The cyber campaign, aimed at siphoning funds, uses an improved version of the malware, which can adjust infection paths based on recognized antivirus software.

Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.

According to a new report from Proofpoint, the first email campaign was last December, with the initial campaign attempting to deliver Word documents that could install an updated version of the backdoor. The files contained social-engineering phishing tactics aimed at financial institutions, in one case suggesting the recipient must submit "proof of ownership of missing documents."

In later campaigns, the group tried to deliver multiple OneDrive URLs containing either an ISO attachment or shortcut file (.LNK). Then, the group again switched tactics midway through 2022, reverting back to Word files to entice victims to download a remote template, instead sending the victim to an actor-controlled domain delivering the Evilnum payload.

"Each campaign is highly fenced; the malware only allows one download per IP address to ensure only the target host can retrieve the final payload," the report, issued Thursday, notes.

The Evilnum backdoor, first observed in 2020, can be used for data theft, reconnaissance, or to load additional payloads — it's often a fixture in cyber-espionage campaigns.

**Evilnum: Under Active Development**

Based on Proofpoint's analysis, the malware also contains multiple evasion mechanisms and is under ongoing development.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, says this suggests the threat actors may incorporate new features of the malware to evade detection and improve efficacy in the campaigns.

"The use of Microsoft Word and .LNK files to launch malware, as well as other different delivery methods, allows the actor to experiment with what works or has a higher likelihood of achieving an infection," she adds.

She points out most targets generally have a potential financial windfall for the threat actor, and notes DeFi is a new, loosely regulated industry with many new technologies that may not be fully vetted or secured.

"It's an emerging, target-rich environment for threat actors to potentially benefit from," she says, adding that this particular campaign is targeting European organizations.

**Emerging DeFi Industry a Prime Cyber Target**

Decentralized finance lost $1.8 billion to cyberattacks last year — and 80% of those events were the result of vulnerable code, analysts say.

Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out the DeFi industry is still relatively new and reliant on open source platforms.

She explains open source means the source code is publicly available, which makes it easier for cybercriminals to identify potential flaws.

"Cybercriminals may also be drawn to the billions of dollars held within DeFi platforms," she adds.

Additionally, Hoffman says many DeFi platforms have cross-chain bridges, allowing users to transfer funds across multiple blockchains easily.

"This inadvertently allows malicious actors to disburse their stolen funds across multiple blockchains quickly," she says.

Hoffman says DeFi developers are learning "the hard way" that security needs to be a part of the development process from the beginning.

"The developers must address all security flaws and protect people's funds if they want continuous buy-in," she says. "Otherwise, the market will likely flop. Until these vulnerabilities are addressed, there will likely be more opportunistic attackers looking to make fast cash."

**Growing Pool of Victims as Investment in DeFi Rises**

DeGrippo adds that more people are aware of and investing in decentralized finance and cryptocurrency resources, so there is an increasing pool of potential victims for threat actors to target.

"Additionally, they may use different lure themes to target cryptocurrency-related products and services," she says.

She explains it's important that these organizations ensure employees are trained to identify and report suspicious emails.

From a technology perspective, they can also "restrict the use of container files such as ISO and LNK files, especially those downloaded from the internet," she says, and "block RTF files from being downloaded or accessed from Word where applicable."

The eponymous group behind Evilnum malware has been targeting financial institutions since its emergence in 2018 and has steadily evolved its methods, adopting a Python remote access Trojans (RATs) to carry out well-crafted spear-phishing attacks.

Cybercrime Group TA4563 Targets DeFi Market With Evolving Evilnum Backdoor

New global study from ESG and ISSA reveals nearly half of organizations are consolidating or plan on consolidating the number of vendors they do business with

EWTON, Mass. & VIENNA, Va.--(BUSINESS WIRE)--Driven by security operations complexity, nearly half (46%) of organizations are consolidating or plan on consolidating the number of vendors they do business with. As a result of this drive toward security technology consolidation, 77% of infosec pros would like to see more industry cooperation and support for open standards promoting interoperability. As thousands of cybersecurity technology vendors compete against each other across numerous security product categories, organizations are aiming to optimize _all_ security technologies in their stack at once, and vendors that support open standards for technology integration will be best positioned to meet this change in the industry, according to a new annual global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG).

The new research report, _Technology Perspectives from Cybersecurity Professional_s, surveyed 280 cybersecurity professionals, which were primarily ISSA members, focused on security processes and technologies and revealed that 83% of security professionals believe that future technology interoperability depends upon established industry standards. The report shows a cybersecurity landscape that looks favorably towards security product suites (or platforms) as it moves away from a defense-in-depth strategy based on deploying best-of-breed cybersecurity products; a historical precedent that has steadily increased organizational complexity and contributed to substantial operations overhead.

**From Best-of-Breed to Integrated Platforms**

Security professionals have long believed that purchasing best-of-breed products provided the best overall defense-in-depth. However, as the number of security products has skyrocketed, many organizations manage 25 or more independent security tools—an approach that comes with substantial operations overhead.

Security professionals identified numerous problems associated with managing an assortment of security products from different vendors such as increased training requirements, difficulty getting a holistic picture of security, and the need for manual intervention to fill the gaps between products. As a result of these issues, 21% of organizations are consolidating the number of vendors they do business with and 25% are considering consolidating.

**Most common reasons for vendor consolidation**

*   Operational efficiencies realized by security and IT teams (65%)
*   Tighter integration between previously disparate security controls (60%)
*   Improved threat detection efficiency (i.e., accurate high-fidelity alerts, better cyber-risk identification, etc.) (51%)

In addition:

*   53% tend to purchase or will in the future purchase security technology platforms rather than best-of-breed products
*   84% believe that a product’s integration capabilities are important and 86% of respondents say it is either critical or important that best-of-breed products are built for integration with other products
*   After cost (46%), product integration capabilities are the most important security product consideration for 37% of security professionals

**Evaluating “enterprise-class” security vendors**

As the security technology market consolidates, “centers of gravity” will become established around a few large vendors and affect future buying strategies; organizations will place more bets on fewer security technology vendors. According to cybersecurity professionals, the most important attributes for an enterprise-class cybersecurity vendor are:

*   A proven track record of executing its cybersecurity product roadmap and strategy (34%)
*   Provides products designed for enterprise-scale, integration, and business process requirements (33%)
*   Commitment to reducing operational complexity, lowering cost of ownership (31%)

“Given that nearly three-fourths (73%) of cybersecurity professionals feel that vendors engage in hype over substance, the vendors that demonstrate a genuine commitment towards supporting open standards will be best positioned to survive the industry-wide consolidation taking place,” said Candy Alexander, Board President, ISSA International. “CISOs have been so overburdened with vendor noise and dealing with security ‘tool sprawl’ that for many a wave of vendor consolidation is like a breath of fresh air.”

“The report reveals a massive change taking place within the industry, one that for many feels like a long time coming,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow. “The fact that 36% of organizations might be willing to buy most security technologies from a single vendor speaks volumes to the shift in purchasing behavior as CISOs are openly considering security platforms in lieu of best-of-breed point tools.”

After reviewing this data, ESG and ISSA recommend that organizations push their security vendors to adopt open industry standards, possibly in cooperation with industry ISACs. There are a few established security standards from MITRE, OASIS, and the Open Cybersecurity Alliance (OCA), available, and while many vendors speak favorably of open standards, most do not actively participate or contribute to them.

This lukewarm behavior could change quickly, however, if cybersecurity professionals—especially those at organizations large enough to send a signal to the market—establish best practices for vendor qualification with process requirements that include adopting and developing open standards for technology integration as part of the comprehensive process for all security technology procurement.

The full report can be downloaded here.

**About ESG**

Enterprise Strategy Group (ESG) is an integrated technology analysis, research, and strategy firm providing market intelligence, actionable insight, and go-to-market content services to the global technology community. It is increasingly recognized as one of the world’s leading analyst firms in helping technology vendors make strategic decisions across their go-to-market programs through factual, peer-based research. ESG is a division of TechTarget, Inc. (Nasdaq: TTGT), the global leader in purchase intent-driven marketing and sales services focused on delivering business impact for enterprise technology companies.

**About ISSA**

The Information Systems Security Association (ISSA)™ is the community of choice for international cyber security professionals dedicated to advancing individual growth, managing technology risk, and protecting critical information and infrastructure. ISSA members and award winners include many of the industry’s notable luminaries and represent a broad range of industries – from communications, education, healthcare, manufacturing, financial and consulting to IT – as well as federal, state and local government departments and agencies. Through regional chapter meetings, conferences, networking events and content, members tap into a wealth of shared knowledge and expertise. Follow us on Twitter at @ISSAINTL. Learn more about ISSA.

Cybersecurity Professionals Push Their Organizations Toward Vendor Consolidation and Product Integration

The threat group 8220 Gang's cryptocurrency miner and botnet reach has exploded to 30,000 global hosts, a notable increase over the past month, researchers say.

Leveraging little more than Linux bugs, common cloud application vulnerabilities, and misconfigurations, the 8220 Gang has been able to use its latest IRC botnet to infect more than 30,000 hosts with their PwnRig cryptominer.

Researchers with SentinelOne reported observing this noteworthy increase in the number of infected hosts over the course of just the past month. In mid-2021, the analysts said the malicious botnet was running on just 2,000 hosts worldwide.

The 8220 Gang gets its name from its original command-and-control communications port choice:8220.

"Over the past few years, 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner," the cloud botnet security warning explained. "From our observations, the group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally."

Patching and better password hygiene would prevent most infections, researchers noted.

The report includes indicators of compromise (IoCs).

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lax Security Fuels Massive 8220 Gang Botnet Army Surge

The rapidly growing Atlas Intelligence Group relies on cyber-mercenaries to carry out its missions.

A threat group calling itself the Atlas Intelligence Group (AIG, aka Atlantis Cyber-Army) has recently surfaced with what appears to be a somewhat different — and potentially trend-setting — cybercrime model.

Researchers from Cyberint who were the first to spot the group described the threat actor as selling a variety of services via its main website, including access to stolen databases, exclusive data leaks, distributed denial-of-service (DDoS) services, and initial access to enterprise networks via RDP clients and Web shells. Cyberint said this week that its researchers spotted AIG in May and have observed it growing rapidly since then.

What makes the threat actor different from the myriad others with similar offerings is the fact that the operators themselves appear to be entirely outsourcing the actual hacking activities to independent cyber-mercenaries who have no direct connection to the operation. For instance, when a client purchases AIG's DDoS, data theft, or malicious spam services, the group advertises for and hires independent contractors to execute the actual tasks. That's unlike most threat groups. which recruit and maintain the same team of hackers for different campaigns.

**A Model for OpSec**

AIG's model appears designed to ensure a high level of operations security for its leaders by keeping them segregated from those doing the criminal hacking activity, according to Cyberint.

"AIG is the first group I've seen that is using this business model," says Shmuel Gihon, security researcher with Cyberint. "Every team has its leaders, and every team has key members. But here it's different: we have one leader that controls everything and everyone."

AIG's business model appears designed to take advantage of the growing number of hacker-for-hire groups that have begun surfacing all over the world in recent years. The groups, many of which operate out of India, Russia, or the United Arab Emirates, specialize in breaking into target networks, stealing data, and carrying out a variety of other malicious activities on behalf of the clients who hire them. One example of such a group is Russia-based "Void Balaur," a cyber-mercenary group that researchers at Trend Micro and others have linked to attacks on thousands of organizations and individuals for several years.

Gihon says Cyberint's analysis of AIG's activities shows it is being run by a secretive individual using the handle "Mr. Eagle." This individual appears responsible for initiating all AIG campaigns and plans. Cyberint has so far been able to identify at least four other individuals that are operating under this leader, and who are responsible for tasks such as advertising the group's services, communicating with customers, and operating its Telegram channels.

"What makes them different is the fact that they are very good \[at\] making themselves anonymous and approaching this operation as entrepreneurs and not as technical people," Gihon says. The group's behavior suggests the core members — or at least its leader — were red teamers or malicious hackers that have decided to lead rather than operate.

"They have been around in the darknet and in the cybercrime industry for a while and observed how things are operating," he added.

**Telegram Communications**

Cyberint said it has observed the group use three different Telegram channels, with thousands of subscribers between them, for its operations.

One of the channels is a marketplace for leaked databases. The databases appear to belong to organizations in different sectors such as government, finance, manufacturing, and technology, from around the world. The collection of databases on sale via the Telegram channel suggests that AIG isn't focusing on any specific region or sector. Rather, the group appears to be targeting organizations that it thinks might be valuable for potential buyers.

Some of the databases are available for as little as 15 euros and contain information such as email and physical addresses, phone numbers, and other information likely of interest to distributors of malicious spam, spear-phishing groups, and hacktivists.

"AIG claims that these databases are exclusive, so the assumption is that they obtained it \[via\] their contractors," Gihon says. Given the low price, it is unlikely that AIG obtained them from a third-party and is reselling them, he says.

AIG has a second Telegram channel that it uses to publish ads for various hacking services that it might be looking for, and where hackers have an opportunity to bid for contracts. The channel serves as the threat group's source for finding malware developers, social engineers, red teamers, and other cyber-mercenaries.

AIG's third Telegram channel, which serves as its communication channel, is where the group posts announcements, lists of intended targets, and other information. The threat actor also maintains an e-commerce store where people can purchase AIG's services and stolen databases using cryptocurrency.

Gihon says AIG's business model gives it a level of flexibility that other threat groups do not have.

"The leader is not bound to any one of the members because they are all contractors," he says. "So, while other groups have their ups and downs given the fact that they are the same group of people most of the time, Mr. Eagle has the privilege to hire the best of the best anytime," he says. "This could make this team very lethal in the end game."

'AIG' Threat Group Launches With Unique Business Model

Law enforcement hopes that retuning ransom payments to impacted businesses will demonstrate that working with the feds following a cybersecurity breach is "good business."

Two healthcare companies — one in Kansas and another in Colorado — are about to have about $500,000 in combined ransomware payments returned, after the Department of Justice was able to follow a cryptocurrency trail back to Maui operators and seize the extorted funds. 

The Federal Bureau of Investigation seized the Maui-connected cryptocurrency accounts back in May and is now working through the courts with the Department of Justice to return the money to its victims. Maui is a strain of ransomware with ties to the North Korean state that focuses its crippling cyberattacks on healthcare and public health organizations. 

The returned ransom success story is meant to serve as a signal to other targeted organizations that working with law enforcement following a cybersecurity incident is "good business," Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division said in a statement about the court filing. 

"The FBI is dedicated to working with our federal and private sector partners to disrupt nation-state actors who pose a critical cyber-threat to the American people,” FBI Cyber Division Assistant Director Bryan Vorndran said about the recovered Maui ransomware payments. "We will continue to pursue these malicious cyber-actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds Recoup $500K From Maui Ransomware Gang

CHICAGO, July 20, 2022 /PRNewswire/ -- **Data-centric Security Market** **size is projected to grow from an estimated value of USD 4.2 billion in 2022 to USD 12.3 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 23.9% from 2022 to 2027** **according to a new report by MarketsandMarkets™.** The need to secure most sensitive information (credit card numbers, intellectual property, or medical records), stringent compliances and regulations; the need to secure sensitive data on cloud, and growing data breach incidents is driving the growth of data-centric security market across the globe.

**_Browse in-depth TOC on_** **"Data-centric Security Market"  
362 – Tables  
41 – Figures  
269 – Pages**

**Download Report Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=1504980

**By component, the services segment to register the highest growth rate during the forecast period**

Based on component, data-centric security services have witnessed a growing demand in recent years. The services segment includes various services that are required to deploy, execute, and maintain data-centric security platforms in organizations. Enterprises need support from service providers to enhance their data management, policy control, auditing & reporting, data protection, and for maintaining the governance over various silos. Professional service providers help enterprises in deploying data centric security software and solutions and managing all the queries in the product life cycle.

The professional services are offered through professionals, specialists, or experts to support the business. These services include consulting, designing and development and implementation, and support services. The latest techniques, strategies, and skills adopted by the professionals are said to be helping organizations in adopting data centric security features. They also offer customized implementation and risk assessment and assist with the deployment via industry-defined best practices.

With the increasing demand for data-centric security solutions in high-growth markets such as APAC and MEA, there is a significant demand for training and education services to spread awareness about various data-centric security solutions.

**Request Sample Pages:** https://www.marketsandmarkets.com/requestsampleNew.asp?id=1504980

**Based on organization size, the SMEs segment to grow at the highest CAGR during the forecast period**

By organization size, the data centric security market is sub-segmented into large enterprises and SMEs. SMEs use data centric security solutions to reduce data fraud while enhancing the customer experience. The growing usage of mobile devices has influenced the data transfer over business networks to personal devices, such as mobile phones and laptops. Hence, this helps in increasing the fraudulent data, cyberattacks, data losses, and threat of personal data thefts. These rising security issues have made way for SMEs to focus their concerns on data centric security. Although, SMEs have to consider their limited budget, the comprehension of corporate information being an important consideration, makes them use data discovery and classification, data protection, and data governance solutions. Moreover, these solutions are available at economical pricing in the cloud deployment type. In the coming years, data centric security solutions are expected to witness high adoption among SMEs, all over the region.

**North America to hold the largest market share in 2022**

North America is estimated to account for the highest market share in the data-centric security market in 2022. The region comprises some of the key vendors that offer data-centric security solutions and services; some of them are Informatica, IBM, Broadcom, Micro Focus, Varonis Systems, Forcepoint, among others. By country, the US is expected to hold the largest market share owing to the growing data breach incidents. Implementing these technologies enables large amounts of data to be operated upon, which has resulted in widespread adoption of cloud-based solutions and investments in the data-centric security market. North America is a highly regulated region in the world with numerous regulations and compliances, such as the Federal Energy Regulatory Commission (FERC), HIPAA, PCI DSS, and SOX, across verticals. All these factors contribute to the high market share.

**Speak to Research Expert:** https://www.marketsandmarkets.com/speaktoanalystNew.asp?id=1504980

The major Players in data-centric security market are Informatica (US), IBM (US), Broadcom (US), Micro Focus (US), Varonis Systems (US), Talend (US), Orange Cyberdefense (France), Forcepoint (US), Imperva (US), NetApp (US), Infogix (US), PKWARE (US), Seclore (US), Fasoo (South Korea), Protegrity (US), Egnyte (US), Netwrix (US), Digital Guardian (US), HelpSystems (US), BigID (US), Securiti (US), SecuPi (US), Concentric.AI (US), Lepide (US), NextLabs (US), SealPath (Spain), Nucleus Cyber (US), and Dathena (Singapore).

**Market Players**

Key and innovative vendors in the data-centric security market include Informatica (US), IBM (US), Broadcom (US), Micro Focus (US), Varonis Systems (US), Talend (US), Orange Cyberdefense (France), Forcepoint (US), Imperva (US), NetApp (US), Infogix (US), PKWARE (US), Seclore (US), Fasoo (South Korea), Protegrity (US), Egnyte (US), Netwrix (US), Digital Guardian (US), HelpSystems (US), BigID (US), Securiti (US), SecuPi (US), Concentric.AI (US), Lepide (US), NextLabs (US), SealPath (Spain), Nucleus Cyber (US), and Dathena (Singapore).

**Browse Adjacent Markets:** Information Security Market Research Reports & Consulting

**Related Reports:**

**Data Discovery Market** by Component, Functionality, Organization Size, Deployment Mode, Application, Vertical (BFSI, Healthcare and Life Sciences, Telecommunications and IT, Manufacturing), and Region - Global Forecast to 2025

**Serverless Security Market** by Service Model (BaaS and FaaS), Security Type (Data, Network, Perimeter, and Application), Deployment Mode (Public and Private), Organization Size (SMEs and Large enterprises), Vertical, and Region - Global Forecast to 2026

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7500 customers worldwide including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Data-Centric Security Market Worth $12.3B by 2027 - Exclusive Report by MarketsandMarkets™

Unsecured voice traffic, skyrocketing adoption of Teams-centric enterprise collaboration tools widen enterprise cybersecurity gaps and increase risk of breach.

**_Chicago, IL – July 20, 2022_** – Mutare, Inc., the market leader in solutions to protect voice network traffic, today released a new industry **Voice Network Threat Survey** that reveals serious shortcomings in enterprise security protections against voice network attacks. With responses from cybersecurity and networking professionals at RSAC 2022 and Cisco Live, Mutare found that nearly half (47%) of organizations experienced a vishing (voice phishing) or social engineering attack in the past year. More troubling, most are unaware of the volume of unwanted voice traffic (phone calls) traversing their voice network, or the significance of threats lurking in unwanted traffic, which includes robocalls, spoof calls, scam calls, spam calls, spam storms, vishing, smishing and social engineering.

Mutare’s **Index of Unwanted Voice Traffic** shows that across all industries nine percent of all calls (or, voice traffic) received by businesses are unwanted. Moreover, 45% of all unwanted traffic is tied to nefarious activity, while 55% is tied to nuisance activity. Remarkably, more than one-third of respondents to the **Voice Network Threat Survey** (38%) said their organizations do not collect any data on the amount of inbound, unwanted, and potentially malicious voice traffic hitting their organizations. Of those that do collect such data, 23% of respondents estimated that 5% to 10% of inbound calls were unwanted, followed by 15% of respondents who estimated that over 10% of inbound calls were unwanted, and 10% of respondents who estimated that over 20% of calls were unwanted.

The biggest source of security risk stems from employee errors, according to 43% of survey respondents. That ranking was followed by the risk from email (36%), endpoints (35%), data networks (17%), data storage (12%), and applications/core systems (9%). Only 10% of respondents cited their voice networks and phone systems as the biggest source of security risk in their organizations, reinforcing a widespread lack of awareness about this problem.

More than one-third (36%) of respondents cited security awareness training as the top solution to protect voice networks from Vishing (voice vishing) and Smishing (SMS phishing) attacks. That approach was followed by traffic firewalls (34%), spam blockers (26%), training for vishing attacks (20%), training for social engineering (23%), and threat detection (13%). In addition, more than one-fourth of survey respondents (26%) were unsure about which tools were being used to protect their voice networks, and 9% said their organizations had no solutions in place whatsoever to protect their voice networks.

Other findings from the survey included:

*   More than four-in-five respondents (81%) agreed or strongly agreed that their organizations identified vishing, smishing, social engineering, and robocalls as major security threats
*   For those organizations that received voice attacks in the past year, nearly one-third (32%) involved SMS/text scams, followed by attacks on collaboration platforms such as Cisco WebEx and Microsoft Teams (16%), and voice networks (14%). 35% of respondents were unsure about what types of attacks had struck their organizations.
*   The responsibility for overseeing voice security was almost evenly divided between responses for the Security Team with 38%, and the Network Team with 37%. In addition, 15% of respondents cited the Unified Communications/Collaboration/Voice Team as being responsible for their company’s voice network security.

The Mutare Voice Network Threat Survey was taken by more than 150 onsite attendees at tech industry trade shows in June 2022. More than half of respondents (54%) came from the Technology and Innovation industry, followed by Government (12%), Education (9%), Financial Services (7%), Healthcare (5%), and Legal (3%). The largest group of respondents came from midlevel specialists and managers at 44%, followed by senior executives (27%), entry-level employees (13%), and C-level execs (9%).

For more information about the survey results, please visit: https://www.mutare.com/executive-report-voice-network-threat-survey-2022/.

For more information about the company, please visit: https://www.mutare.com/.

**About Mutare**

For three decades, Mutare has empowered organizations to reimagine a better way to connect. Today, through our transformative digital voice and text messaging solutions, we make communications with colleagues, customers, and prospects simple, secure, and effective. And that means more time and less stress for your employees, a positive experience for your customers, and improved bottom-line results for your organization. Our forward-looking leadership team is made up of dedicated, experienced individuals who care about transforming business communications and improving the lives of others. Ultimately, Mutare is dedicated to making a difference for all our stakeholders – team members, customers, partners, and communities. We are change makers.

Mutare Voice Network Threat Survey Shows Nearly Half of Organizations Experienced Vishing or Social Engineering Attacks in Past Year

Security pros' experience with transparency and evaluating third-party partners positions them to act as key environmental, social, and governance advisers.

With new reporting requirements looming, information security leaders' expertise positions them as key collaborators in improving their companies' environmental, social, and governance (ESG) posture.

The fundamental principle behind ESG is that transparency is required to understand whether business partners are ethical and making a positive impact in the world, but ESG has become something of a catch-all term for the qualities that companies want to see in their business partners.

Security underpins key aspects of ESG. Companies want to do business with organizations that are either advancing the cause of security and privacy or are at least not doing harm. How transparent companies are before, during, and after a breach tells you a lot about their corporate character. A data breach may be called a privacy responsibility or a security responsibility, but, at the end of the day, it’s a social responsibility.

**Security Incidents**

There are two common information security practices that can help organizations rise to meet the challenges of ESG transparency.  

The first is the sharing of information regarding security incidents.

When a breach occurs, ethical companies do more than just comply with regulations that require notification to affected individuals. They publicly share details about what happened, how they were able to recover, and the corrective measures they put in place. Companies going above and beyond publish relevant TTPs (tactics, techniques, and procedures) or IoCs (indicators of compromise) to help protect other organizations from falling victim to the same threats or threat actors.

An example of exemplary behavior in this space was the SolarWinds and FireEye incident. When FireEye (now known as Trellix) was breached, the organization shared information publicly. This enabled thousands of potential victims to identify threat indicators and respond in their own environments.

**Vulnerability Disclosures**

The second information security practice that can benefit ESG efforts relates to vulnerability disclosures. Organizations need to know if their business partners have been affected by zero-day vulnerabilities such as Log4j. A partner that proactively alerts the organizations it does business with that such a flaw exists in its systems, and then commits to addressing it, gets a high ESG grade. Partners that don't respond to requests for information about a vulnerability or that say such information is proprietary should be avoided.

There is a tremendous opportunity for security leaders to highlight how the valuable work they’re doing also improves their organizations' ESG profiles, and to help their teams understand and evaluate how well their business partners are doing along those same lines.

Consider developing baseline requirements or even a custom metric. Ask yourself and your business partners: What is your average time between identification and disclosure of incidents or breaches? How many disclosures have you made in a given timeframe?

Data points such as time to disclose and time to remediate can be rolled up into a kind of security-related "ESG credit score" to provide visibility. Once you’ve done this for your security requirements, it can be easily replicated across the other ESG domains.

A connected platform can be used to operationalize the assessment and monitoring of your supply chain ESG health. After you understand and can measure what's most important in your business relationships, you can help identify where there is room for improvement and help steer your company toward more ethical partnerships.

Environmental, sustainability, social, and governance issues are among the most visible and popular ways to evaluate business ethics today — and it’s not hard to imagine that the scope of what people care about will expand to other areas. Take this opportunity to coach business leaders on the importance of creating a culture of transparency and model what good governance looks like around identifying, drafting, reviewing, and approving disclosure material. Consider these and additional ways you and your team can add value to their organizations as ESG continues to gain momentum.

What InfoSec Pros Can Teach the Organization About ESG

The LAPSUS$ group emerged with a big splash at the end of 2021, targeting companies, including Okta, with a "reckless and disruptive" approach to hacking.

The LAPSUS$ extortion group has gone quiet following a notorious and rapid rise through the threat landscape, targeting companies including Microsoft, NVIDIA, and Okta, and earning notoriety for its freewheeling, decentralized approach to cybercrime.  

However, researchers said the group is likely not gone — and, in any case, its "brazen" tactics may leave a legacy.

A new report from exposure management specialist Tenable digs into the group's background and the tactics, techniques, and procedures (TTPs) it has used, maturing from distributed denial-of-service (DDoS) attacks and website vandalism to more sophisticated methods. These include the use of social engineering techniques to reset user passwords and co-opt multifactor authentication (MFA) tools.

"Characterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even accused a target of hacking back — the LAPSUS$ group’s tenure at the forefront of the cybersecurity news cycle was chaotic," the report notes.

**Chaos, Lack of Logic Part of the Plan**

"You could absolutely call LAPSUS$ 'a little punk rock,' but I try to avoid making bad actors sound that cool," notes Claire Tills, senior research engineer at Tenable. "Their chaotic and illogical approaches to attacks made it much harder to predict or prepare for the incidents, often catching defenders on the back foot."

She explains that perhaps due to the group’s decentralized structure and crowdsourced decisions, its target profile is all over the place, which means organizations can’t operate from the "we're not an interesting target" point of view with actors like LAPSUS$.

Tills adds that it’s always hard to say whether a threat group has disappeared, rebranded, or just gone temporarily dormant.

"Regardless of whether the group identifying themselves as LAPSUS$ ever claims another victim, organizations can learn valuable lessons about this type of actor," she says. "Several other extortion-only groups have gained prominence in recent months, likely inspired by LAPSUS$’s brief and boisterous career."

As noted in the report, extortion groups are likely to target cloud environments, which often contain sensitive, valuable information that extortion groups seek.

"They are also often misconfigured in ways that offer attackers access to such information with lower permissions," Tills adds. "Organizations must ensure their cloud environments are configured with least-privilege principles and institute robust monitoring for suspect behavior."

As with many threat actors, she says, social engineering remains a reliable tactic for extortion groups, and the first step many organizations will need to take is assuming they could be a target.

"After that, robust practices like multifactor and passwordless authentication are critical," she explains. "Organizations must also continuously assess for and remediate known-exploited vulnerabilities, particularly on virtual private network products, Remote Desktop Protocol, and Active Directory."

She adds that while initial access was typically achieved through social engineering, legacy vulnerabilities are invaluable to threat actors when seeking to elevate their privileges and move laterally through systems to gain access to the most sensitive information they can find.

**LAPSUS$ Members Likely Still Active**

Just because LAPSUS$ has been quiet for months does not mean the group is suddenly defunct. Cybercrime groups often go dark to stay out of the spotlight, recruit new members, and refine their TTPs.

"We would not be surprised to see LAPSUS$ resurface in the future, possibly under a different name in an effort to distance themselves from the infamy of the LAPSUS$ name," says Brad Crompton, director of intelligence for Intel 471’s Shared Services.

He explains that even though LAPSUS$ group members have been arrested, he believes the group’s communication channels will stay operational and that many businesses will be targeted by threat actors once affiliated with the group.

"Additionally, we may also see these previous LAPSUS$ group members develop new TTPs or potentially create spinoffs of the group with trusted group members," he says. "However, these are unlikely to be public groups and will probably enact a higher degree of operational security, unlike their predecessors."

**Money as the Main Motivator**

Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity provider, explains that cybercriminals are motivated by money while nation-states are motivated by national goals. So, while LAPSUS$ isn't playing by the rules, its actions are somewhat predictable.

"The most dangerous aspect, in my opinion, is that most organizations have spent the last five or more years developing symmetric defensive strategies based on threat actors with reasonably well-defined definitions and goals," he says. "When a chaotic threat actor is introduced into the mix, the game tilts and becomes asymmetric, and my main concern about LAPSUS$ and other similar actors is that defenders haven't really been preparing for this type of threat for quite some time." 

He points out LAPSUS$ relies heavily on social engineering to gain an initial foothold, so assessing your organization's readiness to social engineering threats, both on the human training and technical control levels, is a prudent precaution to take here.

Ellis says while the stated goals of LAPSUS$ and Anonymous/Antisec/Lulzsec are very different, he believes they will behave similarly in the future as threat actors.

He says the evolution of Anonymous in the early 2010s saw various subgroups and actors rise to prominence, then fade away, only to be replaced by others that replicated and doubled down on successful techniques.

"Perhaps LAPSUS$ has vanished completely and forever," he says, "but, as a defender, I wouldn't rely on this as my primary defensive strategy against this type of chaotic threat."

Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists

The group has become the new face of ransomware, taking advantage of vulnerabilities and poor encryption.

The Federal Bureau of Investigation (FBI), the Department of Treasury, and the Financial Crimes Enforcement Network (FinCEN) recently released a joint Cybersecurity Advisory (CSA) focusing on the Karakurt data extortion group, an emerging organization known for stealing company data and demanding ransom to avoid public exposure. The group has become the new face of ransomware, taking advantage of vulnerabilities and poor encryption.

So, what does this mean for businesses, both small and large?

Karakurt actors have long engaged in various tactics, techniques, and procedures (TTPs), that create considerable challenges for defense and mitigation. While the targets of Karakurt have not reported their data and files compromised, they have reported falling victim to ransom requests ranging from $25,000 to $13 million in Bitcoin.

**The Move Toward Data Decryption**

Karakurt is the new face of ransomware, taking advantage of poor encryption. Historically, ransomware did not care about the encryption used to protect the data because it did not decrypt the original data. Instead, it took existing encrypted data and made it unusable to the victim. Eventually, organizations began conducting proper backups and therefore stopped paying the ransom requested. As a result, ransomware entities have upped their game and are beginning to decrypt data.

Why is it so easy for these criminals to decrypt data? The answer is the use of a single key to encrypt all records and store the key in an unprotected environment. All it takes for an attacker is to find the key and they will have access to all an organization's data.

How can organizations mitigate this risk? One solution is OTP (one-time pad), as it is necessary to keep classified data safe and can be easily adopted. A big advantage for OTPs is that not only are they extremely secure, they are incredibly easy for organizations to integrate into their wider authentication strategies.

**OTP and Beyond**

OTPs may have been born before digital computing, but they continue to represent an unbeatable cryptographic standard. OTPs include a system where a private key is used by random generation and significantly helps prevent access to breaches. The key is employed only once in order to securely encrypt data, and will be decrypted by the recipient by utilizing a corresponding one-time pad and key. Even if an attacker or criminal group like Karakurt were to obtain a valid set of login credentials, it would be unable to breach the system.

Beyond OTP, and when examining Karakurt's TTPs, it's vital for organizations to review current encryption policies and technologies deployed, as well to ensure there are no open vulnerabilities to be exploited. In addition, the application of newer quantum-resistant approaches will mitigate potential short- and long-term harm. The time is now to take these proactive steps. Quantum computers can decipher cryptographic keys and create threats, much like Karakurt is known for.

Cybercriminals are becoming increasingly creative and organizations must be prepared with measures that will do the most to protect their most valuable assets: their data. It's time for organizations to take a look at security measures currently in place and act accordingly. Once adequate measures are in place, the problem with cyberattacks will become the ability to detect attacks rather than worrying about control and minimizing the damage.

Source

DARKReading