The security vulnerability allows attackers to spoof a target certificate and masquerade as any website, among other things.

Researchers have developed a proof-of-concept (PoC) exploit for a public x.509 certificate-spoofing vulnerability in the Windows CryptoAPI that the NSA and the National Cyber Security Center (NCSC) reported to Microsoft last year.

Microsoft quietly patched the bug, tracked as CVE-2022-34689, in its August 2022 monthly Patch Tuesday security update, but only publicly disclosed it in October. At the time, it assessed the vulnerability as one that attackers were more likely to exploit. But it offered scant details on the bug or how an attacker might exploit it.

"When the patch was released, this bug was missing from \[Microsoft's\] release notes," says Yoni Rozenshein, security researcher at Akamai. "It was announced retroactively two months later, in October, and there seems to be no information available that describes the vulnerability and how it's exploited."

**Proof-of-Concept Attack for CVE-2022-34689**

Researchers at Akamai who have been analyzing the vulnerability for the past several months this week released details of an attack they developed for it, which they said would allow attackers to spoof the target certificate and masquerade as any website, with the ability to take a variety of malicious actions.  
"The vulnerable browser would show the green lock icon indicating a secure connection even though the connection is completely controlled by the attacker," Rozenshein says. He described Akamai's PoC for it as the first for the bug.

CryptoAPI is a Windows application programming interface that developers use to enable support for cryptography for their applications. One of CryptoAPI's roles is to verify the authenticity of digital certificates. And it is in this function where the vulnerability exists, Rozenshein says.

To verify the authenticity of a certificate, CryptoAPI first checks to see if it already exists in the receiving application's certificate cache. If it does, CryptoAPI treats the received certificate as verified. Prior to Microsoft's patch for it, CryptoAPI determined whether a received certificate was already in the certificate cache or not merely by comparing MD5 hash thumbprints. If the received certificate's MD5 thumbprint matched the MD5 thumbprint of a certificate in cache, CryptoAPI treated the received certificate as verified, even if the actual contents of the two certificates did not match exactly.

That opens the door for cyberattackers to introduce an imposter certificate.

**MD5 Thumbprints: An Incorrect Assumption**

Prior to the patch, "Microsoft inherently trusts the validity of cached certificates and doesn’t perform any additional validity checks after an end certificate is found in the cache," Akamai said in its report. While this by itself is a reasonable assumption, CryptoAPI's trust that two end certificates are identical if their MD5 thumbprints match "is an incorrect assumption that can be exploited, and was the genesis of the patch," Akamai noted.

To prove how an attacker could exploit the issue, Akamai researchers first generated two certificates — one legitimately signed and the other malicious — and rigged them so they would both end up having the same MD5 thumbprints. They then devised a way to serve the first, legitimate certificate to an application with a vulnerable version of CryptoAPI (in this case, an old version of Chrome — v48). Once the application had verified the certificate and stored it in its end certificate cache, Akamai showed how an attacker could then use a man-in-the-middle attack to serve the second malicious certificate to the same application and have it be verified as authentic.

Two conditions need to exist for the attack to work, Rozenshein says. One is that the application needs to be missing the Windows patch that Microsoft released last August. The other is that the application must use CryptoAPI for certificate verification and enable a CryptoAPI feature called "end certificate caching." The feature is disabled by default on CryptoAPI, but some applications enable it to boost performance. It is these applications that attackers can target, if an organization has not patched them.

"We are still actively researching and looking to find more vulnerable applications," Rozenshein says.

**Easy to Exploit**

Rozenshein says an attacker with control over a network can exploit the flaw without much difficulty. "They will need to compute an MD5 collision, but this can be done in advance, cheaply and in only a few hours," he says pointing to previous research that has shown how it is possible for an attacker to generate two certificates with the same MD5 thumbprint.

Once the MD5 thumbprint is calculated, the attack can be carried out easily, Rozenshein says. How an attacker carries out the next two phases of the attack (serving the two certificates) depends on the type of application being targeted, he adds: "In the case of Web browsers, we have found that simply resetting the connection after the first phase has been completed causes the browser to immediately try to reconnect. This is when the attack switches to the second phase."

Microsoft did not immediately respond to a request for comment on Akamai's research or PoC attack.

CVE-2022-34689 is the second flaw in CryptoAPI that the NSA has disclosed to Microsoft in recent years. In 2020, they reported a similar issue, tracked as CVE-2020-061, or the Curveball vulnerability. Akamai assessed the more recently disclosed flaw as presenting less of a threat than CurveBall because there are more prerequisites attached to it and therefore has a more limited scope of vulnerable targets.

Researchers Pioneer PoC Exploit for NSA-Reported Bug in Windows CryptoAPI

Encrypted backups for several GoTo remote work tools were exfiltrated from LastPass, along with encryption keys.

The GoTo remote work tool software platform has confirmed that encrypted backups for several of its tools, including Central, Pro, join.me, Hamachi, and RemotelyAnywhere, were exfiltrated, along with some encryption keys, in last November's compromise of the LastPass cloud-based password keeper.

The compromised GoTo data could include usernames, salted and hashed passwords, some multifactor authentication (MFA) settings, product settings, and licensing information, according to the company's recent disclosure.

Impacted customers will be contacted by GoTo directly, and all affected users will have their passwords and MFA settings reset, according to a post from GoTo CEO Paddy Srinivasan, which included details on the breach.

"In addition, we are migrating their accounts onto an enhanced identity management platform, which will provide additional security with more robust authentication and login-based security options," Srinivasan added.

Last December, LastPass confirmed the theft of customer data — a follow-on cyberattack from the previous August, when the LastPass source code was stolen.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

GoTo Encrypted Backups Stolen in LastPass Breach

Don't make perfect the enemy of good in vulnerability management. Context is key — prioritize vulnerabilities that are actually exploitable. Act quickly if the vulnerability is on a potential attack path to a critical asset.

The widespread vulnerability that first appeared in Apache Log4j in 2021 will continue to be exploited, potentially even in worse ways than we've seen to date. The more worrisome aspect of these threats is that there's a good chance they'll continue to be exploited months or years into the future.

The Department of Homeland Security's Cyber Safety Review board debuted in 2021, and in 2022 released its inaugural safety report (PDF). In it, the board called Log4j an "endemic vulnerability," chiefly because there isn't a comprehensive "customer list" for Log4j, making keeping up with vulnerabilities a near-impossible task. One federal Cabinet department even spent 33,000 hours on its Log4j response.

And many organizations and security solutions on the market fail to identify the difference between exploitability and vulnerability — leaving an opportunity for attackers to carry out malicious activity.

**Exploitability vs. Vulnerability**

One of the key issues with cybersecurity today is understanding the difference between vulnerabilities and their severity. When it comes to measuring exploitability versus a vulnerability, there's a big difference between whether a security threat is exploitable within your business or if it's just "vulnerable" and cannot hinder the business or reach a critical asset. Security teams spend too much time not understanding the difference between the two and fix each vulnerability as it comes, instead of prioritizing those that are exploitable.

Every company has thousands of common vulnerabilities and exposures (CVEs), many of which score high on the Common Vulnerability Scoring System (CVSS), so it's impossible to fix them all. To combat this, the hope is that risk-based vulnerability management (RBVM) tools will make prioritization easier by clarifying what is exploitable.

However, security prioritization approaches that combine CVSS scores with RBVM threat intel don't provide optimal results. Even after filtering and looking just at what is exploitable in the wild, security teams still have too much to handle because the list is long and unmanageable. And just because a CVE doesn't have an exploit today doesn't mean that it won't have one next week.

In response, companies have been adding predictive risk AI, which can help users understand if a CVE might be exploited in the future. This still isn't enough and leads to too many issues to fix. Thousands of vulnerabilities will still show to have an exploit, but many will have other sets of conditions that have to be met to actually exploit the problem.

For example, with Log4j, the following parameters need to be identified:

*   Does the vulnerable Log4j library exist?
*   Is it loaded by a running Java application?
*   Is the JNDI lookup enabled?
*   Is Java listening to remote connections, and is there a connection for other machines?

If the conditions and parameters aren't met, the vulnerability isn't critical and shouldn't be prioritized. And even if a vulnerability could be exploitable on a machine, so what? Is that machine extremely critical, or maybe it isn't connected to any critical or sensitive assets?

It's also possible the machine isn't important yet it can enable an attacker to continue toward critical assets in stealthier ways. In other words, context is key — is this vulnerability on a potential attack path to the critical asset? Is it enough to cut off a vulnerability at a chokepoint (an intersection of multiple attack paths) to stop the attack path from reaching a critical asset?

Security teams hate vulnerability processes and their solutions, because there are more and more vulnerabilities — nobody can ever fully wipe the slate clean. But if they can focus on what can create _damage_ to a critical asset, they can have a better understanding of where to start.

**Combating Log4j Vulnerabilities**

The good news is that proper vulnerability management can help reduce and fix the exposure to Log4j-centric attacks by identifying where the risk of potential exploitation exists.

Vulnerability management is an important aspect of cybersecurity and is necessary for ensuring the security and integrity of systems and data. However, it's not a perfect process and vulnerabilities can still be present in systems despite best efforts to identify and mitigate them. It's important to regularly review and update vulnerability management processes and strategies to ensure that they are effective and that vulnerabilities are being addressed in a timely manner.

The focus of vulnerability management should not only be on the vulnerabilities themselves, but also on the potential risk of exploitation. It is important to identify the points where an attacker may have gained access to the network, as well as the paths they may take to compromise critical assets. The most efficient and cost-effective way to mitigate the risks of a particular vulnerability is to identify the connections between vulnerabilities, misconfigurations, and user behavior that could be exploited by an attacker, and to proactively address these issues before the vulnerability is exploited. This can help to disrupt the attack and prevent damage to the system.

You should also do the following:

*   **Patch:** Identify all your products that are vulnerable to Log4j. This can be done manually or by using open source scanners. If a relevant patch is released for one of your vulnerable products, patch the system ASAP.
*   **Workaround:** On Log4j versions 2.10.0 and above, in the Java CMD line, set the following: log4j2.formatMsgNoLookups=true
*   **Block:** If possible, add a rule to your Web application firewall to block: "jndi:"

Perfect security is an unachievable feat, so there's no sense making perfect the enemy of good. Instead, focus on prioritizing and locking down potential attack paths that continuously improve security posture. Identifying and being realistic about what actually is vulnerable versus what is exploitable can help do this, since it will allow the ability to strategically funnel resources toward critical areas that matter the most.

Log4j Vulnerabilities Are Here to Stay — Are You Prepared?

The DPRK has turned crypto scams into big business to replenish its depleted state coffers.

The blockchain industry hemorrhaged money last year, with the global market for cryptocurrencies plummeting 63%. But investors didn't only lose money to half-baked coins and overhyped NFTs.

In a report published today, researchers from Proofpoint detailed how North Korean state-backed hackers managed to siphon more than $1 billion dollars in cryptocurrencies and other blockchain assets in the 2022 calendar year (all the more impressive considering how depressed those assets had become).

Proofpoint attributed the success of the TA444 group and related clusters — variously referred to as APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and Copernicium — to their startup-like approach.

Hallmarks, the researchers said, include "rapid iteration, testing products on the fly, and failing forward." The group regularly experiments with new methods of intrusion, and has cycled through different and better malware in recent years.

"While we do not know if the group has ping-pong tables or kegs of some overrated IPA in its workspace," the authors wrote, "TA444 does mirror the startup culture in its devotion to the dollar and to the grind."

**TA444's Evolving Threat**

There's an element of "move fast and break things" to TA444.

In recent years, the group has iterated on their social engineering tactics many times over. Sometimes it sent private messages from hijacked LinkedIn accounts of representatives from legitimate companies, other times it abused email marketing tools in order to circumvent spam filters. It has engaged with victims in English, but also Japanese, Polish, and Spanish.

In one oddball case, it email-blasted organizations across the US healthcare, education, finance, and government sectors, using barebones, typo-laden phishing lures. At best, their lures made reference to specific brand names in the industry, sometimes promising salary increases or job opportunities, but the efforts here were mainly rudimentary.

Where other cybercrime groups may focus on perfecting social lures and delivery mechanisms, researchers explained that malware creation is where TA444 really distinguishes itself.

Their collection of post-exploitation backdoors has included the msoRAT credential stealer, the SWIFT money laundering framework DYEPACK, and various passive backdoors and virtual "listeners" for receiving and processing data from target machines.

"This suggests that there is an embedded, or at least a devoted, malware development element alongside TA444 operators," according to the report.

**North Korea: The OG Crypto Bro**

To supplement its maladroit command economy, the government of North Korea has long used hackers for fundraising, targeting wherever a financial opportunity happens to lie. That includes everything from retailers in the United States to the SWIFT banking system, and, in one notorious case, the entire world.

Because cryptocurrency companies offer few safeguards against theft, transactions are generally irreversible, and parties to those transactions are difficult to identify, the industry is rife with financially motivated cybercrime. North Korea has been dipping into this well for years, with campaigns against startups, botnets that mine coins, and ransomware campaigns soliciting crypto payments.

Last year, though, the scale of the theft reached a new level. Blockchain research firm Chainalysis assessed that the country stole nearly $400 million dollars in cryptocurrency and blockchain assets in 2021. In 2022, they surpassed that figure with a single attack — against a blockchain gaming company called SkyMavis — estimated to be worth over $600 million at the time. Add in other attacks throughout the calendar year, and their total haul reaches 10 figures.

"While we may poke fun at its broad campaigns and ease of clustering," the researchers warned, "TA444 is an astute and capable adversary."

Proofpoint's report noted that monitoring for MSHTA, VBS, Powershell, and other scripting-language execution from new processes or files can help detect TA444 activity. It also recommended using best practices for a defense-in-depth approach to combat TA444 intrusions: Using network security monitoring tools, using robust logging practices, a good endpoint solution, and an email monitoring appliance, in addition to training the workforce to be aware of heist activity that stems from contact on WhatsApp or LinkedIn. 

"Additionally, given the credential phishing campaign activity we observed, enabling MFA authentication on all externally accessible service would help limit the impact of credentials eventually getting stolen," the researchers said via email.

North Korea's Top APT Swindled $1B From Crypto Investors in 2022

Some predictions about impending security challenges, with a few tips for proactively addressing them.

Cloud transformation has become a strategic advantage for many organizations, providing convenience, cost savings, and near-permanent uptimes compared with on-premises infrastructure. At the same time, the move to cloud has also increased the attack surface, resulting in an uptick in criminal activity targeting cloud environments. As we roll into 2023, fears about a potential recession and a corresponding desire to cut costs are renewing urgency to move to the public cloud.

For organizations to successfully secure cloud environments, they must understand the critical risks that can be exploited by attackers to infiltrate cloud environments. As with legitimate activity in the cloud, attackers continue to evolve their approaches, so the challenges faced in 2023 will be different than those faced in 2022 and prior. Here are my top 2023 predictions.

**Multicloud Environments Will Continue to Compound Security Challenges**

Multicloud offers numerous benefits, from avoiding vendor lock-in to reliability, agility, and cost-efficiency. At the same time, however, it brings additional layers of complexity, particularly regarding security management. According to a recent report, 78% of organizations deploy applications on more than three public clouds.

Moreover, the number of services available from the top three public cloud providers (Amazon Web Services, Azure, and Google) is expected to surpass 1,000, up from 750 today. In an effort to embrace agility and innovation, security practitioners will need to find ways to support these news services as soon as they are available.

With each cloud provider's unique capabilities enhanced and expanded almost daily, organizations will have to invest in automated tools that map new services to security and compliance frameworks, like NIST, CIS, and others.

**Securing Developer Environments Will Become the Most Critical Component**

The continuous growth and diversity of application deployments are creating an extensive attack surface for malicious actors. We have seen cybersecurity incidents like SolarWinds, Kaseya, and Spring4Shell significantly impact organizations.

On the other hand, we also see issues like Log4j, which recently demonstrated how many organizations can be impacted due to software vulnerabilities. Hence, we expect securing developer environments will become one of the most critical components for organizations in 2023.

**DevSecOps Tool Sprawl Will Begin to Consolidate**

According to Gartner, of those organizations that have implemented a DevSecOps pipeline for cloud security, "these organizations have manually stitched together DevSecOps with 10 or more disparate security tools — some old and some new — each with siloed responsibility and view of application risk."

Recognizing the overhead with managing so many tools, and the challenges with achieving consistent policies across cloud providers and services, information security teams will increasingly standardize on broader platforms, such as cloud-native application protection platforms, at the expense of point products, such as cloud security posture management, infrastructure-as-code scanners, and cloud workload protection platforms.

**Focused Approach for Data Protection**

Monitoring data across multicloud environments has been an unsolved problem for a couple of years for most organizations. When production workloads are moved between multiple public cloud environments, it becomes difficult to track data or access permissions. Tools for cloud service providers have limitations to secure data in multicloud environments.

In 2023, organizations need to adopt new tool sets and new mindsets, and make a greater effort to detect, classify, and enforce policies to secure sensitive data. We expect data protection to be at the center of the cloud security strategy to avoid increasingly high-profile, complex cyberattacks and data breaches.

**Do More With Less**

The current economic climate is pointing toward a trend of tighter budgets in 2023. To combat this challenge, leaders will be consolidating tools, processes, and expertise with a more collaborative approach. We'll see wider use of cross-functional teams with even greater ROI focus to boost efficiency and reduce complexity.

**Cybersecurity Hiring Will Remain a Challenge**

According to the (ISC)2 2022 Cybersecurity Workforce Study, there is a shortage of 3.4 million cybersecurity workers worldwide. With limited staff, we expect security leaders to emphasize security automation with risk-based prioritization.

**How to Stay Safe in 2023**

Based on our experience of investigating attacks and related incidents, we believe that security leaders need to focus on the following tactics and techniques:

*   Cloud security approach and strategy: With the prevalence of large-scale cloud-native deployments, adopting a more modern, agile, and integrated cybersecurity approach is mission-critical.

*   Select the right tooling: Shifting to robust security with the right solutions and level of expertise, over security layers and threat intelligence.

*   Prioritizing visibility: Gain insight and control over the complex cloud environment covering threats, risks, and vulnerabilities in the cloud.

*   Data security in focus: Secure data in large, dispersed environments with strategic integrated data protection and DLP approach.

*   Threat intelligence, advanced correlation, and machine-learning techniques: Use a combination of advanced techniques to stay ahead of bad actors and proactively reduce risk.

*   Automate and maintain continuous compliance standards.

*   Team collaboration: Distribute and delegate security responsibilities using automation across the organization.

Multicloud Security Challenges Will Persist in 2023

**ARLINGTON, Va.****,** **Jan. 25, 2023** **/PRNewswire/ --** ThreatConnect announced today the release of ThreatConnect Platform v7.0, the industry's first threat intelligence platform designed specifically for TI Ops.  The new release radically increases the effectiveness of threat intelligence analysts and security operations teams by bringing together the power of human analysis, ML-powered analytics and intelligence, and automation. 

"Legacy approaches to threat intelligence are no longer sufficient to protect the enterprise in a world of an expanding attack surface and increasing velocity and sophistication of threats," said Andrew Pendergast, EVP of Product at ThreatConnect. "Security operations must modernize by adopting a new approach that puts threat intelligence at the core of everything – aggregating TI from multiple sources, prioritizing the most dangerous threats, and taking timely action so security programs can be strategic and proactive."

The ThreatConnect Platform enables organizations to achieve alignment between security operations and the critical risks to the business as well as better security efficiencies and greater effectiveness, including faster time to mitigate critical vulnerabilities and faster mean time to detect (MTTD) and respond (MTTR) to threats. In a recent survey of ThreatConnect customers, more than 68% of respondents said that the product helped them improve their MTTR by more than 50%.  In the same survey, 95% of respondents noted that ThreatConnect enabled them to get more value from their existing security tools such as SIEM, XDR, and SOAR.

Customers can now go beyond just managing threat intel to operationalizing it and fusing it across every part of your security program, from threat investigation to incident response to vulnerability management.

**ML-Powered Global Intelligence and Analytics with CAL™ v3.0**

With the introduction of a native natural language processing (NLP) to the  ThreatConnect Platform now automates many analyst activities saving them time and effort. CAL™ now has the ability to understand MITRE ATT&CK techniques. This capability underpins the new CAL™Automated Threat Library (ATL) intelligence. Analysts no longer need to visit dozens of blogs and news sources every day, analyzing the sources for indicators, threat actors, and ATT&CK techniques, and copying and pasting relevant intel. CAL™ ATL  automatically aggregates, enriches, scores,analyzes, and filters more than 60 top threat intel-related news sources into an intel feed ready to be used in the ThreatConnect Platform with more sources being added all the time.

**Native Reporting Engine**

The CISO down to security analysts need timely and relevant information and insights to make strategic, tactical, and operational decisions. With ThreatConnect's native Reporting engine, customers can easily create custom reports to put actionable information in front of the right people at the right time to improve defenses. With this new capability, users can create reports directly in  the Platform using the built-in report editor, saving time and effort by leveraging the intelligence already aggregated and built from your threat library in ThreatConnect with powerful graphs, charts, and free form text..  

**Built-in Enrichment** 

Built-in Enrichment with our top enrichment provider partners automates and streamlines the process of adding context to Indicators of Compromise. Users will have a simple, plug-and-play experience to have the most common enrichment providers set up throughout the ThreatConnect platform, helping them to identify false positives, and to pull out actionable intelligence to improve detection efficacy and speed up threat response.

**Learn More:**

*   Read our blog post to learn more about Threat Intelligence Operations, the Evolved Threat Intel Lifecycle, and latest capabilities in ThreatConnect Platform v7.0.
*   Download the Dawn of TI Ops  paper to learn why TI Ops is critical to security operations.
*   Download the Evolved Threat Intel Lifecycle infographic to learn why the a new threat intel lifecycle is required for TI Ops
*   Register for the webinar The Need for an Evolved Threat Intel Lifecycle on February 17, 2023.

**About ThreatConnect**

ThreatConnect enables threat intelligence operations, security operations, and cyber risk management teams to work together for more effective, efficient, and collaborative cyber defense and protection. With ThreatConnect, organizations infuse ML and AI-powered threat intel and cyber risk quantification into their work, allowing them to orchestrate and automate processes to get the necessary insights, and respond faster and more confidently than ever before. More than 200 enterprises and thousands of security operations professionals rely on ThreatConnect every day to protect their organizations' most critical assets.

ThreatConnect Extends Threat Intelligence Platform to Enable Threat Intelligence Operations (TI Ops)

**FRANKLIN LAKES, N.J.****,** **Jan. 25, 2023** **/PRNewswire/ --** BD (Becton, Dickinson and Company) (NYSE: BDX), a leading global medical technology company, today released its third annual cybersecurity report to update stakeholders about the company's ongoing efforts to advance cybersecurity maturity, protect against cyberattacks and empower customers with information about cyber risks and vulnerabilities.

Through the BD 2022 Cybersecurity Annual Report, the company is increasing awareness of health care cybersecurity challenges and the company's commitment to transparency and collaboration.

"In health care, cybersecurity is about protecting patient safety and privacy, while also securing systems and data," said Rob Suárez, chief information security officer of BD. "Patients receive medical care at some of the most critical and vulnerable moments in their lives. They trust the safeguards put in place to protect them. Upholding strong cybersecurity measures and continuing to advance cybersecurity is part of honoring that trust."

In the context of recent cybersecurity trends and developments, the report discusses:

*   **Transparency and communication** – BD strives to help customers manage risk properly through awareness and guidance. The BD 2022 Cybersecurity Annual Report outlines the company's mature coordinated vulnerability disclosure processes and how customers can access product security documentation, including certifications and attestations from Underwriters Laboratories Cybersecurity Assurance Program (UL CAP), System and Organization Controls (SOC2) and the International Standards Organization (ISO/IEC 27001:2022).
*   **Collaborative efforts to advance cybersecurity** – Strengthening cybersecurity across the health care industry requires collaboration. The report highlights the work of multiple cybersecurity working groups and outlines the company's contributions to advancing secure cybersecurity practices, including ethical hacking exercises, cybersecurity scenario trainings and preparing for greater software-bill-of-materials (SBOM) visibility.
*   **The state of health care cybersecurity** – Ransomware, phishing and software supply chain attacks reinforce the need for strong proactive and preventive measures. The report details how the company strives to protect its products, manufacturing operational technology and enterprise IT from emerging risks and threats.

For more information about the company's approach to cybersecurity, download the BD 2022 Cybersecurity Annual Report**.**

**About BD**BD is one of the largest global medical technology companies in the world and is advancing the world of health by improving medical discovery, diagnostics and the delivery of care. The company supports the heroes on the frontlines of health care by developing innovative technology, services and solutions that help advance both clinical therapy for patients and clinical process for health care providers. BD and its 77,000 employees have a passion and commitment to help enhance the safety and efficiency of clinicians' care delivery process, enable laboratory scientists to accurately detect disease and advance researchers' capabilities to develop the next generation of diagnostics and therapeutics. BD has a presence in virtually every country and partners with organizations around the world to address some of the most challenging global health issues. By working in close collaboration with customers, BD can help enhance outcomes, lower costs, increase efficiencies, improve safety and expand access to health care. For more information on BD, please visit bd.com or connect with us on LinkedIn at www.linkedin.com/company/bd1/ and Twitter @BDandCo.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

BD Publishes 2022 Cybersecurity Annual Report

Despite economic headwinds and layoffs in other areas, most retail and hospitality CISOs expect to add staff in 2023, according to a new report.

**VIENNA, Va.****,** **Jan. 25, 2023** **/PRNewswire/ --** Information security teams have always had to do more with less, but 2023 might be the year when they are able to do more with more. Riding a three-year trend, 70% of CISOs expect their budgets to increase again this year, while 60% also expect more FTEs, according to the CISO Benchmark Report released today from the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).

The annual report surveys cybersecurity leaders from consumer-facing industries to assess data about budgets, personnel, and organizational priorities.

The increase in budget and personnel reflects how cybersecurity has grown as a critical part of business operations in many organizations. This year, business disruption emerged as a top 10 (No. 7) risk that organizations currently face, up seven spots from No. 14 in 2021. Similarly, 50% of CISOs now have business continuity/disaster recovery as part of their core responsibilities, an increase of 11 percentage points since last year.

Surprisingly, although fraud in its many forms greatly impacts the bottom line, and continues to be a top risk for organizations, very few CISOs have fraud as part of their core responsibilities, according to the report.  

New this year is an additional benchmark report from RH-ISAC that survey cybersecurity practitioners to understand the challenges and priorities staff have in executing daily job functions.

Key insights from the Practitioner Benchmark Report include:

*   83% serve more than one job function, which means that employees have a valuable and diverse skill set across security operations (76%), threat intelligence (66%), and risk management (66%)
*   93% believe they have the necessary skill sets to perform their job effectively

"The retail and hospitality industries are constantly evolving, and so are the cybersecurity challenges they face," said Suzie Squier, president of RH-ISAC. "The RH-ISAC Benchmark Reports provide valuable insights and actionable information for CISOs and other information security professionals to stay informed about trends and resource allocation among infosec teams."

The companies represented in the surveys include retail, restaurants, hospitality, travel, and consumer packaged goods/manufacturing companies, and reflect more than 718,000 total locations, 3.4 million corporate employees, and $2.3 trillion in annual sales.

The full reports are available to RH-ISAC members, and summary versions of each report are available to download:  
CISO Benchmark Report   
Practitioner Benchmark Report 

**About the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC)**

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is the trusted community for sharing sector-specific cybersecurity information and intelligence. The RH-ISAC connects information security teams at the strategic, operational, and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for consumer-facing industries through collaboration. RH-ISAC serves businesses, including retailers, restaurants, hotels, gaming casinos, food retailers, consumer products, and other consumer-facing companies. For more information, visit www.rhisac.org.

SOURCE Retail and Hospitality ISAC

Cybersecurity Budgets Increase for Retail & Hospitality Industry

Report identifies 1.75m cyberattacks were stopped by BlackBerry in the last 90 days.

**WATERLOO, ON****,** **Jan. 25, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) today released its Global Threat Intelligence Report, highlighting the volume and model of threats across a range of organizations and regions, including industry-specific attacks targeting the automotive and manufacturing, healthcare and financial sectors. After the success and continued demand for its annual threat report, BlackBerry has switched to a quarterly cadence to match the speed adversaries evolve to provide a more holistic view of the threat landscape, helping businesses to prepare and protect themselves accordingly.

BlackBerry's Threat Research and Intelligence team identified that in the 90 days between September 1 and November 30, 2022 (Q4), BlackBerry's AI-driven prevention-first technology stopped 1,757,248 malware-based cyberattacks. This includes 62 unique samples per hour, or one sample each minute. The most common cyber-weapons used in  attacks include the resurgence of the Emotet botnet after a four-month dormancy period, the extensive presence of the Qakbot phishing threat, which hijacks existing email threads to convince victims of their legitimacy, and the increase in infostealer downloaders like GuLoader.

"Annual threat reports have been a fantastic way to provide insight into overall trends, but now more than ever, organizations need to make well-informed decisions and take prompt effective actions, using the latest actionable data," said Ismael Valenzuela, Vice President, Threat Research & Intelligence at BlackBerry. "Our public and private reports are written by our top threat researchers and intelligence analysts, world-class experts that not only understand the technical threats but also the global and local geopolitical situation, and how it affects organizational threat models in each region. This expertise allows us to provide actionable and contextualized threat intelligence to increase cyber resilience and to enable mission and business objectives."

Highlights from the report include:

*   **MacOS is not immune**. It is a common misconception that macOS is a "safe" platform due to it being used less among enterprise systems. However, this could be lulling IT managers into a false sense of security. BlackBerry explores the pernicious threats targeting macOS, including malicious codes that are sometimes even explicitly downloaded by users. In Q4, the most-seen malicious application on macOS was Dock2Master which collects users' data from its own surrepticious ads. BlackBerry researchers noted that 34 percent of client organizations using macOS had Dock2Master on their network.
*   **RedLine was the most active and widespread infostealer in this last quarter.** Post-pandemic work models have necessitated the need for businesses to support remote and hybrid employees, putting corporate credentials at greater risk of attack from malicious actors than ever before. RedLine is capable of stealing credentials from numerous targets including browsers, crypto wallets, and FTP and VPN software, among others, and selling them on the black market. Cybercriminals and nation state threat actors rely on initial access brokers trading stolen credentials. RedLine is one of them providing initial access to another threat actors.
*   **BlackBerry is uniquely positioned to uncover threats that affect industries that aren't often discussed in other threat reports**. With a strong presence in both the cyber and IoT markets, BlackBerry provides insights into the current threat landscape and trends for the future that affect the automotive and manufacturing industries, along with financial and healthcare. The report includes analysis of GuLoader and the BlackCat ransomware group that targets small-to-medium sized enterprises, largely in the manufacturing sector, and threatens victims to leak compromised data to further extort their ransom.

To learn more, download a copy of the Global Threat Intelligence Report: Delivering Actionable and Contextualized Intelligence to Increase Cyber Resilience now, and tune into BlackBerry's LinkedIn Live Session on January 26th to discover more.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 215M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

BlackBerry's Inaugural Quarterly Threat Intelligence Report Reveals Threat Actors Launch One Malicious Threat Every Minute

If you or your company can't find good infosec candidates, consider changing up the qualifications to find more nontraditional talent.

Cyber and information security job openings seem to have one of the higher barriers to entry compared with other services-focused roles, and this gatekeeping can be largely blamed for the shortage of available talent in the field. For some reason, other positions are very open to nontraditional backgrounds and limited experience provided the candidate isn't a complete novice and can demonstrate interest in pursuing the field (think: customer service/support, bookkeepers, or IT help-desk roles).

In a world where talent is desperately needed, it is incumbent on hiring managers to rely less on keywords in a resume to prescreen candidates for most roles and instead consider the candidate's transferable skills.

Take the list of requirements and preferences below, which was derived from a recent posting for an entry-level security role. Here are some ways to reframe the skills and qualifications that are likely to give employers most, if not all, of what they're seeking. I've also included suggestions for adjacent skills that may satisfy what the job poster is looking for.

****Requirement: Thorough Understanding of Cybersecurity Principles, Concepts, and Best Practices****

Let's change this to, "Demonstrated understanding of at least one cybersecurity domain." Why? Anyone who has been in this field for any length of time knows you can dedicate your entire career to mastering the concepts, principles, and best practices of just one domain, let alone all of cybersecurity. Instead, highlight those areas most important for this role. If the person _needs_ to understand the basics of identity access and management and the rest is beneficial, state as much. This way, if the person is truly new to the field, they can study up on exactly what you need and highlight their willingness to learn during the interview.

****Requirement: Excellent Critical Thinking and Problem-Solving Skills and Ability to Work Under Pressure****

Leave as is, but carefully consider where the applicant may have acquired these skills. As hiring managers, we always want to hear examples of dealing with this pressure during an outage or other event. Be open to hearing from a parent who had to juggle two sick kids while their spouse was traveling, or the department manager who severely underestimated the demand for toilet paper in 2020. None of these stories involve incident response (at least as we define it), but all will provide examples of being put in a difficult situation, navigating their way through it, and what they learned from it that can be applied to your role.

****Requirement: 1-2 Years Professional Experience with Firewalls, VPN, SIEM, and/or IDS and Network Management/Monitoring Tools, Azure or AWS, and IAM****

Change this to, "Demonstrable experience with common security tools, such as firewalls, cloud providers, SIEM tools, IDS/IPS, or identity providers." This requirement is nearly impossible to meet for someone brand new to the field, but if it is a requirement for the role, consider those with amateur experience with the same tools. Perhaps they built a virtual lab at home with freeware to understand the concepts, took a course on Wireshark and tapped their home Internet, or configured Pi-Hole to better secure their home network. Perhaps they have a free Amazon Web Services account and configured RBAC with test accounts or stood up a virtual syslog server.

This is arguably the most difficult requirement for new entrants and even some experienced ones because we all use different tools, so look for someone who has used _any_ relevant tools and ask them how they learned about it, what they did with it, and what they learned from the experience. A natural curiosity shows a propensity to spend the time learning any tool your company has now or will acquire later.

****Requirement: Industry Certifications****

Leave as is but consider it optional and not required. This is perhaps the easiest to meet as CompTIA, ISC2, and others offer entry-level certifications, but consider the candidate may not have the means to pursue these certifications independently due to the cost, time, or other factors. One of the greatest benefits we can offer candidates is the opportunity to learn more, so don't let this be a disqualifier.

****Requirement: 2- or 4-Year Degree in Computer Science or Related Field****

Try using, "A college degree or recently completed training in relevant technologies and concepts." I concede this one proves a base level of knowledge in a topic, but it ignores several important factors. Many candidates may not have pursued college for one reason or another; it may have been unaffordable, or they tried and weren't successful, or like many of us perhaps they simply didn't know what they wanted to do after high school. Regardless, otherwise qualified candidates should not be rejected because of a lack of a degree if they can prove relevant training and skills. 

There are plenty of other degrees and backgrounds that lend themselves to what we do. A candidate who spent four years in the military has the mindset to understand an adversary and execute on a plan as it's been prescribed, both of which are incredibly helpful in incident response. A middle school teacher can demonstrate juggling multiple priorities while maintaining incredible documentation and providing updates to stakeholders (parents). It's also exactly what you need from an internal compliance team. Similar examples are all around but require us to be flexible when deciding what we really need from entry-level hires.

Source

DARKReading