Two mostly defunct threats — WannaCry and NonPetya — top the list of ransomware searches, but does that mean they are still causing problems?

Five years ago, two ransomware programs, WannaCry and NonPetya, used self propagation to spread quickly across the globe, infecting hundreds of thousands of computers, shutting down business operations, and causing billions in damages.

The two programs, often referred to as worms, have refused to die. In a back-of-the-napkin analysis of search terms for common ransomware programs, Canadian IT services and support firm Firewall Technical found that WannaCry and Petya claimed the top and third spot on a list of most searched-for ransomware — at 6,000 and 1,800 monthly searches, respectively — with Ryuk beating out Petya to claim the No. 2 slot, according to data collected from keyword-search tools commonly used by search engine optimization (SEO) firms.

With the Petya searches, it is likely that people are equating Petya with the more damaging NotPetya. People searching for information about Petya are more than likely looking for how to deal with NotPetya, as it has far more effect on everyone, the company says.

Certain other keyword phrases — such as "_X_ decryptor" and "_X_ ransomware removal" — highlighted different trends: "Locky ransomware removal" had a slight lead in monthly searches, and "Cerber decryptor" was the second most common after WannaCry. Arguably, searches for decryptors and removal information are more indicative of infections, according to the support firm's experts.

"Although reports of infections are the best way of detecting threats, monitoring search engine user behavior can give us a clue into both trends and the infections that users are dealing with," a Firewall Technical spokesperson said.

    

Source: Firewall Technical (https://www.firewalltechnical.com)

The fact that two worm-like programs continue to have a long-term impact on systems is not surprising. In its threat update on ransomware, security software firm WithSecure found that WannaCry still accounted for 53% of all detections in 2021 — more than the next four ransomware families combined.

The programs typically embed themselves inside organizations that do not have good visibility into the state of their systems and lack the ability to regularly patch systems, says Neeraj Singh, research and development manager at WithSecure.

"Most of the upstream ... cases that we receive come from the organizations \[that\] do not have the infrastructure to upgrade \[or\] patch operating systems," he says.

Luckily, the worms' impacts are blunted at present. Following a successful infection, WannaCry attempts to connect to a URL and, if successful, does not encrypt the files on the system — a behavior that researcher Marcus Hutchins used to create a kill switch that continues to work to this day.

While NotPetya has no kill switch, current volumes of infections are low enough to make tracking them difficult, according to WithSecure. To date, no new versions of either program have been observed since 2017, the company said.

If WannaCry and NotPetya follow the trajectory of past worm-like threats, they are unlikely to fade away quickly. Four years after the Slammer worm started spreading, for example, the so-called "flash" worm remained the most common network threat. More than a decade after the Conficker worm started spreading in 2008, endpoint security firms continue to block hundreds of thousands of intrusion attempts by infected systems every year.

The data collected by Firewall Tactical also shows the limits of relying on search terms for threat intelligence. Searches for "WannaCry ransomware" were only a sliver of the 201,000 hits in May 2017, when the crypto ransomware worm first appeared, suggesting that the long tail will continue to cause headaches for IT administrators. The 6,000 searches is also a far cry from the more general query for the keyword "WannaCry," which topped 3.4 million that month.

Internet Searches Reveal Surprisingly Prevalent Ransomware

It's time to expand the approach of TPRM solutions so risk management is more effective in the digital world.

SaaS-to-SaaS integrations are an inherent part of modern software-as-a-service use in business, and the adoption of third-party services is scaling rapidly to adapt. Malicious actors aren't lagging behind. They realize the lucrative benefits of leveraging these integrations to steal, leak, or abuse organizational assets.

Traditional third-party risk management (TPRM) solutions were introduced to help streamline and automate compliance processes. Recent supply chain breaches, such as the malicious third-party OAuth token abuse that affected GitHub customers, show how threats grow while SaaS use scales, making it imperative for business requirements around third-party risk evaluation and management to shift. The cybersecurity community's approach to these risks must shift accordingly.

While TPRM solutions serve a noble purpose — assessing the security of an organization's vendors — their value stops there. A vendor could be considered healthy in terms of its security controls, with a low-risk score, but only as a stand-alone vendor and regardless of its required integration and interaction with the organization and its valuable assets. Risk assessments, questionnaires, and aggregated data are time-consuming and costly to manage and provide minimal value without the proper context and holistic strategy to govern them.

Here are three critical considerations that should be top of mind as you assess and onboard third-party vendors:

**Can You Continuously Assess Their Access Level and Business Impact Risk?  
**

Existing TPRM solutions usually lack the context needed to understand the scope and nature of SaaS-to-SaaS integrations with third-party vendors. Given the dynamic nature of the SaaS sprawl, this can introduce tremendous amounts of (otherwise avoidable) risk. As part of the onboarding process, organizations must be able to accurately gauge critical elements of this partnership: Is the original business impact assessment aligned with the actual interaction with the vendor? Is the initial vendor assessment aligned with the permissions granted and the organizational need for the vendor? Did the relationship with the vendor or business requirement change over time?

TPRM questionnaires must be customizable and allow organizations to evaluate and manage vendors according to their associated business risk. Vendors that are crucial to your business and require access to sensitive information such as employee or customer data should be assessed using different parameters from those used to assess a lower-risk vendor.

Adding to this complexity is the interconnectivity between vendors. As the number of vendors grows, so does the number of connections. Supply chain management requires comprehensive visibility into all vendors and the vendors connected to them. Without such accountability, an organization can be breached through a third-party integration it wasn't even aware existed in its supply chain. For example, Salesforce may have third-party plug-ins that access sensitive data and personal identifiable information (PII) in Salesforce and therefore may pose a risk for an organization that uses Salesforce but is unaware of other vendors connected to it. In such a case, the vendors behind such plug-ins should be assessed accordingly.

**Do You Have a Vendor Offboarding Process?  
**

This is a deceptively simple question that has profound implications for third-party risk management. When an employee leaves the company, their privileges are revoked using a dedicated identity access and management (IAM) offboarding process, yet there's no similar procedure to offboard vendors. Making matters worse, vendors are onboarded daily by multiple functions across the organization. Even if a TPRM assessment process is triggered, it is set and forget, without the necessary continuous reassessment over time as the vendor access drifts from the initial setup.

What follows is a veritable vendor graveyard. Some vendors may have been onboarded during a previous vendor selection process, one was chosen, but the other two remain dormant and connected to the organization, usually with high privilege access that is never revoked. It is imperative to realize that even if you terminate your tenant on a vendor's platform, it doesn't mean you revoked its tokens to your environment.

Most organizations fail to adopt the required processes that answer this significant question: Is the vendor still used by the business unit? Without a periodic review of your vendors, their access privileges, who uses them, and how — you will have no way to establish and assess their risk.

**Can Your Vendor Risk Processes Scale to Support a Decentralized IT Organization?  
**

In a modern organization with dozens or hundreds of SaaS applications, IT is now decentralized and end users, citizen developers, and business owners onboard new third-party vendors daily. The lack of continuous supply chain risk assessment as the organization becomes more decentralized renders initial vendor evaluations irrelevant and outdated. As a result, security teams are increasingly unable to detect if a vendor has altered its characteristics, if its access into the organization has widened, or worse — if it has been compromised.

It's therefore critical to ask whether the vendor's business impact has increased over time and whether it requires a new assessment. Manually assessing vendor privileges and integrations is impractical and quickly becomes irrelevant in an increasingly agile and dynamic SaaS environment. Adding to this burden is the lack of awareness on the part of users and even system administrators of the importance of updating assessments and ensuring they're aligned with current needs and requirements. The absence of a clear policy defining when and how to conduct inventories of vendor integrations prevents common-sense changes from being implemented.

**Make Room for Changes  
**

A uniform approach to third-party vendor assessments is a near-sighted, partial solution to a dynamic problem.

Vendors differ in their essential purpose, with some geared toward low risk and others requiring access to personal or financial client information which, if leaked, lost, or stolen, could pose significant harm. Therefore, the security community must expand existing TPRM approaches to adapt to the vendor risk management life cycle and ensure its effectiveness in securing SaaS-to-SaaS integrations in the dynamic digital enterprise.

3 Golden Rules of Modern Third-Party Risk Management

Cynet CISO survey reveals lack of staff, skills, and resources driving smaller teams to outsource security with advanced tools, technologies, and services.

**Boston, MA – July 13, 2022 –** Cynet, the world’s first provider of an autonomous, end-to-end, fully automated extended detection and response (XDR) platform, today announced the results of its second annual “CISO Survey of Small Cyber Security Teams." The survey found that companies with small security teams continue to face a number of unique challenges that place these organizations at greater risk than larger enterprises. These enhanced risks are moving these companies to consolidate security platforms to fewer, more robust and comprehensive tools to simplify and improve protections.

The Cynet survey analyzed responses from 200 Chief Information Security Officers (CISOs) at small and medium size enterprises (SMEs) with five or fewer security staff members and cybersecurity budgets of $1M USD or less. It found that a majority of these organizations were overwhelmed by an endless volley of cyberattacks. These security professionals report that they are inundated by many of the same threats facing larger organizations, but lack the financial resources, staff specialists, training and proper tools to consistently remediate them.

According to the survey results:

*   58% of the responding CISOs felt their risk of attack was higher compared to enterprises, despite the fact that enterprises have a larger target on their back.
*   94% say they have barriers in maintaining their security posture, due to a lack of skilled security personnel (40%), excessive manual analysis (37%), and the increasingly remote workforce (37%) among other factors.
*   87% have difficulty in managing and operating their threat protection products due to overlapping capabilities (44%) and difficulty visualizing the full scope of an attack (42%).
*   As a result, 90% of small security teams are outsourcing security mitigation to a Managed Detection and Response (MDR) service, while also using Managed Security Service Provider (MSSP) services (21%) and Virtual Chief Information Officer (vCISO) services (15%).

The survey also revealed a huge year-over-year rise in the use of Endpoint Detection and Response (EDR) tools (from 52% to 85% of respondents), as well as a doubling of Extended Detection and Response (XDR) tool usage (from 15% to 30%). Among respondents, 77% indicated that EDR is now the #1 tool for detecting threats, up significantly from 23% in 2021. Those reporting Network Detection and Response (NDR) as the primary method for detecting threats fell from 46% in 2021 to only 3% in the 2022 survey. It's clear that small security teams are seeing the value in robust EDR/XDR solutions, especially in remote working landscapes where employees are often not on the company network.

"CISOs with small security teams struggle to purchase and maintain the comprehensive set of security solutions needed to protect their companies from increasingly sophisticated threats," said Eyal Gruner, CEO and Co-Founder of Cynet. "The survey results once again show how these security experts continue to adapt their protection strategies in response to the ongoing wave of criminal and state sponsored cyberattacks."

To see complete metrics, analyses and data visualizations, download a free copy of the 2022 Cynet CISO Survey of Small Cyber Security Teams.

About Cynet  
Cynet is a provider of the world’s first end-to-end, natively automated extended detection and response (XDR) platform – Cynet 360 AutoXDR™ – backed by a 24/7 MDR service. Its mission is to make it easy and stress-less for any organization to be safe and secure from cyber threats. The platform was purpose-built to enable small security teams to achieve comprehensive and effective protection regardless of their resources, team size, or skills. It does this by managing day-to-day security operations so teams can focus on managing security rather than operating it. The complementary 24/7 MDR service provides organizations with monitoring, investigation, on-demand analysis, incident response, and threat hunting. Visit to learn more: https://www.cynet.com.

Survey: Small Cybersecurity Teams Face Greater Risk from Attacks than Larger Enterprises

The massive phishing campaign does not exploit a vulnerability in MFA. Instead, it spoofs an Office 365 authentication page to steal credentials.

Microsoft recently discovered a widespread phishing attack campaign targeting Office 365 users that lures victims to a phony Office authentication page where it pilfers their credentials and later executes a second wave of attack, business email compromise (BEC), using intel gathered from their email accounts.

The attackers behind the campaign have targeted more than 10,000 organizations since September 2021, according to Microsoft, and employ the Evilginx2 phishing kit as the infrastructure for hijacking the authentication process. "We also uncovered similarities in their post-breach activities, including sensitive data enumeration in the target’s mailbox and payment frauds," according to a post by the Microsoft 365 Defender Research Team that details the attacks.

The man-in-the-middle attack — or, as Microsoft now calls it, adversary-in-the-middle (AiTM) — sets up a proxy server that sits between the victim and the actual authentication page. "Such a setup allows the attacker to steal and intercept the target's password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses," Microsoft said in its post.

Organizations should up their MFA game with conditional access policies, which vet sign-in requests based on identity, IP location, and device status, for example, according to Microsoft.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft: 10,000 Orgs Targeted in Phishing Attack That Bypasses Multifactor Authentication

QuSecure’s QuProtect leverages unique post-quantum cryptographic algorithm on government legacy systems to achieve world’s first and only post-quantum resilient channel within a government facility.

**SAN MATEO, Calif. — July 12, 2022 —** QuSecure™, Inc., a leader in post-quantum cybersecurity (PQC), today announced the U.S. Federal Government is currently orchestrating the world’s first-ever post-quantum encryption communication over a Government network by utilizing its QuProtect™ PQC solution. QuProtect is the industry’s first end-to-end PQC software-based solution uniquely designed to protect encrypted communications and data with quantum-resilience using quantum secure channels.

The Government is leveraging QuSecure’s unique post-quantum cryptographic algorithm on its legacy systems at a combined Air Force, Space Force and NORAD location. The quantum-resilient deployment has 100-percent uptime protecting data that previously used standard encryption, with no increased bandwidth or latency issues through QuProtect’s quantum tunnel. Data currently being transmitted cannot be decrypted by others unless they have the QuProtect system, and any adversary collecting the protected data to store will be unlikely to decrypt it in the future, even with a quantum computer.

“This is extremely significant because the U.S. Government has not employed a post-quantum communications channel on premises before,” said Pete Ford, QuSecure Head of Federal Operations. “The QuProtect platform is performing exceptionally well with uninterrupted, continuous quantum channel uptime protecting formerly classically encrypted and quantum vulnerable asymmetric keys.”

This historic event was possible due to activities around QuSecure’s evaluation for, and eventually winning, the Small Business Innovation Research (SBIR) Phase III Federal Government procurement contract for PQC solutions. Announced last month, QuSecure has been established as the Government’s leading provider of PQC solutions, setting the standard for Government’s PQC requirements. This is the Government’s first and only Phase III designation aimed at addressing end-to-end comprehensive solutions to the post-quantum threat, and further emphasizes today’s need to deploy PQC for classical and future quantum attacks.

Federal agencies participating in SBIR include the following agencies and departments: Small Business Administration, Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Transportation, Environmental Protection, the National Aeronautics and Space Administration (NASA), and the National Science Foundation.

The Government’s deployment of QuSecure is being operated over an open Internet network on legacy equipment and systems. QuSecure has proven it works on Government systems by using cryptographic agility that supports all National Institute of Standards and Technology (NIST) finalist algorithms in the post-quantum cryptography standardization competition. The winners of the NIST competition were announced on July 5.

“With the current speed of business, commerce, warfare and everyday communications, QuProtect protects all data on existing systems and devices and does not slow the systems down,” added Ford. “We have proven this in our successful pilot, which will lead to the large-scale deployments as a result of our SBIR Phase III contract with the Government. This historic moment places QuSecure one step closer to fulfilling our vision of ensuring an exceptionally secure quantum future.”

QuProtect enables organizations for the first time to leverage quantum resilient technology to help prevent today’s cyberattacks, while future-proofing networks and preparing for post-quantum cyberthreats. It provides quantum-resilient cryptography, anytime, anywhere and on any device. QuProtect uses an end-to-end quantum-security-as-a-service (QSaaS) architecture that addresses the digital ecosystem’s most vulnerable aspects, uniquely combining zero-trust, next-generation post-quantum-cryptography, quantum-strength keys, high availability, easy deployment, and active defense into a comprehensive and interoperable cybersecurity suite. The end-to-end approach is designed around the entire data lifecycle as data is stored, communicated, and used.

**About QuSecure**  
QuSecure is a leader in post-quantum cybersecurity with a mission to protect enterprise and Government data from quantum and classical cybersecurity threats. Its patent-pending, quantum-safe solutions provide an easy transition path to quantum resiliency across any organization. The company’s QuProtect solution is the industry’s first PQC software-based platform uniquely designed to protect encrypted communications and data with quantum-resilience using a quantum secure channel. QuSecure has current customer deployments in banking/finance, healthcare, space/satellite, IT/data enterprises, datacenters, and various Department of Defense agencies. QuSecure is investor backed and has offices in Silicon Valley. For more information visit www.qusecure.com.

US Government and QuSecure Orchestrate First-Ever Post-Quantum Encryption Communication over a Government Network

Barracuda research finds organizations are struggling to protect operational technology and getting breached as a result.

CAMPBELL, Calif., July 12, 2022 /PRNewswire/ -- Barracuda Networks Inc. (Barracuda), a trusted partner and leading provider of cloud-enabled security solutions, today released key findings from a report titled _The State of Industrial Security in 2022__._ Commissioned by Barracuda, the research surveyed 800 senior IT managers, senior IT security managers, and project managers responsible for industrial internet of things (IIoT)/operational technology (OT) in their organization to get their perspectives on IIoT/OT security projects, implementation challenges, security incidents, technology investments, and a variety of issues related to cybersecurity risks.

Overall, the research shows that critical infrastructure is under attack, and despite agreement that IIoT and OT security is critical, businesses are facing some significant challenges as the geopolitical landscape becomes increasingly tense. Security breaches have shown to have impacts beyond monetary losses as well, resulting in significant downtime with long-lasting breach impact. The research found:

*   **Attacks are widespread:** 94% of organizations surveyed acknowledged experiencing a security incident in the last 12 months.
*   **Geopolitical concerns:** 89% of respondents are very or fairly concerned about the impact that the current threat landscape and geopolitical situation will have on their organizations.
*   **Breaches are impacting operations:** 87% of organizations that experienced an incident were impacted for more than one day.

"In the current threat landscape, critical infrastructure is an attractive target for cybercriminals, but unfortunately IIoT/OT security projects often take a backseat to other security initiatives or fail due to cost or complexity, leaving organizations at risk," **said Tim Jefferson, SVP, Engineering for Data, Networks and Application Security, Barracuda.** "Issues such as the lack of network segmentation and the number of organizations that aren't requiring multifactor authentication leave networks open to attack and require immediate attention."

Organizations across the board have acknowledged the importance of investing even further in IIoT and OT security, with 96% of business leaders noting that their organization needs to increase their investment in industrial security. A full 72% of organizations signaled that they have either already implemented or are in the process of implementing IIoT/OT security projects, but many are facing significant challenges when it comes to implementation, including basic cyber hygiene.

*   **Manufacturing and healthcare lag behind:** Critical infrastructure organizations are leading with implementation, and 50% in oil and gas having completed projects. Only 24% in manufacturing and just 17% in healthcare have completed projects.
*   **Businesses are experiencing failures:** 93% have failed in their IIoT/OT security projects.
*   **Effective IIoT security implementations are making an impact:** For organizations with completed IIoT and OT security projects, 75% have experienced no impact at all from a major incident.
*   **Multifactor authentication (MFA) use is low:** Only 18% of companies surveyed restrict network access and enforce multifactor authentication when it comes to remote access to OT networks.
*   **Low MFA use is prevalent even in critical industries:** Critical verticals like energy (47%) allow full remote access without MFA for external users.
*   **Skills have an impact:** Less than half of organizations surveyed can handle applying security updates themselves (49%).
*   **Manual updates are cumbersome:** Organizations are hit the worst when security updates are not automatic.

IIoT and OT security continue to be a major target for attackers, but there is hope for businesses that take a proactive approach. Businesses should implement tools to combat these challenges, including the use of secure endpoint connectivity devices and ruggedized network firewalls, all centrally deployed and managed via a secure cloud service that can enable effective network segmentation and advanced threat protection, provide multifactor authentication, and even implement Zero Trust Access.

"IIoT attacks go beyond the digital realm and can have real-world implications." said **Klaus Gheri, VP Network Security, Barracuda.** "As attacks continue to rise across industries, taking a proactive security approach when it comes to industrial security is critical for businesses to avoid being the next victim of an attack."

**Resources:**

Download the full report: https://barracuda.com/iiot-2022-report  
Read the blog post: http://cuda.co/51231

**About Barracuda**

At Barracuda we strive to make the world a safer place. We believe every business deserves access to cloud-first, enterprise-grade security solutions that are easy to buy, deploy, and use. We protect email, networks, data, and applications with innovative solutions that grow and adapt with our customers' journey. More than 200,000 organizations worldwide trust Barracuda to protect them — in ways they may not even know they are at risk — so they can focus on taking their business to the next level. For more information, visit barracuda.com.

New Research Reveals 93% of Organizations Surveyed Have Had Failed IIoT/OT Security Projects

Machine learning and automation can help free up security pros for higher-value tasks.

Humans have a well-deserved reputation for being the weakest link in the cybersecurity of any size organization. Whether it's an IT specialist misconfiguring a firewall setting, a DevOps engineer failing to secure a cloud storage bucket, or a hapless business user falling for a phishing scam, the vast majority of cybersecurity breaches are primarily caused by human error creating exploitable vulnerabilities. The result is many avoidable weaknesses being pursued by criminal opportunists enabled by cheap, plentiful cybercrime tools of the trade.

Thankfully, the humans working in the security operations center (SOC), the Tier 1 and Tier 2 analysts on the front line of cyber defense, are the strongest link in cybersecurity operations. They must be kept in the loop, ideally performing higher-value tasks than keeping "eyes on the glass" to review security telemetry.

**Tools for Assisting, Not Replacing, Humans  
**

Looking to technology to help us secure technology is the right approach. The servers, Web applications, endpoints, network devices, and security measures in a company's digital landscape produce massive volumes of security telemetry and alerts that must be monitored and analyzed, but most turn out to be benign.

Identifying the meaningful alerts in high-volume event streams is the perfect job for correlation rules and unsupervised machine learning (ML) algorithms that combine human knowledge and threat intelligence with continuous learning and improvement. Machines can handle the speed and scale required for the initial screening of the high-volume stream of event logs and alerts. Also, algorithms don't get tired or have a lapse in attention, go on vacation, or call in sick.

Automating this facet of SOC operations allows these AI-based tools to do the tedious work of sifting out false positives and correlating and surfacing real alerts in real time. Automation can also go a step further, applying rules in playbooks to enrich alerts with context (which machine or user, what happened, when), contain suspicious activity in the network, and trigger an automatic response in well-defined use cases.

The result can be minimizing the volume of alerts by a factor of 10 or more, from 10,000 a day to 1,000 or less. This noise reduction saves up to 50% of expert SOC labor, dramatically increasing SOC efficiency and effectiveness.

**Humans Are the Ones Who Catch the Cybercriminals in Action  
**

This type of automation frees expert human analysts to use their experience, skills, intuition, and problem solving in the hunt for cybercriminals active in your environment. The automation feeds junior SOC analysts who triage the findings by applying human intelligence to recognizing patterns, evaluating anomalies, eliminating false positives, and identifying alerts that need further human assessment.

For example, John in HR typically accesses two databases during regular business hours. An alert comes through that John has accessed a third database on a Saturday. Only a human can determine if this new behavior is anomalous but nonthreatening. After the SOC analyst notifies the IT department about the unexpected database activity, IT confirms that John has been granted temporary access to the additional data, which is HR-related.

After triage by junior SOC analysts, high-priority alerts are forwarded to SOC senior analysts. These skilled security specialists are charged with investigating the alerts and identifying where an attack is coming from, the cybercrime groups behind the attack, methods they are using, lateral movement observed, and the dwell time of attackers. SOC experts also propose strategies for mitigation and eradication.

Humans are most essential when identifying attacks that cut across different systems, applications, and access methods. It was skilled humans who uncovered new activity on the part of Hafnium. The nation-state cybercriminals had been exploiting vulnerabilities in Microsoft Exchange servers to steal emails, compromise networks, and move laterally in affected organizations. These incursions took place for three months prior to discoveries credited by Microsoft to researchers at security firms Volexity and Dubex.

**Key Takeaways  
**

Organizations of any size, but particularly midsize and larger enterprises, can benefit from having their SOCs use artificial intelligence, unsupervised ML, and automation to remove the burden of first-level event log screening from junior analysts and provide intelligence that senior analysts can use in investigations. Such automation is necessary to handle the ever-increasing volume, velocity, and variety of security telemetry. It cannot, however, eliminate the need for the expert human analyst.

SOC analysts need not be concerned about job security in the face of ML and automation. Rather, they should welcome the improved productivity and freedom automation provides to use their intelligence and creativity for higher-value activities such as research, threat analysis, remediation, and threat hunting.

Keep Humans in the Loop in SOC Operations

Upgrades to the Exostar platform promote secure, compliant collaboration and handling of controlled unclassified information.

**HERNDON, VA, July 12, 2022 –** Exostar, a leader in trusted, secure business collaboration in highly regulated industries including aerospace and defense, today announced the availability of updates to The Exostar Platform that allow small and medium-sized businesses (SMBs) to overcome the technology, time, and cost obstacles of preparing for and demonstrating compliance with Department of Defense (DoD) cybersecurity requirements.

Firms throughout the Defense Industrial Base (DIB), including SMBs deep in the DoD supply chain, will have to acquire Cybersecurity Maturity Model Certification (CMMC) 2.0 certification as soon as May 2023 to participate in subsequent DoD contract solicitations. According to CMMC version 2.0, any member of the DIB that stores or handles Controlled Unclassified Information (CUI) during program execution must meet the 110 practices defined at CMMC Maturity Level 2. Many SMBs simply do not possess the expertise, bandwidth, or budget to go it alone.

Exostar’s Managed Microsoft 365 for CMMC directly addresses these challenges. This managed solution, based on Microsoft Teams and hosted in a Microsoft 365 Government Cloud Computing (GCC) High environment, is designed specifically for SMBs and delivers benefits including:

*   A secure workspace for SMB users within GCC High – without the expense and burden of acquiring, setting up, and managing their own tenant.
*   Rapid onboarding – subscribe today and be working tomorrow.
*   Implementation of the security controls necessary to properly protect CUI – and facilitate compliance with CMMC 2.0 and other DoD cybersecurity standards.
*   Enterprise-grade security at a price SMBs can afford, with room to grow for an enterprise license.

In addition to the launch of Exostar’s Managed Microsoft 365 for CMMC, the company has updated and upgraded its CMMC Ready Suite within The Exostar Platform to provide out-of-the-box support to accelerate SMBs throughout their CMMC 2.0 accreditation journeys:

*   Certification Assistant – Offers plainspoken descriptions of CMMC practices at all three Maturity Levels, helping SMBs to conduct compliance self-assessments and scoring, gather documentation, and prepare for any necessary third-party audits ahead of accreditation.
*   Exostar PolicyPro – Evaluates existing policies (including gap analysis) and/or generates new ones in accordance with all policy requirements defined in CMMC 2.0 practices.
*   CMMC 2.0 Basic Assessment – Provides expert guidance from Exostar-vetted cybersecurity compliance specialist partners who use Exostar’s CMMC Ready Suite to address an SMB’s unique circumstances and accelerate the accreditation process.

“SMBs are the lifeblood of the DIB. While they must improve their cybersecurity capabilities to better protect CUI throughout the DoD supply chain, CMMC 2.0 represents a heavy lift for many of these companies,” said Tony Farinaro, Exostar’s Chief Revenue Officer. “We continue to enhance and expand our CMMC offerings to make it easier and more cost effective for SMBs to meet their obligations so they can stay in the DIB, win business, and keep innovating on behalf of the DoD.”

In addition to SMBs, enterprises also can subscribe to Exostar’s Managed Microsoft 365 for CMMC, as well as purchase the other applications and services in The Exostar Platform’s CMMC Ready Suite, today.

**About Exostar**

The Exostar Platform supports exclusive communities within highly regulated industries where organizations securely collaborate, share information, and operate compliantly. Within these communities, we build trust. More than 150,000 companies and agencies in 175 countries trust Exostar to strengthen security, reduce expenditures, raise productivity, and help them achieve their digital transformation initiatives. Nearly half of the Defense Industrial Base, including 98 of the top 100, transact business over The Exostar Platform. Eleven of the top twenty global biopharmaceutical companies rely on The Exostar Platform to help them speed new medicines and therapies to market. Exostar is a Gartner Cool Vendor. For more information, please visit www.exostar.com, and follow Exostar on LinkedIn and Twitter.

Exostar Empowers SMBs with Enhanced, Low-Cost, Easy-to-Use Microsoft 365 and CMMC 2.0 Solutions

Businesses receive an invoice via email with a credit card charge and are asked to call a fake number and hand over personal information to receive a refund.

Cybercriminals are posing as Intuit's popular accounting software package QuickBooks to target Google Workspace and Microsoft 365 small business users in a voice-phishing scam.

The campaign sends a false invoice via email containing a claim that a credit card has already been charged for an order. In order to dispute the charge, victims are directed to call the number included in the email, according to researchers with INKY. The scam was first uncovered in December 2021 and the frequency of attack has accelerated sharply, they said.

The threat actors have been leveraging QuickBooks' free 30-day trial offer to set up fake accounts from which to send fraudulent invoices, impersonating major IT companies including Amazon, Apple, PayPal, and McAfee. Once the victim calls, they are asked for bank account information, login credentials, or other personally identifiable information.

"These attacks were highly effective at evading detection because they were identical to non-fraudulent Quickbooks notifications, even when examining the emails' raw HTML files closely," the report noted. "All notifications originated from authentic Intuit IP addresses, passed email authentication (SPF and DKIM) tests for intuit\[.\]com, and only contained high-reputation intuit\[.\]com URLs."

One such scam in April impersonated an Amazon Prime shipping notification, which used the strings "amazn" and "amzn" to evade detection filters. By clicking on the "print or save" or "view invoice" buttons, the victim is then taken to Intuit's website and shown a fraudulent invoice, inducing the user to call the number and give up financial information.

"The natural response is to get right on the phone and try to back the order out, or, barring that, find a way to obtain a refund," the INKY report noted. "The phishers take advantage of this disrupted emotional state to extract personal or financial information before the victim realizes that something is off."

**Defense Requires Vigilance**

INKY recommends that recipients of these kinds of messages should refrain from calling any phone numbers they provide and be wary of requests for payment through the form of gift cards, a method unlikely to be used by businesses.

"If there is any doubt about a charge, it is best to contact the relevant credit card company to see if there really is a charge in that amount," the report noted. "Any real charge would be shown as 'pending'."

Small businesses are increasingly targets for cyberattacks, according to recent research; however, just 40% of small businesses have a cybersecurity policy. Among the key steps small businesses can take to improve their security posture is adopting strong security policies and training employees in best practices, along with tactical investments in cybersecurity software.

**Plenty of Phishing in the Sea**

Meanwhile, cybercriminals are deploying new vishing methods to defraud victims, according to a report from Kaspersky, including attacks carried out through popular social media sites or major IT service providers like PayPal. A recent vishing scam cited by Kaspersky was based on a widespread TikTok prank where friends use an automated answering-machine voice to warn them that a lot of money will soon be taken out of their bank account.

"When people are convinced to disclose their personal data during a phone call rather than on a phishing page, they often don't have the chance to consider that they are the target of a hoax — and the large number of TikTok videos with this prank is a prominent example of this," according to Kaspersky.

The security firm reports that the volume of vishing is on the rise, with 350,000 vishing emails between March and June 2022, with nearly 100,000 of these emails spotted in June alone.

QuickBooks Vishing Scam Targets Small Businesses

This Tech Tip outlines how system administrators can get started with automated continuous patching for their Windows devices and applications.

The Windows Autopatch service, which allows enterprises to automatically roll out updates for Windows 10, Windows 11, Microsoft Edge, and Microsoft 365 software, is now live, Microsoft said this week. Autopatch is intended to streamline updating operations and reduce the time it takes for systems to be patched. Originally announced in April, the feature has been in public preview since May.  

"Essentially Microsoft engineers use the Windows Update for Business client policies and deployment service tools on your behalf," wrote Lior Bela, senior product marketing manager at Microsoft, on the Microsoft IT Pro blog. "The service creates testing rings and monitors rollouts—pausing and even rolling back changes where possible."

This Tech Tip summarizes the prerequisites for using Autopatch and instructions on enabling the new feature.

**Very Specific Prerequisites**

Customers must have Windows 10/11 Enterprise E3 or E5 licenses. The organization must also have Azure Active Directory Premium and Microsoft Intune. A proxy or firewall that uses TLS 1.2 is also required.

"Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join," Microsoft said in the deployment guide.

The endpoints that will be enrolled into Windows Autopatch must be managed by either Microsoft Intune or Configuration Manager Co-Management. Intune must be set as the mobile device management (MDM) authority or co-management must be turned on and enabled on the endpoints. The endpoints being enrolled must also have connected with Microsoft Intune within the last 28 days in order to be registered with Autopatch.

The endpoints, which must be corporate-owned (bring-your-own-device is not currently supported) should have 64-bit editions of Windows 10/11 Pro, Windows 10/11 Enterprise, or Windows 10/11 Pro for Workstations. However, Windows Autopatch will support updating of Windows 365 cloud PCs in mid-July.

**Configuring the Environment**

Since Autopatch is cloud-based, there are specific Microsoft services that must be available at all times. The four URLs that must be on the allowed list of the proxy or firewall are _mmdcustomer.microsoft.com_, _mmdls.microsoft.com_, _logcollection.mmd.microsoft.com_, and _support.mmd.microsoft.com_. 

The deployment guide lists other firewall configurations, IP ranges, and port requirements for Azure Active Directory, Microsoft Intune, Windows Update for Business, and individual Microsoft applications.

Azure Active Directory must have security defaults enabled and not have any user names that conflict with the ones Autopatch needs to use: _MsAdmin_, _MsAdminInt_, and _MsTest_. Azure AD must also be set so that conditional access policies and multifactor authentication aren’t assigned to all users. The point is that Autopatch can’t be required to have multifactor authentication enabled. 

"Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication," Microsoft said.

**How Do I Get Started?**

Customers with Windows Enterprise E3 and E5 licenses will find Tenant Administration in the Microsoft Endpoint Manager administrator center. The option _Tenant enrollment_ in the Windows Autopatch section will begin the process to set up and configure Autopatch.

But first, Microsoft will run the online Readiness assessment tool to check the settings in Microsoft Intune and Azure Active Directory to ensure they are properly configured to work with Windows Autopatch. If issues are found, the administrator must fix them before continuing.

Once everything is ready, the tool will show an _Enroll_ button to kick off the enrollment. During the enrollment process, administrators will be guided to create the policies, groups, and accounts necessary to run Autopatch.

"Once you've enrolled devices into Autopatch, the service does most of the work. But through the Autopatch blade in Microsoft Endpoint Manager, you can fine-tune ring membership, access the service health dashboard, generate reports, and file support requests," Microsoft said.

**What Sysadmins Can’t Do**

*   It would not be possible to schedule the updates to roll out on certain days or times. The decision of when to move to the next ring is also not configurable.
*   Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Currently, there is no support for individual device level control.
*   Windows Autopatch doesn't support managing update ring membership using your Azure AD groups.
*   There is currently no programmatic access via PowerShell to Autopatch

Source

DARKReading