Preventing all data breaches is an unrealistic goal. Instead, focus on finding and minimizing the greatest risks.

There is a common misconception that all problems have clear, straightforward solutions — as long as you look hard enough. While this is a bold and ambitious goal, it's misguided when applied to cybersecurity.

Organizations cannot prevent data breaches or cyberattacks altogether, and avoiding a breach or cyber incident is nearly impossible in the modern era. Organizations can, however, take steps to reduce an attack's negative impacts.

Before I joined Coalition, I was similarly under the impression that cybersecurity companies should be focused on thwarting attacks. But I have found that companies — especially in the cyber insurance space — are more aptly concentrated on managing risk and creating the right incentives for themselves and their clients to get to an acceptable level of risk.

Why? Eradicating risk is an impractical goal because you cannot "solve" something that constantly changes. Instead, cyber insurers are in the business of helping companies avoid having to file a claim by managing their digital risk.

**To Understand Where Claims Come From, Think Like an Attacker**

Threat actors are, first and foremost, opportunistic. They will always look for the easiest targets to maximize their financial gain. So intimately understanding an organization's level of risk is the first step to managing and reducing it — and making yourself less of a target.

Coalition compiles risk assessment data by analyzing complex public data sets, threat intelligence, and proprietary claims information. For the third year in a row, we gave that data to Verizon, which incorporated it into its most recent "Data Breach Investigations Report" (DBIR). Verizon found four critical ways that threat actors most frequently use to compromise organizations large and small: credential compromise, phishing, vulnerability exploitation, and botnets.

These findings were consistent with our most recent "Cyber Claims Report Mid-year Update," which further found that phishing accounted for 57.9% of reported cyber insurance claims — a 32% increase over 2021. The report also found that ransomware attacks continued an upward trend, with an almost 13% increase in 2022. This increase was nearly as big as the previous five years of attacks combined.

The DBIR also reported that 40% of ransomware incidents involved the use of desktop-sharing software, and 35% involved email. This split attack vector makes it incredibly hard to anticipate.

These findings were once again consistent with Coalition's data. We have observed that ransomware demands continue to hover around an average of $1 million — a high price for any size organization to pay. And these attacks are becoming increasingly complex and harder to prevent.

Ultimately, understanding this complex threat landscape is the first step to being informed and aware of your organization's risk — knowledge that empowers more effective risk management.

**Take Steps to Manage Risk**

Not every organization can afford a dedicated security or IT team or sophisticated cybersecurity technologies, but any organization can implement an appropriate incident response plan and apply an offensive security mindset to mitigate overall risk.

For example, hosting security training can increase positive cybersecurity behaviors from employees, such as developing strong passwords. Implementing multifactor authentication (MFA) and having a backup solution — even that hard drive you take home at the end of each day is better than nothing! — can help reduce risk. Increasing basic email security can also help minimize credential compromise, phishing, and botnet attacks.

Finally, taking the time to map out a system's top vulnerabilities can help organizations gain a macro look at where in their networks they are the most at risk and understand where to prioritize patching; this is all to reduce the likelihood of being exploited by attackers. Some would argue that gaining total visibility into a digital infrastructure is the simplest — and smartest — way for an organization to manage and reduce its risk.

**Where Cyber Insurance Comes Into Play**

Cyber insurers can serve as risk management partners for organizations that need help knowing where to start. They can help these organizations improve their defenses today to reduce negative impacts tomorrow.

Traditional insurance — like that offered for vehicles, natural disasters, and healthcare — maps risk based on predicting the future and evaluating potential costs. But cybersecurity will never be predictable. This is why cyber insurance will never be (and should never be) a one-size-fits-all approach. Organizations cannot simply checkbox their way to a stronger security posture.

Cyber insurance is more than just a fail-safe for when things go wrong. It should work with an organization to improve overall risk exposure. Yes, insurance can absolutely help businesses in dire times, but insurers should focus on assisting companies to avoid disasters in the first place.

Cyber insurance, and all efforts focused on improving cybersecurity defenses, should be ever-evolving. "Solving" dynamic digital risk is a journey, not a destination. In the end, it's about managing and reducing risk, not preventing it altogether.

Cybersecurity Should Focus on Managing Risk

Patients transferred and operations canceled following a recent network breach at a hospital in the outskirts of Paris.

French Health Ministry authorities were forced to shut down operations and transfer critically ill patients following a weekend cyberattack on a hospital outside Paris. 

Minister Francois Braun told France 24 that the hospital, which is located in Versailles, had been fending off regular ransomware attacks, along with many others in the area — including area hospital Corbeil-Essonnes, which was breached and unable to return to normal operations for weeks after refusing to pay a $10 million ransom. 

The region's health agency added that while hospital operations are halted, it is still doing everything possible to accept emergency walk-in patients until systems are recovered. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattack Shuts Down French Hospital

In short, the global Internet is now part of your external attack surface. Here’s how to better protect your users and data.

In today’s landscape of cloud computing and decentralized work, external attack surfaces have grown to encompass multiple clouds, complex digital supply chains, and massive third-party ecosystems. For organizations, this means rethinking the way they approach comprehensive security in the face of ongoing global cyber threats.

Given this evolving reality, organizations should keep in mind some new, key considerations when assessing their attack surfaces.

**The Global Attack Surface Grows With the Internet**

Every minute, 117,298 hosts and 613 domains are created, leading to a rapidly expanding global attack surface that grows and scales over time. And cyber threats are growing at scale with the rest of the Internet, too.

In the first quarter of 2021, 611,877 unique phishing sites were detected, with 32 domain-infringement events and 375 new total threats that emerged per minute. These threats encouraged employees and customers to click malicious links so cybercriminals could phish for sensitive data. The result is that security teams now have to treat the Internet as part of their networks.

**3 New Elements Foster a Hidden Attack Surface**

Organizations need a complete view of their Internet assets and how those assets are connected to the global attack surface to adequately protect operations. But shadow IT, mergers and acquisitions (M&A), and digital supply chains can all block visibility.

When employee needs aren’t being met by their company’s current toolset, they’ll often look elsewhere for support through a process called shadow IT. Nearly one-third of employees reported using communication or collaboration tools that weren't explicitly approved, and this can be costly. As much as 50% of IT spending at large companies is devoted to shadow IT.

Critical business initiatives, like an M&A, can also expand external attack surfaces; overall, less than 10% of global deals contain cybersecurity due diligence. Large organizations often have thousands of active websites and publicly exposed assets, and their internal IT teams don’t always have a complete asset register of websites.

Finally, because enterprise business is so dependent on digital alliances in the modern supply chain, we’ve been left with a complicated web of third-party relationships outside the purview of security teams. Third-party attacks are one of the most frequent and effective vectors for threat actors, and many come through the digital supply chain. Among IT professionals, 70% reported having a moderate to high level of dependency on external entities, and 53% of organizations said they have experienced at least one data breach caused by a third party.

**Apps in App Store Target Organizations and Their Customers**

Each year, businesses are investing more in mobile to support the proliferation of mobile apps. Since 2016, the number of apps downloaded per year has increased by 63%. Consumers are getting in on the action, too. Mobile app spending grew to $170 billion in 2021, a 19% year-over-year growth.

This growing landscape represents a significant portion of an enterprise’s overall attack surface beyond the firewall. Threat actors often exploit security teams’ lack of visibility by creating rogue apps that mimic well-known brands and can be used to phish for sensitive information or upload malware. While these apps will appear in official stores on rare occasions, some less reputable stores are overrun. Microsoft blocklists a malicious mobile app every five minutes.

**The Global Attack Surface Is Part of an Organization’s Attack Surface, Too**

If you have an Internet presence, you are interconnected with everyone else — including those who want to do you harm. This makes tracking threat infrastructure just as important as tracking your own infrastructure.

Threat groups often recycle and share infrastructure — IPs, domains, and certificates — and use open source commodity tools, such as malware, phish kits, and C2 components, to avoid easy attribution. In the first half of 2022 alone, more than 270,000 new malware variants were detected — a 45% increase over the same period last year. This year, the number of detected malware variants rose by 75%.

While today’s security teams have a larger attack surface to protect, they also have more resources. Zero trust is one way for organizations to secure their workforce — protecting people, devices, applications, and data regardless of where they’re located or the threats they’re facing. Targeted evaluation tools can help you assess the zero-trust maturity stage of your organization. View our in-depth report to learn more about critical attack surface elements.

The New External Attack Surface: 3 Elements Every Organization Should Monitor

The comprehensive zero trust security solution for medical devices lets healthcare organizations automate zero trust policy recommendations and manage new connected technologies quickly and securely.

**SANTA CLARA, Calif., Dec. 5, 2022 /PRNewswire****/** — As healthcare providers use digital devices such as diagnostic and monitoring systems, ambulance equipment, and surgical robots to improve patient care, the security of those devices is as important as their primary function. Today, Palo Alto Networks (NASDAQ: PANW) announced Medical IoT Security — the most comprehensive Zero Trust security solution for medical devices — enabling healthcare organizations to deploy and manage new connected technologies quickly and securely. Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust by continuously verifying every user and device.

"The proliferation of connected medical devices in the healthcare industry brings a wealth of benefits, but these devices are often not well secured. For example, according to Unit 42, an alarming 75% of smart infusion pumps examined on the networks of hospitals and healthcare organizations had known security gaps," said Anand Oswal, senior vice president of products, network security at Palo Alto Networks. "This makes security devices an attractive target for cyberattackers, potentially exposing patient data and ultimately putting patients at risk."

While a Zero Trust approach is critical to help protect medical devices against today's innovative cyberthreats, it can be hard to implement in practice. Through automated device discovery, contextual segmentation, least privilege policy recommendations and one-click enforcement of policies, Palo Alto Networks Medical IoT Security delivers a Zero Trust approach in a seamless, simplified manner. Medical IoT Security also provides best-in-class threat protection through seamless integration with Palo Alto Networks cloud-delivered security services, such as Advanced Threat Prevention and Advanced URL Filtering.

The new Palo Alto Networks Medical IoT Security uses machine learning (ML) to enable healthcare organizations to:

*   **Create device rules with automated security responses:** Easily create rules that monitor devices for behavioral anomalies and automatically trigger appropriate responses. For example, if a medical device that typically only sends small amounts of data unexpectedly begins to use a lot of bandwidth, the device can be cut off from the internet and security teams can be alerted.
*   **Automate Zero Trust policy recommendations and enforcement:** Enforce recommended least-privileged access policies for medical devices with one click using Palo Alto Networks Next-Generation Firewalls or supported network enforcement technologies. This eliminates error-prone and time-consuming manual policy creation and scales easily across a set of devices with the same profile.
*   **Understand device vulnerabilities and risk posture:** Access each medical device's Software Bill of Materials (SBOM) and map them to Common Vulnerability Exposures (CVEs). This mapping helps identify the software libraries used on medical devices and any associated vulnerabilities. Get immediate insights into the risk posture of each device, including end-of-life status, recall notification, default password alert and unauthorized external website communication.
*   **Improve compliance:** Easily understand medical device vulnerabilities, patch status and security settings, and then get recommendations to bring devices into compliance with rules and guidelines, such as the Health Insurance Portability Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and similar laws and regulations.
*   **Verify network segmentation:** Visualize the entire map of connected devices and ensure each device is placed in its designated network segment. Proper network segmentation can ensure a device only communicates with authorized systems.
*   **Simplify operations:** Two distinct dashboards allow IT and biomedical engineering teams to each see the information critical to their roles. Integration with existing healthcare information management systems, like AIMS and Epic Systems, helps automate workflows.

Healthcare organizations are using Palo Alto Networks products to secure the devices that deliver cutting-edge care to millions of patients all over the world.

"Establishing and maintaining acute situational awareness of the Internet of Medical Things (IoMT) environment is paramount to establishing an effective enterprise cybersecurity program. The ability to accurately detect, identify and respond to cyber threats is critical to ensuring minimal operational impact to clinical operations during a cyber event," said Tony Lakin, CISO, Moffitt Cancer Center. "Palo Alto Networks IoT capability seamlessly integrates with our continuous monitoring processes and threat-hunting operations. The platform consistently provides my teams with actionable information to allow them to proactively manage the threat surface of our medical device portfolio."

"With thousands of devices to manage, healthcare environments are extremely complex and require intelligent security solutions capable of doing more. Palo Alto Networks understands this requirement and is leveraging machine learning (ML) for Medical IoT security. Adding intelligence will enable providers to improve operational efficiency, which will enhance patient and practitioner experience and alleviate the burden of an ongoing IT skills shortage," said Bob Laliberte, principal analyst, ESG.

"Healthcare providers continue to be high-value targets for attackers. This reality, combined with the diversity of medical IoT devices and their inherent vulnerabilities, points to a real need for device security that is purpose-built for healthcare use cases. The ability to defend against threats targeting critical care devices while maintaining operational availability and strengthening the alignment of device governance responsibilities between IT and Biomed engineering teams is quickly becoming a necessity for the protection of patient data and lives," said Ed Lee, research director, IoT and Intelligent Edge Security, IDC.

**More Information**

*   Learn more about Medical IoT Security here.
*   Read the Medical IoT Security announcement blog here.
*   Register to attend the Palo Alto Networks Ignite Conference on Dec. 12th - 15th, 2022, here.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**Availability**

Medical IoT Security will be available in January 2023.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyber threats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE: Palo Alto Networks Inc.

Palo Alto Networks Announces Medical IoT Security to Protect Connected Devices Critical to Patient Care

Introduces a "Developing Secure Software" training course in Japanese at OpenSSF Day Japan.

**YOKOHAMA, Japan, Dec. 5, 2022** — The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important software supply chain security initiatives, today announced many new members from leading technology firms in sectors that span software development, cybersecurity, data science, platform-as-a-service, semiconductors, finance, think tanks, academics, and more, bringing the total number of OpenSSF members to over 100.

New general member commitments include those from Airbyte, Anaconda, BoostSecurity, ControlPlane, Cybozu, Docker, Endor Labs, FOSSA, HackerOne, Phylum, Qualys, Trail of Bits, VicOne, and AMD Xilinx. New associate members include FS-ISAC, OpenForum Europe, and Nanyang Technological University.

“We are delighted to welcome new members to the OpenSSF,” says Brian Behlendorf, General Manager of OpenSSF. “As attacks continue to target critical infrastructure, both industry and governments around the world are paying attention and are proactively seeking ways to improve the security posture of the open source software we all depend on.”

The latest commitments follow a productive period for OpenSSF in which the foundation has announced Sigstore general availability, new investments from Alpha-Omega, new features from Scorecards, concise guides for developing more secure software and evaluating open source software from the Best Practices Working Group, an expanded set of technical initiatives with a new End Users Working Group, Software Bill of Materials (SBOM) Everywhere Special Interest Group (SIG), Secure Supply Chain Consumption Framework SIG, and much more.

On Dec. 5, OpenSSF hosts the OpenSSF Day Japan at the Open Source Summit Japan in Yokohama, where community members lead sessions about ongoing work to secure the software supply chain and the future of open source security. As part of this conference, OpenSSF announces that the free Developing Secure Software training course focused on the fundamentals of developing secure software is now available in Japanese.

**General Member Quotes**

**Airbyte**

"We are excited to join the Open Source Security Foundation’s growing community. As a data infrastructure company that is both a user of open source software and a host of a thriving open source project, Airbyte is particularly sensitive to the data protection needs that exist up and down the supply chain. We are as thrilled to be collaborating on the evolution of open source security standards as we are to support and learn from the experiences of others in the OpenSSF network."

*   Patsy Bailin, Head of Data Policy, Airbyte

**Anaconda**

We are excited to be a sponsor and contributing member of this important foundation. We are committed to securing open source software and providing maintainers, users, and administrators the tools needed to secure open source. With more than 30 million users of Anaconda Distribution and our repository of packages built from source, we are highly dedicated to the advancement of the open-source community and recognize, as do the other members of this foundation, that it will take all of us working together in the open to secure the future of open-source software.

*   Stephen Nolan, SVP of Product, Anaconda

**BoostSecurity**

“The software supply chain, and in particular, the open source ecosystem - finds itself today in front a big challenge: how to secure, and regain trust, in the software that the world uses…Solving this will require lots of innovation, collaboration among, and determination to keep ‘chipping away at it’ - one piece at a time. BoostSecurity believes that software supply chain security should be accessible, and consumable - by companies of all sizes and at all levels of security maturity and capabilities, and are proud to do our part in this endeavour. We are eager to work with the OpenSSF and its member companies to make the world’s software factory more secure.”

*   Zaid Al Hamami, Founder and CEO, BoostSecurity

**ControlPlane**

“Open source software is the engine of innovation for enterprises and governments across the globe. Its proliferation brings opportunity, but increases exposure in the face of the modern threat landscape. ControlPlane is committed to advancing cross-industry collaboration through the OpenSSF to systematically reduce risk for a more secure technological future.”

*   Andrés Vega, Vice President of Operations, North America, ControlPlane

**Cybozu**

“As a company whose vision is to build a society brimming with teamwork, we are excited to be joining OpenSSF to work together to strengthen the security of the open source software ecosystem. The challenge is not just to make our cloud service secure, but to collaborate across the industry to improve the security of the software supply chain as a whole. We look forward to working with OpenSSF members on this project and building a more secure future.”

*   Takuya Yoshikawa, Cloud Service Department Manager, Cybozu

**Docker**

"Docker has been working on supply chain security for many years, and is excited to join OpenSSF to work more closely with the communities there. As a developer focused company with many millions of users and customers, Docker recognises that security work falls to developers to implement, and they need help, support and tooling to improve the security of the world's software that they develop and consume. Docker has been working with upstream open source communities for many years, through initiatives like Docker Official Images and Docker Verified Publishers that are used and trusted by millions of developers. Joining OpenSSF is part of our commitment to expand the work we are doing in this space, and work even more closely with the other communities and companies involved in the essential work of securing open source software."

*   Justin Cormack, CTO, Docker

**Endor Labs**

"Eighty percent of the code in modern applications is code your developers didn’t write but depend on through open source packages. When our founding team was leading the Prisma Cloud engineering group at Palo Alto Networks, we realized the true magnitude of this issue. Our mission now is to enable OSS to live up to its true potential without introducing unnecessary risk. It’s exciting to once again take a new approach to the market, and we believe these solutions will radically enhance application development everywhere. The OpenSSF is leading the charge on open source security. They are establishing a trust-based partnership with any organization that relies on open source, with the goal of making open source use scalable and secure, while helping the community thrive. These ideals align perfectly with ours, which is why we're so excited for this partnership."

*   Varun Badhwar, CEO and Co-Founder, Endor Labs

**FOSSA**

“FOSSA is proud to join the 100+ other members of the OpenSSF community in our shared mission to advance open source security. We’re excited to get to work with the other remarkable leaders in the foundation, and share our expertise across the software supply chain, especially mitigating the risks associated with open source license violations and security vulnerabilities. Everything we do at FOSSA is for the love of open source, and in support of the massive positive impact it has on innovation and equality for our customers. Our support for and participation in OpenSSF is another example of that commitment."

*   Kenaz Kwa, VP of Product, FOSSA

**HackerOne**

“Open source software is foundational to our digital world and, just as we all benefit from open source, we must collectively contribute to its security. Log4Shell demonstrated the devastating impact of open source vulnerabilities, if not properly addressed, on organizations and their software supply chains. For too long, only a small but vital group of volunteers have helped secure open-source projects for the entire internet. We launched the Internet Bug Bounty to fund the security of open-source projects to address this challenge, and we view OpenSSF as a critical teammate in building toward the same vision of a safer internet. We are proud to join OpenSSF and support project maintainers, developers, and security teams to reduce the impact of Log4Shell and vulnerabilities like it.”

*   Kayla Underkoffler, Senior Security Technologist, HackerOne

**Phylum**

“We are excited to be a contributing member of the Linux Foundation and to support OpenSSF’s mission. At Phylum, we are doing our part to secure the universe of code by automating software supply chain security to block new risks, prioritize existing issues and allow organizations to only use open-source code that they trust.”

*   Patrick Sheehan, CRO, Phylum

**Trail of Bits**

“Open-source software is at the very core of Trail of Bits. We make our tools open source with the aspiration that organizations can use them to tackle their security challenges, including those within the software supply chain. When our engineers and researchers work on a problem, it’s likely that the solution will benefit the entire community, not just a given customer. We consider it of strategic importance that we make our in-house knowledge available, so issues can be solved at-large. To that end, we’ve built tools that automatically build a dependency graph and SBOM, find various issues in Python, and enable code signing and verification. We plan to build on these accomplishments as a general member of OpenSSF, and look forward to collaborating with other organizations in the pursuit of making open-source software as secure as possible.“

*   Dan Guido, CEO, Trail of Bits

**VicOne**

“Modern electronic vehicles adopt more and more open source software and it’s becoming a regular target of hackers. The security concerns have been raised in regulations, such as UN R155, ISO/SAE 21434. Powered by Trend Micro’s 30+ years of experience in cybersecurity, VicOne, as an automotive cybersecurity expert, will help our OEM/Tier-1 customers to strengthen data security practices and comply with international standards and regulations including proactive monitoring new cybersecurity incidents, open source vulnerability assessment, prioritization, and SBOM management.”

*   Terence Wang, Director of Product Management, VicOne Inc.

**AMD Xilinx**

"AMD is excited to join the Open Source Security Foundation to contribute to and stay on top of the latest open source security standards, including tooling, best practices, and other standards. AMD is committed to driving the adoption of open source software and joining OpenSSF will be critical to helping to ensure that AMD's open source software releases are using the latest security standards accepted by the open source community. It will also provide additional confidence for our customers that not only is our software open sourced, but is also secure."

*   Nathan Menhorn, Sr. Product Security Engineer, AMD

**Additional Resources**

*   View the complete list of OpenSSF members
*   Contribute efforts to one or more of the active OpenSSF working groups and projects

**About OpenSSF**

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, PyTorch, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at: linuxfoundation.org.

OpenSSF Membership Exceeds 100, With Many New Members Dedicated to Securing Open Source Software

The successful combo of stolen credentials and social engineering to breach networks is increasing demand for infostealers on the Dark Web.

Malicious actors are finding success deploying information stealer (infostealer) malware, combining stolen credentials and social engineering to carry out high-profile breaches and leveraging multifactor authentication (MFA) fatigue attacks.

These were among the findings of a report from Accenture’s Cyber Threat Intelligence team (ACTI) surveying the infostealer malware landscape in 2022, which also noted a spike in the number of Dark Web advertisements for variety of new infostealer malware variants.

The marketplace for compromised credentials is also growing, according to the report, which takes an in-depth look at a Russian market site used by malicious groups RedLine, Raccoon Stealer, Vidar, Taurus, and AZORult to obtain credentials for sale.

Paul Mansfield, cyber-threat intelligence analyst at Accenture, explains the most important point to understand about the rise of the rise of infostealer malware is the threat to corporate networks.

"There are many examples throughout 2022 of infostealer malware being used to harvest the credentials which serve as an entry point for further attacks," he says.

For Mansfield, the most concerning finding from the report was the damage that can be done at such little cost to the threat actor.

"The malware generally costs around $200 for one month plus a few other minor additional costs," he notes. "During that time, they can steal a high volume of credentials from around the globe, pick out the most valuable for targeted attacks — of which there have been several high-profile examples in 2022 — and sell the rest in bulk to marketplaces for others to do the same."

Ricardo Villadiego, co-founder and CEO of Lumu, says the rise of infostealer malware is a consequence of the ransomware-as-a-service business (RaaS) model boom.

"There are as many variants of infostealers as people willing to pay for the code," he explains. "The people behind infostealer malware attacks range from individuals with low technical skills to groups allegedly sponsored by governments."

He adds that what those groups of people have in common is the interest in gathering sensitive data (personal data from their computers, including login credentials, bank account details, cryptocurrency addresses, and granular location data).

"They understand that information is currency in the modern world," Villadiego says.

**Beyond the Limits of MFA**

The report highlighted the growing effectiveness of MFA fatigue attacks, which involve repeated attempts to log on to an MFA-enabled account using stolen credentials, thereby bombarding a potential victim with MFA push requests.

An earlier report found that while MFA has gained adoption among organizations as a way of improving security over passwords alone, increasing theft of browser cookies undermines that security.

"MFA uptake has been rapid since the shift to remote working caused by COVID that now means many workers are conditioned to automatically accepting MFA requests, associating them with security," Mansfield says. "Threat actors have realized this and are attempting to take advantage of it."

Villadiego points out that MFA fatigue is an "incredibly simple" technique, and it was popularized because of the Uber breach.

The bad actor appeals to the user getting "tired" of multiple push notifications claiming to be second-factor verifications and he or she accepts it to make it go away.

"This kind of technique will continue to increase during the holidays and result in high-profile breaches because we have a highly distracted workforce and the temptation to make messages or push notifications go away is even greater," Villadiego predicts.

He says the key takeaway is that the cybercriminal will find a way for the user to fall for the scam.

"They know that if they try hard enough, and consistently enough, the user will eventually cave in," he says. "Companies can have all the best-in-breed protection, but attacks evolve infinitely and defenses must evolve as well."

Villadiego adds it's about having the right controls and the intelligence in place to mitigate all contacts with the adversary as soon as they get in — and to contain the impact that an attack can have on an organization.

Mansfield says as threat actors observe how successful other groups have been in 2022 — e.g., those behind Raccoon Stealer, Redline Stealer, and Vidar — more will enter the scene and create a more competitive market.

"This in turn will drive innovation, so we expect to see new stealers with additional features to those we have seen in 2022," he explains.

Villadiego says that infostealer malware allows cybercriminals to get a "world-class company revenue," and that’s why Accenture forecasts it will keep growing as one of the predominant attacks affecting companies, individuals, and governments in 2023.

"It’s likely that we’ll see infostealers as one of the top three most prevalent attacks by the end of next year, competing hand in hand with Emotet and cryptomining botnets," he says.

**Defending Against Infostealer Malware**

Mansfield says organizations can protect against infostealer malware by ensuring operating systems and software are fully updated and that staff are trained on how to spot and deal with suspicious emails and links and also use antivirus software.

He suggests implementing MFA best practices, pointing to the US Cybersecurity and Infrastructure Security Agency (CISA) as a resource that can provide some guidance on the topic.

Villadiego adds one immediate step an organization can take to shore up defenses against infostealer malware is to look inside the network.

"You need broad visibility, and most companies don't have it," he says. "You need real-time intelligence of when and how the bad actor is getting in, so you can do something about it before the damage is too great to contain."

He says it's important to remember these attacks don't happen in seconds — the adversaries are leaving breadcrumbs and telegraphing what they are about to do, but IT security teams need to spot the attack and have a way to respond to it in real time.

"The bad guys constantly tell us what they are going to do; we just have to look closely, and we have to believe them, not turn a blind eye," he says. "There’s no such thing as small threats."

He points out that many major cyberattacks are preceded by intense cryptomining and domain generation algorithm activity.

"This activity usually goes under the radar of conventional solutions," Villadiego says. "That’s why modern attacks require paying attention to precursors and to act decisively against threats like infostealers."

Infostealer Malware Market Booms, as MFA Fatigue Sets In

Privacy standards are only going to increase. It's time for organizations to get ahead of the coming reckoning.

Since the dawn of digital marketing, people have been asked to provide their personal information in exchange for information online. This "information swap" is still a common digital tactic. However, it isn't just marketing forms that collect data. Contact forms, checkout carts, and digital healthcare forms are all examples of ways data is being captured.

While data privacy hasn't been the biggest priority for many Web applications, there is a reckoning on the horizon. We are seeing a growing number of news stories about companies doing shady things with customer data, litigation popping up over excessive data collection, massive General Data Protection Regulation (GDPR) fines for broad-based privacy policies, and the first-ever fine under the new California Consumer Privacy Act (CCPA) regulations. While there are still very limited privacy standards in the United States, the Federal Trade Commission (FTC) is on the warpath in regard to data privacy, and its reach includes punitive actions against company executives too. It's time for organizations to step up and start getting ahead of these privacy issues.

**What Exactly Is the Problem?**

Presently, we are facing two major challenges when it comes to digital privacy: data collection without consent and abuse of data collection with consent. Both of these issues stem from the growing level of complexity and third-party code in modern Web applications. Additionally, more application logic and functionality has been moving to the client side (inside the browser), where traditional security tools can't reach. This lack of visibility and protection within the client side is creating the perfect privacy storm for organizations of all sizes.

Let's look a little deeper into the two major issues organizations are facing today.

**Stop Stealing My Data (Without My Consent)**

Today, when you fill out a form or create an account online, there is an expectation you are going to be marketed to. The privacy policy and terms of services often spell out that your information will be used for marketing purposes, analytics, and advertising. But what happens when your data is sent to third parties before you submit the form? Or worse, what happens when data about you, your browser, and the device you are on is captured before you consent to anything?

This type of data collection may not be the intention of the organization, but nevertheless, inclusion of third-party code makes this invisible data capture a reality. While conducting an analysis of dozens of popular software-as-a-service (SaaS) applications, we found that more than 85% of the time, third-parties are capturing your data before you submit a form. This data capture without consent is reminiscent of digital skimming attacks, which perform very similar types of data capture for malicious purposes.

**Stop Sharing My Data (Even With My Consent)**

The second problem we run into is when you complete a form, like signing up for a new account, and explicitly agree to the privacy policy. While you are acknowledging that your data is likely to be shared, it is important to understand with whom it will be shared. Often we find that privacy policies for organizations are written in an extremely broad manner to offer the greatest flexibility and liability reduction to the organization, without any regard for the individual.

If your data is sent to a dozen third parties when you sign up for an account, the risk of having your data exposed in a cybersecurity incident increases significantly. It's no longer just the company in question that you have to be concerned about but all of the third parties that receive a copy of your data.

**How Can We Fix This?**

As an individual, the best thing you can do is use a privacy-focused browser extension like uBlock Origin or Ghostery. Both can help automatically filter out third-party digital trackers while adding a layer of protection to your privacy. While it's impossible to account for every single third-party risk, this initial layer of protection is a step in the right direction.

But what about organizations? This is slightly more problematic, due to the complexity of modern websites and Web applications (as I touched on earlier). In order to tackle this privacy challenge, organizations need to focus on two key areas: data asset identification and data access to those assets. In other words, what types of data are you collecting and which third-parties have access to that data.

Since most Web applications don't have a centralized mopping of all input fields, the identification process requires someone (typically from the application security team) to manually inspect each webpage for inclusion of data assets.

Once each data asset is identified, another review of those webpages will be required, this time to manually investigate what third-party code is loaded on the page and which parties have direct access to the data assets.

This entire process is incredibly time consuming and is further complicated by the fact that application security teams don't own the application. This will require multiple teams, such as marketing, legal, development, product, _and_ AppSec, to work together in order to determine what third-party code belongs for critical functionality and what needs to go.

The time and resource cost associated with bringing better privacy protections to your Web applications may not seem worth it at first, but consider the dual costs of a fine (from the Federal Trade Commission) and erosion of trust from your end users. The push for better privacy standards is on the rise, and it's only a matter of time before each state has a digital privacy requirement in place.

The Privacy War Is Coming

As ransomware's prevalence has grown over the past decade, leading ransomware groups such as Conti have added services and features as part of a growing trend toward professionalization.

Ransomware groups are getting their acts together, growing in sophistication and business acumen while monetizing ransomware beyond encryption, including double and triple extortion, as the market for ransomware-as-a-service (RaaS) matures.  

In first half of 2022, LockBit, Conti, Alphv, Black Basta, and Vice Society were among the most prolific ransomware gangs, focusing their attack on US-based organizations, according to a LookingGlass report on the topic.

The report confirmed and attributed 1,133 ransomware attacks in the first six months of the year and attributed 207 data leaks across all active threat actor groups throughout the same period. Of the more than 1,300 incidents, the bulk came from the top 15 most active ransomware groups, led by LockBit, Conti, and Alphv.

Ransomware gangs have primarily targeted two sectors during the analysis period: manufacturing and industrial products, followed by engineering and construction and healthcare and life sciences, with the consumer and retail industry rounding out the top five.

**Professionalization & Economies of Scale**

The report highlighted the rise of sophisticated software and networks as a principal contributor to the professionalization of ransomware, with malicious actors now offering RaaS, bug bounties, sales teams, and even customer support.

"This new, more professional ransomware structure can only mean that the problem will continue to grow in the months ahead," the report noted. "We anticipate the adoption of more traditional business practices as the underground economy continues to remain robust."

LookingGlass CEO Bryan Ware says a key reason for this professionalization is for economies of scale, noting it enables ransomware gangs to make more money because they're improving operations to enable scale and growth.

"Think of it like a startup: you start with a small group of people delivering 'product.' Then, as they see success and demand growing, they add more people on to help make more money," he says. "At some point, you need operations and processes in place to enable the group to capture that demand."

For most ransomware gangs, the motivation is financial, and professionalizing is part of what enables more revenue for the threat actors.

"Beyond this, it's hard to speak to motivation," Ware says. "However, as in the analogy used above regarding startups, we might anticipate that professionalization also means they will have road maps for functionality, operating systems they support, and future-proofing, for example."

He explains one thing that IT security teams need to know is that this professionalization is going to impact the development of malware for ransomware activities.

"Malware is likely going to be better produced and maintained — and produced faster," Ware says. "This is because there are different team members who can focus on their strengths: some can be working on development, others on QA of malware, and so on."

**Professionalization of RaaS Actors Likely to Continue**

The report echoes findings of a Verizon DBIR report earlier this year, which found ransomware has become so efficient — and the underground economy so professional — that traditional monetization of stolen data may be on its way out.

Ware notes that, in general, the belief is that RaaS will only grow.

"Because ransomware gangs may now have departments focused on specific operations, such as a 'customer' or victim-support group," he says. "It's not absurd to think they will double-down on RaaS as a model for growth, especially by growing affiliate or 'channel' marketing capabilities and staff. There may even be developments to franchise."

Overall, the increasing professionalization of ransomware gangs increases the threat to businesses, as these groups may be better able to develop ransomware on a per-industry basis.

"This would be true especially if they keep up their current development," Ware says. "But overall, the threat remains high to businesses and will likely stay that way, if not grow."

Meanwhile, a surging and evolving ransomware sector continues to expand across the Dark Web with hundreds of thriving marketplaces — recent research by Venafi and Forensic Pathways uncovered 475 web pages filled with listings for ransomware strains, ransomware source code, build and custom-development services, and full-fledged RaaS offerings.

Earlier this year, a study by Sophos found a growing nexus between ransomware actors and initial access brokers (IABs), which offer elite access to compromised systems and slick, professional services, is raising the bar in the underground economy.

The evolution of IABs such as Genesis, which lists more than 400,000 bots (compromised systems) in more than 200 nations, also points to the "growing professionalization and specialization" of the cybercrime economy, the report noted.

Ransomware Professionalization Grows as RaaS Takes Hold

A single improperly formatted command has effectively killed KmsdBot botnet, security vendor says.

It's not often that malware authors go through the effort of creating a malicious tool for assembling a botnet, only to then find a way to effectively sabotage it themselves.

But that appears to be precisely the case with "KmsdBot," a distributed denial-of-service (DDoS) and cryptomining botnet that researchers from Akamai found infecting systems across multiple industries last month. Now, it has since gone largely silent because of a single improperly formatted command on the part of its author.

**A Versatile Threat**

The malware, written in the Go programming language, infects systems via an SSH connection with weak credentials and uses UDP, TCP, and HTTP POST and GET commands in DDoS attacks. Kaspersky found the malware is designed to target multiple architectures such as Windows, Arm64, and mips64 systems. Among those the malware has affected are luxury car makers, gaming companies, and IT firms.

In all the attacks that Akamai observed, the threat actors used KmsdBot to execute DDoS attacks, though the malware also contains cryptomining functionality.

Following Akamai's initial disclosure in November, researchers from the company continued to monitor and analyze the threat. As part of the exercise, they modified a recent sample of KmsdBot and decided to test various scenarios related to the malware's command and control (C2) functionality.

The Akamai researchers found the spot in the malware's code that contained the IP address and port for KmsdBot's C2 server and modified it, so the address pointed to Akamai's IP space. The goal was to have a controlled environment from where the researchers could send their own commands to the bot sample to see how it worked.

**A Fatal Oopsie**

During the testing, the Akamai researchers discovered the bot suddenly stopped working after receiving a command to send a bunch of junk data to bitcoin.com, in an apparent bid to DDoS the website.

A closer look showed the command to be malformed. "The guys running the botnet crashed it by accident," Larry Cashdollar, principal security intelligence response engineer at Akamai, tells Dark Reading. "They sent in a command that was missing a space between the target URL and port number."

The bot does not contain any error-checking functionality to verify if the commands it receives are properly formatted, Cashdollar says. As a result, the Go binary crashes with an "index out of range" error message.

He also says that Akamai was able to replicate the issue by sending the bot it had modified an improperly formatted command of its own. 

"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Akamai noted in its update on the malware this week.

Importantly, the bot does not support any persistence mechanism. So, the only way for the malware authors to rebuild the KmsdBot botnet is to reinfect systems from scratch.

Cashdollar says almost all of the KmsdBot-related activity that Akamai was tracking over the past several weeks has ceased. But there are signs that the threat actors have begun attempting to infect systems again, he notes.

Malware Authors Inadvertently Take Down Own Botnet

Almost a third of respondents in Fastly's Fight Fire with Fire survey view data breaches and data loss as the biggest cybersecurity threat.

Even with the shifting threat landscape, organizations view malware, phishing, and data breaches as their biggest threats.

Almost a third of respondents in Fastly's Fight Fire with Fire survey consider data breaches and data loss as the biggest cybersecurity threat to their organization over the next 12 months. Malware (29%) and phishing (26%) round out the top three. What's notable is the change in focus from 2021, when 31% of respondents named malware as their biggest threat, followed by distributed denial of service attacks (26%) and attacks targeting known vulnerabilities (25%).

While attacks exploiting vulnerabilities or misconfigured services were perceived as the biggest threats in 2021, malware, phishing, and ransomware appeared to be bigger issues in 2022. Fastly noted the fact that the 2022 Threat Landscape report from ENISA also identified ransomware as the top threat businesses were concerned about, while malware was the second most commonly identified threat.

Fastly's data showed that just 14% were concerned about DDoS attacks in 2022 — which is a surprisingly steep decline, especially considering the stratospheric increase in DDoS attacks in 2022. There were 60% more DDoS attacks in the first six months of 2022 than in the entirety of 2021, according to the report. One reason for the disconnect may be because content delivery networks (CDNs) are able to absorb the vast majority of DDoS attacks, freeing up IT to focus on other areas, Sean Leach, Fastly's chief product architect, said in the report.

While attacks against remote workers did not show up on the list of threats organizations are worried about, Fastly's data suggests that organizations are still very concerned about their ability to protect remote workers. Nearly half, or 46%, predicted that attacks on remote workers will drive cybersecurity threats over the next 12 months.

"Remote workers create no additional vulnerability on their own," Leach said, noting that concerns about securing remote workers have more to do with adoption of new technologies and learning how to use security controls effectively.

To bolster their defenses, 51% of global businesses are actively investing in remote employee security, with a further 38% planning on investing in it within the next two years, Fastly said in its report.

Overall, IT leaders are increasing their cybersecurity investments to bring in more tools and technologies to defend against threats — 73% said they were increasing cybersecurity investment. Unfortunately, more tools don't necessarily mean better security, as some of these tools may not easily integrate with the existing security stack or with each other, Leach said.

"Instead of buying any number of unnecessary tools, businesses with successful security strategies often work with fewer technologies which work closely together and are deeply integrated with one another," Leach said.

Source

DARKReading