Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.

FIN7, a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, one of this year's most prolific ransomware families.

That's the conclusion of researchers at SentinelOne based on what they say are various similarities in the tactics, techniques, and procedures between the Black Basta campaign and previous FIN7 campaigns. Among them are similarities in a tool for evading endpoint detection and response (EDR) products; similarities in packers for packing Cobalt Strike beacon and a backdoor called Birddog; source code overlaps; and overlapping IP addresses and hosting infrastructure.

**A Collection of Custom Tools**

SentinelOne's investigation into Black Basta's activities also unearthed new information about the threat actor's attack methods and tools. For example, the researchers found that in many Black Basta attacks, the threat actors use a uniquely obfuscated version of the free command-line tool ADFind for gathering information about a victim's Active Directory environment.

They found Black Basta operators are exploiting last year's PrintNightmare vulnerability in Windows Print Spooler service (CVE-2021-34527) and the ZeroLogon flaw from 2020 in Windows Netlogon Remote Protocol (CVE-2020-1472) in many campaigns. Both vulnerabilities give attackers a way to gain administrative access on domain controllers. SentinelOne said it also observed Black Basta attacks leveraging "NoPac," an exploit that combines two critical Active Directory design flaws from last year (CVE-2021-42278 and CVE-2021-42287). Attackers can use the exploit to escalate privileges from that of a regular domain user all the way to domain administrator.

SentinelOne, which began tracking Black Basta in June, observed the infection chain beginning with the Qakbot Trojan-turned-malware dropper. Researchers found the threat actor using the backdoor to conduct reconnaissance on the victim network using a variety of tools including AdFind, two custom .Net assemblies, SoftPerfect's network scanner, and WMI. It's after that stage that the threat actor attempts to exploit the various Windows vulnerabilities to move laterally, escalate privileges, and eventually drop the ransomware. Trend Micro earlier this year identified the Qakbot group as selling access to compromised networks to Black Basta and other ransomware operators. 

"We assess it is highly likely the Black Basta ransomware operation has ties with FIN7," SentinelOne's SentinelLabs said in a blog post on Nov. 3. "Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7."

**Sophisticated Ransomware Threat**

The Black Basta ransomware operation surfaced in April 2022 and has claimed at least 90 victims through the end of September. Trend Micro has described the ransomware as having a sophisticated encryption routine that likely uses unique binaries for each of its victims. Many of its attacks have involved a double-extortion technique where the threat actors first exfiltrate sensitive data from a victim environment before encrypting it. 

In the third quarter of 2022, Black Basta ransomware infections accounted for 9% of all ransomware victims, putting it in second place behind LockBit, which continued by far to be the most prevalent ransomware threat — with a 35% share of all victims, according to data from Digital Shadows.

"Digital Shadows has observed the Black Basta ransomware operation targeting the industrial goods and services industry, including manufacturing, more than any other sector," says Nicole Hoffman, senior cyber-threat intelligence analyst, at Digital Shadows, a ReliaQuest company. "The construction and materials sector follows close behind as the second most targeted industry to date by the ransomware operation."

FIN7 has been a thorn in the side of the security industry for a decade. The group's initial attacks focused on credit and debit card data theft. But over the years, FIN7, which has also been tracked as the Carbanak Group and Cobalt Group, has diversified into other cybercrime operations as well, including most recently into the ransomware realm. Several vendors — including Digital Shadows — have suspected FIN7 of having links to multiple ransomware groups, including REvil, Ryuk, DarkSide, BlackMatter, and ALPHV. 

"So, it would not be surprising to see yet another potential association," this time with FIN7, Hoffman says. "However, it is important to note that linking two threat groups together does not always mean that one group is running the show. It is realistically possible the groups are working together."

According to SentinelLabs, some of the tools that the Black Basta operation uses in its attacks suggest that FIN7 is attempting to disassociate its new ransomware activity from the old. One such tool is a custom defense-evasion and impairment tool that appears to have been written by a FIN7 developer and has not been observed in any other ransomware operation, SentinelOne said.

FIN7 Cybercrime Group Likely Behind Black Basta Ransomware Campaign

Manufacturing relies on complex interconnected networks and technologies, but with more vendors comes risk that needs to be secured.

The Fourth Industrial Revolution created a new digital world for manufacturers — one requiring greater connectivity, agility, and efficiency than ever before. To keep up with global demands, manufacturers transformed into smart factories. Now, critical operations no longer rely on just legacy applications and perimeter-based security but, instead, complex networks of software, workstations, and devices, in several different locations, accessed by hundreds of people.

But with modernization came unforeseen risks. As organizations work with more third parties to improve collaboration across businesses, they introduce uncertainty to their environment. And if third-party access is not properly secured or managed, uncertainty can turn into vulnerability.

**Struggling With Third-Party Security**

With multiple vendors connected to a network, it's impossible to know exactly who is accessing what information without a proper solution. And unfortunately, many manufacturers, especially small to midsize ones, are still managing vendor access the old-fashioned way: manually. But it’s not necessarily working. In fact, according to a recent Ponemon report, 70% of organizations stated they experienced a third-party breach that came from granting too much access.

This isn’t lost on hackers who view critical infrastructure as a major target. Manufacturers that produce fuel, food, or machinery are more likely to pay large ransoms to quickly get operations back up and running.

Because many manufacturers still have complex environments composed of legacy applications and operational technology (OT), it can be a challenge to ensure and verify all access into these systems. Without a solution that provides seamless management and visibility into access of all necessary technology, the risks of connectivity could outweigh the benefits.

**Risks of Poor Vendor Management**

Consider this: You give the key to your safe to a trusted friend to put something in it. When they put that object in the safe, they also steal the money you had inside. Or they lose the keys to your safe and someone else steals from it.

This is the risk that comes with poor third-party management — and the repercussions can be devastating. The infamous SolarWinds attack that caused thousands of customers to download corrupted software showed us how pervasive third-party connections can be and how long they can go on without proper management. Not to mention the reputational damage caused to the brand after the incident. There can also be financial consequences, if hackers had deployed ransomware through the agent, it could have led to a hefty payout.

There’s also the operational risk of a third-party breach. We saw Toyota halt operations earlier this year after one of its contracted manufacturers experienced a breach. On top of that, there are legal and regulatory implications too. If an organization does not take steps to vet its third parties appropriately, they could expose themselves to compliance risks and security concerns.

A recent Ponemon report found that organizations are now relying more on third parties to do business, compared with previous years. But attacks are on the rise, with 54% of organizations surveyed reporting a third-party cyberattack in the last 12 months. These threats are not going away. As manufacturing embraces more third parties, they need to consider vendor privileged access management.

**Securing Third Parties With Privileged Access Management**

While these threats are pervasive, they are not impossible to prevent. The most effective way to do so is with an automated solution like vendor privileged access management. More reliance on vendors and more third-party attacks calls for implementing the following best security practices:

*   **Inventory all vendors and third parties:** Before organizations can implement a privileged access management solution, they need to do a thorough audit over who is accessing what information, applications, and data in their systems. While you may have given one login to a vendor, it could be used by hundreds of reps. Ensure you regularly update vendor inventory to have a clearer view into access.
*   **Minimize movement with access controls:** With a wide attack surface, privileged access management is necessary for vendors to prevent an unauthorized user from laterally moving across the network. It provides credential access through a vault, so that a user only has permission to access the resources necessary for their specific task when they need it.
*   **Monitor and review all privileged session access:** Use an automated solution that enables monitoring and session recording of all privileged access. Technology that keeps keystroke logs and indicates any anomalies or suspicious behavior is helpful, but only if they are reviewed regularly.

Alone, a vendor privileged access management solution won’t be enough to protect your entire environment. But alongside other strong principles, like zero trust, it can make a tremendous difference in reducing the third-party risks manufacturing faces.

**About the Author**

    

Wes Wright is the chief technology officer at Imprivata. Wes brings more than 20 years of experience with healthcare providers, IT leadership, and security.

Prior to joining Imprivata, Wes was the CTO at Sutter Health, where he was responsible for technical services strategies and operational activities for the 26-hospital system. Wes has been the senior vice president/CIO at Seattle Children’s Hospital and has served as the chief of staff for a three-star general in the US Air Force.

Wes holds a B.S. in business and management from the University of Maryland and received his MBA from the University of New Mexico. Wes is a member of the CHIME & AEHIT Virtual Health Policy Workgroup.

Why Third-Party Risk Should Be Manufacturing's Top Priority

An official just revealed the US Department of Treasury was able to fend off a Killnet DDoS attack last month.

US Treasury Department officials revealed for the first time on Tuesday that the agency was able to disrupt a distributed denial of service attack from Russian-sponsored cyberattack group Killnet last month.

At a financial services cybersecurity conference, Todd Conklin, cybersecurity counselor to Deputy Secretary Wally Adeyemo, described the attack as "pretty low-level DDoS activity targeting Treasury's critical infrastructure nodes," Reuters reported.

The newly confirmed cyberattack on Treasury adds to the list of reported Killnet breaches during October including JPMorgan Chase, US state government systems, and several airports.

Conklin attributed the department's success to the effectiveness of its new focus on cybersecurity.

"It confirmed that we're on the right track with how we're trying to actually share tactical information with the sector in real time, with the mind that we are interconnected and face the same threat actors," Conklin added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DDoS Cyberscore: US Treasury: 1, Killnet: 0

Senhasegura first to offer password manager and privileged access management (PAM) in a single platform.

**SÃO PAULO & SAN FRANCISCO -- (BUSINESS WIRE) —** senhasegura, a leading provider of privileged access management (PAM) solutions, today introduced MySafe, an advanced password manager that works with senhasegura’s PAM solution to enhance IT security in the personal sphere. With the goal to assist “normal” users with regular permissions, such as administration, salespeople or engineers that make up the majority of a company’s employees, senhasegura is the first to help security teams tackle user passwords, one of an organization’s biggest security risks, and privileged users, one of an attacker’s most lucrative targets, all from a single platform.

Securing employees' personal passwords should be an essential part of overall information security. Yet users still use the same password for multiple applications and online services, including easy-to-guess passwords such as birth dates, personal names, and 123456. According to the 2022 Verizon Data Breach Investigations Report, compromised passwords were responsible for 82% of reported cyberattacks in the last year alone.

Working in conjunction with senhasegura’s PAM solution, MySafe helps employees easily manage their passwords with just a few clicks, reducing the risk of stolen credentials. By randomly generating passwords, senhasegura’s MySafe makes it more difficult for cybercriminals to guess an employee's personal password and gain access to corporate systems. Through encryption, MySafe enables secure password sharing via the internet or mobile devices.

Key benefits of senhasegura MySafe include:

*   Encryption – All managed passwords are stored encrypted, ensuring they are only accessed through senhasegura MySafe.
*   Password Sharing – Enables password sharing between users via web or smartphone, meeting the needs of employees who share access to common services.
*   Automatic Password Injection – Passwords can be automatically injected on websites or just checked out on demand.
*   Traceability – Verify which passwords people had access to, letting administrators know what passwords they need to change after someone leaves the company
*   Maximum Security – senhasegura MySafe is secured by strong encryption methods and several methods of multi-factor authentication.

According to Marcus Scharra, CEO of senhasegura, “Passwords are still the most popular method for authenticating users, yet they create a huge security risk when employees reuse or share them with others. MySafe addresses the needs of employees with regular account privileges through an easy and secure way to store, manage and share their passwords. By using the same platform and user interface as our PAM solution, senhasegura uniquely offers security teams a simple yet powerful solution that addresses the authentication needs of all of a company’s employees, all in one place.”

Detailed product information can be found at MySafe.

**About senhasegura**

senhasegura is committed to helping companies create secure, resilient organizations by stopping privilege abuse from inside and out of the organization. senhasegura’s award- winning, Privileged Access Management (PAM) solution addresses the entire privilege access management lifecycle, including before access, during and afterward, and plays a critical role in implementing a company’s zero trust architecture. Established in São Paulo, New York and San Francisco, senhasegura is a global leader with customers in over 45 countries throughout Latin America, North America, Asia-Pacific, and Europe, Middle East and Africa. The Company’s PAM solution is distributed through an international network of more than 150 value added, trusted channel partners.

For more information, go to https://senhasegura.com/ or follow us on LinkedIn https://www.linkedin.com/company/senhasegura and Twitter @senha\_segura.

Senhasegura Introduces MySafe for Managing Personal Passwords

**TEL AVIV, LONDON and NEW YORK – November 3, 2022 –** Apiiro, the leader in Cloud-Native Application Security, today announced a significant Series B round of $100M led by General Catalyst with participation by Greylock and Kleiner Perkins. The new funding will be used to accelerate the business and advance the company’s mission to empower developers and application security engineers to proactively fix risks before releasing to the cloud with all the context they need in a single solution.

With more companies shifting to agile development and adopting CI/CD practices to release code to the cloud on a daily basis, there is an exponential increase in the number of changes. This creates a massive market opportunity to help CISOs and CIOs effectively and contextually identify, prioritize and eliminate risks in their code and development environments to prevent application and software supply chain threats using one solution.

“In this economy, it’s important to invest in technology that helps companies drive business growth,” said Quentin Clark, Managing Director at General Catalyst. “Idan, Yonatan and the Apiiro team are giving customers a solution to a whole problem – not just a piece of it. They are going beyond providing tools for developers to address potential security issues in the code base and actually delivering an operational platform that workflows those fixes in context of how a company is configuring and deploying software. This approach has driven phenomenal growth to date, which comes from strong execution with the right team at the right time.”

Apiiro has introduced a completely new approach to application security in the cloud by providing complete visibility into code bases, assessing risks from design to code to cloud and proactively fixing actual risks that attackers can exploit before releasing to the cloud. This enables Fortune 500 companies to reduce operational costs and risks at scale with seamless deployment by connecting to their source control managers via API.

There are several isolated and unrelated findings hiding across code, configurations, open source packages and cloud infrastructure that when pulled together with relevant context, creates a “risk story” that is exploitable by attackers. Apiiro’s Risk Graph technology connects these infinite factors with actionable context to offer a completely new way for developers and security teams to fix risks.

_“_The unrelenting demand for next generation application security solutions has allowed us to deploy our product at-scale with leading Fortune 500 customers,” said Idan Plotnik, co-founder and CEO of Apiiro. “Early innovation enabled us to grow faster and more efficiently than the competition, and we are building the company for hyper growth. The combination of our team, business momentum, and support from top-tier investors positions Apiiro to continue to lead a growing industry.”

**Supporting Resources**

*   Apiiro blog
*   Apiiro on LinkedIn
*   Apiiro on Twitter

**About Apiiro**

Apiiro helps security and development teams proactively fix risks before releasing to the cloud. The company is backed by General Catalyst, Greylock, and Kleiner Perkins. apiiro.com.

Apiiro Raises $100M Series B Funding Round to Solidify Position as the Cloud-Native Application Security Leader

Banco de Crédito Cooperativo (BCC) wins the first hyper-realistic cybersecurity competition for the financial industry.

**RESTON, Va. and BOSTON, Nov. 3, 2022 /PRNewswire/ —** FS-ISAC, the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, and Cyberbit, provider of the world's leading cybersecurity skill development and readiness platform, announced today that team "IsNotTheEDR" from Banco de Crédito Cooperativo (BCC) is the winner of the first International Cyber League (ICL) Financial Cup, 2022 – the first hyper-realistic cybersecurity tournament for the financial industry. The first runner-up is team "Suboptimal" from a leading Fortune 500 financial institution, the second runner-up is Team "AskITTeam" from BCC and the third runner up is team "TIAA" from TIAA.

The tournament ran from 6-26 October 2022 and challenged cybersecurity teams from the financial sector to respond to live-fire cyberattack simulations replicating attacks they may encounter in real life. Teams were scored based on typical incident response KPIs including investigation, eradication, and remediation goals, as well as their response times. The BCC team outperformed 55 cyber defense teams from leading financial organizations around the world and scored a perfect 100 in the live-fire challenge. The Cyberbit platform, normally used by enterprises to train and upskill information security teams, as well as for FS-ISAC's monthly cyber range workshops, was repurposed to power the ICL competition. The platform provided a virtual arena that emulated an organizational network and a virtual security operations center (SOC) that simulated the live attacks and automatically scored the teams based on their achievements.

The ICL reinvents cybersecurity competition formats by assessing cyber defense skills in real-world scenarios, allowing teams to predict their performance during an attack. Traditional Capture-the-Flag (CTF) events test offensive skills, but these do not reflect the capabilities that cyber defenders will be required to demonstrate during an attack. The ICL leverages cyber range live-fire scenarios to simulate real threat vectors and malware that assess essential "blue team" skills, including technical skills like malware analysis and SIEM investigation, as well as soft skills like teamwork, critical thinking, and communications.

"We in the financial sector believe that exercising builds muscle memory to ensure smooth and efficient incident response," said **Cameron Dicker, Global Head of Business Resilience at FS-ISAC**. "We run a wide variety of exercises to ensure preparedness throughout all different organizational levels and functions, and we chose this competition format during Cybersecurity Awareness Month to bring a little fun into this critical tool for operational resilience."

"CISA and the NCA aptly named this year's cyber awareness month theme as 'See Yourself in Cyber,' demonstrating that cybersecurity is ultimately, about people," said **Sharon Rosenman, Chief Marketing Officer at Cyberbit**. "The feedback from the ICL teams was overwhelmingly positive and we are proud to collaborate with FS-ISAC in helping the financial industry become better prepared for real-world attacks by assessing and maximizing human performance."

"A Cyber Range is a strategic capability that enables governments and companies to effectively educate and train their professionals, as well as to experiment, test and validate new cybersecurity and cyber defense concepts, technologies, techniques, and tactics. Cyber range competitions such as the ICL Financial Cup help in providing a comparison with the rest of the peers in the sector", said Francisco Navarro García, Chief Information Security Officer, Banco de Crédito Cooperativo (BCC).

Additional teams who reached the top 10 in ICL finals include Loan Depot and Somerset Trust.

"The International Cyber League has been an excellent experience for our teams and a fantastic opportunity for them to test their skills with other elite teams across the financial services sector. We are incredibly proud of their work in keeping our company safe. Their strong performance in this competition is celebrated across Technology and the entire company", said Harold Rivas, Chief Information Officer, Loan Depot.

"Somerset Trust takes the security of our information very seriously, and I have always known that we assembled a good team of security professionals. It's always nice to see a competition like this that hones their skills and proves our dedication to security", said John Ash, Sr. Vice President and Chief Information Officer, Somerset Trust.

**About FS-ISAC**

FS-ISAC is the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, protecting the financial institutions and the people they serve. Founded in 1999, the organization's real-time information sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector's collective security and defenses. Member financial firms represent $100 trillion in assets in 75 countries.

**About Cyberbit**

Cyberbit provides the global leading attack readiness platform for enabling SOC teams to maximize their performance when responding to cyberattacks. The platform empowers security leaders to make the most of their cybersecurity investment by boosting the impact of the human element in their organization. Cyberbit delivers hyper-realistic attack simulations mirroring real-world scenarios. It enables security leaders to dramatically reduce MTTR, dwell time and cybercrime costs, improve hiring and onboarding, and increase employee retention. Customers include Fortune 500 companies, MSSPs, systems integrators, governments, and leading healthcare providers.

FS-ISAC and Cyberbit Announce Winner of the First Financial Cyber League

Earns Recognition in 2022 Gartner® Market Guide for Operational Technology Security.

**DENVER — Nov. 3, 2022 —** Global conflicts and national infrastructure needs are bringing operational technology (OT) to the forefront of the security market. Optiv, the cyber advisory and solutions leader, is extending its end-to-end capabilities to serve clients’ essential assets with heavy investment in people, process and technology for its OT cyber program.

Critical industries, such as pharmaceuticals, heavy manufacturing, energy and food and beverage production, are facing the same rapidly changing and intensifying threat landscape as today’s enterprises and governments. Optiv’s holistic security program guides clients toward cyber maturity via more modern, integrated IT/OT systems. In addition, the offering goes beyond traditional OT security to uncover previously unknown areas of risk and define tactical opportunities to improve the security posture of a client’s OT environment.

**Access the Gartner® Market Guide for OT Security here.**

“Our objectives are to keep operations online, reduce costs and downtime, and maintain the overall cyber resilience of our clients’ OT environments. We’re able to leverage our extensive combined industrial control system (ICS) expertise to identify and quantify cyber risk so the transition to more modern, outcome-driven security is smoother than not,” said Sean Tufts, IoT/OT security leader, Optiv.

Historically, industrial facilities have relied on dated ICS technologies coupled with siloed, operations-centric network security. According to Gartner, security and risk management leaders responsible for OT systems security should “anchor security efforts to operational resilience in the face of mounting risks by adopting an integrated security strategy beyond legacy OT.”1

Introducing traditional IT technologies to OT environments can improve data utilization. However, new devices and data sources open up antiquated OT networks to a whole slew of vulnerabilities they aren’t equipped to detect. It’s vital for security to be involved in the optimization and convergence of IT and OT, because Gartner also predicts “by 2025, attackers will have weaponized OT environments to successfully harm or kill humans.” 2 Optiv helps clients prepare for and cover that expanding threat surface with physical walkthroughs, risk assessments, asset discovery, threat modeling and strategic roadmapping.

In addition, Optiv’s OT cyber program offers technical network validation and network architectural services made possible by strategic, collaborative relationships with major players in OT cybersecurity products.

Learn more about Optiv’s OT Security Services with these resources:

*   Service Brief
*   Gartner® Market Guide for Operational Technology Security

Learn more about Optiv at https://www.optiv.com/company/optiv-newsroom.

Optiv Helps Safeguard Critical Industries with Cyber Advisory and Protection Offerings

TA569 has modified the JavaScript of a legitimate content and advertising engine used by news affiliates, in order to spread the FakeUpdates initial access framework.

The cyber-threat threat actor known as TA569, or SocGholish, has compromised JavaScript code used by a media content provider in order to spread the FakeUpdates malware to major media outlets across the US.

According to a series of tweets from the Proofpoint Threat Research Team posted late Wednesday, the attackers have tampered with the codebase of an application that the unnamed company uses to serve video and advertising to national and regional newspaper websites. The supply chain attack is being used to spread TA569's custom malware, which is typically employed to establish an initial access network for follow-on attacks and ransomware delivery.

Detection might be tricky, the researchers warned: "TA569 historically removed and reinstated these malicious JS injects on a rotating basis," according to one of the tweets. "Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive."

More than 250 regional and national newspaper sites have accessed the malicious JavaScript, with impacted media organizations serving cities such as Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington, DC, according to Proofpoint. However, only the impacted media content company knows the full range of the attack and its impact on affiliate sites, the researchers said.

The tweets cited Proofpoint threat detection analyst Dusty Miller, senior security researcher Kyle Eaton, and senior threat researcher Andrew Northern for the discovery and investigation of the attack.

**Historical Links to Evil Corp**

FakeUpdates is an initial access malware and attack framework in use since at least 2020 (but potentially earlier), that in the past has used drive-by downloads masquerading as software updates to propagate. It previously has been linked to activity by the suspected Russian cybercrime group Evil Corp, which has been formally sanctioned by the US government.

The operators typically host a malicious website that executes a drive-by download mechanism — such as JavaScript code injections or URL redirections — which in turn triggers the download of an archive file that contains malware.

Symantec researchers previously observed Evil Corp using the malware as part of an attack sequence to download WastedLocker, then a new ransomware strain, on target networks back in July 2020.

A surge of drive-by download attacks that used the framework followed toward the end of that year, with the attackers hosting malicious downloads by leveraging iFrames to serve up compromised websites via a legitimate site.

More recently, researchers tied a threat campaign distributing FakeUpdates through existing infections of the Raspberry Robin USB-based worm, a move that signified a link between the Russian cybercriminal group and the worm, which acts as a loader for other malware.

**How to Approach the Supply Chain Threat**

The campaign discovered by Proofpoint is yet another example of attackers using the software supply chain to infect code that's shared across multiple platforms, to broaden the impact of malicious attack without having to work any harder.

Indeed, there already have been numerous examples of the ripple effect these attacks can have, with the now infamous SolarWinds and Log4J scenarios being among the most prominent.

The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year, with multiple attacks across various organizations. The latter saga unfolded in early December 2021, with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool. That spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Supply chain attacks have become so prevalent that security administrators are looking for guidance about how to prevent and mitigate them, which both the public and private sector have been happy to offer.

Following an executive order issued by President Biden last year directing government agencies to improve the security and integrity of the software supply chain, the National Institute for Standards and Technology (NIST) earlier this year updated its cybersecurity guidance for addressing software supply chain risk. The publication includes tailored sets of suggested security controls for various stakeholders, such as cybersecurity specialists, risk managers, systems engineers, and procurement officials.

Security professionals also have offered organizations advice on how to better secure the supply chain, recommending that they take a zero-trust approach to security, monitor third-party partners more than any other entity in an environment, and choose one supplier for software needs that offers frequent code updates.

Supply Chain Attack Pushes Out Malware to More than 250 Media Websites

These aren't quick fixes, but by prioritizing needs based on risk, organizations can incrementally apply these steps to become more resilient.

With new threat actors emerging every day, cybersecurity has become a critical business imperative. Security leaders must stay competitive in a rapidly evolving business landscape while also defending against threats, reducing complexity, and facilitating digital transformation.

To better understand the top concerns among CISOs, Microsoft Security conducted a survey about cyber resilience. Keep reading to uncover our results.

**Embrace the Vulnerability of Hybrid Work and Build Resilience**

Hybrid work has forced businesses of all types into the cloud. As a result, 61% of security leaders said they view the cloud as the digital feature most susceptible to attack, and two out of three believe that hybrid work has made their organizations less secure.

This concern is not unfounded, given that 40% of all attacks in 2021 and half of all cloud attacks significantly impacted businesses. Microsoft’s research revealed that breaches due to cloud misconfiguration are just as common as malware attacks and are even more associated with significant damage to the business.

Securing the cloud is different from securing an internal network and can often be challenging. We recommend leveraging cloud security specialists to avoid administrator errors like misconfiguration and inconsistent implementation of security policies.

**Limit the Impact of Ransomware Attacks**

One in five businesses experienced a ransomware attack in 2021, and roughly one-third of security leaders listed ransomware among their top concerns. And while the financial aspects of ransomware are disruptive, they’re only part of the story. Some 48% of ransomware attack victims in our study reported that attacks caused significant operational downtime, exposure of sensitive data, and reputational damage.

Ransomware attacks come down to three primary entrance vectors: remote desk protocol (RDP) brute force, vulnerable Internet-facing systems, and phishing. Organizations can limit damage by forcing attackers to work harder to gain access to multiple business-critical systems. Zero-trust principles like least-privilege access are especially effective at preventing attacks from traveling across networks and addressing human-operated ransomware.

**Elevate Cybersecurity Into a Strategic Business Function**

An interesting mindset shift is happening among CISOs: A strong security posture should focus on building awareness of the threat landscape and establishing resilience, not on preventing individual attacks.

Microsoft’s survey data supports this line of thinking; 98% of respondents who reported feeling extremely vulnerable to attack were also implementing zero trust, and 78% already had a comprehensive zero-trust strategy in place. Because zero trust assumes a breach and optimizes for resilience rather than protection, respondents who indicated maturity in their zero-trust journey were also more likely to see attacks as an inevitability rather than a preventable threat. And while implementing zero trust does not necessarily result in fewer attacks, it can help reduce the average cost of a breach.

**Maximize Your Existing Resources**

While this data may seem dire, many CISOs are also optimistic about their ability to manage future challenges down the road.

For example, nearly 60% of leaders said they see networks as a vulnerability today. Yet only 40% see the issue persisting two years from now. Likewise, 26% fewer cite email, collaboration tools, and end users as anticipated concerns in 2024 compared with 2022, and roughly 20% fewer see supply chain vulnerability as a top concern. Only operational technology (OT) and Internet of Things (IoT) are expected to be the same or more of a challenge two years from now.

Building on a strong zero-trust foundation, organizations can optimize their existing security investments, like endpoint detection and response, email security, identity and access management, cloud access security broker, and built-in threat protection tools.

**Implement Security Fundamentals**

Today’s CISOs are being asked to do more with less. Security leaders must make the most of their existing resources by setting the right priorities — starting with foundational cyber best practices.

Microsoft estimates that 98% of cyberattacks can be thwarted by basic security hygiene, such as multifactor authentication (MFA), least privilege access, regular software updates, anti-malware, and data protection. Yet only 22% of customers using Microsoft’s cloud identity solution, Azure Active Directory, had implemented strong identity authentication protection as of December 2021.

Strengthening your cyber resilience does not happen overnight. It is a continuous journey that all organizations are on as we move forward in this rapidly changing threat landscape. By prioritizing what needs to be attended to first based on risk, organizations can incrementally apply these five steps to confidently move toward better cyber resiliency.

_Read more Partner Perspectives from Microsoft._

Security Leaders Share 5 Steps to Strengthen Cyber Resilience

Confused economies and rising unemployment rates foster a rich opportunity for cybercrime recruitment.

It's well known that cybercrime has become big business — and not just in terms of the volume but also in how crime syndicates are organizing themselves. As we saw earlier this year with the leak of files from the Conti ransomware group, that organization was operating very much like any other enterprise — it even had an HR lead and a recruitment director. We've also seen how bad actors are actively recruiting internal help with their missions.

Here's one aspect of cybercrime syndicates that's unlike most of their legitimate business counterpoints — economic uncertainty and rising unemployment rates are a boon for them. That's because these factors create a ripe opportunity for ramped-up recruitment efforts.

We're witnessing huge growth in ransomware-as-a-service (RaaS). The ransomware threat continues to adapt with more variants enabled by RaaS; our researchers saw 10,666 different variants in the first half of 2022, compared with just 5,400 in the previous six-month period. Why is this important? Because it underscores just how much easier RaaS is making it for bad actors to operate — they're able to perpetrate attacks faster and at a high rate of scale.

**Recruitment, Recruitment, Recruitment**

One way cybercriminals operate is through the use of "cyber mules" to launder their financial gain. Sometimes these mules know what they're getting into, and sometimes they're lured in under false pretenses. Criminal organizations frequently rely on legitimate-looking job postings on legitimate job-hunting websites. A dubious job ad might refer to the need for a "money transfer agent," a "payment processing agent," or even a role as vague and general as an "administration representative." These job listings and solicitation emails prey on people's desperation by offering what seems to be legitimate employment.

Leaning on insiders within organizations for help is another tactic cybercrime syndicates use for their recruitment efforts. One recent survey found 65% of respondents said they had been approached by bad actors to help with ransomware attacks against the organizations they work for.

With more people and resources, cybercrime organizations will be able to pull off more attacks and organizations need to be aware of this. Recruitment efforts show that ransomware groups are expanding and potentially able to pull off more sophisticated attacks.

**Collaboration to Combat Cybercrime Recruiting**

It takes a global team effort with solid, dependable relationships among cybersecurity stakeholders to defeat international cybercriminal groups. Criminal organizations operate nearly identically to legitimate enterprises. They have costs and profit margins. They may start looking for a new way to make money if they are unable to make a profit in a timely manner because cyber defenders are destroying their infrastructures and making them constantly start over. Cybercrime may start to decline after attackers start to give up out of concern about being discovered and arrested or because they believe the rewards aren't worth the dangers.

The World Economic Forum Partnership Against Cybercrime (PAC) is undertaking one such initiative. To disrupt cybercrime ecosystems, PAC has concentrated on fusing private sector data and digital knowledge with public sector threat intelligence. PAC has long said that breaking down communication barriers and adopting a worldwide strategy will make it simpler to get beyond the factors that protect cybercriminals.

Last year, this private-public partnership introduced the Cybercrime Atlas, a joint research initiative that gathers and compiles data about the cybercriminal ecosystem and the main threat actors active today. Legal authorities will gain from increased visibility into cybercrime operations in their investigations, takedowns, prosecutions, and convictions.

Economic insecurity provides a ripe opportunity for cybercriminals to recruit, and they've gotten so good at it that some unsuspecting job seekers get pulled into their web of evil. Or they go after employees at companies they want to target, hoping for some insider help. Collaboration at the global level combines the strengths and resources of the private and public sectors to give organizations the up-to-date intel they need to protect their networks from increased cybercrime recruitment and its fruits.

Source

DARKReading