Players can only access the game by first joining its Telegram channel, with some going astray in copycat channels with hidden malware.

Source: Science Photo Library via Alamy Stock Photo

Malicious actors are targeting users of a mobile currency game by using fake Android and Windows software that installs spyware and other malware.

Hamster Kombat launched in March and already has more than 250 million users, likely due to the promises of winning TON-based cryptocurrency. The game is for Android users, who can earn in-game currency by completing certain tasks within the game.

To play, users must join the game's Telegram channel, scan a QR code, and then launch a Web app on their device. When users first search for the game's Telegram channel, they are likely to come across other Hamster-branded channels attempting to distribute Android malware. One channel, named "HAMSTER EASY," even distributes Ratel Android spyware as an APK file.

This malware can allow the threat actors to subscribe the victim to different services and hide the notifications so that they remain unaware.

Other fake websites include "hamsterkombat-ua.pro" and "hamsterkombat-win.pro," which redirect visitors to advertisements to generate money instead of the real game. 

On the Windows platform, researchers discovered GitHub repositories that promise its victims Hamster Kombat farm bots and autoclickers but instead deliver cryptors that contain Lumma Stealer, info-stealer malware.

As the game continues to grow in popularity among users, it will continue to attract malicious actors, so users should be wary of being tricked by threat actors and copycat apps and remain vigilant when downloading software.

**About the Author(s)**

Hamster Kombat Players Threatened by Spyware &amp; Infostealers

Though the cybersecurity vendor has since reverted the update, chaos continues as companies continue to struggle to get back up and running.

Source: SOPA Images Limited via Alamy Stock Photo

This is a breaking news story and will be updated as new developments occur.

This morning, Microsoft servers across the world displayed the dreaded "blue screen of death," leading to mass IT outages that disrupted business, airlines and flights, healthcare providers, banks, and more. The cause: A defective update to CrowdStrike Falcon Sensor, a widely used cloud-based endpoint detection and prevention (EDR) software program.

CrowdStrike said its engineering team has identified the issue that caused the massive disruption to Windows-based systems: A bug in the Memory Scanning prevention policy, which was not identified during their testing stages, Callie Guenther, senior manager at Critical Start, noted in an emailed statement.

"While CrowdStrike likely performed standard regression and functionality tests, these were insufficient because they did not simulate the real-world deployment environment where the bug caused the Falcon sensor to consume 100% of a CPU core," she wrote. This ultimately led to system performance issues.

CrowdStrike has since reverted the flawed Falcon software update. Even so, some users are still experiencing system crashes or are unable to stay online to receive the new and fixed version. The cybersecurity vendor has provided workaround steps for this issue.

In a post on social platform X, Microsoft CEO Satya Nadella said the company is aware of the issue and is working closely with CrowdStrike to provide technical support to its customers and get their systems back online.

**Falcon Fallout**

The severity of the broken CrowdStrike update became increasingly painful as victim reports rolled in throughout the day: More than 1,300 flights have been canceled or delayed, trains, card payments in stores, pharmacies, and even general practitioner (GP) surgeries were stalled. 

The Department of Health in Belfast reported that two-thirds of GP practices in Northern Ireland have been affected, with patient records inaccessible as well as lab tests and routine prescriptions.

Delta flights have been paused as it "works through a vendor technology issue," the New York Times reported, and Turkish Airlines has canceled at least 84 flights. Employees at financial institutions like JPMorgan Chase and Instinet have had trouble accessing their corporate systems as operations began to stutter.

Even the Paris Olympics organizing committee reports that its IT operations have been affected, mainly affecting delivery of uniforms and accreditations.

Meanwhile, President Joe Biden has been briefed on the outage, according to the White House, and administration officials are reportedly in touch with affected entities as well as CrowdStrike, which is working with customers that have been impacted.

"Mac and Linux hosts are not impacted," George Kurtz, president and CEO of CrowdStrike, wrote online. "This is not a security incident or cyberattack. The issue has been identified \[and isolated,\] and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website."

**It's Not a Data Breach, but it's a Disaster**

In an industry where cybersecurity practices and services are meant to protect an enterprise without interrupting them, this outage proves that "even non-malicious cybersecurity failures can bring businesses to their knees," according to Maxine Holt, cybersecurity analyst at Omdia.

This massive incident underscores an over-reliance on cloud services, Holt noted in an online statement, and the outage may prompt organizations to reconsider moving their mission-critical applications to the cloud.

"Omdia's Cloud and Data Center analysts have long warned about over-reliance on cloud services," Holt said. "Today's outages will make enterprises rethink moving mission-critical applications off-premises. The ripple effect is massive, hitting CrowdStrike, Microsoft, AWS, Azure, Google, and beyond. CrowdStrike's shares have plummeted by more than 20% in unofficial pre-market trading in the US, translating to a staggering $16 billion loss in value."

As CrowdStrike will undoubtedly face scrutiny as it gets back on its feet, only time will tell how this outage could affect regulation and pressure on software vendors.

"We need stronger regulations and guidance on vendor responsibilities for functional testing," Josh Thorngren, security strategist at ForAllSecure, wrote in an emailed statement. "If you're not testing the behavior of your application under-expected (and unexpected) conditions with every update — this type of issue will always be a risk."

Buggy CrowdStrike EDR Update Crashes Windows Systems Worldwide

The Coalition for Secure AI is a consortium of influential AI companies aiming to develop tools to secure AI applications and set up an ecosystem for sharing best practices.

Source: ElenaBS via Alamy Stock Photo

The largest and most influential artificial intelligence (AI) companies are joining forces to map out a security-first approach to the development and use of generative AI.

The Coalition for Secure AI, also called CoSAI, aims to provide the tools to mitigate the risks involved in AI. The goal is to create standardized guardrails, security technologies, and tools for the secure development of models.

"Our initial workstreams include AI and software supply chain security and preparing defenders for a changing cyber landscape," CoSAI said in a statement.

The initial efforts include creating a secure bubble and systems of checks and balances around the access and use of AI, and creating a framework to protect AI models from cyberattacks, according to Google, one of the coalition's founding members. Google, OpenAI, and Anthropic own the most widely used large language models (LLMs). Other members include infrastructure providers Microsoft, IBM, Intel, Nvidia, and PayPal.

"AI developers need — and end users deserve — a framework for AI security that meets the moment and responsibly captures the opportunity in front of us. CoSAI is the next step in that journey, and we can expect more updates in the coming months," wrote Google's vice president of security engineering, Heather Adkins, and Google Cloud's chief information security officer, Phil Venables.

**AI Safety as a Priority**

AI safety has raised a host of cybersecurity concerns since the launch of ChatGPT in 2022. Those include misuse for social engineering to penetrate systems and the creation of deepfake videos to spread misinformation. At the same time, security firms, such as Trend Micro and CrowdStrike, are now turning to AI to help companies root out threats.

AI safety, trust, and transparency are important as results could steer organizations into faulty — and sometimes harmful — actions and decisions, says Gartner analyst Avivah Litan.

"AI cannot run on its own without guardrails to rein it in — errors and exceptions need to be highlighted and investigated," Litan says.

AI security issues could multiply with technologies such as AI agents, which are add-ons that generate more accurate answers from custom data.

"The right tools need to be in place to automatically remediate all but the most opaque exceptions," Litan says.

US President Joe Biden has challenged the private sector to prioritize AI safety and ethics. His concern was around AI's potential to propagate inequity and to compromise national security.

In July 2023, President Biden issued an executive order that required commitments from major companies that are now part of CoSAI to develop safety standards, share safety test results, and prevent AI's misuse for biological materials and fraud and deception.

CoSAI will work with other organizations, including the Frontier Model Forum, Partnership on AI, OpenSSF, and MLCommons, to develop common standards and best practices.

MLCommons this week told Dark Reading that in fall this year it will release an AI safety benchmarking suite that will rate LLMs on responses related to hate speech, exploitation, child abuse, and sex crimes.

CoSAI will be managed by OASIS Open, which, like the Linux Foundation, manages open source development projects. OASIS is best known for its work around the XML standard and for the ODF file format, which is an alternative to Microsoft Word's .doc file format.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Tech Giants Agree to Standardize AI Security

After an extended period underground, the Chinese hackers have added a more sophisticated infection chain and additional EDR evasion techniques.

Source: Rokas Tenys via Alamy Stock Photo

The mysterious and covert Chinese hacking group GhostEmperor has resurfaced after a two-year hiatus with even more advanced capabilities and evasion techniques.

Initially discovered by Kaspersky Lab in 2021, GhostEmperor was notorious for targeting telecommunications and government entities in Southeast Asia through sophisticated supply chain attacks.

The group's recent activities were uncovered by cybersecurity firm Sygnia, which detailed the group's evolved attack methods in a report released this week. 

A recent investigation by the security firm into a compromised network of an unidentified client revealed that GhostEmperor was behind the breach.

The attackers used the compromised network as a launchpad to infiltrate another victim's systems, an incident which marks the first confirmed activity from GhostEmperor since 2021.

Sygnia's investigation found GhostEmperor had updated its well-known Demodex rootkit, a kernel-level tool that grants the highest level of access to the victim's operating system while evading endpoint detection and response (EDR) software.

The updated variant includes a reflective loader to execute the Core-Implant and employs new obfuscation techniques, such as different file names and registry keys. Additionally, the variant analyzed appears to have been compiled in July 2021, indicating it might be a newer version than what Kaspersky originally documented.

**Infection Chain, Evasion Techniques**

The analysis also noted significant alterations in GhostEmperor's infection chain.

Traditionally, the group gained initial access by exploiting vulnerabilities such as ProxyLogon. A batch file was executed to initiate the infection, deploying various tools that communicated with a set of command-and-control (C2) servers.

In the most recent breach, GhostEmperor employed the WMIExec tool from the Impacket Toolkit to execute commands remotely via Windows Management Instrumentation (WMI), initiating the infection chain on the compromised machine.

The report noted the new infection chain is more sophisticated and stealthier, incorporating additional EDR evasion techniques.

“We are seeing, again and again — especially in this scenario, when we went into the customer's domain — that people are not aware of their environment,” Azeem Aleem, Sygnia's managing director, told The Record, cybersecurity firm Recorded Future's news site. 

**GhostEmperor Left a Global Trail**

When GhostEmperor was first identified in September 2021, Kaspersky described the group as a highly skilled and sophisticated threat actor, primarily targeting high-profile entities in Southeast Asia, including Malaysia, Thailand, Vietnam, and Indonesia. 

Additional victims included entities in Egypt, Ethiopia, and Afghanistan, indicating a broad and ambitious scope of operations.

The initial discovery by Kaspersky highlighted GhostEmperor's use of multistage malware designed for stealth and persistence, leveraging rootkits and other advanced tools to maintain a foothold in compromised networks.

The group's ability to evade detection and employ complex attack strategies led researchers to categorize them as a state-sponsored actor, given the resources and expertise required to develop and deploy such tools.

**Chinese Threat Actors Multiply **

This month alone Chinese threat actors have been discovered targeting Internet cafes in China that allow attackers to execute malicious code with the highest privileges. 

The Chinese state-sponsored actor APT40 was discovered exploiting newly discovered software vulnerabilities within hours targeting organizations globally, including repeated attacks on Australian networks. At the start of the month China-backed threat group Velvet Ant was discovered using targeted malware to exploit a vulnerability in Cisco's NX-OS software for managing a variety of switches.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Notorious Chinese Hacker Gang GhostEmperor Re-Emerges After 2 Years

Private sector organizations are "hesitant" to seek guidance from the Coast Guard, which isn't sufficiently equipped to help them yet.

Source: Rick Pisio/RWP Photography via Alamy Stock Photo

The Coast Guard is struggling to secure the US maritime supply chain thanks to inadequate staffing, training, authority, and cyber expertise.

A new report from the Department of Homeland Security's Office of Inspector General paints a picture of an industry reluctant to seek cybersecurity support, and a military unable to adequately provide it.

Coast Guard "Cyber Protection Teams" (CPTs) have offered free cybersecurity help to organizations in the Maritime Transportation System (MTS) since 2021, yet only 36% of qualifying organizations have taken them up on it. The private sector is "hesitant," the report says, despite the many security vulnerabilities CPT assessments typically uncover.

Part of the blame lies with the Coast Guard itself. The DHS Inspector General's Office's found that CPT inspections of marine facilities and vessels don't always account for "the full scope of potential cybersecurity threats. This occurred because Coast Guard does not have the authority or training to enforce private industry compliance with standard cybersecurity practices."

Plus, the service branch lacks staff with cyber expertise, according to the DHS IG.

**Coast Guard Role in Private Sector Cybersecurity**

Earlier this year, the Biden administration issued an executive order that, among other things, empowered the Coast Guard to take an even greater role in private sector security.

The military branch now has the authority to quarterback response efforts after any facilities, harbors, ports, or individual vessels are impacted by cyber incidents, including by inspecting or even controlling the movement of vessels which might otherwise threaten US infrastructure. It was also assigned the task of creating a set of minimum cybersecurity requirements for the industry.

"You don't see the Air Force directly taking on transportation \[security\], but it makes sense here in this case due to their \[the Coast Guard's\] sector expertise," says Itay Glick, operational technology expert and vice president of products at Opswat. "They already have relationships with the different groups — ships, ports, etc. — because of their day- to-day work, and adding that layer of cybersecurity actually makes sense."

In some ways, the Coast Guard has been quite productive so far. Cyber incidents reported to, and reviewed by, the Coast Guard have risen 111% in the past few years. Its vulnerability assessments have uncovered hundreds of incidents involving dozens of vulnerabilities, more than half of "critical" or "high" severity, meaning they could cause complete network, application, or system compromise.

In other ways, though, the service branch has not seemed up to the task. The DHS observed some CPT inspectors ignoring cybersecurity entirely, and found that they "expressed a limited understanding of how to address cybersecurity" thanks to little to no cybersecurity training. And even when vulnerabilities were found, the branch had insufficient means to force companies to comply with its recommendations for remediation.

**Threats to Maritime**

If it wasn't obvious enough in years prior, the world learned just how valuable and sensitive the MTS is from COVID and the Ever Given incident in the Suez Canal. Hackers learned it, too, and now cyber threats to the system are far greater than they ever were before.

A report from the Coast Guard Cyber Command last year found an 80% rise in reported ransomware incidents, with ransom demands tripling on average. Cyber disruptions to marine industries can come in many other forms as well, and cyber espionage — particularly from capable nation-state adversaries — is a persistent risk.

A failure to account for the kinds of vulnerabilities uncovered by plenty of CPT assessments already could, in the worst-case scenarios, lead to physical danger for crew members or marine life, and major disruptions to the global supply chain.

"Years ago, you saw \[how\] you couldn't bring new supplies into countries across the world. This is something that can happen again," Glick Warns, "and this is what we need to fear. If you don't have produce coming in, that might terribly impact the commercial industry here in the US."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DHS Inspector General: Coast Guard Shortcomings Hinder US Maritime Security

As threat actors get smarter about how they target employees, the onus is on organizations to create a strong line of defense — and the human element is a critical component.

Masha Sedova, VP, Human Risk Strategy, Mimecast

July 19, 2024

4 Min Read

Source: Yuliya Volkovska via Alamy Stock Vector

COMMENTARY

As the stakes of cyberattacks continue to rise, organizations are throwing more and more money at innovative new services and equipment to thwart them. But, at the same time, many are still taking a customary, one-size-fits-all approach to securing perhaps the most critical threat vector: the human element. There's little to be gained by spending more on locks and security guards if someone unknowingly leaves the door open for robbers into the building.

Year after year, the human element consistently ranks among the greatest risk factors in cybersecurity — it is projected to play a central role in 68% to 90% of breaches in 2024 — and the standard practice of mandated security awareness trainings isn't driving improvement, as stolen credentials, data leaks, and targeted phishing emails remain prevalent. To address this critical vulnerability, chief information security officers (CISOs) must take a more data-driven, tailored approach to mitigating human risk that goes beyond just training — one that requires human-by-design cybersecurity.

**Quantifying Risk**

Security awareness training helps, but it doesn't complete the job, as it treats every employee the same. In reality, some users are highly adept at sniffing out threats, while others require additional support. Some subsets of users are targeted with great regularity, while others receive very few phishing attempts. As such, a human-centric security approach must begin with a detailed understanding of the organization's distribution of risk.

The first step is pinning down those at the company who are most at risk. Studies have found that just 8% of employees cause 80% of incidents, and many in this subset typically are repeat offenders. Certain individuals are also targeted more frequently, due to their prominence: Managers receive 2.5 times more phishing emails on average than non-managers, and the rate of attempts goes up for all employees the longer they remain at a company, nearly doubling every three years.

These figures can vary widely between organizations, so it's key for businesses to perform their own analysis. This can be done by analyzing data that's often overlooked — like the logs generated by security endpoints when they prevent employees from executing malware — and gathering patterns from it. In the ideal framework, security administrators should be able to pull data from all manner of security tools to understand what good or risky security decisions users make on an ongoing basis and build a profile on users' individual security risk.

**Managing Risk**

Much like financial institutions with credit scores or insurance companies with premiums, organizations can then begin leveraging these risk scores to create a personalized, adaptive approach to security, beginning with tailored training.

Rather than making all employees complete the same generic security awareness modules (which, let's be honest, most people will just blow through with little attention paid), individuals who have proven themselves a low risk can instead be served a light slate of policy reminders and checklists. Those on the opposite end of the spectrum, who are either frequently targeted or will be, can be mandated to take more rigorous training with a focus on the topics related to the risks they face.

With detailed insights into behavior patterns, organizations can also reward good security practices with recognition. They can then take steps to stem bad habits with interventions like adaptive nudges — personalized messages sent out at the right time, or context to prevent users from falling victim to attacks — or strategies like tighter email security filtering, stricter browsing permissions, or reducing the time that multifactor authentication tokens are valid on at-risk users' machines.

It's important that these practices are carried out with transparency so employees know how the security team plans on using this collected data. When security teams take a constructive stance — for example, by sending out report cards that affirm positive behavior and suggest areas to improve — employees almost universally respond with openness and appreciation. For the small percentage of users in the high-risk group, extra care should be taken to explain how the additional training and adaptive measures are designed to help them get better.

**Tracking Improvement**

Collecting and analyzing security events also allows administrators to take a more data-driven approach to measuring results and, ideally, improvement. By gauging their baseline, security teams can then track the number of risky behaviors occurring on the network over time and dial in the best methods of "bubble wrapping" subsets of the user base to reduce future occurrences.

This measurability stands in stark contrast to conventional human risk mitigation practices (i.e., simple awareness training), which can often take the form of a black hole in terms of understanding impact and, in turn, return on investment (ROI). With an objective, outcomes-first approach, CISOs can both deliver security improvement and clearly demonstrate the success of the investment to the rest of the C-suite.

As threat actors get smarter about how they target employees, the onus is on organizations and their cybersecurity partners to create a strong line of defense — and the human element is a critical component. Companies that take a more intelligent, personalized approach to curbing risky behavior will stand the best chance of safeguarding their organizations against cyberattacks, all while making more efficient use of their security budgets.

**About the Author(s)**

VP, Human Risk Strategy, Mimecast

Masha Sedova, co-founder of Elevate Security, has made her mark in cybersecurity through her practical and human-centered approach to the field. Under her leadership, Elevate Security's innovative platform significantly reduced user-related risks for enterprises. This led to its acquisition by Mimecast in 2024 where she now serves as VP of human risk strategy.

In Cybersecurity, Mitigating Human Risk Goes Far Beyond Training

According to Mandiant, among the many cyber espionage tools the threat actor is using is a sophisticated new dropper called DustTrap.

Source: Travel mania via Shutterstock

One of China's more prolific threat groups, APT41, is carrying out a sustained cyber espionage campaign targeting organizations in multiple sectors, including global shipping and logistics, media and entertainment, technology, and the automotive industry.

The advanced persistent threat (APT) actor appears to have launched the new campaign sometime in early 2023. Since then, the group has successfully infiltrated multiple victim networks and maintained prolonged access on them, Google's Mandiant security group said this week in a joint analysis with Google's Threat Analysis Group (TAG). Most of the affected organizations are located in the United Kingdom, Italy, Spain, Taiwan, Thailand, and Turkey.

APT41 is sort of an umbrella descriptor for a collective of China-based threat actors engaged in cyber espionage, supply chain attacks, and financially motivated cybercrime around the globe since at least 2012. Over the years security researchers have identified multiple subgroups as being part of the APT41 collective, including Wicked Panda, Winnti, Suckfly, and Barium. These groups have stolen trade secrets, intellectual property, healthcare related data and other sensitive information from US organizations and entities around the word on behalf of the Chinese government. In 2020, the US government indicted five members of APT41 for participating in or contributing to attacks on more than 100 companies worldwide. Those charges have done little to deter the group's activities so far, however.

**APT41's Widespread Geographic Impact**

Nearly all but one of the targeted organizations in the shipping and logistics sector were based in the Middle East and Europe, while all organizations that APT41 targeted in the media and entertainment sector were located in Asia. Many victims within the shipping and logistics sectors have operations across multiple continents, either as subsidiaries or affiliates of large multinational companies in the same sector, Mandiant researchers said.

"An analysis of victim organizations within specific sectors reveals a notable geographic distribution," Mandiant researchers said in its blog post.

Further, "Mandiant has detected reconnaissance activity directed towards similar organizations operating within other countries such as Singapore," the security vendor wrote. "At the time of the publication, neither Mandiant nor Google TAG have any indicators of these organizations being compromised by APT41, but it could potentially indicate an expanded scope of targeting."

**Custom Cyber Espionage Tools**

Mandiant researchers also said it had observed APT41 actors using a range of custom tools in its ongoing campaign, including those for dropping malware on target systems, establishing backdoors, moving laterally in compromised networks, and exfiltrating data from them. The tools include two Web shells for persistence, called AntsWord and BlueBeam, which the threat actor has been using to download a dropper called DustPan, which in turn attempts to load the Beacon post-compromise tool on victim systems.

In addition to this, Mandiant said it observed APT41 use a hitherto unseen multi-stage plugin framework called DustTrap for decrypting malicious payloads and executing them in memory so as to enable communication between the compromised system and APT-41 controlled systems and infrastructure. "DustPan has been used by APT41 as far back as 2021, but DustTrap was first seen in this activity," says Ben Read, head of cyber espionage analysis at Mandiant.

Other tools that APT41 actors have effectively deployed in the current campaign include malware dubbed SQLULDR2 for copying data from Oracle Databases and PineGrove for exfiltrating large volumes of data from a compromised network to a OneDrive account for subsequent analysts.

"APT41 has always had a global mandate, so while their targeting in this campaign likely reflects current PRC priorities, the widespread nature is consistent with what we have seen previously from them," Read says.

So far, Mandiant has found no evidence to suggest that APT41 are seeking to monetize their attacks in the current campaign in any way. "However, we do not have full insight into the post compromise activity, so can't say for sure."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's APT41 Targets Global Logistics, Utilities Companies

Attackers are more likely to target critical infrastructure industries and, when they do, they cause more disruption and ask higher ransoms, with the median payment topping $2.5 million.

Source: Have a nice day Photo via Shutterstock

When ransomware targeted the city of Dallas, Texas last year, it took down city services, the municipal water utility's ability to bill and read meters, and emergency services. The city required more than a month to bring all its systems back online.

Dallas is not alone. In 2023, two-thirds of critical infrastructure operators (67%) in the oil, energy, and utility sectors suffered a ransomware attack, compared to 59% of all industries, according to a survey by Sophos. In addition, attacks on those critical-infrastructure sectors affected an average of 62% of systems, far higher than the 49% of systems across all industries impacted during a ransomware attack.

In fact, the groups collectively tie healthcare as the second-most impacted sectors, with only federal government agencies impacted more often, says Chester Wisniewski, global field CTO at Sophos.

"This sector needs to recognize this as a serious risk and position themselves to not be so vulnerable to ransom demands," he says. "This isn't impossible work. Ultimately it's about getting the basics right, just like in previous years."

Critical infrastructure sectors have been perennial favorites of ransomware gangs, dating back to the Colonial Pipeline incident and even earlier. Ransomware cases in the industrial sector almost doubled between 2022 and 2023 to 1,484 attacks, from 804 incidents, according to data from the NCC Group, a cybersecurity consultancy.

The industrial sector — under which critical-infrastructure companies fall — manages essential services, and disruptions can have severe consequences, prompting quick ransomware payments, says Ian Usher, associate director of threat intelligence operations and service innovation for the NCC Group.

"Organizations that provide a public service or support critical infrastructures are more attractive for ransomware attacks because they face external pressure to restore operations," he says.

**What Makes a Successful Industrial Ransomware Attack?**

Most ransomware attacks against companies in the critical-infrastructure sectors of oil, energy and utilities succeeded through exploiting software vulnerabilities, which accounted for 49% of successful attacks versus 35% the previous year, according to Sophos's report. Compromised credentials (27%) and malicious emails (14%) rounded out the top-3 vectors.

A critical measure is how often an attack led to data being encrypted. In 2023, eight in 10 attacks resulted in encrypted data, the same as the previous year, but significantly higher than the previous two years, says Sophos' Wisniewski.

"This is worrying," he says. "These numbers should be improving as the adoption of extended detection and response (XDR) and managed detection and response (MDR) is becoming increasingly common."

The impact of ransomware attacks are often brutal for businesses. The average respondent in Sophos's survey required more than a month to recover. For the first time, more companies paid the ransom (61%) than used backups for recovery, even while the median payment jumped to $2.54 million. The average cost of recovery from an incident topped $3 million in 2023, matching the previous year. (Note, while Sophos's report is labeled 2024, the data is from 2023, so Dark Reading uses the latter year.)

**Don't Be The Low-Hanging Cyber Fruit**

Organizations that fail to adopt simple technologies, such as multi-factor authentication (MFA), and fail to keep up with software updates, will likely find themselves targeted not just once, but multiple times, says Sophos' Wisniewski.

While the high rate of ransom payments really stood out this year, organizations should no longer consider paying cybercriminals as a solution, he says.

"There isn't a way to buy your way out of situations like a ransomware attack," Wisniewski says. "In rare cases, the payment can expedite recovery, but it is the exception, not the rule ... You are almost guaranteed not to get all of your files back, and you will still need to rebuild ... your systems."

The government needs to help set cybersecurity standards for the critical infrastructure sectors, says NCC Group's Usher. Currently, under the Cyber Incident Reporting for Critical Infrastructure Act passed in 2022, critical-infrastructure operators are required to report significant cyber events within 72 hours and disclose ransom payments within 24 hours, he says.

"The government can...ensure consistent cybersecurity standards across critical infrastructure," he says. "A continued lack of alignment will only serve to create an ever more complex Web of rules. This will likely be counterproductive to delivering better cyber resilience, and contribute to the problem of cybersecurity compliance becoming a 'tick box' exercise."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Has Outsized Impact on Gas, Energy &amp; Utility Firms

The latest version of the Cloud Security Alliance's certification provides a comprehensive catalog of essential skills that cybersecurity professionals need to master.

Source: Ronald Candonga via Pixabay

The Cloud Security Alliance (CSA) has released the Certificate of Cloud Security Knowledge (CCSK) v5, the latest version of its vendor-neutral, cloud security training and certificate.

Designed for security analysts, compliance managers, security engineers, architects, and administrators, the CCSK provides training on topics including cloud incident response, application security, and data encryption. Certification is widely regarded as a benchmark for demonstrating cloud security knowledge and skills.

The "program provides a survey of the most important topics cybersecurity professionals will face day in and day out and is complementary to virtually any other education available," the CSA said.

The CCSK v5 is a "substantial update to CCSK v4," according to CSA. It includes in-depth information, recommendations, and best practices to secure cloud architecture, cloud native security, workloads, virtual networking, data protection, DevSecOps, zero trust, and generative artificial intelligence (GenAI). The CCSK also covers serverless/function-as-a-service, application security, continuous integration and continuous delivery (CI/CD), automation, identity and access management, and incident response.

In addition, CSA has published corresponding security guidance material for the CCSK v5. Students also have access to a variety of training modules, the CCSK v5 Prep Kit, an online self-paced option (which can be completed in 10 hours) and instructor-led classes. Security pros have 120 minutes long to take the exam — a half hour more than the older program's 90 minutes. It is expected to cost $445, though the fee is waived for veterans, according to the CSA.

The CCSK v5 includes "vital information" about managing risks, achieving compliance, optimizing organizational cloud security strategies, and understanding the shared responsibility model between the cloud provider and customer. The GenAI tool CCSK Orb is included in CCSK v5, as well.

CSA Updates Cloud Security Certificate, Training

The manual provides guidance on how to improve the resiliency of critical infrastructure.

Source: Jochen Tack via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA) has published a supplemental manual to its infrastructure resilience planning framework, providing guidance on improving critical infrastructure security and resiliency. The "IRPF Playbook" provides state, local, tribal, territorial (SLTT) government planners and private-sector stakeholders with processes to help reduce the risk of disruption to critical services during a cyberattack on critical infrastructure, as well as to keep recovery and restoration costs low.

The manual also provides "fictional scenarios like a recipe" to help understand how to implement the guidance, CISA said. It outlines key actions for resilience planning, such as establishing incident-response groups, identifying critical infrastructure and dependencies, creating mitigation strategies, and integrating solutions into existing protocols. The narrative hypotheticals illustrate how a community might conduct resilience planning or incorporate resilience into existing planning efforts.

"Reading through the Playbook process, not only are the IRPF steps articulated with clear inputs and outputs, but the additional guidance on resilience concepts will help communities increase their readiness and bounce back quickly after a disaster," said David Mussington, CISA's executive assistant director for infrastructure security, in a statement.

The new playbook is a voluntary planning resource; it does not carry "any regulations, define mandatory practices, provide a checklist for compliance, or carry statutory authority," according to CISA.

**About the Author(s)**

Source

DARKReading