Year-long analysis from Norton Labs finds nearly three-quarters of phishing sites imitate Facebook.

TEMPE, Ariz., July 26, 2022 /PRNewswire/ -- NortonLifeLock's global research team, Norton Labs, today published its quarterly Consumer Cyber Safety Pulse Report, detailing the top consumer cybersecurity insights and takeaways from April through June 2022. Leveraging the company's global threat telemetry, the analysis includes new findings on how cybercriminals are using social media phishing attacks to steal people's private information.

Norton Labs analyzed a full year of phishing attacks on the top social media platforms, and while plenty of fake login pages designed to trick victims into inputting their login credentials were found, the diversity and complexity of lures went far beyond that one technique.

"Threat actors use social media for phishing attacks because it's a low-effort and high return way to target billions of people around the world," said Darren Shou, head of technology, NortonLifeLock. "As social media is intertwined in our daily lives, it's key to know how to spot the signs of a scam, and keep a sharp eye on where requests for your information are coming from. Even better, consider strong, multi-layered security that can be on the lookout for you."

Norton Labs uncovered the top tactics cybercriminals use to get victims to reveal personal information, and while classic login phishing pages are still the most common ploy, cybercriminals are finding new ways to deceive social media users. Tactics include account lockouts – making it seem that a victim's account has been locked luring victims to reveal login credentials or install malware on the promise of increasing follower count; and verified badge scams – prompting users to login to obtain, or not to lose, their verified status on the platform.

Another phishing campaign tactic aims to intercept temporary codes to break into profiles with two-factor authentication enabled. These tokens are generally tied to the victim's device and allow the scammer to perform privileged operations such as modifying personal details or login credentials.

This quarter, Norton also found that it's never too early for scammers to take advantage of the back-to-school season. As school-aged children enjoy their summer, cybercriminals are already at work, using the back-to-school time to inspire a variety of financial scams, such as bogus offers of scholarships and financial aid.

**By the Numbers**

From April through June 2022, Norton thwarted over 900 million threats, or around 10 million threats per day. Norton blocked:

*   22.6 million phishing attempts
*   103.7 million file threats
*   302 thousand mobile threats
*   78 thousand ransomware attacks

For more information and Cyber Safety guidance, visit the Norton Internet Security Center.

**About NortonLifeLock Inc.**  
NortonLifeLock Inc. (NASDAQ: NLOK) is a global leader in consumer Cyber Safety, protecting and empowering people to live their digital lives safely. We are the consumer's trusted ally in an increasingly complex and connected world. Learn more about how we're transforming Cyber Safety at www.NortonLifeLock.com.

SOURCE NortonLifeLock Inc.

Norton Consumer Cyber Safety Pulse Report: Phishing for New Bait on Social Media

Just ahead of its headline-grabbing attack on the Italian tax agency, the infamous ransomware group debuted an improved version of the malware featuring parts from Egregor and BlackMatter.

Reverse-engineering the latest ransomware executables from the group behind LockBit shows that the developers have added capabilities from other popular attack tools and are actively working to improve LockBit's anti-analysis capabilities, according to researchers.

This significant evolution, seen in the recently debuted LockBit 3.0 (aka LockBit Black), is likely meant to offset better defenses, a greater scrutiny by researchers and investigators, and competition from other gangs, according to analyses by multiple researchers.

"There is no question that, whether it is law enforcement pressure or the defenders getting better, that we are seeing that these groups are forced to evolve — they have to get better at what they are doing," says Jon Clay, vice president of threat intelligence for Trend Micro.

They also have to keep up with the Dark-Web Joneses. To that end, the latest version now requires a key to obfuscate its main routines and hinders reverse engineering and analysis, for example — a technique used by other ransomware families, such as Egregor, cybersecurity firm Trend Micro stated in an advisory published on Tuesday. The new version of the ransomware program also enumerates available application programming interfaces (APIs), a feature identical to the BlackMatter ransomware program, the company stated.

**Ransomware Attack on Italy's Tax Agency**

Earlier this month, the Italian Revenue Agency became the latest purported victim of LockBit, with the group boasting that it encrypted and exfiltrated 78 gigabytes of files from the tax agency. If true, the organization will have to find a way to recover, but the attack also threatens Italian citizens, Gil Dabah, co-founder and CEO of data-protection firm Piiano, said via email.

"The second type of victim is the individual whose data was compromised," he said. "In this case, there is a high chance that the data of an individual taxpayer was compromised."

Following Russia's invasion of Ukraine, these ransomware groups have committed to supporting Russia and are increasingly facing requests to conduct operations against nation-state targets, says Paul Martini, CEO of iBoss, a provider of cloud-security solutions.

"The shadow cyber-war between nations that has been carried out through espionage, disinformation campaigns, and strategic attacks on critical targets is just starting to come out of the shadows," he said. "We can expect this to boil over and the West is going to need stronger defenses in place to protect government and civilian targets."

The group behind LockBit has had a good run so far in 2022. Despite an 18% drop in overall attacks, likely due to the disruption of the infrastructure behind the Conti cybercrime group or possibly fallout from Russia's invasion of Ukraine, LockBit has become the most commonly encountered ransomware family, accounting for 40% of all attacks detected by security firm NCC Group in May.

But evolution is necessary to stay on top.

**Major Improvements for LockBit 3.0**

The changes to the latest version of the LockBit ransomware includes functions that collect system APIs as a way to use legitimate functions as part of its attack and extensive — albeit fairly simple — encryption of configuration data and code, according to Trend Micro's advisory.

Perhaps most notably, a major addition to LockBit 3.0 is a set of features to slow down or prevent reverse engineering. The program includes, for example, a password required to decrypt the main body of executable code and a feature that attempts to crash debuggers.

"They pride themselves on their ability to regularly update their ransomware and ransomware-as-a-service offerings," says Trend Micro's Clay. "There are a lot more obfuscation capabilities in 3.0, and they put in a lot of features that try to minimize how much analysts and researchers can discover about their code."

Meanwhile, the adoption of BlackMatter tactics is unsurprising, given that both LockBit and BlackMatter are Russia-linked groups and cybercriminals are increasingly moving between groups.

**The Basics of Ransomware Defense Still Work**

For the most part, the new features found in LockBit 3.0 do not undermine current defenses, says Trend Micro's Clay. Multi-factor authentication can block the most common approach to gaining access — through stolen credentials — while modern endpoint detection and response (EDR) can detect and stop and attack before attackers start encrypting data. Finally, having a good backup process for critical data will make recovery easier.

"They \[ransomware groups\] claim that backups will not help, but if you have a proper procedure then you can recover your data," he says. "The good news is that the defenders have implemented a lot of these best practices, and they seem to be working."

LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top

Wide use of Microsoft 365 applications by business lets phishers easily launch data theft, BEC, ransomware, and other attacks, new report finds.

Microsoft is the most popular brand targeted for phishing attack abuse, followed by Facebook, Crédit Agricole, WhatsApp, and Orange, according to newly released research. 

The team at Vade has put together its "Phishers' Favorites" report for the first half of 2022. The report names Microsoft as the brand of choice for lures because of widespread use of Microsoft 365 applications by businesses of all sizes, as well as the veritable buffet of possible attacks a threat actor could launch for a compromised account, including ransomware, business email compromise (BEC), and more. 

Additional findings in the phishing attack overview shows financial services is the most targeted sector for phishing attacks, with cloud, e-commerce/logistics, telecom, and social media following just behind. 

“Detecting phishing emails is difficult not only for users but also for security vendors,” the phishing report explains. “As the sophistication of attacks increases, so does the likelihood that a costly attack will bypass security and land in an inbox.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Tops Brands Phishers Prefer

Insiders could become more vulnerable to cybercrime recruitment efforts, new report says.

Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.

Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.

The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.

**Vulnerable Insiders**

Unit 42 researchers analyzed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cybercrime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.

Palo Alto Networks' report points to how some threat actors — such as the highly destructive LAPSUS$ group — have attempted to recruit insiders by offering money for access credentials or for helping them carry out their attack in other ways. "When some people are struggling to make ends meet, \[such\] offers could be more tempting to some," the report said.

This trend has been flagged before: A report from Flashpoint in May noted the growing popularity of insider recruitment efforts among threat actors. Flashpoint counted as many as 3,988 unique insider-related chat discussions — primarily on Telegram — between Jan. 1 and Nov. 30, 2021, with a particularly sharp spike happening after August. Many of those attempting to recruit were ransomware operators or other extortion groups. Commonly employed tactics included using a known insider or running public recruitment advertisements and direct solicitation.

Another survey that Pulse and Hitachi ID conducted of 100 IT and security professionals showed 65% saying that threat actors had approached them or their employees for assistance with a ransomware attack over the past year.

**Phishing, Software Vulns Remain Major Initial Access Vectors**

Unit 42's research also confirmed what security teams fighting on the front lines to keep their organizations safe already know: Ransomware and BEC attacks continue to dominate the need for incident response. A startling 70% of intrusions were tied to one of these two causes. In BEC attacks, the data showed that threat actors typically spent between 7 and 48 days in the breached environment before the victim contained the threat, with a median dwell time of 38 days. The median dwell time for ransomware attacks was slightly lower, at 28 days, likely because of how noisy these attacks are.

Phishing continues to be the top vector for initial access so far in 2022, and was the suspected cause in 37% of the incident response cases that Unit 42 completed between April 2021 and May 2022.

"Unfortunately, most organizations learn about one of these attacks the hard way — upon receiving an extortion demand or after wire fraud is committed," says Dan O’Day, consulting director, Unit 42 at Palo Alto Networks. "Increasingly, threat actors quickly gain access, identify and exfiltrate sensitive data, and deploy extortion tactics — sometimes in a matter of hours or in just a few days."

Notably, 31% — or nearly one-in-three intrusions — resulted from attackers gaining an initial foothold via a software vulnerability. Some 87% of the vulnerabilities that Unit 42 researchers were able to positively identity fell into one of six categories: ProxyLogon and ProxyShell flaws in Exchange Server; the Apache Log4j flaw; and vulnerabilities in technologies from Zoho, SonicWall and Fortinet. In 55% of incidents where Unit 42 was able to positively identify the vulnerability that an attacker used to gain initial access, the vulnerability was ProxyShell, and in 14% of the cases it was Log4j.

"Because one-third of attacks target software vulnerabilities, security teams should continue to patch vulnerabilities early and often," says O'Day. While some threat actors continue to rely on older, unpatched vulnerabilities, others are looking to exploit new vulnerabilities increasingly quickly. "In fact, it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough," he says.

As one example, he points to a threat prevention signature that Palo Alto Networks released for an authentication bypass vulnerability in F5 Big IP technology (CVE-2022-1388). "Within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts," he says. "More and more, we're seeing attackers scanning as soon as details of a critical vulnerability are published."

Poor patch management practices exacerbated the issue for many organizations — it contributed to 28% of the breaches that Unit 42 responded to. One example of poor patch management is simply waiting too long to implement a patch for a known vulnerability, O'Day notes. "Further, around 30% of organizations were running end-of-life software versions that were affected by CVEs that had known active exploits in the wild and were featured in cybersecurity advisories from the US government."

Economic Downturn Raises Risk of Insiders Going Rogue

Artificial intelligence tools can help companies strike the right balance between preventing financial crime and maintaining customer service and satisfaction.

We've entered a perfect storm for financial crime where fraud is flourishing. This maelstrom has been created by the combined effects of geopolitical events and the ongoing global pandemic, which has led to the digitalization of society ramping up, by necessity, even faster than it was before.

While all sectors are suffering, financial technology (fintech) has been hit particularly hard, which makes striking the right balance between preventing financial crime and maintaining high levels of customer service and satisfaction all the more difficult — and business-critical. As the situation continues to evolve and worsen, it has become a high priority for fintechs to learn how to effectively fight and defeat fraudsters, while continuing to grow their top lines.

As companies address this challenge, they must consider:

*   What key areas should fintechs focus on? Where is fraud rife?
*   How can fintech minimize the negative impact of fraud on operations and finances?
*   Can technology defend against the fraudsters?

**'Fraud-as-a-Service' Takes Center Stage**

It sounds like just a clever play on words based on the software-as-a-service (SaaS) model, but fraud-as-a-service (FaaS) is a real phenomenon. Mirroring the cloud model through which fintechs deploy many of their capabilities via services, bad actors with worse intentions are leveraging similar technology to commit service-based crime on an unprecedented scale. FaaS occurs when an individual or group of fraudsters facilitate fraudulent online activity by providing tools and services to others.

This devious method enables fraudsters to purchase and exploit data and tools leveraging stolen or synthetic identities, which they then use for fraudulent purposes. FaaS also enables scaled attacks on fintechs in which fraudsters overwhelm financial systems with bad traffic and complete illegal transactions at a high volume. Using this approach, fraudsters are mimicking the fintechs' use of quick, easy, and cost-effective online processes, as well as the best analytics and data, only to defraud instead of enrich. The result: Software fights software at an unmanageable scale.

**Trouble Spots**

One area where fraud is particularly pernicious in the industry is onboarding, where it's vital for fintechs to balance keeping crime at bay while still ensuring a high level of customer service. Identity fraud and fraudulent documentation issues often arise during the onboarding of new customers, which can hurt a company's growth objectives and hinder its customer service goals.

Identity theft and document fraud are on the rise and already cost the global economy billions of dollars a year, with no end in sight. Beyond onboarding, institutions are asking for more documents to verify customer identities, requiring proof of residence and age and evidence of income, in addition to standard IDs. Whether it's the alteration of bank or government documents or the creation of false ones, the fact is that it just takes one valid forgery for a bad actor to wreak havoc.

If that same fraudster has access to multiple stolen identities, then the fintech is going to face scaled attacks via serial fraud attempts. Often a case of successful fraud is the precursor to other crimes, such as money laundering, human trafficking, and even terrorism.

**Using AI to Scrutinize Identity**

It can feel hopeless when learning of scaled-up attacks executed at high speed, but resisting and rooting out fraud is possible with artificial intelligence (AI). Typically, new fraud patterns are hard to detect until they have been observed for a period of time, at which point fintechs can react and deploy defenses against the attack. Usually, the time lag is too great and the damage has been done. But AI can subject every customer interaction, from documentation to behaviors, to a level of forensic analysis that would be impossible for humans to achieve at the same speed. The technique can filter out everything from fake documents and stolen data to bot-executed serial fraud efforts.

Incorporating AI ensures that fintechs will allow fewer high-risk identities and document transactions in their processes, helping them outsmart the fraudsters and beat them at their own game.

However, it's not enough to simply invest in AI technologies; human capabilities are just as important to achieve financial crime prevention at scale within an AI-centric model. Fintechs should not only understand the data they're working with and have AI expertise at the ready, but they should also ensure alignment with business objectives and establish an appropriate operational workflow. By blending these critical elements, fintechs _can_ successfully fight financial crime.

AI Can Help Fintechs Fight Fraud-as-a-Service

Attackers are easily turning popular messaging apps and their associated services — like bots, cloud infrastructure, and CDNs — against users, researchers warn.

Threat actors have figured out how to use the existing functionality and infrastructure of popular messaging apps such as Telegram and Discord to host, launch, and execute a variety of malware, as shown by ongoing, dangerous campaigns. 

From bots that enable games and content sharing, to robust content delivery networks (CDNs) ideal for hosting malicious files, these platforms are helping fuel a surge of new attacks, according to the security research team at Intel 471. 

Most often, the malware is used along with easily acquired infostealers to prey on unsuspecting users and steal their credentials, auto-filled data, payment card information, and more.   

"Using messaging platforms, such as Telegram and Discord, allows threat actors to hide in plain view," John Bambenek, principal threat hunter at Netenrich, explains to Dark Reading. "Many people already use these applications so you can't just block them (though you may be able to block API access to those services in an enterprise environment). And there is no a large team administering those platforms so they are not staffed to monitor channels and servers for criminal misuse." 

**CDNs Abused to Host Malware **

Some attackers have found success using CDNs like Discord's to host their malware, which the analysts point out has no restrictions for file hosting. 

"The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads," according to the report on messaging app threats. PrivateLoader, Discoloader, Agent Tesla stealer, and Smokeloader are just a few of the malware families the researchers found lurking in Discord's CDN.  

**Telegram Bots Swipe OTP Tokens **

Although the tactic isn't new, 471 analysts point out an emerging threat group, Astro OTP. It's actively using Telegram bots to steal one-time-password (OTP) tokens and SMS message verification codes used for two-factor authentication.  

"The operator allegedly could control the bot directly through the Telegram interface by executing simple commands," the report explains. "Access to the bot is extremely cheap, a one-day subscription can be bought for $25, with a lifetime subscription available for $300."

The threat from this tactic lasts far beyond the initial compromise The Intel 471 team warn that gathering compromised credentials and other information can be a critical precursor to a devastating enterprise attack. 

It's up to users to be aware of the security of messaging platforms they use, the 471 researchers say, adding that enterprise security teams should take the time to protect against these types of messaging application man-in-the-middle attacks.   

"Whether these actors are stealing credentials for further sales or bypassing verification codes to gain unauthorized access into a victim's bank account, the ease by which threat actors can obtain this information should serve as a warning," Michael DeBolt, chief intelligence officer at Intel 471, tells Dark Reading about his research team's findings. "Security teams should institute token-based multi-factor authentication wherever possible, and educate their user base on what possible scams stemming from these automated schemes can look like."

Discord, Telegram Services Hijacked to Launch Array of Cyberattacks

Too many organizations are STILL getting breached. Every day across large and small organizations, intrusions and breaches happen.

Every day across organizations both large and small, intrusions and breaches happen. Attackers get inside. If the organizations are fortunate, they detect and get them out before they do any damage. They remediate the situation before the intrusion turns into an official breach. But for many less fortunate, when breaches happen they can last for weeks, months, or years under the radar. Once finally discovered, the investigations can be long and painful, and they often get publicized.

We live in a world where attackers appear to have the upper hand and, on some days, even seem to be winning. It's hard to understand the current state of affairs when there is an endless number of cybersecurity vendors, service providers, and experts touting their abilities to secure organizations of all sizes.

There are many promises. Many promote 99.9% accuracy and their ability to stop all breaches. Vendors talk about their solutions having artificial intelligence (AI) and machine learning (ML) to identify unknown threats, but not too many people can really explain exactly how AI and ML work in cybersecurity. There's a lot of hype.

There is not a single vendor on the planet right now that can provide a one-stop shop of world-class technology to prevent and stop breaches. One doesn't exist. Organizations need to be able to choose best-in-class technologies that work well and integrate together no matter what company built them.

**Breaches Keep Happening**

According to the Identity Theft Resource Center, the landscape has not improved much over the last 15 years. With all of the protection and intelligence available contrasted against successful intrusions and breaches, something is not adding up.

The industry as a whole has not achieved the objective of preventing, or even mitigating, breaches.

We must keep in mind that while intrusions and breaches are a reality, they don't need to be devastating. One of the main reasons they often are so harmful: blind spots.

Despite security controls focused on specific areas of environments such as identity and access management (IAM), endpoint protection platform (EPP), endpoint detection and response (EDR), next-generation firewall (NGFW), data loss prevention (DLP), network detection and response (NDR), and so on, blind spots are still everywhere. All these different security controls are great for looking at the area they're assigned, but if they aren't all talking to each other, organizations are flying blind.

**Attackers Love Blind Spots and Credentials**

While security teams are chasing false alerts, external attackers are finding legitimate credentials already exposed, and exploiting vulnerabilities that enable them to find credentials from within the environment. Or they're using a large amount of money to entice a legitimate user to share their credentials voluntarily. Once the credentials are in hand, a bad actor can take their time to scour the environment, map sensitive data locations, and quietly create "backdoors" for future use.

If the attacker is more of the "smash and grab" type, they can carry out a flash attack, deploy malware, ransomware, or any number of damaging attacks and watch the chaos ensue.

For those rare trusted employees who goes rogue, their path to carrying out a devastating attack is much shorter. Already with an established presence, legitimate access, and user IDs/passwords inside the environment, the opportunity to prevent them in carrying out nefarious activities is often nonexistent. The only hope for organizations is the domain of detection and response.

**Know Normal, Prevent, and Detect **

Security teams need to know what is normal behavior in their organization to quickly identify anything abnormal like the situations mentioned above. Right now, there is still way too much focus in cybersecurity on prevention, and not enough on detection and response. No matter how many prevention tools are in place, attackers are still getting in and insiders are still getting out. Too many security operations teams are still flying blind.

Currently, organizations will continue to experience intrusions and breaches, but what the pain and lasting consequences aren't inevitable. By incorporating the ability to determine what normal activity is for users and entities, organizations stand a better chance of detecting the abnormal and uncovering external and insider threats (whether malicious or accidental), turn the tables on the attackers, and mitigate damage. And that's true even as "normal" constantly changes.

Organizations will win when they know normal and identify what's abnormal — the breach.

**About the Author**

    

Gorka Sadowski is Chief Strategy Officer at Exabeam. In his role, Sadowski assists the executive team and functional leaders across the company. Sadowski has more than 30 years of security experience. Most recently, Sadowski was senior director and security and risk management analyst at Gartner. Prior to Gartner, Sadowski led business development at Splunk and built the Splunk security ecosystem. Prior to Splunk, Sadowski established presence for LogLogic in southern Europe, ran security activities for Unisys in France, and launched the first partner-led intrusion detection and prevention system in the industry.

Flying Blind in Security Operations

Trying to remediate everything was never a winning strategy. RBVM is an approach that gets organizations better results with less effort.

For the past five years, the National Vulnerability Database (NVD) has broken its own record of reported vulnerabilities and is on pace to do the same in 2022. With a threat landscape growing that quickly, it's no surprise to see security teams can't keep pace.

According to a report from Cobalt, 79% of security teams struggle to consistently monitor for vulnerabilities amid today's labor shortages, and 54% of security respondents are considering quitting their jobs.

Trying to remediate everything was never a winning strategy. Risk-based vulnerability management (RBVM) is an approach that gets organizations better results with less effort than trying to keep up with the daily average of more than 60 new vulnerabilities so far in 2022.

Five years of data backs this up. The top four metrics used to measure success with RBVM have consistently gotten better, even as a record number of common vulnerabilities and exposures (CVEs) has added more noise to the fray each year.

Let's take a deeper look at those metrics, how they've improved, and why they've improved.

**RBVM 101**

In its early days, RBVM was taboo because everyone saw vulnerability management as an all-or-nothing proposition. Precious few reached "all" status, and getting there meant a lot of time wasted on remediating vulnerabilities that posed no threat.

"Maturity models" attempt to collect the best cybersecurity practices determined by experts and tweak them over time, but there's an even better way: data. A series of research reports from the Cyentia Institute has provided some answers on what organizations should be prioritizing and informed a better approach to RBVM.

Research produced in conjunction with the Cyentia Institute has shown that 23% of published vulnerabilities have associated exploit code and 2% have observed exploits in the wild. That dramatically reduces the amount of effort required … if you're remediating the right way.

We can judge how organizations are doing by looking at remediation capacity, velocity, coverage, and efficiency. The Cyentia Institute analyzed data from Kenna's platform across the past five years and visualized it in the charts below.

Capacity, the proportion of open vulnerabilities being closed on average every month, has generally increased over the past five years for leading and average organizations. While most organizations are remediating more of their open vulnerabilities, the bottom quarter of organizations has remained steady with no meaningful shifts.  

    

Source: Kenna Security

Remediation velocity saw quick, meaningful progress and has since been improving slowly. Where we are now is a _vast_ advancement over early 2016, when the half-life was more than 125 days. Over the last four years, the half-life — or time it takes to remediate half the newly discovered vulnerabilities — has dropped by more than a third from 32 days to 21 days.  

    

Source: Kenna Security

Efficiency and coverage are related, which is why they're shown together, and without a significant change in prioritization strategy, improving one of those metrics will often lead to a decrease in the other. For example, one way to increase coverage is to simply remediate more, but that makes you less efficient.

Around 2018, both coverage and efficiency were around 35%, but an increase in coverage (more exploited vulns are remediated correctly) causes a decrease in efficiency (fewer of the remediated vulnerabilities are being exploited). This is likely caused by organizations increasing their capacity to remediate more vulnerabilities.  

    

Source: Kenna Security

Keep in mind that this is all happening as we've seen the number of reported vulnerabilities increase each year since 2017. Organizations that have adopted RBVM are filtering out the noise by focusing on risk. They're also remediating more vulnerabilities faster, which is why coverage and efficiency continue to improve.

**Explaining the Success**

While a more intelligent approach to vulnerability management makes the biggest difference, vendors have gotten smarter, too. Research tells us that Microsoft has more vulnerable assets observed and more exploitation activity than its peers. When the software giant issues patches quickly, it has a heavy impact on remediation velocity (organizations address half their vulnerabilities affecting Microsoft products in roughly 22 days, more than 40 times quicker than SAP or Linux at 900 days).

Between a smarter approach and quick patches from software vendors, vulnerability management is in a far better position than it was five years ago. The proof is in the numbers that organizations have better success when they approach security through a risk lens.

The labor market has further complicated the already complex issue of security, but now organizations know they don't have to fix everything. In fact, it would be silly to and you'll end up driving your valuable security practitioners away. By adopting RBVM, organizations can start to quell the unrelenting pandemonium today's security landscape has become.

How Risk-Based Vulnerability Management Has Made Security Easier

Ducktail targets marketing and HR professionals through LinkedIn to hijack Facebook accounts and run malvertising schemes.

A spear-phishing campaign dubbed "Ducktail" has been discovered targeting marketing and HR professionals through LinkedIn, with the aim of taking over Facebook Business accounts and abusing the Ads function to run malvertising schemes.  

The campaign delivers a tailored malware, which identifies individuals likely to have admin privileges, scans the victim' machine, searches for popular browsers, and extracts all the stored cookies, including any Facebook session cookies, from the browsers it finds.  

The malware component can take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account, which it then uses to hijack the victim's Facebook Business and Facebook Ads accounts.

The campaign appears to be financially motivated, according to security specialist WithSecure's new report on the Ducktail campaign.

"One of the unique features of the malware is its ability to hijack Facebook Business accounts associated with the victim's Facebook account," WithSecure's report explains. "It attempts to grant the threat actor's emails access to the business with the highest-privilege roles."

Mohammad Kazem Hassan Nejad, researcher for WithSecure Intelligence, explains that the attackers carefully select their targets, making sure they're likely to be on Facebook Ads or Business first. if the threat actor blindly distributes the malware through other forms of attack, such as malicious spam campaigns, this could ring more bells that would alarm companies, cybersecurity vendors, and Meta about Ducktail's activity much sooner, he notes.

"By scouting for companies that operate on Facebook's Ads and Business platform beforehand and targeting individuals that most likely have access to a Facebook Business account, we believe the threat actor tries to increase their chance of success whilst making the least amount of noise," he says.

**Connections to SilentFade**

Nejad adds that Ducktail is the first Facebook-centric malware operation he's aware of that attempts to directly hijack Facebook Business accounts. However, Nejad notes that an earlier Facebook malware operation, dubbed SilentFade, used similar tactics, such as utilizing infostealer logic that leverages Meta's GraphAPI to gather private information about the victims' Facebook account. SilentFade was focused on committing ad fraud.

"However, SilentFade and Ducktail also differ in a few notable ways," Nejad says. "Whereas SilentFade infects victim systems via modified pirated software and potentially unwanted programs, we've observed the Ducktail operation utilizing spear-phishing over a combination of LinkedIn and file/cloud hosting services, in a targeted manner."

And while the SilentFade operation was attributed to a group in China, Nejad says WithSecure has attributed this operation, with high confidence, to an outfit in Vietnam.

Nejad points out the threat actor has continued to update the malware to improve its ability to bypass existing or new Facebook security features alongside other implemented features.

"For instance, one of the latest mechanisms added to the malware allows the threat actor to send a list of email addresses, through their command-and-communication channel, that they would like to use to hijack a specific business," he explains.

**Facebook Business Offers Hackers a Prime Opportunity**

Facebook remains one of the most popular social-network platforms, with close to 3 billion monthly active users, according to its latest quarterly results. That large user base and the wide outreach it provides makes it a perfect platform for advertisers and businesses to operate on — and so, Facebook is one of phishers' favorite brands, according to a recent report.

Just last month, a social-engineering campaign bent on stealing Facebook account credentials and victim phone numbers targeted business pages via a savvy campaign incorporating Facebook's Messenger chatbot feature.

As Ducktail hijacks Facebook business accounts by gaining administrator-level access, it essentially gives the threat actor the ability to gain unlimited access to use the hijacked business account as they wish. This could include carrying out malicious advertising (malvertising), classic fraud efforts (running scams), or to spread disinformation. The threat actor could also potentially use its newfound access to blackmail a company by locking them out of its own business account.

"However, we believe the Ducktail operation uses hijacked business accounts purely to make money by pushing out ads, similar to the SilentFade campaign," Nejad says.

**Review Users, Revoke Access**

Nejad added that to protect themselves from these types of attacks, organizations must exercise caution, practice vigilance, and follow common cybersecurity practices.

"If you believe you've been a victim, we also recommend reviewing users who have been added to your Facebook Business account through Meta's Business Manager, and revoking access for unknown users that were granted Admin access with finance editor role, as well as terminating all browser authentication sessions and resetting your existing login credentials," Nejad says.

Ducktail Spear-Phishing Campaign Uses LinkedIn to Hijack Facebook Business Accounts

Machine learning should be considered an extension of — not a replacement for — existing security methods, systems, and teams.

Contrary to what you may have read, machine learning (ML) isn't magic pixie dust. In general, ML is good for narrowly scoped problems with huge datasets available, and where the patterns of interest are highly repeatable or predictable. Most security problems neither require nor benefit from ML. Many experts, including the folks at Google, suggest that when solving a complex problem you should exhaust all other approaches before trying ML.

ML is a broad collection of statistical techniques that allows us to train a computer to estimate an answer to a question even when we haven't explicitly coded the correct answer. A well-designed ML system applied to the right type of problem can unlock insights that would not have been attainable otherwise.

A successful ML example is natural language processing (NLP). NLP allows computers to "understand" human language, including things like idioms and metaphors. In many ways, cybersecurity faces the same challenges as language processing. Attackers may not use idioms, but many techniques are analogous to homonyms, words that have the same spelling or pronunciations but different meanings. Some attacker techniques likewise closely resemble actions a system administrator might take for perfectly benign reasons.

IT environments vary across organizations in purpose, architecture, prioritization, and risk tolerance. It's impossible to create algorithms, ML or otherwise, that broadly address security use cases in all scenarios. This is why most successful applications of ML in security combine multiple methods to address a very specific issue. Good examples include spam filters, DDoS or bot mitigation, and malware detection.

**Garbage in, Garbage Out**

The biggest challenge in ML is availability of relevant, usable data to solve your problem. For supervised ML, you need a large, correctly labeled dataset. To build a model that identifies cat photos, for example, you train the model on many photos of cats labeled "cat" and many photos of things that aren't cats labeled "not cat." If you don’t have enough photos or they're poorly labeled, your model won't work well.

In security, a well-known supervised ML use case is signatureless malware detection. Many endpoint protection platform (EPP) vendors use ML to label huge quantities of malicious samples and benign samples, training a model on "what malware looks like." These models can correctly identify evasive mutating malware and other trickery where a file is altered enough to dodge a signature but remains malicious. ML doesn't match the signature. It predicts malice using another feature set and can often catch malware that signature-based methods miss.

However, because ML models are probabilistic, there's a trade-off. ML can catch malware that signatures miss, but it may also miss malware that signatures catch. This is why modern EPP tools use hybrid methods that combine ML and signature-based techniques for optimal coverage.

**Something, Something, False Positives**

Even if the model is well-crafted, ML presents some additional challenges when it comes to interpreting the output, including:

*   **The result is a probability.** The ML model outputs the likelihood of something. If your model is designed to identify cats, you'll get results like "this thing is 80% cat." This uncertainty is an inherent characteristic of ML systems and can make the result difficult to interpret. Is 80% cat enough?
*   **The model can't be tuned**, at least not by the end user. To handle the probabilistic outcomes, a tool might have vendor-set thresholds that collapse them to binary results. For example, the cat-identification model may report that anything >90% "cat" is a cat. Your business’s tolerance for cat-ness may be higher or lower than what the vendor set.
*   **False negatives (FN)**, the failure to detect real evil, are one painful consequence of ML models, especially poorly tuned ones. We dislike false positives (FP) because they waste time. But there is an inherent trade-off between FP and FN rates. ML models are tuned to optimize the trade-off, prioritizing the "best" FP-FN rate balance. However, the "correct" balance varies among organizations, depending on their individual threat and risk assessments. When using ML-based products, you must trust vendors to select the appropriate thresholds for you.
*   **Not enough context for alert triage.** Part of the ML magic is extracting powerful predictive but arbitrary "features" from datasets. Imagine that identifying a cat happened to be highly correlated with the weather. No human would reason this way. But this is the point of ML — to find patterns we couldn't otherwise find and to do so at scale. Yet, even if the reason for the prediction can be exposed to the user, it's often unhelpful in an alert triage or incident response situation. This is because the "features" that ultimately define the ML system's decision are optimized for predictive power, not practical relevance to security analysts.

**Would "Statistics" by Any Other Name Smell as Sweet?**

Beyond the pros and cons of ML, there's one more catch: Not all "ML" is really ML. Statistics gives you some conclusions about your data. ML makes predictions about data you didn't have based on data you did have. Marketers have enthusiastically latched onto "machine learning" and "artificial intelligence" to signal a modern, innovative, advanced technology product of some kind. However, there's often very little regard for whether the tech even uses ML, never mind if ML was the right approach.

**So, Can ML Detect Evil or Not?**

ML can detect evil when "evil" is well-defined and narrowly scoped. It can also detect deviations from expected behavior in highly predictable systems. The more stable the environment, the more likely ML is to correctly identify anomalies. But not every anomaly is malicious, and the operator isn't always equipped with enough context to respond. ML's superpower is not in replacing but in extending the capabilities of existing methods, systems, and teams for optimal coverage and efficiency.

Source

DARKReading