malware Archives - CISO MAG | Cyber Security Magazine
Mon, 28 Feb 2022 09:45:49 +0000

How to Prevent Steganography Attacks
https://staging-cisomagcom.kinsta.cloud/how-to-prevent-steganography-attacks/
Tue, 22 Feb 2022 10:45:03 +0000

The post How to Prevent Steganography Attacks appeared first on CISO MAG | Cyber Security Magazine.

Cybercriminals are well-versed in shifting their hacking techniques and adapting new threat strategies to specific situations and opportunities. Threat actors often leverage various tactics like phishing and social engineering to spread malware by disguising themselves. Recently, adversaries were found using a new attack vector called Steganography to deploy malware, evade security scans, and obtain persistence.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

According to a Kaspersky report, threat actors targeted multiple distributors of equipment and software for industrial enterprises to steal credentials using phishing and steganography techniques.

What is Steganography?

In general, steganography is the ancient art of hiding information inside images and paintings. Artists have used the technique to conceal their signatures and other hidden messages within their paintings, and kings used the same data-hiding technique to send secret messages to their soldiers in the war zone.

Use of Steganography in Cyberattacks 

Cybercriminals now use steganography as an attack vector to hide malicious JavaScript and malware inside images and distribute those images to targets. When the victim opens the malicious image, the code embedded in it downloads further malicious code or malware and infects the targeted system.

Types of Steganography Attacks

Based on the targets, the attackers use different types of steganography attacks, which include:

1. Text Steganography

In a text steganography attack, hackers conceal information (malware code) inside text files. Bad actors do this by altering the format of an existing file, for example by changing words or inserting random characters or sentences.

2. Image Steganography

In an image steganography attack, attackers hide malicious data in images. They exploit the large number of bits or pixels in an image and replace some of them with malware code. Threat actors use several techniques to carry out image steganography, including least significant bit insertion, masking and filtering, pattern encoding, coding, and cosine transformation methods.

3. Audio Steganography

In an audio steganography attack, threat actors use WAV audio files to hide their customized malware. Attackers embed the malicious code within the WAV files and pair it with a loader component that decodes and executes the content hidden in the audio.

4. Video Steganography

Video steganography is a combination of both text and image-based steganography attacks. Adversaries embed a large amount of malicious data inside the moving stream of images and audio files.
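The least significant bit (LSB) insertion named above is the simplest of the image techniques: each pixel's lowest bit is overwritten with one bit of payload, which changes the picture imperceptibly. The following is an added example (not code from the CISO MAG article) that shows both sides a defender needs to understand: how LSB insertion and extraction work on a constructed list of 8-bit grey pixel values, and one statistical tell-tale that scanning tools look for, a simplified form of the pairs-of-values idea behind Westfeld and Pfitzmann's chi-square attack. Because a natural image splits each value pair (2k, 2k+1) unevenly while embedded random-looking data pushes every pair towards an even split, the pair-imbalance score of a stego image collapses towards zero. The cover image, seed and thresholds are constructed for the demonstration.

```python
import random

def embed_lsb(pixels, payload):
    """Write a 32-bit big-endian length header followed by the payload, one bit
    per pixel, into the least significant bit of each 8-bit pixel value."""
    header = len(payload).to_bytes(4, "big")
    bits = [(byte >> i) & 1 for byte in header + payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this payload")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit      # clear the LSB, then set it to the payload bit
    return stego

def extract_lsb(pixels):
    """Inverse of embed_lsb: read the length header, then that many bytes."""
    def read_int(start, nbits):
        value = 0
        for i in range(start, start + nbits):
            value = (value << 1) | (pixels[i] & 1)
        return value
    length = read_int(0, 32)
    return bytes(read_int(32 + 8 * k, 8) for k in range(length))

def pair_imbalance(pixels):
    """Pairs-of-values score in [0, 1]: for every value pair (2k, 2k+1), how
    unevenly the pixels split between the two members, summed over all pairs.
    Natural images are uneven; LSB embedding of random-looking data equalises
    every pair, so the score drops towards 0."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    return sum(abs(counts[2 * k] - counts[2 * k + 1]) for k in range(128)) / len(pixels)

def make_cover(n=4096):
    """Constructed cover: 49 distinct even base values, with one pixel in five
    bumped to the odd member of its pair, so every pair is split roughly 80/20."""
    return [((i * i) % 97) * 2 + (1 if i % 5 == 0 else 0) for i in range(n)]

def demo():
    """Embed a random payload, recover it, and compare the detection score
    of the clean cover with that of the stego image."""
    rng = random.Random(7)                       # fixed seed: reproducible payload
    payload = bytes(rng.getrandbits(8) for _ in range(500))
    cover = make_cover()
    stego = embed_lsb(cover, payload)
    return {
        "roundtrip_ok": extract_lsb(stego) == payload,
        "cover_score": pair_imbalance(cover),    # about 0.6 for this cover
        "stego_score": pair_imbalance(stego),    # roughly 0.1 after embedding
    }

if __name__ == "__main__":
    print(demo())
```

The score alone is not a verdict: a cover with naturally balanced pairs, or a payload embedded in only a small fraction of the pixels, keeps the score close to the clean value, which is why anti-malware scanners combine several statistical tests with the payload-carrier detection described in the article.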

How Do You Prevent Steganography Attacks?

  • Prevent employees from downloading software and other applications from unknown sources, as they may contain steganographic code.
  • Never click/open/download suspicious text/audio/image files from unknown sources.
  • Closely monitor the software distribution procedures in your organizations to identify malicious insiders.
  • Train employees on various phishing and social engineering lures.
  • Use anti-malware tools to identify the presence of malware in the files, text docs, images received from unknown sources.

About the Author

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.

More from Rudra.

Cybersecurity Will Become the Top Agenda in Boardroom Discussions
https://staging-cisomagcom.kinsta.cloud/cybersecurity-in-the-boardroom/
Wed, 19 Jan 2022 05:30:05 +0000

Among my three cybersecurity predictions for 2022, the one that I am optimistic about is cybersecurity getting more mindshare in the boardroom. Expect to see cybersecurity-focused board members taking an active role in understanding the organization’s cybersecurity posture, including requests for additional metrics and frequent board updates. Here are my three predictions:

By Sriram Tarikere, Senior Director with Alvarez & Marsal’s Global Cyber Risk Services in New York

1. Ransomware threats will continue to evolve. Ransomware threats will continue to dominate the rest of 2021 and into 2022. Cyberthreat actors will continue to get creative, and their attacks will become more sophisticated to ensure that the organizations cannot recover normal business operations without paying the ransom. In a shift from a single group managing the full attack life cycle, threat actors will form specialized groups to gain access into organizations that then sell that access to ransomware operators. The malware deployed by these groups will not be limited to one single vulnerability; rather, the malware will dynamically modify and adapt to the wide range of vulnerabilities available for corporate IT as well as operational technology (OT) systems.

2. Cybersecurity enters the boardroom: Cybersecurity will be top of mind for the Board of Directors and executive leadership teams. Expect to see cybersecurity-focused board members taking an active role in understanding the organization’s cybersecurity posture, including requests for additional metrics and frequent board updates. This is due to the regulatory pressure from agencies like the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) that have made strong statements on enforcement against organizations failing to protect customer data. Gartner predicts that by 2025, about 40% of the Boards will either have dedicated cybersecurity committees or have qualified board members focused on cybersecurity overseeing organizations’ cybersecurity maturity, up from less than 10% today.

3. Heightened scrutiny by cyber insurance companies on organizations’ cyber hygiene: Cyber liability insurance is a type of business insurance that organizations acquire to cover the losses, penalties, and other liabilities associated with cyberattacks and data breaches. Considering that ransomware incidents are becoming more prevalent, it is reported that the insurance claims and payouts are exceeding the premiums being paid. As a result, cyber insurance companies will enhance their due diligence and start performing a comprehensive assessment of the organizations’ cyber hygiene and security posture when issuing or renewing the policies. We can also expect to see cyber insurance premiums increasing exponentially and, in some cases, cyber insurance providers excluding ransomware coverage when issuing or renewing the policies.

Also see:

Mastering Art and Science Is Imperative for CISOs to Be Successful


About the Author

Sriram Tarikere has over 15 years of experience in executing cybersecurity and privacy risk assessments, ranging from very detailed ISO 27001/NIST, HIPAA, PCI DSS and risk quantification assessments, to technical cloud and blockchain secure design and architecture reviews, application and network security assessments, red teaming, threat hunting and social engineering exercises. He has led and coordinated incident response and forensic investigation efforts for some of the largest and highest-profile breaches in the recent past. He also advises clients on some of the most complex cybersecurity initiatives and acts as a trusted security adviser to organizations, C-suites and board members.

Tarikere earned a master’s degree in computer sciences/cybersecurity from New York University. He holds the Chief Information Security Officer (CISO) certificate. He is a CISSP, PCI-QSA, GWAPT, GCIH and ISO 27001 Lead Auditor.

Microsoft Finds New Malware Targeting Organizations in Ukraine
https://staging-cisomagcom.kinsta.cloud/microsoft-finds-new-malware-targeting-organizations-in-ukraine/
Mon, 17 Jan 2022 14:07:45 +0000

Microsoft’s security experts identified a novel malware campaign targeting several IT, non-profit, and government organizations based in Ukraine. Tracked as WhisperGate, the destructive malware campaign was first spotted on January 13. According to a report from the Microsoft Threat Intelligence Center (MSTIC), the malware used by this campaign is designed to look like ransomware but lacks a ransom recovery mechanism. Microsoft found that the campaign is intended to render the targeted systems inoperable rather than to obtain a ransom.

“Our investigation teams have identified the malware on dozens of impacted systems, and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, in Ukraine. We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting,” MSTIC said.

While the attackers behind this malware campaign are unknown, Microsoft stated it had notified the affected users and organizations about WhisperGate.

WhisperGate Campaign Infection 

The WhisperGate malware is capable of overwriting the Master Boot Record (MBR) on victim systems with a fake ransom note. The ransom note contains a Bitcoin wallet and Tox ID. The malware executes when the compromised device is powered down. Once infected, the malware resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe.

Also Read: Russian Networks Accused of Carrying Out Massive Cyberattack on Ukraine

“The malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransomware note is a ruse, and the malware destructs MBR and the contents of the files it targets,” MSTIC added.

Mitigations

  • Review all authentication activity for remote access infrastructure, focusing on accounts configured with single-factor authentication, to confirm the authenticity and investigate any abnormal activity.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and enforce MFA for remote connectivity.
  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Enable Controlled Folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.

Researchers Find New Web Skimmer Campaign Targeted Over 100 Sites
https://staging-cisomagcom.kinsta.cloud/researchers-find-new-web-skimmer-campaign-targeted-over-100-sites/
Wed, 05 Jan 2022 13:59:22 +0000

Supply chain attacks can devastate organizations’ critical infrastructures as one single weak link can enable threat actors to victimize the entire network. Recently, security experts from Unit42 found a supply chain attack using a cloud video platform to spread a formjacking skimmer. The researchers claim they’ve detected over 100 real estate sites compromised by the same skimmer attack.

In formjacking attacks, hackers inject malicious JavaScript code into the victim’s website to compromise and steal sensitive information. The deployed malware code alters the behavior of the targeted website without a user’s knowledge.

The researchers stated the skimmer has harvested victims’ sensitive information such as names, emails, phone numbers and sent them to a collection server – https://cdn-imgcloud[.]com/img, which is also malicious.

Also Read: Indian Users Third Most Affected by Formjacking Attacks

“The skimmer itself is highly polymorphic, elusive, and continuously evolving. When combined with cloud distribution platforms, the impact of a skimmer of this type could be very large. For these reasons, attacks like this raise the stakes for security researchers to untangle their sophisticated strategies and trace them to the root cause. We have to invent more sophisticated strategies to detect skimmer campaigns of this type since merely blocking domain names or URLs used by skimmers is ineffective,” the researchers said.

Hackers Deploy Malicious Code in Video

Unit42 researchers stated that the attackers injected the skimmer code into the player of the cloud video platform, so it is downloaded automatically whenever a site imports a video served by the compromised player. Explaining how the skimmer got into the player, the researchers added, “When the cloud platform user creates a player, the user is allowed to add their own JavaScript customizations by uploading a JavaScript file to be included in their player. In this specific instance, the user uploaded a script that could be modified upstream to include malicious content. We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.”
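The researchers' point that blocking skimmer domains is ineffective follows from the infection path: the malicious code arrived through a legitimate platform re-ingesting a customisation script that had been altered at its hosted location. A control that catches this is to pin the hash of every third-party script at review time and fail closed when the fetched content no longer matches. The following is an added example, not Unit42's or the video platform's code, that computes a Subresource Integrity (SRI) value, keeps a baseline of pinned scripts, and checks fetched content against it; the player URL and the script bodies are constructed placeholders.

```python
import base64
import hashlib

def sri_hash(script_bytes, algo="sha384"):
    """Subresource Integrity value for a script body: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

class ScriptBaseline:
    """Pin the integrity hash of each third-party script as it was reviewed."""
    def __init__(self):
        self.pinned = {}

    def pin(self, url, script_bytes):
        self.pinned[url] = sri_hash(script_bytes)

    def check(self, url, fetched_bytes):
        """Return (ok, reason). An unknown URL and a hash mismatch both fail closed,
        so a script edited upstream is reported even if its domain is still trusted."""
        expected = self.pinned.get(url)
        if expected is None:
            return False, "script not in baseline"
        actual = sri_hash(fetched_bytes)
        if actual != expected:
            return False, f"hash changed: expected {expected}, got {actual}"
        return True, "unchanged"

    def script_tag(self, url):
        """Emit the <script> tag with the pinned integrity value so the browser
        itself refuses a modified file."""
        return (f'<script src="{url}" integrity="{self.pinned[url]}" '
                f'crossorigin="anonymous"></script>')

# Constructed sample: a benign player customisation as reviewed, and the same
# file after an upstream edit appended extra code. Placeholder host name.
PLAYER_URL = "https://video-platform.example/player/custom.js"
REVIEWED = b"window.player.on('ready', () => console.log('player ready'));\n"
ALTERED = REVIEWED + b"// constructed: unexpected code appended upstream\n"

def demo():
    baseline = ScriptBaseline()
    baseline.pin(PLAYER_URL, REVIEWED)
    return {
        "reviewed": baseline.check(PLAYER_URL, REVIEWED),
        "altered": baseline.check(PLAYER_URL, ALTERED),
        "unknown": baseline.check("https://other.example/x.js", REVIEWED),
        "tag": baseline.script_tag(PLAYER_URL),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The SRI attribute only protects scripts the page loads itself with a static tag; code that a player injects dynamically is not covered by it, so the server-side baseline check (a periodic fetch-and-compare of every pinned URL) is the part that would have flagged the re-ingested file in the case above. Either way, a legitimate upstream update also trips the check, which is the intended outcome: the new version gets reviewed and re-pinned.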

Echelon Malware Posted on Cryptocurrency Trading Telegram Channel Targets Crypto Wallets
https://staging-cisomagcom.kinsta.cloud/echelon-malware-posted-on-cryptocurrency-trading-telegram-channel-targets-crypto-wallets/
Fri, 24 Dec 2021 12:54:50 +0000

SafeGuard Cyber discovered a sample of the Echelon malware targeting crypto wallets and user account credentials. The researchers found the malware posted on a cryptocurrency discussion channel on Telegram.

“Based on the malware and the manner in which it was posted, we believe that it was not part of a coordinated campaign and was simply targeting new or naive users of the channel. The sample of Echelon that we analyzed targets credentials, crypto wallets, and has some fingerprinting capabilities,” SafeGuard said.

The Incident

Researchers at SafeGuard revealed that the attackers exploited the Telegram handle “Smokes Night” to propagate the malware Echelon and steal credentials from user accounts and crypto wallets.

“This was an isolated, one-off incident meant to target new unsuspecting users of the channel. The handle “Smokes Night” was only used once on the channel, and the only post it made was to post Echelon. The post did not appear to be a response to any of the surrounding messages in the channel. We did not see anyone respond to “Smokes Night” or complain about the file, though this does not prove that users of the channel did not get infected,” shared SafeGuard.

Malware Brief

The researchers explained that analysis of the malicious executable shows it contains some anti-analysis features. It has two anti-debugging functions, which immediately terminate the process if a debugger or other malware analysis tools are detected. Additionally, the sample is obfuscated using ConfuserEx v1.0.0.

Also Read: Hackers Steal Cryptocurrency Worth $150 Mn From BitMart Exchange

SafeGuard divulged, “After de-obfuscating the .NET code, we found that the sample performs several crypto wallet and credential-stealing functions, as well as domain detection and computer fingerprinting. The malware will also attempt to take a screenshot of the victim machine.”

Exploited Platforms:

  • Discord
  • Edge
  • FileZilla
  • NordVPN
  • OpenVPN
  • Outlook
  • Pidgin
  • ProtonVPN
  • Psi (Jabber)
  • Telegram
  • TotalCommander

Aimed Digital Currency Wallets:

  • Armory
  • AtomicWallet
  • BitcoinCore
  • ByteCoin
  • DashCore
  • Electrum
  • Exodus
  • Ethereum
  • Jaxx
  • LitecoinCore
  • Monero
  • Zcash

Threat actors continue to prey on digital platforms and use every opportunity to cause disruption and satisfy their financial greed. Cryptocurrency has become a hallmark of these attacks: whether as the platform under attack or as the medium for ransom payment, digital currency is a haven for cybercriminals.

Akshat Jain, Co-Founder and CTO of Cyware, opines, “Cryptocurrencies continue to provide a safe haven for cybercriminals and ransomware groups looking to evade being traced. Because these coins are largely anonymous, cybercriminals are heavily relying on these currencies to carry out attacks. As per the data shared earlier this year by the National Cybersecurity Coordinator, India, “by the end of 2021, ransomware is expected to attack a company every 11 seconds and cause damages of up to $20 billion.” The illicit use of cryptocurrency, both to evade sanctions and to obfuscate involvement in criminal activity, will continue to increase in 2022, with ransomware and crypto-jacking being the two most prominent ways that criminals can directly receive cryptocurrency payments from their victims.”

Cryptocurrency exchanges and hot wallets continue to be a primary target for threat actors. Another victim that joined the bandwagon of crypto hacks was the cryptocurrency trading platform BitMart.

4 Types of Insiders You Need to Know
https://staging-cisomagcom.kinsta.cloud/4-types-of-insiders-you-need-to-know/
Thu, 09 Dec 2021 10:52:19 +0000

Despite several employee awareness programs and cybersecurity best practices, most organizations face insider threats that affect the overall security posture. Threat actors continue to target unwitting employees – the weakest link – with different social engineering and phishing lures hitting the mailboxes.

According to Egress’ Insider Data Breach Survey 2021, 94% of organizations sustained insider data breaches last year. Nearly 84% of security leaders surveyed stated that human error was the top cause of cyberattacks, while 28% of the respondents admitted that insiders’ malicious intent is their biggest fear.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

Insider Threats on the Rise

Insider threats and attacks have become a burning issue for organizations globally, as a single negligent act by an employee can cost the company dearly. Insider threat incidents increased by 47%, from 3,200 in 2018 to 4,716 in 2020. The cost of insider threat incidents also surged by 31%, from $8.76 million in 2018 to $11.45 million in 2020. Employee negligence led to 62% of security incidents, costing global organizations an average of $307,111 per incident.

Also Read: Insider Threats: A Byproduct of the New Normal

Types of Insiders  

All insider attacks are not due to employee errors. Some attacks are the result of employees with malicious intent.

[Infographic: Types of Insiders. Source: CISO MAG]

1. Careless Insider

Careless or negligent insiders are the most common type of insider that organizations face. These insiders have no ill intentions towards the company; however, their negligent acts create chaos. The typical actions of a careless insider (harmful yet unintentional) include clicking or downloading malicious attachments, responding to phishing lures, and leaving flash drives containing sensitive data unattended.

2. Oblivious Insider

Oblivious insiders have access to the company’s confidential data, making them a primary target for phishers. Attackers often trick these insiders via social engineering to obtain sensitive data or deploy malware.

3. Malicious Insider

These insiders purposefully cause damage to the organization’s security by erasing/stealing sensitive corporate data or helping outsiders deploy malware or ransomware.

4. Saboteur Insider

Insiders making career shifts come under this category. Saboteurs intentionally try to harm their current company’s reputation to show their frustration. Saboteur insiders take revenge against their present company by giving hackers corporate data and vulnerability exploits.

Best Practices 

While we cannot predict insider actions, implementing certain security actions could mitigate the risks. These include:

  • Providing cybersecurity education and training to all employees to boost endpoint security
  • Encouraging all employees and third-party users to maintain cyber hygiene by choosing complex passwords (e.g., “T1g3rudhxn!vo?LSU”)
  • Establishing physical security in work environments by inspecting everyone entering critical IT server rooms
  • Monitoring remote access from all endpoints and mobile devices
  • Creating a backup system or backup policy

Note: Do not use the passwords used as example in this article for your actual password.

About the Author

Rudra Srinivas

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.

More from Rudra.

QNAP Warns About New Bitcoin Miner Targeting NAS Devices
https://staging-cisomagcom.kinsta.cloud/qnap-warns-about-new-bitcoin-miner-targeting-nas-devices/
Wed, 08 Dec 2021 14:32:24 +0000

Hardware vendor QNAP released a security advisory warning its users about a new cryptomining malware targeting its network-attached storage (NAS) devices. The Taiwan-based company urged users to take necessary security measures to prevent the ongoing malware campaign.

Once the malware infects a NAS device, the CPU usage becomes unusually high, where a process named “oom_reaper” could occupy around 50% of the total CPU usage. A NAS device is an internet-connected storage device that allows data storage and retrieval from a central location for authorized network users and clients.

“This process mimics a normal, legitimate kernel process with the same name. However, while the legitimate kernel process PID is usually below 1000, the bitcoin miner PID is usually greater than 1000,” the advisory said. While the actors behind the malware campaign are unknown, QNAP stated it is currently investigating the severity of the threat.
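The advisory's PID heuristic is easy to turn into a check that runs over a process listing rather than relying on an eyeball comparison. The following is an added example, not QNAP's code: it parses a listing in the shape of `ps -eo pid,user,pcpu,comm` (the sample lines are constructed, not captured from a real NAS) and flags any process calling itself oom_reaper whose PID is above 1000, as the advisory describes, or which is burning CPU as the article reports. The CPU threshold is an assumption for the demonstration; the genuine kernel thread is essentially idle.

```python
import re

# Constructed process listing in the shape of `ps -eo pid,user,pcpu,comm`; not
# captured from a real device. PID 142 stands in for the genuine kernel thread.
SAMPLE_PS = """\
  PID USER     %CPU COMMAND
    1 admin     0.0 init
  142 admin     0.0 [oom_reaper]
 1873 admin    49.7 oom_reaper
 2210 admin     1.2 qnap_daemon
 3317 httpdusr  0.4 httpd
"""

PID_THRESHOLD = 1000    # from the QNAP advisory: the kernel thread's PID is usually below 1000
CPU_THRESHOLD = 40.0    # assumption: sustained CPU use near the ~50% the article reports

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d.]+)\s+(.+?)\s*$")

def parse_ps(text):
    """Turn the listing into dicts; the header line is skipped and any line
    that does not match the four-column shape is ignored."""
    procs = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if m:
            pid, user, cpu, comm = m.groups()
            procs.append({"pid": int(pid), "user": user,
                          "cpu": float(cpu), "comm": comm})
    return procs

def suspicious_oom_reaper(procs):
    """Return (pid, reasons) for every process named oom_reaper that fails the
    advisory's PID test or the CPU test. Brackets are stripped because some ps
    column formats show kernel threads as [name]."""
    flagged = []
    for p in procs:
        if p["comm"].strip("[]") != "oom_reaper":
            continue
        reasons = []
        if p["pid"] > PID_THRESHOLD:
            reasons.append(f"pid {p['pid']} > {PID_THRESHOLD}")
        if p["cpu"] >= CPU_THRESHOLD:
            reasons.append(f"cpu {p['cpu']}% >= {CPU_THRESHOLD}%")
        if reasons:
            flagged.append((p["pid"], reasons))
    return flagged

if __name__ == "__main__":
    for pid, reasons in suspicious_oom_reaper(parse_ps(SAMPLE_PS)):
        print(f"suspicious oom_reaper pid={pid}: {', '.join(reasons)}")
```

On the device itself the listing would be piped in from `ps`; a hit is a reason to follow the remediation steps in the advisory (reboot, update QTS or QuTS hero, run Malware Remover, rotate passwords), not proof on its own, since a low PID can also be obtained by a miner that started early in boot.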

Also Read: Illicit Cryptomining Surges Amid Soaring Crypto Value

Mitigation

QNAP stated the infection could be removed by rebooting the affected devices. Customers also need to take proactive measures such as updating operating systems (QTS or QuTS), all QNAP add-on apps, and changing their NAS account passwords.

To protect the NAS devices from the Bitcoin mining malware, the company recommended users to:

  • Update QTS or QuTS hero to the latest version
  • Install and update Malware Remover to the latest version
  • Use stronger passwords for your administrator and other user accounts
  • Update all installed applications to their latest versions
  • Do not expose your NAS to the internet or avoid using default system port numbers 443 and 8080
  • If you suspect your NAS has been infected with the bitcoin miner, restarting the NAS may also remove the malware

Not the First Time

This is not the first time that QNAP NAS devices have been under attack. Earlier, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) uncovered a strain of malware known as QSnatch that targeted QNAP NAS systems.

The post QNAP Warns About New Bitcoin Miner Targeting NAS Devices appeared first on CISO MAG | Cyber Security Magazine.

Google Takes Legal Action Against Glupteba Botnet
https://staging-cisomagcom.kinsta.cloud/google-takes-legal-action-against-glupteba-botnet/ (Wed, 08 Dec 2021 10:16:39 +0000)

Google recently disrupted the malware activities of a sophisticated botnet, Glupteba. The search engine giant claimed the Glupteba botnet has been targeting Windows systems while protecting itself using blockchain technology. Google disrupted Glupteba’s key command and control infrastructure to dissolve its operations completely.

“Botnets are a real threat to Internet users and require the efforts of industry and law enforcement to deter them. As part of our ongoing work to protect people who use Google services via Windows and other IoT devices, our Threat Analysis Group took steps to detect and track Glupteba’s malicious activity over time. Our research and understanding of this botnet’s operations put us in a unique position to disrupt it and safeguard Internet users around the world,” Google said.

Glupteba Botnet in Brief

A botnet is a set of Internet-connected devices that carry out malicious commands under the remote control of the attacker. Threat actors often use botnets to compromise a targeted network, deploy malware, and launch Distributed Denial-of-Service (DDoS) attacks.

Also Read: Meris Botnet Hits Russian Search Engine Yandex Again with 21.8 Mn RPS

Google stated that Glupteba can steal users’ credentials and data, mine cryptocurrencies on infected hosts, and set up proxies to funnel other people’s internet traffic through infected machines and routers. The botnet currently involves approximately one million compromised Windows devices worldwide and is expected to grow at a rate of thousands of new devices per day.

Legal Action Against Glupteba

While the operators behind the Glupteba botnet are unknown, Google suspects that Russian cybercriminals are involved in the campaign. Google took legal action against Glupteba’s operators for infiltrating more than a million computers and other devices worldwide, including the theft and unauthorized use of Google users’ login and account information. Reports suggest that threat actors could leverage the Glupteba botnet to launch ransomware or DDoS attacks.

“Our litigation was filed against the operators of the botnet, who we believe are based in Russia. We filed the action in the Southern District of New York for computer fraud and abuse, trademark infringement, and other claims. We also filed a temporary restraining order to bolster our technical disruption effort. If successful, this action will create real legal liability for the operators,” Google added.

The post Google Takes Legal Action Against Glupteba Botnet appeared first on CISO MAG | Cyber Security Magazine.

Nobelium’s Phishing Campaign Targets French Entities
https://staging-cisomagcom.kinsta.cloud/nobeliums-phishing-campaign-targets-french-entities/ (Tue, 07 Dec 2021 13:05:20 +0000)

In a report, the ANSSI (French National Cybersecurity Agency) revealed that it has observed several phishing campaigns directed against French entities since February 2021. Compromised email accounts of French organizations were used to spread the malware and send malicious emails to foreign institutions, and the campaigns have been ascribed to the Nobelium intrusion set.

Per the report, the French entities have also been recipients of malicious emails sent from compromised foreign institutions. The agency has attributed these attacks to the Nobelium intrusion set. The Russian-backed Nobelium hacking group is also responsible for last year’s SolarWinds attack.

According to Microsoft, Nobelium was active in October 2021. The intrusion set was possibly used during attack campaigns that target Active Directory Federation Services servers to compromise government bodies, think tanks, and private firms in the U.S. and Europe.

“The Microsoft Threat Intelligence Center (MSTIC) observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system,” Microsoft added.

Recommendations

1. Restrict the execution of file attachments

Given the chain of compromise, which relies on the opening of a malicious file attachment as part of a phishing campaign, it is recommended that suspicious files are not executed.

2. Tighten Active Directory security

The intrusion set tends to focus on Active Directory (AD) servers in particular. Tighter security measures should be applied. ANSSI has produced a guide containing recommendations for security hardening, which can be found on the CERT-FR website.

The Nobelium Attacks

  • Pentagon (August 2015)
  • Democratic National Committee (2016)
  • US think tanks and NGOs (2016)
  • Norwegian government (2017)
  • Dutch ministries (2017)
  • Operation Ghost
  • COVID-19 vaccine data (2020)
  • SUNBURST malware supply chain attack (2020)
  • Republican National Committee (2021)

Mandiant, which has been tracking the Russian threat actor closely since the SolarWinds supply chain attack, has shared a few observations in its report.

  • Compromise of multiple technology solutions, services, and reseller companies since 2020.
  • Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations.
  • Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.
  • Use of both residential IP proxy services and newly provisioned geo-located infrastructure to communicate with compromised victims.
  • Use of novel TTPs to bypass security restrictions within environments including but not limited to the extraction of virtual machines to determine internal routing configurations.
  • Use of a new bespoke downloader called CEELOADER.
  • Abuse of multi-factor authentication leveraging “push” notifications on smartphones.

“In most instances, post compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts,” Mandiant said.

This reflects what has been reported in the French organizations’ case, where the compromised email accounts are further used to launch attacks on foreign institutions, creating routes to access other victim environments.

The post Nobelium’s Phishing Campaign Targets French Entities appeared first on CISO MAG | Cyber Security Magazine.

Cuba Ransomware Infringed 49 Critical Infrastructure Entities
https://staging-cisomagcom.kinsta.cloud/fbi-flash-alert-cuba-ransomware-infringed-49-critical-infrastructure-entities/ (Mon, 06 Dec 2021 12:38:00 +0000)

In a flash alert, the Federal Bureau of Investigation (FBI), in coordination with DHS/CISA, identified that since early November 2021, Cuba ransomware had infiltrated around 49 entities from critical infrastructure sectors in the country, including financial, government, healthcare, manufacturing, and information technology.

Per the flash alert, Cuba ransomware actors append the “.cuba” extension to the files they encrypt after infiltrating a network. The ransomware gang has reportedly demanded at least $74 million and received at least $43.9 million in ransom payments.

Cuba Ransomware Deployed by Hancitor

The Group-IB Threat Intelligence and Attribution team discovered that the threat actors actively use Hancitor to deploy Cuba ransomware. According to the team, Cuba ransomware has been active since at least January 2020. Its operators run a DLS (dedicated leak site), where they post data exfiltrated from victims who refused to pay the ransom. The team added that the Hancitor downloader has been active since at least 2016, originally dropping Pony and Vawtrak. As a loader, it has been used to download other malware families, such as Ficker stealer and NetSupport RAT, to compromised hosts. The Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services — such as PowerShell, PsExec, and other unspecified services — and then leverage Windows Admin privileges to execute their ransomware and other processes remotely.

The Technical View

The FBI explained the technical working of the malicious ransomware. It stated, “Cuba ransomware, upon compromise, installs and executes a CobaltStrike beacon as a service on the victim’s network via PowerShell. Once installed, the ransomware downloads two executable files, which include “pones.exe” for password acquisition and “krots.exe,” also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file. Once the TMP file is uploaded, the “krots.exe” file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com.”

Mitigations

The following mitigations have been suggested to reduce the risk of compromise by Cuba ransomware:

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  • Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Remove unnecessary access to administrative shares, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
  • Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between — and access to — various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Implement time-based access for accounts set at the admin level and higher. This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Maintain offline backups of data, and regularly test backup and restoration. This practice will ensure the organization is not severely interrupted or left with irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

As the festive season witnesses a significant spike in premeditated cybercrime, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI remind all organizations, big or small, and critical infrastructure partners that malicious actor groups are proactively launching premeditated cyberattacks.

The authorities had issued advisories for organizations, especially critical infrastructure and services, to assess the current security posture and implement best practices and mitigations to attenuate the threat posed by cyberattacks.

Despite the alerts, we continue to see a rise in the number of ransomware attack victims. Many organizations give in to these demands to safeguard their reputation, critical information, data, and financial status.

Satya Gupta, Cofounder and CTO, Virsec, opined, “Critical infrastructure will remain a highly lucrative target. There is a subtle but massive change in attacker tactics that is taking place and we are at risk of being totally blindsided. Attackers are increasingly burrowing their attacks deep in the software runtime by exploiting vulnerabilities. Being deeper in the software’s runtime helps attackers evade early discovery as evidenced by this group’s method.”

“While many vulnerability disclosures are accompanied by a software patch, the most sophisticated attackers often leverage undisclosed vulnerabilities. In a recent interview, CISA Director Jen Easterly remarked that more than ‘90 percent of vulnerabilities exploited by ransomware have patches associated with them.’ What is left unsaid is that 10% of attacks are on vulnerabilities for which patches are not available. Irrespective, patching is not a successful security strategy. This is because even if a patch were available, many entities will drag their heels in deploying the patch.”

Government authorities have also prioritized ransomware attacks and are pressuring ransomware groups to cease operations to address the growing menace.

See also: Biden Administration and Tech Giants Come Together to Raise Bar on Cybersecurity

Organizations need to be on constant alert and review their security posture at a micro-level, as threat actors are actively scouting for the smallest vulnerability and launching their vicious attacks.

Gupta expressed, “The only way organizations can truly protect themselves is by deploying runtime security controls that take away the attacker’s ability to successfully exploit vulnerabilities. These controls will stop attackers, in milliseconds, from successfully exploiting vulnerabilities. This type of protection is not only possible, but mandatory if we want to prevent further successful ransomware attacks.”

The post Cuba Ransomware Infringed 49 Critical Infrastructure Entities appeared first on CISO MAG | Cyber Security Magazine.
