Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.

IT teams should prioritize the patching of two zero-day vulnerabilities, one in Microsoft Outlook's authentication mechanism and another that's a Mark of the Web bypass, security experts said today. The two are part of a cache of 74 security bugs that Microsoft disclosed in its March Patch Tuesday security update.

In a blog post, researchers from Automox recommended that organizations patch both vulnerabilities within 24 hours since attackers are exploiting them in the wild. 

In addition, several of the critical flaws in the March update enable remote code execution (RCE), making them a high priority for patching as well. 

Vendors had slightly different takes on the total number of new critical vulnerabilities in Microsoft's March update — likely because of differences in what they included in the count. Trend Micro's Zero-Day Initiative (ZDI), for instance, identified six of the vulnerabilities in Microsoft's March update as critical, while Tenable and Action1 pegged the number at nine.

**Privilege Escalation Zero-Day**

One of the zero-days is a critical privilege escalation vulnerability in Microsoft Outlook tracked as CVE-2023-23397, which allows an attacker to access the victim's Net-NTLMv2 challenge-response authentication hash and then impersonate the user. 

What makes the bug dangerous is that an attacker could trigger it simply by sending a specially crafted email that Outlook retrieves and processes before the user even views it in the Preview Pane.

"This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email," said Satnam Narang, senior staff research engineer at Tenable in an emailed comment. An attacker could use the victim's Net-NLMv2 hash to conduct an attack that exploits the NTLM challenge-response mechanism and allows the adversary to authenticate as the user.

That makes the bug more of an authentication bypass vulnerability than an privilege escalation issue, added ZDI researcher Dustin Childs, in a blog post that summarized the most important flaws in Microsoft's March Patch Tuesday update. Disabling the Preview Pane option will not mitigate the threat because the bug gets triggered even before that, he wrote.

Microsoft attributed the bug's discovery to researchers from Ukraine's Computer Emergency Response Team (CERT) as well as one of its own researchers.

Organizations that cannot patch CVE-2023-23397 immediately should consider implementing Microsoft's mitigation for the flaw, which prevents the use of NTLM as an authentication mechanism, Automox said.

**Actively Exploited Security Feature Bypass Flaw**

Microsoft identified the second zero-day bug as CVE-2023-24880, a Windows SmartScreen security feature bypass issue than at attacker could use to bypass the Mark of the Web designation that Microsoft uses to identify files that a user might download from the Internet. 

The feature is designed to warn users about potentially unsafe content. CVE-2023-24880 affects all desktop systems running Windows 10 and above and systems running Windows Server 2016, 2019, and 2022.

Chris Goettl, vice president of security products at Ivanti, cautioned administrators not to be lulled into a sense of false security by Microsoft's relatively low severity rating for the flaw. 

"The CVSSv3.1 score is only 5.4, which may avoid notice by many organizations," Goettl said in a statement. On its own, the CVE may not be all that threatening, "but it was likely used in an attack chain with additional exploits," he warned.

**Other Security Bugs at High Patching Priority**

One of the RCE flaws to make a special note of is CVE-2023-23415, which exists in the Internet Control Message Protocol (ICMP) that network devices use to diagnose communications issues. 

"An attacker can remotely exploit this vulnerability through the use of a low-level protocol error containing a fragmented IP packet in its header that is sent to the target machine," Microsoft said. The vulnerability affects multiple Microsoft products, including Windows 10, Windows 11, Windows Server 2008, 2012, 2016, 2019, and 2022.

ZDI, Automox, and Action1 also all identified a RCE vulnerability with a near maximum severity of 9.8 on the CVSS scale in the HTTP Protocol Stack as another issue that organizations might want to prioritize. 

The vulnerability (CVE-2023-23392) allows an unauthenticated attacker to send a specially crafted packet to a server that uses the HTTP Protocol Stack leading to RCE. "The vulnerability affects Windows Server 2022 and Windows 11, and has a low-complexity attack vector that requires no privileges or user interaction," Action1 warned. Because of this, Microsoft has assessed the vulnerability as one that threat actors are more likely to exploit than other flaws.

Automox also recommended that organizations address CVE-2023-23416, a RCE bug in the Windows Cryptographic Services protocol, within 72 hours. That's because, among other things, it affects all versions of desktops Windows 10 and above, and all Windows server editions from Server 2012 on.

In addition to patches for new vulnerabilities, Microsoft also issued updates for four older flaws — all from 2022 — in its March patch cycle. The update expands the number of Microsoft software and applications affected by the vulnerabilities and provides a patch for them, Ivanti said. The security vendor identified the four updated patches as CVE-2022-43552, CVE-2022-23257, CVE-2022-23825, and CVE-2022-23816.

Microsoft Zero-Day Bugs Allow Security Feature Bypass

Financing will help support increasing customer demand while continuing to transform incident response for cloud and SaaS environments

**NEW YORK, March 14, 2023 –** Mitiga, the cloud and SaaS incident response leader, today announced the completion of its $45 million Series A Round, bringing total funding to $45 million, led by ClearSky Security, with participation from Samsung Next and existing investors Blackstone, Atlantic Bridge and DNX. This news comes on the heels of Mandiant’s former President/COO, John Watters, joining Mitiga as an independent board member.

"When we founded Mitiga, we had one goal in mind — to help organizations accelerate their responses to the rising tide of cloud and SaaS attacks," stated Tal Mozes, co-founder and CEO, Mitiga. "We knew we could do it better than traditional incident response (IR) solutions because they’re reactive by nature, and tremendously time-consuming. Our proactive and automated approach enables organizations that experience cloud and SaaS breaches to respond immediately and recover faster than any other solution on the market. We are thrilled to include Samsung Next as one of our investors and look forward to our next growth phase in 2023 and beyond."

Mitiga will use the investment to accelerate its growth, helping to meet the high demand for cloud incident response services from the overwhelming number of organizations that now rely on cloud and SaaS environments—because today's harsh reality is that cloud attacks are inevitable. Mitiga’s modern approach offers cloud-driven companies a new level of cyber and organizational resilience. By enabling ongoing readiness and compressing the investigation time from weeks or months to hours, Migita's solution reduces incident-related damage and gets customers back to business fast.

"As more and more companies are advancing their cloud journeys, they're beginning to understand that growing their cyber resiliency is a vital part of that transformation" stated Tal Achituv, CTO, Samsung Next. "Mitiga's modern incident response solution combined with the team’s deep cloud forensics expertise enables companies to prepare for cloud breaches before they happen — so they get back to business immediately. It's an important capability and we're happy to be supporting Mitiga to enable it."

To learn more about Mitiga, please visit www.migita.io, or if attending the 2023 RSA Conference, stop by Moscone North Expo, Booth 5624. 

**About Mitiga**

Mitiga is the cloud and SaaS incident response leader. In a world filled with cloud risks, we help organizations return to business as usual 90% faster than traditional incident response. Our IR2 solution provides instant answers to the most burning breach-related questions, enabling teams to speed investigations, minimize impact, and enhance cyber resilience against future attacks. Mitiga’s approach leverages automated insights from our leading-edge SaaS platform and combines them with support from Mitiga's world-leading cloud incident responders. The result not only accelerates and improves incident response, but it also minimizes enterprises' breach-related costs through a subscription-based model that makes cloud and SaaS IR expenditures more predictable.

Samsung Next Invests in Mitiga, Brings Total Funding to $45M

The ransomware group sent a message directly to Elon Musk: Pay or the confidential SpaceX information goes up for grabs on the Dark Web.

The LockBit ransomware group is reportedly threating to release stolen SpaceX schematics unless Elon Musk pays to keep them under wraps.

Musk has until March 20 to make an extortion payment, according to a recent LockBit post shared on Twitter by cybersecurity analyst Dominic Alvieri. The confidential drawings were reportedly lifted not from SpaceX itself, but from a third-party vendor: Maximum Industries, which produces parts for SpaceX projects.

"Elon Musk we will help you sell your drawings to mother manufacturers — build the ship faster and fly away," the LockBit ransomware demand read.

“When people hear of extortion, their mind immediately goes to ransomware. However, ransomware is just one tool in an attackers arsenal," says Javvad Malik, lead awareness advocate at KnowBe4,. "The data is the actual gold dust that the criminals are after. If they can exfiltrate it, then they have immense leverage over the victim."

He adds, "This raises the important questions of how criminals get into organizations, how they spend so long undetected, and how can sensitive data be exfiltrated without being blocked. The answers to these extend beyond simply looking at point products, but is really about looking at the overall security culture in an organization and how it can be strengthened in a positive manner to reduce the overall risk.”

Ransomware accounted for about $34 million in adjusted losses reported to the FBI last year, according to the FBI's Internet Crime Report (PDF).

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

LockBit Threatens to Leak Stolen SpaceX Schematics

An agency team will identify vulnerabilities being exploited by ransomware groups and alert organizations ahead of attacks, CISA says.

An anti-ransomware project launched by the Cybersecurity and Infrastructure Security Agency (CISA) will proactively track common vulnerabilities being exploited by ransomware gangs, and alert exposed organizations to the risks to help them mitigate the threat before a cyberattack occurs.

The Ransomware Vulnerability Warning Pilot (RVWP) program started out by alerting 93 organizations open to the recent Microsoft Exchange Service "ProxyNotShell" vulnerability, which was under open attack by ransomware operators in the wild, the CISA announcement explained. The intention is for the RVWP to replicate the model on a larger scale and help critical infrastructure organizations stave off future ransomware attacks.

"Ransomware attacks continue to cause untenable levels of harm to organizations across the country, including target rich, resource poor entities like many school districts and hospitals," Eric Goldstein, executive assistant director for cybersecurity at CISA, said about the program in CISA's announcement. “The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA Trials Ransomware Warning System for Critical Infrastructure Orgs

One researcher thinks trust is broken in AD. Microsoft disagrees that there's a security vulnerability. But enterprise IT environments should be aware of an authentication gap either way.

An access control gap in Microsoft's Active Directory (AD) service may allow users within Windows environments to access domains beyond those for which they are authenticated, all while IT admins are none the wiser.

AD, Microsoft's catchall identity management service for authenticating computers, printers, users, or really anything participating in an IT environment, is built into most Windows domain-type networks. Tens of thousands of organizations use the service, including 90% of Global Fortune 1000 companies, according to Frost & Sullivan.

Network administrators use AD to manage authentication across a domain, ensuring that intended users — _only_ intended users — can access the resources they're allotted — _only_ those they're allotted.

In a report published March 14, however, Charlie Clark, security researcher at Semperis, detailed how a user can escape the guardrails within AD, and access domains for which they were not explicitly granted permission.

"It massively increases the attack surface for an attacker," he explains, "and obviously, the larger the attack surface, the more likely it is that an attacker can find an exploitable bug."

**MSFT AD's "Transitive Trust" Problem**

According to the transitive property of mathematics, if a = b and b = c, then a = c.

In AD, if domain A connects to domain B, and domain B connects to domain C, domains A and C may or may not be able to access one another, depending on whether they share a "transitive trust." As stated in Microsoft's documentation, "transitivity determines whether a trust can be extended outside of the two domains with which it was formed."

Two domains belonging to two different organizations might bear an "external trust" — a form of trust that's set up manually in AD, which is nontransitive. However, herein lies the issue that Clark found: that external trust can be used by one company to access sister domains within the same group (what Microsoft calls a "forest") as the second, for which no official external trust has been established, Clark says.

"If what we thought about non-transitive trusts were true," Clark explains, an authenticated user from one domain would "only be able to target the specific domain they've got a trust with. They wouldn't be able to move around the forest to other domains."

Instead, "any account within the trusted domain will be able to authenticate against any domain within the entire forest in which the trusting domain resides," he wrote in his analysis.

A malicious user who figures out how to burrow around a forest at will can access resources, reach accounts, and find data they otherwise should not.

"It allows an attacker to have a much larger attack surface from any low-privileged account on a trusted domain," Clark reasons, because "if you manage to take over a single domain within a forest, it's very easy to take over the whole forest."

Clark first reported his findings to Microsoft on May 4, 2022. On Sept. 29, Microsoft wrote in an email that "we have determined that this submission does not meet the definition of a security vulnerability for servicing. This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering." With that, the company closed the case.

“We provide many mechanisms for limiting resource access when using external trusts in a forest trust environment," a Microsoft spokesperson explained. "For example, by applying an authentication policy to resources at any granularity to allow or deny authentication based on any security descriptor. Customers can also set a deny-by-default posture which only allows those users to authenticate to accounts where the user has the allowed-to-authenticate right. We are continuously researching ways to improve security for future releases. More information is available in our authentication policy documentation.”

**Why Trust Matters**

Clark worked as a systems administrator for over 15 years, and a pen tester for six. "Every medium to large business or infrastructure that I've worked with has had external trusts," he claims. By that logic, most of AD's clients are likely at risk right now, he alleges, if additional protections haven't been put in place.

Microsoft's recommendations aside, to protect against this form of access control abuse, Clark recommends that admins remove all external trusts. If this is not possible, then monitoring which users are accessing what is the next best thing.

The most important thing, in the end, is awareness. Otherwise, admins may fall prey to a false sense of security. They "can see that a trusted domain is a higher risk. So they may apply greater security to that domain," Clark explains, but "they might not apply the same level of security to the rest of the domains within the forest," despite the similar risk.

"I think the main thing is to make system admins aware that this is possible," Clark concludes. By knowing this, "they can harden the rest of the domain sufficiently."

Access Control Gap in Microsoft Active Directory Widens Enterprise Attack Surface

Organizations need to take steps now to strengthen their cyber defenses.

Anxiety over an artificial intelligence tool called ChatGPT is spreading across a wide range of sectors, from education to business to cybersecurity circles. Numerous articles have shown ChatGPT's efficiency in creating phishing emails, as well as passing medical and business school tests. Its ability to write, speak, and answer queries across a wide range of subjects as competently as many humans do, as well as its ability to find vulnerabilities in computer systems, has raised legitimate concerns over how it may be used to create effective phishing campaigns on a large scale.

While today it's a toy, a parlor trick that people take out to show how much AI has improved, businesses and government institutions should be worried about what's going to happen in two to five years, as AI models continue to improve and bad actors take advantage of what it can do. Organizations need to take steps now to strengthen their cyber defenses, against both current threats and what's lurking around the corner.

**AI's Versatility Creates Risks**

ChatGPT, created by OpenAI, has been available for queries since November 2022, in an open-ended beta testing period. OpenAI, a research and deployment company that pursues innovations in AI, says it created the chatbot to interact in a conversational way, study user feedback, and learn its own strengths and weaknesses. It's been used to explore scientific subjects, help write a poem or a song, and even apply for a job. ChatGPT does make mistakes. The coding platform StackOverflow temporarily banned ChatGPT because its answers to questions were often incorrect, deciding that posting those answers would be "substantially harmful" to StackOverflow users. But it is learning and improving.

**The Next Stage of AI Threats**

The most immediate cybersecurity concerns over ChatGPT are that it can give neophyte cyberattackers the ability to write phishing emails, exploit buffer overflows, and carry out other basic cyberattacks. But in a few years, these threats will become much more serious.

AI tools will make it easier for malicious insiders or cybercriminals who gained brokered access to engineer and manipulate intracompany dialogue, sending precisely targeted phishing emails that look like legitimate requests from a person inside the company.

**What Businesses Can Do to Protect Themselves**

There are several steps businesses can take to adopt a security-first culture and protect themselves from the kind of threats AI poses, now and in the future:

1.  **Make sure the business leans toward skepticism.** People at every level of a company should question what they see in email or any other communication channels. Phishing is so pervasive because it has so often worked, accounting for 73% of social engineering attacks in North America, according to Verizon's "2022 Data Breach Investigations Report." Employees should be trained to look at any email, Slack invitation, or other communication with a critical eye. They need to be aware of the signs that it's fraudulent.
2.  **Deliver continuous, real-time cybersecurity training.** Almost every organization has a cybersecurity training program that their employees must take annually. Given the number of breaches we've seen based on phishing attacks, it's clear this is not enough. Organizations need to help employees identify phishing attacks in real-time, pointing out as it happens when employees click on fraudulent links or download privileged information onto a thumb drive. For the sake of productivity, employees try to find workarounds, and cybersecurity training needs to happen in the moment to remind employees why protocols are there in the first place.
3.  **Establish some Internet borders to reduce unnecessary use.** Workplaces already do this to some extent, such as by blocking offensive websites or forbidding Internet use that could put company data in jeopardy. If they have not done it already, businesses can establish a written policy detailing acceptable and forbidden Internet use. Programs are available that will limit Internet use to approved websites, and routers can be used to block sites. Tracking and logging Internet use also can act as a deterrent.
4.  **Improve corporate security policies and actually enforce them.** Security transformation does not happen in days. It happens over months and years, requiring a cultural change in how everyone in the organization thinks about cybersecurity. The best practices in security today can be effective, but only if fully implemented and followed. As with other security steps, businesses should communicate consistently about security, reminding staff of what's expected from them.
5.  **Question current standard practices.** One of the most common explanations used in IT has always been, "We've always done it that way." This is the worst explanation possible for any security practice. An essential component of a security-minded culture is a willingness to change processes and implement new tools to keep up with the ever-changing cyber threat landscape. Be ready to consider more secure and efficient modes of cybersecurity protocol.

**Building a Culture Around Security**

Many organizations begin to see greater success against advanced AI threats when they empower their workforce, which begins with strengthening communication between IT, HR, security teams, and employees about anything and everything concerning risk, data privacy, Internet use, and more. In today's threat environment, security is everyone's responsibility.

How Businesses Can Get Ready for AI-Powered Security Threats

Organizations must educate themselves and their users on how to detect, disrupt, and defend against the increasing volume of online disinformation.

More and more, nation-states are leveraging sophisticated cyber influence campaigns and digital propaganda to sway public opinion. Their goal? To decrease trust, increase polarization, and undermine democracies around the world.

In particular, synthetic media is becoming more commonplace thanks to an increase in tools that easily create and disseminate realistic artificial images, videos, and audio. This technology is advancing so quickly that soon anyone will be able to create a synthetic video of anyone saying or doing anything the creator wants. According to Sentinel, there was a 900% year-over-year increase in the proliferation of deepfakes in 2020.

It's up to organizations to protect against these cyber influence operations. But strategies are available for organizations to detect, disrupt, deter, and defend against online propaganda. Read on to learn more.

**Building a Cyber Influence Campaign**

Cyber influence operations have three main stages. They begin with prepositioning, which is when nation-state actors first introduce their propaganda or false narratives to the general public — whether using the Internet or through making it part of breaking world news. These false Internet narratives are especially harmful because they can lend credence to subsequent references.

Next is the launch phase. This involves foreign entities creating a coordinated campaign to spread their narrative through government-influenced media outlets and social channels. Then comes the amplification phase in which nation-state-controlled media and proxies amplify false narratives to targeted audiences.

The corruption doesn't end there. Cyber influence campaigns can lead to market manipulation, payment fraud, vishing, impersonations, brand damage, and botnets, to name a few. But the greater threat is to our collective sense of trust and authenticity. The growing use of artificial media means that any compromising or undesirable image, audio, or video of a public or private figure can be dismissed as fake — even when it's legitimate.

**How Organizations Can Protect Themselves**

As technology advances, tools that have traditionally been used in cyberattacks are now being applied to cyber influence operations. Nation-states have also begun collaborating to amplify each other's fake content.

These trends point to a need for greater consumer education on how to accurately identify foreign influence operations and avoid engaging with them. We believe the best way to promote this education is to increase collaboration between the federal government, the private sector, and end users in business and personal contexts.

There are four key ways to ensure the effectiveness of such training and education. First, we must be able to detect foreign cyber influence operations. No individual organization will be able to do this on its own. Instead, we will need the support of academic institutions, nonprofit organizations, and other entities to better analyze and report on cyber influence operations.

Next, defenses must be strengthened to account for the challenges and opportunities that technology has created for the world's democracies — especially when it comes to the disruption of independent journalism, local news, and information accuracy.

Another element in combating this widespread deception is radical transparency. We recommend increasing both the volume and dissemination of geopolitical analysis, reporting, and threat intelligence to better inform effective responses and protection.

Finally, there have to be consequences when nation-states violate international rules. While it often falls on state, local, and federal governments to enforce these penalties, multistakeholder action can be leveraged to strengthen and extend international norms. For example, Microsoft recently signed onto the European Commission's Code of Practice on Disinformation along with more than 30 online businesses to collectively tackle this growing challenge. Governments can build on these norms and laws to advance accountability.

Ultimately, threat actors are only going to continue getting better at evading detection and influencing public opinion. The latest nation-state threats and emerging trends show that threat actors will keep evolving their tactics. However, there are things organizations can do to improve their defenses. We just need to create holistic policies that public and private entities alike can use to combat digital propaganda and protect our collective operations against false narratives.

Deepfakes, Synthetic Media: How Digital Propaganda Undermines Trust

An analysis of trillions of DNS requests shows a shocking amount of malicious traffic inside enterprise networks, with threats using DNS as a sort of malicious Autobahn.

The Internet's domain name system (DNS) has become a superhighway of sorts for threat actors, with one in six organizations experiencing malicious network traffic in the form of either malware such as Emotet, phishing attacks, or command-and-control (C2) activity in an given quarter, researchers have found.

Researchers from Akamai looked at data from more than than 7 trillion daily DNS requests to examine how threat actors are leveraging the servers and devices enterprises use to manage these requests to conduct their nefarious activity.

What they found is that attackers are zooming in and out of networks via DNS at an alarming frequency, with between 23% and 27% of organizations experiencing at least one instance in which C2 traffic was observed traveling out of their network in any given quarter, the Akamai researchers said in a report published today.

This traffic provides "a very accurate predictor for attacks in progress, and can provide a very accurate image of the threat landscape," says Eliad Kimhy, cybersecurity research team lead at Akamai.

Moreover, much of this traffic is occurring in real time, making it harder for the enterprise to defend against it, he adds.

"Attackers are increasingly operating with a 'hands on keyboard' philosophy, giving the job of hacking an organization to a live operator," Kimhy says. "This is going to make detecting and stopping C2 traffic a crucial aspect of an organization's security, and we will likely see this play an ever-growing role in the modern attack."

**Emotet, QSnatch & the Current State of Attacks**

The Akamai researchers reported a range of findings about not only how attackers are using DNS, but what type of attacks and malware are most prevalent in their observations. One of the most interesting was that the stalwart threat Emotet, which resurfaced recently after a brief hiatus, is not only back, but back with a vengeance.

"It is prevalent and seems to conduct massive campaigns to try and breach organizations," Kimhy says.

The researchers observed one "massive campaign" last year, and it appears that the threat group is ramping up for another, he says. "This is a very difficult group to contend with, as it specializes in breaching and selling access to more dangerous groups, like ransomware groups," Kimhy notes.

Moreover, this resurgence of Emotet is a good indicator that more attacks — potentially from ransomware groups — are on the horizon, as the malware is often used as an initial access to networks, he says.

In fact, the researchers found that 9% of infected network devices that they observed reaching out to C2s accessed domains associated with ransomware-as-a-service (RaaS) group, demonstrating the continued risk from ransomware attacks with business-crippling consequences — including remediation and recovery costs, legal fees, fines, downtime resulting in loss of productivity, and brand and reputation damages — for the enterprise.

Attackers also are increasingly finding their way into organizations' networks via network-attached storage (NAS) devices on the back of the botnet QSnatch, with more than a third of affected devices that researchers observed showing traffic leading to C2 domains related to this threat, the researchers found.

These devices can represent "a huge threat surface" if they're not well-secured, as organizations often use NAS devices for backups and the storage of crucial data, according to Akamai.

"Finding yourself in a position where your data is stolen or backups are deleted in support of a ransomware attack can be a terrible position to be in," Kimhy says.

In terms of which types of organizations attackers go after using DNS, the researchers found that manufacturing, business services, and retail are facing the highest risk, though no industry is safe from imminent attack.

**How Cyber Defenders Can Protect Against DNS Threats**

Given the insight about the current malicious activity hitching a ride into enterprise networks via DNS, security administrators can now arm themselves against the most prevalent threats targeting their networks. One way to do this is to conduct gap assessments and close those gaps where necessary, the researchers said.

Overall, given the current threat landscape, knowledge is power, Kimhy says. "Security teams need to know who’s on the other side of the attack — and which groups put their organization at risk — in order for them to be able to defend," he says.

Moreover, the "broken record" advice of adopting a "zero trust" mentality continues to ring true, with the deployment of "products that specialize in stopping an attack that has gone past the perimeter" — such as endpoint detection and response (EDR), microsegmentation, and secure Web gateways (SWGs) — offering particular advantage in defending against the current threat landscape, the researchers said.

Given the advanced threat posed to NAS devices, the Akamai researchers also recommended that organizations ensure any that companies have on their network be securely nailed down. "It is strongly advised that security teams ensure their NAS devices are up to date," Kimhy says "and properly secured via segmentation, or other appropriate tools."

Emotet, QSnatch Malware Dominate Malicious DNS Traffic

Only by working collaboratively can boards and security leaders make progress and agree about cybersecurity threats and priorities.

As leaders responsible for prioritizing their organizations' goals, board members must push the cybersecurity agenda forward. Yet new research shows healthcare boards are far behind their peers in making cybersecurity a priority and understanding cyber-risks, despite the potentially severe consequences to patient safety and care.

"Cybersecurity: The 2022 Board Perspective," a new global report from Proofpoint and Cybersecurity at MIT Sloan, found that cybersecurity is much lower on healthcare boards' agendas compared with other sectors. Although 77% of the 600 board members surveyed suggested cybersecurity is a top priority for their organizations, only 59% of healthcare directors concurred.

The report also found that only 61% of healthcare boardrooms discuss the topic at least monthly (versus 75% across all sectors), and only 64% believe they have invested adequately in cybersecurity (versus 76% for all sectors).

The future appears just as bleak. While 87% of participants expected to see their cybersecurity budgets increase in the next 12 months, only 77% of healthcare board members share this belief.

****Healthcare Boards Need Better Focus on Cyber-Risks****

What makes these findings more alarming is the contrast between healthcare boards' opinions about their cyber preparedness and the sentiments of other boards. Despite their lower cyber priorities, healthcare boards are much more optimistic. Only 50% believe their organization is at risk of a material cyberattack in the next 12 months (compared to 65% across sectors), and just 43% think their organizations are unprepared to cope with a targeted cyberattack (compared with 47% for all cohorts).

One reason behind the healthcare directors' misplaced confidence is their lack of cybersecurity understanding and expertise — another area where they fall behind their peers. Across all industries, 85% of survey participants believe their boards understand systemic risk, but only 61% of healthcare directors feel the same. Furthermore, fewer healthcare organizations have experts on their boards (68% versus 73%) and adequate training to respond to a cyber incident (59% versus 74%).

Given the gap in the directors' understanding of cyber-risks, it is understandable that they would look to their chief information security officers (CISOs) for guidance. However, the report findings show that this is not true. Only 57% of healthcare boardrooms have regular presentations from CISOs or other cybersecurity experts, compared to 73% across all sectors. Twenty-three percent of healthcare board members only see their CISOs when they appear before the board to make a cybersecurity report.

****Board-CISO Rift a Barrier to Progress****

Our industry is well aware of the communications gap between boards and CISOs. For years, boards showed little interest in cybersecurity, viewing it as an IT problem rather than a business one. Today, thanks to growing publicity about escalating threats such as ransomware, we finally see cybersecurity elevated to the board level.

But this increased awareness has not yet resulted in thawed tensions between boards and their security leaders. The survey found that 31% of directors globally still do not see eye to eye with their CISOs — and even more healthcare directors (41%) fall into this camp. If the two sides don't know, like, or even see each other very much, how can they agree on priorities and improve their organizations' security posture?

This chasm is especially alarming given the magnitude of cyber threats and patient risk in healthcare. A Ponemon Institute report on healthcare threats earlier this year found that 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months. Among those that experienced attacks such as ransomware and cloud compromise, 20% saw an increased patient mortality, rate while 57% saw poor patient outcomes because of delays in tests or procedures. There is a clear connection between cybersecurity and patient wellbeing — yet the healthcare sector often fails to take that seriously.

Why Healthcare Boards Lag Other Industries in Preparing for Cyberattacks

Organizations recognize that they are responsible for protecting remote workers from cyber threats, but they have a long way to go in deploying the necessary security technologies.

Remote work, or work from anywhere, is the reality for most organizations. However, organizations are still in the early stages of implementing security technology to accommodate the remote workforce, according to a recent report from Fortinet.

The insecurity of home networks, employees using company laptops for personal use, and compromised family devices infecting an employee's work device are considered to be the top security risks around work-from-anywhere, the company found in its "2023 Work-From-Anywhere Global Study." Just shy of three-quarters of respondents (71%) of respondents said the responsibility for protecting home offices falls on the corporation and service providers.

Of the 570 respondents, 40% had shifted back to being in the office full-time and 55% had some form of hybrid policy (remote work either one to two days or three to four days per week). Nearly two-thirds (62%) of respondents said their companies experienced a data breach during the past two to three years that could be attributed to an employee working remotely.

The survey asked respondents to identify which security solutions are the most important to secure remote employees, which security solutions have already been deployed within their organizations, and which areas they plan to invest in over the next 24 months. The results are uneven and show that organizations have much room for improvement in how they protect their remote workforce. While the top priority was network access control, only 58% said they have deployed network access control. In fact, only half of the respondents in the survey said they have implemented some of the fundamentals, such as installing antivirus on corporate devices (62%), enabling multifactor authentication (59%), and setting up a secure web gateway (53%). Barely half of the organizations have VPNs (51%) or require employees to run a firewall on personal devices (48%) despite the fact that they both were included in the list of 10 most important security technologies to protect remote workers.

Interestingly, those who have had a breach that can be attributed to a remote employee are more likely to be investing in antivirus for corporate devices, virtual private networks, secure access service edge, SD-WAN, and zero-trust network access. However, the report suggests that organizations are still figuring out what kind of protection to provide.

Not many organizations have deployed advanced security controls, such as zero trust networks (29%) or extended detection and response (XDR), but the interest in implementing them is high, at 72% and 79%, respectively. The fact that 92% of the respondents said they have plans to implement VPN in the next two years is a sign of just how far organizations have to go.

Source

DARKReading