The LAPSUS$ group emerged with a big splash at the end of 2021, targeting companies, including Okta, with a "reckless and disruptive" approach to hacking.

The LAPSUS$ extortion group has gone quiet following a notorious and rapid rise through the threat landscape, targeting companies including Microsoft, NVIDIA, and Okta, and earning notoriety for its freewheeling, decentralized approach to cybercrime.  

However, researchers said the group is likely not gone — and, in any case, its "brazen" tactics may leave a legacy.

A new report from exposure management specialist Tenable digs into the group's background and the tactics, techniques, and procedures (TTPs) it has used, maturing from distributed denial-of-service (DDoS) attacks and website vandalism to more sophisticated methods. These include the use of social engineering techniques to reset user passwords and co-opt multifactor authentication (MFA) tools.

"Characterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even accused a target of hacking back — the LAPSUS$ group’s tenure at the forefront of the cybersecurity news cycle was chaotic," the report notes.

**Chaos, Lack of Logic Part of the Plan**

"You could absolutely call LAPSUS$ 'a little punk rock,' but I try to avoid making bad actors sound that cool," notes Claire Tills, senior research engineer at Tenable. "Their chaotic and illogical approaches to attacks made it much harder to predict or prepare for the incidents, often catching defenders on the back foot."

She explains that perhaps due to the group’s decentralized structure and crowdsourced decisions, its target profile is all over the place, which means organizations can’t operate from the "we're not an interesting target" point of view with actors like LAPSUS$.

Tills adds that it’s always hard to say whether a threat group has disappeared, rebranded, or just gone temporarily dormant.

"Regardless of whether the group identifying themselves as LAPSUS$ ever claims another victim, organizations can learn valuable lessons about this type of actor," she says. "Several other extortion-only groups have gained prominence in recent months, likely inspired by LAPSUS$’s brief and boisterous career."

As noted in the report, extortion groups are likely to target cloud environments, which often contain sensitive, valuable information that extortion groups seek.

"They are also often misconfigured in ways that offer attackers access to such information with lower permissions," Tills adds. "Organizations must ensure their cloud environments are configured with least-privilege principles and institute robust monitoring for suspect behavior."

As with many threat actors, she says, social engineering remains a reliable tactic for extortion groups, and the first step many organizations will need to take is assuming they could be a target.

"After that, robust practices like multifactor and passwordless authentication are critical," she explains. "Organizations must also continuously assess for and remediate known-exploited vulnerabilities, particularly on virtual private network products, Remote Desktop Protocol, and Active Directory."

She adds that while initial access was typically achieved through social engineering, legacy vulnerabilities are invaluable to threat actors when seeking to elevate their privileges and move laterally through systems to gain access to the most sensitive information they can find.

**LAPSUS$ Members Likely Still Active**

Just because LAPSUS$ has been quiet for months does not mean the group is suddenly defunct. Cybercrime groups often go dark to stay out of the spotlight, recruit new members, and refine their TTPs.

"We would not be surprised to see LAPSUS$ resurface in the future, possibly under a different name in an effort to distance themselves from the infamy of the LAPSUS$ name," says Brad Crompton, director of intelligence for Intel 471’s Shared Services.

He explains that even though LAPSUS$ group members have been arrested, he believes the group’s communication channels will stay operational and that many businesses will be targeted by threat actors once affiliated with the group.

"Additionally, we may also see these previous LAPSUS$ group members develop new TTPs or potentially create spinoffs of the group with trusted group members," he says. "However, these are unlikely to be public groups and will probably enact a higher degree of operational security, unlike their predecessors."

**Money as the Main Motivator**

Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity provider, explains that cybercriminals are motivated by money while nation-states are motivated by national goals. So, while LAPSUS$ isn't playing by the rules, its actions are somewhat predictable.

"The most dangerous aspect, in my opinion, is that most organizations have spent the last five or more years developing symmetric defensive strategies based on threat actors with reasonably well-defined definitions and goals," he says. "When a chaotic threat actor is introduced into the mix, the game tilts and becomes asymmetric, and my main concern about LAPSUS$ and other similar actors is that defenders haven't really been preparing for this type of threat for quite some time." 

He points out LAPSUS$ relies heavily on social engineering to gain an initial foothold, so assessing your organization's readiness to social engineering threats, both on the human training and technical control levels, is a prudent precaution to take here.

Ellis says while the stated goals of LAPSUS$ and Anonymous/Antisec/Lulzsec are very different, he believes they will behave similarly in the future as threat actors.

He says the evolution of Anonymous in the early 2010s saw various subgroups and actors rise to prominence, then fade away, only to be replaced by others that replicated and doubled down on successful techniques.

"Perhaps LAPSUS$ has vanished completely and forever," he says, "but, as a defender, I wouldn't rely on this as my primary defensive strategy against this type of chaotic threat."

Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists

The group has become the new face of ransomware, taking advantage of vulnerabilities and poor encryption.

The Federal Bureau of Investigation (FBI), the Department of Treasury, and the Financial Crimes Enforcement Network (FinCEN) recently released a joint Cybersecurity Advisory (CSA) focusing on the Karakurt data extortion group, an emerging organization known for stealing company data and demanding ransom to avoid public exposure. The group has become the new face of ransomware, taking advantage of vulnerabilities and poor encryption.

So, what does this mean for businesses, both small and large?

Karakurt actors have long engaged in various tactics, techniques, and procedures (TTPs), that create considerable challenges for defense and mitigation. While the targets of Karakurt have not reported their data and files compromised, they have reported falling victim to ransom requests ranging from $25,000 to $13 million in Bitcoin.

**The Move Toward Data Decryption**

Karakurt is the new face of ransomware, taking advantage of poor encryption. Historically, ransomware did not care about the encryption used to protect the data because it did not decrypt the original data. Instead, it took existing encrypted data and made it unusable to the victim. Eventually, organizations began conducting proper backups and therefore stopped paying the ransom requested. As a result, ransomware entities have upped their game and are beginning to decrypt data.

Why is it so easy for these criminals to decrypt data? The answer is the use of a single key to encrypt all records and store the key in an unprotected environment. All it takes for an attacker is to find the key and they will have access to all an organization's data.

How can organizations mitigate this risk? One solution is OTP (one-time pad), as it is necessary to keep classified data safe and can be easily adopted. A big advantage for OTPs is that not only are they extremely secure, they are incredibly easy for organizations to integrate into their wider authentication strategies.

**OTP and Beyond**

OTPs may have been born before digital computing, but they continue to represent an unbeatable cryptographic standard. OTPs include a system where a private key is used by random generation and significantly helps prevent access to breaches. The key is employed only once in order to securely encrypt data, and will be decrypted by the recipient by utilizing a corresponding one-time pad and key. Even if an attacker or criminal group like Karakurt were to obtain a valid set of login credentials, it would be unable to breach the system.

Beyond OTP, and when examining Karakurt's TTPs, it's vital for organizations to review current encryption policies and technologies deployed, as well to ensure there are no open vulnerabilities to be exploited. In addition, the application of newer quantum-resistant approaches will mitigate potential short- and long-term harm. The time is now to take these proactive steps. Quantum computers can decipher cryptographic keys and create threats, much like Karakurt is known for.

Cybercriminals are becoming increasingly creative and organizations must be prepared with measures that will do the most to protect their most valuable assets: their data. It's time for organizations to take a look at security measures currently in place and act accordingly. Once adequate measures are in place, the problem with cyberattacks will become the ability to detect attacks rather than worrying about control and minimizing the damage.

How to Mitigate the Risk of Karakurt Data Extortion Group's Tactics, Techniques, and Procedures

One of the announcements out of the National Cyber Workforce and Education Summit on July 19 was the 120-day Cybersecurity Apprenticeship Sprint.

Despite all the ways people enter the cybersecurity industry -- obtaining industry certifications, going through a bootcamp program, taking courses at a school as part of a degree (or certificate) program, shifting over from related technical fields, or self-study to learn the necessary skills -- hiring managers say they are having difficulty filling open cybersecurity roles.

"With approximately 700,000 cybersecurity positions open, America faces a national security challenge that must be tackled aggressively," the White House said in a **press release** on Monday, announcing Tuesday's National Cyber Workforce and Education Summit.

Led by National Cyber Director Chris Inglis, the July 19 summit brought together government officials and private-sector executives to brainstorm solutions and educational initiatives to fill open cybersecurity positions across the country.

Will apprenticeships help make a dent in the problem? One of the announcements that came out of the July 19 summit was the **Cybersecurity Apprenticeship Sprint**. The departments of Labor and Commerce unveiled the 120-day sprint to promote the Registered Apprenticeship model to help develop and train the cybersecurity workforce.

The Registered Apprenticeship model is "an industry-driven, high-quality career pathway where employers can develop and prepare their future workforce, and individuals can obtain paid work experience with a mentor, classroom instruction and a portable, nationally recognized credential," according to a **Department of Labor press release**. These apprenticeship programs are registered at a state or federal level.

There are currently 714 registered apprenticeship programs and 42,260 apprentices in cybersecurity-related occupations, according to the Labor Department. The goal of this sprint is to recruit employers, industry associations, labor unions, educational providers, community-based organizations, and others to establish more.

**Developing the Workforce**

Apprenticeships fill a real gap in hiring, says Will Carlson, director of content for Cybrary. People have the opportunity to gain firsthand experience in the field, find mentors, land a job, and validate whether this is the career for them. Employers get a talent pool where they can learn more about the candidate over a period of time before extending any longer-term offers.

"People often mention, 'I can't get an entry-level job to get the experience for an entry-level job.' \[Apprenticeships\] help remove a significant blocker to growing the capacity and capability gaps in the market," Carson says.

Historically, many professions have relied on apprentices to teach the necessary skills of the trade and develop a workforce. Something similar can work for cybersecurity, says Larry Whiteside, Jr, co-founder and president of Cyversity. Current programs train people on specific tools and skills and then send them out to apply for jobs, hoping the training and skills align to the needs of the hiring organization. The apprenticeship, on the other hand, provides on-the-job training.

"The training and skills that the person acquires directly relates to the organization that needs the skills," Whiteside says.

It’s important to note that apprenticeships are different from internships, as apprenticeships take a more direct approach to skills development, Whiteside says.

"Over the years, internships have gotten a negative connotation due to organizations' lack of programmatic ways to train and utilize cyber interns," he says. Interns have historically been treated as a person who can be assigned to work on tasks that the rest of the team didn’t have time to do.

The apprenticeship model is a "far more well-established, entry-level mechanism that has years of proven teaching and training mechanisms applied to it," Whiteside says.

**Key Elements for a Successful Program**

An apprenticeship is not a complicated program; all it needs to include is training, mentorship, and a paid job, says Tony Bryan, executive director at CyberUp, noting that training should include both on-the-job and any other related instruction. The point is to create a standard process with clear expectations so that both the apprentice and the manager have "guardrails" on what the first six to 12 months should look like.

Employers should get meaningful tasks accomplished while providing beneficial experience to interns, Carlson says. Instead of increasing the organization’s risk by placing someone new to the field in a high-risk role, the program should be structured so that the apprentices get real-world experience in lower-risk roles.

A program should provide employers with a "step-by-step, competency-based plan to onboard new cyber talent," says Dan Weeks, director of employer partnerships at Fullstack Academy. Many organizations are unclear on what a reasonable timeline is for new hires to take on key cyber tasks. A program like this makes it easier to measure the candidate’s progression in gaining those skills and identifying areas that need extra help.

**Setting Up the Program**

However, setting up a good apprenticeship program requires planning. Employers need to determine what skills they expect the apprentice to end up with at the end of their apprenticeship period in order to create "a pathway for success," Whiteside says. Organizations should have a defined goal or identify specific skills to develop and align the apprenticeship program accordingly.

The hardest part is creating the organizational culture to enable this process, finding the candidates, and funding the initiative, Whiteside says.

Costs for starting up an apprenticeship can range from $25,000 to $250,000, taking into account multiple factors, such as the size of the organization, the number of staff required to support the program, how training is delivered, and whether there are any existing processes that can be used, says Bryan.

Many organizations partner with third-party intermediaries such as CyberUp to register the program, establish requirements for hiring, bring in candidates to interview, and manage the program. Having a partner can also help shorten hiring cycles because they are proactively recommending future apprentices.

"When constructed well, \[apprenticeships\] allow organizations the chance to address the broader skill gap in our market by providing skills and opportunities for those wanting to enter the space," says Carlson. "Getting more people in the field to address the capacity and capability needs of the space is a win for all involved."

Tackling the Cybersecurity Workforce Challenge With Apprentices

More than 311 local eateries have been breached through online ordering platforms MenuDrive, Harbortouch, and InTouchPOS, impacting 50K records — and counting.

A massive Magecart e-skimmer campaign has siphoned off the payment records of hundreds of restaurants by attacking their online payment platforms. Targets include MenuDrive, Harbortouch, and InTouchPOS, according to a new advisory.

So far, researchers at Insikt Group, Recorded Future's threat research division, Magecart attackers have posted more than 50,000 stolen order payment records from at least 311 restaurants — and they're offering them for sale on the underground Web. Researchers warn they expect that number to rise.

The report added that the compromised records include payment card data, as well as billing and contact details.

The three platforms in question are a departure from Magecart's usual target, the Magento e-commerce platform. During the pandemic, many local restaurants rushed to implement online ordering and payment, and they may not be paying attention to patching vulnerabilities or shoring up security in general for their new lines of business.

"Cybercriminals often seek the highest payout for the least amount of work," the Tuesday Magecart campaign report said. "This has led them to target restaurants' online ordering platforms; when even a single platform is attacked, dozens or even hundreds of restaurants can have their transactions compromised, which allows cybercriminals to steal vast amounts of customer payment card data disproportionate to the number of systems they actually hack."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ongoing Magecart Campaign Targets Online Ordering at Local Restaurants

The gang's members have moved into different criminal activities, and could regroup once law-enforcement attention has simmered down a bit, researchers say.

Two months after the infamous Conti ransomware gang ceased operations, several of its members remain as active as ever either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.

Separately, they remain as dangerous to organizations as they used to be as members of a single gang, according to Intel 471. Its researchers have been tracking Conti actors as they have moved in different directions since the group dissolved in May. 

The cessation of operations appears to be a bid by the group's operators to distance themselves from the brand more than anything else. In a new report, the threat intelligence firm speculates that once law-enforcement attention around the Conti group wanes, it's likely that its now-scattered members will regroup and form another criminal organization similar in structure to the original.

"In order to defend their enterprises, security practitioners need to understand how cybercriminals organize their operations," says Brad Crompton, director of intelligence for Intel 471's shared services group. "Even though Conti is defunct, former operators are still using similar \[tactics, techniques, and procedures\], which means security teams can still use their prior strategies in stopping similar attacks rather than ignoring them altogether in light of Conti's demise."

**Most-Destructive Ransomware Group**

The Conti group is widely regarded within the security industry as one of the most destructive ransomware operations of all time. The predominantly Russia-based group first surfaced in 2020, and has used a variety of tactics to break into victim networks — including via spear-phishing campaigns, stolen Remote Desktop Protocol credentials, software vulnerabilities, and poisoned software.

The FBI estimated that by January, the gang had collected some $150 million in ransom payouts from more than 1,000 victims worldwide—including more than 400 in the US. The scale of its destruction prompted the US State Department in May to announce a $10 million reward for information leading to the identification and/or location of key individuals of the gang. The State Department offered another $5 million for information leading to the arrest and conviction of individuals participating in attacks involving Conti ransomware incidents.

**Leaking a Window into Conti's Operations**

In May, a Ukrainian member of the gang publicly released a big trove of Conti's internal conversations after the Conti team officially announced its support for the Russian government's invasion of Ukraine. Information from that leak, and another previous leak in September 2021 showed the Conti ransomware operation was structured along the lines of a formal business complete with a physical office, scheduled working hours, managers at various tiers and separate departments for HR, coding, training, testing, intelligence gathering, and other functions. 

The FBI, the National Security Agency (NSA), and the US Cybersecurity and Infrastructure Security Agency (CISA) earlier assessed that Conti's developers used a ransomware-as-a-service model to distribute their malware. But instead of taking a cut of the ransom from affiliates — as is usually the case with ransomware-as-a-service — Conti's developers paid attackers a flat fee for deploying their malware on victims' networks.

Significantly, the leaks also appeared to confirm widely held suspicions about a link between Conti's developers and Russia's Federal Security Service (FSB).

**Rebrand & Regroup?**

In mid-May, Conti's developers seemingly abruptly began shutting down infrastructure — such as admin panels, servers, proxy hosts, chatrooms, and a negotiations service site — likely in response to the high level of attention it had managed to attract from law enforcement and media. A few weeks later, it also shut down a site it had used to name-and-shame victims that refused to pay a ransom. 

One analysis by AdvIntel at the time concluded that the group's main actors had already put in place plans to continue the operation under various guises a few months before its official shutdown.

The Black Basta ransomware gang, which started operations in April, or one month before Conti's official exit from the ransomware scene appears to be one such operation. Intel 471 said its analysis of the group's activities show that Black Basta's infrastructure — such as its payment and data leak sites, its payment site, recovery portals, and communication and negotiation methods — have overlaps with Conti's operations.

Intel 471 also  has identified two other ransomware operations — BlackByte and Karakurt — that have similar, significant overlaps with Conti and in fact may simply be rebranded Conti operations. In addition, some Conti affiliates and managers have forged alliances with other ransomware teams, including Ryuk, Maze, LockBit 2.0, BlackCat, Hive, and HelloKitty. According to Intel 471, it is possible also that other actors could use leaked Conti source code to developer their own ransomware and decryption tools.

Post-Breakup, Conti Ransomware Members Remain Dangerous

With security experts warning against attacks on machine learning models and data, startup HiddenLayer aims to protect the neural networks powering AI-augmented products.

As companies increasingly add artificial intelligence (AI) capabilities to their product portfolios, cybersecurity experts warn that the machine learning (ML) components are vulnerable to new types of attacks and need to be protected.

Startup HiddenLayer, which launched on July 19, aims to help companies better protect their sensitive machine-learning models and the data used to train those models. The company has released its first products aimed at the ML detection and response segment, aiming to harden models against attack as well as protect the data used to train those models.

The risks are not theoretical: The company's founders worked at Cylance when researchers found ways to bypass the company's AI engine for detecting malware, says Christopher Sestito, CEO of HiddenLayer.

"They attacked the model through the product itself and interacted with the model enough to ... determine where the model was weakest," he says.

Sestito expects attacks against AI/ML systems to grow as more companies incorporate the features into their products.

"AI and ML are the fastest growing technologies we have ever seen, so we expect them to be the fastest growing attack vectors that we have ever seen as well," he says.

**Flaws in the Machine Learning Model**

ML has become a must-have for many companies' next generation of products, but businesses typically add AI-based features without considering the security implications. Among the threats are model evasion, such as the research conducted against Cylance, and functional extraction, where attackers can query a model and construct a functional equivalent system based on the outputs.

Two years ago, Microsoft, MITRE, and other companies created the Adversarial Machine Learning Threat Matrix to catalog the potential threats against AI-based systems. Now rebranded as the Adversarial Threat Landscape for Artificial Intelligence Systems (ATLAS), the dictionary of possible attacks highlights that innovative technologies will attract innovative attacks.

"Unlike traditional cybersecurity vulnerabilities that are tied to specific software and hardware systems, adversarial ML vulnerabilities are enabled by inherent limitations underlying ML algorithms," according to the ATLAS project page on GitHub. "Data can be weaponized in new ways which requires an extension of how we model cyber adversary behavior, to reflect emerging threat vectors and the rapidly evolving adversarial machine learning attack lifecycle."

The practical threat is well known to the three founders of HiddenLayer — Sestito, Tanner Burns, and James Ballard — who worked together at Cylance. Back then, researchers at Skylight Cyber appended known good code — actually, a list of strings from the game Rocket League's executable — to fool Cylance's technology into believing that 84% of malware was actually benign.

"We led the relief effort after our machine learning model was attacked directly through our product and realized this would be an enormous problem for any organization deploying ML models in their products," Sestito said in a statement announcing HiddenLayer's launch.

**Looking for Adversaries in Real Time**

HiddenLayer aims to create a system that can monitor the operation of ML systems and, without needing access to the data or calculations, determine whether the software is being attacked using one of the known adversarial methods.

"We are looking at the behavioral interactions with the models — it could be an IP address or endpoint," Sestito says. "We are analyzing whether the model is being used as it is intended to be used or if the inputs and outputs are being leveraged or is the requester making very high entropy decisions."

The ability to do behavioral analysis in real time sets the company's ML detection and response apart from other approaches, he says. In addition, the technology does not require access to the specific model or the training data, further insulating intellectual property, HiddenLayer says.

The approach also means that the overhead from the security agent is small, on the order of 1 or 2 milliseconds, says Sestito.

"We are looking at the inputs after the raw data has been vectorized, so there is very little performance hit," he says.

Startup Aims to Secure AI, Machine Learning Development

Researchers say Okta could allow attackers to easily exfiltrate passwords, impersonate other users, and alter logs to cover their tracks.

Identity services provider Okta is facing serious security flaws, researchers contend, that could easily let an attacker gain remote access to the platform, extract plaintext passwords, impersonate users of downstream applications, and alter logs to hide any evidence they were ever there.

That's according to researchers from Authomize. However, Okta said in a blog that the issues are features, not bugs — and that the app works according to design.

Last January, threat group Lapsus$ claimed to have breached Okta with "superuser" account credentials, posting screenshots they claimed to have grabbed from internal systems. It was determined 366 Okta customers were potentially impacted in that incident, though Okta later said it determined only two actual breaches.

"Following the news of the Okta breach earlier this year, we focused our efforts on understanding what sorts of actions a malicious actor could do if they achieved even a minimal level of access within the Okta platform," Authomize CTO Gal Diskin said in the team's security analysis this week.

Diskin explained Okta's architecture for password synching allows potential malicious actors to access passwords in plaintext, including admin credentials, even over encrypted channels. To do so, the attacker would need to be signed into the system as an app admin of a downstream app (examples include customer service agents or financial operations teams) — from there, the person could reconfigure the System for Cross-domain Identity Management (SCIM) to nab passwords for any Okta user in the organization.

"All that is needed for extracting the clear text passwords is for an actor to gain app admin privileges," according to the report. Given the constantly expanding number of users within organizations of all sizes, especially in enterprises, Diskin said that the probability of an app admin being compromised is statistically quite high, with the Verizon Data Breach Investigations Report for 2022 finding that 82% of breaches involved human elements like stolen credentials and phishing. More concerningly, these app admins are generally not treated as privileged identities.

For Okta's part, the passwords are in clear text because there is no standard reliable protocol for syncing hashes, researchers noted. However, Authomize noted that Okta did pledge to have its product team take a closer look at the password-leak risks.

Okta Exposes Passwords in Clear Text for Possible Theft

Multiple cyber-insurance carriers have adopted act-of-war exclusions due to global political instability and are seeking to stretch the definition of war to deny coverage.

With the surge in cybercrime continuing to advance, companies are scrambling to protect themselves. What's more, the attacks are increasingly politically motivated, and government-related industries are finding themselves targeted among heightened global tensions. Geopolitical conflicts are expanding into the digital realm, and threats are coming from all angles.

Given the ubiquitous risks, the cyber-insurance industry is booming. Corporations are increasingly transferring the risk of cybercrime to the insurance industry. So, if a cyberattack does occur, a company won't have to cover the expenses out of pocket — be they in ransom form or through damages and losses.

And yet, despite the market growth, multiple cyber-insurance carriers have moved to adopt act-of-war exclusions due to global political instability. This means that your carrier could deny you coverage if your cybersecurity breach has international political implications. You might pay a ransom to restore your systems, but your cyber insurance won't necessarily have to cover it.

So, how will shifting global conflicts shape the future of the cyber-insurance industry, and how can you protect your organization?

**Impact of the Russian-Ukrainian Conflict**

Let's start with the elephant in the room: the Russian-Ukrainian conflict. While the political ramifications of the conflict don't need repeating here, there are a multitude of uncertainties regarding its impact on the cyber-insurance sector.  

While act-of-war exclusions in insurance policies have been common since the Spanish Civil War, the language wasn't explicit regarding cyberattacks, which of course arose much later.

But now cyberattacks by state and non-state actors are causing hand-wringing across the insurance industry, which is seeking to protect itself from frequent, high cost payouts. Insurance companies are largely moving to rewrite your existing act-of-war clauses to make the language crystal clear that international cyber warfare is not covered.

But what exactly constitutes an act of war? Theoretically, to deny coverage, the cyberattack would have to be launched by official state actors. However, that can be very difficult to determine when you're talking about countries where the line between state and non-state actors is fuzzy at best. Non-state actors may be unofficially acting in collusion with government forces.

So, if Russian cybercriminals, harbored by the government, launch a cyberattack against your organization, are you covered? This is largely a gray area, but insurance companies are increasingly seeking to stretch the definition of war here to deny you coverage.

**How to Secure Adequate Coverage**

Due to the changing market and geopolitical situation, you need to be keenly aware of the exact kind of cyber-insurance coverage your organization requires. Your decisions should be dictated by the industry you're working in, the security risk, and how much you stand to lose in the event of an attack.

It's important to note that insurance providers are also being more stringent in their requirements for companies to even obtain cyber coverage in the first place. Carriers are increasingly requiring companies to practice good cyber hygiene and have rigid cybersecurity protocols in place before even offering a quote.

Once you have proper cybersecurity protocols in place, you should better qualify for adequate plans. However, remember that no two plans are alike or equally inclusive. When choosing a plan, be sure to look for any fine print regarding act-of-war and terrorism exclusions or those for other "hostile acts." Even when you've done everything right, your carrier can still attempt to deny you coverage under these loopholes.

For instance, after the pharmaceutical corporation Merck suffered millions in losses from Russian hackers, the company was denied payout by an arsenal of cyber-insurance providers. They collectively cited act-of-war exclusions. However, a judge ended up ruling in favor of the corporation, saying the clause only applied to armed conflict, and that insurers needed to expand the language to cover cyber warfare. So, know your plan and be prepared to advocate for yourself when making a claim.

**The Future of Cyber Insurance**

The insurance industry is learning from its past mistakes and getting a better handle on pricing cyber risk. As risk increases, you can expect that your premiums will also spike, all while your actual coverage decreases. In essence, corporations are paying more while getting less.

Again, it's not clear what constitutes an act of war today, but you can be sure that the definition will be ever expanding as insurance providers scramble to reduce their risk exposure.

The providers are paying attention — and you should be too.

Will Your Cyber-Insurance Premiums Protect You in Times of War?

The Curricula platform uses behavioral science with a simplified approach to train and educate users — and marks another step forward in Huntress’ mission to secure the 99%.

ELLICOTT CITY, Md., July 19, 2022 (GLOBE NEWSWIRE) -- Huntress, the managed security platform for small and mid-market businesses (SMBs), today announced it has acquired Curricula, a fun, story-based security awareness training platform that empowers employees to better defend themselves against hackers.

As cybercriminals continue to prey on individuals with little or no security training, the acquisition adds another critical layer to Huntress’ growing Managed Security Platform — delivered through an interactive eLearning experience that empowers employees to become their own line of defense in the fight against attackers.

“Delivering education and rallying the community have always been a core part of our mission,” said Kyle Hanslovan, Huntress CEO and Co-Founder. “Employees today need relatable and effective learning — not just more uninspired content that punishes learners and sets SMBs up for failure.Our team had already seen Curricula’s results internally, so it seemed criminal to not bring it to our partner ecosystem. Together, we're combining Curricula's creativity with Huntress' offensive expertise to address the demand for memorable and actionable threat training.”

In addition to its core platform, Curricula offers a number of additional features to help businesses build a positively focused security culture — including a gamified phishing simulator, story-based training episodes, custom content creation tools, compliance reporting and more.

“Curricula is already embraced by thousands of organizations across the globe simply because our training content is second to none,” said Curricula CEO Nick Santora. “Our animation studio creates security awareness content that is fun, memorable, and, most importantly, effective. Now under Huntress, we’re able to scale our global reach to resellers and service providers, setting the tone for what a remarkable security awareness program should be for every organization.”

More information can be found about Curricula’s training at www.curricula.com/cyber-security-awareness-training.

Today, Huntress partners with more than 3,000 service providers that in turn protect more than 1.2 million endpoints across more than 68,000 businesses.

**About Huntress**  
Hackers are constantly evolving, exploiting new vulnerabilities and dwelling in IT environments,—,until they meet Huntress.

Huntress protects small and mid-market businesses from modern cyberattackers. Founded by former NSA Cyber Operators—and backed by a team of 24/7 threat hunters — our managed security platform defends businesses from persistent footholds, ransomware and other attacks.

We're on a mission to secure the 99%. Learn more at www.huntress.com and follow us on social @HuntressLabs.

**About Curricula**  
Founded in 2015, Curricula is a fun security awareness training platform that uses story-based learning to communicate cyber risk to employees. Curricula’s mission is to fix boring security awareness programs by empowering employees to defend themselves against hackers. For more information visit: www.Curricula.com.

Huntress Acquires Curricula for $22M to Disrupt Security Training Market, Elevate Cyber Readiness for SMB Employees

A GPS device from MiCODUS has six security bugs that could allow attackers to monitor 1.5 million vehicles that use the tracker, or even remotely disable vehicles.

Six vulnerabilities have been found in a GPS tracking device used by businesses to monitor vehicle fleets, and by consumers as an anti-theft device. If exploited, they could allow attackers to widely disrupt fleet operations and track individual vehicles.

That's according to cybersecurity firm BitSight, which stated in a Tuesday advisory that the device, the MiCODUS MV720, has vulnerabilities in both the device and the back-end service. These pave the way for man-in-the-middle (MitM) attacks, authentication bypasses, and location tracking. The vulnerabilities include a hard-coded device password that allows access via SMS requests, and a default password on the API server, BitSight found.

"The exploitation of these vulnerabilities could have disastrous and even life-threatening implications," BitSight states in the report. "For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways."

The vulnerabilities include a hard-coded password that could allow commands to be sent to devices, the ability to use administrator privileges for commands, and a default password of 123456. Flaws of lesser severity include a reflected cross-site scripting (XSS) issue and the ability to directly access parts of the application. Five of the vulnerabilities have been assigned identifiers under the Common Vulnerabilities and Exposures (CVE) program: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944. The default password security weakness was not considered a vulnerability, and so did not get a CVE identifier.

**GPS Bugs Remain Unpatched**

While the company has not observed any signs that the vulnerabilities have been exploited, the Chinese firm that manufacturers the device, MiCODUS, has not responded to attempts at discussing the issues, says Stephen Boyer, co-founder and CTO for BitSight.

BitSight originally contacted MiCODUS about the problems in September 2021, and after an initial request for more information, the company refused subsequent attempts to communicate, according to the firm. MiCODUS did not immediately respond to a request for comment from Dark Reading.

"Unfortunately, the hard-coded password means that the only real remediation strategy is to remove the MV720 device or remove the SIM card from the device," he says. The firm shared the bug information with the Department of Homeland Security, he added, in hopes that it could develop an appropriate remediation strategy.

"IoT devices are full of vulnerabilities, and this will not change going into the future no matter how many of these stories come out," Roger Grimes, data-driven defense evangelist at KnowBe4, said via email. "IoT devices are particularly hard to patch. They should all be auto-patching, but most aren't. Most require end-user interaction, and many times a physical connection."

He added, "If you think it's hard to patch regular software, it's ten times as hard to patch IoT devices. I'm purely guessing here, but I'd speculate that 90% of vulnerable GPS tracking devices will remain vulnerable and exploitable if and when the vendor actually decides to fix them. Hackers love those odds."

**IoT: Still No Security by Design, Widespread Threat**

The vulnerabilities underscore the risks posed by Internet of Things (IoT) devices that have not benefited from adequate attention to security design and audits. Connected devices typically have less security, but are distributed throughout many companies' infrastructure and handle physical processes — such as entry access and power control — unlike traditional information technology. 

Concerned with the lack of security, the US government has established requirements for IoT device security.

    

MiCODUS GPS trackers are used by businesses and individuals in 169 countries. Source: BitSight

IoT devices often are also far more widespread than most business users recognize. As shown by the BitSight research, for example, GPS devices in general are used in vehicles belonging to at least five Fortune 50 companies, as well as energy utilities and governments in the Middle East, Europe, and North America.  

BitSight could not determine the prevalence of the MiCODUS MV720 specifically, but noted that MiCODUS claims that 1.5 million devices are used globally. In addition, BitSight saw nearly 2.4 million connections to the MiCODUS API server from 169 countries worldwide. The MiCODUS MV720 is a basic model sold for $20 online, but other models could account for some, or even most, of the IoT manufacturer's installed base.  

The BitSight report notes that two broad use cases exist for the devices. In some countries, data suggests that the devices are used to manage fleets of vehicles. However, in other countries, the large number of individual connections per capita suggests that individuals are using the devices for anti-theft applications.

"Indonesia has many unique IP addresses communicating with the MiCODUS server, but mostly in the GPS tracker port," BitSight states in the advisory. "This may suggest there are a small number of users with a high number of devices, which is typical in a fleet-management scenario. By comparison, Mexico has a very high number of connections to the web and mobile ports, which could indicate individuals are using the GPS tracker as an anti-theft device."

Mexico, Russia, and Uzbekistan are the countries with the most individual users, the company estimates. Russia, Morocco, and Chile appear to have the greatest number of actual devices.

Source

DARKReading