Last week, Claroty, Corero, ESET and Sophos published several interesting research pieces. The latter looks at competitions run by cybercriminals. There were also product announcements from Noname Security, Okta and Tenable.
In other news, three new partnerships were announced. Axio partnered with Cyentia, LogRhythm partnered with Cimcor and SolCyber partnered with Brightworks Group.
Axio announced a new joint initiative with Cyentia, a research and data science firm with a mission to advance knowledge in the cybersecurity industry. Coupling Cyentia’s massive IRIS dataset of historical incidents with Axio’s leading platform, Axio360, and its cyber risk expertise provides Axio customers with the most accurate and defensible cyber risk quantifications.
Nicole Sundin, Chief Product Officer for Axio, stated, “Axio’s mission is simple – to be the easiest and most defensible cyber risk management product on the market. With Axio360, teams can quickly and effectively quantify cyber risks, rapidly providing actionable, defensible, and transparent insights.”
Brendan Fitzpatrick, Vice President, Cyber Risk Quantification Modeling of Axio, said, “From my firsthand experience working with our clients, adding Cyentia to that mix makes our leading offering even better. Their rich analysis of industry-specific incident probability and impact data drives confidence throughout a company in understanding the actual potential impact of a cyber incident, taking the guesswork out of it.
“Security professionals can now present risk-driven business decisions based on data that give executives and boards confidence.”
Dr Wade Baker, Co-Founder of Cyentia, commented, “I’ve advocated for many years that better risk data will lead to better risk decisions and defenses. We demonstrated that principle with the IRIS research, and I’m thrilled that Axio is enabling organizations to benefit from the underlying data in a powerful way.”
Claroty announced the release of the Global Healthcare Cybersecurity Study 2023. The report is based on a survey of 1,100 cybersecurity, engineering, IT, and networking professionals from healthcare organizations. The key findings included the following:
- 78% of respondents experienced a minimum of one cybersecurity incident over the last year
- 47% cited at least one incident that affected cyber-physical systems such as medical devices and building management systems
- 30% cited that sensitive data like protected health information (PHI) was affected
- More than 60% reported that incidents caused a moderate or substantial impact on care delivery, and another 15% reported a severe impact that compromised patient health and/or safety
- Nearly 30% say current government policies and regulations require improvement or do nothing to prevent threats
- NIST (38%) and HITRUST Cybersecurity Frameworks (38%) were selected by most respondents as important to their organizations
- 44% cite regulatory developments such as mandated incident reporting as the most influential external factor to an organization’s overall security strategy
- More than 70% of healthcare organizations are looking to hire in cybersecurity roles
- 80% of those hiring say it’s difficult to find qualified candidates who have the skills and experience required to properly manage a healthcare network’s cybersecurity
Yaniv Vardi, CEO of Claroty, said, “The healthcare industry has a lot working against it on the cybersecurity front—a rapidly expanding attack surface, outdated legacy technology, budget constraints and a global cyber talent shortage. Our research shows that healthcare organizations need the full support of the cyber industry and regulatory bodies in order to defend medical devices from mounting threats and protect patient safety.”
Corero released its latest threat research note, “TCP SYN Packets: The Good, The Bad, and The Ugly.” Written by Cyber Security Engineer Huy Nguyen, the research looks at:
- The Good: What constitutes a valid SYN packet?
- The Bad: How to identify a suspicious or malicious packet.
- The Ugly: Uncommon uses of SYN packets.
ESET researchers have identified two active campaigns targeting Android users with trojanized Telegram and Signal apps; the threat actors behind the tools are attributed to the China-aligned APT group GREF. Key findings from the research include:
- ESET Research has discovered trojanized Signal and Telegram apps for Android, named Signal Plus Messenger and FlyGram, on Google Play and Samsung Galaxy Store; both apps were later removed from Google Play.
- Signal Plus Messenger represents the first documented case of spying on a victim’s Signal communications by secretly auto-linking the compromised device to the attacker’s Signal device.
- The malicious code found in these apps is attributed to the BadBazaar malware family, which has been used in the past by a China-aligned APT group called GREF.
- Thousands of users downloaded the spy apps. ESET telemetry reported detections on Android devices in several EU countries, the United States, Ukraine, and other places worldwide.
- BadBazaar malware was previously used to target Uyghurs and other Turkic ethnic minorities. FlyGram malware was also seen shared in an Uyghur Telegram group, which aligns with previous targeting by the BadBazaar malware family.
ESET researcher Lukáš Štefanko, who made the discovery, said, “Malicious code from the BadBazaar family was hidden in trojanized Signal and Telegram apps, which provide victims a working app experience but with espionage happening in the background.
“BadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device.”
Europol has supported the coordination of a large-scale international operation that has taken down the infrastructure of the Qakbot malware and led to the seizure of nearly EUR 8 million in cryptocurrencies. The international investigation, supported by Eurojust, involved judicial and law enforcement authorities from France, Germany, Latvia, The Netherlands, Romania, the United Kingdom and the United States.
Qakbot, operated by a group of organised cyber criminals, targeted critical infrastructure and businesses across multiple countries, stealing financial data and login credentials. Cybercriminals used this persistent malware to commit ransomware, fraud, and other cyber-enabled crimes.
The investigation suggests that between October 2021 and April 2023, the administrators received fees corresponding to nearly EUR 54 million in ransoms paid by the victims. The lawful examination of the seized infrastructure uncovered that the malware had infected over 700,000 computers worldwide. Law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa, enabling the malware’s activity on a global scale.
Infoblox Inc. announced the appointment of Mukesh Gupta as Senior Vice President and Chief Product Officer. Gupta joins Infoblox from Palo Alto Networks, where he helped grow the company into a multi-billion-dollar leader in network security. Before Palo Alto Networks, Gupta held senior product leadership roles at Illumio and Juniper Networks. He also co-founded LocalCircles, India’s leading community and public pulse aggregation platform.
Scott Harrell, President and CEO of Infoblox, said, “Mukesh brings the ideal blend of experiences to drive Infoblox’s next phase of growth. He possesses an incredible mix of networking and security backgrounds, coupled with entrepreneurial vision and vast domain expertise. I’m confident his passion and commitment to building world-class products and bringing them to market will serve Infoblox well as we look to expand our market leadership in security and networking.”
Gupta commented, “Infoblox is an undisputed market leader and pioneer in Secure DNS with an ever-growing and fanatical customer community. The company’s incredible culture combined with its rich history of innovation has enabled Infoblox to extend its market leadership into hybrid-cloud environments.
“In addition, Infoblox’s unique ability to help customers proactively improve their cyber defenses with DNS Detection and Response is a true game changer. I’m incredibly thrilled to join this amazing team and to bring the next-gen of cloud networking, security and automation solutions to market.”
LogRhythm announced a partnership with Cimcor, an industry leader in developing innovative security and integrity software solutions. LogRhythm and Cimcor work together to help organizations around the globe increase visibility and protect against modern cyberattacks. The partnership will leverage LogRhythm’s comprehensive security information and event management (SIEM) platform and Cimcor’s file integrity monitoring (FIM) solution, CimTrak.
Andrew Hollister, Chief Information Security Officer at LogRhythm, commented, “Security threats are constantly evolving, and organizations must remain vigilant in protecting their sensitive data and infrastructure.
“Our partnership with Cimcor allows us to offer a holistic cybersecurity solution that not only detects and monitors threats but also safeguards the integrity and compliance of crucial files and systems. By leveraging this joint offering, organizations can strengthen their security posture and effectively combat ever-evolving cyber threats.”
Robert E. Johnson, III, President/CEO and co-founder at Cimcor, said, “LogRhythm offers extensive support for and integration across our entire product portfolio to address the ever-evolving cybersecurity landscape. This partnership enables us to extend the reach of our solutions and provide customers with a comprehensive security offering. Together, we can help organizations stay one step ahead of cybercriminals and protect their most critical assets.”
LRQA Nettitude has achieved a significant milestone by becoming a Microsoft Solutions Partner for Security. The designation recognizes LRQA Nettitude’s deep understanding of Microsoft technologies and showcases a proven track record of successfully implementing security solutions. To earn the Solutions Partner for Security designation, organizations must demonstrate a broad capability to help clients safeguard their entire organization with integrated security, compliance, and identity solutions.
Ben Densham, Chief Technology Officer at LRQA Nettitude, said, “This designation recognizes our outstanding Microsoft security capabilities and gives our clients even greater confidence that we are the cyber partner to support their security needs. Having this recognition from Microsoft reinforces our capability to provide end-to-end security solutions and commends how we deliver Microsoft Sentinel and Microsoft cloud-based services to clients.”
José Lázaro Pinos, Microsoft Partner Security Architect, commented, “LRQA Nettitude’s Solution Partner status identifies them as a Microsoft partner committed to training and driving customer usage. This status is a reflection of their expertise in their specialist area and proven track record in delivering successful adoption of Microsoft solutions.”
Noname Security announced that its API security platform now fully supports the 2023 OWASP API Security Top 10 risk categories. Noname’s API Security Platform detects OWASP API Top 10 related vulnerabilities across the widest possible set of sources, including log files, replays of historical traffic, configuration files, and more. This allows customers to find and remediate critical issues such as excessive data exposure, broken authentication, and lack of resources and rate limiting.
Oz Golan, CEO and Co-Founder of Noname Security said, “APIs have many stakeholders, and frameworks like the OWASP API Security Top 10 allow diverse groups across teams to come together and speak the same language. The integration of the 2023 OWASP API Security Top 10 into our platform is a strategic step in helping organizations tackle API security concerns and incorporate API security as part of their broader application security conversations.”
Okta announced Okta for Global 2000, an industry-leading solution designed to give the world’s largest organizations choice in how they run their technology infrastructure with flexible and automated identity management. Okta for Global 2000 enables the technical agility executives need to balance centralization and decentralization of their organizations as well as resources and governance models with secure identity infrastructure.
Todd McKinnon, CEO and co-founder at Okta commented, “Today’s enterprises can’t be constrained by a single platform as they look to drive growth and value in a world where supply chains and customer expectations have shifted dramatically over the last two years. Okta for Global 2000 gives executives choice in how they evolve their technology strategies to keep pace with this new environment, centralizing security and improving efficiency and employee productivity.”
Okta for Global 2000 delivers functionality such as:
- Flexible User Management: Collect and sync users and groups from extended workforces across directories — including Active Directory — and systems of record through centralized hubs or through spoke Okta tenants.
- Automated identity actions across tenants: Automate complex lifecycle management actions across distributed business units and shared corporate resources alike, minimizing manual workloads and driving efficiency.
- Delegated control and autonomy: Empower distributed tenants with fine-grained access permissions to adopt new technologies and manage user identities without creating new identity silos.
- Seamless user experiences: Enable the use of existing identity providers for acquisitions or subsidiaries to avoid impacting end-user experiences.
SolCyber announced a strategic partnership with Brightworks Group, a leading digital transformation and cloud IT service company. Brightworks Group’s reputation for delivering exceptional cloud-based services across various industries, including Healthcare and Financial Services, complements SolCyber’s commitment to creating a secure digital landscape for all. Together, they aim to reduce cyber risks, complexity, and barriers to technology adoption.
Scott McCrady, CEO of SolCyber, said, “We’re excited to join forces with Brightworks Group to redefine managed security services and serve the needs of the Midwest. Their deep understanding of the unique challenges faced by businesses in this region aligns perfectly with our mission to provide dedicated support and accelerate the adoption of a robust security program.”
Doug Miller, CEO of Brightworks Group, commented, “This partnership is a significant milestone for us. Our shared dedication to simplifying technology will empower businesses in the Midwest to leverage its benefits more effectively. Together, we’re setting a new standard for managed security services that focuses on accessibility and impact.”
Sophos has uncovered how research contests run by cybercrime forums are helping to inspire new methods of attack and detection evasion. The contests mirror legitimate security conference ‘Call For Papers’ and provide the winners considerable financial rewards, recognition from peers, and potential jobs.
As outlined in Sophos X-Ops’ latest report, “For the Win? Offensive Research Contests on Criminal Forums,” these contests are designed to drive innovation. When analyzed, the entries provide invaluable insight into how cybercriminals attempt to overcome security obstacles.
Christopher Budd, director of threat research at Sophos, said, “The fact that cybercriminals are running, participating in, and even sponsoring these contests suggests that there is a community goal to advance their tactics and techniques. There is even evidence to suggest that these competitions act as a tool for recruitment amongst prominent threat actor groups.
“While our research shows an increased focus on Web-3 related topics such as cryptocurrency, smart contracts and NFTs, many of the winning entries had a broader appeal and could be put to practical use, even if they weren’t particularly novel. This may be reflective of the priorities of the community but could indicate that attackers keep their best research to themselves as they can profit more from using them in real-world attacks.”
Sophos X-Ops explored two prominent annual contests: one run by the Russian-language cybercrime forum Exploit, offering a total prize fund of $80,000 to the winner of its contest in 2021, and another run on the XSS forum, with a prize pool of $40,000 in 2022. For several years, prominent members of the cybercriminal community have sponsored these events, including All World Cards and Lockbit.
Tenable announced web application and API scanning in Tenable Nessus Expert, new features that provide simple and comprehensive vulnerability scanning for modern web applications and APIs.
Web application and API scanning in Nessus Expert are dynamic application security testing (DAST) features that enable security practitioners to proactively identify and assess web applications and APIs for known vulnerabilities. This includes OWASP’s Top 10 vulnerabilities in custom application code and known vulnerabilities found in third-party components.
Glen Pendley, chief technology officer of Tenable, said, “Web applications are under siege and the security practitioners in charge of protecting them face numerous challenges. With Nessus Expert – the gold standard in vulnerability assessment – we’re tackling the crux of these challenges head on by widening visibility into web applications and APIs.
“Whether the apps are running on-prem or in the public cloud, Nessus Expert assesses their exposures and provides security practitioners, consultants and pentesters with actionable results quickly.”
Security practitioners will see benefits such as:
- Set up new web app and API scans and easily generate comprehensive results
- Rapidly discover known vulnerabilities and cyber hygiene issues using predefined scan templates for SSL/TLS certificates and HTTP header misconfigurations
- Identify all web applications, APIs and underlying components owned by a given organization
- Confidently and safely scan environments without disruptions or delays