Much like a hostage's proof-of-life video, the ransomware gang offers the film as verification that it has the goods, and asks $1 million for the data.

A ransomware gang, dubbed Medusa, has publicly released a roughly one-hour-long video containing stolen data from the Minneapolis Public School (MPS) District — with a demand of $1 million in payment in exchange for the data's deletion.

The video, shared on the American video-sharing platform Vimeo, came after Medusa listed the school district as one of its victims on its proprietary Tor data leak site. The ransomware gang provided a deadline of March 17 for the payment to be made, though it said it was willing to accept equal amounts of payment for the same data from additional buyers in the meantime. 

The video was first brought to the world's attention by Brett Callow, threat analyst at Emisoft, who, back in September, also shared screen captures of threats from the Vice ransomware gang threatening to leak data from the Los Angeles Unified School District (LAUSD).

"Medusa has uploaded a ~51 minute video to Vimeo which shows screenshots of the data they claim to have stolen from #MPS. It's the first time recall seeing this particular tactic. #ransomware," Callow posted in a tweet, alongside a screen capture of the Vimeo leak.

Though an MPS systems notice stated that the ransom has not yet been paid, and that there's no "evidence that any data accessed has been used to commit fraud," concerns about the level of cybersecurity regarding personal identifiable information (PII) of students in K-12 school districts abound, as attacks on student data continue to be ongoing. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Medusa Gang Video Shows Minneapolis School District's Ransomed Data

Unmanaged devices pose a significant challenge and risk for many organizations. Here are the five reasons you should care about unmanaged devices and assets.

Unmanaged devices pose a significant challenge for many organizations. These devices can be anything connected to a network but not actively managed by IT or security. These assets usually aren't captured in an asset inventory and can take many forms, such as shadow IT, rogue assets, and orphaned assets. Because security teams struggle to discover them, these devices fly under the radar and create potential footholds into a network.

What could happen if these devices are left unmanaged? Let's take a look at five reasons why you should care about unmanaged devices.

**Reason 1: Unmanaged devices are often the first foothold for attackers.**

Attackers often scan the network for any outliers: machines that have lower patch levels, unusual services running on ports, and unique pieces of software not found on the rest of the network. These outliers are great entry points for an attack because they tend to be more easily exploitable, are less likely to have security controls, and if orphaned, don't have anybody managing them. Identifying unmanaged devices to either update or decommission them is a great way to reduce your attack surface and mitigate risk.

**Reason 2: Unmanaged devices hinder incident investigations.**

Analysts in a security operations center (SOC) need to quickly and efficiently work through alerts. There was a case where an analyst received an alert that an internal IP address was communicating with a known-bad IP, notably the command-and-control (C2) server. However, the SIEM and CMDB didn't have any record of the IP on the network, nor did the vulnerability management or endpoint detection and response (EDR) consoles. The device turned out to be an IP camera that had been compromised by malware because it was using default credentials. With an asset inventory that tracks Internet of Things (IoT) devices, the analyst would have quickly resolved this incident. They could have also found other devices that share the same make and model to see if they were using default credentials.

**Reason 3: Accidental network bridges bypass firewalls.**

In another case, a critical manufacturing line was shut down due to ransomware. Investigations showed that a rogue device had bridged from the IT to the OT network, enabling attackers to bypass a firewall that had been put in place to segment the networks. The security team lacked visibility into network bridges of unmanaged devices, which is why the issue wasn't identified ahead of time.

**Reason 4: Rogue devices complicate governance of security controls.**

Proper governance dictates that every device has security controls. It's impossible to figure out coverage gaps without knowing all of the devices on the network. To zero in on your gaps, you need to start with a full asset inventory. Then, you can overlay data from security controls and look for gaps in the inventory. Some common things to look for are Windows machines missing CrowdStrike (or EDR agents).

**Reason 5: End-of-life devices are potentially vulnerable.**

Manufacturers often no longer provide functional and security fixes for these end-of-life (EOL) devices, making them much riskier and more difficult to secure if something goes wrong. If unmanaged devices are not inventoried, security teams are unable to get ahead of potential risks and issues. In addition, finance teams benefit from knowing which devices are fully depreciated and when a new budget is required to replace them.

**Solving for Unmanaged Devices**

Solving for unmanaged devices starts with a full asset inventory that delivers in-depth details about every asset on your network, including managed and unmanaged ones. Full asset inventory requires active, unauthenticated discovery, which doesn't assume any prior knowledge of network-connected devices, such as credentials to authenticate into devices and endpoints. Instead, it focuses on discovery capabilities that are research-driven to find and surface every network-connected asset, whether managed or unmanaged. This approach can be complemented through integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices.

Getting a handle on unmanaged assets is critical for any security program, and with a solution built around active, unauthenticated discovery, finding your unmanaged assets will finally be possible.

    

**About the Author**

Chris Kirsch started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and social engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world's largest hacker conference. Currently, Chris is the CEO of runZero (www.runzero.com), a cyber-asset management company he co-founded with Metasploit creator HD Moore.

5 Reasons You Should Care About Unmanaged Assets

More than five out of every 1,000 commits to GitHub included a software secret, half again the rate in 2021, putting applications and businesses at risk.

The rate at which developers leaked critical software secrets, such as passwords and API keys, jumped by half to reach 5.5 out of every 1,000 commits to GitHub repositories.

That's according to a report published by secrets-management firm GitGuardian this week. Though the percentage seems small, overall, the firm detected at least 10 million instances of secrets leaking to a public repository, accounting for more than 3 million unique secrets in total, the company stated in its "2022 State of Secrets Sprawl" report. 

While generic passwords accounted for the majority (56%) of secrets, more than a third (38%) involved a high-entropy secret that includes API keys, random number generator seeds, and other sensitive strings.

As more companies move their application infrastructure and operations to the cloud, API keys, credentials, and other software secrets have become critical to the security of their business. When those secrets leak, the results can be devastating, or at the very least, expensive.

"Secrets are the crown jewels of any business or organization — they really can grant access into all of your systems and infrastructure," says Mackenzie Jackson, security and developer advocate at GitGuardian. "The risk can be anything, from complete system takeovers, to small data exposures, or various other things."

    

Environment files (env) typically contain the most sensitive data. Source: GitGuardian

"Millions of such keys accumulate every year, not only in public spaces, such as code-sharing platforms, but especially in closed spaces such as private repositories or corporate IT assets," GitGuardian stated in its "2022 State of Secrets Sprawl" report.

And even those private spaces can be vulnerable. In January, for instance, collaboration and messaging platform Slack warned users that a "limited number of Slack employee tokens" had been stolen by a threat actor, who then downloaded private code repositories. Last May, cloud application platform provider Heroku, a subsidiary of Salesforce, acknowledged that an attacker had stolen a database of hashed and salted password after gaining access to the OAuth tokens used to integrate with GitHub.

**Infrastructure — as ... Whoops!**

Part of the reason for the increase in leaking secrets is because infrastructure-as-code (IaC) has become much more popular. IaC is the managing and provisioning of infrastructure through code instead of through manual processes, and in 2022, the number of IaC-related files and artifacts pushed to GitHub repositories increased by 28%. The vast majority (83%) of files consisting of configuration files for Docker, Kubernetes, or Terraform, according to GitGuardian.

IaC allows developers to specify the configuration of the infrastructure used by their application, including servers, databases, and software-defined networking. To control all those components, secrets are often necessary, Jackson says.

"The attack surface keeps expanding," he says. "Infrastructure-as-code has become this new thing and it's exploded with popularity, and infrastructure needs secrets, so infrastructure-as-code \[files\] often contains secrets."

In addition, three filetypes commonly used as caches for sensitive application information — .env, .key, and .pem — are considered the most sensitive, defined as having the most secrets per file. Developers should almost always avoid publishing those files to a public repository, Jackson says.

"If one of these files is in your Git repository, then you know you have holes in your security," he says. "Even if the file doesn't contain secrets, they just should never be there. You should have prevention in place to make sure that they're not there and alerting in place to know when they are there."

For that reason, companies should continuously scan systems and files for secrets, gaining visibility and ability to block potential dangerous files, Jackson adds.

"You want to scan all of your infrastructure to make sure you have visibility" he says. "And then the next steps include implementing tools to check engineers and developers ... to detect any secrets when they slip out."

Inside Threat: Developers Leaked 10M Credentials, Passwords in 2022

With more than 700,000 cybersecurity jobs available, now is a good time to consider a career change.

We've been battling the cybersecurity talent shortage for more than a decade, yet the problem seems to be getting worse, rather than better. According to CyberSeek, right now, there are almost 755,800 cybersecurity job openings in the US alone.

Over the past year, there's been a lot written about how companies are trying to close this gap by considering candidates with nontraditional backgrounds — including people looking to make a career change. While it's encouraging that someone may want to jump into cybersecurity, actually understanding how to make such a move can be difficult.

Let's face it: Making a career change is scary. It's completely unfamiliar territory. How do you even begin a career in cybersecurity? What steps are required? Do you need certifications before applying to a position? Do you need a degree? These are all real and relevant questions, and there hasn't been much guidance on how aspiring cybersecurity professionals can go about making a switch.

**Practical Steps**

With both a bachelor's and a master's degree in elementary education and teaching, I recently went through this process and had to find my own way, with very little outside help. So, it has become a passion of mine to help others in a similar position — no one should have to go this road alone.

Here are five practical steps for pursuing a new career in cybersecurity.

1.  **Reflect on the reasons you want to get into cybersecurity:** Don't make the career change because the grass seems greener or the pay seems higher. Really take the time to understand why this change resonates with your personal core value system. The old adage "If you love what you do, you will never work a day in your life" is applicable here. Make sure you're getting into cybersecurity for the right reasons.
2.  **Research different cybersecurity career paths to determine which you're most passionate about:** The job possibilities in cybersecurity are endless. If you want a technical role, applicable positions include designer/architect, defender, hacker, responder, auditor, and manager. If a less technical position is more up your alley, consider getting into education and training, conducting risk assessments, getting into marketing or HR, or becoming a salesperson. Whichever direction you choose to take, make sure your core cyber pathway aligns with your persona.
3.  **Look at your own job board:** Once you know which cybersecurity path you want to explore, look at your current company's job board to see which positions are open and if any of your skills are transferable. Don't worry if you don't have all the job qualifications listed — certain expertise and experience you do have could outweigh what you don't. For example, common "soft skills" required for many jobs across industries — such as being a life-long learner, a problem solver, or an effective communicator — now are essential to cyber roles and as equally valued as technical skills.
4.  **Network:** If you need to look outside your company for a cybersecurity role, think about who you know who could make a connection on your behalf. Joining industry and local cybersecurity groups is a great way to network. Women in CyberSecurity (WiCyS), which has a mission to "recruit, retain and advance women in cybersecurity," is an example of one such organization committed to networking and support.
5.  **Leverage the resources available to you to gain cybersecurity experience:** For example, (ISC)2 offers a free Certified in Cybersecurity Certification to help individuals kick-start their career. (I took this exam myself and found it very helpful and relevant.) Don't worry too much about overloading on certifications upfront, though. These can come down the road, if you decide to specialize in a certain area.

**A Note to Hiring Managers**

Entry-level cybersecurity job descriptions are deterring career changers (and recent graduates) from applying to open positions — and this in and of itself is contributing to the talent shortage.

Often, the requirements within entry-level job posts are unrealistic. For example, many require a Certified Information Systems Security Professional (CISSP), which can be attained only after five years of experience. How can an entry-level candidate already have five years under their belt? They can't. Cybersecurity professionals do not need a college degree to be successful. Post-secondary vocational schools, online training courses, and even self-learning can give candidates the skills they need to succeed.

We need to reset expectations, and the best way to do this is by having cybersecurity teams in need of new employees work directly with hiring managers to fix the disconnect between job descriptions and the actual qualifications needed to be successful in an entry-level cybersecurity role.

**It's All About Support**

Just as cybercriminals band together to go after victims, we in the cybersecurity industry need to collaborate too — not only to defend against bad actors but to help each other succeed. When security teams are fully staffed, companies' defenses against cybercriminals will be stronger. And we can help fill these open positions by supporting people who want to jump into cybersecurity, providing the resources they need to be successful, and helping to correct hiring managers' misperceptions of entry-level job qualifications. When we come together as an industry, we can truly make great strides to overcome the cybersecurity talent shortage.

How to Jump-Start Your Cybersecurity Career

A top Iranian, state-sponsored threat is a spear-phishing campaign that uses a fake Twitter persona to target women interested in Iranian political affairs and human rights.

A well-known Iranian threat group, Cobalt Illusion, has been linked to a spear-phishing campaign that is using the protests surrounding the death of Mahsa Amini in Iran as a lure.

Amini was a 22-year-old Iranian woman who was allegedly beaten to death by Iranian police for not wearing her hijab in accordance with government regulations. Her death set off a series of protests, particularly by women, who used them to publicly defy the same rules for which Amini was arrested.

Researchers from Secureworks identified the campaign, which targets such female protestors, political activists, and human rights researchers using a fake Twitter account. Someone using the name Sara Shokouhi, with a Twitter handle @SaShokouhi, reaches out to victims purportedly on behalf of US think tank Atlantic Council. In reality, Sara is a creation of the Cobalt Illusion advanced persistent threat (APT), aka Charming Kitten, APT42, Phosphorous, TA453, and Yellow Garuda.

"The threat actors create a fake person and use it to build rapport with targets before attempting to phish credentials or deploy malware to the target's device," said Secureworks CTU Rafe Pilling, principal researcher and Iran thematic lead, in a press statement. "Having a convincing persona is an important part of this tactic."

A cluster of activity reported on Twitter Feb. 24 spurred investigation into possible malicious cyber activity, with a number of women actively involved in Middle East political affairs and human rights reporting contact from the individual, researchers revealed in a blog post published today. What they discovered is that the @SaShokouhi Twitter account, in operation since October, has been tweeting or engaging in posts supportive of the Mahsa Amini protest in Iran to appear "sympathetic to protesters' interests and demands and create an illusion of shared interests," the Secureworks Counter Threat Unit (CTU) research team wrote in the post.

**Finding Common Ground**

Cobalt Illusion appears to have used the protests as a way to find common ground with targets, the researchers said. Included in some of the posts made by @SaShokouhi were "cynical use of distressing content such as images of dead children, physical abuse suffered by protesters, anti-Iranian government commentary, and anti-Iranian symbolism," the researchers wrote.

The researchers ultimately found that attackers created the Sara Shokouhi persona using stolen images from an Instagram account belonging to a psychologist and tarot card reader based in Russia, Pilling said. The APT also set up a fake Instagram account using the photos, @sarashokouhii.

The tactics used in the campaign are typical of the Cobalt Illusion APT, which is associated with Iran's Revolutionary Guard Corps (IRC) and has been active since about 2014.

"Phishing and bulk data collection are core tactics of Cobalt Illusion," Pilling said. "We've seen this happen in several guises in recent years."

Indeed, the group is known for using social media platforms to target academics, journalists, human rights defenders, political activists, intergovernmental organizations (IGOs), and nongovernmental organizations (NGOs) that focus on Iran. Their modus operandi is to set up trusted relationships through these platforms and then use phishing campaigns to steal credentials for systems they wish to access for cyber-espionage purposes, the researchers said.

Cobalt Illusion uses the information stolen through this activity in various ways, including to inform Iranian military and security operations of activity by persons of interest, which not only could lead to their surveillance, but even their arrest, detention, or targeted killing, Pilling said.

**Impersonating a Think Tank**

In the recent campaign observed by Secureworks, the SaShokouhi persona courted victims by claiming to work with Holly Dagres, a senior fellow at the Atlantic Council. In a tweet — a screenshot of which researchers included in their post — Dagres herself denied working with Shokouhi, indicating that the persona is not legitimate.

The link to Atlantic Council also is a giveaway that Cobalt Illusion is involved, the researchers said. That's because in previous activity confirmed by the Computer Emergency Response Team in Farsi (CERTFA) in September, the APT impersonated an Atlantic Council employee, they said. CERTFA is comprised of cybersecurity experts in Iran's digital security space.

"In that campaign, the group attempted to engage targets in video calls and delivered phishing links via the chat function at an appropriate point in the conversation," CTU researchers wrote.

CERTFA Lab has published a set of phishing indicators related to the campaign, which align with past Cobalt Illusion activity. Researchers recommended that organizations that could be targeted use available controls to review the IP addresses associated with the campaign and restrict access to them, being wary of the likelihood of their containing malicious content before opening them in a browser.

As always, when it comes to phishing, organizations should use industry-proven and reliable email-scanning technology to delete malicious messages before they reach employees, as well as train employees how to spot hallmarks of phishing activity to avoid engaging and thus risking compromise of sensitive data and systems, the researchers said.

Iranian APT Targets Female Activists With Mahsa Amini Protest Lures

Users should patch an unauthenticated remote code execution bug impacting FortiOS and FortiProxy administrative interfaces ASAP, Fortinet says.

Fortinet is warning users to patch a critical remote code execution (RCE) vulnerability in the FortiOS operating system, and in the FortiProxy secure Web gateway. 

An alert this week from FortiGuard Labs said a heap buffer underflow bug in the administrative interface could allow an unauthenticated, remote cyberattacker to execute code on a device running the platforms. The vulnerability could also allow a threat actor to perform a denial-of-service (DoS) attack on the GUI of devices running the vulnerable code, Fortinet added.

Fortinet has issued a security update for FortiOS and FortiProxy interfaces, and noted that no exploitation has been detected yet. 

"Fortinet is not aware of any instance where this vulnerability was exploited in the wild," the alert explained. "We continuously review and test the security of our products, and this vulnerability was internally discovered within that frame."

This is the latest bug to come to light in the popular security appliance vendor's gear. Just late last month, Fortinet urged FortiNAC users to update their systems against a flaw that allowed unauthenticated attackers to write arbitrary system files.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical RCE Bug Opens Fortinet's Secure Web Gateway to Takeover

These agile controls and processes can help critical infrastructure organizations build an ICS security program tailored to their own risk profile.

It's no secret that the industrial control system (ICS) attack surface is rapidly expanding (PDF). From advancements in business digitalization, IT-OT convergence, and Internet of Things (IoT) adoption to the ripple effects of escalating geopolitical tensions, organizations in critical infrastructure sectors must be positioned to combat accelerating ICS attacks that, in addition to forcing prolonged operational downtime, can potentially put people and communities at severe risk.

After all, there's a clear differentiator regarding the nature of ICS/OT threats. Unlike traditional attacks against enterprise IT networks that are primarily rooted in monetary gain or data theft, state-sponsored adversaries often target critical infrastructure systems with the malicious intent to disrupt operations, inflict physical damage, or even facilitate catastrophic incidents that lead to loss of life.

This isn't fable or fiction — it's reality. In early February, leaders of two US House subcommittees called on the US Energy Department to provide information regarding three nuclear research laboratories targeted by the Russian hacking group Cold River last summer. Or take the Russian state-sponsored Crashoverride incident (PDF) of 2016, which manipulated ICS equipment through the abuse of legitimate ICS protocols to disrupt the flow of electricity across Ukraine's power grid at the transmission substation level. As a result, part of Ukraine's capital, Kyiv, experienced a one-hour outage overnight.

The incident served as a microcosm to an evolving era of cyber-risk, signifying the importance of trained defenders with engineering backgrounds who can effectively monitor ICS networks and actively respond to attacks before impact. After all, a weak ICS/OT security posture can pose risk to public health, environmental safety, and national security.

That said, critical infrastructure organizations have a responsibility to deploy a robust ICS/OT security framework that protects their operational assets from sophisticated attacks. This isn't a matter of meeting mandatory compliance minimums to avoid fines or regulatory penalties. It's about leaving no stone unturned to protect people from the real-world impact of cybercrime — not only their own personnel, but those living and working in the surrounding communities from which they operate.

**The Five Components of Effective ICS/OT Security**

Balanced priorities are essential to effective ICS/OT security, as made clear by a recent SANS Institute whitepaper, "The Five ICS Cybersecurity Critical Controls." Prevention bias is a common theme across the cybersecurity community. Between 60% and 95%of the best-known and utilized security frameworks are preventative in nature but fall behind in detection and response. As a result, many organizations invest as little as 5% of their resources toward detecting, responding, operating through an attack, and recovering from compromises. Because the volume and velocity of ICS-related attacks are rapidly increasing, even the most stringent prevention measures are bound to be bypassed. Organizations must be prepared for when that happens — and integrating AI-enabled detection and response approaches that drive agile mitigation and recovery action.

Adopting an ICS/OT security framework that encompasses the following five critical controls is key to achieving that balance.

1.  **ICS incident response:** An operations-informed incident response plan is designed with focused system integrity and recovery capabilities to reduce the complexity of responding to attacks in operational settings. These exercises reinforce risk scenarios and use cases tailored to their security environment — prioritizing actions based on the potential for operational impact and how to position the system to operate through an attack. They also enhance operational resilience by facilitating root cause analysis of potential failure events. 
2.  **Defensible architecture:** An effective ICS-defensible architecture supports visibility, log collection, asset identification, segmentation, industrial demilitarized zones, and process-communication enforcement. It helps bridge the gap between technologies and humans, reducing risk through system design and implementation while driving efficient security team processes. 
3.  **ICS network visibility monitoring:** Due to the "systems of systems" nature of ICS attacks, it's vital to implement continuous network security monitoring of the ICS environment with protocol-aware tool sets and systems of systems interaction analysis. These capabilities can be leveraged to inform operations teams of potential vulnerabilities to alleviate, aiding in general resilience and recovery. 
4.  **Remote access security:** Following the societal adoption of cloud-based hybrid work structures, adversaries are increasingly exploiting remote access to infiltrate OT networks. In the past, the primary attack path to an OT network was through that organization's IT network, but now threat actors can also capitalize on the IT network vulnerabilities of their entire supply chain. In turn, maintaining secure remote access controls is nonnegotiable for modern industrial operations. 
5.  **Risk-based vulnerability management:** A risk-based vulnerability management program empowers organizations to define and prioritize the ICS vulnerabilities that generate the highest level of risk. Often, they are vulnerabilities that allow adversaries to gain access to the ICS or introduce new functionality that can be leveraged to cause operational issues such as the loss of view, control, or safety within an industrial environment. Adopting risk-based vulnerability management requires having controls and device operating conditions in place that drive risk-based decisioning during prevention, response, mitigation, and recovery action.

**Fostering a Safer Future**

For facilities struggling to get a handle on their own ICS/OT security program, I recommend using the five critical controls as a starting point. These five pillars can serve as a road map for critical infrastructure organizations to build an ICS security program tailored to their own risk profile. And while the controls are invaluable to ICS/OT security, their potency still relies on an organizational culture of alignment where the severity of cyber-risk is understood and prioritized at every level — ranging from the board and executive leadership down to their security teams.

ICS/OT security must follow a team sport approach, combining the strength of agile controls and well-defined processes to keep pace with the accelerating nature of ICS attacks. With the right framework in place, critical infrastructure organizations can take proactive steps to drive their own defenses against malicious adversaries.

5 Critical Components of Effective ICS/OT Security

It's getting hard to buy cyber insurance, but not having it is not always an option. Low-coverage plans could bridge the gap.

"Everybody says it, so it must be true" is an example of the bandwagon logical fallacy. In the context of cyber insurance, the argument goes that everyone is a potential victim of an attack, thus everybody must have cyber insurance. In reality, not every organization can afford to buy cyber insurance, and there are organizations that don't qualify for a policy even if they want one.

Having cyber insurance used to be as simple as purchasing a prepackaged cyber insurance policy, similar to the process of buying a home or car insurance policy. With the explosion of ransomware attacks, the industry has been in disorder as insurance carriers and brokers process claims for damages caused by ransomware. In response to soaring claims, carriers are reducing the amount of coverage offered per policy, charging higher prices for less coverage, imposing much tighter rules on who can qualify for coverage, and cancelling policies for companies that don't meet the minimum requirements.

Policy coverages are significantly lower than they used to be, in some cases dropping from $10 million to $5 million and often lower, and many companies cannot get enough, says J. Andrew Moss, a partner at Reed Smith LLP's Insurance Recovery Group. "You have to fill in the gaps, and that's very tough because capacity has just been low or companies are priced out from buying as much insurance as they would ideally like to buy," he adds.

**Coverage Required, But Out of Reach**

For victims of a ransomware attack or a hacking attack where private information was disclosed, it can be difficult to obtain new policies. "What we usually recommend is that they undergo what we call a holistic review of their current insurance coverage," says Moss. The review includes general liability coverage, kidnap and ransom, property, first-party property insurance, and errors and omission, if they're in a professional services organization.

Some contracts and compliance regulations require that a company have a cyber insurance policy — posing a quandary for those companies that lose coverage. Without coverage, the company will find itself out of compliance or be vulnerable to a partner lawsuit for violating the terms of an existing contract. Getting some kind of cyber insurance policy often is mandatory, even if the company has other policies that could cover many of the losses a company might experience.

"It's not a comfortable time to be in business with respect to cyber risks," says Daniel J. Struck, a partner at the law firm Culhane Meadows PLLC. Characterizing today's cyber insurance market as being similar to the Wild West, Struck said he would not be surprised to see "relatively low-cost cyber insurance that doesn't cover much, but at least it provides the certificate for a contractor." He likens such "skinny" cyber insurance offerings to the low-cost, low-coverage auto insurance policies that allow drivers to meet US state auto insurance mandates.

**Bare Minimum Provides a Fig Leaf**

One benefit of a basic policy is that it could permit more organizations to obtain affordable coverage, eliminating the possibility of losing insurance and going out of compliance or violating contractual obligations.

Curtis Dukes, executive vice president and general manager for security best practices at the Center for Internet Security (CIS), notes that most corporate cyber insurance policies are negotiated by the corporate general counsel or outside counsel, and virtually all business policies are different. Underwriting these policies can take up to three months, he adds, due to their complexity and nonstandard clauses.

CIS offers a free self-assessment tool that helps users understand the financial impact of various aspects of a breach, including costs related to productivity, response, replacement, legal, competitive advantages, and reputation. The tool helps companies assess, report, and propose changes in cybersecurity controls based on a return-on-investment analysis, the organization says.

As all states have their own insurance commissioner and rules, Dukes suggests that companies lobby the National Association of Insurance Commissioners directly to develop national, standardized policies that would be easier for organizations to understand and manage, as well as set minimum requirements for a basic policy. A copy of the NAIC's 2022 Report on the Cyber Insurance Market can be found here, with its discussions on cyber insurance, committee actions, and resources located here.

'Skinny' Cyber Insurance Policies Create Compliance Path

Confidential computing will revolutionize cloud security in the decade to come and has become a top C-level priority for industry leaders such as Google, Intel and Microsoft. Edgeless Systems is leading these advancements to ensure all data is always encrypted.

**BOCHUM,** **Germany****,** **March 7, 2023** **/PRNewswire/ --** Edgeless Systems, a pioneering confidential computing company that is turning the public cloud into the safest place for sensitive data, today announced it has raised $5 million in its seed round led by Berlin\-based SquareOne with angel investors that include Evan Weaver (founder of Fauna), Mirko Novakovic (exit of Instana to IBM), Paolo Negri (founder of Contentful), Mathias Biilman and Chris Back (founders of Netifly).

The company is also hosting the annual Open Confidential Computing Conference (OC3) on March 15, 2023 where CTOs from Intel, Microsoft, AMD, Nvidia and others will discuss the state of confidential computing.

"Too many companies remain locked out of the cloud due to security concerns, but confidential computing technologies are poised to dramatically address this challenge in the coming months and years," said Georg Stockinger, Partner, SquareOne. "Edgeless Systems is already light years ahead of anyone else building the tools to make confidential computing easily accessible for developers in the enterprise. Its Constellation platform for Kubernetes is proof of its deep technical knowledge and first-mover position."

Edgeless Systems' flagship open source platform, Constellation and its associated tools, are already being used by hundreds of developers and DevOps engineers at companies such as Bosch, IBM and Intel, among others. Constellation is a confidential orchestration platform for Kubernetes. It leverages confidential computing to isolate and runtime-encrypt entire Kubernetes deployments, finally allowing enterprises to use the public cloud like their private cloud.

"We are turning the public cloud into everyone's private cloud," said Felix Schuster, CEO of Edgeless Systems. "By encrypting data all the time, even at runtime, and providing the best possible protection against infrastructure-based threats like malicious admins or co-tenants, Edgeless Systems can transform the way developers build and secure their public cloud workloads."

Moving workloads to the public cloud has many proven benefits but raises major compliance and data security concerns. Unfortunately, data leaks and compliance violations are realities associated with cloud transformation. Confidential computing is a hardware-based technology that shields computer workloads from their environments and keeps data encrypted even during processing. The required hardware (largely big hyperscalers) to realize the promise of confidential computing has only recently become available. Edgeless Systems has been an active driver of this emerging technology and today brings to bear both the technologies and financial backing to take it to the next level.

Edgeless Systems will use the seed funding to sustain its product lead, expand into the United States and add exciting features to its Constellation platform. It aims to be the defacto standard for 100 percent secure Kubernetes in the coming years. It will also build out its marketing and sales teams to help educate the industry on confidential computing and support advancements in this area.

For more information about Edgeless Systems, visit GitHub or get in touch for a live demo.

**About Edgeless Systems**

Edgeless Systems develops leading open source software for confidential computing to make the cloud the safest place for sensitive data. Edgeless Systems' Constellation is the first Kubernetes platform to ensure that hackers, cloud admins and foreign governments cannot access any data. The company was founded in 2020 by industry experts in Bochum, Germany, and has renowned investors and customers such as the Swiss stock exchange SIX and Bosch. For more information, please visit: https://www.edgeless.systems/

Edgeless Systems Raises $5M to Advance Confidential Computing

More than two years after a major takedown by law enforcement, the threat group is once again proving just how impervious it is against disruption attempts.

Like the proverbial bad penny that constantly keeps turning up, the Emotet malware operation has resurfaced yet again — this time after a lull of about three months.

Security researchers this week noted that the group is once again posing a threat to organizations everywhere, with malicious email activity associated with Emotet resuming early on March 7. The emails have been arriving in victim inboxes as innocuous-looking replies to existing email conversations and threads, so recipients are more likely to trust their content. Some of the Emotet emails have been landing as new messages as well.

**Very Large File & Payload**

The emails contain a .zip attachment, which, when opened, delivers a Word document that prompts the user to enable a malicious macro. If enabled, the macro, in turn, downloads a new version of Emotet from an external site and executes it locally on the machine.

Researchers from Cofense and Hornet Security who observed the fresh malicious activity described the Word documents and the malicious payload as inflated in size and coming in at more than 500MB each. Overall, the volume of the activity has remained unchanged since early March 7, and all of the emails have been attachment-based spam, the researchers said.

"The malicious Office documents and the Emotet DLLs we're seeing are very large files," says Jason Muerer, senior research engineer at Cofense. "We have not yet observed any links with the emails."

Hornet Security ascribed the large file and payload sizes as a likely attempt by the group to try and sneak the malware past endpoint detection and response (EDR) tools. "The latest iteration of Emotet uses very large files to bypass security scans that only scan the first bytes of large files or skip large files completely," according to a post by Hornet researchers. "This new instance is currently running at a slow pace, but our Security Lab expects it to pick up."

**A Malware That Refuses to Die**

Emotet is a malware threat that first surfaced as a banking Trojan in 2014. Over the years, its authors — variously tracked as Mealbug, Mummy Spider, and TA542 — have turned the erstwhile banking Trojan into a sophisticated and lucrative malware delivery vehicle that other threats actors can use to deliver different malicious payloads. These payloads have in recent years included highly prolific ransomware strains, such as Ryuk, Conti, and Trickbot.

The threat actors' preferred mode for delivering Emotet has been via spam emails and phishing, crafted to get users to open attached files or to click on embedded links to malware delivery sites. Once the threat actor compromises a system, Emotet is used to download other malware on it for stealing data, installing ransomware, or for other malicious activities such as stealing financial data. Emotet's command-and-control infrastructure (C2) presently runs on two separate botnets that security vendors have designated as epoch 4 (E4) and epoch 5 (E5)

In early 2021, law enforcement officials from multiple countries disrupted Emotet's infrastructure in a major collaborative effort that has done little to stop the threat actor from continuing its malware-as-a-service. At the time, the US Department of Justice assessed that Emotet's operators had comprised over 1.6 million computers worldwide between April 2020 and January 2021. Victims included organizations in healthcare, government, banking, and academia.

**New Activity, Same Tactics**

An October 2022 analysis of the Emotet threat group by security researchers at VMware identified multiple reasons for the group's continued ability to operate after the massive law enforcement takedown. These included more complex and subtle execution chains, constantly evolving methods to obfuscate its configuration, and using a hardened environment for its C2 infrastructure.

"Emotet has been used to deliver a range of secondary payloads," Muerer says. "While it was predominantly delivering other malware families in the past, there is evidence that the current endgame for these actors will likely be focused on ransomware."

There's nothing about the new Emotet activity that suggests that the threat group has deployed any new tactic or technique, Muerer says. The email-thread hijacking tactic and the macro-enabled Word documents are both tactics that the operators have been using for some time. And, as always, the primary infection vector remains spam and phishing emails.

"Nothing major has shifted that we are aware of," Muerer says. "Emotet remains a threat to everyone, with a disproportionately high impact on small businesses and individuals."

Source

DARKReading