Your Weekly DHS/CISA Threat Assessment (Jul …
Stay tuned for this update each week. This is a joint cybersecurity weekly product from the Missouri Information Analysis Center, St. Louis Fusion Center, Kansas City Regional Fusion Center and the Missouri Office of Homeland Security.
The recent DarkSide attack makes it clear: no system is safe from ransomware. And while the attackers say they weren't out to hurt anyone, only to make money, the impact is the same: critical services across the country could be disrupted. At the same time, it stokes fears that similar attacks will happen more often in the future. The long-term outcome of these attacks, however, is a hyper-focus on ransomware as the top threat to governments and enterprises. For example, the federal government recently pledged billions of dollars to fight ransomware. There's no doubt that ransomware remains a major (and evolving) risk. However, this tunnel vision makes it easy to miss the forest for the trees. You don't want distributed-denial-of-service (DDoS) attacks and other problems to slip past network defenses unnoticed while attention is elsewhere.
Traditional ransomware defenses are failing: 54% of all victims had anti-phishing training and 49% had perimeter defenses in place at the time of attack, according to a Cloudian survey of 200 IT decision makers whose organizations experienced a ransomware attack between 2019 and 2021. Citing this and other findings from the survey, including the widespread impact of the attacks and average financial costs totaling over $400,000, the report calls for organizations to focus greater attention on putting systems in place that enable quick data recovery in the event of an attack, without paying the ransom.
More than 700 organizations were attacked with ransomware and had their data posted to data leak sites in Q2 of 2021, according to a new research report from cybersecurity firm Digital Shadows. Out of the almost 2,600 victims listed on ransomware data leak sites, 740 of them were named in Q2 2021, representing a 47% increase compared to Q1. The report chronicles the quarter’s major events, which included the DarkSide attack on Colonial Pipeline, the attack on global meat processor JBS, and increased law enforcement action from US and European agencies. But Digital Shadows’ Photon Research Team found that under the surface, other ransomware trends were emerging. Since the Maze ransomware group helped popularize the data leak site concept, double extortion tactics have become en vogue among groups looking to inflict maximum damage after attacks.
MITRE has shared this year’s top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years. Software weaknesses are flaws, bugs, vulnerabilities, and various other types of errors impacting a software solution’s code, architecture, implementation, or design, potentially exposing systems it’s running on to attacks. MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD) (roughly 27,000 CVEs).
The U.S. House of Representatives this week passed several cybersecurity bills, including ones related to critical infrastructure, industrial control systems (ICS), and grants for state and local governments. One of the bills focusing on critical infrastructure is the Cybersecurity Vulnerability Remediation Act, which aims to authorize the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to assist owners and operators of critical infrastructure with mitigation strategies against serious vulnerabilities. The bill covers vulnerabilities in IT and OT systems, as well as security holes in hardware or software that is no longer supported. It also authorizes the DHS to create a competition for identifying remediation solutions for vulnerabilities in IT and ICS products. The House this week also passed the CISA Cyber Exercise Act, which establishes a program within CISA with the goal of promoting regular testing and assessments of preparedness and resilience to cyberattacks aimed at critical infrastructure.
A recently disclosed vulnerability affecting a popular survey creation tool has been exploited by a threat group that may be linked to China against organizations in the United States. Cybersecurity consulting and incident response solutions provider Sygnia on Tuesday published a report detailing attacks launched by a threat actor against “high-profile public and private entities” in the United States. Sygnia does not mention China in its report, but the company said it found some links to attacks that were previously attributed to the Chinese government. The attacks involve CVE-2021-27852, a deserialization-related code execution vulnerability affecting Checkbox Survey, an ASP.NET tool designed for adding survey functionality to websites. The Checkbox Survey vulnerability can be exploited remotely without authentication and it impacts version 6 of the application. The flaw does not exist in version 7.0 (released in 2019), but older versions are no longer supported and they will not receive patches.
Cybersecurity experts can be a crabby bunch. The debates and arguments last for decades (responsible disclosure, anyone?) and it’s rare to find consensus from all stakeholders on the best risk mitigation decisions. There’s one very noticeable exception: Multi-factor authentication (MFA) is universally hailed as a leapfrog security measure that drastically reduces online threats like identity theft and online fraud. Security experts routinely recommend that users implement MFA technology where available, stressing the value of additional layers of authentication to thwart malicious hackers. Still, after a decade of evangelism and multi-millions spent on innovation, overall MFA adoption remains stagnant and the latest numbers from Twitter tell a startling story.
Cybercrime is getting more organized than ever, as threat actors increase collaboration and adapt their methods to drive greater monetization, selling access to breached systems to organized criminal groups and ransomware gangs. The latest HP Wolf Security Threat Insights Report reveals a 65 percent rise in the use of hacking tools downloaded from underground forums and file sharing websites between the second half of 2020 and the first half of 2021. Many tools in circulation are surprisingly capable too, with one using computer vision techniques to bypass CAPTCHA challenges and perform credential stuffing attacks against websites.
Encryption is under threat from two sides. The first we can call bad actors, which comprises criminals and nation states. The second is bad encryption, which comprises poorly designed systems and weak random number generation. These two threats already combine to make common encryption less secure than we like to believe, and with the arrival of quantum computing it will only get worse. Since nation states often subcontract their work to criminals, it is better to differentiate the two kinds of bad actor by intent rather than by who performs the intrusion: nation states seek national security or economic advantage; criminals seek financial gain. The two most important bad nation state actors are Russia and China. Russia is the biggest immediate threat while China is the bigger long-term threat (although "long term" is already a misnomer). Jeremy Fleming, director of GCHQ, commented in April 2021, "Russia is affecting the weather, while China is shaping the climate."
Vade released its Phishers’ Favorites report for H1 2021, which revealed that there has been a major jump in phishing attacks since the start of the year with a 281 percent spike in May and another 284 percent increase in June, for a total of 4.2 billion phishing emails detected by Vade for June alone. For this 6-month window researchers identified Crédit Agricole as the most impersonated brand, with 17,555 unique phishing URLs, followed by Facebook, with 17,338, and Microsoft, with 12,777. H1 marks the first time Crédit Agricole has found itself in the top spot, but its position comes as no surprise in a year dominated by economic headlines. In February 2021, Crédit Agricole announced a “return to normal” after affording significant payment holidays from business and consumer loans during the COVID pandemic.
The global shift to remote work has exacerbated the volume, sophistication, and impact of phishing attacks, according to Ivanti. Nearly three-quarters (74%) of respondents said their organizations have fallen victim to a phishing attack in the last year, with 40% confirming they have experienced one in the last month. Eighty percent of respondents said they have witnessed an increase in the volume of phishing attempts and 85% said those attempts are getting more sophisticated. In fact, 73% of respondents said that their IT staff had been targeted by phishing attempts, and 47% of those attempts were successful. Smishing and vishing scams are the latest variants to gain traction and target mobile users. According to recent research by Aberdeen, attackers have a higher success rate on mobile endpoints than on servers, a pattern that is trending dramatically worse. Meanwhile, the annualized risk of a data breach resulting from mobile phishing attacks has a median value of about $1.7M and a long-tail value of about $90M.
Zhi Wang, Chaoge Liu, and Xiang Cui presented a technique for delivering malware hidden inside neural network models, evading detection without noticeably impacting the performance of the network. In their tests the researchers embedded 36.9MB of malware into a 178MB AlexNet model with less than 1% accuracy loss, and the resulting model file was not flagged by the antivirus engines they tested against. The researchers expect that, with the massive adoption of artificial intelligence, malware authors will take an increasing interest in neural networks as a delivery channel. In their words: "We hope this work could provide a referenceable scenario for the defense on neural network-assisted attacks."
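The reason a model can carry a large payload with almost no accuracy loss is that the low-order mantissa bits of a float32 weight contribute almost nothing to the value, so overwriting them with attacker bytes perturbs each weight by at most 255 * 2^-23 of its own magnitude (about 3e-5). The example below is added here to illustrate that point and is not the researchers' code; it uses a simplified variant that overwrites only the lowest mantissa byte of each weight (the paper's own encoding is not reproduced), and the "layer" and "payload" are constructed in the script rather than taken from any real model or sample. It also shows why a statistical check on those bytes is not a useful detector (the low byte of a trained weight already looks random, before and after embedding) and that pinning a hash of the tensor, as a signed model manifest would, is what actually changes.

```python
"""Hide bytes in the low-order mantissa byte of float32 weights, recover them,
and measure how little the carrier values change.

Added example (not the paper's code). All weights and payload bytes below are
constructed in this script; nothing here comes from a real model or sample."""
import hashlib
import math
import random
import struct
from collections import Counter


def f32_to_bits(w: float) -> int:
    """IEEE-754 binary32 encoding of w as an unsigned 32-bit int."""
    return struct.unpack("<I", struct.pack("<f", w))[0]


def bits_to_f32(b: int) -> float:
    """Inverse of f32_to_bits."""
    return struct.unpack("<f", struct.pack("<I", b & 0xFFFFFFFF))[0]


def embed_payload(weights, payload):
    """Return a copy of weights whose lowest mantissa byte carries payload[i].

    Only the 8 least-significant bits of the 23-bit mantissa are touched, so
    the sign and exponent are preserved and each weight moves by at most
    255 * 2**-23 of its own magnitude (~3.04e-5 relative).
    """
    if len(payload) > len(weights):
        raise ValueError("carrier has fewer weights than payload bytes")
    carrier = list(weights)
    for i, byte in enumerate(payload):
        carrier[i] = bits_to_f32((f32_to_bits(carrier[i]) & ~0xFF) | byte)
    return carrier


def extract_payload(weights, length):
    """Read back `length` bytes from the low mantissa byte of each weight."""
    return bytes(f32_to_bits(w) & 0xFF for w in weights[:length])


def max_relative_change(original, modified):
    """Largest |delta| / |original| over all weights (exact zeros skipped)."""
    worst = 0.0
    for a, b in zip(original, modified):
        if a != 0.0:
            worst = max(worst, abs(b - a) / abs(a))
    return worst


def low_byte_entropy(weights):
    """Shannon entropy in bits (max 8) of the lowest byte across the weights."""
    counts = Counter(f32_to_bits(w) & 0xFF for w in weights)
    n = len(weights)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint(weights):
    """SHA-256 of the raw float32 tensor: what a signed model manifest pins."""
    return hashlib.sha256(struct.pack(f"<{len(weights)}f", *weights)).hexdigest()


def demo():
    rng = random.Random(2021)
    # Constructed stand-in for one trained layer: 4096 small Gaussian weights.
    weights = [rng.gauss(0.0, 0.05) for _ in range(4096)]
    # Constructed stand-in for the hidden blob: 1024 pseudo-random bytes
    # (a real payload would normally be encrypted, so it looks the same).
    payload = bytes(rng.getrandbits(8) for _ in range(1024))

    carrier = embed_payload(weights, payload)
    recovered = extract_payload(carrier, len(payload))
    return {
        "roundtrip_ok": recovered == payload,
        "max_rel_change": max_relative_change(weights, carrier),
        "entropy_before": low_byte_entropy(weights),
        "entropy_after": low_byte_entropy(carrier),
        "hash_changed": fingerprint(weights) != fingerprint(carrier),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows a perfect round trip, a worst-case relative weight change of roughly 3e-5, and essentially identical low-byte entropy before and after (both close to the 8-bit maximum), which is why a "does this tensor look random" heuristic does not catch the embedding. The only quantity that reliably changes is the tensor hash, so the practical defense is to treat model files as software artifacts: distribute them with signed checksums and verify them before loading.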
Malware developers increasingly are relying on “exotic” programming languages – such as Go, Rust, DLang and Nim – to create malicious code that can avoid security detection by tools and add a layer of obfuscation to an attack, according to a report released Monday by BlackBerry. The BlackBerry researchers found malware developers are creating a new array of loaders and droppers using these four languages to deliver or disguise remote access Trojans, or RATs, as well as malicious versions of legitimate tools, such as Cobalt Strike, to potential victims, the report notes. In many cases, threat actors are turning to these languages to avoid detection and obscure an attack, according to the report.