Request Demo

Connective Platform™

Connective Shield

Connective Identity

Connective Vigilance

Solutions

Partners

Support

Company

Blog

Career

About Us

+1-303-423-4500

Contact Us

IBM has a comprehensive approach to encourage security by design. A free Red Book is available for developers: The IBM Redbook for Security in Development

The home page for IBM’s main security testing tool is IBM Rational AppScan

IBM has a comprehensive approach to encourage security by design. A free Red Book is available for developers: The IBM Redbook for Security in Development The home page for IBM’s main security testing tool is IBM Rational AppScan

IBM Security Tools

Analytics

Big Data

Billing

Business

Business Intelligence

Cloud Computing

Consulting

Cybersecurity

Data Warehouse

News

Services

Technology

Testing as a Service

We focus on reliability, quality, and value.

Cybercriminals are looking for ways to integrate large language models (LLMs) into their attacks, and they have three main options: trying to bypass the safeguards on existing LLMs, building their own LLMs, or using uncensored open-source models.

One recent example is Dark Gemini, an underground service that appears to modify prompts sent to a legitimate LLM in order to bypass restrictions. While Dark Gemini's abilities weren't very impressive, it demonstrates how cybercriminals can leverage existing LLMs to enhance phishing attacks, for instance, by generating more convincing text.

Security researchers are concerned that nation-state actors are already using LLMs to improve their operations. Additionally, some researchers believe the safeguards on LLMs can be easily bypassed. However, it seems that using LLMs for more complex tasks, like creating malware, will still be difficult due to the current limitations.

In conclusion, cybercriminals are actively looking for ways to exploit LLMs, and while there are challenges, even basic use of LLMs can improve the effectiveness of existing attacks.

Cybercriminals Weigh Options for Using LLMs: Buy, Build, or Break?

In a proactive measure to enhance user security, Google has announced an update to its Chrome browser, effectively patching a series of vulnerabilities, including the zero-day flaw CVE-2024-3159, unveiled at the Pwn2Own hacking contest in March 2024. This critical issue, an out-of-bounds memory access in the V8 JavaScript engine, was exploited by Edouard Bochin and Tao Yan from Palo Alto Networks, earning them a $42,500 reward.

CVE-2024-3159 is the third zero-day discovered at Pwn2Own 2024 to be addressed by Google, following earlier fixes for vulnerabilities in WebCodecs and WebAssembly. In addition to CVE-2024-3159, the latest update also corrects two other vulnerabilities reported by external researchers, with Google disbursing $10,000 in total bounties.

The updated Chrome versions—123.0.6312.105/.106/.107 for Windows and macOS, and version 123.0.6312.105 for Linux—are currently being deployed. 

The diligent response from Google emphasizes the tech giant's commitment to user security and the pivotal role of ethical hacking competitions like Pwn2Own in identifying and mitigating potential threats. These contests not only help in uncovering hidden vulnerabilities but also foster a culture of proactive security measures among tech companies. Users are strongly advised to update their browsers to the latest version to ensure they have the most up-to-date defenses against this specific vulnerability and others that may pose a risk. Google's commitment to security, combined with the collaborative efforts of the cybersecurity community, continues to play a vital role in maintaining the integrity and safety of the digital landscape.

Source: SecurityWeek 04/03/2024

In a proactive measure to enhance user security, Google has announced an update to its Chrome browser, effectively patching a series of vulnerabilities, including the zero-day flaw CVE-2024-3159, unveiled at the Pwn2Own hacking contest in March 2024. 

Google Updates Chrome to Patch Zero-Day Flaw Exposed at Pwn2Own

It’s been three months since the Securities and Exchange Commission’s cyber disclosure rules took effect and rather than creating a deluge of incident revelations, only a trickle has emerged. Companies have submitted 12 initial Form 8-K, Item 1.05 filings, the form the SEC began requiring businesses to file for material cybersecurity incidents on Dec. 18. Each of these filings mention an “incident,” and all but two said the activity or access was “unauthorized.” While the language businesses use in Item 1.05 filings are ultimately crafted to notify regulators and investors of potential risks, these words also signal how a company detects, mitigates, contains and recovers from cyberattacks. Across the filings Cybersecurity Dive analyzed, none of the businesses described the incident as a breach or data breach in the filing with the SEC — and that was likely by design.

“Words like ‘breach’ and ‘data breach’ have very specific legal meanings and consequences, and they also have a particular meaning within what I’ll call the public consciousness,” said Travis Brennan, partner and chair of the privacy and data security practice at Stradling. “It’s just become a very loaded term, generally, and I think it’s one that companies in these disclosures will studiously avoid using in most cases,” Brennan said. “Once there has been a breach, as opposed to merely an incident, that suggests that the risk of harm has just gone up a few notches.” 

It’s been three months since the Securities and Exchange Commission’s cyber disclosure rules took effect and rather than creating a deluge of incident revelations, only a trickle has emerged. 

How companies describe cyber incidents in SEC filings

APIs were the target of 29% of web attacks in 2023, with cybercriminals exploiting the swiftly growing API economy for new avenues of attack, according to a report from Akamai. The commerce sector experienced the highest number of attacks, accounting for about 44%. Business services followed at nearly 32%. Attacks ranged from Local File Inclusion (LFI) and SQL Injection (SQLi) to Cross-Site Scripting (XSS).

Akamai’s findings underscore the escalating concerns in the industry surrounding API security threats. In 2021, Gartner predicted API abuse and data breaches would double by 2024. In 2023, the Open Web Application Security Project (OWASP) released a dedicated list of API-specific risks, highlighting the growing concern. “APIs are increasingly critical to organizations, but their security is often not designed into the capability, or the security team is not able to keep up with the rapid deployment of new technology,” Steve Winterfeld, advisory CISO of Akamai, said in the State of the Internet (SOTI) report.

APIs are pivotal in developing new capabilities within companies. However, their security often receives inadequate attention, either overlooked in early planning stages or failing to match the pace of rapid technological deployment. Akamai pointed out two distinct issues in this regard — posture and runtime problems.

API implementation flaws in an enterprise can lead to posture problems. Most common among them include shadow endpoints, unauthenticated resource access, sensitive data in a URL, a permissive cross-origin resource sharing (CORS) policy, and excessive client errors.

Runtime problems, on the other hand, are active threats demanding immediate action. These include unauthenticated resource access attempts, API activity with unusual JSON payloads, path parameter fuzzing attempts, illogical API timestamps, geolocation, or sequence, and data scraping. 

Adopting a comprehensive API security program provides organizations with unparalleled visibility across their digital ecosystem. This includes discovering all APIs within the organization, auditing their risk levels, detecting abnormal behaviors indicative of abuse, and enabling expert-led investigations to hunt for hidden threats.

APIs were the target of 29% of web attacks in 2023, with cybercriminals exploiting the swiftly growing API economy for new avenues of attack, according to a report from Akamai. 

A third of web attacks targeted APIs in 2023, threatening the expanding API economy

DDoS attacks against the financial services sector historically accounted for about 10-15% of all attacks, however that trend began to rise in 2021, the FS-ISAC and Akamai found. “Financial services companies are prime targets because successfully disrupting operations, for even just a moment, can lead to severe reputational risks and distrust in the global financial system,” Teresa Walsh, chief intelligence officer and managing director, EMEA, at FS-ISAC, said via email.

Akamai in September said it prevented a DDoS attack on a major U.S. financial institution. The attack peaked at 633.7 gigabits per second and 55 million packets per second. The increased activity was driven in large part by hacktivist groups using DDoS as a tool to disrupt institutions at a time of rising geopolitical tensions.

U.S. authorities in July warned that threat groups were potentially targeting multiple sectors using DDoS capabilities, including one group which claimed to have targeted the Treasury Department’s Electronic Federal Tax Payment System. By October, security researchers warned a novel zero day vulnerability, known as HTTP/2 Rapid Reset, was being used to launch some of the most powerful DDoS attacks ever recorded.  

DDoS attacks against the financial services sector historically accounted for about 10-15% of all attacks, however that trend began to rise in 2021, the FS-ISAC and Akamai found. 

Financial services sees sharp increase in DDoS attacks as geopolitical tensions rise

The NIST Cybersecurity Framework (CSF) 2.0, an evolution of its predecessor, is a comprehensive guide designed to assist organizations across various sectors in managing and mitigating cybersecurity risks effectively. This framework, while not prescribing specific actions, offers a taxonomy of high-level cybersecurity outcomes, enabling organizations, regardless of their size, sector, or maturity, to better understand, assess, prioritize, and communicate their cybersecurity efforts.

The CSF 2.0 emphasizes the importance of communication and integration in cybersecurity risk management. It advocates for a shared understanding and approach to managing cybersecurity risk, not just within an organization but also in its interactions with third parties. This shared understanding is crucial for making informed decisions about cybersecurity expenditures and actions, ultimately enhancing an organization’s cybersecurity posture.  The NIST Cybersecurity Framework 2.0 serves as a foundational resource for organizations seeking to navigate the complex landscape of cybersecurity risks. It encourages a proactive, nuanced approach to cybersecurity, emphasizing flexibility, adaptability, and continuous improvement. 

The NIST Cybersecurity Framework (CSF) 2.0, an evolution of its predecessor, is a comprehensive guide designed to assist organizations across various sectors in managing and mitigating cybersecurity risks effectively.

An Overview of the NIST Cybersecurity Framework 2.0

Google’s new Security Command Center Enterprise (SCC Enterprise) could streamline cloud risk management through AI automation, saving security teams time, experts say. Enhanced with Mandiant threat intelligence and generative AI, SCC Enterprise aims to offer comprehensive insights across the cloud security lifecycle. Google Cloud has identified gaps in the protection provided by current cloud-native application protection platforms (CNAPPs) and introduced SCC Enterprise as a solution to better guard against emerging threats.

“There are two things that Security Command Center Enterprise addresses compared with previous solutions: tighter integration between cloud and enterprise security and coverage across multi-cloud rather than just operating in silos,” Narayana Pappu, CEO at Zendata, a San Francisco-based provider of data security and privacy compliance solutions said in an interview. “Automation and integration of Gen AI brings efficiencies that will save teams time as well.”

According to Suni Potti, VP/GM of Google Cloud Security, the new platform integrates Mandiant Threat Intelligence with modern SecOps capabilities, enabling swift responses to cloud security incidents through “SIEM-powered visibility and SOAR-driven accountability.”

“Security teams can get a single view of their posture controls, active threats, cloud identities, data, and more, while integrating remediation and issue accountability into the end-to-end workflows of a converged cloud risk management platform,” Potti wrote in a blog post.

Google’s new Security Command Center Enterprise (SCC Enterprise) could streamline cloud risk management through AI automation, saving security teams time, experts say. Enhanced with Mandiant threat intelligence and generative AI, SCC Enterprise aims to offer comprehensive insights across the cloud security lifecycle.

Google’s Security Command Center Enterprise fills gaps across cloud security lifecycle

Lookout recently discovered an advanced phishing kit exhibiting novel tactics to target cryptocurrency platforms as well as the Federal Communications Commission (FCC) via mobile devices. Following the tactics of groups like Scattered Spider, this kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs and even photo IDs from hundreds of victims, mostly in the United States.

Lookout first flagged this phishing kit when our automated analysis discovered a suspicious new domain registration that matched a common format used by Scattered Spider, as mentioned in a recent warning by CISA.  The domain in question was fcc-okta[.]com, which is only a single character different from the legitimate FCC Okta Single Sign On (SSO) page. This phishing kit first asks the victim to complete a captcha using hCaptcha. This is a novel tactic that prevents automated analysis tools from crawling and identifying the phishing site. It may also give the illusion of credibility to the victim, as typically only legitimate sites use captcha. Once the captcha is completed, the login page mimics the FCC’s legitimate Okta page. Upon providing their credentials, the victim can be sent to wait, sign in, or ask for the MFA token.

Unlike typical phishing kits, which attempt to harvest credentials as quickly as possible, this one seems to be aware of modern security controls organizations have put in place such as MFA. 

Lookout researchers saw that there is an administrative console that the operator uses to monitor the phishing page. While we were unable to directly access this console, we were able to access its javascript and css and piece together much of its functionality.  Each time a victim visited the page and entered information, we observed that a new row was populated on a table. Once the victim enters their username and password, the admin is able to select from a long list of options of where to send them next. The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access, For example, they can be redirected to a page that asks for their MFA token from their authenticator app or a page requesting an SMS-based token.  

We were also able to investigate the phishing kit, which gave us additional insight into targets and tactics used. The kit contains numerous references to cryptocurrency platforms and SSO services. While the version of the kit targeted at the FCC impersonates the FCC’s specific Okta page by default, the kit is able to impersonate many different company’s brands. 

Lookout recently discovered an advanced phishing kit exhibiting novel tactics to target cryptocurrency platforms as well as the Federal Communications Commission (FCC) via mobile devices.

CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack

The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates’ money by pretending the FBI seized their site and infrastructure. The gang announced they are now selling the source code for the malware for the hefty price of $5 million. On a hacker forum, ALPHV said that they decided "to close the project" because of "the feds," without providing additional details or a clarification. However, a national law enforcement agency listed on the seizure banner confirmed to BleepingComputer that they were not involved in any recent disruption of ALPHV infrastructure.

The ransomware gang started the exit-scam operation on Friday, when they took their Tor data leak blog  offline. On Monday, they further shut down the negotiation servers, saying that they decided to turn everything off, amid complaints from an affiliate that the operators stole a $20 million Change Healthcare ransom from them." Yesterday, the gang's status on Tox changed to 'GG' ('good game') - hinting at the end of the operation, and later to "selling source code 5kk," indicating that they wanted $5 million for their malware. In a message on a hacker forum shared by Recorded Future's Dmitry Smilyanets, the administrators of the operation said that they "decided to completely close the project" and "we can officially declare that the feds screwed us over. At the time of writing, the ALPHV leak site shows a fake banner announcing that the Federal Bureau of Investigation (FBI) seized the server in a “coordinated law enforcement action taken against ALPHV Blackcat Ransomware.

Rumors of a possible exit scam from ALPHV started when a longtime ALPHV partner, a so-called "Notchy," claimed that the gang had closed their account and robbed them of a $22 million payment from the ransom allegedly paid by Optum for the Change Healthcare attack.

The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates’ money by pretending the FBI seized their site and infrastructure.

BlackCat ransomware shuts down in exit scam, blames the "feds"

Chris Betz is neither fearful nor overly optimistic about the role of generative AI in cybersecurity. Instead Betz, CISO at AWS, balances both ends of the spectrum — he treats it just as he does any other burgeoning technology. “For what it’s worth, I’m not sure that the sky is falling,” Betz told Cybersecurity Dive.

The security industry has not yet seen evidence that substantiates broad concerns about threat actors using generative AI to initiate cyberattacks more quickly, more often or with more damaging outcomes.

While researchers expect AI to amplify the impact for defenders and attackers, threat actors’ use of AI in their operations is limited, according to Crowdstrike’s annual global threat report. “Throughout 2023, generative AI was rarely observed supporting malicious computer network operations development and/or execution,” the firm said last month in the report.

It’s tough and too early to say if the advantages afforded by generative AI rest with defenders or attackers, according to Betz. Threat actors and security professionals are leveraging the technology in scenarios that play to their strengths. For defense, generative AI can resolve problems faster and more efficiently. Organizations can use AI to scan for hard-to-find vulnerabilities and determine steps for remediation.

“There’s a ton of information for security analysts to understand. There’s a ton of information for an application security engineer to understand. That ability to synthesize, to help answer questions, to help lead and find the right data and bring it together in a usable way is incredibly powerful for defenders,” Betz said. “That’s perhaps the place where attackers are not quite in the same place. They don’t have that rich data about the people that they’re attacking. And so this could be a case where there’s an advantage to the defender.”

AWS CISO: Generative AI is just a tool, ‘not a magic wand’

Despite arrests, infrastructure seizure and international law enforcement efforts, LockBit ransomware has resurfaced, promising robust security and threatening aggressive cyber attacks on UK and USA government sectors.

The leader of the LockBit ransomware, whose identity is still unknown to authorities, admitted negligence in letting the FBI and the UK’s National Crime Agency control its servers via a PHP attack but promised backups and continued operations. The announcement comes only a week after the group was neutralized in Operation Cronos, a multinational law enforcement investigation, reportedly neutralized the ransomware gang.

The message from the gang’s admin which directly addressed the FBI and the NCA, revealed that servers without PHP installed in backup blogs are unaffected and will continue to release stolen data from targeted companies, even after the FBI hack, and stolen data will be published on the LockBit blog.

The admin claims that Operation Cronos was successful because of their negligence and irresponsibility in “not updating PHP settings on their servers in good time.” They denied Operation Cronos investigators’ claims regarding arresting their two alleged affiliates, the gang donating to a Crimea-based Russian propagandist (Sevastapol Colonel Cassad), and recovering a high number of decryptors.  

LockBit Ransomware Gang Returns, Taunts FBI and Vows Data Leaks

NIST on Feb 26th announced the official release of version 2.0 of its Cybersecurity Framework (CSF), the first major update since its creation a decade ago.

The cybersecurity framework was originally aimed at critical infrastructure organizations, but it has been widely used and widely recommended and NIST highlighted that CSF 2.0 is designed to help all organizations reduce risks, regardless of sector, size, or level of security sophistication. 

Based on the feedback it received on the draft of the Cybersecurity Framework 2.0, NIST expanded the core guidance and created additional resources to help organizations use the CSF to its full potential. 

Users are provided implementation examples and quick-start guides that are tailored to their specific needs. The CSF 2.0 also offers a searchable catalog of references that enables organizations to map guidance to over 50 other relevant cybersecurity documents.

“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said NIST Director Laurie E. Locascio. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.” 

NIST Cybersecurity Framework 2.0 Officially Released

Google is testing a new feature to prevent malicious public websites from pivoting through a user's browser to attack devices and services on internal, private networks. More simply, Google plans to prevent bad websites on the internet from attacking a visitor's devices (like printers or routers) in your home or on your computer. People usually consider these devices safe as they're not directly connected to the internet and are protected by a router. "To prevent malicious websites from pivoting through the user agent's network position to attack devices and services which reasonably assumed they were unreachable from the Internet at large, by virtue of residing on the user's local intranet or the user's machine," Google described the idea in a support document.

The proposed "Private Network Access protections" feature, which will be in a "warning-only" mode in Chrome 123, conducts checks before a public website (referred to as "site A") directs a browser to visit another site (referred to as "site B") within the user's private network. 

While in the warning stage, even if the checks fail, the feature won't block the requests. Instead, developers will see a warning in the DevTools console, giving them time to adjust before stricter enforcement begins. The motivation behind this development is to prevent malicious websites on the internet from exploiting flaws on devices and servers in users' internal networks, which were presumed safe from internet-based threats.

Google is testing a new feature to prevent malicious public websites from pivoting through a user's browser to attack devices and services on internal, private networks. More simply, Google plans to prevent bad websites on the internet from attacking a visitor's devices (like printers or routers) in your home or on your computer. 

New Google Chrome feature blocks attacks against home networks

Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System (DNS) security extension, which under certain circumstances could be exploited to take down wide expanses of the Internet. DNS servers translate website URLs into IP addresses and, mostly invisibly, carry all Internet traffic.

The team behind the discovery is from ATHENE National Research Center for Applied Cybersecurity in Germany. They named the security vulnerability "KeyTrap," tracked as CVE-2023-50387. According to their new report on the KeyTrap DNS bug, the researchers found that a single packet sent to a DNS server implementation using the DNSSEC extension to validate traffic could force the server into a resolution loop that causes it to consume all of its own computing power and stall. If multiple DNS servers were exploited at the same time with KeyTrap, they could be downed at the same time, resulting in widespread Internet outages, according to the team of academics.

In testing, the length of time the DNS servers remained offline after an attack differed, but the report noted that Bind 9, the most widely deployed DNS implementation, could remain stalled for up to 16 hours. According to the Internet Systems Consortium (ISC), which oversees DNS servers worldwide, 34% of DNS servers in North America use DNSSEC for authentication and are therefore vulnerable to this flaw.

The good news is that there is no evidence of active exploit so far, according to the report and ISC.

Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System (DNS) security extension, which under certain circumstances could be exploited to take down wide expanses of the Internet. 

'KeyTrap' DNS Bug Threatens Widespread Internet Outages

Apple on Wednesday unveiled PQ3, a new post-quantum cryptographic protocol for iMessage that is designed to protect encrypted communications even against future quantum computing attacks. End-to-end encryption is present by default in many popular messaging applications, but the actual level of protection depends on the cryptographic protocols they use and how they are implemented. 

Apple describes three levels of encryption in messaging apps: level 0, apps that don’t provide end-to-end encryption by default; level 1, apps that provide end-to-end encryption by default via traditional cryptography; level 2, apps that provide post-quantum security in the initial encryption key establishment; and level 3, apps that provide post-quantum security in both key establishment and ongoing message exchanges. The privacy-focused application Signal recently reached ‘level 2’, when it announced support for the Post-Quantum Extended Diffie-Hellman (PQXDH) protocol, but Apple says the PQ3 protocol puts iMessage in ‘level 3’, ensuring that communications are protected even if an encryption key is compromised. 

The tech giant says iMessage will be the only messaging application that limits the number of past and future messages that can be decrypted by an attacker who has obtained a single encryption key. This is done by automatically changing post-quantum keys on an ongoing basis. Apple says PQ3 has been designed to combine post-quantum algorithms with classic Elliptic Curve cryptography, requiring an attacker to defeat both the classic and the post-quantum cryptography in order to gain access to communications. The company notes that PQ3 has been designed to amortize the message size to avoid excessive overhead.

While we may be many years away from practical quantum computing attacks, Apple says the introduction of PQ3 is useful now against so-called ‘Harvest Now, Decrypt Later’ attacks. This refers to threat actors collecting and storing encrypted communications now with the goal of decrypting them in the future when quantum computers become available.

Apple on Wednesday unveiled PQ3, a new post-quantum cryptographic protocol for iMessage that is designed to protect encrypted communications even against future quantum computing attacks.

Apple Adds Post-Quantum Encryption to iMessage

Email attacks relying on QR codes surged in the last quarter, with attackers specifically targeting corporate executives and managers, reinforcing recommendations that companies place additional digital protections around their business leadership. Making matters worse, phishing emails using QR codes (aka "quishing") can often get by spam filters, with attacks targeting users of Microsoft 365 and DocuSign successfully landing in email inboxes, according to a report published this week by Abnormal Security, a provider of cloud email security.

In the fourth quarter of 2023, the average top executive in the C-suite saw 42 times more phishing attacks using QR codes compared to the average employee. Other managerial roles suffered an increase in attacks as well, although significantly smaller, with these non-C-suite executives encountering five times more QR-code-based phishing attacks, according to the company's report. 

Overall, the data demonstrates that attackers have executives — and other privileged users — in their sites, says Mike Britton, CISO for Abnormal Security. "If I'm an attacker, I want to attack the people that have the ability for me to get paid and have credentials that give me access to the most interesting information," he says. "Or I want to pretend to be those people, because once again, social engineering requires that trust, [for a victim to think,] hey, this VP of sales or this VP of HR is asking me to do something, [making them] typically more likely ... to take action."

While QR codes have been around for three decades, they became much more popular during the pandemic, as restaurants and other businesses directed customers to contact-free and online ordering. In a business context, a top use case for QR codes is offering links to ease the sign-up process for multifactor authentication (MFA). Cyberattackers have hopped on: More than a quarter of QR code attacks (27%) in Q4 were fake notices of MFA, for example, while about one-in-five attacks (21%) were fake notifications about a shared document, according to Abnormal Security's report.

Email attacks relying on QR codes surged in the last quarter, with attackers specifically targeting corporate executives and managers, reinforcing recommendations that companies place additional digital protections around their business leadership.

QR Code 'Quishing' Attacks on Execs Surge, Evading Email Security

Ransomware operators were especially successful targeting critical zero-day vulnerabilities in widely used IT products.

Last year’s surge in ransomware attacks was driven in part by zero-day exploit sprees targeting the MOVEit and GoAnywhere file-transfer services, Citrix networking devices and print management software PaperCut, according to Unit 42. 

Unit 42's analysis discerned a correlation between an upsurge in posts on ransomware leak sites and the periods when these four vulnerabilities were most heavily exploited. However, they caution that the volume of posts on these leak sites does not necessarily provide an exhaustive or accurate representation of the ransomware landscape.

Certain ransomware groups initiate operations without resorting to these 'name and shame' sites. Furthermore, organizations that promptly acquiesce to ransom demands often remain unlisted on a group’s leak site. Consequently, the true extent of ransomware attacks may vary significantly from what is suggested by these platforms, as noted by Unit 42 in their report.

Blockchain analysis company Chainalysis echoed similar concerns about tracking ransom payments. The firm stated, "The ransomware landscape is not only prolific but continually expanding, making it challenging to monitor every incident or trace all ransom payments made in cryptocurrencies."

Federal cyber officials have consistently emphasized the need for more comprehensive and timely information on attacks as they unfold. A pervasive lack of reporting by victims of ransomware attacks impedes law enforcement's ability to take effective action, allowing for a significant portion of criminal activity to persist undetected in the shadows.

Ransomware actors hit zero-day exploits hard in 2023

A study by Surfshark, a VPN service provider, has revealed that ethical hackers, or white hat hackers, played a vital role in improving cybersecurity in 2023 by identifying 835 vulnerabilities across 105 websites. Their efforts not only secured these platforms but also generated €417,000 ($450,000) in earnings through bug bounty programs.

The study is based on HackerOne bug bounty program data, a platform that fosters collaboration between security researchers and organizations, facilitating the detection and disclosure of system vulnerabilities. The HackerOne repository collected data on security vulnerability reports in 2023, meticulously organizing it by company, vulnerability type, and bounty size. This data was subsequently accessed by Surfshark in January 2024.

Surfshark’s research team head, Agneska Sablovskaja, emphasizes the importance of fostering symbiotic “partnerships between companies and ethical hackers”. She emphasized the essential role these professionals play in addressing software vulnerabilities, as complex platforms “with millions of lines of codes” may leave flaws behind.

A study by Surfshark, a VPN service provider, has revealed that ethical hackers, or white hat hackers, played a vital role in improving cybersecurity in 2023 by identifying 835 vulnerabilities across 105 websites.

Ethical Hackers Reported 835 Vulnerabilities, Earned $450K in 2023

Ransomware payments in 2023 soared above $1.1 billion for the first time, shattering previous records and reversing the decline seen in 2022, marking the year as an exceptionally profitable period for ransomware gangs. The previous record-high figure was set in 2021, with ransomware payments amounting to $983 million, surpassing the preceding record of $905 million in 2020 by approximately 10%.

Unfortunately, the resurgence of ransomware in 2023 confirms that 2022 was a statistical anomaly, with that year's activity impacted by geopolitical events like the war between Russia and Ukraine and law enforcement's dismantling of the Hive operation.

According to a new Chainalysis report, the 2023 record can be attributed to escalating attacks against major institutions and critical infrastructure and Clop's massive MOVEit campaign, which impacted thousands of organizations worldwide.

In July 2023, Chainalysis warned that based on the activity and recorded payments up until that time, ransomware payments were on a record-breaking trajectory, and unfortunately, the prediction was confirmed. The most prolific threat groups in terms of ransom amounts they received in 2023, are ALPHV/Blackcat, Clop, Play, LockBit, BlackBasta, Royal, Ransomhouse, and Dark Angels.

Ransomware payments reached record $1.1 billion in 2023​

A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses.

The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by establishing guiding principles and policy options for States, industry, and civil society in relation to the development, facilitation, purchase, and use of such tools. The declaration stated that "uncontrolled dissemination" of spyware offerings contributes to "unintentional escalation in cyberspace," noting it poses risks to cyber stability, human rights, national security, and digital security.

"Where these tools are used maliciously, attacks can access victims' devices, listen to calls, obtain photos and remotely operate a camera and microphone via 'zero-click' spyware, meaning no user interaction is needed," the U.K. government said in a press release.

According to the National Cyber Security Centre (NCSC), thousands of individuals are estimated to have been globally targeted by spyware campaigns every year. "And as the commercial market for these tools grows, so too will the number and severity of cyber attacks compromising our devices and our digital systems, causing increasingly expensive damage and making it more challenging than ever for our cyber defenses to protect public institutions and services," Deputy Prime Minister Oliver Dowden said at the U.K.-France Cyber Proliferation conference. 

Videos

IBM Security Tools

You may also like