**WOBURN, Mass.****,** **March 22, 2023** **/PRNewswire/ --** Kaspersky has released new survey results showing that one third of crypto owners in the U.S. have experienced theft of their currency or other assets, at an average cost of $97,583. This, and other findings, are part of a new report, "Crypto Threats 2023," based on a survey of 2,000 American adults in October 2022.

Crypto trading has skyrocketed in popularity in recent years. Twenty-four percent of respondents to the survey said they currently own cryptocurrency or other crypto assets. However, scammers are continuously seeking new ways to capitalize on that popularity and defraud users, with tactics such as impersonating legitimate exchanges or launching phishing attacks to steal login credentials. They also use cryptojacking malware to generate currency by stealing computing resources from unknowing victims.

A third of respondents who said they own or have owned cryptocurrency or other crypto assets said they have fallen victim to a fraudulent crypto\-related website, app or investment scam at some point. Among those victims, 19% said they experienced identity theft as a result, while 27% had payment details stolen and money taken from their bank account.

"From fake apps to cryptojacking, there is a long list of threats lurking online to target cryptocurrencies," said Marc Rivero, senior security researcher at Kaspersky's Global Research and Analysis Team. "Without any regulation or established common knowledge, people need to take care to protect themselves. This survey data shows a lot of people are getting their crypto stolen and even experiencing identity theft. Users should keep a close eye out for scams, and should employ any extra security measures that are available to them, such as multi-factor authentication."

The survey revealed that there is often more users could be doing to protect their crypto assets. On average, respondents said the last time they checked on their crypto investments was six weeks ago. Twenty-seven percent of users said they keep their crypto stored in an exchange account with no added protection, while only 34% use multi-factor authentication to protect their account. Only 15% of users said they use a "cold wallet," storing their crypto in external storage not connected to the internet. Thirty-two percent of respondents who own or have owned cryptocurrency or other crypto assets said they have lost access to a crypto\-related account at some point.

The survey also yielded some interested findings with respect to age differences among crypto traders. Thirty-six percent of respondents aged 25-44 said they currently own cryptocurrency or crypto assets, compared to just 10% of respondents aged 55 and up. Older respondents who do own crypto, however, appeared to be doing a much better job at protecting their assets. Just 8% of crypto owners aged 55+ said they have had cryptocurrency or a crypto asset stolen, and only 14% in that age group said they have fallen victim to a fraudulent crypto\-related app, website or investment scam. Meanwhile, nearly half (47%) of crypto owners aged 18-24 said they had been victimized by theft, with 46% saying they've fallen victim to a scam.

The full report is available here.

In order to avoid falling victim to cryptocurrency\-related scams, Kaspersky recommends:

*   Use strong and unique passwords for each of your crypto accounts. This will help prevent password cracking and brute force attacks.
*   Avoid phishing attacks: Be wary of suspicious emails and links, and always double-check the URL before entering your login information.
*   Don't share your private keys: your private keys unlock your cryptocurrency wallet. Keep them private and never share them with anyone.
*   Use security solutions: a reliable security solution will protect your devices from various types of threats. Kaspersky's consumer portfolio prevents cryptocurrency fraud, as well as unauthorized use of your computer's processing power to mine cryptocurrency.

**About Kaspersky**

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments, and consumers around the globe. The company's comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies, and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

SOURCE Kaspersky

Kaspersky Survey Finds One in Three Users Have Experienced CryptoTheft

With more than $36M nearly swindled away, an almost-successful BEC attempt in the commercial real estate space shows how sophisticated and convincing fraud attacks are becoming.

In an attempt to fraudulently obtain more than $36 million, a threat actor emailed an escrow officer and their client, a commercial real estate company, while impersonating the senior vice president and general counsel of a trusted partner company. The business email compromise (BEC) attack was caught due to a flaw in a domain name, behavioral AI, and an advanced modeling system.

Included in the email was an invoice and instructions for payment for a loan worth $36.4 million. While this may be a number that might ring alarm bells for anyone else, commercial real estate involves the use of large-sum loans, according to an analysis from Abnormal Security, so there was no initial concern. A false company letterhead was used to legitimize the scam, and the cyberattackers added another reputable real estate investment company to the email chain to make it even more convincing. 

The escrow officer may have fallen for it, but the BEC attempt was caught due to artificial intelligence (AI) technology spotting signs of fraud, such as discrepancies in the wiring instructions, newly registered email domains, and irregular language patterns in the email. In addition to this, there was a minor change in the sender domain from ".com" to ".cam."

Though this attempt was caught, BEC attacks are becoming more popular — increasing by 84% in the first half of 2022 alone. They are continuing to prove to be successful against organizations, particularly those without multifactor authentication or security awareness training.

AI might be increasingly necessary to catch ever-more-savvy BEC attacks. "As attackers shift from executive impersonation to vendor fraud and increase their payment requests, the need for security leaders to keep their organizations safe increases," according to Abnormal Security. "Because modern supply chain attacks use seemingly genuine messages, traditional tools which look for indicators like malicious attachments are becoming less effective."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

$36M BEC Fraud Attempt Narrowly Thwarted by AI

Attackers claiming to be part of the Chinese navy are making calls to commercial Qantas pilots midair, while GPS, comms systems, and altimeter instruments are all experiencing denial of service.

Australia's Qantas Airways is warning pilots about ongoing signal interference on VHF communications channels from "stations purporting to represent the Chinese military," on commercial flights over the western Pacific Ocean and South China Sea.

The Australian flagship airline also warned that some flights are experiencing jamming of their GPS systems, causing denial of service (DoS), in incidents "suspected to originate from warships operating off the northwest shelf of Australia."

To boot, this is not the only China-related activity in the world of aviation in the region; on March 2, the International Federation of Air Line Pilots' Associations (IFALPA) noted that military warships located in the South China Sea, Philippine Sea, and the Eastern Indian Ocean were placing VHF calls to some passenger flights and military aircraft.

"In some cases, the flights were provided vectors to avoid the airspace over the warship," according to the alert. "We have reason to believe there may be interferences to GNSS and RADALT as well."

GNSS, short for global navigation satellite system, can be used interchangeably with GPS; RADALT stands for "radar altimeter," and refers to the instrumentation that pilots use to gauge how far above the ground an airplane is flying.

**Calculating the Physical Safety Dangers**

Though the news seems alarming, Qantas is telling flight crews to carry on with their designated flight plan should they see the unusual activity but to report the interference to the controlling air traffic control (ATC) authority. Meanwhile, a spokesperson told Aviation International News that Qantas does not consider the activity to be a physical safety threat.

Ken Munro, a co-founder at Pen Test Partners and a specialist in operational technology (OT) cybersecurity for aviation, says that while the incidents on their face "shouldn’t be of immediate concern," that's not to say the activity couldn't become dangerous in the right situation.

"GPS is only one of a number of methods for pilots to determine their position, though it is generally the most relied upon," he explains. "Inertial reference and radio navigation aids can be used to cross-check position. Indeed, these were the primary methods used prior to the advent of GPS."

He adds, "GPS and RADALT jamming are less of a concern when in the cruise at high altitude. However, errors in position or altitude when on approach are another matter, though much harder to intentionally create when near an airport."

Munro notes that jamming can also be concerning if it's part of a chain of attack or coincides with other alert-worthy activity that might be going on.

"Incidents in the airplane often start with cascade of issues, often with a simple problem starting a chain of events that leads to a more significant problem," he says.

**Motivation: A New Cyber-Air Frontier?**

Researchers note that if the perpetrators are the Chinese military, the signal interference could have several motivations.

"It's one thing for a warship to ask a commercial airliner to 'please go around us,' and something else entirely to directly interfere with their signals," says Mike Parkin, senior technical engineer at Vulcan Cyber. "On many levels, this feels like an extension of the tactics we've seen from cybersecurity threats originating with Chinese state and state-sponsored groups. Though this presents more of a potential physical threat, and interfering with commercial air traffic is a much more blatant show of power than a typical cyberattack."

NetRise CEO Tom Pace, a firmware security expert specializing in aviation, cautions that the jamming might be unintentional and that no one should jump to conclusions. "It is impossible to state the intention of the Chinese military or even if these actions are purposeful," he says. "This could simply be commercial airlines flying through a region in which the Chinese military is operating, or it could be a more active engagement where the Chinese military is seeing what they can get away with."

Mike Hamilton, CISO of Critical Insight, suspects that the activity was triggered by geopolitical events.

"This is yet another example of how geopolitical tensions are showing up as cyber events that are directed at infrastructure," he says. "I note that the Biden administration just announced a nuclear submarine deal with Britain and Australia, and this is likely the Chinese government expressing its feelings about that deal."

**Better Aviation Security Must Take Flight**

Hamilton notes that the activity points to the need for better OT security in the aviation space.

"The constellation of GPS satellites has been known to be vulnerable for some time because of our dependence for navigation and time synchronization," he says. "This act should be a wake-up call for the administration to take swift action to deploy compensating security controls around GPS before this act becomes commonplace. Longer term, GPS signal integrity controls must be developed and deployed."

NetRises' Pace explains that commercial airliners don't have sophisticated anti-jamming technologies like military aircraft, and while planes can be flown manually if need be, a better failsafe for DoS events might be putting resources into identifying weaknesses in communications systems and instrumentation.

"The top airline safety concern/challenge regarding the cybersecurity of that OT environment is that there is a significant lack of visibility which translates to an inability to identify risk in these environments," he says.

Chinese Warships Suspected of Signal-Jamming Passenger Jets

Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.

An analysis of data associated with zero-day attacks in 2022 suggests that threat actors are increasingly probing for security weaknesses in edge-infrastructure technologies, including VPNs, firewalls, and IT management products.

Researchers from Mandiant tracked a total of 55 zero-day vulnerabilities that adversaries exploited in various malicious campaigns last year and found that 10 of them involved an Internet-facing edge device.

Among them were CVE-2022-1040 and CVE-2022-3236 in Sophos firewalls, CVE-2022-20821 in Cisco IOS, CVE-2022-42474 and CVE-2022-41226 in Fortinet's FortiOS, CVE-2022-288810 in Zoho ManageEngine, and CVE-2022-35247 in SolarWinds Serv-u.

**Hunting on the Edge**

Casey Charrier, Mandiant senior analyst at Google Cloud, says adversaries are focusing on edge technologies likely because they perceive enterprise organizations as having fewer capabilities around endpoint detection and response (EDR) than they have around network monitoring.

"That's definitely an element that we assess is a focus of Chinese threat groups right now," Charrier says. "As more organizations integrate Internet of Things (IoT) devices into their environment, they'll need to take this into consideration when evaluating security tools and the security of these devices."

The 55 zero-days that Mandiant observed adversaries using in 2022 are fewer than the all-time high of 81 that its researchers observed in 2021. Even so, the number was nearly three times higher than the 20 zero-days Mandiant observed being exploited in 2020.

**Chinese Actors Continue to Be Most Active Exploiters of Zero-Days**

As has been the case for some time now, Chinese state-sponsored threat groups exploited more zero-days in 2022 than any other threat group. Of the 13 zero-days that Mandiant was able to identify as likely exploited by a state-backed group, seven — or more than half — involved a Chinese advanced persistent threat (APT) group.

One example is CVE-2022-30190, a vulnerability in the Microsoft Windows Support Diagnostic Tool that enables remote code execution (RCE) via malicious Office documents, even when a user might have disabled macros. Chinese threat actors used the vulnerability, also referred to as "Follina," in numerous threat campaigns throughout the year, making it one of the most heavily exploited flaws of 2022.

Several of the zero-days that Chinese state actors leveraged in attacks last year targeted network devices. One example is CVE-2022-42475, a buffer-overflow flaw in FortiOS SSL VPN technology that a China-based actor used in a campaign last year to deliver a highly customized tool for exploiting Fortinet's FortiGate firewalls. Another flaw in this category that a Chinese actor abused is CVE-2022-41328, a path traversal vulnerability in FortiOS. Mandiant observed a Chinese group identified as UNC3886 exploiting the vulnerability in a potential cyber-espionage campaign. The same actor was previously associated with an attack campaign targeting VMware ESXi hypervisors using a new technique with malicious vSphere Installation Bundles.

Mandiant said it also observed zero-day exploit activity involving North Korean threat actors ticking up slightly in 2022 compared with previous years. The two zero-days that Mandiant identified North Korean actors exploiting were: CVE-2022-0609, a Google Chrome vulnerability that a North Korean group exploited in a campaign targeting the high tech, media, and financial sectors, and CVE-2022-41128, an RCE in Windows Server that North Korea's APT37 exploited in a phishing campaign.

**Financially Motivated Cyberattackers Want in on the Action Too**

Financially motivated threat actors continued to be another set of adversaries that actively exploited zero-day vulnerabilities last year, though not to the same extent as in 2021. Of the 16 zero-days for which Mandiant was able to attribute a motive, four were used in financially motivated attacks. Many of these attacks involved ransomware deployments. Examples include CVE-2022-29499, an RCE flaw in a Mitel VoIP appliance that a threat actor used to deploy Lorenz ransomware, and CVE-2022-41091, i.e. a Windows Mark of the Web flaw that the operator of the Magniber ransomware used in one campaign.

Since 2019, zero-day exploit activity involving ransomware groups has been increasing, says Charrier. "This is the case for a variety of reasons," Charrier notes. "For one, ransomware, as a proportion of all financially motivated activity, has continued to grow and take over the criminal ecosystem. Second, it can be more obfuscated in terms of tracking the money as well as tracking any sort of victim payments."

Microsoft, Google, and Apple topped the charts — as they always have — in terms of the number of zero-day vulnerabilities in their respective products. The three vendors together accounted for 37 of the 55 zero-days that Mandiant tracked last year. Fifteen of the zero-days in operating systems affected Windows and nine out of 11 browser zero-days were in Google Chrome.

At the same time, the number of zero-days that threat actors found and exploited in other technologies grew as well. As zero-day numbers increase, so do the number of vendors that are victims, Charrier says: "While the top three targeted vendors remain consistent, the variety of additional targeted vendors generally continues to expand and vary each year."

Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products

The government should not issue infrastructure regulations without the involvement of the industries it's regulating.

Last summer, the US Transportation Security Administration (TSA) rolled back some of its rules governing cybersecurity for oil and natural gas pipelines. While the oil and gas industry welcomed the changes, and the new rules marked a promising step toward public-private collaboration, there's still more work to be done. Particularly now, following the newly released National Cybersecurity Strategy, information sharing and collaboration are key to effectively protecting our critical infrastructure.

To start, the TSA's rollback — or some revision at least — was necessary. The TSA issued an initial directive in 2021, in the wake of the Colonial Pipeline hack, which exposed vulnerabilities to cyberattackers in a core component of the nation's energy infrastructure. But these rules were not well received by the industry. Pipeline operators were concerned about the directive's "aggressive" timelines. Some claimed that "the directive could require them to replace thousands of pieces of equipment all over the country," according to Tennessee Sen. Marsha Blackburn. Operators expressed concerns that the overhaul of so much equipment so quickly might itself create even worse security issues by introducing new technologies that hadn't yet been fully vetted into systems that had been running stably for decades.

The new rules, issued through a pair of directives (in June and July), and enhanced toward the end of the year, simultaneously extend and ease the TSA's cybersecurity requirements, bringing them more in line with what the industry was asking for. The new guidelines focus on more performance-based measures, rather than the prescriptive measures issued in 2021.

Progress, right? It depends on who you ask.

**Prescriptive vs. Pragmatic Rules**

The TSA's new pipeline rules are more pragmatic and more suited to the oil and gas industry's needs, but there's a trade-off: They are weaker.

The prescriptive nature of the first memo was out of touch with the reality of operational technology (OT). Many of the requirements were reasonable for the IT networks used by pipeline operators but were either not useful or directly unhelpful for the OT world, which has different technologies and different requirements, and operates in different environments.

The new memo effectively reduces the prescriptiveness to more realistic standards, so pipeline operators won't be penalized for failing to meet impossible requirements.

On the other hand, the new rules may be too loose to make any drastic improvements in our pipeline security. They are extremely simplified best practices, and it's difficult to see how anyone can be held accountable to them. For example, phrases like "timely manner" and "risk-based methodology" are qualitative measurements. Is a pipeline operator truly responding in a timely manner or not? Is their methodology risk-based or not? It's a judgment call.

So while this memo gives more flexibility for operators to enact reasonable changes, it may also leave too much wiggle room to pipeline operators.

**The Challenge of Patching OT Systems**

The reality is that ironclad regulation is nearly impossible. It's difficult for the government to push prescriptive guidelines with binary outcomes ("secure" or "not secure") in complex environments.

For example, many pipeline operators are running OT systems that are 30 or 40 years old. Some of these systems have been running continuously for decades and have never been connected to the Internet. The people who wrote the site-specific code are long since retired, and those who wrote the operating system are probably dead. Who are you going to call if something goes wrong?

The fact is, patching very old OT systems is riskier than leaving them unpatched. Regulation of any kind is not well suited to handling such situations — what's needed is deep local knowledge of the systems, complete awareness of what components are involved (especially any that connect to the Internet in any way) and what data they are transmitting (and to where), and a willingness to maintain security to the best of one's ability.

**Embracing Public-Private Cybersecurity Partnerships**

However, the TSA's new pipeline rules do show a way forward. While imperfect, the new rules are more reflective of public-private partnership than the initial directive, and that collaborative approach is reason to be hopeful.

When preparing their directive, the TSA asked for and received extensive input from industry stakeholders, as well as federal partners, including the Department's Cybersecurity and Infrastructure Security Agency (CISA).

The TSA has stated that it will continue to propose regulations to codify a number of cybersecurity requirements for pipelines over the year, and we hope that will continue to be done in partnership with the industry.

In short, the TSA should be commended for its multistakeholder approach. The type of industry consultation and review that went into the newer directives should be part of any future cybersecurity regulations affecting critical infrastructure. This is especially true given that 80% of critical infrastructure is run by the private sector.

When it comes to infrastructure, the government should not issue regulations without the active involvement of the industries it's regulating. True public sector cybersecurity depends on more public-private partnerships like this.

Pipeline Cybersecurity Rules Show the Need for Public-Private Partnerships

Administrator shutters the forum on fears that it had been breached by federal authorities but assured members it's not the end for the popular underground hacking site.

The BreachForums underground hacker site — which emerged to replace RaidForums nearly a year ago — now also has gone offline less than a week after its leader was arrested in New York.

The forum's administrator, who goes by the online moniker "Baphomet," said in a post on the group's Telegram channel March 19 that he was closing down the forum due to concerns that the FBI had access to the site, researchers from Dark Owl, a provider of Dark Web data and intelligence, said in a blog post.

Baphomet apologized to members of the forum for closing it down but said he would set up another Telegram group for further information and news, teasing that the launch of another site or other support for their activities was in the works, according to the post.

"I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is," he wrote in the message, according to a screenshot shared in the Dark Owl blog post. "You are allowed to hate me, and disagree with my decision, but I promise what is to come will be better for us all."

**BreachForums Leader Apprehended**

The shutdown came just five days after US federal agents arrested man called Conor Brian Fitzpatrick, who they allege is behind the forum's administrator handle "pompompurin," and its chief operator. Fitzpatrick was arrested in Peekskill, NY, on March 15, according to an affidavit made in a New York district court.

Fitzpatrick was charged with one count of conspiracy to commit access device fraud, and bail was set at $300,000, which was paid for by his parents, Dark Owl researchers said. When arrested, he admitted to his role as admin on BreachForums and the use of the alias, which the researchers said was surprising.

BreachForums emerged in April 2022 in the wake of the takedown of RaidForums, allowing users to buy and sell data obtained from cybercriminal activity, with site administrators running an escrow service ensuring that sellers received the funds that they had requested, the researchers said.

Cybercriminals widely used BreachForums to purchase stolen data and host data from controversial leaks, such as data stolen from the Washington, DC, healthcare exchange, they said. Pompompurin also conducted cyberattacks of his own, revealing in an interview for the KrebsOnSecurity site in November 2021 that he was responsible for sending fake emails using the fbi.gov domain, the researchers said.

This behavior is likely what put him in the crosshairs of federal authorities, according to Dark Owl. "He claimed at the time this was done to point out vulnerabilities in the FBI systems, but it undoubtedly put him higher on the FBI's radar, leading to his recent arrest," the researchers wrote.

**What Comes Next?**

Since BreachForums itself came about after the Department of Justice seized what at the time was one of the world's largest hacker forums — RaidForums — and arrested its founder and chief administrator, Portuguese national Diogo Santos Coelho, it's likely that a new forum will emerge from its ashes.

RaidForums was founded in 2015 and, prior to its seizure, was used by its members to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.

BreachForums' Baphomet practically acknowledged that a new underground hacker site is in the works in his post on Telegram, the researchers noted. He said he is working to create new infrastructure that would replace BreachForums and even may collaborate with competitor marketplaces to keep support for members going.

However, for now, the BreachForums onion site is no longer reachable, and cybercriminals who used the site will have to take a wait-and-see approach until its current administrators regroup and create a new forum on which they can conduct their nefarious activity, the researchers said.

For its part, Dark Owl researchers said they "will continue to monitor the Dark Web and adjacent sources, such as Telegram, to identify any news of emerging groups and sites which may take the place of BreachForums."

BreachForums Shuts Down in Wake of Leader's Arrest

Review and update plans to minimize recovery time. Practice and a well-thumbed playbook that considers different scenarios will ensure faster recovery of critical data.

The threat landscape is complex, and the tactics used by threat actors are constantly evolving. In this never-ending game of cat and mouse, it seems no matter what cybersecurity advancements the good guys make, it's a perpetual state of catch-up. As tactics evolve, so should readiness plans.

All businesses, regardless of size, should have a set of incident response plans that take into consideration a variety of situations. For example, the action you take for a ransomware attack versus discovering an employee doing something nefarious are greatly different. Having a playbook that considers many scenarios ensures nothing is missed. After all, the last thing any business wants to do during a crisis is ad hoc incident response.

**Key Points to Cover**

Incident response requires meticulous planning; this is something smaller businesses often struggle with. While not all organizations have the resources to plan for every potential scenario, the goal is to get to a place of satisfaction.

The following considerations will make the process less daunting.

**Know your assets.** Identify critical assets and put steps in place to revive them in the event of a failure. For example, create a list of internal systems that are core to the function of day-to-day business. It doesn't have to be a cyberattack that could take these offline. Hardware failures, natural disasters, and faulty updates can cause disruptions. Regardless of the cause, having a plan in place speeds the rebound process.

Since even carefully built backup-and-recovery plans can be compromised in an attack, additional safeguards are important for cyber resilience. For example, in anticipation of a ransom attack, keep multiple copies of backups in different domains (e.g., local and cloud). Likewise, consider backup solutions that do not allow an attacker to rewrite, encrypt, or modify previous backups. Equally important, maintain a history of restored points and backups that cannot be compromised; this will allow one to restore from a good copy of an earlier snapshot. While not all malware attacks are ransomware, the ability to quickly recover data following an incident is essential to minimize downtime and resume normal business operations.

**Take the time to learn.** Cybersecurity is challenging because even with the rights steps taken and all the right boxes checked, a business can still fall victim to an attack. However, each encounter with a security incident is also an opportunity to learn.

For those that dig deeper, valuable insight can be gained as to how a user initially encountered a threat. There may be something upstream of their actions that could be improved upon. Maybe they clicked on an email that got through the spam filter. Additional opportunities exist when users report a suspicious email; take the opportunity to learn how it got into their inbox. This is where an IT or security operations center (SOC) team can really help; this is also where experience can make a big difference.

**Plan and practice.** There's no one-size-fits-all incident response plan. Have plans for a variety of security incidents that you can anticipate. An employee doing something nefarious that requires them to be fired on the spot requires a different course of action than the discovery of a third-party breach. For each scenario, create a playbook to ensure nothing is missed.

Don't wait for an incident to test the effectiveness of plans. To identify gaps and achieve a desired level of confidence, it's important to run an occasional fire drill. Reflect on how things went and look for areas of improvement.

Set up a rapid response alias via e-mail to ensure all stakeholders are included; this allows for quick alert in the event of an incident, so less time is spent delegating and more time is spent recovering. Involve this team early on, during the build out of response plans and assignment of responsibilities in the event an attack does take place. A fire drill will expose what (or who) is missed and what could be done better.

**Practice, Then Review Plans Annually**

Once a level of comfort is achieved, this doesn't mean you never practice again. Confidence simply lowers the cadence for reviewing plans. As tactics shift, your response plans should, too. A good rule of thumb is, once you have confidence in your plans, review them on an annual basis.

Incident response plans are a must for businesses of every size. Because it's not if an organization will experience an incident but when, having a documented plan to detect, contain, and respond is critical. Planning and practice can greatly minimize the time required for recovery of critical data so businesses can minimize downtime and even maintain operations during an incident.

How to Keep Incident Response Plans Current

IONIX illuminates exploitable risks across the real attack surface and its digital supply chain providing security teams with critical focus to accelerate risk reduction.

**NEW YORK****,** **March 21, 2023** **/PRNewswire/ --** Cyberpion, the leader in Attack Surface Management, has rebranded as IONIX (pronounced 'eye on x'). IONIX helps customers keep an 'eye on x,' providing visibility into their real attack surface including an organization's internet-facing assets and their mesh of connected dependencies.

A threat actor set on penetrating an organization doesn't care whether they're attacking internet-facing assets directly or exploiting a vulnerability from an exposed third-party digital service. Using Connective Intelligence, IONIX accurately maps an organization's real attack surface and its digital supply chain, discovering more organizational assets than any other provider, and delivers unmatched capabilities for proactively preventing attacks.

2022 was a transformational year for IONIX. The company delivered 250% ARR growth and secured $27 million in Series A funding, led by U.S. Venture Partners and existing investors Team8 Capital and Hyperwise Ventures. In January 2023, IONIX announced that Marc Gaffan had been named CEO. Co-founder Nethanel Gelernter moved from CEO to Chief Technology Officer where he is focusing on accelerating innovation and scaling the company's ASM platform. Additionally, the company announced the appointment of Doron Gill as Vice President of Engineering, and Ido Samson as Chief Revenue Officer. 

"IONIX was built on the premise that the increasingly interwoven nature of the digital supply chain demands a radically different approach to threat protection by identifying the sprawling network of dependencies on the same level as an organization's other assets," said Marc Gaffan, CEO, IONIX. "IONIX's ASM solution helps organizations take control of their real attack surface and its digital supply chain. By working closely with our customers, we have expanded our offering with wider coverage and deeper focus into their biggest attack surface risks. We believe that our new brand and product strategy will provide us with a strong platform to grow and lead in this market."

**IONIX ASM Platform**

IONIX Connective Intelligence technology leverages machine learning to discover and monitor every internet-facing asset and connection, delivering laser focus into the most critical risks to the business. IONIX goes further, enabling action by providing the tools to rapidly remediate exploitable threats and reduce attack surface risk.

IONIX focuses on real risks by surfacing exploitable issues with large blast radius that require immediate attention. With less noise and fewer alerts, security teams can remediate what matters most, faster. To deliver on these market needs, IONIX has significantly expanded its capabilities to include:

Multi-layered prioritization that goes beyond risk severity to validate exploitability and identify blast radius:

*   Determine the blast radius - Rank asset importance based on data sensitivity, business context, brand reputation and inter-connectivity
*   Evaluate exploitability - Identify exploitable misconfigurations, documented exploits and simulated attacks
*   Integrate threat intelligence - Correlate deep dark web findings regarding leaked credentials and compromised machines with customers' asset inventories

*   Smart remediation workflows that reduce noise with clear action items and automatically assign tasks to the right subsidiary or operational owner
*   Integration with customers' cloud environments by combining inside out visibility with an outside in attackers' view to uncover even more exposed assets and shadow IT
*   Risk scores that quantify attack surface risk across multiple categories enabling decision makers to understand their security posture, track progress over time and make strategic, risk-informed decisions.
*   Executive ASM reports, generated with one-click, that provide a comprehensive high-level overview of customers' attack surface with visibility into their assets, risks and action items. 

"The IONIX brand is new, but the team here has been helping organizations secure their extended attack surface since long before there was even a market category," said Rik Turner, senior principal analyst in Omdia's IT security and technology team. "What they are delivering now as IONIX is a combination of broad coverage of the extended attack surface, along with a focus on the threats that matter most to the organization. The addition of the Risk Scores and Executive Reports comes as the C-Suite and Boards of Directors are focused on cybersecurity like never before, due to the attention of lawmakers and regulators, not to mention the extra attention attack surfaces have gained thanks to the pandemic."

**About IONIX**

IONIX is the attack surface management solution that uses Connection Intelligence to shine a spotlight on exploitable risks across your real attack surface – and its digital supply chain. Only IONIX discovers and monitors every internet-facing asset and connection, delivers laser focus into the most important risks to your business, and provides the tools to rapidly remediate exploitable threats and reduce attack surface risk. Global leaders including Infosys, The Telegraph, Warner Music Group and E. ON depend on IONIX's machine learning-powered discovery engine, contextual risk assessment and prioritization, and end-to-end remediation workflows to go on the offensive in managing their complex and ever-changing attack surfaces. For more information visit www.ionix.io or connect with us on LinkedIn.

Cyberpion Rebrands As IONIX

In a possible first for the NuGet repository, more than a dozen components in the .NET code repository run a malicious script upon installation, with no warning or alert.

A baker's dozen of packages hosted on the NuGet repository for .NET software developers are actually malicious Trojan components that will compromise the installation system and download crypto-stealing malware with backdoor functionality.

Software supply chain security firm JFrog stated in an analysis published March 21 that the 13 packages, which have since been removed, have been downloaded more than 166,000 times and impersonate other legitimate software, such as Coinbase and Microsoft ASP.NET. JFrog detected the attack when the company's researchers noted suspicious activity when a file — init.ps1 — executed upon installation and then downloaded an executable file and ran it.

The discovery of the malicious code highlights that attackers are further branching out into the software supply chain as a way to compromise unwary developers, even though .NET and the C# programming languages are lesser known among attackers, says Shachar Menashe, director of security research for JFrog.

"The techniques to get malicious code executed on NuGet package install, while trivial, are less documented than in Python or JavaScript, and some of them have been deprecated, so some novice attackers may think it's not possible," he says. "And perhaps NuGet has better automated filtering of malicious packages."

The software supply chain has become increasingly targeted by attackers with attempts to compromise developers' systems or propagate unnoticed code to the end user through developers' applications. The Python Package Index (PyPI) and the JavaScript-focused Node Package Manager (npm) ecosystems are frequent targets of supply chain attacks targeting open source projects.

The attack on the .NET software ecosystem, which consists of nearly 350,000 unique packages, is the first time that malicious packages have targeted NuGet, according to JFrog, although the company noted that a spamming campaign had previously pushed phishing links to developers.

**Typosquatting Still a Problem**

The attack underscores that typosquatting continues to be a problem. That style of attack involves creating packages with similar sounding names — or the same name with common spelling errors — as legitimate ones, in the hopes that a user will mistype a common package or won't notice the errors.

Developers should give new packages a good look before including them in a programming project, JFrog researchers Natan Nehorai and Brian Moussalli wrote in the online advisory.

"Even though no prior malicious-code attacks were observed in the NuGet repository, we were able to find evidence for at least one recent campaign using methods such as typosquatting to propagate malicious code," they wrote. "As with other repositories, safety measures should be taken at every step of the software development lifecycle to ensure the software supply chain remains secure."

**Immediate Code Execution Is Problematic**

Files that are automatically executed by development tools are a security weakness and should be eliminated or limited to reduce the attack surface area, the researchers stated. That functionality is a significant reason why the npm and PyPI ecosystems have poisoning issues, as compared to, say, the Go package ecosystem.

"Despite the fact that the discovered malicious packages have since been removed from NuGet, .NET developers are still at high risk from malicious code since NuGet packages still contain facilities to run code immediately upon package installation," the JFrog researchers stated in the blog post. "\[A\]lthough it is deprecated, \[an initialization\] script is still honored by Visual Studio and will run without any warning when installing a NuGet package."

JFrog advised developers to check for typos in imported and installed packages and said that developers should make sure not to "accidentally install them in their project, or mention them as a dependency," the company stated.

In addition, developers should view the contents of packages to ensure that there are no executable files that are being downloaded and automatically executed. While such files are common in some software ecosystems, they are usually an indication of malicious intent.

Through a variety of countermeasures, the NuGet repository — as well as npm and PyPI — are slowly, but surely, eliminating the security weaknesses, says JFrog's Menashe. 

"I don't expect NuGet to become more of a target in the future, especially if the NuGet maintainers were to fully remove support for running code on package install — which they have already partially done," he says.

.NET Devs Targeted With Malicious NuGet Packages

The application security expert, who went by "@aloria," is being remembered for her brilliance and generosity, as tributes start to pour in honoring her life.

The cybersecurity sector is mourning the passing of security expert Kelly Lum, also widely known by her Twitter handle, @aloria.

SummerCon, one of the many cybersecurity organizations to which Lum lent her expertise over the years, was one of the first to share the news about her death. "It is with profound sadness that we mourn the loss of out friend and mentor, @aloria," the tweet from SummerCon said.

Lum was the director of information security at Service Channel, a position she held since 2019. She previously served an adjunct professor at New York University's Tandon School of Engineering, where she shared her vast experience in application security with a new generation of cybersecurity professionals. Lum was regularly featured at cybersecurity conferences, including Black Hat, where she served as a member of the Black Hat Advisory Board and as the Defense Track lead.

In 2014 at Black Hat USA, Lum, who was then a security engineer with Tumblr, teamed up with Zach Lanier, then-senior security researcher at Duo Security, to disclose their findings on dangerous cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in four commercial data loss prevention (DLP) products. 

Lum passed away "due to progressed critical illness, in a hospitalized setting surrounded by her family," SummerCon tweeted.

_**Editor's note:**_ _**Lum was a respected expert source to Dark Reading and a friend to many. She will be deeply missed.**_

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading