Twitter is charged with using emails and phone numbers ostensibly collected for account security to sell targeted ads.

The Federal Trade Commission (FTC) has issued a $150 million fine against Twitter for misrepresenting its security and privacy practices.

The FTC, in cooperation with the Department of Justice (DoJ), says that Twitter has been using the email addresses and phone numbers it collects from users to enable two-factor authentication to serve targeted advertising.   

In addition to the fine for the violation, Twitter has been given a list of do's and don'ts: It's prohibited from making a profit on data collected under the guise of security; it must allow users to use mobile authentication apps and security keys for multifactor authentication, which don't require a user to provide their phone number; it must notify users if their data has been misused; it must implement a comprehensive information security policy; it must limit employee access to personal user data; and it must notify the FTC of any company breaches. 

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said FTC Chair Lina M. Khan in a statement about the Twitter security data misuse ruling. "This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Twitter Fined $150M for Security Data Misuse

The new draft guidance on premarket submissions incorporates quality system regulations and doubles down on a life-cycle approach to product security.

It's hard to believe, but medical device manufacturers who are subject to Food and Drug Administration premarket approval — the FDA process of review to evaluate the safety and effectiveness of Class III medical devices — are still operating under the FDA's original medical device cybersecurity guidance from 2014 and a subsequent update in 2018. But that is about to change in a major way.

Instead of finalizing the 2018 premarket cybersecurity draft guidance, the FDA has decided to issue a new 2022 version to reflect the rapid evolution of cybersecurity, incorporating a new set of quality system regulations (QSRs) with significant changes to its 2018 predecessor.

**New FDA Draft Guidance  
**The new draft guidance, titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," deals with myriad design, labeling, and documentation issues that will have to be addressed by medical device manufacturers before their new devices can gain FDA premarket approval.

The FDA's original guidance on cybersecurity was just nine pages while the 2022 version swells to 50 pages, reflecting advancements in the cybersecurity ecosystem and best practices. It appears that, when approving connected medical devices for market, the FDA will be taking a long look at how cybersecurity is implemented, especially regarding levels of risk to patient safety.

**Updated Regulations: Why Now?  
**Requiring greater cybersecurity measures to protect medical devices and their operational and patient data is vital since the healthcare industry has become a massive target of cyberattacks. Data breaches hit an all-time high in 2021, exposing a record volume of protected health information. Besides pilfering data, a growing number of breaches attempt to disrupt the smooth operation of medical devices like computed tomography and magnetic resonance imaging machines, potentially causing incorrect diagnoses, unnecessary medical procedures, or direct harm to patients.

The American Hospital Association's senior adviser for cybersecurity and risk has stated that medical devices used in hospital rooms suffer from an average of 6.2 vulnerabilities. As devices become more complex and interconnected, opportunities for cyberattackers to exploit vulnerabilities are becoming greater, hence the need for updated regulations.

**Incorporating Cybersecurity into Quality System Regulations to Boost Safety  
**With the new guidance, the FDA seeks to ensure that the next generation of medical devices will be far safer and secure throughout the entire device life cycle, from premarket and throughout the entire useful life, beginning from the earliest stages of design (shift-left) to post-production (shift-right).

With the proposed guidance, the FDA is doubling down on its efforts to incorporate cybersecurity into quality regulations to address the complexity of modern devices and today's evolving threat landscape.

**From CBOM to SBOM: What's the Difference?  
**Surprisingly, one of the major changes that the new guidance brings is a leniency in the requirement for manufacturers to provide a complete software bill of materials (SBOM) instead of a more tedious cybersecurity bill of materials (CBOM), as was required in the 2018 draft. Medical device manufacturers were balking at the 2018 guidelines because of this stringency.

An SBOM is more in line with cybersecurity standards across most industries and aligns with the Biden administration's recently issued Executive Order 14028, "Improving the Nation's Cybersecurity." It contains all of the required software packages (commercial and open source) and their versions.

The much more complicated CBOM, according to the 2018 guidance, demands "a list of commercial, open source, and off-the-shelf software and hardware components to enable device users (including patients, care providers, and healthcare delivery organizations) to effectively manage their assets, understand the potential impact of identified vulnerabilities to the device — and the connected system — and to deploy countermeasures to maintain the device's essential performance."

**A Secure Product Development Framework for Every Device  
**The latest guidance asks medical device manufacturers to consider using a secure product development framework (SPDF) to achieve the goals of the QSR: "An SPDF encompasses all aspects of a product's lifecycle, including development, release, support, and decommission."

Besides compliance with the draft guidance, the call for using an SPDF can add significant value to medical devices. As the draft guideline states: "Using SPDF processes during device design may prevent the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered."

**Is the New FDA Draft Guidance Binding?  
**Until July 7, the FDA is inviting medical device manufacturers and the public to comment on the new draft, which is expected to be finalized later this year when it will become the new FDA cybersecurity guidance for medical devices. While FDA guidance is nonbinding, the approved version will provide a road map for how medical device manufacturers should address cybersecurity in their products to ensure compliance and patient safety.

The FDA is not the only federal agency looking to strengthen cybersecurity regs. Legislation called the Protecting and Transforming Cyber Health Care (PATCH) Act was recently introduced in the US Congress. The act, the EO, and other proposed bills contain provisions that will strengthen the FDA's ability to require medical device manufacturers to meet certain cybersecurity objectives.

In order to future-proof for impending legislation, medical device manufacturers should start investigating solutions that can generate detailed SBOMs and continuously detect vulnerabilities and mitigate risks in order to stay compliant with the FDA's 2022 guidance and beyond.

The FDA's New Cybersecurity Guidance for Medical Devices Reminds Us That Safety & Security Go Hand in Hand

Global ransomware incidents target everything from enterprise servers to grounding an airline, with one India-based group even taking a Robin Hood approach to extortion with the "GoodWill" strain.

Ransomware incidents are on the rise and this week proved no exception, with the discovery of a Linux-based ransomware family called Cheerscrypt targeting VMware ESXi servers and an attack on SpiceJet, India’s second largest airline.  

Meanwhile, an oddball "GoodWill" variant purports to help the needy.

The Cheerscrypt ransomware variant was uncovered by Trend Micro and relies on the double-extortion scheme to coerce victims to pay the ransom – i.e., stealing data as well and threatening to leak it if victims don’t pay up.

Because of the popularity of ESXi servers for creating and running multiple virtual machines (VMs) in enterprise settings, the Cheerscrypt ransomware could be appealing to malicious actors looking to rapidly distribute ransomware across many devices.

Meanwhile, low-cost carrier SpiceJet faced a ransomware attack this week, causing flight delays of between two and five hours as well as rendering unavailable online booking systems and customer service portals.

While the company’s IT team announced on Twitter that it had successfully prevented the attempted attack before it was able to fully breach all internal systems and take them over, customers and employees are still experiencing the ramifications.

**GoodWill: The Altruistic Ransomware  
**Then there's this: Researchers with CloudSEK announced this week they had discovered a Robin Hood-esque ransomware group called GoodWill, which demands that its victims perform three acts of charity in exchange for a decryption key.

GoodWill was discovered in March and uses a ransomware worm that encrypts documents and databases — among other important files — and renders them inaccessible without the decryption key.

The charitable actions that are accepted include taking poor children to fast-food restaurants, donating clothes to the homeless, and providing financial assistance to those in need of medical care. These actions must be backed up by photos posted to social media, the gang demands.

**Businesses Struggle to Keep Pace With Evolving Attacks  
**This week’s spate of ransomware attacks indicated no clear pattern but are rather more akin to the efforts of a marketing and sales department, says Stan Black, CISO at Delinea, a provider of privileged access-management solutions.

“Think about it: They harvest your information, alter their method delivery, they keep coming back until you bite, and when they get you on the hook, they demand a ransom,” he tells Dark Reading. “They are unregulated, don’t answer to legal, a board, or auditors, and don’t care whose business or lives they ruin.”

Black points out that there needs to be a recognition that malicious actors know more about IT operations than organizations think they do.

“For 24 hours a day, they are crawling every facet of our digital footprint and exhaust trail,” he says. “Through automation, they distill our telemetry and create the perfect go-to-market strategy: a cyberattack. These days, ransomware is targeting our identity and access-control security technology — the very tech we thought would protect us.”

Matthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, says it’s extremely important that organizations focus on detecting the first three steps of a ransomware attack: discovery, gaining a foothold, and escalating privileges.

"Detection, in addition to being aware as to what data you hold, will allow you to quickly respond to attacks and worst case be sure of post-exploitation handling of a ransomware event," he tells Dark Reading.

He adds that going forward, it also becomes clearer that time to respond and patch has been reduced, down to hours at the most.

“Evaluating your exposed attack surface should be the first item on your list, to ensure that your infrastructure is protected,” Warner says.

**DBIR Report Finds Ransomware Attacks Ballooning  
**Verizon also published its 15th annual "Data Breach Investigations Report" (DBIR), this week, which highlighted the emergence of ransomware-as-a-service (RaaS) as one of the factors behind the ballooning number of ransomware incidents.

The report, which analyzed 23,896 security incidents — of which 5,212 were confirmed breaches — found email phishing and desktop-sharing software were the most common ransomware attack points.

Overall, ransomware accounts for 25% of the total breaches, and was present in 70% of the malware breaches this year.

From Warner’s perspective, ransomware techniques have not necessarily evolved but, rather, have expanded over the last five years. For instance, previously, only certain groups would have the capability to perform advanced attacks that leverage zero-days within days of release. Now, it's no longer required to find your own.

“Now we see ransomware operators either buying or identifying their zero-days and leveraging zero-days as soon as possible within their campaigns,” he notes.

Warner also points out that ransomware operators are leveraging tooling improvements such as Cobalt Strike, enabling their evolution into a virtuous cycle: More funds allow for better tooling, processes, and execution across the environment, which leads to more funds.

That also paves the way for the gangs to expand their teams, as well.

“The ability to perform passive phishing attacks while also actively attacking vulnerable infrastructure with a team of paid hackers creates a unique and powerful environment for ransomware operators,” he explains.

VMware, Airline Targeted as Ransomware Chaos Reigns

Credential-stuffing attacks against online accounts are still popular, and they work thanks to continuing password reuse.

It has been a week of data breach news, with General Motors, Chicago Public Schools, and wedding-planner startup Zola all reeling from the exposure of customers' personal information. In the latter's case, customers were also riffed for stored funds and suffered fraudulent payment-card charges.

Credential stuffing was to blame in two of the incidents. In credential stuffing, attackers use automated scripts to try high volumes of stolen username and password combinations against online accounts in an effort to take them over. The stolen credentials are usually taken from data breaches of other sites — cybercriminals bank on password reuse and the use of common or easy-to-guess passwords, like “123456.”

Once in, cybercriminals can use the compromised accounts for various purposes: as a pivot point to penetrate deeper into a victim's machine and network; to drain accounts of sensitive information (or monetary value); and, if it's an email account, to impersonate the victim in attacks on others.

And such attacks are costly: The Ponemon Institute's Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.

They're also wildly common. According to recent PerimeterX data, malicious login attempts out of total logins trended upward during 2021, reaching a staggering 93.8% of all login attempts in August, which was an 8% increase on the 2020 peak.

Verizon's 2022 Data Breach Investigations Report (DBIR), released this week, noted that the use of stolen credentials for kicking off data breaches is the top attack vector, accounting for around 42% of all of the breaches analyzed by the carrier.

**General Motors Drives into Trouble**  

GM has alerted customers that a successful credential-stuffing attack last month on its customers resulted in a raft of account compromises. The incident exposed personal information for customers and allowed hackers to fraudulently redeem rewards points for gift cards.

The customer data involved lends itself to a veritable cornucopia of follow-on attacks, including convincing social-engineering efforts, spoofing attacks, and, alarmingly, potential physical threats at the extreme end of the spectrum. The info included first and last name, personal email address, personal address, username and phone number for registered family members tied to an account, last known and saved favorite location information, your currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile picture, search and destination information, and reward-card activity.

"Some may suggest that breaches that don't involve payment-card numbers or SSNs are not as serious, but other information (family member names, phone numbers, and addresses) is just as damaging as it will be used in future social engineering attacks and will forever place these people in danger," noted John Gunn, CEO at Token, via email. "How easy is it to change family member names, phone numbers, and addresses? This type of attack is eminently preventable simply with better multi-factor authentication."

GM is reinstating any lost loyalty points and forced a password reset for customers.

**Chicago Public Schools Face Student Exposure**

Also this week, news emerged of a wide-ranging data breach that involved the personal information of nearly 500,000 students in Chicago Public Schools (CPS), and more than 56,000 employees.

The information was stolen as part of a ransomware attack on one of the district's third-party technology suppliers, Battelle for Kids, which maintains a server used to store the CPS student and staff information. The data was for the 2015-2019 school years.

CPS issued a data-breach notification flagging the exposed information, which included name, date of birth, gender, grade level, school, and district and state student ID numbers, as well as information about the courses students took.

The exposed staff records included name, school employee ID number, CPS email address, and scores on tasks used to evaluate teachers during the time period, the district said.

Perhaps most notably, the breach occurred months ago, on Dec. 1, but Battelle for Kids didn't notify CPS until April 26. It took that long for the vendor to verify the authenticity of the breach and commission an independent forensic analysis, and for law enforcement authorities to investigate, CPS noted.

The data was old and there's no evidence that the ransomware gang has made a move to exploit the data, but students and staff should still be on the lookout for phishing efforts, the district warned. It's offering everyone involved a year of free credit monitoring in response to the incident.

"Ransomware attacks have become a growing threat to education centers across the United States," says Erfan Shadabi, cybersecurity expert with data security specialists Comforte AG. "Schools are becoming more dependent on a computing infrastructure to support their daily functions, and they also hold a vast amount of sensitive information. School districts and universities need to understand that they are high-profile targets, and they need to assume that a cyberattack is imminent."

**Zola Customer Accounts Hijacked**

Wedding-planning site Zola has discovered that 3,000 customer accounts were compromised in an apparent brute-force or credential-stuffing attack on its customers.

The site allows couples to create wedding destination websites, build gift registries, and access a variety of financial tools. Over the weekend, customers began reporting on Reddit that their accounts had been hijacked, with the cyberattackers making off with stolen funds or racking up fraudulent credit-card charges. Zola didn't reveal how high the losses have mounted.

TechCrunch, which first reported the breach, said that it saw posts on a Dark Web Telegram channel from hackers, who swapped tips, posted screenshots of pwned accounts, and discussed ordering gift cards using the credit card on file with Zola.

"Credential stuffing attacks continue to fuel the web-attack lifecycle, potentially using these stolen user credentials on other e-commerce sites," said Uriel Maimon, vice president of emerging products at PerimeterX, via email. "We can expect that these credentials will soon be tested on other apps that we use daily to power our lives. The responsibility lies on app providers and website owners to make it difficult and expensive for cybercriminals to use the information in order to disrupt the cycle of attacks. This means stopping the theft, validation, and fraudulent use of account and identity information everywhere along a consumer's digital journey."

He added that that one way to do that is by tracking behavioral and forensics signals of users logging in, in order to differentiate between real users and attackers.

Big Cyber Hits on GM, Chicago Public Schools, & Zola Showcase the Password Problem

Let the threat landscape guide your company's timeline for complying with new data security standards for credit cards. Use the phase-in time to improve security overall — security as a process — not just comply with new standards.

In March, the PCI Council released the latest update to its Data Security Standard (DSS). The PCI DSS 4.0 is a major refresh of the current version, 3.2.1, which was released in May 2018. The threat landscape has certainly changed in the last four years, so it's not surprising to see significant changes to this version of the DSS, which is meant to reduce the risk of debit and credit card data loss and protects merchants and cardholders.

However, none of the changes in version 4.0 will require immediate action. Version 3.2.1 won't be retired until the second quarter of 2023, and many of the newer requirements in version 4.0 are considered best practice — i.e., not required — until March 2025. For affected organizations, it's not uncommon to see this deadline and create a plan based on an extended, two-year timeline. That said, delaying implementation is also the strategy that includes accepting the most risk.

**Full Compliance Is Difficult  
**The reality is that compliance with version 3.2.1 hasn't been an easy task for most organizations. Verizon's most recent "Payment Security Report" (registration required), published in 2020, found that only 27.9% of organizations were able to maintain full compliance with the PCI DSS, which is down 8.8% from the prior year. That decline is part of a longer trend, with compliance down 27.5% since 2016, when full compliance peaked at 55.4%.

Faced with this reality and the changes in version 4.0, there's an opportunity for organizations to take a different approach through this transition. Rather than creating a plan to meet compliance deadlines, organizations should create a plan to improve security that also meets compliance requirements. It's rare to have this kind of runway for a requirement, and it's an opportunity that shouldn't be squandered.

To illustrate this point, it's important to look at the changes to the DSS in groups, and by identifying trends. After all, these changes aren't arbitrary. They've been carefully made based on the threat landscape.

As an example, there are three changes to consider. First, Requirement 2 has been updated from "Do not use vendor-supplied defaults for system passwords and other security parameters" to "Apply secure configurations to all systems." Requirement 8.3.9 now provides an option to use dynamic assessment of security posture of assets in place of password rotation. Finally, Requirement 8.5.1 specifies secure configuration requirement for the implementation of multifactor authentication.

It's possible to consider each of these changes as separate items to be addressed in a transition plan, but they collectively point to a common underlying security control: security configuration management. Rather than address them individually, an organization should implement a comprehensive SCM program that also meets compliance needs. As a relevant aside, the Center for Internet Security documents in its Community Defense Model "that establishing and maintaining a secure configuration process (CIS Safeguard 4.1) is a linchpin Safeguard for all five attack types, which reinforces the importance of configurations, such as those found in the CIS Benchmarks." In other words, there's more security benefit to be gained than just PCI compliance.

There are certainly other examples to consider as well. Requirement 8.3.9 might be combined with Requirements 8.4 and 8.5 around MFA to drive a more comprehensive zero-trust architecture (ZTA) project. PCI compliance certainly doesn't require ZTA, but the data suggests that security can be enhanced with a best-practice ZTA implementation. By prioritizing a security-oriented objective and using the transition in PCI as a driver, organizations can maximize their benefits from a required project.

This type of a strategy isn't limited to new requirements, either. The Verizon report shows that Requirement 11, "Regularly Test Security Systems and Processes," has been the most problematic for organizations since the report's inception 10 years back. While one could argue that there haven't been major changes in Requirement 11, there are certainly changes that will cause work. For example, Requirement 11.3.1.2 now requires authenticated vulnerability scanning for internal assets. Such changes present an opportunity to address long-standing obstacles to both security and compliance with a more comprehensive approach to vulnerability management.

**Compliance as Tool, Not Burden  
**The other side of the equation is the cost of addressing the changes as individual requirements. It's possible to take the full two years to implement some of these requirements and remain fully compliant with PCI, but doing so also adds avoidable risk to your business. First, you're not escaping PCI compliance in the meantime. You'll simply have to comply with version 3.2.1, which still consumes resources. More importantly, the changes in version 4.0 were made to address the threat landscape we currently face, and by delaying implementation of things like expanded MFA and monitoring of security controls, you're allowing recognized, known risks to persist in your environment.

While PCI compliance serves to protect the card brands themselves, the security controls you choose to implement should protect your organization and its data. Set security as the priority and leverage compliance as a tool rather than seeing it as a burden.

Act Now: Leveraging PCI Compliance to Improve Security

Researchers discover 3-year-old critical firmware vulnerability, running in popular cloud servers used to power hyperscalers and cloud providers alike.

Several popular Quanta Cloud Technology (QCT) server models that power hyperscale data center operations and cloud provider infrastructure are vulnerable to a critical firmware vulnerability that puts them at risk of attacks that take full control over the server — and that can spread across numerous servers on the same network.

The QCT models are vulnerable to the so-called "Pantsdown" vulnerability (CVE-2019-6260), a flaw discovered in 2019 affecting baseboard management controller (BMC) technology on a number of firmware stacks used in modern servers, according to new research published today by Eclypsium.

BMCs are minicomputers placed within servers that include their own power, firmware, memory, and networking stack. They're there to give remote administrators control over the server to manage low-level hardware settings, update host operating systems, and manage virtual hosts, applications, or data on the system. Often servers are managed through BMCs via the use of Intelligent Platform Management Interface (IPMI) controlled groups that share the same password, making it trivial to jump across systems once they compromise one BMC. That kind of concentrated privilege makes BMCs extremely juicy targets for attackers when flaws like these arise.

That attractiveness to the bad guys was on full display back in January when Eclypsium found threat actors using BMC implants in the wild via iLOBleed attacks that successfully targeted thousands of HPE servers. In that case, attackers even took steps to prevent BMC updates and falsify update success to administrators.

It's a problem that security researchers have warned about for the better part of a decade — for example, back in 2013 Metasploit creator HD Moore was drawing attention to them with some pivotal research that showed hundreds of thousands of servers running online were vulnerable to BMC flaws.

The Pantsdown flaw present on QCT servers in this most recent research and proof-of-concept has a CVSS score of 9.8 and is targeted by numerous exploits seen floating around in the wild in the past.

"This vulnerability can provide an attacker with full control over the server including the ability to propagate ransomware, stealthily steal data, or disable the BMC or the server itself," Eclypsium researchers said in a blog post about the report. "Additionally, by gaining code execution in the BMC, attackers could steal the BMC credentials, which could allow the attack to spread to other servers in the same IPMI group."

The researchers said they conducted their tests and developed the proof-of-concept against QCT servers after refreshing them with the most updated firmware package publicly accessible on QCT's download site.

"On inspection, we found that the server contained an Aspeed 2500 BMC (AST2500(A2)) and was running a version of AMI-based BMC software vulnerable to Pantsdown," they said, explaining they disclosed the flaw in October 2021 to Quanta. "At the time of writing, QCT has informed us that they have addressed the vulnerability and new firmware is available privately to their customers, but will not be made publicly available."

**Watch That BMC Firmware**

The proof-of-concept attack Eclypsium researchers developed had them patching Web server code while it ran in memory on the BMC and replacing it with malicious code to trigger a reverse shell when a user refreshes a webpage or connects to the server. They noted that this particular proof-of-concept requires an attacker to have root access on the physical server, but that these permissions are routinely provided by default when users rent a bare-metal instance of a server.

"Additionally, an attacker could gain root access by exploiting a web-facing application and escalating privileges or simply taking advantage of any services already running with root privileges," the research team added.

They say that this particular piece of research further emphasizes the need for organizations to regularly verify the integrity of their BMC firmware.

Quanta Servers Caught With 'Pantsdown' BMC Vulnerability

Supply chain and ransomware attacks increased dramatically in 2021, which explains why so many data breaches in Verizon's "2022 Data Breach Investigations Report" were grouped as system intrusion.

Breaches due to system intrusion have ratcheted up dramatically since 2019, according to Verizon’s "2022 Data Breach Investigations Report." While system intrusion, which includes hacking, malware, and ransomware, was the most common type of data breach in 2021, it didn’t even make the top three in 2019.

The researchers analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches. Similar incidents are grouped together into “patterns.”

To clarify, DBIR looks at eight patterns:

*   **Basic Web application attacks:** Attacks against Web applications where the attacker is after the data.
*   **Denial-of-service attacks:** Network and application-layer attacks compromising the availability of networks and systems.
*   **Lost and stolen assets:** Assets that went missing, either maliciously or by mistake.
*   **Miscellaneous errors:** Unintentional actions compromised an asset’s security.
*   **Privilege misuse:** Involves unapproved or malicious use of legitimate privileges.
*   **Social engineering:** Tricking an individual into compromising the security of a device or data.
*   **System intrusion:** Attacks depending on malware (including ransomware) or hacking to compromise systems.
*   **“Everything else.”**

The second and third most common types of data breach in 2021 were basic Web application attacks and social engineering. In 2020, social engineering was the most common, followed by Web application attacks and then system intrusion. The top three in 2019 were Web application attacks, social engineering, and miscellaneous errors. System intrusions were the fourth most common pattern observed in Verizon’s dataset, the researchers said.

    

**Where the Threats Are**

System intrusions tend to be one of the more complex breaches because they consist of multiple different actions, such as social engineering, malware, and hacking. One reason for the spike for system intrusion may be the fact that supply chain and ransomware attacks increased dramatically this year, the researchers say. The most common actions -- how attackers are carrying out their activities -- for data breaches (grouped under system intrusions) included use of command-and-control servers to execute commands, stolen credentials, malware deploying backdoors, and ransomware. The five most common attack vectors were third-party software, software updates (SolarWinds, anyone?), desktop sharing software, email, and Web applications. 

In contrast, Web application attacks in Verizon's dataset consist of two groups of actions: ways to access the server and the payload itself. Ways to access the server include actions such as stealing credentials, exploiting vulnerabilities, and brute-forcing passwords. While the majority of the attacks focus on the Web application, breaches in this group, attackers also relied on backdoors, remote injection, and accessing desktop sharing software to compromise the server. 

The system intrusions in Verizon's dataset primarily targeted manufacturing (14.4%) and public-sector (13.9%) organizations. For Web applications, manufacturing remained the primary target, at 16.1%, and financial services was the second most popular target, at 15.8%. The list looks different for social engineering, where retail organizations (16.6%) were the most common target, followed by professional (13.8) organizations. 

While most breaches were the result of attacks by external adversaries, 14% of breaches were due to errors such as misconfigured cloud storage and exposed cloud servers. People are fallible – and it’s not just about configuration errors, as the report notes that 82% of breaches involved the human element. “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” researchers wrote.

Most Common Threats in DBIR

New threat hunting and risk identification service provides organizations with an enterprise-wide baseline of their threat landscape and risk exposure.

San Jose, Calif., 24 May 2022 – Forescout Technologies, the leader in automated cybersecurity, today announced the launch of Forescout Frontline, a new threat hunting service utilizing a team of highly-trained cybersecurity analysts to support cybersecurity teams by proactively identifying risks, enabling accelerated incident response, and maturing security posture. Forescout is offering this complimentary service for organizations that lack the internal resources and visibility to defend themselves from cybersecurity attacks, including ransomware and advanced persistent threats (APT).

“Cybersecurity attacks are on the rise. Simultaneously, cybersecurity teams are perennially understaffed and under resourced. This has created a perfect storm,” said Shawn Taylor, vice president of threat defense. “Organizations are under immense pressure to cope with the scale and speed of attacks and the havoc caused by the adversaries. Forescout is launching this new service to help organizations defend against attacks by providing a complete and holistic view of their assets.”

Many organizations use multiple security tools across multiple teams to help identify threats and risks. However, insights may be limited due to siloed views of IT, IoT, IoMT or OT assets. Typically, a variety of these asset types exist across an organization’s digital terrain and are often interconnected, which means cybersecurity risk must be identified and tackled holistically.

Delivered by Forescout Frontline analysts, the Threat Hunting and Risk Identification Service overcomes staffing resources and asset visibility challenges to uncover threats and identify risks that may otherwise remain undiscovered. Forescout Frontline will help organizations:

Discover, validate and prioritize a wide variety of cyber threats and vulnerabilities across all assets, including IT, IoT, IoMT and OT

Analyze the context and risk associated with all findings

Leverage the comprehensive insights to develop effective risk mitigation and remediation strategies

A State of Florida Agency, which supports several key Florida departments, engaged Forescout Frontline to understand each instance of Log4j, a zero-day vulnerability in a popular Java logging framework, across the organization’s 220 sites in 16 diverse divisions. In less than a day and a half, Forescout Frontline delivered insights into thousands of assets with vulnerabilities such as Log4j and Windows-based PrintNightmare. Additionally, hundreds of Critical CVSS-rated vulnerabilities affecting infrastructure devices such as switches and routers were found. Finally, actionable intelligence concerning critical embedded IoT TCP-IP stack-based instances such as NUCLEUS: 13 and RIPPLE 20, insecure communications, and other risks were also discovered. Leveraging this free service shrunk time to mitigation and remediation of these security gaps and improved overall security posture.

“When Log4J broke, we knew it was a critical issue, but we lacked a full picture of the risk within our extended enterprise. The \[Forescout threat hunting\] report was way more thorough than I expected, with in-depth information and actionable intelligence. Not just on Log4j but on other critical vulnerabilities as well, and not just in general terms but exactly where they exist in our environment.” – Information Security Manager, State of Florida Agency

Forescout Frontline levels the cybersecurity playing field by operationalizing the vulnerability research and threat intelligence produced by Forescout’s Vedere Labs and enhancing it with the Forescout Continuum Platform to provide threat hunting services across multiple dimensions. Forescout Frontline analysts include former public sector and private sector threat hunters with training in threat detection and incident response.

To learn more about Forescout Frontline visit here and for further insight into how a State of Florida agency benefitted from this new service visit here.

**About Forescout**

Forescout Technologies, Inc. delivers automated cybersecurity across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types – IT, OT, IoT, IoMT. The Forescout Continuum Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets.

Managing cyber risk, together.

Forescout Launches Forescout Frontline to Help Organizations Tackle Ransomware and Real Time Threats

Gartner's security service edge fundamentally changes how companies should be delivering data protection in a cloud and mobile first world.

Do you live life on the edge? If you're a rock climber, skydiver, or striving to be a TikTok dance influencer, the answer might be yes. Putting yourself out there requires risk but can be rewarding. Why? When you are able to confidently look risk in the eye and say "I win," that dopamine hit makes you feel invincible! So, do you feel the same way about your data protection? Letting your data protection live on the edge might sound risky, but in reality it's a step in the right direction, and it dramatically transforms how you think and deliver data security.

Before we get too far into it, let's actually explore what the "edge" means. If you're familiar with Gartner's latest collection of letter-soup offerings for the security industry, you probably know where this is going. Secure access service edge (SASE) and its better half, security service edge (SSE), are frameworks that define how organizations should think about cloud security platforms. In short, organizations are being encouraged to double down on SSE, which unifies all security services into a zero-trust cloud platform. SSE follows the user over any connection, drives down risk with always-on protection, and ditches the cost and complexity of point products like SWG, DLP, VPN, CASB, firewalls, and sandboxes. It's the next big thing, but how does this change data protection?

Let's start with the traditional view of data protection, which has been driven by DLP and CASB vendors over the last several years. The discussion focuses on how users interact with data, how the data is handled (sometimes dangerously), and how the internal threat to your data should be controlled. It's the standard data-protection pitch you've probably heard multiple times. Well, here are the real questions: What about the _external_ threat? Which has the most potential to damage your organization: internal or external threats? I often talk to customers that know they are losing data due to accidental user error but have come to accept it as background noise. Those same customers, when a data breach happens, spring into action with the force of a thousand caffeinated SOC employees. See my point? Now, please don't get me wrong — the internal threat shouldn't be neglected, but it's clear that the best strategy should masterfully combine both external and internal data threat protection. This is why SSE is such a powerful concept — if delivered correctly.

Since SSE focuses on incorporating data protection into a larger zero-trust, cyber-threat story, we should understand what that means. Like any great architecture, it starts with a strong foundation. In the case of SSE, that foundation without a doubt is inline proxy inspection, which enables SSL inspection. Want to keep data from leaking to the Internet? Want full visibility to find and classify sensitive data? Want to stop data exfiltration during a breach? They all require full, scalable SSL inspection. Inline inspection sets up everything else, which is why it's so important to get that part right. But there's a big caveat here — your inline security cloud needs to prove that it can deliver when the going gets tough. If it can't perform or scale, everyone across the organization will immediately know there's a problem.

After that, stopping external and internal threats with SSE becomes easy. First, start with SWG to block risky destinations and content. This prevents external threats like phishing and ransomware from targeting your users and data. Add to that a helping of sandbox and AI/ML to quickly stop zero-days and advanced threats. Now, move to DLP, which is the core building block of great data protection. Define this to find and control your sensitive content and then send it hunting across your data in motion and at rest in your clouds (with CASB). Since you're already inline, and everything is unified, you only have one policy, which reduces complexity and alert noise. You get full control over user and cloud app activity, and can ensure data isn't accidentally or maliciously lost. Once you've tackled the basics, you can move on to other aspects of data protection, like browser isolation for BYOD or UEBA to quickly zero in on suspicious activity. Best of all, services can be easily added as you grow.

Hopefully, you're beginning to see that the right SSE platform can drastically change how you deliver data protection. It applies a more holistic approach to securing data, and equally focuses on external and internal threats, while drastically reducing cost, complexity, and overall risk. So as you look to evolve your data protection strategy, remember to live life on the edge! And maybe keep those TikTok videos to yourself.

**About the Author**

    

Steve Grossenbacher is Director of Product Marketing at Zscaler, where he currently focuses on data protection. Prior to Zscaler, Steve held marketing, competitive, sales engineering and support positions at McAfee and Xerox Engineering Systems. With more than 20 years of experience in the network and security industry, he has helped companies navigate the ever-changing world of IT and currently helps organizations securely transform their networks to a cloud-first architecture

Is Your Data Security Living on the Edge?

A sprawling, multiyear operation nabs a suspected SilverTerrier BEC group ringleader, exposing a massive attack infrastructure and sapping the group of a bit of its strength.

Business email compromise (BEC) attacks have caused billions of dollars in losses to businesses globally in recent years — but now international law-enforcement has notched up another victory in the battle against them.

Interpol on Wednesday announced that "Operation Delilah" has resulted in Nigerian police arresting the suspected head of SilverTerrier, aka TMT, which is a massive BEC operation that has been active since at least 2015, impacting thousands of businesses and individuals across four continents. The 37-year-old Nigerian man, who the Interpol did not name, was apprehended at the Murtala Muhammed International Airport in Lagos as he attempted to re-enter the country after fleeing ahead of the police in 2021.

The arrest marks the culmination of a year-long investigative effort that was led by the Interpol's Africa desk and involved law-enforcement agencies from multiple countries. Three security vendors — Palo Alto Networks, Group-IB, and Trend Micro — also supported the effort by providing information on the BEC effort and its operators to the investigating entities. And Interpol also flagged CyberTOOLBELT as providing "ad hoc support" to the investigative effort.

**Notching Up Arrests**

The latest arrest brings to 15 the total number of individuals who have been arrested in recent years for their alleged involvement in BEC scams out of Nigeria — a hotbed of activity for this type of threat for years. In January, Nigeria's police, acting on information from Interpol, arrested 11 individuals for allegedly defrauding or attempting to defraud some 50,000 organizations worldwide via BEC scams. Six of the individuals were identified as belonging to SilverTerrier. At the time of the January arrests, law enforcement authorities recovered one laptop that contained a staggering 800,000 usernames and passwords that appeared to belong to victim organizations.

    

The suspect. Source: Group-IB

That 10-day operation was code-named "Falcon II"; it was preceded by another in November 2020 dubbed "Falcon I," when three alleged SilverTerrier members were arrested for their involvement in BEC scams that compromised 500,000 organizations worldwide.

Pete Renals, principal researcher for Unit 42 at Palo Alto Networks, says researchers from the company have been tracking the Nigerian individual who was arrested recently since at least 2017. He notes that while this person is suspected to be a ringleader, it's hard to say what exactly the individual's role was within SilverTerrier because of the sheer number of people who are part of the group and the amorphous nature of their malicious activities. 

"It is difficult to draw boundaries around subgroups or affix certain roles to actors, as these groups are often time-bound, fluid in organization, and the individual role of a specific actor usually evolves over time," Renals says.

**A Massive Operation**

That said, Unit 42's research shows that the arrested individual likely owned the infrastructure that served as the command- and-control (C2) for malware such as ISRStealer, a keystroke logging tool; Pony, a password stealer; and the LokiBot information stealer, Renals notes. 

The security vendor says it also identified more than 240 domains that the threat actor had registered under various aliases. Fifty of those domains were used as C2 infrastructure for malware the threat actors used in their BEC campaigns. 

Significantly, the arrested individual provided a street address that belonged to a major US financial institution in NY when registering the domains, Palo Alto Networks said. The same individual also shared social-media connections with at least three of the BEC operators who were previously arrested as part of Operation Falcon II.

The string of arrests since late 2020 has highlighted the growing ability of international law enforcement authorities, cybersecurity vendors, and other stakeholders to work together in tracking down major BEC operators. Even so, BEC remains a major cyberscourge to organizations worldwide. 

According to statistics maintained by the FBI, BEC attacks caused a staggering $43 billion in actual and attempted losses worldwide between June 2016 and last December. In that time frame, there were some 241,200 BEC incidents involving victims in all 50 US states and 177 countries. Approximately 116,400 individuals and organizations in the US reported being targeted by a BEC scam during that period, causing over $14.7 billion in losses.

Renals says the sheer scope of BEC activity has made it challenging to stop. "The BEC threat landscape is extremely active and constantly evolving," he says. "As a threat type, it has grown over the years to become the most prevalent and costly form of malicious cyber activity targeting our organizations."

While Nigeria has been the center of BEC activity in recent years, there have been similar scams originating from other countries as well, he says. "We also see BEC schemes originate from Malaysia and India, and we see facilitation of BEC schemes in most developed nations to include money mules laundering the money from the attacks," Renals says.

Source

DARKReading