SUPPLY CHAIN RISKS – ARE YOU RESILIANT?
This Past Week: Most enterprises have no clue they're sitting ducks for average attackers of moderate skill, much less nation state-backed adversaries with unlimited resources; Phishing: These are the most common techniques used to attack your PC; US Authorities take ‘sweeping actions’ against North Korean hackers; First Malware Infecting Apple M1 Chip Appears: Here’s What We Know; A Florida municipal water plant breach raises alarm; Ransomware impacts hospital care in France: Spotify is in the spotlight with yet another breach; Third-party risk backfires on multiple organizations; Just who is attacking us; Vehicle rental body hacked; The most common hacks used to attack your PC; US Authorities ‘nail’ North Korean hackers and major breaches in FRANCE; AUSTRALIA and UNITED STATES.
Dark Web ID Trends:
Top Source Hits: ID Theft Forums
Top Compromise Type: Domain
Top Industry: Education & Research
Top Employee Count: 501+
Most enterprises have no clue they're sitting ducks for average attackers of moderate skill, much less nation state-backed adversaries with unlimited resources.
The recent SolarWinds mega-hack has managed to grab mainstream media headlines around the world but the more you read, the more you will think the press coverage has buried the knowledge. The incident gets called a "supply chain" attack which hints at war-time tactics and, we are willing to bet, will launch a dozen VC-backed startups. People are (rightfully) worried about the knock-on effect since the SolarWinds attackers had access to several other development-houses. This is definitely scary but there's a hard, sobering truth below that actually makes this a bit worse than you might think. An abstracted, low resolution summary for those (very few) who haven't paid attention to the incident:
SolarWinds make a network management product called Orion that is deployed on hundreds of thousands of networks worldwide;
Attackers broke into SolarWinds and made their way to the SolarWinds build environment;
They compromised the build pipelines, to inject malicious code into the SolarWinds update process;
Networks all over the world updated themselves with this poisoned update;
(Now-compromised) SolarWinds servers worldwide attacked internal networks of selected organizations;
Almost nobody discovered any of this for months until a security company discovered its own compromise.
Here are the four main reasons why it's actually worse than you think.
1. The state of enterprise security: While we've made progress in some areas of information security (e.g. the degree of knowledge and skill required to exploit memory corruption bugs in modern operating systems) , enterprise security is still stuck pretty firmly in the early 2000s. An enterprise network consists of an untold number of disparate products, duct-taped together through poorly documented interfaces where often the standard for product integration is "this config works, don't touch it!". Any moderately skilled attacker will decimate an internal corporate network long before they are discovered, and the average time it takes to gain Domain Admin is measured in hours and days instead of weeks or months.
Most organizations, sadly, don't know this. They know they spend money on security and they know they see charts with red and green boxes and arrows tracking progress. Most have no clue they're sitting ducks for average attackers of moderate skill, much less nation state-backed adversaries with unlimited resources.
2. Enterprise Products: Even ignoring the weakness that comes with cobbling together many products (security at the joints), most enterprise products won't hold up very well to serious security testing. Heavyweight suppliers like Adobe and Microsoft were publicly spanked into upping their game years ago, but it drops off pretty steeply after them. There's an interesting carveout for online SaaS (Software AS A Service) companies who have to build security competency since they run their own infrastructure and compromising their products is the same as compromising them. But for products installed into an Enterprise network the incentives are horribly misaligned. Owning, say, Symantec's antivirus agent doesn't compromise Symantec, it compromises you (who are running it) and this separation makes all the difference. 3. Enterprise networks have too many moving parts: The past few years have seen creative hackers exploit software in places that we never knew were running software. The Thunderstrike crew ran code on Apple VGA adaptors. Ang Cui has rwritten exploits for monitors, and office phones. Bunnie and xobs ran code on SD-cards and a number of people have now run Linux on hard drive controllers. This makes it clear that the average office network is connected to dozens and dozens of types of devices that wont ever make it into a regular audit, that are nonetheless capable of hiding attackers and injecting badness into your network. 4. Third Party Risk Evaluations: The joke going around after the Solar Winds mega-Hack incident was that SolarWinds had negatively impacted hundreds of enterprises, but definitely passed their third-party risk evaluations. It's slightly unfair, but also true. We simply do not have a good way for most organizations to test software like this, and third-party questionnaires have always been a weak substitute. Even if we could tell whether a product was meeting a minimum security bar (using safe patterns, avoiding unsafe calls, using compile time safety nets, etc.) automatic-updates mean that tomorrow's version of the product might not be the product you tested today. And if the vendor doesn't know when they are compromised, then they probably won't know when their update mechanism is used to convert their product into an attacker's proxy. We not saying that auto-updates are bad. We believe they solve important problems, but they do introduce a new set of variables that need to be considered. The current focus on "supply chain" security will no doubt see the VC-backed creation of next-gen start-ups claiming to solve the problem, but this part of the problem seems intractable. There's the "easy" suite of software you know about: applications installed on your infrastructure and their dependencies. But, for one, this ignores your vendor's own vendors. In addition, what product is going to provide guidance on the provenance of the code running in your monitors (on processors you didn't even know were there?). Will you examine the firmware on the microphone that people are now using for their Zoom calls? Will you re-examine it post-automatic-update? There are way too many connected pieces of code to tackle the problem from this angle. If it takes just hours or days to successfully compromise an internal network, and if the average network has enough hiding places for skilled attackers to burrow deep, what do you think happens when attackers are allowed to move around undetected for months? A bunch of analysts looking at the SolarWinds incident point out (correctly) that compromised SolarWinds servers were installed on so many networks that the ripples of this attack could be crazily exponential. What this analysis misses is that the average enterprise runs dozens and dozens of SolarWinds-look-alikes everywhere. Ransomware didn't spring up overnight. Networks hit by ransomware were typically vulnerable for years and ran along blissfully unaware until attackers figured out a way to monetize those compromises. Most enterprises have been completely vulnerable to their vendors' horrible insecurity too, the SolarWinds incident just published a blueprint for how to abuse it. The situation is dire not because we are fighting some fundamental laws of physics, but because we've deluded ourselves for a long time. If there's a silver lining out of this, it's that customers will hopefully demand more from their suppliers. Proof that they've gone through more than compliance checklists and proof that they'd have a shot at knowing when they were compromised. That more enterprises will ask "how would we fare if those boxes in the corner turned evil? Would we even know?"
Canadian vehicle rental service hit by ransomware
One of Canada’s biggest car and truck rental agencies is trying to recover after being hit by a ransomware attack. A spokesperson for U.S. based vehicle rental giant Enterprise Holdings acknowledged Saturday that its Canadian division, Discount Car and Truck Rentals, was hit by a cyberattack. Enterprise’s Canadian division bought Discount last fall. This is the latest Canadian firm to be victimized by ransomware on the heels of a B.C. real estate company suffering from a similar attack in late January. Among Enterprise Holding’s brands are Enterprise Rent-A-Car, National Car Rental and Alamo Rent a Car. IT World Canada asked the car dealership for comment when the Darkside ransomware group posted a notice on its site several days ago that it had copied 120GB of corporate, banking and franchise data of Discount’s. “Discount Car and Truck Rentals was subject to a ransomware attack that impacted the Discount headquarters office,” according to a statement sent to the publication. “A fully-dedicated team isolated and contained the attack quickly. The team is working to investigate and restore service as quickly and safely as possible.” Asked by email if any customer or employee personal information was copied and how the attack started, a spokesperson would only say the investigation is still underway. The online statement from the Darkside group says, “We downloaded a lot of interesting data from your network. If you need proofs we are ready to provide you with it. The data is preloaded and will automatically be published if you do not pay.” As proof of the data, there is a screenshot of alleged folders from Discount’s file structure. According to cybersecurity firm Acronis, Darkside emerged around August, 2020 to use encryption and data theft as pressure tactics to get money from corporate victims. Among its Canadian victims is Brookside Residential. Several months after starting operations, Darkside announced an affiliate program (dubbed ransomware-as-a-service by infosec pros), allowing paying or authorized cybercriminals to use its code for attacks in exchange for a share of ransom payments. “We are a new product on the market, but that does not mean that we have no experience and we came from nowhere,” the group said at the time. “We received millions of dollars in profit by partnering with other well-known cryptolockers. We created Darkside because we didn’t find the perfect product for us. Now we have it” “Based on our principles, we will not attack the following targets: Medicine, education, non-profit organizations, government. We only attack targets that can pay the requested amount, we do not want to kill your business. Before any attack, we analyse your accountancy and determine how much you can pay based on your net income. You can ask all your questions in the chat before paying and our support team will answer them.” Cybersecurity firm Bitdefender released a decryption key in January, hoping it would foil the ransomware. However, Darkside published a statement saying it has “fixed” this and victims can’t rely on that solution.
Phishing: These are the most common techniques used to attack your PC
Creating malicious Office macros is still the most common attack technique deployed by cyber criminals looking to compromise PCs after they've tricked victims into opening phishing emails. Phishing Emails are the first stage in the attack for the majority of cyber intrusions, with cyber criminals using psychological tricks to convince potential victims to open and interact with malicious messages. These can include creating emails which claim to come from well-known brands, fake invoices, or even messages which claim to come from your boss. There are number of methods which cyber criminals can exploit in order to use phishing emails to gain the access they require and according to researchers at cybersecurity company Proofpoint, Office macros are the most common means of achieving this. Macros are a function of Microsoft Office which allows users to enable automated commands to help run tasks. However, the feature is also abused by cyber criminals. As macros are often enabled by default to run commands these can be used to execute malicious code, and thus provide cyber criminals with a sneaky way to gain control of a PC. Many of these campaigns will use social engineering to encourage the victim to enable macros by claiming the functionality is need in order to view a Microsoft Word or Microsoft Excel attachment. It's proving a successful method of attack for cyber criminals, with Office macros accounting for almost one in ten attacks by volume. But Office macros are far from the only attack technique which cyber criminals are commonly adopting in order to make hacking campaigns as successful as possible. Sandbox evasion is the second most common attack technique used by criminals distributing phishing emails. This is when the developers of malware build in threat-detection which stops the malware from running - effectively hiding it - if there's a suspicion that the malware is running on a virtual machine or sinkhole set up by security researchers. The aim is to stop analysts from being able to examine the attack – and therefore being able to protect other systems against it. PowerShell is also still regularly abused by attackers as a means of gaining access to networks after getting an initial foothold following a phishing email. Unlike attacks involving macros, these often rely on sending the victim to click a link with code to execute PowerShell. The attacks are often difficult to detect because they're using a legitimate Windows function, which is why PowerShell remains popular with attackers. Other common attack techniques used to make phishing emails more successful include redirecting users to websites laced with malicious HTML code which will drop malware onto the victim's PC when they visit, while attackers are also known to simply hijack email threads, exploiting how victims will trust a known contact and abusing that trust for malicious purposes, such as sending malware or requesting login credentials. The data on the most common attack techniques has been drawn from campaigns targeting Proofpoint customers and the analysis of billions of emails. "Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable. The best simulations mimic real-world attack techniques," said Proofpoint researchers in a blog post.
US Authorities take ‘sweeping actions’ against North Korean hackers.
Several U.S. federal agencies on Wednesday released a batch of indictments, cybersecurity advisories, and malware analysis reports that represents one of the most expansive cybersecurity-related actions against North Korea in years. The U.S. Justice Department unsealed charges against three North Korean hackers who are accused of stealing and extorting more than $1.3 billion of money and cryptocurrency from financial institutions around the globe. It’s the first indictment related to North Korean hacking operations since 2018, according to an analysis by researchers. The defendants—Jon Chang Hyok, Kim Il, and Park Jin Hyok, who were also charged in 2018 in connection with the 2014 attack against Sony Pictures—are alleged to have participated in a broad array of hacking schemes while they served as members of North Korea’s Reconnaissance General Bureau. This includes attempts from 2015 to 2019 to steal more than $1.2 billion from banks in Bangladesh, Mexico, Vietnam, Taiwan, and elsewhere, and creating the destructive WannaCry ransomware in May 2017. They also targeted “hundreds of cryptocurrency companies” and stole tens of millions of dollars worth of cryptocurrency, including $75 million from a Slovenian firm in 2017, $24.9 million from an Indonesian firm in 2018, and $11.8 million from a New York financial services company in 2020, prosecutors said. They are also alleged to have launched multiple spearphishing campaigns from March 2016 to February 2020 aimed at the U.S. Department of Defense and the U.S. Department of State, as well as defense contractors, energy companies, aerospace firms, and technology businesses. The Justice Department also announced that a Canadian-American citizen pleaded guilty to acting as a “high-level money launderer” for North Korean hackers, including ATM cash-out operations and a cyber-enabled bank heist. The charges provide detail to what the government has warned of for years: that North Korea, increasingly cut off from global markets and subject to sanctions, is turning to cybercrime as a key revenue source. Ransomware attacks demanding cryptocurrency payments can be difficult to trace, and the Treasury Department has taken steps to caution companies against paying demands if they can be linked to North Korea or other sanctioned jurisdictions. In 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control announced sanctions targeting three North Korean state-sponsored malicious cyber groups—Lazarus Group, Bluenoroff, and Andariel—based on their relationship to the Reconnaissance General Bureau and their roles in using malicious cyber activity to target critical infrastructure. Last October, OFAC and the Financial Crimes Enforcement Network, another Treasury unit, issued a pair of ransomware advisories warning of potential sanctions risks for making and facilitating payments to designated entities. “As laid out in the indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” Assistant Attorney General John Demers of the DoJ’s National Security Division said. “The Department will continue to confront malicious nation state cyber activity with our unique tools and work with fellow agencies and the family of norms abiding nations to do the same.” Shortly before the charges were unsealed, the Federal Bureau of Investigation, Department of the Treasury, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released a joint advisory warning that North Korea’s Lazarus Group targeted organizations for cryptocurrency theft in over 30 countries during the past year alone. According to the alert, the advanced persistent threat group carries out these attacks by disseminating cryptocurrency trading applications that have been modified to include malware that allows them to steal funds. Authorities identified malware and indicators of compromise related to the activity, which is referred to as “AppleJeus.” According to the advisory, North Korea has used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus malware since at least 2018. However, the actors are now using other infection vectors, including phishing and social engineering techniques, to get users to download the malware.
First Malware Infecting Apple M1 Chip Appears: Here’s What We Know
Several people claim with evangelical fervor that Mac devices are safer than Windows and a recent report by Malwarebytes corroborates the claims. However, today, the first malware targeting Apple’s latest M1 SoCs has been spotted by security researchers. This could be a turning point for Apple, and we might see a different report next year because of it.
Here’s what we know so far about the first malware that could bring down your M1-powered Macbook. When Apple shifted to its own silicon and parted ways with Intel, it also moved away from Intel x86 architecture that has been used by developers to create apps for Macs since 2005. This move also allowed developers to integrate security features right into the processor, which wasn’t possible earlier. In order to run apps natively on M1-powered Macs, they have to be recompiled using Rosetta emulator. Now, they can develop applications that can run ‘natively’ on M1 processors without translating x86_64 (Intel) instructions into native arm64 instructions. It seems that hackers have also engineered a technique to tailor malware for M1 chips using the transition. Popular Mac security researcher Patrick Wardle has published a report on his website detailing the incredibly easy process of adapting and recompiling malware to run natively on the M1 chipset. He spotted a malicious Safari extension named “GoSearch22”, originally made to run on Intel x86 architecture, which has been re-engineered to run on the M1 processor. According to Patrick, GoSearch22 belongs to the infamous Pirrit Mac adware family. It is known for its evading techniques to avoid detection by security researchers. GoSearch22 extension looks like a normal extension but in the background, it collects all user data and also floods users with ads and popups that could lead to other malicious websites. Patrick found in his research that the extension was signed with an Apple developer ID on November 23, 2020, but Apple has already revoked the certificate of the extension. A Red Canary intelligence analyst, Tony Lambert says, “Watching malware make the transition from Intel to M1 rapidly is concerning because security tools aren’t ready to deal with it.” As per Patrick, GoSearch22 isn’t the only malware that has been adapted to run on Apple M1 chips, there are many more to come, and the threat detection tools need to gear up for forthcoming Apple M1 malware.
THREAT FOCUS: United States – Washington State Auditor
Exploit: Third Party Data Breach
Washington State Auditor: Regional Government Regulator
Risk to Business: 1.379 = Severe - The unemployment claims data of more than 1 million people in Washington State has been reported as stolen in a hack of software used by the state auditor’s office. The State announced the breach after receiving notice that it was involved through a third party service provider, Accellion, a software provider the auditor’s office uses to transfer large computer files. the breach affects the personal information of people who filed for unemployment claims with the Washington Employment Security Department (ESD) between Jan. 1, 2020, and Dec. 10, 2020, and included a total of 1.6 million claims. Those claims represent at least 1.47 million individuals, according to data from the ESD website.
Individual Risk: 1.379 = Severe - The data breach involved claimants’ names, Social Security numbers and/or driver’s license or state identification number, bank information, and place of employment. The state auditor has set up a web page for people who think their personal information could have been exposed in the data breach.
Customers Impacted: 1.40 million or more people
How it Could Affect Your Business: Data like this is sought-after by cybercriminals to power phishing operations. Unfortunately for these folks, it often hangs around for years on the Dark Web, acting as fuel for future cybercrime.
Avantia Cyber Security & ID Agent to the Rescue: Watch for threats from the Dark Web without lifting a finger using Dark Web ID, 24/7/365 credential monitoring that alerts you to trouble fast. Call Avantia on +61 7 30109711 for a free Dark Web Data Search for your Username/Password.
THREAT FOCUS: United States – DriveSure
https://www.scmagazine.com/home/security-news/data-on-3-2-million-drivesure-users-exposed-on-hacking-forum/ Exploit: Hacking DriveSure: Customer Retention Platform
Risk to Business: 2.211 = Severe - Hackers dropped data on 3.2 million DriveSure users on the Raidforums hacking boards late in January. One leaked folder totaled 22 gigabytes and included the company’s MySQL databases, exposing 91 sensitive databases. The databases range from detailed dealership and inventory information, revenue data, reports, claims and client data. A second compromised folder contained 11,474 files in 105 folders and totals 5.93 GB, likely a repository of backup data.
Individual Risk: 2.325 = Severe - The information exposed included names, addresses, phone numbers, email addresses, IP addresses, car makes and models, VIN numbers, car service records and dealership records, damage claims and 93,063 bcrypt hashed passwords.
Customers Impacted: 3.2 million
How it Could Affect Your Business : Data isn’t always stolen via ransomware – sometimes it’s just old-fashioned hacking. That’s one reason why it’s essential to use a secure identity and access management solution to keep hackers locked out.
Avantia Cyber Security & ID Agent to the Rescue: Multifactor authentication can stop up to 99% of cyberattacks, and that’s just one piece of the security toolkit that you get when you start using Passly. To find out more, call Avantia on 07 30109711 (Business Hours)
THREAT FOCUS: United States – WestRock
WestRock: Packaging Manufacturer
Risk to Business: 2.779 = Extreme - Packaging giant WestRock has experienced a ransomware attack that has impacted both its manufacturing and IT environments, severely impacting production. The company has noted in an announcement to shareholders that it expects that continued delays during the recovery and cleanup process are expected.
Individual Impact: No sensitive personal or financial information was announced as part of this incident, but the investigation is ongoing.
Customers Impacted: Unknown
How it Could Affect Your Business: Ransomware can be especially devastating to manufacturing companies by not just impacting office business but halting production, leading to a cascade effect.
Avantia Cyber Security & ID Agent to the Rescue: Ransomware is almost always the result of a successful phishing attack. BullPhish ID prepares staffers to spot and stop phishing attacks, putting everyone on the IT team. For more info, please call Avantia on 07 30109711.
THREAT FOCUS: United States – SN Servicing Company
SN Servicing Company: Mortgage Loan Services
Risk to Business: 2.022 = Severe - SN Servicing, the California-based servicing arm of Security National Master Holding Company, disclosed a data breach impacting clients in Vermont and California. The incident was also reported by the Egregor ransomware gang. SN Servicing says that it has engaged a third party team of investigators to determine the scope of the incident.
Individual Impact: 2.171 = Severe - The stolen data appears to be related to billing statements and fee notices to customers from 2018, including names, addresses, loan numbers, balance information, and billing information such as charges assessed, owed, or paid. Clients should be aware of potential spear phishing and identity theft risks.
Customers Impacted: Unknown
How it Could Affect Your Business: Ransomware is around every corner these days, and just one miss-click on a phishing email can spell disaster.
Avantia Cyber Security & ID Agent to the Rescue: Ransomware comes in the wake of a phishing attack. Are you taking the right precautions against it? Read Phish Files to be sure that you’re using the right strategy! Call 07 90109711 for more Info.
THREAT FOCUS: United States – Spotify
Exploit: Credential Stuffing
Spotify: Streaming Music Service
Risk to Business: 1.668 = Severe - Spotify has returned for another appearance with a credential stuffing disaster eerily similar. This time, data for approximately 100k users appeared in an Elasticsearch instance spotted by researchers. This is distinctly different data than the load that researchers discovered in November 2020.
Individual Impact: 1.802 = Severe - No specifics were listed about the stolen data, but Spotify users should reset their account passwords and be on the lookout for spear phishing attempts.
Customers Impacted: 100K+
How it Could Affect Your Business: Protection against credential stuffing isn’t something that a company like Spotify should struggle with, and suffering two credential stuffing incidents in one quarter shows a sloppy attitude toward security.
Avantia Cyber Security & ID Agent to the Rescue: Choose Passly to secure the gateways to your systems and data quickly and affordably with a multipronged solution that covers your bases. Call Avantia on 07 30109711 for more info.
THREAT FOCUS: France – StormShield
StormShield: Cybersecurity Firm
Risk to Business: 1.711 = Severe - French Government contracting cybersecurity firm StormShield has confirmed that cybercriminals were able to gain access to one of its customer support portals and stole information on some of its clients. The hackers also gained access to some source code for StormShield Network Security (SNS) firewall, an upcoming tool designed for government use. The intruders may have also accessed personal and technical data for some of its customers, its tech support portal and the Stormshield Institute customer training portal.
Individual Impact: No sensitive personal or financial information was announced as part of this incident, but the investigation is ongoing.
Customers Impacted: Unknown
How it Could Affect Your Business: Even cybersecurity experts can get tripped up by hackers. Taking extra precautions to update security awareness training and bolster access point security is always a good idea.
Avantia Cyber Security & ID Agent to the Rescue: In Our Security Awareness Champion’s Guide, you’ll learn the details of how cybercriminals conduct today’s nastiest cyberattacks and how to beat them. Call Avantia on 07 30109711 for more info.
THREAT FOCUS: Luxembourg – European Volleyball Confederation
Exploit: Unsecured Database
European Volleyball Confederation: Sports League
Risk to Business: 2.625 = Moderate - A publically accessible Microsoft Azure blob belonging to the European Volleyball Confederation led to the exposure of hundreds of passports and identity documents belonging to journalists and volleyball players from around the world. The blob also contained thousands of headshots of volleyball players from Europe, Russia, and other countries in both the ‘backup‘ directory and an ‘AccreditationPhotos‘ subfolder.
Individual Risk: 2.601 = Moderate Members of the league and journalists who cover it should be vigilant for identity theft and spear phishing attempts that use this data.
Customers Impacted: 21,000
How it Could Affect Your Business: Failure to secure a database, especially one that contains sensitive data, is a rookie mistake that can cost you a fortune.
Avantia Cyber Security & ID Agent to the Rescue: Make sure that the sensitive information you control is strongly protected with cutting edge secure identity and access management from Passly. Please call Avantia on 07 30109711 for more info.
THREAT FOCUS: Australia – Oxfam Australia
Oxfam Australia: Charitable Organization
Risk to Business: 2.006 = Severe - A donor database for Oxfam Australia was discovered by cybersecurity researchers. Oxfam Australia is a charity focused on alleviating poverty within the indigenous Australian people. A threat actor was attempting to sell the Oxfam Australia contact and donor information for 1.7 million people. The incident is under investigation.
Individual Risk: 2.719 = Moderate - The exposed information appears to be limited to donor names, email addresses, addresses, phone numbers, and donation amounts. No financial information was exposed.
Customers Impacted: 1.7 million donors
How it Could Affect Your Business: Hacking is an ever-present menace, and organizations that have a strong security plan coupled with high cyber resilience are more likely to make it through an incident with minimal damage.
ID Agent to the Rescue: Read our eBook The Road to Cyber Resilience to learn strategies and solutions that can make your business bounce back faster from cybersecurity failures. READ THE BOOK>>
THREAT FOCUS: Australia – SitePoint
Exploit: Third Party Data Breach
SitePoint: Web Development Education Resources
Risk to Business: 1.616 = Severe - Web developer education platform SitePoint has disclosed a security breach this week in emails sent to some of its users after a threat actor listed a collection of one million SitePoint user details for sale on a cybercrime forum. SitePoint has now initiated a password reset on all accounts and is asking users to choose new ones that are at least ten characters long.
Individual Risk: 1.711 = Moderate - The stolen passwords were hashed with the bcrypt algorithm and salted, but SitePoint encourages users who may be recycling their password elsewhere to reset those accounts too.
Customers Impacted: Unknown
How it Could Affect Your Business: Password reuse and recycling is endemic, and it can lead to a world of cybersecurity trouble.Add protections that blunt the impact of a reused (and compromised) password.
Avantia Cyber Security & ID Agent to the Rescue: Limit the damage that can be done to your company with a recycled or compromised password with affordable, multifunctional secure identity and access management starring Passly. Call Avantia on 07 30109711 to find out more.
Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
Extended Remote Work is Changing the Calculus on Risk
The rapid transition to remote work was a fundamental shock for many companies. Getting used to a new out-of-the-office culture, new technology and new stressors was hard enough, but the fact that this state of affairs is fated to continue for a long time with no real end in sight has caused companies to need to thoroughly rethink their approach to cybersecurity.
An estimated 90 percent of companies experienced a sharp increase in cyberattacks during the global pandemic. In the UK, 65 percent of organizations noted they have either been breached or exposed to an attack during the lockdown. Plus, 73 percent of security and IT executives are concerned about new vulnerabilities and risks that have been created or extended by supporting a remote workforce.
Some of those risks were exacerbated by both a lack of preparation to be ready to go fully remote and a lack of essential upkeep because of pandemic chaos after going remote – 98 percent of IT professionals in an international survey said they experienced security challenges within the first two months of the pandemic. Only 42 percent of survey respondents felt that their organization was “well prepared” for moving to remote work, compared to 45 percent that considered their companies “somewhat prepared” and 13 percent who stated that their businesses were were not prepared at al
Extended Remote Work Means Extended Risk
Companies suddenly discovered a lot more challenges that threw them off their game as they made the transition to remote operations, as well as unexpected stumbling blocks. In the same survey, 93 percent of respondents said they had to delay key security projects in order to work on the transition to remote work forced by the pandemic. Over 30 percent of security executives said that software updates and BYOD policy considerations were deprioritized during the switch, and 42 percent said that routine reporting had been neglected since the start of the pandemic.
The cascade effect of those choices coincided with a huge global increase in cybercrime, as businesses were often forced to take on more cybersecurity risk in order to keep operating if they were unprepared for the transition. Like allowing workers to use personal devices until business devices could be obtained for workers who had never been remote – 43 percent experienced difficulties patching remote workers’ personal devices, exposing their organization to risk and more than 90 percent reported that their companies were forced to make rapid decisions about cybersecurity policy just to keep the lights on.
The Time for Excuses is Over
While the start of the global pandemic was extremely chaotic and disruptive throughout the world, that was almost a year ago. Companies have had time to solve these complex security issues, but many haven’t. Researchers note that only about half of the surveyed companies had adopted simple security tools like multifactor authentication to combat the increased risk of remote work.
The numbers are in for 2020, and it was a record-breaking year for new vulnerabilities, with a 30 percent year over year increase. That’s not even counting attacks like phishing that have skyrocketed by more than 660 percent. That leaves huge gaps for security teams to handle – only 11 percent confirmed they could confidently maintain a holistic view of their organizations’ attack surfaces.
Remote working isn’t going anywhere either, and that continues to be problematic for companies that have failed to adjust. Some companies have chosen to remain fully remote as both a cost-cutting measure and an employee convenience aid. Many companies also intend to return to their offices as soon as they’re safely able, but that doesn’t mean anytime soon. More than 70 percent of respondents projected that at least one-third of their employees will remain remote 18 months from now.
DISCLAIMER* Avantia Corporate Services Pty Ltd T/A Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, other members of the 5 Eyes Alliance, the Australian Cyber Security Centers, and other sources in 56 countries who provide cyber breach and cyber security information in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.
*COPYRIGHT 2020* Avantia Corporate Services - All Rights Reserved.