The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said.

The BianLian ransomware group is ramping up its operations and maturing as a business, moving more swiftly than ever to compromise systems. It's also moving away from encryption to pure data-theft extortion tactics, in cyberattacks that have so far bagged at least 116 victims, researchers have found.

BianLian, first discovered last July, hasn't deviated much from its initial tactic: deploying a custom go-based backdoor once it infiltrates a network. The functionality of the malware essentially remains the same except for a few tweaks, researchers from Redacted said in a blog post published today.

However, the swiftness with which the group's command-and-control server (C2) deploys the backdoor has increased, and the group notably has moved away from ransoming encrypted files to focusing more on pure data-leak extortion as a means to extract payments from victims, the researchers said.

"BianLian has discovered that they don't need to actually encrypt victim networks to get paid," Adam Flatley, vice president of intelligence at Redacted, says.

This shift to focus on data-leak extortion is "extremely dangerous," because it allows the group to take the time and effort to tailor the threats to specific victims and exert more pressure to pay ransoms, he adds.

"BianLian will have an even stronger pressure position on trying to force their victims to not work with the FBI, to not report the incident, and just pay the ransom and move on," Flatley says.

BianLian's motivation for changing its encryption strategy is likely a response to Avast's release of an encryption tool for organizations that have been targets of the group to unlock their files, the researchers noted.

Given that BianLian has used double-extortion methods from the outset — threatening to release a victim organization's stolen data online if a ransom wasn't paid by a certain deadline — the group decided to skip the encryption step and go right to extortion, according to Redacted.

**Maturing As a Cyberattack Business**

This shift is part of BianLian's overall evolution and maturation as a business, the researchers said. While from its inception the group has had "a high level of operational security and skill in network penetration," they now appear to be hitting their stride in terms of the actual business of running a cybercriminal extortion gang.

Indeed, moving away from the unique encryption method that it displayed in early attacks is a smart business move, Flatley says, particularly as an evasion tactic. Because data theft does not cause network nor business disruption, it calls less attention to BianLian's activity, "which means their operations can fly more under the radar," he says.

"When business services are disrupted, it's very hard to keep an event quiet because customers and business partners start to notice that services are down, for example," Flatley says.

Another thing the group has going for it to achieve success with this new strategy is a faster time to deploy a backdoor on a network once they've gained initial access, the researchers said. This speed is linked to BianLian's strong C2 server game, with the group bringing close to 30 new ones online each month, each with a typical lifetime of about two weeks, they said.

Once BianLian establishes a C2 connection to a victim network, it now deploys its backdoor in mere minutes — which means that by the time security administrators discover a BianLian C2, "it is highly likely that the group has already established a solid foothold into a victim's network," the researchers said.

While it's difficult to know how many victims BianLian has compromised, as of March 9, the group has detailed 116 victim organizations on its leak site, the researchers noted. Of those victims, healthcare organizations represent the single largest industry vertical victimized by the group — a shift from early attacks, which focused mainly on the media and entertainment sector.

**Shoring Up Cyber Defense Against Data Theft & Extortion**

With BianLian and other ransomware group's pivoting to pure extortion tactics, enterprises must also make changes to how they defend against these attacks, the researchers said.

"They will need to focus even more on techniques that can help them avoid having to pay the ransom in double-extortion scenarios," Flatley says.

Some of those techniques include a stronger prevention strategy against easily thwarted attacks, as well as quicker detection of "unpreventable" network intrusions, he says. This can be done by "following best practices on passwords and multifactor authentication, aggressively patching your systems in a prioritized and enforced regime, and providing security training for your employees," Flatley wrote in a blog post on how organizations can avoid paying a ransom.

Shoring up incident response as well as having a plan ahead of an attack to prepare for ransom demands can also help organizations avoid the worst outcome of extortion-based attacks, Flatley says.

As part of the former, Flatley notes in his post that organizations should ensure that they have good system backups, that those backups are secured effectively so an attacker can't access them, and that the restoration process is fully tested to ensure it works correctly.

BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion

Minerva's robust technology and talented engineering team extend Rapid7's end-to-end managed threat detection and orchestration capabilities from the endpoint to the cloud.

**BOSTON, March 15, 2023 (GLOBE NEWSWIRE) --** Rapid7, Inc. (NASDAQ: RPD), a leader in cloud risk and threat detection, today announced it has acquired Minerva Labs, Ltd., a leading provider of anti-evasion and ransomware prevention technology. Today, Rapid7’s ManagedDetection and Response  (MDR) services provide customers elevated detection and response capabilities across their cloud, on-premise and extended attack surfaces. With this acquisition, Rapid7 will further extend its leading managed threat detection capabilities with the ability to orchestrate advanced ransomware prevention. These new capabilities will seamlessly extend MDR across cloud resources, traditional infrastructure, and existing endpoint protection infrastructure, enabling customers to further consolidate their security investments.  

With a growing attack landscape and the increasing pervasiveness of ransomware, organizations need to take a holistic and pragmatic approach to detection and response. In order to achieve best-in-class threat detection, security programs will benefit from leveraging seamless access to telemetry across their attack surface and technology consolidation that drives more effective threat response.

“Driving efficiency and maximizing security investments is critical in order for organizations to stay ahead of increasingly evasive and creative attacks,” said Jeremiah Dewey, senior vice president, managed services delivery at Rapid7. “Today, our MDR customers benefit from our proprietary detection and response technology, a fully integrated, world-class team of 24x7 security engineers, and leading security data science to detect, assess and respond to emerging threats. With Minerva, we are further extending our MDR capabilities with more advanced anti-evasion and malware prevention and orchestration from the endpoint to the cloud, as well as providing seamless support of existing, leading endpoint protection infrastructure. We are thrilled to welcome Minerva to Rapid7 and continue providing our customers and partners with a world-class MDR service and the opportunity for further technology and security operations consolidation.”

“Today is a monumental day for Minerva,” said Eddy Bobritsky, co-founder and CEO of Minerva Labs. “We’ve worked tirelessly to create technology that combats ransomware and puts the power back in the hands of organizations. We are excited to join Rapid7 to continue this journey and integrate our technology into Rapid7’s industry-leading managed detection and response capabilities.”

Minerva Labs was co-founded in 2014 by Eddy Bobritsky and Erez Breiman to help organizations mitigate the risks associated with ransomware. Minerva’s technology provides multi-layer prevention by neutralizing and preventing malicious activity before execution, while also enabling more agility to integrate with third-party endpoint protection solutions.

**Transaction Details**

Under the terms of the agreement, Rapid7 will pay approximately $38 million in cash and stock to acquire Minerva Labs, Ltd., subject to certain adjustments. The acquisition of Minerva is not expected to have a material financial impact to Rapid7’s Annualized Recurring Revenue growth, revenue, non-GAAP operating income, and non-GAAP net income per share for calendar year 2023, as guided on February 8, 2023.

**About Rapid7**  
Rapid7, Inc. (Nasdaq: RPD) is on a mission to create a safer digital world by making cybersecurity simpler and more accessible. We empower security professionals to manage a modern attack surface through our best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help more than 10,000 global customers unite cloud risk management and threat detection to reduce attack surfaces and eliminate threats with speed and precision. For more information, visit our website, check out our blog, or follow us on LinkedIn or Twitter.

**Cautionary Language Concerning Forward-Looking Statements**

This press release includes forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. These forward-looking statements include, but are not limited to, the statements regarding our expectations for the acquisition of Minerva (the “Acquisition”), anticipated financial impacts of the Acquisition, our future performance, growth and operating leverage, and the ability of our solutions to drive profitable, sustainable growth. Our use of the words “anticipate,” “believe,” “estimate,” “expect,” “intend,” “may,” “will” and similar expressions are intended to identify forward-looking statements. The events described in our forward-looking statements are subject to a number of risks and uncertainties, assumptions and other factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by the forward-looking statements. Risks that could cause or contribute to such differences include, but are not limited to, the ability to recognize the anticipated benefits of the Acquisition, which may be affected by, among other things, competition and the ability of the combined company to grow and manage growth profitably and retain its key employees, costs related to the Acquisition, growing macroeconomic uncertainty, unstable market and economic conditions, fluctuations in our quarterly results, risks arising from the ongoing COVID-19 pandemic, failure to meet our publicly announced guidance or other expectations about our business, our ability to sustain our revenue growth rate, the ability of our products and professional services to correctly detect vulnerabilities, our customers renewal of their subscriptions with us, competition in the markets in which we operate, market growth, our ability to innovate and manage our growth, our sales cycles, our ability to integrate acquired companies, and our ability to operate in compliance with applicable laws as well as other risks and uncertainties set forth in the “Risk Factors” section of our most recent Quarterly Report on Form 10-K filed with the Securities and Exchange Commission (the “SEC”) on February 24, 2023 and in the subsequent reports that we file with the SEC. Moreover, we operate in a very competitive and rapidly changing environment. New risks emerge from time to time. It is not possible for our management to predict all risks, nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may cause actual results to differ materially from rapid7.com those expressed in any forward-looking statements we may make. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances after the date of such statements. You should, therefore, not rely on these forward-looking statements as representing our views as of any date subsequent to the date of this press release.

Rapid7 Acquires Minerva Labs to Extend Leading Managed Detection and Response Service

The challenges are steep, but school districts can fight back with planning.

Nantucket is a small island of windswept dunes and postcard perfect lighthouses 30 miles off the coast of Massachusetts. It's a place so isolated that Herman Melville described it in _Moby Dick_ as "a mere hillock, and elbow of sand; all beach, without a background."

But even this remote enclave couldn't escape the ransomware scourge that has been plaguing K-12 school districts around the United States.

**Attacks on Schools**

In late January, a ransomware attack caused the closure of Nantucket's four public schools. The island's 1,700 students were sent home at noon Jan. 31 and told not to use school-issued electronic devices. Schools reopened Feb. 2.

Nantucket wasn't alone. The same week, a ransomware attack affected computer systems at the Tucson Unified School District, though schools were able to remain open.

Ransomware assaults targeting the education sector have jumped dramatically around the world. Globally, a whopping 56% of K-12 schools were hit last year (PDF), according to a survey of 5,600 IT professionals in 31 countries by cybersecurity company Sophos.

The loss of learning after a cyberattack typically ranges from three days to three weeks, and recovery time lasts from two to nine months, the US Government Accountability Office reported in October.

These incidents and others — like the one in September that forced the Los Angeles Unified School District, the nation's second largest, to take its computer systems offline — not only show the lengths cybercriminals will go to if they're willing to attack one of the country's most precious institutions but the special struggles that school districts face in fighting the threat.

Public school districts tend to fall below what is commonly called the "cybersecurity poverty line," a haves-and-have-nots division between organizations equipped with the resources to implement strong security measures and those challenged by insufficient IT budget, expertise, and other factors.

A large company can afford the most stringent cybersecurity protection, but limited budgets and talent make it difficult for other organizations, from schools to small businesses, to defend themselves and recover quickly from attacks.

School districts usually confront these three distinct hurdles.

First, districts lacking the budget for all the security tools and people needed for the most fortified defenses are forced to make tough choices about what security aspects to prioritize. Second, it's a tall order for school districts to compete for cybersecurity professionals amid a worldwide talent shortage (PDF) that keeps driving salaries higher. Third, school districts are still relying on legacy IT infrastructure that is more vulnerable to cyber incidents.

And all of this comes at a time when cybercriminals keep getting more sophisticated in their attack techniques and their ambitions, the latter exemplified by a ransomware-as-a-service industry in which malware developers make their software available to third-party attackers who execute the ransomware attacks.

**Recommended Security Steps**

Despite these challenges, school districts can still pass the cybersecurity test with planning, attention, and action. Here are five recommended steps.

**1\. Determine cybersecurity maturity.**

School districts must self-examine where they are on the cybersecurity maturity spectrum. Are they at the first stage, prepared for data breaches at a basic level with safe and secure backups?

Are they at the second stage, having started taking measures such as conducting tests and simulations to prevent data breaches as well as monitoring signals from their data that help identify data risks and investigate threats faster?

Are they at the third and final stage, having embraced a proactive stance toward data breaches, regularly conducting tests of both vulnerabilities as well as of recoverability?

Many large companies have found this maturity model effective in helping better understand and measure cyber-risk management. Schools should do the same.

**2\. Have a recovery plan ready and act quickly.**

Schools must stand prepared to spring into action after a cyber incident is discovered. That means maintaining  a turnkey system for activating a clean backup of data and applications if primary systems are compromised.

**3\. Emphasize employee training.**

Attackers use techniques like phishing to compromise user identities and get to critical data. An attack can spread through a system quickly by someone clicking on an untrustworthy link.

Therefore, school districts should train, train, and train some more to help their people recognize and report phishing attacks.

**4\. Focus on data.**

In a world awash in data, organizations must protect their large volumes of data from various forms of unauthorized access. That has two ramifications for school districts.

One, school system IT teams should focus not only on securing devices and the network perimeter but also on ensuring data always remains safe and available. Data, after all, is what ransomware attackers go after.

Two, school officials should look closely at what data they have. Many have collected data for the sake of collecting data because they _might_ need it at some point. It's time to ask what really is essential, and focus on protecting the most critical and sensitive data.

**5\. Push for federal help.**

The GAO in its October report recommended actions the federal government should take to help school districts. Those included establishment by the secretary of education of a cross-agency mechanism to coordinate cybersecurity efforts between agencies and with the K-12 community; an effort by the Education Department, in coordination with federal and local stakeholders, to determine how best to help school districts overcome challenges in addressing cyber threats; and development of metrics for measuring the effectiveness of its cybersecurity-related products and services available to school districts.

School officials should welcome these recommendations and lobby to make sure they're enacted.

While it's sad that cybercriminals have made K-12 schools a top target, these steps show that districts have the power to fight back. What could be more important? Our children's learning is at stake.

5 Ways to Fight School Ransomware Attacks

Here is a cautionary tale of what happens if side-projects or sections of the website becomes obsolete. If you don't remove them, someone might hijack your subdomain.

Here is a cautionary tale of what happens if side-projects or sections of the website becomes obsolete. If you don't remove them, someone might hijack your subdomain.

Source: Ron Bull via Alamy Stock Photo

**Question: What are the risks of letting domains and subdomains expire? How do attackers hijack them?**

**Answers provided by Jossef Harush, head of software supply chain, Checkmarx:** It’s ridiculous how easy it is to find and take over an abandoned domain, says Harush.

Subdomain hijacking is a type of cyber-attack where an attacker takes control of a subdomain of a legitimate domain and uses it to host their malicious content or to launch further attacks.

Here is an example: CocoaPods is a popular dependency manager for iOS and MacOS projects used by developers to add third-party code to their applications. The company had a subdomain, _cdn2.cocoapods.org,_ which had been used years ago but was no longer in use. However, the DNS records for the subdomain still pointed to GitHub Pages, where presumably the pages for this subdomain had been hosted at one point.

Since this subdomain was no longer linked to a GitHub Pages project, attackers created their own project --a casino site -- and the existing DNS record meant users looking for that subdomain were directed to that fishy-looking site. This kind of subdomain hijacking works as long as the subdomain is unoccupied by another GitHub Pages project, Harush says.

When an organization no longer needs a subdomain or domain, it is not enough to take the relevant pages down. There needs to be an action item to delete the subdomain records from DNS. In short, the DNS entry needs to reflect the fact that _example.com_ and _a.example.com_ are still in use, but that _b.example.com_ is not.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How Do Attackers Hijack Old Domains and Subdomains?

Hornetsecurity research highlights that more than 1 in 4 companies have fallen victim to ransomware attacks, with 14.1% losing data and 6.6% paying a ransom.

**LONDON****,** **March 15, 2023** **/PRNewswire/ --** Global cybersecurity provider Hornetsecurity has today announced the launch of VM Backup V9 – the newest version of its award-winning virtual machine (VM) backup, replication and recovery solution.

This latest iteration offers ransomware protection leveraging immutable cloud storage on Wasabi and Amazon S3, with Microsoft Azure soon to follow. This new key feature enables customers to protect their backup data from ransomware by making their data tamper-proof for a defined period.

A recent Hornetsecurity study revealed that 15% of ransomware attacks specifically targeted backups, highlighting the essential need for immutable backups , which forms a key part of the V9 update.

Hornetsecurity CEO, Daniel Hofmann, said: "Data breaches and ransomware cost businesses millions of dollars every year. It's vital that organisations take preventative measures and are protected with the latest technology. We're excited to launch VM Backup V9, which provides reassurance to our customers and partners that their virtual machine data backups are protected against ransomware attacks. It also addresses the latest compliance regulations in data security and data protection."

**Ransomware protection**

Immutable Cloud Storage gives users ongoing access to their data without the need to pay a ransom if targeted by ransomware. This newest feature ensures that backup data becomes tamper-proof, as it cannot be modified or deleted by any user, including administrators and root users.

**Easy installation and newly overhauled backup repository**

VM Backup V9 has an easy-to-use, intuitive interface that gives individuals full control, allowing them to monitor and manage all Hyper-V and VMware VMs from a single console.

V9 can now handle larger infrastructure setups. Its overhauled backup repository optimises disk space, ensuring more robust long-term storage. In addition, background operations can now run in parallel with other ongoing backup and restore processes.

Hornetsecurity provides outstanding support 24 hours a day, 7 days a week, with a guaranteed call response time of less than 30 seconds.

**Learn more about Hornetsecurity's VM Backup V9** here.

**About Hornetsecurity**

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Hornetsecurity Launches VM Backup V9

Research found that phishing threats were low in 2022, while foreign login activity and application process analysis accounted for nearly 50% of incident alerts.

**DENVER** **–** **March 15, 2023** **–** DirectDefense, Inc., an information security services company, today released its "Security Operations Threat Report" which identifies the top threats in 2022 and what’s already trending for 2023. Using its proprietary ThreatAdvisor software, DirectDefense evaluated the managed services activities logged for its clients last year.

Of the hundreds of thousands of alerts managed, DirectDefense investigated 100% of them and acted on or dismissed 77% so that only 23% needed client collaboration to close the event, saving over 1.1 million hours in alert investigation time for clients while providing 7x24x365 monitoring. There were seven threat types identified by the DirectDefense team, including custom alerts created by DirectDefense based on our clients’ unique needs and program support. Outside of custom alerts, foreign login activity and process analysis (suspicious application processes) represented almost 50% of the threats identified.

*   Custom Alerting – 30%
*   Foreign Login Activity – 27%
*   Process Analysis – 21%
*   Account Activity – 9%
*   Phishing Attempts – 7%
*   Mailbox Manipulation – 5%
*   Deceptive Technologies – 1%

Surprisingly, phishing accounted for a low number of client alerts. This infrequency could be the result of tighter organizational email security protocols or simply fewer phishing attempts overall due to previous year’s events where threat actors scraped email addresses and personal information from social networking sites and took other approaches, like brute force attacks. It’s worth noting that of the 7% phishing attempt alerts, 859 were positive phishing attempts and three of those escalated to an incident response engagement.

In 2022, DirectDefense spent nearly 30,000 hours on event triage, with approximately 7,600 hours attributed to level 1 / initial analysis and 21,700 to level 2 / secondary analysis and action.

Each DirectDefense SOC analyst spent an average of 1,723 hours on event triage and response.

"The number of hours spent investigating alerts, many of which require no action, can stop productivity in its tracks. Not to mention how alert fatigue often results in simply not investigating alerts, thereby potentially missing a very real threat – and the opportunity to respond quickly," said **Jim Broome, President and Chief Technology Officer for DirectDefense**. "Even when companies elect to handle certain alerts in-house, the benefit of having 100% of alerts immediately investigated by an MSSP removes a significant strain on organizational resources."

In looking at 2023, the DirectDefense team identified four primary threats that top the list for security concerns.

*   **Ransomware:** A serious threat facing organizations, the most common infiltration techniques for ransomware include supply chain attacks, data exfiltration to a separate location, Ransomware as a Service (RaaS) / pay-for-use malware platforms, out-of-date system patches, and phishing. Operational disruptions, data compromise and loss, and reputational damages are top concerns in any security breach, especially ransomware.
*   **Cloud infrastructure attacks:** A high incidence of cloud infrastructure attacks occurred because clients were allowing their developers to run a development cloud environment with little to no production controls oversight. Organizations need to ensure they have configuration requirements and service hardening procedures in place for all cloud environments, not just production.
*   **Blind by design applications:** There are many applications that don’t offer even the most basic security controls or audit logs. These blind-by-design applications are leaving organizations open to attack, and closing these gaps requires application testing for function and logic vulnerabilities, authentication mechanisms, room for abuse, and logging quality.
*   **Emerging AI (ChatGPT):** The threat from ChatGPT is far different than headlines suggest. Right now, AI is just a tool that can be used by both malicious actors and well-intentioned individuals. DirectDefense expects to see an increase in social engineering and phishing attacks using information from ChatGPT to execute.

The full report can be found at: https://go.directdefense.com/2022-Security-Operations-Threat-Report.

**Follow DirectDefense**

LinkedIn: https://www.linkedin.com/company/directdefense/

Twitter: https://twitter.com/Direct\_Defense

Blog: https://www.directdefense.com/resources/blog/

**About DirectDefense, Inc.**

DirectDefense provides enterprise risk assessments, penetration testing, ICS/SCADA security services, and 24/7 managed security services for companies of all sizes. Focused on building security resiliency, the firm offers comprehensive security testing services with specialization in application security, vulnerability assessments, penetration testing, and compliance assurance testing. Its team of highly talented consultants has worked with the majority of the Fortune 100 companies, in industries such as power and utility, gaming, retail, financial, media, travel, aerospace, healthcare, and technology. More information can be found at www.directdefense.com.

DirectDefense Reports the Top Threats From 2022 and What's Trending for 2023

Patched earlier this month, a code-execution vulnerability is the latest FortiOS weakness to be exploited by attackers, who see the devices as well-placed targets for initial access operations.

In early March, a customer called in Fortinet's incident response team when multiple FortiGate security appliances stopped working, entering an error mode after the firmware failed an integrity self test.

It was a cyberattack, which led to the discovery of the latest vulnerability in Fortinet devices, a medium severity but highly exploitable bug (CVE-2022-41328) that allows a privileged attacker to read and write files. The threat group, which Fortinet labeled as an "advanced actor," appeared to be targeting government agencies or government-related organizations, the company stated in a recent analysis of the attack.

Yet the incident also shows that attackers are giving Fortinet devices significant attention. And the attack surface is wide: So far this year, 60 vulnerabilities in Fortinet products have been assigned CVEs and published in the National Vulnerability Database, double the rate at which flaws were disclosed in Fortinet devices in the previous peak year, 2021. Plenty are critical, too: Earlier this month, Fortinet revealed that a critical buffer underwrite vulnerability in FortiOS and FortiProxy (CVE-2023-25610) could allow a remote unauthenticated attacker to run any code on a variety of appliances.

Interest is high, as well. In November, for example, one security firm warned that a cybercriminal group was selling access to compromise FortiOS devices on a Russian Dark Web forum. But whether the vulnerabilities have spurred attention, or vice versa, is moot, says David Maynor, senior director of threat intelligence at Cybrary, a security training firm.

"Attackers smell blood in the water," he says. "The number and frequency of remotely exploitable vulnerabilities over the last two years has increased at a breakneck speed. If there is a nation-state group that isn't integrating Fortinet exploits, they are slouching on the job."

Like other network security appliances, Fortinet devices inhabit the critical point between the Internet and internal networks or applications, making them a valuable target to compromise for attackers looking for a foothold into corporate networks, the research team from threat intelligence firm GreyNoise Research said in an email interview with Dark Reading.

"A large majority of Fortinet devices are edge devices, and as a result are commonly Internet facing," the team said. "This is true of all edge devices. If an attacker is going to go through the effort of an exploitation campaign the volume of edge devices make\[s\] for a valuable target."

The researchers also warned that Fortinet is not likely alone in the crosshairs of attackers.

"All edge devices from any vendors will have vulnerabilities sooner or later," GreyNoise Research said.

**Fortinet Attack Detailed**

Fortinet described the attack on its customers' devices in some detail in its advisory. The attackers had used the vulnerability to modify the device firmware and add a new firmware file. The attackers gained access to the FortiGate devices via the FortiManager software and modified the devices' start-up script to maintain persistence.

The malicious firmware could have allowed for data exfiltration, the reading and writing of files, or given the attacker a remote shell, depending on the command the software received from the command-and-control (C2) server, Fortinet stated. More than a half dozen other files were modified as well.

The incident analysis, however, lacked several critical pieces of information, such as how the attackers gained privileged access to the FortiManager software and the date of the attack, among other details. 

When contacted, the company issued a statement in response to an interview request: "We published a PSIRT advisory (FG-IR-22-369) on March 7 that details recommended next steps regarding CVE-2022-41328," the company said. "As part of our ongoing commitment to the security of our customers, Fortinet shared additional detail and analysis in the March 9 blog post and continue to advise customers to follow the guidance provided."

Overall, by finding and disclosing the vulnerability, and publishing an analysis of their incident response, Fortinet is doing the right things, the GreyNoise Research team told Dark Reading.

"They published a detailed analysis two days later including an executive summary, as well as a massive \[number\] of accurate details about the nature of the vulnerability and the activity of the attacker, providing defenders \[with\] actionable intelligence," the team stated. "Fortinet chose to clearly, timely, and accurately communicate about this vulnerability."

Cyberattackers Continue Assault Against Fortinet Devices

Capitol Hill cybersecurity leader joins the company’s Cybersecurity Advisory Board to drive further adoption of security ratings in the public and private sectors.

**WASHINGTON, DC – March 15, 2022 –** SecurityScorecard, the global security ratings, response and resilience company, announced today that former United States Congressman John Katko has joined the company as a Senior Advisor of its Cybersecurity Advisory Board. Katko is recognized for his cybersecurity leadership and bipartisan efforts as he served New York’s 24th Congressional District.

"John is a cybersecurity luminary who is widely respected across both sides of the aisle. Among his many accomplishments, John helped create the foundation for the U.S. Cybersecurity & Infrastructure Security Agency (CISA)," said Sachin Bansal, Chief Business Officer, SecurityScorecard. "We are incredibly honored to have John join us as a Senior Advisor as we continuously work with all levels of the U.S. government to recognize SecurityScorecard as a trusted, must-have standard for measuring security."

During his congressional career, Katko was a strong voice on the House Homeland Security Committee, later being selected as the top-ranking member of the committee in 2020. Katko is also recognized for his vital guidance in the development of the CISA and his continued support of the agency’s efforts through legislation like the Securing Systemically Important Critical Infrastructure Act that prioritizes security for U.S. critical infrastructure.

"Cybersecurity is a critical component of national security, and SecurityScorecard is making a huge impact in the way it helps organizations become cyber resilient in the face of global threats," said Katko. "Given the cybersecurity landscape today, organizations need to instantly know the cyber-risk of any company in the world, including their own business, competitors, vendors, and downstream suppliers. I’m looking forward to partnering with the SecurityScorecard team as they help users measure and monitor cyber risks."

"John's commitment to national security and keeping our country safe makes him a natural fit for SecurityScorecard," said Brian Harell, former Assistant Secretary for Infrastructure Protection at the Department of Homeland Security. "He has a deep understanding of the cybersecurity challenges we face as a nation today and knows what it will take to protect our most critical assets. That perspective and expertise will serve as an invaluable resource to SecurityScorecard's users."

Katko is also a Senior Advisor at HillEast Group, a government affairs and strategic communications lobbying firm serving private sector clients. While serving New York’s 24th Congressional District, John achieved significant legislative success, with 98 bills passed the House and 45 signed into law. John is well-respected for his work across the aisle and was consistently ranked among the most bipartisan members of Congress by the nonpartisan Lugar Center. Prior to serving in Congress, John spent nearly twenty years as a federal organized crime prosecutor with the U.S. Department of Justice.

To learn more about SecurityScorecard and its award-winning solutions, please visit: https://securityscorecard.com/

**About SecurityScorecard**

Funded by world-class investors including Evolution Equity Partners, Silver Lake Waterman, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard's patented rating technology is used by over 30,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree approach to security prevention and response for its worldwide customer and partner base. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. SecurityScorecard is listed as a free cyber tool and service as listed by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Every organization has the universal right to their trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.

SecurityScorecard Appoints Former US Congressman John Katko As Senior Advisor

Two gang members are being charged for allegedly threatening to release personal information and impersonating law enforcement in an effort to dox victims.

Two individuals, belonging to a crime group known as "Vile," are being charged with wire fraud and conspiracy to commit computer intrusions after allegedly breaching a law enforcement database and using stolen data to blackmail their victims. Members of the group threatened to release their personal information on public websites.

According to a press release published on March 14 from the US Attorney's Office in the Eastern District of New York, Sagar Steven Singh (19) and Nicholas Ceraolo (25) used the stolen password of a police officer to gain access into a database containing records of narcotics, currency seizures, and intelligence reports. It took the perpetrators only one day to begin extorting the subjects of the reports, threatening to harm their family members if they weren't provided with the victim's personal information, such as their Social Security numbers and home addresses, or payment to keep the information off of websites, an effort known as doxxing.

In addition to this, Singh used a foreign law enforcement officer's email address to contact social media companies for information on their users, purporting to need it for police investigations. Known as emergency requests, these are requests that governments can make to social media companies for user information; there are thousands made to companies every year. In fact, 75% of the time it was asked, Meta, formerly known as Facebook, gave up the requested information.

"As alleged, the defendants shamed, intimidated, and extorted others online. This Office will not tolerate those who impersonate law enforcement officers and misuse the public safety infrastructure that exists to protect our citizens," stated United States Attorney Breon Peace in the press release. Both defendants face up to five years in prison, and Ceraolo faces up to 20 years.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Vile' Gang Duo Breaches Police Database, Impersonates Officers in Extortion Gambit

An unpatched Microsoft Web server allowed multiple cybersecurity threat groups to steal data from a federal civilian executive branch.

Multiple threat groups were able breach a federal agency and steal data by exploiting a years-old Progress Telerik vulnerability in an unpatched Microsoft Internet Information Services (IIS) Web server — and the Cybersecurity and Infrastructure Security Agency (CISA) wants other IT security teams to be on the lookout for similar exposure.

The Federal Civilian Executive Branch (FCEB) was compromised from last November to January 2023 after threat actors were able to exploit a .NET deserialization Telerik vulnerability from 2019 (CVE-2019-18935) in the agency's Microsoft Internet Information Services (IIS) Web server, CISA reported.

CISA, along with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued indicators of compromise and warn teams running Telerik UI for ASP.NET Ajax builds from earlier than 2020 who are concerned about unpatched servers to immediately:

*   Implement a patch management solution to ensure compliance with the latest security patches.
*   Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.
*   Limit service accounts to the minimum permissions necessary to run services.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading