landscape, log into the #AskCyderes webcast.

**About the Author**

    

Patrick Carter has 15 years of industry experience across security architecture, cloud security, security program management, and strategic consulting. He has a strong understanding of multicloud security architecture, working with both commercial and enterprise-level clients in Azure, AWS, and GCP. He has extensive experience in practice development and service optimization utilizing multiple disciplines. Having consulted enterprises of multiple industries, Patrick is passionate about developing cloud security programs that meet clients' specific needs and building strong relationships that enable them to secure their cloud journey.

Why Zero Trust Is the Cloud Security Imperative

Progress Software plans to collect millions in cyber insurance policy payouts after the MOVEit breaches, which will make getting coverage more expensive and harder to get for everyone else, experts say.

In its recent Security and Exchange Commission (SEC) filing, Progress Software, the company behind the MOVEit file transfer software that's been used to breach dozens of major organizations, says it plans to try and fully collect on its $15 million cyber insurance policy. But how is that fat $15 million payout likely to effect how insurers approach their own businesses?

Faced with class action lawsuits, fines, and a battered business brand, there's little question the company will need millions to cover its losses. And to boot, Progress Software was already collecting on a claim related to a previous incident in November 2022, unrelated to the MOVEit ransomware campaign, according to its most recent 10-Q filing with the SEC.

"As of August 31, 2023, we have recorded approximately $4.9 million in insurance recoveries, of which $3 million was related to the November 2022 cyber incident and $1.9 million was related to the MOVEit vulnerability, providing us with $10.1 million of additional cybersecurity insurance coverage (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies."

**Higher Premiums, Less Coverage**

Cyber insurers don't have the historical data or developed risk models that others do, like car or home insurers, which means they are constantly adjusting their "risk appetite," according to Mark Millender, senior advisor for global executive engagement at Tanium. He thinks payouts like the one Progress Software is seeking will both drive up premiums and ratchet up requirements for coverage across the cyber insurance ecosystem.

"As loss ratios increase and drive down profitability, risk tolerance recedes and the need to drive up revenues is reflected in premium charges," Millender says.

And, getting policies renewed in the wake of this Progress Software claim, and others, is going to get trickier, he predicts.

"At the same time, the insured submitting the claim will be under increased scrutiny at the time of renewal," according to Millender. "The insured's ability to renew with the same or another carrier will depend on many factors, including this claim experience, but also general cybersecurity defense posture and how the incident was addressed."

Cyber insurance policies are undoubtedly already getting more expensive and providing less coverage than before: Two-thirds of companies surveyed for a report from Delinea on the current state of the cyber insurance industry said they saw a 50% increase in cyber insurance premiums, with more narrow coverage over the past year. And, a full 80% of companies reported they submitted at least one claim in the past year.

"Three key factors are driving the growth of the cyber insurance market," Bud Broomhead, CEO at Viakoo says. "This includes the expanding liabilities from cyber breaches, boards and senior management holding more responsibility for breaches, and the 'forcing function' that cyber insurance provides to maintain their cyber security posture."

Broomhead adds that as the cyber insurance market matures, these factors will change, but the bottom-line result is likely to be a continuing trend towards more expensive policies with less coverage. But as cyber insurers refine their risk evaluations, premiums should stabilize, he adds.

**Cyber Insurers Communicating With Security Teams**

Cyber insurers are taking a closer look at the risk profiles of their clients, a trend that will be driven to new heights by the Progress situation. One of the outcomes of this increased scrutiny has been greater cooperation between cyber insurers and their policy holders, Dara Gibson, cyber insurance services leader with Optiv, explains.

"Cyber insurers are now communicating with cybersecurity teams," Gibson says. "It's going to become more of a collaborative effort between the insurers, cybersecurity and the insured because a greater understanding of what 'good' looks like is taking shape."

It's up to enterprise teams to do the same kinds of assessments, Broomhead advises.

"Risk assessment and cyber insurance will always be evolving in the same way that threat vectors themselves evolve," Broomhead says. "The most important thing is for an organization to do its own risk assessment and ensure that their internal policies address their entire attack surface."

How MOVEit Is Likely to Shift Cyber Insurance Calculus

CISA and FBI warn the RaaS provider's affiliates are striking critical industries, with more attacks expected to come from additional ransomware groups in the months ahead.

US authorities issued a warning this week about potential cyberattacks against critical infrastructure from ransomware-as-a-service (RaaS) operation AvosLocker.

In a joint security advisory, the Cybersecurity Infrastructure and Security Agency (CISA) and FBI warned that AvosLocker has targeted multiple critical industries across the US as recently as May, using a wide variety of tactics, techniques, and procedures (TTPs), including double extortion and the use of trusted native and open source software.

The AvosLocker advisory was issued against a backdrop of increasing ransomware attacks across multiple sectors. In a report published Oct. 13, cyber-insurance company Corvus found a nearly 80% increase in ransomware attacks over last year, as well as a more than 5% increase in activity month-over-month in September.

**What You Need to Know About AvosLocker Ransomware Group**

AvosLocker does not discriminate between operating systems. It has thus far compromised Windows, Linux, and VMWare ESXi environments in targeted organizations.

It's perhaps most notable for how many legitimate and open source tools it uses to compromise victims. These include RMMs like AnyDesk for remote access, Chisel for network tunneling, Cobalt Strike for command-and-control (C2), Mimikatz for stealing credentials, and the file archiver 7zip, among many more.

The group also likes to use living-off-the-land (LotL) tactics, making use of native Windows tools and functions such as Notepad++, PsExec, and Nltest for performing actions on remote hosts.

The FBI has also observed AvosLocker affiliates using custom Web shells to enable network access, and running PowerShell and bash scripts for lateral movement, privilege escalation, and disabling antivirus software. And just a few weeks ago, the agency warned that hackers have been double-dipping: using AvosLocker and other ransomware strains in tandem to stupefy their victims.

Post-compromise, AvosLocker both locks up and exfiltrates files in order to enable follow-on extortion, should its victim be less than cooperative.

"It's all kind of the same, to be honest, as what we've been seeing for the past year or so," Ryan Bell, threat intelligence manager at Corvus, says of AvosLocker and other RaaS groups' TTPs. "But they're becoming more deadly efficient. Through time they're getting better, quicker, faster."

**What Companies Can Do to Protect Against Ransomware**

To protect against AvosLocker and its ilk, CISA provided a long list of ways critical infrastructure providers can protect themselves, including implementing standard cybersecurity best practices — like network segmentation, multifactor authentication, and recovery plans. CISA added more specific restrictions, such as limiting or disabling remote desktop services, file and printer sharing services, and command-line and scripting activities and permissions.

Organizations would be smart to take action now, as ransomware groups will only grow more prolific in the months to come.

"Typically, ransomware groups take a little bit of a summer vacation. We forget that they are people, too," Bell says, citing lower-than-average ransomware numbers in recent months. September's 5.12% bump in ransomware cyberattacks, he says, is the canary in the coal mine.

"They will increase attacks through the fourth quarter. That's usually the highest we see throughout the year, as in both 2022 and 2021, and we're seeing that holds true even now," he warns. "Things are definitely climbing up all across the board."

Feds: Beware AvosLocker Ransomware Attacks on Critical Infrastructure

The Cyber Resilience Act's requirement to disclose vulnerabilities within 24 hours could expose organizations to attacks — or government surveillance.

The European Union (EU) may soon require software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of an exploitation. But many IT security professionals want this new rule, set out in Article 11 of the EU's Cyber Resilience Act (CRA), to be reconsidered.

The rule requires vendors to disclose that they know about a vulnerability actively being exploited within one day of learning about it, regardless of patch status. Some security professionals see the potential of governments abusing the vulnerability disclosure requirements for intelligence or surveillance purposes.

In an open letter signed by 50 prominent cybersecurity professionals across industry and academia, among them representatives from Arm, Google, and Trend Micro, the signatories argue that the 24-hour window is not enough time — and would also open doors to adversaries jumping on the vulnerabilities without allowing organizations enough time to fix the issues.

"While we appreciate the CRA's aim to enhance cybersecurity in Europe and beyond, we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them," the letter states.

Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, says there is no disagreement about the urgency of patching the vulnerabilities. The concerns center on publicizing the vulnerabilities before updates are available, which leaves organizations at risk of attack and unable to do anything to prevent it.

"Publishing the vulnerability information before patching has raised concerns that it may enable further exploitation of the unpatched systems or devices and put private companies, and citizens, at further risk," Ramamoorthy says.

**Prioritize Patching Over Surveillance**

Callie Guenther, senior manager of cyber threat research at Critical Start, says the intent behind the CTA is commendable, but it's vital to consider the broader implications and potential unintended consequences of governments having access to vulnerability information before updates are available.

"Governments have a legitimate interest in ensuring national security," she says. "However, using vulnerabilities for intelligence or offensive capabilities can leave citizens and infrastructure exposed to threats."

A balance must be struck wherein governments prioritize patching and protecting systems over exploiting vulnerabilities, Guenther says, proposing some alternative approaches for vulnerability disclosure, starting with tiered disclosure.

"Depending on the severity and impact of a vulnerability, varying time frames for disclosure can be set," she says. "Critical vulnerabilities may have a shorter window, while less severe issues could be given more time."

A second alternative Guenther describes concerns preliminary notification, where vendors can be given a preliminary notification with a brief grace period before the detailed vulnerability is disclosed to a wider audience.

A third way focuses on coordinated vulnerability disclosure, which encourages a system where researchers, vendors, and governments work together to assess, patch, and disclose vulnerabilities responsibly.

Any rule must include explicit clauses to prohibit the misuse of disclosed vulnerabilities for surveillance or offensive purposes, she adds.

"Additionally, only select personnel with adequate clearance and training should have access to the database, reducing the risk of leaks or misuse," Guenther says. "Even with explicit clauses and restrictions, there are numerous challenges and risks that can arise."

**When, How, and How Much to Disclose**

Responsible disclosure of vulnerabilities is a process that has, traditionally, included a thoughtful approach that enabled organizations and security researchers to understand the risks and develop patches before exposing the vulnerability to potential threat actors, notes John A. Smith, CEO at Conversant Group.

"While the CRA may not require deep details about the vulnerability, the fact that one is now known to be present is enough to get threat actors probing, testing, and working to find an active exploit," he cautions.

From Smith's perspective, the vulnerability should also not be reported to any individual government or the EU; that requirement will reduce consumer confidence and damage commerce due to nation-state spying risks.

"Disclosure is important — absolutely. But we must weigh the pros and cons of when, how, and how much detail is provided during research and discovery to mitigate risk," he says.

An alternative to this "arguably knee-jerk approach," Smith says, is to require software companies to acknowledge reported vulnerabilities within a specified but expedited time frame, and then require them to report back on progress to the discovering entity regularly, ultimately providing a public fix within a maximum of 90 days.

Guidelines on how to receive and disclose vulnerability information, as well as techniques and policy considerations for reporting, are already outlined in ISO/IEC 29147.

**Impacts Beyond EU**

The US has an opportunity to observe, learn, and subsequently develop well-informed cybersecurity policies, as well as proactively prepare for any potential ramifications if Europe moves forward too quickly, Guenther adds.

"For US companies, this development is of paramount importance," she says. "Many American corporations operate on a global scale, and regulatory shifts in the EU could influence their global operations."

The ripple effect of the EU's regulatory decisions, as evidenced by the General Data Protection Regulation's influence on the California Consumer Privacy Act and other US privacy laws, suggests that European decisions could presage similar regulatory considerations in the US, she points out.

"Any vulnerability disclosed in haste due to EU regulations doesn't confine its risks to Europe," Guenther cautions. "US systems employing the same software would also be exposed."

Security Pros Warn That EU's Vulnerability Disclosure Rule Is Risky

The botnet — built for DDoS, backdooring, and dropping malware — is evading standard URL signature detections with a novel approach involving Hex IP addresses.

Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.

According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar "dot-decimal" command-and-control URL formation (i.e., hxxp://39.99.218\[.\]78,) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures won't parse or flag.

"IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used Web browsers," according to the ASEC advisory on the Hex IP attacks. "Due to the usage of curl for the download and its ability to support hexadecimal just like Web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl."

ShellBot, aka PerlBot, is a well-known botnet that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshalled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.

"If ShellBot is installed, Linux servers can be used ... for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC explained. "Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server."

To protect their organizations from ShellBot attacks, administrators should simply up their password hygiene game, using strong passwords and making sure to rotate their hardened credentials on a regular basis.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ShellBot Cracks Linux SSH Servers, Debuts New Evasion Tactic

The goal of the program is to uncover critical or important vulnerabilities within the AI-powered Bing program.

Microsoft has announced its AI bug-bounty program to encourage researchers worldwide to discover vulnerabilities within the Bing generative AI chatbot and AI integrations. Bounty rewards will range from $2,000 to $15,000 for qualified submissions.

Eligible participants must be at least 14 years old, with permission from a legal guardian if they are a minor, and an individual researcher. Should a participant be a public sector employee, the bounty award must go to the public sector organization and be signed by an attorney or executive responsible for its ethics policies. 

The scope of the bounty program extends to AI-powered Bing on bing.com, AI-powered Bing integration in Microsoft Edge, AI-powered Bing integration in the Microsoft Start app, and AI-powered Bing integration in the Skype Mobile app. Any vulnerabilities found in these integrations are qualified for submission and are eligible to win a reward.

Microsoft stated that the goal of the program is to uncover vulnerabilities that have a significant impact on the security of its customers within the AI-powered "Bing experience." When submitting a vulnerability, researchers must ensure that it has not been previously reported, is of critical or important severity as per the Microsoft Vulnerability Severity Classification for AI Systems, and is reproducible on the latest version of the product with clear steps as to how to reproduce the vulnerability. 

Further directions as to how to get started and enter a submission; specific information on different types of vulnerabilities and the winnings they have the potential to earn; research rules of engagement; and terms and conditions, are listed on Microsoft’s website.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading