**PRESS RELEASE**

**MILPITAS, Calif.,Oct. 26, 2023/PRNewswire/ --** As Cybersecurity Awareness Month comes to a close, SonicWall today released the findings of its 2023 SonicWall Threat Mindset Survey which found that 55% of its customers are more concerned about cyberattacks in 2023, with the main threat being focused on digital attacks like ransomware and spear phishing.

"Understanding our partners and customers greatest concerns is at the heart of SonicWall's outside-in strategy," said SonicWall President and CEO Bob VanKirk. "Even further, it's taking that insight and acting upon it to provide key value-add products and services. The data from the 2023 SonicWall Threat Mindset Survey helps keep our finger on the pulse of what truly matters to our valued customers. As organizations around the globe struggle with economic declines and political strife, SonicWall remains committed to providing the latest in threat intelligence and cyber security solutions to help our partners and customers successfully navigate these rough waters."

SonicWall's proprietary threat mindset survey uncovered additional findings:

*   **Continued concerns about intensifying cyberattacks**: There is growing concern regarding cyberattacks amongst 54% of professionals surveyed; ransomware leads the distress as 83% of all customers cited it as their biggest concern. 94% of respondents are equally or more concerned about overall attacks in 2023. Phishing and spear-phishing (76%), as well as encrypted malware (64%), comprised the top three concerns.
*   **Organizations slow to patch**: Despite rising cyberattack concerns, 78% of organizations don't patch critical vulnerabilities within 24 hours of patch availability; another 13% only apply critical patches when time allows.
*   **Increased fear around insider threats:** Insider threat incidents have continued to increase and 49% of IT professionals cited it as a growing worry. The larger the organization, the more potential insider threat incidents exist. Critical business information and sensitive data can be found in employees' emails – and IT professionals feel the concern.
*   **Now Hiring: cybersecurity professionals needed:** 41% of respondents described their IT/ cybersecurity personnel as inadequate. With the cyberattack landscape becoming savvier with stronger capabilities of pulling off attacks, organizations must prioritize protection and hiring individuals who have the knowledge and skills to best position their company to not fall victim to these ongoing cyberattacks.

Companies are not only losing millions of dollars to unending malware and ransomware strikes but cyberattacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyberattacks, organizations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against never-ending cyberattacks.

"The evolving cyber threat landscape is the new normal," said EIS Management CIO Jeff Falk. "The labor diverted from business initiatives to cybersecurity concerns swells year-over-year, which demands I spend more of my time managing the business' security needs, having an impact on business operations."

In an effort to promote cybersecurity attentiveness, SonicWall supports Cybersecurity Awareness Month in October with an added emphasis on a new enduring cybersecurity awareness program, Secure Our World. Secure Our World reflects a new enduring message to be integrated across the Cybersecurity and Infrastructure Security Agency's (CISA) awareness campaigns and programs and encourages all of us to take action each day to protect ourselves when online or using connected devices.

**Methodology**

SonicWall surveyed approximately 10,000 customers from around the globe. Questions were optional and some were open-ended, while others were multiple choice.

**About SonicWall**

SonicWall, a partner-first business, has been an unquestioned leader in the cybersecurity for more than 30 years. SonicWall defends organizations mobilizing for their new business normal with seamless protection that stops the most evasive cyberattacks across endless exposure points and increasingly remote, mobile and cloud-enabled workforces. By knowing the unknown, providing real-time visibility and enabling breakthrough economics, SonicWall closes the cybersecurity business gap for enterprises, governments and SMBs worldwide. For more information, visit www.sonicwall.com or follow us on Twitter, LinkedIn, Facebook and Instagram.

SOURCE SONICWALL INC

SonicWall Data Confirms That Ransomware Is Still the Enterprise's Biggest Fear

**PRESS RELEASE**

**DENVER****,** **Oct. 26, 2023** **/PRNewswire/ --** New data from the Lumen Technologies (NYSE: LUMN) Distributed Denial of Service (DDoS) mitigation platform landed the banking industry in the unenviable position of being the most targeted vertical of Q3 2023. This is the first time the banking industry topped Lumen's "most targeted verticals" list and was largely due to the events of a single day: Sept. 21, 2023.

On that day, a single banking customer was targeted with more than 230 DDoS attacks – a whopping 4,500% increase over the daily average for that industry – yet it experienced no downtime. Had the attackers been successful, they could have caused significant damage in the form of lost business, remediation costs and reputational damage.

"The successful mitigations for this banking customer can be traced back to Lumen's multi-layered approach to DDoS mitigation," said Brett Lemarinel, director of unified threat management for Lumen. "It starts at our network, where countermeasures are built in, and our intelligent routing technology, which sends excess traffic through our 500+ scrubbing locations. Our DDoS customers have an added layer of protection from Rapid Threat Defense, our proprietary capability that utilizes threat intelligence from Lumen Black Lotus Labs® to block DDoS botnet traffic before it reaches the customer's environment."

Lemarinel continued, "This should be a warning to all other businesses. More than 230 mitigations in a single day suggests the threat actor was determined to wreak havoc on this customer. Even though the attacker failed, the activity we saw on Sept. 21 is a potent reminder that any business can be in an attacker's crosshairs on any given day."

**Other notable findings in the report include:**

A never-before-seen, four-vector combination was attempted during the Sept. 21 event. The four-vector combination included DNS Amplification, IP Fragmentation, Invalid Packets and Static Filtering. Cyber attackers frequently modify their vector combinations as they attempt to defeat mitigation strategies, but the Lumen DDoS mitigation platform has the flexibility required to recognize and stop these attacks before they impact the targeted customers. The total number of attacks decreased in Q3 2023. Attackers frequently run their operations like a business and, as with any business, cyberattacks have seasonal ups and downs. In Q3 2023, Lumen mitigated 4,217 attacks, which was a 23% quarter-over-quarter decrease and a 24% annual decrease. The banking industry was also the most-targeted vertical for application threats, according to Lumen's application protection partner, ThreatX. Among all industries, the highest percentage of blocked traffic (25.5%) came from programmatic access, which are suspicious, automated attempts to access a web application. This number is up 89% from the previous quarter. The banking sector experienced a significant percentage of "Attacks Against Authentication" (nearly 25%), which are used to gain unauthorized access to financial data. Financial institutions are attractive to attackers, as evidenced by the high attack ratio and combination of brute-force attacks that targeted banks in Q3. Protecting financial data is paramount, but robust web application and API protection solutions can help protect the industry.

"The Q3 ThreatX application attack analysis underscores the critical importance of bot protection and the need for awareness of industry-specific threats," said Neil Weitzel, director, Security Operations Center at ThreatX. "The especially high number of programmatic access threats this quarter underscores the prevalence of bots in API and application attacks. In addition, our findings reveal variations in threats across industries, so businesses must stay vigilant and proactive to safeguard their applications and APIs."

**About Lumen Technologies**

Lumen connects the world. We are igniting business growth by connecting people, data, and applications – quickly, securely, and effortlessly. Everything we do at Lumen takes advantage of our network strength. From metro connectivity to long-haul data transport to our edge cloud, security, and managed service capabilities, we meet our customers' needs today and as they build for tomorrow. For news and insights visit news.lumen.com, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies, and YouTube: /lumentechnologies.

**About ThreatX**

ThreatX is managed API and application protection that lets you secure them with confidence, not complexity. It blocks botnets and advanced attacks in real time, letting enterprises keep attackers at bay without lifting a finger. Trusted by companies in every industry across the globe, ThreatX profiles attackers and blocks advanced risks to protect APIs and applications 24/7. Learn more at https://www.threatx.com.

Lumen Q3 DDoS Report: Banking Was the Most Targeted Industry for the First Time

**PRESS RELEASE**

**SEATTLE – Oct. 24, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the launch of WatchGuard MDR, a new 24/7 cybersecurity service purpose-built to make MDR vastly more accessible to managed service providers (MSPs) working to address soaring customer demand for managed cybersecurity delivery. The new service is managed by an elite team of cybersecurity experts and powered by AI. It requires no investment in a traditional security operation center (SOC) infrastructure, advanced technologies, or security experts, which addresses the pressures of scarce cybersecurity professionals and funding faced by MSPs.

“WatchGuard’s new solution has effectively super charged our managed security services business by allowing us to effortlessly tap into the immense potential of MDR and offer it as a value-added service to customers,” said Raul Zayas, president of ZTek Solutions. “By removing the burden on us to create a modern SOC, WatchGuard MDR expedited our ability to give customers what they need the most: top-notch, comprehensive cybersecurity backed by industry-leading cyber experts to ensure a resilient defense against evolving cyber threats. Not only has WatchGuard put us in the fast lane in that regard, they also make it all incredibly simple to do through their Unified Security Platform architecture to help ensure we stay ahead of the curve.”  

Highly customizable and scalable, this new MDR service further strengthens WatchGuard's Unified Security Platform architecture, providing advanced threat detection and response capabilities on top of WatchGuard EDR, EPDR, and Advanced EPDR that empower MSPs to build out robust, comprehensive security offerings for their customers. It comes with the support of WatchGuard’s automated Zero-Trust Application Service, Threat Hunting Service, advanced security analytics, threat intelligence, and a dedicated team of skilled cybersecurity analysts that monitor, detect, and respond to threats 24/7. 

“As a 100% channel-driven company, we wanted to deliver an enterprise-class MDR solution that would allow our MSP partners to expand their business without the expense of building their own SOC or adding to the challenges they already face in finding cybersecurity talent,” said Andrew Young, chief product officer at WatchGuard Technologies. “We are dedicated to supporting our MSP community, and the launch of WatchGuard MDR represents another milestone in the long-term trusted relationships we build with our partners. Not only does this service help MSPs break through existing barriers to entry for delivering managed security services – it allows them to capitalize on a growing opportunity with an innovative new solution we’ve purpose-built for them specifically.” 

**Key Features and Benefits**

WatchGuard MDR is the ideal choice for service providers looking to elevate the security posture of their customers, expand their portfolio, and generate recurring revenue streams with zero investment in modern security operations center (SOC), sophisticated and expensive AI-based technology, and scarce cybersecurity experts. Capabilities include:  

*   **24/7 Endpoint Activity Monitoring and Data Collection –** to provide real-time and retrospective monitoring using event data captured by WatchGuard EPDR or Advanced EPDR in WatchGuard’s modern SOC.
*   **24/7 Proactive Hunting and Detection** – to reduce time to detect and mitigate threats using AI, machine learning, and other advanced techniques to identify indicators of attack, while WatchGuard’s MDR threat hunters search for threats lurking in endpoints.
*   **24/7 Investigation and Validation** – to minimize the impact of potential threats by relying on WatchGuard experts to quickly investigate and accurately validate incidents to determine their nature and severity.
*   **Immediate Incident Notification** – to provide prompt notification with key insights such as affected machines and tactics used when a validated incident occurs so MSPs can take immediate action.
*   **Options for Mitigation and Guidelines for Remediation** – to give MSPs the flexibility to choose the strategy that works best for their business. They can rely on their own team with guidance from WatchGuard experts on how to contain and remove traces of an attack, restore data, patch vulnerabilities, and install additional controls. Or they can outsource the initial response and the containment through endpoint isolation to automated playbooks developed by WatchGuard MDR experts.
*   **Weekly Security Health Status Report and Monthly Activity Reporting** – to build trust with customers by providing regular reports on their security status, which service providers can customize to better engage customers with their MDR service and provide valuable feedback throughout the process.  

For more information about WatchGuard MDR, click here.

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

WatchGuard Launches MDR Service, Helps MSPs Accelerate Cybersecurity Service Delivery

**PRESS RELEASE**

**SANTA CLARA, Calif.,Oct. 25, 2023/PRNewswire/ --** Malwarebytes, a global leader in real-time cyber protection, today launched an essential new consumer solution, Identity Theft Protection. The new service helps individuals secure their digital identities and defend against identity and online threats. Malwarebytes Identity Theft Protection includes real-time identity monitoring and alerts, robust credit protection and reporting and live agent-supported identity recovery and resolution services – backed by up to a $2 million identity theft insurance policy. The new service, paired with Malwarebytes' award-winning antivirus and VPN software, helps prevent criminals from stealing or using personal information to drain financial accounts, hack or impersonate social media accounts, damage a user's reputation or other online and identity-based attacks.

Today's digital life is complex and sometimes deceptive. According to new research from Malwarebytes, identity theft ranks as people's third biggest concern when it comes to online security, just behind fear of financial accounts and personal data being breached – both of which play into identity theft. Of those surveyed 64% agree that identity theft protection is important, but only 13% have it. Consumers are also increasingly fearful of new technology. Malwarebytes gives consumers protection they can trust, alerting them when we see their information has been stolen and providing live agent support to restore their identity and replace lost items.

"Even as we spend more and more of our lives online, we all know that the internet today can't be trusted," said Mark Beare, GM of Consumer Business Unit, Malwarebytes. "Consumers need a tool that not only blocks threats like malware and phishing, but that also monitors and protects their digital identity, be that social media profiles, bank accounts or email. With Malwarebytes Identity Theft Protection, we provide a robust and exhaustive suite of services so individuals and families can rest easy knowing that we are actively working to keep them safe and protect their digital identity."

Malwarebytes Identity Theft Protection is available globally through a variety of tiered offerings that provide protection via computers and mobile devices across multiple operating systems including Windows, macOS, Android and iOS.

**Key features include:**

*   Identity Monitoring & Alerts**:** Continuously scours a multitude of websites and data sources, including the Dark Web, to alert if personal information is being illegally traded or sold. Recommends actions to take to protect yourself.
*   Credit Monitoring and Protection**:** Ongoing tracking of credit for critical changes, such as new accounts or inquiries and applications for new lines of credit. A credit freeze also can be activated\*.
*   Breach IQ**:** Provides a safety score and alerts if personal information is part of a known breach\*.
*   Identity Recovery & Resolution**:** Assistance in the event of an identity theft incident, including guided steps to report the crime, dispute fraudulent charges, restore identity and recuperate financial losses incurred. Includes up to a $2 million insurance policy.

To read more about the latest threats and cyber protection strategies, visit our blog, or follow us on Facebook, Instagram, LinkedIn, TikTok and Twitter.

_\*U.S. only_

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions along with a world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe daily. Malwarebytes solutions are consistently recognized by independent tests including AVLAB and AV-TEST. The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes Announces Consumer Identity Theft Protection Solution

**PRESS RELEASE**

**CAMBRIDGE, England****,** **Oct. 26, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security AI, today unveiled a new Darktrace/Cloud™ solution based on its unique Self-Learning AI. The new solution provides comprehensive visibility of cloud architectures, real-time cloud-native threat detection and response, and prioritized recommendations and actions to help security teams manage misconfigurations and strengthen compliance. When combined with insight from Darktrace solutions for network, email, apps, zero trust and endpoint, Darktrace/Cloud provides a deeper, contextualized understanding of the risks and threats currently facing an organization's digital estate.  

According to a recent report, "Gartner® anticipates over 99 percent of cloud breaches will be based on a customer error, account takeover or misconfiguration until 2027"\[1\]. Cloud environments are constantly evolving so security professionals need to increase the level of visibility while keeping up with changing compliance, risk and security requirements. The rise of cloud-native technologies including containers, Kubernetes and microservices also require new tools and techniques for detecting and responding to known and novel threats.

"Unlike static cloud security tools that provide snapshots of a specific point in time, Darktrace/Cloud is real-time, all the time. Our Self-Learning AI continuously learns patterns between workloads, assets, policy configurations and identities to provide a dynamic view of cloud architectures. We analyze the entire cloud stack from data to control plane, combining an understanding of architecture and network with a new flexible, scalable deployment model," said Jack Stockdale, Chief Technology Officer, Darktrace. "Our innovative approach to cloud security is built on more than a decade of leadership in Cyber AI that is already protecting our customers' critical business areas from network and email to operational technology."

Available today, the new capabilities in Darktrace/Cloud include:

*   **Comprehensive visibility and architecture modeling** for insights into the constantly changing nature of cloud environments. This visibility is constructed dynamically from configuration, network, users and identity and access management (IAM) data. Darktrace establishes patterns of life for cloud resources, identities, and services to understand who has access to what and how. This is critical for detecting anomalies and unknown threats.
*   **Universal attack path modeling** provides a dynamic view of where attackers may look to move next. Darktrace brings together real-time cloud data and a deep understanding of your cloud environment with a platform approach that provides insights about risks from other covered areas of the business (e.g., network, email) to highlight potential attack paths and prioritize important assets to secure.
*   **Unique real-time and cloud-native threat detection and response** that provides a dynamic view of known and novel threats within the cloud. Darktrace combines deep cloud attack path knowledge with real-time anomaly and threat detection through cloud-native autonomous response actions, such as detaching a policy from a user or removing a workload from a security group.
*   **Prioritized cloud posture management** that starts by examining cloud configurations against common compliance frameworks. Where misconfigurations are detected, Darktrace provides a prioritized view of what to fix first, based on a risk profile generated from security and business context. Guided steps can be provided to help teams proactively address these before they become a significant issue.
*   **Cost discovery** to provide a better understanding of cloud resource allocation. This helps teams contextualize their cloud resources according to security and business priorities.
*   **Communication and collaboration capabilities** to streamline workflows between security teams and DevOps teams. Tickets can be created on demand, teams can communicate directly via messaging platforms, and alerts and anomaly detections can be sent to Security Information & Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) products and the Darktrace Mobile app so they can be alerted on the go.
*   **Flexible deployment options** include an agentless deployment by default so organizations can be up and running in minutes. Teams can use the dynamic architectural view and risk context to decide where to deploy agents for enhanced real-time actions and deeper inspection.

Sykes Cottages, a cloud-native travel agency platform in the UK, has experienced significant growth in the last five years and has relied on the cloud to help them scale throughout this period.

"When it comes to cybersecurity, having visibility and an understanding of what you've got and your risks is critical. If I don't know it's there, I can't protect it," said Jonny Mattey, Head of Cybersecurity, Sykes Cottages. "Having a holistic, live view of our cloud environment enables us to work pragmatically and use AI to cut down management time so that we can address security risks and improve our resilience."

The new Darktrace/Cloud solution is now available on Amazon Web Services (AWS) through the AWS Marketplace, a curated digital catalog that makes it easy for customers to find, buy, deploy, and manage the third-party software they need to build solutions and run their business. Darktrace and AWS have been collaborating since 2017 to help organizations secure their AWS environments. Darktrace protects AWS environments for organizations around the world including Sunwest Bank and ProPhase Labs. Darktrace is an AWS Security Competency Partner and is part of the AWS ISV Accelerate program.

"Security is job zero at AWS," said Paddy Fitzpatrick, Director – Independent Software Vendors, UK & Ireland at Amazon Web Services. "As the threat landscape continues to evolve, the availability of AI-based tools like Darktrace/Cloud on the AWS Marketplace will help customers to gain increased visibility, and respond more effectively to security risks and threats."

Darktrace first extended its Cyber AI capabilities to cloud environments in 2016, applying its world class algorithms to granular network traffic. Darktrace/Cloud was recently named Cloud Security Product of the Year for Large Enterprises by Computing Magazine in its 2023 Cloud Excellence Awards.

Learn more about the new enhancements to Darktrace/Cloud by tuning into the launch event at 11:30am ET/4:30pm BST.

**ABOUT DARKTRACE**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, is on a mission to free the world of cyber disruption. Breakthrough innovations in our Cyber AI Research Center in Cambridge, UK have resulted in over 160 patents filed and research published to contribute to the cyber security community. Rather than study attacks, Darktrace's technology continuously learns and updates its knowledge of 'you' and applies that understanding to optimize your state of optimal cyber security. Darktrace is delivering the first ever Cyber AI Loop, fueling a continuous end-to-end security capability that can autonomously spot and respond to novel in-progress threats within seconds. Darktrace employs over 2,200 people around the world and protects approximately 8,900 customers globally from advanced cyber threats. Darktrace was named one of TIME magazine's 'Most Influential Companies' in 2021. To learn more, visit http://www.darktrace.com.

SOURCE Darktrace

Darktrace Unveils Cloud-Native Security Solution Using AI

**PRESS RELEASE**

**LONDON** **and** **MIAMI****,** **Oct. 26, 2023** **/PRNewswire/ --** Sumsub, a full-cycle verification platform, today releases its "State of Verification and Monitoring in the Crypto Industry 2023" report. The findings focus on the regulations and verification practices for crypto companies, with highlights from verification performance and identity fraud statistics.

The intention of the report is to provide crypto businesses with a clear understanding of industry verification standards and trends, offering insights into enhancing user experience and improving operations. To gather direct insights, Sumsub conducted a survey among 100+ crypto companies, and combined its results with expert interviews of professionals in the crypto industry. Overall, 800,000+ fraud attempts were studied for this report. All data was aggregated and anonymized.

Key findings from the report include\*:

*   77% of crypto companies observed new fraud patterns and schemes this year, with attack methods becoming more professional;
*   Deepfakes remain a growing concern for the crypto industry, with 70% of companies noting their increasing popularity among fraudsters;
*   In 2023, the number of deepfakes in the crypto industry increased by 128% compared to 2022;
*   55% of crypto companies reported an increase in fraud\-related losses – both financial and reputational – connected to applicants;
*   The shift from document-based to Non-Doc Verification solutions is underway in crypto, demonstrating faster verification, from 38 to as fast as five seconds and from 46 to as quick as three seconds in Brazil and Ghana, respectively. 

_"As the_ crypto _industry continues to evolve, we see a global trend of decreasing onboarding time for_ crypto _users,"_ comments Jacob Sever**, co-founder and Chief Innovation Officer of Sumsub**. _"From 2022 to 2023, verification time nearly halved across all regions, driven by the growing expectation of swifter processes among users. As such, providers face the challenge of complying with increasingly stringent regulations, making solutions such as Non-Doc Verification essential. By expediting onboarding processes,_ crypto _firms eliminate the need for users to upload any documents, better allowing providers to keep pace with industry demands and enhance pass rates, all while thwarting the threat of synthetic_ fraud_."_

To download the free "**State of Verification and Monitoring in the** Crypto **Industry 2023**" report, visit https://sumsub.com/crypto-report-2023/.

_\* The statistics presented in the report are based on Sumsub's internal data on millions of verification checks analyzed in the first 8 months of 2023 and the same period in 2022._

**About** **Sumsub**

Sumsub is a full-cycle verification platform that secures the whole user journey. With Sumsub's customizable KYC, KYB, transaction monitoring and fraud prevention solutions, you can orchestrate your verification process, welcome more customers worldwide, meet compliance requirements, reduce costs and protect your business.

Sumsub has over 2,000 clients across the fintech, crypto, transportation, trading, e-commerce and gaming industries including Binance, Mercuryo, Bybit, Huobi, Unlimit, DiDi, Poppy and TransferGo.

SOURCE Sumsub

70% of Crypto Companies Report Deepfake Fraud Rise

The industrial automation giant agrees to buy Verve Industrial Protection, joining in an ICS trend of bringing cybersecurity capabilities in-house to keep up with attackers.

Manufacturers of industrial automation and control systems continue to scoop up industrial cybersecurity firms to provide customers with more protection for their factories and facilities.

This week, Rockwell Automation agreed to acquire Verve Industrial Protection, a cybersecurity software and services firm, which will become part of Rockwell's Lifecycle Services division. The acquisition follows the July commitment by Honeywell to buy SCADAfence, an operational technology and IoT security firm, as a way to acquire asset discovery and threat detection capabilities. And just last week, technology firm Siemens announced an all-in-one testing suite for industrial networks — partnering with Tenable on the initial testing tools, but committing to including more third parties in the future.

The large manufacturers are trying to catch up with attackers and fix their cybersecurity shortcomings, says Katell Thielemann, distinguished vice president analyst at business intelligence firm Gartner.

"OEMs are on a bit of a redemption journey," she says. "Their end-user clients are starting to be vocal about buying multimillion-dollar assets that contain vulnerabilities and misconfigurations, and then having to pay million-dollar support services contracts that allow fixes downstream."

An additional impetus for Honeywell, Siemens, and Rockwell to acquire cybersecurity services comes from the desire to create additional channels for sales, says Dale Peterson, CEO and founder of Digital Bond, an ICS consultancy.

"What we are seeing is the large ICS vendors are developing practices to sell cybersecurity products and services — sometimes through acquisition ... and sometimes through partnerships," he says. "It's unclear if this will be successful or how committed they will be to this in tough times."

**Target Threats Tailored to ICS**

The acquisition announced comes as attackers are increasingly targeting industrial control systems (ICS) and the industrial Internet of Things (IIoT). In May 2021, an attack on Colonial Pipeline's information systems resulted in the company shutting down pipelines, causing a fuel shortage along the East Coast of the United States.

Overall, 77% of attacks on critical infrastructure came from state-affiliated actors and organized criminal groups, according to an analysis of 122 public incidents published by Rockwell Automation last month. The largest share of attacks (39%) hit the energy sector, with critical manufacturing, transportation, and nuclear sectors each accounting for another tenth of attacks, according to the report.

Attackers are increasingly targeting industrial automation and safety equipment with tailored malware, while defenders have seen "a worrisome increase in disclosed vulnerabilities in industrial cyber-physical systems," says Thielemann. Typically, the vast majority (84%) of attacks have come through IT networks, while only 14% have initially infected an OT device, according to Rockwell's report.

Operators of industrial systems need to know what devices are present in their OT and IT networks, which are vulnerable, and which can be patched, she says.

"As the threat landscape starts to pose a clear and present danger in production environments, it is critical to know what assets you have, and to shift from a network-centric view of security to an asset-centric one," Thielemann says.

**Industrial Automation Struggles With Security**

The Rockwell-Verve merger might also be a way to change the industrial control system and automation industries' mindset on security. Operators typically have not had good visibility into the devices and equipment deployed to their operational networks, and patching equipment that have lifecycles of decades when dealing with software with lifecycles of years is a complex problem.

Rockwell Automation has rolled out signed firmware and support for CIP Security for defense-in-depth, supporting device identification and authentication using certificates on devices, says Peterson.

Still, industrial automation providers have a ways to go to earn their customers' confidence that they will put security ahead of profits, he says.

"\[W\]hether the asset owner will trust the ICS vendor to be straightforward about risk when it reflects poorly on their own systems or reflects positively on a competitor" is an open question, Peterson says. "All this to say that the ICS vendor as a channel for ICS security products and services is unproven."

Rockwell Automation did not disclose the details of its purchase agreement with Verve. The company noted that the acquisition must meet regulatory approvals and should close in the first quarter of its fiscal year in 2024.

Rockwell's Verve Buy Enlivens Critical Infrastructure Security

Nation-state hackers are using hybrids to ensnare those in the maritime, shipping, and logistics industries.

A threat actor sponsored by the Islamic Republic of Iran has been using watering-hole attacks, with a new malware downloader and a budding new method of infection, against Mediterranean organizations involved in the maritime, shipping, and logistics sectors.

These latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Tortoiseshell, Imperial Kitten, TA456, Crimson Sandstorm, and Yellow Liderc, according to a blog post this week from PricewaterhouseCoopers. The Islamic Revolutionary Guard Corps-backed threat actor has previously been recorded using watering holes, phishing domains, highly targeted emails, fake social media accounts, and more, in its globe-spanning espionage campaigns.

**Yellow Liderc's Latest Campaign**

Since 2022, Yellow Liderc has been compromising legitimate websites and using them to insert malicious JavaScript. The JavaScript fingerprints unwitting visitors, capturing details such as their location, device, time of visit, and so on. If a visitor matches a specific profile — in this case, entities along the Mediterranean associated with maritime, logistics, and shipping — they will be served further malware.

The malware in question is "IMAPLoader," a dynamic link library (DLL) written in .NET, which uses email as a means of command-and-control (C2) communication.

This new sample is in most ways similar in function to Yellow Liderc's previous loaders. It distinguishes itself, however, in its advanced method of infection: a technique known as "appdomain manager injection." First demonstrated by a proof-of-concept (PoC) called "GhostLoader" in 2020, hackers or red teamers can use it to circumvent tools designed to detect a DLL or executable being loaded onto a Windows machine.

After slyly injecting itself on a host computer deemed of high value, IMAPLoader communicates with the attackers' Russian-hosted, very American-sounding email addresses — leviblum\[@\]yandex.com and brodyheywood\[@\]yandex — where further payloads lie.

**Yellow Liderc's Tactics and Targets Vary**

Anyone who tries to defend against Yellow Liderc simply by accounting for this method of injection, or this malware, will end up falling short. The group has been known to cycle through and combine various tactics, techniques, and procedures over the years.

"What we've seen more often and most recently is reconnaissance emails," says Joshua Miller, senior threat researcher at Proofpoint. Since 2021, he says, it has used the open source red-team tool GoPhish to insert malicious links into fake newsletters impersonating legitimate organizations. But it's also got more, weirder strategies in its arsenal. In 2021, Proofpoint described an elaborate, yearslong ruse they ran, posing as a woman named Marcella Flores, in order to phish a specific employee at an aerospace company.

Recently, Proofpoint observed a unique cluster within the same APT targeting workers and organizations in the healthcare, technology, and the nuclear division of a European energy company. According to PwC, it remains an ongoing threat not just to all of these industries and regions thus far named, but also the automotive, defense, and IT industries, in places as far and wide as the Middle East, South Asia, and North and South America.

Perhaps the only consistent elements of a Yellow Liderc attack are the minor discrepancies between the email sender, newsletter, or website one expects, and the actual sender or experience they're delivered.

"Look for any unusual network traffic," Miller advises, and pay attention to suspicious emails. "Checking who's sending an email is important. I know that we say that all the time, but it's true and important for this sort of case."

Iran APT Targets the Mediterranean With Watering-Hole Attacks

The English-speaking cyberattack group behind the MGM and Caesars Entertainment attacks is adding unique capabilities and gaining in sophistication. Prepare now, Microsoft says.

"One of the most dangerous financial criminal groups" — and growing in sophistication. That is Microsoft's assessment of the 0ktapus cyberattack collective, which was most recently in the news for carrying out the strikingly disruptive MGM and Caesars Entertainment ransomware hits.

The English-speaking group (aka Scatter Swine, UNC3944 or, as Microsoft calls it, "Octo Tempest") typically engages in adversary-in-the-middle (AitM) techniques, social engineering involving calling up targets directly, and SIM swapping. It's been known to carry out cryptocurrency theft, data-leak extortion, and ransomware attacks (it became a BlackCat/ALPHV affiliate in mid-2023). Aside from the casino/hospitality wins in September, it previously made a name for itself by specializing in successfully compromising Okta credentials in a spate of attacks, including the widespread Twilio leak last August.

The threat has been evolving in recent campaigns, according to a detailed Microsoft analysis this week, and it exhibits a notable level of sophistication for which organizations need to actively prepare.

"We observed Octo Tempest leverage a diverse array of tactics to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data," according to the report, which delves into the granular details of 0ktapus' arsenal. "Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models. The well-organized, prolific nature of Octo Tempest's attacks is indicative of extensive technical depth and multiple hands-on-keyboard operators."

**0ktapus' Unique Technique**

For instance, 0ktapus has recently turned to a unique technique using the data movement platform Azure Data Factory and automated development pipelines, Microsoft warned; the goal appears to be data exfiltration via attacker-controlled Secure File Transfer Protocol (SFTP) servers, looking to hide amid a victim's legitimate big data operations.

"Additionally, the threat actor commonly registers legitimate Microsoft 365 backup solutions such as Veeam, AFI Backup, and CommVault to export the contents of SharePoint document libraries and expedite data exfiltration," according to Microsoft.

Roger Grimes, data-driven defense evangelist at KnowBe4, noted that 0ktapus's large spectrum of possible attacks and motives creates challenges for organizations. 

"Every organization must create its best defense-in-depth cyber defense plan using the best combination of policies, technical defenses, and education, to best mitigate the risk of these attacks," he said in an emailed statement. "The methods and sophistication of these attacks must be shared to employees. They need lots of examples. Employees need to be able to recognize the various cyberattack methods and be taught how to recognize, mitigate, and appropriately report them."

He added, "we know that 50% to 90% involve social engineering and 20% to 40% involve unpatched software and firmware, so whatever an organization can do to best fight those two attack methods is where they should likely start."

Microsoft: 0ktapus Cyberattackers Evolve to 'Most Dangerous' Status

With Google's announcement of seven years of support, other smartphone makers risk falling behind.

Consumers want their devices to be secure and need to be supported for longer, according to Omdia's new survey of 1,578 consumers across 13 major countries in the Americas, Asia & Oceania, and Europe in September 2023. Google and Fairphone are pushing this forward, but governments are also stepping in to ensure security is taken seriously —  benefiting consumer safety and the environment.

**The Need for Security Updates**

While every effort can be put in place by a device manufacturer to ensure the device is "secure by design" or even certified to regulatory or standardized requirements, vulnerabilities are constantly evolving. Updates are key to ensure that new vulnerabilities are found and remediated in a timely manner.

This is happening as consumers increasingly use their mobile phones for sensitive activities such as online banking, identity verification and even relying on services such as Apple or Google Pay.

The update support period is therefore crucial, as well as the frequency of updates and the ability for security-specific updates to be rolled out independent of wider software updates — which is now offered by many of the leading smartphones.

**How Much Support Do Consumers Need?**

Security update periods and replacement cycle rates are frequently a topic of discussion among those pushing for sustainable tech. There's also skepticism as to how long devices should realistically be updated for, with some questioning the usefulness of five-year+ support.

However, shedding light on the actual usage of mobile devices makes it clear that the longer the support, the better — for both security and sustainability. As such, we asked consumers how long they are using their smartphones.

Security updates for many phones under $500 only last two years, yet 56% of consumers used their previous phone for longer. While premium phones typically have five years' support, more than 5% reported that they kept their previous phone longer — beyond the support of any phone available at the time. This also doesn't take into account how late after release the consumer is buying it; if you bought a Samsung Galaxy S22 Ultra now, you'd get a little over three years of support. If you bought a refurbished iPhone 11, you'd get under 1 year. This is effectively stifling a growing second-hand phone market — and leaving those devices potentially vulnerable.

Currently the only phones to offer more than five years of guaranteed security updates are the Google Pixel 8 and Pixel 8 Pro (seven years) and the Fairphone 5 (eight years). Longer updates can help to slow replacement and production rates, effectively keeping working phones in consumers' hands for longer. By reducing phone production, it drastically reduces the environmental impacts of the smartphone industry.

    

Source: Omdia

**Who's Responsible?**

Fifty percent of consumers believe it should be the operating system developer (either Apple or Google) that is responsible for the security of their smartphone. However, how long a phone is supported is primarily down to the device maker and its negotiations with the chipset maker.

Apple and Google are in the unique position of making their own chip, device, and operating system. They are, therefore, their own arbiters. This is likely how Google can commit to seven years — but for Samsung and other Android brands, it would be a more complex process.

Ultimately, regulatory pressure, discussed below, will put mandatory security requirements on device manufacturers, and in some cases importers and distributors, to ensure device update transparency.

    

Source: Omdia

**Security Is a Key Purchase-Driver**

Consumers have security top-of-mind when considering their next phone. Forty-six percent confirmed better security features would be a purchase driver, while just 7% said no.

Sixty-nine percent of survey respondents said good security features were critical or important when deciding which smartphone to purchase, although this is second to key hardware specs such as long battery life, durability, and processor speed. When comparing two similar phones, security and brand trust could become the most important and deciding factor.

**Governments, Policymakers and Standards Bodies Must Step In**

There has historically been a lack of standardization and transparency from equipment manufacturers on security measures for their devices. As a result, governments and standards bodies are developing standards to define baseline requirements, defining product labels to increase consumer visibility and choice, and eventually mandating minimum security requirements.

For example, while Apple has historically given five years of support, it's not transparent at launch; if you just bought a new iPhone 15, you have no official commitment from Apple that it will be supported for two years or five. But with the UK's Product Security and Telecommunications Infrastructure (PSTI) Act, the support period must be stated at the point of sale, from April 2024.

The UK PSTI is just one example, with guidance and legislation being proposed in the US, EU, China, Japan, Korea, and more. While mobile devices are sometimes out of the scope of IoT legislation and government guidance, the proposed EU Cyber Resilience Act will include operating systems for mobile devices — mandating security updates for at least five years, among other requirements.

All manufacturers of connected devices should prioritize and adopt standards and guidance such as the widely referenced ETSI EN 303 645 (Cybersecurity for Consumer IoT) or TS 103 732 (Consumer Mobile Device Protection Profile) to future-proof for upcoming regulation. Further, although at the current time labelling is voluntary, device makers can and should ensure and empower consumer choice by opting in to labelling and certification schemes.

Source

DARKReading