These specialized database servers, which collect and archive information on device operation, often connect IT and OT networks.

Databases are a common point of attack by threat actors, but an uncommon type of database is gaining attention as a potentially critical target: data historian servers.

On Jan. 17, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that a set of five vulnerabilities found in the the GE Proficy Historian server could leave unpatched servers vulnerable to exploitation of poor access controls and the upload of dangerous files. GE is not alone: In the past, security researchers have found security issues in Schneider Electric's Vijeo Historian Web server and Siemens' SIMATIC Process Historian.

The servers could be used as a bridge between an organization's information technology (IT) network and its operational technology (OT) network, Uri Katz, a security researcher for cybersecurity firm Claroty's Team82 stated in its advisory on the GE Proficy vulnerabilities. 

"\[D\]ue to its unique position in between the IT and OT networks, attackers are targeting the historian, and could use it as a pivot point into the OT network," Katz said, adding that "historians often contain valuable data about industrial processes, including data about process control, performance, and maintenance."

Data historian servers — also called operational historians or process historians — give companies the ability to monitor and analyze data from their industrial control systems and physical-device networks. Essentially a data lake to store time-series data in an industrial setting, historians collect real-time information on critical infrastructure, manufacturing, and operations. 

For attackers, however, the historian server represents an opportunistic bridge between the IT and OT segments of a network because it is typically a centralized database connected to both. Because of this, historian servers have been identified as a likely target of attack in ICS networks, including adversary-in-the-middle attacks and database injection attacks, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

**DMZ**

While combining IT and OT networks can make industrial technology more agile and cost effective, "multi-network integration strategies often lead to vulnerabilities that greatly reduce the security of an organization, and can expose mission-critical control systems to cyber threats," CISA stated in its Control Systems Cyber Security Defense in Depth Strategies document.

While only one of the four advisories for industrial control systems published by the agency on Jan. 17 had to do with historian servers, CISA has warned in the past about vulnerable historian servers, such as Siemens SIMATIC Process Historian in 2021. In its previous incarnation as the ICS-CERT, the organization also warned about default passwords in Schneider Electric's Wonderware Historian in 2017 and vulnerabilities in Schneider Electric's Vijeo Historian Web Server in 2013.

Claroty's Team 82 research group installed the historian software, enumerated the structure of the messages it uses to communication, and looked for authentication bypasses to compromise the server. It found vulnerabilities that could allow an attacker to bypass authentication, delete a code library, replace the library with malicious code, and then run that code.

So far, no attack using a historian server has caused a publicized breach, Claroty's Katz said in an email interview. Yet historian servers do represent an interconnection between operational and information networks that will likely be exploited in the future, he added.

"Historian servers are generally not Internet-facing, but they are often located in the DMZ layer between the enterprise network and OT network," he said. "Some of the vulnerabilities can be chained to bypass authentication and gain pre-authentication remote code execution."

**History Lessons**

Industrial and critical-infrastructure organizations should include historian servers in their cybersecurity planning, experts say. In a list of five scenarios that companies should perform as industrial control system (ICS) tabletop exercises, the SANS Institute's Dean Parsons included a breach that uses a data historian to gather data on sensitive devices and controls.

"A set of compromised IT Active Directory credentials \[could be\] used to access the Data Historian, then pivot into the industrial control environment," said Parsons, who is also CEO and a principal consultant of ICS Defense Force. "It is critical that ICS networks be segmented from the Internet and from the IT business network."

Organizations should ensure historian servers are up to date and separated from other parts of the network, Claroty's Katz said. "Network segmentation is ... a mitigation that could help against these vulnerabilities and keep attackers from using them as a pivot point from IT to OT," he says.

Some ICS cybersecurity vendors, such as Waterfall Security and Clarify, limit access to the historian servers. They instead clone the system in the IT network segment or offer an intermediary service, allowing engineers and technicians to access the data while preventing attackers from executing code or changing data.

Vulnerable Historian Servers Imperil OT Networks

The founder and majority owner of a cryptocurrency exchange, Bitzlato Ltd. (Bitzlato), was arrested last night in Miami for his alleged operation of a money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements. 

Anatoly Legkodymov, 40, a Russian national who resides in Shenzhen, People’s Republic of China, is scheduled to be arraigned this afternoon in the U.S. District Court for the Southern District of Florida. French authorities and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) are taking concurrent enforcement actions.

"Today the Department of Justice dealt a significant blow to the cryptocrime ecosystem," said Deputy Attorney General Lisa O. Monaco. “Overnight, the Department worked with key partners here and abroad to disrupt Bitzlato, the China-based money laundering engine that fueled a high-tech axis of cryptocrime, and to arrest its founder, Russian national Anatoly Legkodymov. Today’s actions send the clear message: whether you break our laws from China or Europe – or abuse our financial system from a tropical island – you can expect to answer for your crimes inside a United States courtroom.”

“As alleged, the defendant helped operate a cryptocurrency exchange that failed to implement required anti-money laundering safeguards and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “The National Cryptocurrency Enforcement Team’s tremendous efforts to disrupt Bitzlato and arrest the defendant demonstrate that we will continue to work with our partners – both foreign and domestic – to combat cryptocurrency-fueled crimes, even if they transcend international borders.”

According to court documents, Legkodymov is a senior executive and the majority shareholder of Bitzlato, a Hong Kong-registered cryptocurrency exchange that operates globally. Bitzlato has marketed itself as requiring minimal identification from its users, specifying that “neither selfies nor passports \[are\] required.” On occasions when Bitzlato did direct users to submit identifying information, it repeatedly allowed them to provide information belonging to “straw man” registrants.

“Institutions that trade in cryptocurrency are not above the law and their owners are not beyond our reach,” said U.S. Attorney Breon Peace for the Eastern District of New York. “As alleged, Bitzlato sold itself to criminals as a no-questions-asked cryptocurrency exchange, and reaped hundreds of millions of dollars’ worth of deposits as a result. The defendant is now paying the price for the malign role that his company played in the cryptocurrency ecosystem.”

As a result of these deficient know-your-customer (KYC) procedures, Bitzlato allegedly became a haven for criminal proceeds and funds intended for use in criminal activity. Bitzlato’s largest counterparty in cryptocurrency transactions was Hydra Market (Hydra), an anonymous, illicit online marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services that was the largest and longest running darknet market in the world. Hydra users exchanged more than $700 million in cryptocurrency with Bitzlato, either directly or through intermediaries, until Hydra was shuttered by U.S. and German law enforcement in April 2022. Bitzlato also received more than $15 million in ransomware proceeds.

“The FBI will continue to pursue actors who attempt to mask their criminal activity behind keyboards and use means such as cryptocurrency to evade law enforcement,” said Assistant Deputy Director Brian Turner of the FBI. “We, along with our federal and international partners, will work relentlessly to disrupt and dismantle these types of criminal enterprises. Today’s arrest should serve as a reminder the FBI will impose risk and consequences upon those who engage in these activities.”

“As alleged today, Legkodymov knowingly allowed Bitzlato to become a perceived safe haven for funds used for and resulting from a variety of criminal activities,” said Assistant Director in Charge Michael J. Driscoll of the FBI New York Field Office. “The FBI and our partners remain steadfast in our commitment to keeping cryptocurrency markets – as with any financial market – free from illicit activity.  Today’s action should serve as an example of this commitment as Legkodymov will now face the consequences of his actions in our criminal justice system.”

As alleged in the complaint, Bitzlato’s customers routinely used the company’s customer service portal to request support for transactions with Hydra, which Bitzlato often provided, and admitted in chats with Bitzlato personnel that they were trading under assumed identities. Moreover, Legkodymov and Bitzlato’s other managers were aware that Bitzlato’s accounts were rife with illicit activity and that many of its users were registered under others’ identities. For instance, on May 29, 2019, Legkodymov used Bitzlato’s internal chat system to write to a colleague that Bitzlato’s users were “known to be crooks,” using others’ identity documents to register their accounts. Legkodymov was repeatedly warned by colleagues that Bitzlato’s customer base consisted of “addicts who buy drugs at \[\] Hydra” and “drug traffickers,” with one senior executive even stressing that Bitzlato should combat drug dealers only “nominally,” to avoid hurting the company’s bottom line. An internal spreadsheet saved in Bitzlato’s shared management folder encapsulated the company’s view of itself: “Positives: No KYC. . . . Negatives: Dirty money. . . .”

As alleged in the complaint, although Bitzlato claimed not to accept users from the United States, it did substantial business with U.S.-based customers, and its customer service representatives repeatedly advised users that they could transfer funds from U.S. financial institutions. Moreover, Legkodymov – who himself administered Bitzlato from Miami in 2022 and 2023 – received reports reflecting substantial traffic to Bitzlato’s website from U.S.-based Internet Protocol addresses, including over 250 million such visits in July 2022.

Legkodymov is charged with conducting an unlicensed money transmitting business. If convicted, he faces a maximum penalty of five years in prison.

Concurrent with the arrest announced today, French authorities, working with Europol and partners in Spain, Portugal, and Cyprus, dismantled Bitzlato’s digital infrastructure, seized Bitzlato’s cryptocurrency, and took other enforcement actions.

In addition, the Treasury Department’s FinCEN announced an Order pursuant to section 9714(a) of the Combating Russian Money Laundering Act, as amended, identifying Bitzlato as a “primary money laundering concern” in connection to Russian illicit finance. The order imposes a special measure prohibiting certain transmittals of funds involving Bitzlato by any covered financial institution.

National Cryptocurrency Enforcement Team (NCET) Trial Attorneys Alexander Mindlin, Scott Meisler, and Matthew Blackwood of the Justice Department’s Criminal Division and Assistant U.S. Attorney Artie McConnell for the Eastern District of New York are prosecuting the case, with assistance from Paralegal Specialist Mary Clare McMahon.

The Justice Department investigated this case in close coordination with French law enforcement authorities and the Treasury Department’s FinCEN, both of which took separate enforcement actions today under their respective authorities. The Justice Department’s Office of International Affairs and the FBI’s Legal Attaché in France provided critical assistance in this case, with significant support from the department’s Cyber Operations International Liaison. The NCET and U.S. Attorney’s Office for the Eastern District of New York also extend their appreciation to the Cyber Division of the Paris Prosecution Office and to France’s Gendarmerie Nationale Cyberspace Command (Cyber Crime Investigation Unit / C3N). Assistance was also provided by the Customs and Border Protection, the Transportation Safety Administration, and the New York City Police Department. EUROPOL and Dutch and Belgian authorities have contributed to the overall investigation with respect to operational expertise, coordination, and information-sharing.

The NCET was established to combat the growing illicit use of cryptocurrencies and digital assets. Under the Criminal Division, the NCET conducts and supports investigations into individuals and entities that enable the use of digital assets to commit and facilitate a variety of crimes, with a particular focus on virtual currency exchanges, mixing and tumbling services, and infrastructure providers. The NCET also sets strategic priorities regarding digital asset technologies, identifies areas for increased investigative and prosecutorial focus, and leads the department’s efforts to collaborate with domestic and foreign government agencies as well as the private sector to aggressively investigate and prosecute crimes involving cryptocurrency and digital assets. 

_A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law._

Founder and Majority Owner of Cryptocurrency Exchange Charged With Processing Over $700 Million of Illicit Funds

Layoffs intended to cut costs, help company shift its focus on cybersecurity services, Sophos says.

A slowing economy and a strategic push into the cybersecurity services market were reportedly behind a decision to cut some 450 jobs at Sophos.

Although reports haven't confirmed the exact number of layoffs at Sophos, a company spokesperson, Jitendra Bulani, told TechCrunch the restructuring could potentially impact as much as 10% of the global Sophos workforce.

"Sophos is taking these steps for two main reasons: first, to ensure that we achieve the optimal balance of growth and profitability to support Sophos’ long-term success, which is particularly important in the midst of a challenging and uncertain macro environment, and second, to allocate our investments across the company to support our strategic imperative to be a market leader in delivering cybersecurity as a service," Jitendra said.

Sophos was acquired by Thoma Bravo for $3.9 billion in March 2020.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Sophos Cuts Jobs to Focus on Cybersecurity Services

The powerful AI bot can produce malware without malicious code, making it tough to mitigate.

The newly released ChatGPT artificial intelligence bot from OpenAI could be used to usher in a new dangerous wave of polymorphic malware, security researchers warn.

One of the many spectacular tricks ChatGPT has been able to pull off is writing highly advanced malware that actually contains no malicious code at all, making it difficult to detect and mitigate, researchers at CyberArk explained in its recent threat research report.

The CyberArk team also detailed how the chatbot can be used to both generate injection code, as well as mutate it.

This new wave of cheap and easy ChatGPT polymorphic malware is something cybersecurity professionals should pay attention to, the analysis added.

"As we have seen, the use of ChatGPT's API within malware can present significant challenges for security professionals," the report said. "It's important to remember, this is not just a hypothetical scenario but a very real concern."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ChatGPT Could Create Polymorphic Malware Wave, Researchers Warn

New module introduces shadow SaaS application discovery, monitoring, and remediation to protect businesses from supply chain attacks.

**NEW YORK****,** **Jan. 18, 2023** **/PRNewswire/ --** DoControl, the automated Software-as-a-Service (SaaS) security company, today announced a platform expansion with the launch of its comprehensive Shadow Apps solution. Building on prior innovations that address mission-critical use cases, DoControl's newest module introduces shadow SaaS application discovery, monitoring, and remediation to better protect businesses from SaaS supply chain attacks.

SaaS application-to-application connectivity features increase risk by introducing machine identities that are often overprivileged, unsanctioned, and unmonitored. Compromised machine identities can easily gain permission to read, write, and delete sensitive data on improperly managed applications, significantly increasing security, business, and compliance risk for organizations. DoControl's SaaS Security Platform expansion provides complete visibility and control across all sanctioned and unsanctioned SaaS applications to close compliance gaps and remediate supply chain-based attack vectors automatically.

The significant growth of SaaS applications, the demand to integrate them, and the economic pressures to consolidate vendors are contributing to a market need for a single service platform that provides centralized security across disparate applications. Offering CASB, DLP, Insider Risk, Workflows, and now Shadow Apps, DoControl has emerged as the end-to-end SaaS Security platform provider to help security teams do more with less overhead.

The expansion of the DoControl SaaS Security Platform enables comprehensive "shadow application" governance through:

*   **Discovery and Visibility**: Organizations can discover all interconnected first, second, and third-party SaaS applications – sanctioned and unsanctioned – within a business's estate. With a complete mapping and inventory, businesses can identify issues of non-compliance and understand the riskiest SaaS platforms, applications, and users exposed within the SaaS estate.
*   **Monitor and Control**: Organizations can perform application reviews with business users through pre-approval policies and workflows that require end users to provide a business justification to onboard new applications. Security teams can also quarantine suspicious applications, reduce excessive permissions, and revoke or remove applications or access.
*   **Automated Remediation**: Using low-code/no-code tools, organizations can automate security policy enforcement across the entire SaaS application stack. DoControl's Security Workflows reduce exposure introduced by third-party applications and prevent unsanctioned or high-risk application usage through automated remediation of potential threat vectors.

"Data security is paramount, yet many tools lack the granularity and suite of capabilities modern businesses need to secure sensitive data and operations – particularly in the complex and interconnected world of SaaS applications," said Adam Gavish, CEO and Co-founder, DoControl. "Our expanded platform offers a fully unified solution for seamlessly securing both human and machine access so businesses can avoid sensitive data loss, regulatory penalties, and revenue impacts stemming from the mismanagement of the SaaS estate."

The Shadow Applications Module is currently available to existing customers and will enter general availability in Q1 of 2023. To learn more, please review the list of supporting resources below:

*   View the Solutions webpage
*   Register for the Webinar
*   Read the Blog
*   Download the Solution Brief

**About DoControl**

DoControl is an agentless, event-driven SaaS Security Platform that secures business-critical SaaS applications and data. DoControl helps organizations expose their SaaS risk, remediate it quickly, and automatically remediate over time through granular, no-code workflows. DoControl uncovers all SaaS users, third-party collaborators, assets and metadata, OAuth applications, groups, and activity events. DoControl helps reduce risk, prevent data breaches, and mitigate insider risk without slowing down business enablement. To learn more about DoControl, visit www.docontrol.io, read the DoControl blogs, or follow us on Twitter and LinkedIn.

DoControl Announces SaaS Security Platform Expansion With Shadow Apps Module Launch

KnowBe4 releases overall 2022 and Q4 2022 global phishing test reports and finds business-related emails continue to be utilized as a phishing strategy and reveal top holiday email phishing subjects.

**Tampa Bay, FL (January 18, 2023)—** KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced the results of its 2022 and Q4 2022 top-clicked phishing report. The results include the top email subjects clicked in phishing tests, top attack vector types, holiday phishing email subjects and more insightful information that reveal the most popular phishing email tactics.  

Phishing emails continue to be one of the most common and effective methods to maliciously impact a variety of organizations around the world – everyone is a potential victim. Cybercriminals constantly refine their strategies to outsmart end users and organizations by changing phishing email subjects to be more believable and attention grabbing. This shift in phishing tactics over time is evident in the increasing trend of cybercriminals using business-related email subjects.

Business phishing emails are lucrative and successful because of their potential to affect a user’s workday and routine. These include emails from HR, IT, managers and web services such as Google and Amazon. KnowBe4’s 2022 phishing test results reveal that for the year, nearly 50% of email subjects were HR related, while the other half were related to career development, IT and work project notifications. These types of emails bait recipients into opening them and are likely successful because they create a sense of urgency in users to act quickly, sometimes without thinking and taking the time to question the email’s legitimacy. 

Additionally, this year’s phishing tests revealed the top vector for the year to be phishing links in the body of an email, which has stayed consistent for the last three consecutive quarters. The combination of these phishing tactics is clearly a working strategy for cybercriminals but detrimental to users and organizations as they can lead to cyber attacks such as business email compromise and ransomware.

Along with an increased utilization of more business-related emails and links within emails, the Q4 2022 phishing test also shares the top holiday phishing email subjects. The holiday season is one of the busiest times of year for online activities and cybercriminals count on end users having their guards down when it comes to staying alert and spotting phishing emails. Like general phishing email subjects, holiday phishing email subjects consist of emails from HR and IT, however, they are also tailored to the holiday season and the festivities that typically happen during that time of the year by mentioning holiday parties, gifts, food and more. 

“Cybercriminals are smart and pay attention to what works and what does not when it comes to effective phishing emails,” said Stu Sjouwerman, CEO, KnowBe4. “This is why we see email subjects evolve and upgrade over time to keep up with end users and what they may be susceptible to. Phishing emails are a year-round threat and remain a challenge during the holiday season as well – holiday phishing emails are the one gift that no one wants to receive in their inbox. KnowBe4’s phishing test reports emphasize the importance of new-school security awareness training that educate users on the latest and most common cyber attacks and threats. A strong security culture and an educated workforce is an organization’s best defense to remain vigilant and stay safe online from cybercriminals and their attempted threats.”

To download a copy of the 2022 and the Q4 2022 KnowBe4 Phishing Infographics, visit here and here.

**About KnowBe4**

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 54,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

KnowBe4 2022 Phishing Test Report Confirms Business-Related Emails Trend

From updating employee education and implementing stronger authentication protocols to monitoring corporate accounts and adopting a zero-trust model, companies can better prepare defenses against chatbot-augmented attacks.

Over LinkedIn, Slack, Twitter, email, and text messages, people are sharing examples created using ChatGPT, the new artificial intelligence (AI) model from the team behind OpenAI.

Using ChatGPT, you can produce authentic-sounding dialogue that can be used for almost anything — from answering follow-up questions in an online chat dialogue to writing poetry. There are plenty of opportunities for enterprises to take advantage of the new chatbot technology, including helping with enterprise support and customer interactions. Its ability to quickly generate content, and, according to its developers, "answer follow-up questions, admit its mistakes, challenge incorrect premises, and reject inappropriate requests," opens many opportunities and some new challenges.

AI and machine learning (ML) is shifting quickly from niche solutions in corporate scenarios that have been high cost/high reward toward solutions to more expansive implementations that can solve a range of enterprise challenges, particularly those which focus on end users. Cybersecurity, for example, is now embracing AI-based approaches to provide greater protection with smaller security teams. One example highlights how organizations can use AI/ML to perform dynamic, risk-based checks when someone tries to access sensitive applications or data. This replaces older, policy-based approaches, which can take significant time and human interaction to develop and maintain the individual access policies. In a larger company, maintaining those policies could include hundreds or even thousands of applications and data repositories.

**Using AI for Greater Efficiency**

Interest in AI is continuing to explode as modern attacks require rapid detection and response to anomalous user behavior — something an AI model can be trained to quickly identify, but which takes significant human power to try and replicate manually. The goal of AI is to increase efficiency and trust while reducing friction and improving the user interface for typical users. Self-driving cars, for example, are designed to increase the safety and security of end users. In cybersecurity, specifically in the authentication of users (human and nonhuman), AI-based approaches are advancing rapidly, working with rule-based systems to improve the experience for end users.

In an increasingly digital world, attackers can already sidestep detection of binary identity authentication, including location, device, network, and other checks. Inevitably, cybercriminals will also look at the new opportunities ChatGPT opens up. AI tools that interact in a conversational way can be leveraged by cybercriminals to launch convincing phishing campaigns or account takeovers. In the past, it may have been easier to spot a phishing attack due to the poor grammar, unusual phrasing, or frequent spelling errors so common in phishing emails. That is quickly evolving with solutions like ChatGPT, which use natural language processing to create the initial message and then generate realistic responses to a target user's questions without any of those telltale markers.

**Rethink Security Approaches**

To prepare for chatbot-augmented attacks, organizations need to rethink security approaches to mitigate potential threats. Five measures they can take include:

1.  **Updating employee education** regarding the risks of phishing. Employees who understand how ChatGPT can be leveraged are likely to be more cautious about interacting with chatbots and other AI-supported solutions, and thereby avoid falling victim to these types of attacks.
2.  **Implementing strong authentication protocols** to make it more difficult for attackers to gain access to accounts. Attackers already know how to take advantage of users tired of reauthenticating through multifactor authentication (MFA) tools, so leveraging AI/ML to authenticate users through digital fingerprint matching and avoiding passwords altogether can help increase security while reducing MFA fatigue.
3.  **Adopting a zero-trust model.** By only granting access after verification and ensuring least-privileged access, security leaders can create an environment where even if an attacker leverages ChatGPT to get around unsuspecting users, the cybercriminals will still have to verify their identity and, even then, will only have access to limited resources. Limiting the access not only of developers but also leadership, including technical leadership, to the least access needed to perform their jobs effectively, may initially meet with resistance, but will make it harder for an attacker to leverage any unauthorized access for gain.
4.  **Monitoring activity** on corporate accounts and using tools, including spam filters, behavioral analysis, and keyword filtering, to identify and block malicious messages. Your employees cannot fall victim to a phishing attack, no matter how sophisticated the language is, if they never see the message. Quarantining malicious messages based on the behavior and relationship of the correspondents rather than specific keywords is more likely to block malicious actors.
5.  **Leveraging AI.** Cyberattacks are already leveraging AI, and ChatGPT is just one more way that they will use it to gain access to your organization's environments. Organizations must take advantage of the capabilities offered by AI/ML to improve cybersecurity and respond faster to threats and potential breaches.

Account takeover via social engineering, leveraging passwords from data breaches, and phishing attacks will become more frequent and more successful — despite our best defenses — given that ChatGPT can provide authentic-sounding responses to target inquiries. By updating and adopting these five approaches, organizations can help to reduce the risks to themselves and their employees when chatbots and other AI tools are used for malicious purposes.

ChatGPT Opens New Opportunities for Cybercriminals: 5 Ways for Organizations to Get Ready

Threat actors are diversifying across all aspects to attack critical infrastructure, muddying the threat landscape, and forcing industrial organizations to rethink their security.

The motive of financial and political gain — fueled partially by the ongoing conflict in Ukraine — has emboldened threat actors to barrage industrial control systems (ICS) with ever more disruptive cyberattacks, diversifying the threat landscape for critical infrastructure, new research shows.

This trend is expected to continue throughout 2023 with attackers arming themselves with new tactics and malware, forcing ICS operators to level up if they want to protect their networks, according to Nozomi Networks' "OT/IoT Security Report: A Deep Look Into the ICS Threat Landscape" for the second half of 2022, published Jan. 18.

It used to be that nation-state actors were the leading perpetrators of attacks against ICS, primarily using remote access Trojans (RATs) to drop malware payloads and gain remote access to networks, as well as mounting distributed denial-of-service (DDoS) attacks to cause "inconvenient" disruption, says Roya Gordon, security research evangelist at Nozomi Networks. "Historically, critical infrastructure disruptions were seen as a nation-state tactic," she says.

However, the now-infamous Colonial Pipeline attack in May 2021 marked a significant shift in this trend. In that incident, a ransomware attack that started with a stolen password caused panic and gas shortages across the eastern United States, and attackers realized how disruptive and potentially lucrative new attack vectors could be, she says.

"The Colonial Pipeline attack demonstrated how cybercriminals can leverage ransomware attacks on critical infrastructure — since they tend to depend heavily on real-time data, and have the means to meet ransom demands — for financial gain," Gordon notes.

Then with Russia's attack on Ukraine last February, attacks on ICS got political, with hacktivists, traditionally known for data breaches and DDoS attacks, wielding destructive wiper malware to disrupt transportation systems such as railroads and other critical infrastructure in the Ukraine for political gain, she says.

This marked a shift in not only who was attacking ICS, but how and for what motive they were launching these attacks, Gordon says. "All in all, this unprecedented level of activity across all fronts should cause us concern."

**Top ICS Cyberattack Trends**

The report identified top trends in the ICS threat landscape based on a compilation of information from various sources including open source media, CISA ICS-CERT advisories, and Nozomi Networks telemetry, as well as on exclusive IoT honeypots that Nozomi researchers employ for "a deeper insight into how adversaries are targeting OT and IoT, furthering the understanding of malicious botnets that attempt to access these systems," Gordon says.

What researchers observed over the last six months was a significant uptick in attacks that caused disruption to a number of industries, with transportation and healthcare being among the top new sectors finding themselves in the crosshairs of adversaries among more traditional targets.

Attackers are using various methods of initial entry to ICS networks, although some common weak security links that have historically plagued not just ICS but the entire enterprise IT sector — weak/cleartext passwords and weak encryption — continue to be the top access threats.

Still, “Root” and “admin” credentials are most often used as a way for threat actors to gain initial access and escalate privileges once in the network, the findings show. Other ways threat actors find their way in include brute-force attacks and DDoS attempts.

In terms of malware, RATs remain the most common malware detected against ICS, while DDoS malware and unusually high and still-rising IoT botnet activity continued to be the top threat for IoT devices on a network. The use of default credentials to hack IoT devices was the primary means of entry for IoT botnets, the researchers found.

Over the second half of last year, attacks on ICS spiked in July, October, and December, with more than 5,000 unique attacks in each of those months. Manufacturing and energy remained the most vulnerable industries, followed by water/wastewater, healthcare, and transportation systems.

Interestingly, despite the uptick in targeting Ukraine, the top attacker IP addresses observed in the second half of 2023 didn't come from Russia nor countries that side with Russia, the researchers found. Instead, the main IP addresses associated with ICS attacks were in China, the US, South Korea, and Taiwan, according to Nozomi's data.

**The Look Ahead**

Top among ICS/IoT threats to watch out for: adversaries will use hybrid threat tactics that don't follow what operators may have seen in the past, which means "it will become increasingly difficult to categorize types of threat actors based on TTPs and motives," according to the report.

Organizations in the healthcare sector — which saw a spike in attacks when COVID-19 hit that has continued even as the pandemic largely wanes — should be mindful to stay on top of medical-device updates, according to Nozomi. Threat actors will likely use exploits to access medical systems that aggregate device data, a manipulation that can have dire and even life-threatening consequences for patients, potentially leading to malfunctions, misreadings, or even overdoses in automatic release of medication.

Another new threat on the horizon is from AI-driven chatbots that attackers will use for malicious purposes, such as writing code or developing exploits for vulnerabilities. They also can use them to generate more accurate phishing/social engineering texts that can be used as entry access to ICS networks, the researchers said.

"All this could reduce the time it takes to develop targeted threat campaigns, thus increasing the frequency of cyberattacks," according to the report.

Though the news appears gloomy, securing ICS against oncoming threats can be as simple as practicing "basic cyber hygiene," employing typical IT security practices that any organization already should be using, Gordon says.

"While threat actors may have the capability to access OT and IoT directly, it's one of their long-standing strategies to first breach IT and pivot into OT," she says. "Therefore, taking steps to secure IT is key."

ICS Confronted by Attackers Armed With New Motives, Tactics, and Malware

**NEW YORK****,** **Jan. 18, 2023** **/PRNewswire/ --** Abacus Group, the leading provider of hosted IT services and solutions to alternative investment firms, today announces that it has acquired two boutique cybersecurity consulting companies, Gotham Security and its parent company, GoVanguard, both of which have unparalleled track records of excellence in the cyber arena.

Gotham Security, as the new business will be known, will be a subsidiary of Abacus Group but continue to operate independently. The acquisition marks a milestone in Abacus Group's expansion from a security-focussed managed service provider (MSP) to a full-bodied managed security service provider (MSSP) with an extensive suite of industry-leading cybersecurity services and products.

The deal will see Gotham Security supercharge Abacus Group's existing services portfolio with a wide breadth of cybersecurity consulting expertise. Abacus Group will acquire a comprehensive set of information security capabilities to provide clients with real-world, actionable insight, including penetration testing, red teaming, tabletop exercises, risk and compliance gap assessments, and threat hunting services.

Complementing and aligning with Abacus Group's leading cybersecurity technology platform, Gotham Security's services will continue to be delivered by its team of industry trailblazers, comprised of cybersecurity leaders, researchers, educators, and creators. Gotham Security's dedicated leadership team will remain at the helm of the company, bringing their passion for elevated quality, insight, and cybersecurity awareness to both their own clients and customers of Abacus Group.  

Chris Grandi, CEO of Abacus Group, commented: "This acquisition is a natural next step in a long working relationship with Gotham Security, as the businesses have been valued resources to each other and our clients over the last decade. It's fantastic to now join forces and take further strides in our own expansion from MSP to MSSP. Abacus Group has always been committed to keeping our clients safe and secure, especially as the security and regulatory landscape continues to evolve in line with escalating cyber threats. Therefore, we are thrilled to be able to expand our cybersecurity capabilities and provide the full suite of services offered by Gotham Security to our customers and investors."

The synergy between Abacus Group's cybersecurity offerings and Gotham Security will result in a complete set of MSSP capabilities. Expanding further into the MSSP space will support Abacus Group in meeting the growing demand for comprehensive, expert-led cybersecurity insights at every level of an organization's technology stack, especially as security threats against businesses continue to increase and become ever more sophisticated.

Christian Scott, COO, CISO and Partner at Gotham Security, added: "This is a very exciting time for everyone at Gotham Security. Alongside the close, collaborative working relationship we've developed with Abacus Group over the years, our shared mission to provide a broader scope of high-quality cybersecurity and technology services to customers has been the key driving force behind our union under the same umbrella. We continue to take pride in the best-in-class security insight we provide to our customers, but we've also listened closely to their growing demand for integrated technology solutions that fulfil an entire spectrum of security needs and requirements. The complementary opportunities created by Abacus Group's robust technology solutions and Gotham Security's innovative cybersecurity services will provide greater value and more options than ever to our shared customer base."

Lowenstein Sandler LLP served as legal counsel to Abacus Group, while Szaferman, Lakind, Blumstein & Blader, PC. Served as legal counsel to GoVanguard and Gotham Security on the transaction.

**About Abacus Group**

Abacus Group is a leading provider of hosted IT solutions and services focused on helping alternative investment firms by providing an enterprise technology platform specifically designed for the unique needs of the financial services industry. The innovative and award-winning Abacus Cloud platform allows investment managers to source all technology needs as a service, offering the capacity to scale on demand to meet current and future cybersecurity, storage and compliance requirements. The company has offices in New York, NY; San Francisco, CA; Boston, MA; Dallas, TX; Greenwich, CT; Los Angeles, CA; Charlotte, NC; Miami, FL; and London, England. For more information, visit www.abacusgroupllc.com.

**About Gotham Security**

Gotham Security is a boutique cybersecurity firm founded in 2013 and based out of Manhattan, focused on providing high-quality penetration testing, malicious adversary simulation, threat intelligence services, and cybersecurity strategy services. Our team is comprised of elite white hat hackers, known as the go-to "cyber strike team." We are not just excellent at red teaming, more importantly, we know how to communicate cybersecurity threats in a practical way to organizations. We work with a growing number of Fortune 1000 companies across all major sectors of business, including multi-billion-dollar hedge funds, major insurance providers, international options trading exchanges, and more.

SOURCE Abacus Group LLC

Abacus Group Acquires Gotham Security and GoVanguard to Expand Cybersecurity Service Offerings

The integration provides crucial protection for businesses’ most vulnerable departments — help desks and customer support teams — preventing the most advanced threats sent by online users.

**(Tel Aviv, Israel – January 18, 2023) --** Perception Point, a leading provider of advanced threat protection across digital channels, today announced that it has launched _Advanced Threat Protection for Zendesk_, the champions of service-first CRM software, to provide unparalleled detection and remediation services for Zendesk customers. Perception Point customers can now protect Zendesk along with their email, web browsers and other cloud collaboration apps from a single, consolidated platform with the highest detection rates in the industry.

Helpdesk and customer support staff communicate regularly with people outside of the organization, making them especially vulnerable to external threats originating from malicious content within support tickets. Content uploaded externally can potentially be used as a vehicle for cyberattacks, allowing malicious payloads to enter an organization’s system.

Perception Point's _Advanced Threat Protection for Zendesk_, a multi-layered threat prevention platform, boosts Zendesk’s basic native security to protect customers from the most advanced malware and social engineering attacks. Easily deployed to protect all customer-facing personnel, Perception Point scans every single ticket attachment coming through Zendesk (including embedded URLs/files) in near real-time, using a combination of patented dynamic and static detection layers, based on threat intelligence, advanced algorithms and machine learning. Perception Point’s next-generation sandbox technology uniquely scans 100% of content, 40x faster than traditional technologies, to achieve unprecedented visibility into any type of attack, including advanced attacks like APTs and zero-days. Zendesk customers will be able to rapidly remediate any attack that slips through the cracks through the support of Perception Point’s free-of-charge 24/7 managed incident response service.

“The threat landscape is only becoming more complex, with threat actors initiating more advanced attacks across multiple attack vectors,” said Peleg Cabra, Product Marketing Manager, Perception Point. “Adding Zendesk integration to our Advanced Threat Protection platform allows Zendesk users to protect their organizations against malware and social engineering attacks that would otherwise avoid detection by traditional cyber defense mechanisms. The offering not only secures Zendesk’s support channels, but also reduces SOC team workloads through the support of Perception Point’s managed incident response service.”

_Advanced Threat Protection for Zendesk_ has already been successfully deployed by Agoda, an international hospitality company with over 7,000 employees worldwide, which uses Zendesk to process all customer requests. Over a three-month period, Perception Point’s solution scanned over 385,000 root files, scanned around 69,000 embedded files and URLs, identified and prevented 187 malicious events, and dynamically scanned all traffic at an average of 7.1 seconds, with 75% of content dynamically scanned in just three seconds.

“Perception Point has been instrumental in strengthening and fortifying both our organization and our Zendesk systems,” said Guy Fridman, Head of Security Operation and Response, Agoda. “Securing Zendesk is critical to the success of our customer relationships. Beyond future-proofing against potential threats, Perception Point also allows our SOC team to focus on other important security areas such as monitoring, testing, and analyzing our overall security posture. This combination of innovative technology and reliable client servicing has provided us with the confidence to operate with zero to little friction.”

Read more about the Zendesk case study with Agoda here.

Perception Point’s advanced threat protection solution is now available for Zendesk Support products. Read here for more information about protecting Zendesk.

**About Perception Point**

Perception Point is a Prevention-as-a-Service company for the fastest and most accurate next-generation detection and response to all attacks across email, cloud collaboration channels, and web browsers. The solution's natively integrated incident response service acts as a force multiplier to the SOC team, reducing management overhead, improving user experience and delivering continuous insights; providing proven best protection for all organizations.

Deployed in minutes, with no change to the enterprise’s infrastructure, the patented, cloud-native and easy-to-use service replaces cumbersome legacy systems to prevent phishing, BEC, spam, malware, Zero-days, ATO, and other advanced attacks well before they reach end-users. Fortune 500 enterprises and organizations across the globe are preventing content-borne attacks across their email and cloud collaboration channels with Perception Point.

To learn more about Perception Point, visit our website, or follow us on LinkedIn, Facebook, and Twitter.

Source

DARKReading