**DUBLIN****,** **Jan. 23, 2023** **/PRNewswire/ --** The "Supply Chain Security Market by Component (Hardware, Software, Services), Security Type (Data Locality & Protection, Data Visibility & Governance), Organization Size, Application (Healthcare & Pharmaceuticals, FMCG) and Region - Global Forecast to 2027" report has been added to  **ResearchAndMarkets.com's** offering.

The publisher forecasts that the global supply chain security market will grow from an estimated USD 2.0 billion in 2022 to USD 3.5 billion by 2027 at a compound annual growth rate (CAGR) of 11.0%. One of the factors driving the market growth is the increasing need for supply chain transparency.

**By components, services segment is to grow at the highest CAGR during the forecast period**

Supply chain security is an important supply chain management (SCM) segment. It primarily manages the risks of transportation, logistics, vendors, and suppliers. Professional security analysts ensure support with incident response and remote client assistance during suspicious activities. Professional services such as support and maintenance, training, and education are a part of this segment. With the increased adoption of supply chain security, there is an increased demand for these services, further boosting the market growth. The services segment includes numerous services required to deploy, execute, and maintain supply chain security solutions in organizations. This supply chain security market segment is classified into training and consultation, integration and deployment, and support and maintenance.

**By services, integration, and deployment services to grow at highest CAGR during forecast period**

Tailored supply chain security deployment and integration services are offered by integration and deployment service providers. These services are used by highly qualified industry experts, domain experts, and security professionals that assist organizations in formulating and implementing supply chain security strategies, preventing revenue losses, minimizing risks, understanding cybersecurity solutions, and enhancing security in the existing information system.

In system integration, the vendor's security services are integrated with the client's security system without hampering the existing client's system. Benefits, such as reduced risks and complexity, are offered by design and integration services. This enhances security and enables resiliency to cyberattacks by identifying vulnerable or potentially exploited components at all supply chain stages.

**Market Dynamics**

Drivers

*   Rising Incidences of Cyberattacks Across Supply Chains
*   Growing Need for Supply Chain Transparency
*   Increasing Demand for Enhanced Security of Supply Chain Transactions

Restraints

*   Budgetary Constraints Among Small and Emerging Startups in Developing Economies

Opportunities

*   Improving Risk Prediction and Management
*   Widespread Adoption of Automation Technology Across Value Chain
*   Increasing IoT Devices in Supply Chain

Challenges

*   Limited Awareness About Supply Chain Security Among Organizations

Key Topics Covered: 

1\. Introduction

2\. Research Methodology

3\. Executive Summary

4\. Premium Insights

5\. Market Overview and Industry Trends

6\. Supply Chain Security Market, by Component

7\. Market, by Security Type

8\. Market, by Organization Size

9\. Market, by Application

10\. Market, by Region

11\. Competitive Landscape

12\. Company Profiles

13\. Adjacent Markets

14\. Appendix

**Companies Mentioned**

*   Altana Ai
*   Berlinger & Co. Ag
*   C2A Security
*   Cold Chain Technologies
*   Controlant
*   Dickson
*   Elpro
*   Emerson
*   Fourkites
*   Hanwell Solutions
*   Ibm
*   Logtag Recorders
*   Monnit
*   Nxp Semiconductors
*   Omega Compliance
*   Oracle
*   Orbcomm
*   Roambee
*   Rotronic
*   Safetraces
*   Sensitech
*   Signatrol
*   Tagbox Solutions
*   Testo
*   Tive

For more information about this report visit https://www.researchandmarkets.com/r/cok35b

**About ResearchAndMarkets.com**

ResearchAndMarkets.com is the world's leading source for international market research reports and market data. We provide you with the latest data on international and regional markets, key industries, the top companies, new products and the latest trends.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Supply Chain Security Global Market Report 2022: Sector to Reach $3.5 Billion by 2027 at an 11% CAGR

This time around, weak API security allowed a threat actor to access account information, the mobile phone giant reported.

T-Mobile has disclosed a new, enormous breach that occurred in November, which was the result of the compromise of a single application programming interface (API). The result? The exposure of the personal data of more than 37 million prepaid and postpaid customer accounts.

For those keeping track, this latest disclosure marks the second sprawling T-Mobile data breach in two years and more than a half-dozen in the past five years.

And they've been expensive.

Last November, T-Mobile was fined $2.5 million for a 2015 data breach by the Massachusetts attorney general. Another 2021 data leak cost the carrier $500 million; $350 million in payouts to affected customers, and another $150 million pledged toward upgrading security through 2023.

Now the telecom giant is mired in yet another cybersecurity incident.

**T-Mobile's Cybersecurity Snafu**

The threat actor who claimed to be behind the 2021 breach of 54 million T-Mobile customers, past, present and prospective, John Binns, bragged in an interview with the Wall Street Journal that T-Mobile's "awful" security made his job easy.

But an infrastructure like T-Mobile's means it's tough to cover the entire attack surface, making their systems particularly complicated to shore up, Justin Fier, senior vice president for red-team operations with Darktrace, tells Dark Reading.

"Like most big brands, T-Mobile has a very complex and sprawling digital estate," Fier explains. "It is becoming harder by the day to gain visibility into every aspect of that estate and make sense of the data, which is why we’re increasingly seeing firms lean on technology to perform that role."

However, he adds that breaching a vulnerable API doesn't require much know-how on the part of an attacker.

Besides weak API security, Mike Hamilton CISO of Critical Insight, tells Dark Reading that this latest compromise also demonstrates a lack of network visibility and ability to detect abnormal behavior.

"Details are scant, and there has been no attribution of the 'bad actor,' who apparently had access to data for about 10 days before being stopped," Hamilton says.

**T-Mobile's Next Regulator Bout**

In the disclosure of the cybersecurity incident, T-Mobile downplayed the stolen account information, adding the data was "basic," and "widely available in marketing databases." While it might read like a glib dismissal of the impact on its customers, the distinction could protect the company from state regulators, Hamilton adds.

"The data may be monetized by selling in bulk, although it's of little actual value," Hamilton says. "Most of the data in the theft can be found in public sources and is unlikely to cause legal action from state privacy statutes like the CCPA (California Consumer Privacy Act)."

However, T-Mo might have more trouble in Europe with GDPR and Information Commissioner's Office (ICO) regulators in the UK, Tim Cope, CISO of NextDLP, explains to Dark Reading. Penalties like these ultimately will drive investment in the necessary cybersecurity protections, he adds.

"The regulatory oversight of the ICO and GDPR should hopefully bring a large series of fines along with these privacy breaches," Cope says, "which should in turn feed more investment into security teams to help build better controls to guard APIs against the current and future attacks."

T-Mobile Breached Again, This Time Exposing 37M Customers' Data

Two new reports show ransomware revenues for threat actors dropped sharply in 2022 as more victims ignored ransom demands.

In another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.

If the trend continues, analysts expect ransomware actors will start demanding bigger ransoms from larger victims to try and compensate for falling revenues, while also increasingly going after smaller targets that are more likely to pay (but which represent potentially smaller payoffs).

**A Combination of Security Factors**

"Our findings suggest that a combination of factors and best practices — such as security preparedness, sanctions, more stringent insurance policies, and the continued work of researchers — are effective in curbing payments," says Jackie Koven, head of cyber-threat intelligence at Chainanalysis.

Chainanalysis said its research showed ransomware attackers extorted some $456.8 million from victims in 2022, down nearly 40% from the $765.6 million they had extracted from victims the year before. The actual number is likely to be much higher considering factors like underreporting by victims and incomplete visibility over ransomware addresses, Chainanalysis conceded. Even so, there is little doubt that ransomware payments were down last year because of an increasing unwillingness by victims to pay their attackers, the company said.

"Enterprise organizations investing in cybersecurity defenses and ransomware preparedness are making a difference in the ransomware landscape," Koven says. "As more organizations are prepared, fewer need to pay ransoms, ultimately disincentivizing ransomware cybercriminals."

Other researchers agree. "The businesses that are most inclined not to pay are those that are well prepared for a ransomware attack," Scott Scher, senior cyber-intelligence analyst at Intel471, tells Dark Reading. "Organizations that tend to have better data backup and recovery capabilities are definitely better prepared when it comes to resiliency to a ransomware incident and this highly likely decreases their need to pay ransom."

Another factor, according to Chainanalysis, is that paying a ransom has become legally riskier for many organizations. In recent years, the US government has imposed sanctions on many ransomware entities operating out of other countries. 

In 2020, for instance, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) made it clear that organizations — or those working on their behalf — risk violating US rules if they make ransom payments to entities on the sanctions list. The outcome is that organizations have become increasingly leery of paying a ransom "if there’s even a hint of connection to a sanctioned entity," Chainanalysis said.

"Because of the challenges threat actors have had in extorting larger enterprises, it is possible that ransomware groups may look more toward smaller, easier targets lacking robust cybersecurity resources in exchange for lower ransom demands," Koven says.

**Declining Ransom Payments: A Continuing Trend**

Coveware also released a report this week that highlighted the same downward trend among those making ransom payments. The company said its data showed that just 41% of ransomware victims in 2022 paid a ransom, compared with 50% in 2021, 70% in 2020, and 76% in 2019. Like Chainanalysis, Coveware also attributed one reason for the decline to better preparedness among organizations to deal with ransomware attacks. Specifically, high-profile attacks like the one on Colonial Pipeline were very effective in catalyzing fresh enterprise investments in new security and business continuity capabilities.

Attacks becoming less lucrative is another factor in the mix, Coveware said. Law enforcement efforts continue to make ransomware attacks more costly to pull off. And with fewer victims paying, gangs are seeing less overall profit, so the average payoff per attack is lower. The end result is that a smaller number of cybercriminals are able to make a living off ransomware, Coverware said.

Bill Siegel, CEO and co-founder of Coveware, says that insurance companies have influenced proactive enterprise security and incident response preparedness in a positive manner in recent years. After cyber-insurance firms sustained substantial losses in 2019 and 2020, many have tightened their underwriting and renewal terms and now require insured entities to have minimum standards like MFA, backups, and incident response training. 

At the same time, he believes that insurance companies have had negligible influence in enterprise decisions on whether to pay or not. "It is unfortunate, but the common misconception is that somehow insurance companies make this decision. Impacted companies make the decision," and file a claim after the incident, he says.

**Saying "No" to Exorbitant Ransomware Demands**

Allan Liska, intelligence analyst at Recorded Future, points to exorbitant ransom demands over the past two years as driving the growing reticence among victims to pay up. For many organizations, a cost-benefit analysis often indicates that not paying is the better option, he says. 

"When ransom demands were \[in the\] five or low six figures, some organizations might have been more inclined to pay, even if they didn't like idea," he says. "But a seven or eight-figure ransom demand changes that analysis, and it is often cheaper to deal with recovery costs plus any lawsuits that may stem from the attack," he says.

The consequences for nonpayment can vary. Mostly, when threat actors don't receive payment, they tend to leak or sell any data they might have exfiltrated during the attack. Victim organizations also have to contend with potentially longer down times due to recovery efforts, potential expenses released to purchasing new systems, and other costs, Intel471's Scher says.

To organizations in the front lines of the ransomware scourge, news of the reported decline in ransom payments is likely to be of little consolation. Just this week, Yum Brands, the parent of Taco Bell, KFC, and Pizza Hut, had to close nearly 300 restaurants in the UK for a day following a ransomware attack. In another incident, a ransomware attack on Norwegian maritime fleet management software company DNV affected some 1,000 vessels belonging to around 70 operators.

**Declining Revenues Spur Gangs in New Directions**

Such attacks continued unabated through 2022 and most expect little respite from attack volumes in 2023 either. Chainanalysis' research, for instance, showed that despite falling ransomware revenues, the number of unique ransomware strains that threat operators deployed last year surged to over 10,000 just in the first half of 2022.

In many instances, individual groups deployed multiple strains at the same time to improve their chances of generating revenue from these attacks. Ransomware operators also kept cycling through different strains faster than ever before — the average new ransomware strain was active just for 70 days — likely in an effort to obfuscate their activity.

There are signs that falling ransomware revenues are putting pressure on ransomware operators.

Coveware, for instance, found that average ransom payments in the last quarter of 2022 surged 58% over the previous quarter to $408,644 while the median payment skyrocketed 342% to $185.972 over the same period. The company attributed the increase to attempts by cyberattackers to compensate for broader revenue declines through the year. 

"As the expected profitability of a given ransomware attack declines for cybercriminals, they have attempted to compensate by adjusting their own tactics," Coveware said. "Threat actors are moving slightly up the market to try and justify larger initial demands in the hopes that they result in large ransom payments, even as their own success rate declines."

Another sign is that many ransomware operators began re-extorting victims after extracting money from them the first time, Coveware said. Re-extortion has traditionally been a tactic reserved for small business victims. But in 2022, groups that have traditionally targeted mid- to large-size companies began employing the tactic as well, likely as a result of financial pressures, Coveware said.

Ransomware Profits Decline as Victims Dig In, Refuse to Pay

Zendesk has alerted customers to a successful SMS phishing campaign that has exposed "service data," but details remain scarce.

It has come to light that the Zendesk software-as-a-service (SaaS) company for customer relationship management (CRM) was compromised in October, exposing client account data to a threat actor, according to an email sent to affected accounts on Jan. 13, 2023.

The email from Zendesk with the details of the security incident was made public by Coinigy, which provides virtual wallet services and "felt the need to disclose it to our customers," Coinigy's post about the compromise explained.

Zendesk explained in the email to Coinigy that the breach was the result of an SMS phishing campaign targeting Zendesk employees.

"Zendesk determined that Service Data belonging to your coiningy.zendesk.com account may have been in the (exposed) unstructured logging platform data," the email from Zendesk explained. "There is no evidence suggesting the threat actor accessed the Zendesk instance of your coiningy.zendesk.com account at any time."

Besides applauding Coinigy's decision to publicly share the compromise details, security researcher Jake Williams was not as encouraged by Zendesk's response.

"The disclosure is vague and references 'unstructured data from a logging platform' which could be just about anything," Williams tells Dark Reading. "The disclosure simply doesn't give enough information for any organization to evaluate what (if anything) they need to do in response."

There's been no word yet as to whether other customers of Zendesk beyond Coinigy are affected.

Zendesk did not respond to Dark Reading's request for comment.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Compromised Zendesk Employee Credentials Lead to Breach

Orca Security is one of the companies integrating conversational AI technology into its products.

While there are some concerns about how generative AI chatbots such as ChatGPT can be used maliciously — to craft phishing campaigns or write malware — several companies are harnessing the power of conversational AI technology to enhance their product capabilities, including for security.

ChatGPT, a large language model (LLM) developed by OpenAI, uses GPT 3 LLM and relies on large test data sets culled from multiple sources. ChatGPT, which can understand human language, provides detailed answers to simple questions and can handle complex tasks such as creating documents and writing code in response to user queries. It's an example of how conversational AI can be used to organize large volumes of information and enhance user experience and communications.

For instance, a conversational AI tool — whether that's ChatGPT or something else — could serve as the back end of an information concierge that automates the use of threat intelligence in enterprise support, according to IT research and advisory firm Into-Tech Research.

That's the approach Orca Security appears to be taking with Orca Security Platform. The company incorporated OpenAI's GPT3 API, specifically the "Da-Vinci-03" series, to enhance the platform's ability to generate contextual and accurate remediation plans for security alerts, Lior Drihem, Orca's director of innovation, and Itamar Golan, head of data science, wrote in the announcement. 

The new pipeline takes a security alert and preprocesses the data, such as basic information about the risk and its contextual environment — such as affected assets, attack vectors, and potential impact — before feeding the pieces as input to GPT3. The AI then generates a detailed explanation of the best and most practical ways to remediate the issue, Golan and Drihem wrote. These remediation steps can also be embedded in tickets, such as Jira tickets, for teams to reference and implement.

While the AI model can provide inaccurate information (or vague results), "the benefits of utilizing GPT3's natural language generation capabilities outweigh any potential risks, and have seen significant improvements in the efficiency and effectiveness of our remediation efforts," according to Drihem and Golan.

This isn't the first time Orca Security has been working with language models. The company recently integrated GPT3 into its cloud security platform to enhance the remediation information customers receive regarding infosec risks. 

"By fine-tuning these powerful language models with our own security data sets, we have been able to improve the detail and accuracy of our remediation steps — giving you a much better remediation plan and assisting you to optimally solve the issue as fast as possible," Golan and Drihem wrote.

**Harnessing AI & LLM for Applications**

Orca Security joins other companies incorporating language models into its product portfolio. Earlier this week, Gupshup launched Auto Bot Builder, which harnesses GPT-3 to help enterprises build their own advanced conversational chatbots. Auto Bot Builder builds chatbots tailed to the enterprise's specific requirements by using content from the enterprise website, documents, message logs, product catalogs, databases, and other corporate systems, processing the information using GPT-3 LLM (Large Language Model), and fine-tuning it with proprietary industry-specific models. Enterprises can use Auto Bot Builder to build chatbots for marketing lead generation activities, product discovery, product recommendations, shopping advice, troubleshooting, and customer support.

These chatbots differ from ChatGPT, a general-purpose chatbot, but like ChatGPT, they have an "exceptionally high degree of language capability" to engage with end users, according to Gupshup.

The cryptocurrency community is also using ChatGPT to create applications such as trading bots and crypto blogs, Jerrod Piker, a competitive intelligence analyst at Deep Instinct, wrote in an email. Examples include using ChatGPT to write a sample smart contract, and a trading bot that identifies entry and exit points to help automate the process of buying and selling cryptocurrencies.

A generative AI chatbot that can answer questions is not a new concept, but ChatGPT stands out from the others because of the breadth of topics it can handle and its ease of use, says Casey Ellis, founder and CTO of Bugcrowd.

GPT Emerges as Key AI Tech for Security Vendors

Serious security flaws go unpatched, and ransomware attacks increase against manufacturers.

More than three-quarters of manufacturing organizations harbor unpatched high-severity vulnerabilities in their systems, a study of the sector found.

New telemetry from SecurityScorecard shows a year-over-year increase in high-severity vulns in those organizations.

In 2022, some "76% of manufacturing organizations, SecurityScorecard observed unpatched CVEs on IP addresses our platform attributes to those organizations," says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard.

Nearly 40% of these organizations — which include metals, machinery, appliance, electrical equipment, and transportation manufacturing — suffered malware infections in 2022.

Almost half (48%) of critical manufacturing organizations received a ranking between "C" and "F" on SecurityScorecard's security ratings platform.

The platform includes ten groups of risk factors, including DNS health, IP reputation, Web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence.

The severity of cyberattacks against manufacturers is noteworthy, Yampolskiy says.

"Many of these incidents have involved ransomware where the threat actor, usually in the form of a criminal group, sets out to make money through extortion," he says. "While the ransomware problem is global, we’ve seen a rising number of attacks on critical infrastructure come from nation-state actors in pursuit of various geopolitical objectives."

Meanwhile, incident response investigations by teams at Dragos and IBM X-Force overwhelmingly showed that the hottest operations technology (OT) target is the manufacturing sector, and the main weapon attacking these organizations is now ransomware.

**"Democratized" Cybersecurity**

Sophisticated state-sponsored actors such as Russia target several different critical infrastructure organizations across the US, from healthcare to energy to telecommunications, Yampolskiy says.

The good news? "Globally, governments are already taking steps to strengthen cybersecurity," he notes.

Take the US Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring critical infrastructure to report certain cyber incidents to DHS's Cybersecurity and Infrastructure Security Agency (CISA).

Other agencies, such as the Federal Energy Regulatory Commission, the Securities and Exchange Commission, and the Treasury Department, are also in various stages of rulemaking for entities under their regulatory jurisdiction.

Yampolskiy says policymakers should continue working with industry to have a greater and continuous understanding of the security postures of the organizations and industries that directly impact essential services for citizens, or the US economy in general.

"A more democratized, integrated, and collaborative approach to cybersecurity resilience that provides continuous visibility of the global threat landscape and convenes public and private sectors is essential to protect the world's critical infrastructure" he says, further noting that better information-sharing between government and industry is key.

Critical Manufacturing Sector in the Bull's-eye

Head off account takeover attacks by being proactive about IoT security. Start with designing and building better security protocols into IoT devices, always change weak default configurations, and regularly apply patches to ensure that IoT devices are secure.

Account takeover attacks are like the widely told campfire story about a babysitter that receives a series of threatening phone calls that are traced from "inside the house."

Fear of the unknown hits too close to home. Initial access brokers are closely related to account takeover attacks, and both are linked to ransomware. Now, it seems likely that initial access brokers (IABs) and account takeover attacks will set their sights on Internet of Things-enabled devices. Instead of the call coming from inside the house, the attack is coming from inside the phone (VoIP-enabled, of course).

**The Role of Initial Access Brokers in Ransomware Attacks**

The rise of remote work has contributed to the increase in ransomware attacks in recent years. With more employees working from home, organizations have had to rely on remote access technologies, such as remote desktop protocol (RDP) and virtual private networks (VPNs), which provide attackers with an easy way to gain initial access to a network.

Account takeover attacks are often used as a means of gaining initial access to a network to carry out a ransomware attack. In an account takeover attack, the attacker typically uses stolen or purchased login credentials to gain unauthorized access to a victim's online accounts.

IABs, also known as breach brokers, provide access to hacked or compromised computer systems to other individuals or organizations. The use of IABs has become increasingly common in recent years, as this allows cybercriminals to easily and quickly gain access to a range of targets without having to spend time and resources on hacking them themselves.

However, as organizations better secure RDP, VPN, and other IT credentials, attackers will have to turn their attention to new targets. IoT devices are a logical choice because of their widespread deployment — more than a quarter of devices in every organization are IoT devices, regardless of industry, and that number is expected to continue to increase. Unfortunately, many of these devices are vulnerable to attack, making them an attractive target.

**Three Reasons IoT Devices Are Vulnerable to Attack**

Although there are many reasons that IoT devices are vulnerable to attack, three main reasons are that they are often used with default configurations, patch management is difficult, and they were not designed with security in mind.

Default credentials are easy targets — Access:7 research identified entire product lines of IoT devices that shared hardcoded credentials for remote access.

Specialized IoT firmware may remain unpatched — Project Memoria identified more than 100 vulnerabilities in TCP/IP stacks that affected several devices, but many were not patched by the manufacturers.

Many IoT devices lack authentication and encryption — OT:ICEFALL research has demonstrated how insecure protocols in operational technology are easily exploited by attackers.

Of course, vulnerabilities tell only half of the story. For organizations to understand the nature of the threat, they also need to understand how IoT devices are currently under attack.

**IABs for IoT**

There are many examples of advanced persistent threats (APTs) that have used corporate IoT for initial access into organizations. For instance, the Russian state-sponsored actor Strontium has leveraged VoIP phones, office printers, and video decoders, while Chinese state-sponsored actors have exploited vulnerabilities on IP cameras to infiltrate US organizations.

Attack techniques tend to trickle down from APTs to less-sophisticated actors, and there are already cybercriminal gangs, such as the Conti, Deadbolt, and Lorenz ransomware groups, which have targeted IP cameras, NAS devices, and VoIP for initial access. In addition, there are groups that trade IoT exploits on Dark Web markets — the logical next step is an IAB market for IoT.

An IAB for IoT would likely act in a similar way to hacktivists that have been targeting IoT/OT. They would scan target organizations using tools such as Shodan and Kamerka, enumerate vulnerabilities or discover credentials, and use those for initial access.

One of the main differences between IABs that focus on RDP/VPN and those that target IoT devices is that the latter could also leverage vulnerabilities in IoT devices, which tend to remain unpatched for much longer. This means that they would be able to gain access to organizations in a more stealthy and persistent way, making them a more attractive target for cybercriminals.

**Mitigating the Risk of IABs for IoT**

Although IABs for IoT are different from those targeting RDP/VPN credentials, the good news is that organizations can still take a similar approach to cybersecurity. The discovery of new devices on the network, the continuous monitoring of network traffic, and the use of appropriate network segmentation are all best practices to mitigate the risk of an attack — regardless of if it leverages an IT or an IoT device.

To address the issues unique to IoT devices, manufacturers and organizations need to take a proactive approach to IoT security. This means changing default weak configurations and regularly applying patches to ensure that devices are secure. In addition, protocols used in specialized IoT devices should be designed with security in mind, including basic security controls such as authentication and encryption. By taking these steps, we can improve the security of IoT devices and reduce the risk of attacks.

The Evolution of Account Takeover Attacks: Initial Access Brokers for IoT

The credential-stuffing attack, likely fueled by password reuse, yielded personal identifiable information that can be used to verify the authenticity of previously stolen data.

Nearly 35,000 PayPal user accounts fell victim to a recent credential-stuffing attack that exposed personal data likely to be used to fuel additional, follow-on attacks.

PayPal submitted a breach disclosure that revealed that the attack began on Dec. 6, 2022 and continued until it was discovered on Dec. 20, 2002. As a result, the names, addresses, Social Security numbers, tax identification numbers, and/or dates of birth for 34,942 users were exposed.

"We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account," PayPal explained in a letter sent to affected users. "There is also no evidence that your login credentials were obtained from any PayPal systems."

PayPal added that once the attack was discovered, account passwords were reset, and additional security controls were put in place. The payment platform is offering Equifax identity theft monitoring for victims.

**Stolen Credential Ecosystem**

The credential-stuffing attack on PayPal was likely a way for threat actors to validate username and passwords they had already obtained; now that they've been checked against breached PayPal accounts, those verified credentials will be sold to another threat actor, according to Jason Kent, hacker in residence with Cequence Security.

"The value in the list is that it is verified," Kent said in a statement provided to Dark Reading. "My guess is the usernames and passwords were sourced by some other breach that pointed to the possibility of the accounts having PayPal access."

**Password Reuse the True Culprit**

Even the strongest, most complex passwords can't keep data secure if they're reused across accounts. The PayPal accounts might have been protected in this case if they'd had unique passwords, noted Erich Kron, security awareness advocate at KnowBe4.

"This is what allows credential-stuffing attacks to be so successful," Kron said in a statement about the incident. "Bad actors will take credentials scavenged from other data breaches and attempt to use them on other likely services such as banks, online shopping sites, social media, and in this case, online payment sites."

While a password manager isn't a "silver bullet," Kron added, it's an important added layer of protection against credential-stuffing attacks like that on PayPal.

"Remembering all of these passwords can be nearly impossible; however, through the use of password managers which can generate and store completely unique passwords, this can be achieved without a significant amount of effort," Kron said. "In addition, the application of multi-factor authentication can be very helpful in these cases of account takeovers."

PayPal Breach Exposed PII of Nearly 35K Accounts

Multiple misconfigurations in a service that underpins many Azure features could have allowed an attacker to remotely compromise a cloud user's system.

An attack chain exploiting misconfigurations and weak security controls in a common Azure service is highlighting how lack of visibility impacts the security of cloud platforms.

The "EmojiDeploy" attack chain could allow a threat actor to run arbitrary code with the permission of the Web server, steal or delete sensitive data, and compromise a targeted application, Ermetic stated in its Jan. 19 advisory. An attacker could use a trio of security issues affecting the common Source Code Management (SCM) service — a cloud service used by many Azure applications without an explicit indication to the user, according to Ermetic.

The issues demonstrate that the security of cloud platforms are undermined by the lack of visibility into what those platforms do under the hood, says Igal Gofman, head of research for Ermetic.

"Azure and cloud service consumers — enterprises — must be familiar with each service and its internals, and not trust \[that the\] default settings provided by cloud providers are always secure," he says. "Even though cloud providers spend millions of dollars on securing their cloud infrastructure, misconfigurations and security bugs will happen."

The EmojiDeploy research joins other attack chains recently discovered by security researchers that could have resulted in data breaches on cloud platforms or otherwise compromised cloud services. In October 2022, for example, researchers found two vulnerabilities in Atlassian's Jira Align, an agile project management application, that could have allowed threat groups to attack the Atlassian service. In January 2022, Amazon fixed two security issues in its Amazon Web Services (AWS) platform that could have allowed a user to take control of another customer's cloud infrastructure.

An attacker only needs to take an average of three steps — often starting, in 78% of cases, with a vulnerability — to compromise sensitive data on cloud services, one analysis found.

"Cloud systems are highly complex," Ermetic stated. "Understanding the complexity of the system and environment you are working in is crucial to defending it."

**Source Code Manager Exploit**

The attack found by Ermetic made use of the insecurity of a specific cookie configuration for the Source Code Manager (SCM). The Azure service set two controls — cross-site scripting (XSS) prevention and cross-site request forgery (XSRF) prevention — to a default of "Lax," according to Ermetic's advisory.

After further investigating the implications of those settings, Ermetic researchers found that those who use any of three common Azure services — Azure App Service, Azure Functions, and Azure Logic Apps — could be attacked through the vulnerability. The attack was made possible because these three major services all use the Source Code Management (SCM) panel to allow development and Web teams to manage their Azure application. Because SCM relies on the open source Kudu repository management project, which is a .NET framework similar to Git, a cross-site scripting vulnerability in the open source project also affects Azure SCM.

Unfortunately, the security setting is not obvious, Ermetic stated, adding that many Azure Web Services customers would not even know of the existence of the SCM panel.

A single vulnerability is not enough, however. The researchers paired the lax cookie security with a specially crafted URL that bypasses the cloud service's check that every component of the website came from the same origin. Combining the two components allows a full cross-origin attack, Ermetic stated in its advisory. A third weakness allowed specific actions or payloads to be incorporated into the attack as well.

**Shared Responsibility Means Configuration Transparency**

The attack chain underscores that cloud providers need to make their security controls more transparent and default to more secure configurations, says Ermetic's Gofman. While shared responsibility has long been the mantra of cloud security, cloud infrastructure services have not always offered easy access or integration to security controls.

"Awareness of default service settings and configurations is important since the cloud uses a shared responsibility model for security between the provider and the customer," he says. "Applying the principle of least privilege and being aware of the shared responsibility model is very important."

Emetic notified Microsoft of the attack chain in October, and the vendor issued a global fix for Azure by early December, according to the advisory.

"The impact of the vulnerability on the organization as a whole depends on the permissions of the applications managed identity," Ermetic stated in its advisory. "Effectively applying the principle of least privilege can significantly limit the blast radius."

EmojiDeploy Attack Chain Targets Misconfigured Azure Service

Mainly Apple iOS in-app ads were targeted, injecting malicious JavaScript code to rack up phony views.

A sprawling new adware campaign that abused the Vast video ad server template to rack up fraudulent digital advertising views on an enormous scale has been shut down.

At its peak, the adware effort hit more than 12 billion requests per day.

Human Security's Satori threat intelligence team uncovered the adware campaign, touting it as the largest find in the cybersecurity research group's history. Following the discovery, Satori said it led a takedown of the ad fraud operation, which they dubbed as Vastflux.

The team added in its report that, in all, Vastflux spoofed more than 1,700 apps, targeted 1,200 publishers, and displayed ads on applications running on about 11 million devices.

"What was technically impressive and incredibly concerning about Vastflux \[were\] the fraudsters hijacked impressions on legitimate apps, which makes it nearly impossible for users to tell if they are impacted," Gavin Reid, Human's CISO, said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading