As the holiday season drew closer, there was less news, although the battle against cybercriminals heated up. News this week comes from several pieces of research and product updates. Action1 announced a product update. Check Point, Ivanti, Logpoint, and Microsoft revealed research. Sophos studied a single piece of malware, Emotet.
Action1
Action1 released the latest version of its patch management solution. The update includes granular update policies and a new patch compliance dashboard.
Alex Vovk, CEO and co-founder of Action1, commented, “Work-from-anywhere reality makes patching especially labor-intensive and causes IT teams to work overtime double-checking if all updates are deployed successfully; otherwise, missing updates can let threat actors exploit security vulnerabilities, leading to data breaches and costly compliance fines. With this upgrade, we provide IT teams with intelligent automation capabilities, empowering them to eliminate manual work while ensuring a 99% success rate for patch deployment and improving cybersecurity for their organizations.”
Check Point
Check Point Software Ltd published its November Global Threat Index. Emotet, the ambitious Trojan malware, made a return after a break during the summer. Qbot moved up to third place for the first time since July 2021. There was also a notable increase in attacks by Raspberry Robin, a sophisticated worm that typically uses malicious USB drives to infect machines.
The research also revealed that “Web Servers Malicious URL Directory Traversal” is the most commonly exploited vulnerability, impacting 46% of organizations globally. That was closely followed by “Web Server Exposed Git Repository Information Disclosure”, with an impact of 45%. November also saw Education/Research remain in first place as the most attacked industry globally.
Maya Horowitz, VP Research at Check Point Software, commented, “While these sophisticated malwares can lie dormant during quieter periods, the last few weeks act as a stark reminder that they will not remain quiet for long. We cannot afford to become complacent, so it’s important that everyone remains vigilant when opening emails, clicking on links, visiting websites or sharing personal information.”
Claroty
Claroty, the cyber-physical systems protection company, announced it had joined the World Economic Forum’s Global Innovators Community. This is an invitation-only group of the world’s most promising start-ups and scale-ups at the forefront of ethical, technological and business model innovation. As a Global Innovator, Claroty will engage with the Forum’s Centre for Cybersecurity, and Claroty CEO Yaniv Vardi will attend the Annual Meeting in Davos in January 2023.
Vardi commented, “We are honored to join the World Economic Forum’s Global Innovators Community and partner with world leaders to address systemic security risks and threats, especially those facing critical infrastructure.
“Our industry is at a pivotal juncture, as the world has woken up to the staggering financial and societal repercussions that can occur when critical infrastructure is disrupted. On top of this, business leaders continue to deal with the impact of the pandemic, the economic recession, and geopolitical tensions, while determining how to operate efficiently and securely. It is against this backdrop that organizations must strive to remain resilient despite unprecedented and unpredictable issues.”
Dragos
Dragos published another blog in its series of OT cybersecurity guides aimed at SMEs. This blog detailed how to respond to a ransomware attack. It offers five questions that SMEs should consider now, before being attacked. Answering them in advance makes the difficult decisions much easier should an attack occur.
Europol
Europol has helped take down fifty of the world’s biggest booter services which help launch DDoS attacks. Operation Power Off saw law enforcement in the United States, the United Kingdom, the Netherlands, Poland, and Germany take action against these types of attacks which can paralyse the internet.
Ivanti
Ivanti published its State of Security Preparedness 2023 study. Based on a survey of 6,500, it aims to understand the perception of threats today and how organisations are preparing for the future. Key findings included the following:
- 97% of leaders and security professionals report their organization is as prepared or more prepared to defend against cybersecurity attacks than they were a year ago.
- However, one in five wouldn’t bet a chocolate bar they could prevent a damaging breach.
- 92% of security professionals reported they have a method to prioritize patches. They also indicated that all types of patches rank high – meaning none do.
Dr Srinivas Mukkamala, Chief Product Officer at Ivanti, commented, “Patching is not nearly as simple as it sounds. Even well-staffed, well-funded IT and security teams experience prioritization challenges amidst other pressing demands. To reduce risk without increasing workload, organizations must implement a risk-based patch management solution and leverage automation to identify, prioritize, and even address vulnerabilities without excess manual intervention.”
Weak passwords persist and are often shared. More education is still needed, with more than 1 in 3 leaders having clicked on a phishing link.
Logpoint
Logpoint research looked at the resurgence of Emotet and offered some insights into the malware’s attack patterns and possible detections to help organizations stop it before it becomes a threat. The research found that Emotet has changed its tactics from stealing credentials in the banking sector to stealing other sensitive data and acting as a dropper to distribute other malware like IcedID, Trickbot, or Ryuk.
Doron Davidson, VP Logpoint Global Services, commented, “Emotet is the most detected malware sample on many platforms. The fact that there has been a variant for several years and it still manages to bypass defenses is a true testament to its amazing adaptability. At Logpoint, we’re working to stop threats like Emotet in their tracks before they wreak havoc and cause detrimental damage.”
Logpoint offers four recommendations:
- Look out for common Tactics, Techniques and Procedures (TTPs) used by Emotet.
- Familiarize yourself with known Indicators of Compromise (IoC) and ensure you can detect and block them.
- Look out for malicious macros, like a download of a macro-enabled document, and delete or isolate the spawned and child processes.
- Isolate the endpoints, i.e., in case of an attack, isolate the system, take proper logs, evaluate the situation and remediate.
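The four recommendations above, worked through as one small detection pass. This is an added example and is not Logpoint's code or detection content: the event format, the hostnames, the file hash and the `.invalid` domains are all constructed placeholders, not real Emotet indicators. The rules flag an Office application spawning a script host (a common macro-execution TTP), a macro-enabled document written to disk by a mail client or browser, and command lines or file hashes that match the IoC list; the final function applies the isolation recommendation to hosts where those signals coincide.

```python
"""Toy detection pass over constructed endpoint events (example, not Logpoint's code).
Covers: common TTPs, IoC matching, macro-enabled documents and the processes
they spawn, and the decision of which endpoints to isolate."""
from dataclasses import dataclass
from typing import Dict, List, Set

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe"}
DOWNLOADERS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
MACRO_EXTS = (".docm", ".xlsm", ".pptm", ".dotm")

# Constructed IoC list: placeholder values, not real indicators.
IOC_SHA256 = {"0000000000000000000000000000000000000000000000000000000000000001"}
IOC_DOMAINS = {"update-invoice.example.invalid", "cdn-static.example.invalid"}


@dataclass
class Event:
    host: str
    kind: str            # "process" (process creation) or "file" (file written)
    image: str           # process image path, or the path of the written file
    parent: str = ""     # parent process image (or the writing process for files)
    cmdline: str = ""    # command line (process events only)
    sha256: str = ""     # hash of the written file (file events only)


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        if ev.kind == "process":
            parent, child = _base(ev.parent), _base(ev.image)
            # TTP: an Office application spawning a script host (macro execution)
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                alerts.append(Alert(ev.host, "office_spawns_script_host", f"{parent} -> {child}"))
            # IoC: a listed domain referenced on the command line
            for dom in sorted(IOC_DOMAINS):
                if dom in ev.cmdline.lower():
                    alerts.append(Alert(ev.host, "ioc_domain_in_cmdline", dom))
        elif ev.kind == "file":
            name = _base(ev.image)
            # Macro-enabled document written to disk by a mail client or browser
            if name.endswith(MACRO_EXTS) and _base(ev.parent) in DOWNLOADERS:
                alerts.append(Alert(ev.host, "macro_doc_downloaded", name))
            # IoC: file hash on the list
            if ev.sha256.lower() in IOC_SHA256:
                alerts.append(Alert(ev.host, "ioc_hash_match", name))
    return alerts


def hosts_to_isolate(alerts: List[Alert]) -> List[str]:
    """Isolate a host on any IoC hit, or when a macro document download is
    followed by an Office application spawning a script host."""
    rules_by_host: Dict[str, Set[str]] = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    out = set()
    for host, rules in rules_by_host.items():
        if rules & {"ioc_domain_in_cmdline", "ioc_hash_match"}:
            out.add(host)
        elif {"macro_doc_downloaded", "office_spawns_script_host"} <= rules:
            out.add(host)
    return sorted(out)


# Constructed sample telemetry (three hosts, one benign).
SAMPLE_EVENTS = [
    Event("ws-01", "file", r"C:\Users\a\Downloads\invoice_1142.docm",
          parent=r"C:\Program Files\Mozilla Firefox\firefox.exe",
          sha256="0000000000000000000000000000000000000000000000000000000000000001"),
    Event("ws-01", "process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          cmdline=r"powershell.exe -File C:\Users\a\AppData\Local\Temp\run.ps1"),
    Event("ws-02", "process", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="cmd.exe /c dir"),
    Event("ws-03", "process", r"C:\Windows\System32\rundll32.exe",
          parent=r"C:\Windows\System32\svchost.exe",
          cmdline="rundll32.exe x.dll,Run http://cdn-static.example.invalid/x"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host}: {a.rule} ({a.detail})")
    print("isolate:", hosts_to_isolate(found))
```

In a real deployment the events would come from a process-creation and file-creation telemetry source rather than a hard-coded list, and the IoC sets would be refreshed from a feed; the isolation logic deliberately requires two corroborating TTP signals so that a single macro-enabled document download does not by itself pull a workstation off the network.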
Microsoft
Microsoft issued the third edition of Cyber Signals. The report shares new insights on the wider risks that converging IT, Internet of Things (IoT), and operational technology (OT) systems pose to critical infrastructure. It draws on trends and insights gathered from Microsoft’s 43 trillion daily security signals and 8,500 security experts.
Sophos
Sophos revealed it had found malicious code in multiple drivers signed by legitimate digital certificates. The findings are described in its latest report, “Signed Driver Malware Moves up the Software Trust Chain.” The malicious driver is designed to specifically target processes used by major Endpoint Detection and Response (EDR) software packages. It was installed by malware tied to threat actors affiliated with Cuba ransomware. Sophos Rapid Response successfully thwarted the attack, and the investigation triggered a comprehensive collaboration between Sophos and Microsoft to take action and address the threat.
Christopher Budd, senior manager threat research at Sophos, commented, “These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent. We’ve found a total of 11 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, with the oldest driver dating back to at least July.
“The oldest ones we’ve found to date were signed by certificates from unknown Chinese companies; they then moved on and managed to sign the driver with a valid, leaked, revoked NVIDIA certificate. Now, they’re using a certificate from Microsoft, which is one of the most trusted authorities in the Windows ecosystem. If you think about it like company security, the attackers have essentially received valid company IDs to enter the building without question and do whatever they please.”