More security news.
Microsoft is warning about a series of attacks that use SEO poisoning to infect systems. Thousands of PDFs stuffed with SEO keywords start a series of redirections that lead to the malware. The enticement – free office forms, like invoices, questionnaires, and resumes.
The company has also disrupted a business email compromise (BEC) campaign that targeted Exchange Online and used legacy protocols like IMAP and POP3 to get around MFA. This isn’t small scale – BEC scams are another avenue of revenue for the criminals.
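The defensive counterpart to that campaign is to find and shut off the legacy IMAP/POP3 basic-auth path in your own tenant. The script below is an added example, not from the page or from Microsoft; it assumes the ExchangeOnlineManagement module and an admin session, and the policy name "Block Legacy Auth" is a placeholder of our choosing.

```powershell
# Added example: audit and disable legacy POP3/IMAP basic authentication in Exchange Online,
# the route the BEC campaign above used to sidestep MFA.
# Assumes the ExchangeOnlineManagement module is installed and the account is an Exchange admin.

Connect-ExchangeOnline

# 1. Inventory: every mailbox that still has POP3 or IMAP enabled is an MFA-bypass candidate.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Identity, PopEnabled, ImapEnabled
$exposed | Format-Table -AutoSize

# 2. Turn the protocols off on those mailboxes, and on the mailbox plan so new mailboxes inherit it.
$exposed | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# 3. Block basic authentication tenant-wide. A new authentication policy blocks basic auth for
#    every protocol unless an -AllowBasicAuth* switch is supplied, so this one allows none of them.
$policyName = "Block Legacy Auth"   # placeholder name, pick your own
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Verify: every AllowBasicAuth* flag on the effective policy should read False.
Get-AuthenticationPolicy -Identity $policyName |
    Format-List Name, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthSmtp, AllowBasicAuthActiveSync
```

A default authentication policy can take up to 24 hours to apply to existing sessions, so re-run step 4 and re-check the inventory after that window.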
If you’re thinking about opening a ransomware business, the source code for the Paradise Ransomware was released on a hacking forum. It’s only available to active users, however. Comments within the code are in Russian.
A US nuclear weapons contractor was hit by REvil. The attackers claim to have stolen data, which they are now auctioning off. It’s also come out that the Teamsters were hit back in 2019 – but they refused to pay, despite FBI advice to do so, and rebuilt their network instead. Their insurance company had made the same recommendation. The union instead recovered 99% of its data from archived material… and in some cases, hard copies.
And… too many tools may be the problem. Attackers themselves use common admin tools, which makes them a lot less likely to be spotted. This per Sophos’s Active Adversary Playbook 2021 report. When a threat is blocked automatically it may never be followed up on, even though it may be part of a larger attack pattern. This is reflected in software sprawl too – there are an average of 96 unique applications per device, including 13 mission-critical applications on the average endpoint device today. Software client sprawl on endpoints is increasing, growing to an average of 11.7 software clients or security controls per endpoint device in 2021. Nearly two-thirds of endpoint devices, 66%, also have two or more encryption apps installed. The evidence shows that 60% of devices have two or more encryption apps installed, and 52% have three or more endpoint management tools installed today, while 11% have two or more identity and access management (IAM) clients installed.
And, in case you thought this was a North American and European problem – Ensign InfoSecurity published data findings highlighting similar threat actors across Asia Pacific, Hong Kong, Malaysia, Singapore and South Korea.
Cybereason has released a report which examines ransomware attacks across multiple companies, and the findings show that cyber insurance just doesn’t cover the losses… even when it does cover the ransomware. Some 54% of the cyber pros who responded said their organisation had bought a cyber insurance policy that covered ransomware in the past two years – versus 24% who bought one that did not. Of those that were subsequently attacked and extorted by a ransomware crew, 42% said their insurer covered only a portion of the losses.
The Washington Post covered that too — Prices for at least half of insurance buyers went up 10 percent to 30 percent in late 2020. Quoting the piece. “Underwriters are demanding to see detailed proof of clients’ cybersecurity measures in ways they never have before. For example, not using multifactor authentication, which requires a user to verify themselves in multiple ways, might result in a rejection. Many insurers are also restricting how much cyber coverage they can offer or limiting the terms and conditions, several industry executives said. In some cases, that means slashing the amount of reimbursement that can be used specifically for ransomware attacks.”
Ready for the worst news – 80% of organizations that paid ransom demands experienced a second attack, and 46% of those believed the second attack came from the same attackers. This from data by Censuswide.
Why do we care?
Go Teamsters. Tip of the cap for that one.
So, you’re breached, insurance won’t cover the whole damage, and you’re really likely to get hit again even if you pay. It’s getting harder to get insurance, and too many tools might even be making it worse.
My theme continues to be: rethink this problem – find ways to simplify your customers’ environments, address the basics better, and don’t take unnecessary risks. You should have your do-not-cross lines – because the insurance companies do now.