**STAMFORD,** **Conn.,** **January** **23,** **2023** **—** Zero trust is top of mind for most organizations as a critical strategy to reduce risk, but few organizations have actually completed zero-trust implementations.Gartner, Inc. predicts thatby 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place, up from less than 1% today.

Gartner defines zero trust as a security paradigm that explicitly identifies users and devices and grants them just the right amount of access so the business can operate with minimal friction while risks are reduced.

“Many organizations established their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads. Attackers abuse this implicit trust in infrastructure to establish malware and then move laterally to achieve their objectives,” said John Watts, VP Analyst at Gartner. “Zero trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices, and resources.”

To help organizations complete the scope of their zero-trust implementations, it is critical that chief information security officers (CISOs) and risk management leaders start by developing an effective zero-trust strategy which balances the need for security with the need to run the business.

“It means starting with an organization’s strategy and defining a scope for zero-trust programs,” said Watts. “Once the strategy is defined, CISOs and risk management leaders must start with identity - it is foundational to zero trust. They also need to improve not only technology, but the people and processes to build and manage those identities.

“However, CISOs and risk managementleaders should not assume that zero trust will eliminate cyberthreats. Rather, zero trust reduces risk and limits impacts of an attack.”

Gartner analysts predict thatthrough 2026, more than half of cyberattacks will be aimed at areas that zero- trust controls don’t cover and cannot mitigate.

“The enterprise attack surface is expanding faster and attackers will quickly consider pivoting and targeting assets and vulnerabilities outside of the scope of zero-trust architectures (ZTAs),”said Jeremy D’Hoinne, VP Analyst at Gartner.”This can take the form ofscanning and exploiting of public-facing APIs or targeting employees through social engineering, bullying or exploiting flaws due to employees creating their own “bypass” to avoid stringent zero-trust policies.”

Gartner recommends that organizations implement zero trust to improve risk mitigation for the most critical assets first, as this is where the greatest return on risk mitigation will occur. However, zero trust does not solve all security needs. CISOs and risk management leaders must also run a continuous threat exposure management (CTEM) program to better inventory and optimize their exposure to threats beyond the scope of ZTA.

Gartner clients can learn more in “Predicts 2023: Zero Trust Moves Past Marketing Hype Into Reality.”

Learn how to prepare for any cybersecurity attack in the complimentary Gartner ebook 3 Must-Haves in Your Cybersecurity Incident Response Plan.

**About Gartner Security & Risk Management Summit** 

Gartner analysts present the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summits 2023, taking place February 13-14 in India, February 27-28 in Dubai, June 5-7 in National Harbor, MD, March 28-29 in Sydney, July 26-28 in Tokyo and September 26-28 in London. Follow news and updates from the conferences on Twitter using #GartnerSEC.

**About Gartner for Information Technology Executives**

Gartner for Information Technology Executives provides actionable, objective insight to CIOs and IT leaders to help them drive their organizations through digital transformation and lead business growth. Additional information is available at www.gartner.com/en/information-technology.

Follow news and updates from Gartner for IT Executives on Twitter and LinkedIn. Visit the IT Newsroom for more information and insights. 

**About Gartner**

Gartner, Inc. (NYSE: IT) delivers actionable, objective insight to executives and their teams. Our expert guidance and tools enable faster, smarter decisions and stronger performance on an organization’s mission critical priorities. To learn more, visit gartner.com.

Gartner Predicts 10% of Large Enterprises Will Have a Mature and Measurable Zero-Trust Program in Place by 2026

S-RM reports show that cybersecurity concerns surrounding hybrid work prevail for 37% of organizations.

**23rd January 2023 – LONDON –** Leading global intelligence and cyber security consultancy S-RM has today revealed in its _Cyber Security Insights Report_ that there has been a drop in concern around the cyber security threats posed by hybrid working. However, a significant proportion (35%) of IT leaders say they are concerned over a cyber skills gap among employees. 

The report, which draws on data from 600 C-suite and IT budget holders from organisations with revenue over USD $500m, found that 37% of organisations reported concerns around hybrid working – a drop from 46% in 2021. This may be in part due to growing awareness of cyber security threats among employees. When asked about the biggest cyber security challenges their organisation faced, just 31% of respondents'perceived lack of importance from employees in 2022'. While there is still a way to go, this figure is down from 36% in 2021. 

Despite growing awareness among employees, the cyber skills gap still remains an area of vulnerability. Over a third of senior IT leaders and C-suite holders in 2022 (35%) highlighted a lack of cyber skills and expertise as a key challenge facing their business when it comes to cyber security defence and incident management – a figure that rose to 42% within the financial services industry. These statistics support the ongoing industry discussion about the difficulties of attracting and retaining the best talent.

The report also illustrated that businesses with more mature cyber security policies prioritise different challenges than less experienced companies. Businesses where senior leaders viewed the company’s cyber security as ‘very mature’ were more likely to consider compliance and unsophisticated or outdated cyber security tools as their key challenges (37% and 33%). 

Comparatively, companies describing themselves as 'somewhat mature' were less likely to identify these as key challenges (25% and 26%) but rather identified a lack of skills and expertise (38%) as well as a lack of internal training (33%) as their main issues to their business – highlighting again the worries over the skills gap amongst decision makers .

**Jamie Smith, Board Director at S-RM said:**

_“While we have found that more companies are now adjusting to hybrid working and viewing it as less of a risk, it is clear that cyber security challenges are continuously evolving and2023 will bring fresh risks to consider._ 

_“One of the biggest protective measures companies can take over cyber security threats is to build a resilient workforce, and a positive takeaway from our report is that we are seeing more employees take more notice of security threats.”_ 

**Paul Caron, Head of Cyber Security, at S-RM said:**

_“Our report finds some great progress in cyber security maturity across a slew of industries but there is still asignificant skills gap evident in the workforce. This is a perennial problem for the sector: how to attract and retain the best talent, to win the knowledge, skills, and technology arms race between threat actors and private businesses._ 

_“It is crucial, for businesses to continue to invest in high quality cyber security training in order to both attract this talent and firm up their own defences by closing this skills gap.”_  

Further detail on the full report can be accessed on the S-RM website, here: https://www.s-rminform.com/cyber-security-insights-report

Cybersecurity Worries Around Hybrid Working Drop, but Many IT Leaders Still Concerned Over Cyber-Skills Gap

**DUBLIN****,** **Jan. 23, 2023** **/PRNewswire/ --** The "Supply Chain Security Market by Component (Hardware, Software, Services), Security Type (Data Locality & Protection, Data Visibility & Governance), Organization Size, Application (Healthcare & Pharmaceuticals, FMCG) and Region - Global Forecast to 2027" report has been added to  **ResearchAndMarkets.com's** offering.

The publisher forecasts that the global supply chain security market will grow from an estimated USD 2.0 billion in 2022 to USD 3.5 billion by 2027 at a compound annual growth rate (CAGR) of 11.0%. One of the factors driving the market growth is the increasing need for supply chain transparency.

**By components, services segment is to grow at the highest CAGR during the forecast period**

Supply chain security is an important supply chain management (SCM) segment. It primarily manages the risks of transportation, logistics, vendors, and suppliers. Professional security analysts ensure support with incident response and remote client assistance during suspicious activities. Professional services such as support and maintenance, training, and education are a part of this segment. With the increased adoption of supply chain security, there is an increased demand for these services, further boosting the market growth. The services segment includes numerous services required to deploy, execute, and maintain supply chain security solutions in organizations. This supply chain security market segment is classified into training and consultation, integration and deployment, and support and maintenance.

**By services, integration, and deployment services to grow at highest CAGR during forecast period**

Tailored supply chain security deployment and integration services are offered by integration and deployment service providers. These services are used by highly qualified industry experts, domain experts, and security professionals that assist organizations in formulating and implementing supply chain security strategies, preventing revenue losses, minimizing risks, understanding cybersecurity solutions, and enhancing security in the existing information system.

In system integration, the vendor's security services are integrated with the client's security system without hampering the existing client's system. Benefits, such as reduced risks and complexity, are offered by design and integration services. This enhances security and enables resiliency to cyberattacks by identifying vulnerable or potentially exploited components at all supply chain stages.

**Market Dynamics**

Drivers

*   Rising Incidences of Cyberattacks Across Supply Chains
*   Growing Need for Supply Chain Transparency
*   Increasing Demand for Enhanced Security of Supply Chain Transactions

Restraints

*   Budgetary Constraints Among Small and Emerging Startups in Developing Economies

Opportunities

*   Improving Risk Prediction and Management
*   Widespread Adoption of Automation Technology Across Value Chain
*   Increasing IoT Devices in Supply Chain

Challenges

*   Limited Awareness About Supply Chain Security Among Organizations

Key Topics Covered: 

1\. Introduction

2\. Research Methodology

3\. Executive Summary

4\. Premium Insights

5\. Market Overview and Industry Trends

6\. Supply Chain Security Market, by Component

7\. Market, by Security Type

8\. Market, by Organization Size

9\. Market, by Application

10\. Market, by Region

11\. Competitive Landscape

12\. Company Profiles

13\. Adjacent Markets

14\. Appendix

**Companies Mentioned**

*   Altana Ai
*   Berlinger & Co. Ag
*   C2A Security
*   Cold Chain Technologies
*   Controlant
*   Dickson
*   Elpro
*   Emerson
*   Fourkites
*   Hanwell Solutions
*   Ibm
*   Logtag Recorders
*   Monnit
*   Nxp Semiconductors
*   Omega Compliance
*   Oracle
*   Orbcomm
*   Roambee
*   Rotronic
*   Safetraces
*   Sensitech
*   Signatrol
*   Tagbox Solutions
*   Testo
*   Tive

For more information about this report visit https://www.researchandmarkets.com/r/cok35b

**About ResearchAndMarkets.com**

ResearchAndMarkets.com is the world's leading source for international market research reports and market data. We provide you with the latest data on international and regional markets, key industries, the top companies, new products and the latest trends.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Supply Chain Security Global Market Report 2022: Sector to Reach $3.5 Billion by 2027 at an 11% CAGR

This time around, weak API security allowed a threat actor to access account information, the mobile phone giant reported.

T-Mobile has disclosed a new, enormous breach that occurred in November, which was the result of the compromise of a single application programming interface (API). The result? The exposure of the personal data of more than 37 million prepaid and postpaid customer accounts.

For those keeping track, this latest disclosure marks the second sprawling T-Mobile data breach in two years and more than a half-dozen in the past five years.

And they've been expensive.

Last November, T-Mobile was fined $2.5 million for a 2015 data breach by the Massachusetts attorney general. Another 2021 data leak cost the carrier $500 million; $350 million in payouts to affected customers, and another $150 million pledged toward upgrading security through 2023.

Now the telecom giant is mired in yet another cybersecurity incident.

**T-Mobile's Cybersecurity Snafu**

The threat actor who claimed to be behind the 2021 breach of 54 million T-Mobile customers, past, present and prospective, John Binns, bragged in an interview with the Wall Street Journal that T-Mobile's "awful" security made his job easy.

But an infrastructure like T-Mobile's means it's tough to cover the entire attack surface, making their systems particularly complicated to shore up, Justin Fier, senior vice president for red-team operations with Darktrace, tells Dark Reading.

"Like most big brands, T-Mobile has a very complex and sprawling digital estate," Fier explains. "It is becoming harder by the day to gain visibility into every aspect of that estate and make sense of the data, which is why we’re increasingly seeing firms lean on technology to perform that role."

However, he adds that breaching a vulnerable API doesn't require much know-how on the part of an attacker.

Besides weak API security, Mike Hamilton CISO of Critical Insight, tells Dark Reading that this latest compromise also demonstrates a lack of network visibility and ability to detect abnormal behavior.

"Details are scant, and there has been no attribution of the 'bad actor,' who apparently had access to data for about 10 days before being stopped," Hamilton says.

**T-Mobile's Next Regulator Bout**

In the disclosure of the cybersecurity incident, T-Mobile downplayed the stolen account information, adding the data was "basic," and "widely available in marketing databases." While it might read like a glib dismissal of the impact on its customers, the distinction could protect the company from state regulators, Hamilton adds.

"The data may be monetized by selling in bulk, although it's of little actual value," Hamilton says. "Most of the data in the theft can be found in public sources and is unlikely to cause legal action from state privacy statutes like the CCPA (California Consumer Privacy Act)."

However, T-Mo might have more trouble in Europe with GDPR and Information Commissioner's Office (ICO) regulators in the UK, Tim Cope, CISO of NextDLP, explains to Dark Reading. Penalties like these ultimately will drive investment in the necessary cybersecurity protections, he adds.

"The regulatory oversight of the ICO and GDPR should hopefully bring a large series of fines along with these privacy breaches," Cope says, "which should in turn feed more investment into security teams to help build better controls to guard APIs against the current and future attacks."

T-Mobile Breached Again, This Time Exposing 37M Customers' Data

Two new reports show ransomware revenues for threat actors dropped sharply in 2022 as more victims ignored ransom demands.

In another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.

If the trend continues, analysts expect ransomware actors will start demanding bigger ransoms from larger victims to try and compensate for falling revenues, while also increasingly going after smaller targets that are more likely to pay (but which represent potentially smaller payoffs).

**A Combination of Security Factors**

"Our findings suggest that a combination of factors and best practices — such as security preparedness, sanctions, more stringent insurance policies, and the continued work of researchers — are effective in curbing payments," says Jackie Koven, head of cyber-threat intelligence at Chainanalysis.

Chainanalysis said its research showed ransomware attackers extorted some $456.8 million from victims in 2022, down nearly 40% from the $765.6 million they had extracted from victims the year before. The actual number is likely to be much higher considering factors like underreporting by victims and incomplete visibility over ransomware addresses, Chainanalysis conceded. Even so, there is little doubt that ransomware payments were down last year because of an increasing unwillingness by victims to pay their attackers, the company said.

"Enterprise organizations investing in cybersecurity defenses and ransomware preparedness are making a difference in the ransomware landscape," Koven says. "As more organizations are prepared, fewer need to pay ransoms, ultimately disincentivizing ransomware cybercriminals."

Other researchers agree. "The businesses that are most inclined not to pay are those that are well prepared for a ransomware attack," Scott Scher, senior cyber-intelligence analyst at Intel471, tells Dark Reading. "Organizations that tend to have better data backup and recovery capabilities are definitely better prepared when it comes to resiliency to a ransomware incident and this highly likely decreases their need to pay ransom."

Another factor, according to Chainanalysis, is that paying a ransom has become legally riskier for many organizations. In recent years, the US government has imposed sanctions on many ransomware entities operating out of other countries. 

In 2020, for instance, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) made it clear that organizations — or those working on their behalf — risk violating US rules if they make ransom payments to entities on the sanctions list. The outcome is that organizations have become increasingly leery of paying a ransom "if there’s even a hint of connection to a sanctioned entity," Chainanalysis said.

"Because of the challenges threat actors have had in extorting larger enterprises, it is possible that ransomware groups may look more toward smaller, easier targets lacking robust cybersecurity resources in exchange for lower ransom demands," Koven says.

**Declining Ransom Payments: A Continuing Trend**

Coveware also released a report this week that highlighted the same downward trend among those making ransom payments. The company said its data showed that just 41% of ransomware victims in 2022 paid a ransom, compared with 50% in 2021, 70% in 2020, and 76% in 2019. Like Chainanalysis, Coveware also attributed one reason for the decline to better preparedness among organizations to deal with ransomware attacks. Specifically, high-profile attacks like the one on Colonial Pipeline were very effective in catalyzing fresh enterprise investments in new security and business continuity capabilities.

Attacks becoming less lucrative is another factor in the mix, Coveware said. Law enforcement efforts continue to make ransomware attacks more costly to pull off. And with fewer victims paying, gangs are seeing less overall profit, so the average payoff per attack is lower. The end result is that a smaller number of cybercriminals are able to make a living off ransomware, Coverware said.

Bill Siegel, CEO and co-founder of Coveware, says that insurance companies have influenced proactive enterprise security and incident response preparedness in a positive manner in recent years. After cyber-insurance firms sustained substantial losses in 2019 and 2020, many have tightened their underwriting and renewal terms and now require insured entities to have minimum standards like MFA, backups, and incident response training. 

At the same time, he believes that insurance companies have had negligible influence in enterprise decisions on whether to pay or not. "It is unfortunate, but the common misconception is that somehow insurance companies make this decision. Impacted companies make the decision," and file a claim after the incident, he says.

**Saying "No" to Exorbitant Ransomware Demands**

Allan Liska, intelligence analyst at Recorded Future, points to exorbitant ransom demands over the past two years as driving the growing reticence among victims to pay up. For many organizations, a cost-benefit analysis often indicates that not paying is the better option, he says. 

"When ransom demands were \[in the\] five or low six figures, some organizations might have been more inclined to pay, even if they didn't like idea," he says. "But a seven or eight-figure ransom demand changes that analysis, and it is often cheaper to deal with recovery costs plus any lawsuits that may stem from the attack," he says.

The consequences for nonpayment can vary. Mostly, when threat actors don't receive payment, they tend to leak or sell any data they might have exfiltrated during the attack. Victim organizations also have to contend with potentially longer down times due to recovery efforts, potential expenses released to purchasing new systems, and other costs, Intel471's Scher says.

To organizations in the front lines of the ransomware scourge, news of the reported decline in ransom payments is likely to be of little consolation. Just this week, Yum Brands, the parent of Taco Bell, KFC, and Pizza Hut, had to close nearly 300 restaurants in the UK for a day following a ransomware attack. In another incident, a ransomware attack on Norwegian maritime fleet management software company DNV affected some 1,000 vessels belonging to around 70 operators.

**Declining Revenues Spur Gangs in New Directions**

Such attacks continued unabated through 2022 and most expect little respite from attack volumes in 2023 either. Chainanalysis' research, for instance, showed that despite falling ransomware revenues, the number of unique ransomware strains that threat operators deployed last year surged to over 10,000 just in the first half of 2022.

In many instances, individual groups deployed multiple strains at the same time to improve their chances of generating revenue from these attacks. Ransomware operators also kept cycling through different strains faster than ever before — the average new ransomware strain was active just for 70 days — likely in an effort to obfuscate their activity.

There are signs that falling ransomware revenues are putting pressure on ransomware operators.

Coveware, for instance, found that average ransom payments in the last quarter of 2022 surged 58% over the previous quarter to $408,644 while the median payment skyrocketed 342% to $185.972 over the same period. The company attributed the increase to attempts by cyberattackers to compensate for broader revenue declines through the year. 

"As the expected profitability of a given ransomware attack declines for cybercriminals, they have attempted to compensate by adjusting their own tactics," Coveware said. "Threat actors are moving slightly up the market to try and justify larger initial demands in the hopes that they result in large ransom payments, even as their own success rate declines."

Another sign is that many ransomware operators began re-extorting victims after extracting money from them the first time, Coveware said. Re-extortion has traditionally been a tactic reserved for small business victims. But in 2022, groups that have traditionally targeted mid- to large-size companies began employing the tactic as well, likely as a result of financial pressures, Coveware said.

Ransomware Profits Decline as Victims Dig In, Refuse to Pay

Zendesk has alerted customers to a successful SMS phishing campaign that has exposed "service data," but details remain scarce.

It has come to light that the Zendesk software-as-a-service (SaaS) company for customer relationship management (CRM) was compromised in October, exposing client account data to a threat actor, according to an email sent to affected accounts on Jan. 13, 2023.

The email from Zendesk with the details of the security incident was made public by Coinigy, which provides virtual wallet services and "felt the need to disclose it to our customers," Coinigy's post about the compromise explained.

Zendesk explained in the email to Coinigy that the breach was the result of an SMS phishing campaign targeting Zendesk employees.

"Zendesk determined that Service Data belonging to your coiningy.zendesk.com account may have been in the (exposed) unstructured logging platform data," the email from Zendesk explained. "There is no evidence suggesting the threat actor accessed the Zendesk instance of your coiningy.zendesk.com account at any time."

Besides applauding Coinigy's decision to publicly share the compromise details, security researcher Jake Williams was not as encouraged by Zendesk's response.

"The disclosure is vague and references 'unstructured data from a logging platform' which could be just about anything," Williams tells Dark Reading. "The disclosure simply doesn't give enough information for any organization to evaluate what (if anything) they need to do in response."

There's been no word yet as to whether other customers of Zendesk beyond Coinigy are affected.

Zendesk did not respond to Dark Reading's request for comment.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Compromised Zendesk Employee Credentials Lead to Breach

Orca Security is one of the companies integrating conversational AI technology into its products.

While there are some concerns about how generative AI chatbots such as ChatGPT can be used maliciously — to craft phishing campaigns or write malware — several companies are harnessing the power of conversational AI technology to enhance their product capabilities, including for security.

ChatGPT, a large language model (LLM) developed by OpenAI, uses GPT 3 LLM and relies on large test data sets culled from multiple sources. ChatGPT, which can understand human language, provides detailed answers to simple questions and can handle complex tasks such as creating documents and writing code in response to user queries. It's an example of how conversational AI can be used to organize large volumes of information and enhance user experience and communications.

For instance, a conversational AI tool — whether that's ChatGPT or something else — could serve as the back end of an information concierge that automates the use of threat intelligence in enterprise support, according to IT research and advisory firm Into-Tech Research.

That's the approach Orca Security appears to be taking with Orca Security Platform. The company incorporated OpenAI's GPT3 API, specifically the "Da-Vinci-03" series, to enhance the platform's ability to generate contextual and accurate remediation plans for security alerts, Lior Drihem, Orca's director of innovation, and Itamar Golan, head of data science, wrote in the announcement. 

The new pipeline takes a security alert and preprocesses the data, such as basic information about the risk and its contextual environment — such as affected assets, attack vectors, and potential impact — before feeding the pieces as input to GPT3. The AI then generates a detailed explanation of the best and most practical ways to remediate the issue, Golan and Drihem wrote. These remediation steps can also be embedded in tickets, such as Jira tickets, for teams to reference and implement.

While the AI model can provide inaccurate information (or vague results), "the benefits of utilizing GPT3's natural language generation capabilities outweigh any potential risks, and have seen significant improvements in the efficiency and effectiveness of our remediation efforts," according to Drihem and Golan.

This isn't the first time Orca Security has been working with language models. The company recently integrated GPT3 into its cloud security platform to enhance the remediation information customers receive regarding infosec risks. 

"By fine-tuning these powerful language models with our own security data sets, we have been able to improve the detail and accuracy of our remediation steps — giving you a much better remediation plan and assisting you to optimally solve the issue as fast as possible," Golan and Drihem wrote.

**Harnessing AI & LLM for Applications**

Orca Security joins other companies incorporating language models into its product portfolio. Earlier this week, Gupshup launched Auto Bot Builder, which harnesses GPT-3 to help enterprises build their own advanced conversational chatbots. Auto Bot Builder builds chatbots tailed to the enterprise's specific requirements by using content from the enterprise website, documents, message logs, product catalogs, databases, and other corporate systems, processing the information using GPT-3 LLM (Large Language Model), and fine-tuning it with proprietary industry-specific models. Enterprises can use Auto Bot Builder to build chatbots for marketing lead generation activities, product discovery, product recommendations, shopping advice, troubleshooting, and customer support.

These chatbots differ from ChatGPT, a general-purpose chatbot, but like ChatGPT, they have an "exceptionally high degree of language capability" to engage with end users, according to Gupshup.

The cryptocurrency community is also using ChatGPT to create applications such as trading bots and crypto blogs, Jerrod Piker, a competitive intelligence analyst at Deep Instinct, wrote in an email. Examples include using ChatGPT to write a sample smart contract, and a trading bot that identifies entry and exit points to help automate the process of buying and selling cryptocurrencies.

A generative AI chatbot that can answer questions is not a new concept, but ChatGPT stands out from the others because of the breadth of topics it can handle and its ease of use, says Casey Ellis, founder and CTO of Bugcrowd.

GPT Emerges as Key AI Tech for Security Vendors

Serious security flaws go unpatched, and ransomware attacks increase against manufacturers.

More than three-quarters of manufacturing organizations harbor unpatched high-severity vulnerabilities in their systems, a study of the sector found.

New telemetry from SecurityScorecard shows a year-over-year increase in high-severity vulns in those organizations.

In 2022, some "76% of manufacturing organizations, SecurityScorecard observed unpatched CVEs on IP addresses our platform attributes to those organizations," says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard.

Nearly 40% of these organizations — which include metals, machinery, appliance, electrical equipment, and transportation manufacturing — suffered malware infections in 2022.

Almost half (48%) of critical manufacturing organizations received a ranking between "C" and "F" on SecurityScorecard's security ratings platform.

The platform includes ten groups of risk factors, including DNS health, IP reputation, Web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence.

The severity of cyberattacks against manufacturers is noteworthy, Yampolskiy says.

"Many of these incidents have involved ransomware where the threat actor, usually in the form of a criminal group, sets out to make money through extortion," he says. "While the ransomware problem is global, we’ve seen a rising number of attacks on critical infrastructure come from nation-state actors in pursuit of various geopolitical objectives."

Meanwhile, incident response investigations by teams at Dragos and IBM X-Force overwhelmingly showed that the hottest operations technology (OT) target is the manufacturing sector, and the main weapon attacking these organizations is now ransomware.

**"Democratized" Cybersecurity**

Sophisticated state-sponsored actors such as Russia target several different critical infrastructure organizations across the US, from healthcare to energy to telecommunications, Yampolskiy says.

The good news? "Globally, governments are already taking steps to strengthen cybersecurity," he notes.

Take the US Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring critical infrastructure to report certain cyber incidents to DHS's Cybersecurity and Infrastructure Security Agency (CISA).

Other agencies, such as the Federal Energy Regulatory Commission, the Securities and Exchange Commission, and the Treasury Department, are also in various stages of rulemaking for entities under their regulatory jurisdiction.

Yampolskiy says policymakers should continue working with industry to have a greater and continuous understanding of the security postures of the organizations and industries that directly impact essential services for citizens, or the US economy in general.

"A more democratized, integrated, and collaborative approach to cybersecurity resilience that provides continuous visibility of the global threat landscape and convenes public and private sectors is essential to protect the world's critical infrastructure" he says, further noting that better information-sharing between government and industry is key.

Critical Manufacturing Sector in the Bull's-eye

Head off account takeover attacks by being proactive about IoT security. Start with designing and building better security protocols into IoT devices, always change weak default configurations, and regularly apply patches to ensure that IoT devices are secure.

Account takeover attacks are like the widely told campfire story about a babysitter that receives a series of threatening phone calls that are traced from "inside the house."

Fear of the unknown hits too close to home. Initial access brokers are closely related to account takeover attacks, and both are linked to ransomware. Now, it seems likely that initial access brokers (IABs) and account takeover attacks will set their sights on Internet of Things-enabled devices. Instead of the call coming from inside the house, the attack is coming from inside the phone (VoIP-enabled, of course).

**The Role of Initial Access Brokers in Ransomware Attacks**

The rise of remote work has contributed to the increase in ransomware attacks in recent years. With more employees working from home, organizations have had to rely on remote access technologies, such as remote desktop protocol (RDP) and virtual private networks (VPNs), which provide attackers with an easy way to gain initial access to a network.

Account takeover attacks are often used as a means of gaining initial access to a network to carry out a ransomware attack. In an account takeover attack, the attacker typically uses stolen or purchased login credentials to gain unauthorized access to a victim's online accounts.

IABs, also known as breach brokers, provide access to hacked or compromised computer systems to other individuals or organizations. The use of IABs has become increasingly common in recent years, as this allows cybercriminals to easily and quickly gain access to a range of targets without having to spend time and resources on hacking them themselves.

However, as organizations better secure RDP, VPN, and other IT credentials, attackers will have to turn their attention to new targets. IoT devices are a logical choice because of their widespread deployment — more than a quarter of devices in every organization are IoT devices, regardless of industry, and that number is expected to continue to increase. Unfortunately, many of these devices are vulnerable to attack, making them an attractive target.

**Three Reasons IoT Devices Are Vulnerable to Attack**

Although there are many reasons that IoT devices are vulnerable to attack, three main reasons are that they are often used with default configurations, patch management is difficult, and they were not designed with security in mind.

Default credentials are easy targets — Access:7 research identified entire product lines of IoT devices that shared hardcoded credentials for remote access.

Specialized IoT firmware may remain unpatched — Project Memoria identified more than 100 vulnerabilities in TCP/IP stacks that affected several devices, but many were not patched by the manufacturers.

Many IoT devices lack authentication and encryption — OT:ICEFALL research has demonstrated how insecure protocols in operational technology are easily exploited by attackers.

Of course, vulnerabilities tell only half of the story. For organizations to understand the nature of the threat, they also need to understand how IoT devices are currently under attack.

**IABs for IoT**

There are many examples of advanced persistent threats (APTs) that have used corporate IoT for initial access into organizations. For instance, the Russian state-sponsored actor Strontium has leveraged VoIP phones, office printers, and video decoders, while Chinese state-sponsored actors have exploited vulnerabilities on IP cameras to infiltrate US organizations.

Attack techniques tend to trickle down from APTs to less-sophisticated actors, and there are already cybercriminal gangs, such as the Conti, Deadbolt, and Lorenz ransomware groups, which have targeted IP cameras, NAS devices, and VoIP for initial access. In addition, there are groups that trade IoT exploits on Dark Web markets — the logical next step is an IAB market for IoT.

An IAB for IoT would likely act in a similar way to hacktivists that have been targeting IoT/OT. They would scan target organizations using tools such as Shodan and Kamerka, enumerate vulnerabilities or discover credentials, and use those for initial access.

One of the main differences between IABs that focus on RDP/VPN and those that target IoT devices is that the latter could also leverage vulnerabilities in IoT devices, which tend to remain unpatched for much longer. This means that they would be able to gain access to organizations in a more stealthy and persistent way, making them a more attractive target for cybercriminals.

**Mitigating the Risk of IABs for IoT**

Although IABs for IoT are different from those targeting RDP/VPN credentials, the good news is that organizations can still take a similar approach to cybersecurity. The discovery of new devices on the network, the continuous monitoring of network traffic, and the use of appropriate network segmentation are all best practices to mitigate the risk of an attack — regardless of if it leverages an IT or an IoT device.

To address the issues unique to IoT devices, manufacturers and organizations need to take a proactive approach to IoT security. This means changing default weak configurations and regularly applying patches to ensure that devices are secure. In addition, protocols used in specialized IoT devices should be designed with security in mind, including basic security controls such as authentication and encryption. By taking these steps, we can improve the security of IoT devices and reduce the risk of attacks.

The Evolution of Account Takeover Attacks: Initial Access Brokers for IoT

The credential-stuffing attack, likely fueled by password reuse, yielded personal identifiable information that can be used to verify the authenticity of previously stolen data.

Nearly 35,000 PayPal user accounts fell victim to a recent credential-stuffing attack that exposed personal data likely to be used to fuel additional, follow-on attacks.

PayPal submitted a breach disclosure that revealed that the attack began on Dec. 6, 2022 and continued until it was discovered on Dec. 20, 2002. As a result, the names, addresses, Social Security numbers, tax identification numbers, and/or dates of birth for 34,942 users were exposed.

"We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account," PayPal explained in a letter sent to affected users. "There is also no evidence that your login credentials were obtained from any PayPal systems."

PayPal added that once the attack was discovered, account passwords were reset, and additional security controls were put in place. The payment platform is offering Equifax identity theft monitoring for victims.

**Stolen Credential Ecosystem**

The credential-stuffing attack on PayPal was likely a way for threat actors to validate username and passwords they had already obtained; now that they've been checked against breached PayPal accounts, those verified credentials will be sold to another threat actor, according to Jason Kent, hacker in residence with Cequence Security.

"The value in the list is that it is verified," Kent said in a statement provided to Dark Reading. "My guess is the usernames and passwords were sourced by some other breach that pointed to the possibility of the accounts having PayPal access."

**Password Reuse the True Culprit**

Even the strongest, most complex passwords can't keep data secure if they're reused across accounts. The PayPal accounts might have been protected in this case if they'd had unique passwords, noted Erich Kron, security awareness advocate at KnowBe4.

"This is what allows credential-stuffing attacks to be so successful," Kron said in a statement about the incident. "Bad actors will take credentials scavenged from other data breaches and attempt to use them on other likely services such as banks, online shopping sites, social media, and in this case, online payment sites."

While a password manager isn't a "silver bullet," Kron added, it's an important added layer of protection against credential-stuffing attacks like that on PayPal.

"Remembering all of these passwords can be nearly impossible; however, through the use of password managers which can generate and store completely unique passwords, this can be achieved without a significant amount of effort," Kron said. "In addition, the application of multi-factor authentication can be very helpful in these cases of account takeovers."

Source

DARKReading