By Ram Movva, CEO at Securin

This past year showed that the ransomware landscape is only becoming more sophisticated, as attacks steadily increase in scale, frequency, cost and impact. In fact, 2023 broke the record for ransomware payouts, exceeding $1 billion globally; a stark increase from the $567 million in ransomware payouts seen in 2022.

Securin’s 2023 Year in Review: Ransomware Report analyzed the 230,648 Common Vulnerabilities and Exposures (CVEs) listed in the National Vulnerability Database (NVD), prioritizing them by severity, affected systems, and vulnerability characteristics. Below are some of the key findings and themes from this year’s report.

Ransomware is on the rise

The public sector has seen its fair share of breaches and ransomware attacks throughout 2023. The MGM Resorts breach is a prime example: the Scattered Spider ransomware group used BlackCat/ALPHV-developed ransomware to gain access to all of the resort’s websites and its mobile app. They also shut down digital hotel room keys, took slot machines offline, and gained access to guests’ personal information.

Two other notable breaches were orchestrated by the Cl0p ransomware group. Cl0p exploited a zero-day vulnerability in Fortra GoAnywhere Managed File Transfer (CVE-2023-0669), affecting 2,095 organizations. The MOVEit Transfer breach (CVE-2023-34362) was also carried out by Cl0p; it compromised over 1,000 organizations and affected more than 60 million individuals.

The public sector also includes government services as well as public goods. This means that as we enter 2024, if we do not continue to evolve with the ransomware landscape and learn from the breaches of 2023, then further parts of the public sector, such as the military, infrastructure, public education, law enforcement, public transit, and healthcare, are all at risk of a ransomware attack.

New Year, New Threats

Securin’s report identified that in 2023 there were 38 new vulnerabilities associated with ransomware. This report also provides a deep dive into the state of ransomware as 2024 begins, with critical information on newly identified vulnerabilities, insight into the most significant ransomware attacks, and new ransomware families and APT groups.

“These discoveries are alarming, but they are far from surprising. Talking to our customers over the last year, we have heard the same thing repeatedly: the attacks, successful or thwarted, keep coming. This onslaught, combined with an ongoing talent shortage and slashed IT budgets, has created a combustible situation for organizations of every kind,” said Ram Movva, CEO and co-founder of Securin.

In 2023, the ransomware landscape was dominated by three notorious groups: Cl0p, BlackCat, and Vice Society. These groups spearheaded a wave of cyberattacks on high-profile targets such as MOVEit Transfer and the Industrial and Commercial Bank of China. Their coordinated efforts resulted in significant disruptions and financial losses, highlighting the escalating threat posed by ransomware groups on a global scale.

As the frequency and severity of ransomware attacks surged, so did the number of vulnerabilities associated with these malicious activities. From 344 in the previous year, the tally climbed to 382 in 2023, underscoring the expanding attack surface for cybercriminals to exploit. Among these vulnerabilities, the Progress MOVEit Transfer Vulnerability (CVE-2023-34362) stood out the most.

Despite efforts to bolster defenses, a concerning finding emerged about the efficacy of popular vulnerability scanners. Sixteen ransomware-associated Common Vulnerabilities and Exposures (CVEs) evaded detection by widely used scanners such as Nessus, Qualys, and Nexpose, remaining hidden during routine vulnerability scans. Approaches such as those employed by Securin, however, proved instrumental in uncovering these stealthy threats. This underscores the necessity for a multifaceted approach to cybersecurity that combines proactive detection methods with cutting-edge technologies to stay one step ahead of cyber adversaries.

“Addressing these challenges head on, with the best information possible, will be essential to keeping the worst from transpiring in 2024,” said Movva. “The fact is that, despite increased vigilance, major vulnerabilities continue to be ignored. Third-party software manufacturers and repositories are both struggling to stay fully informed of the active threats facing every organization. Our predictive platform has long been able to fill this gap for our customers, illuminating active threats before ransomware gangs began weaponizing them.”

It’s Time To Take Control of Security

As our society continues to advance, so does the ransomware landscape alongside it. These advancements show that cyber resilience is no longer an option – it is a necessity in order to create a secure future.

If security leaders want to protect their data, especially within the public sector, it is imperative to prioritize staying ahead of the latest ransomware threats by implementing preventative measures, remaining vigilant and being dedicated to action when facing potential vulnerabilities and ransomware threats.

For organizations, this can mean implementing training and routine learning cycles for employees on basic security practices. Employees are typically overlooked in an organization’s overall security plan, which creates a new layer of vulnerability in organizational systems that bad actors can exploit. By educating and empowering employees to take proactive security measures, organizations can implement a more comprehensive cybersecurity approach that considers all angles.

The post The Public Sector’s Troubled Relationship to Ransomware in 2023: A Year in Review appeared first on Cybersecurity Insiders.

[By Ram Movva, CEO, Securin]

As ransomware attackers continue to evolve and adapt their techniques, organizations must refine and adapt their security strategies to stay ahead of these threats.   

Human-augmented, actionable threat intelligence plays a critical role in every organization’s strategy – and Securin’s 2023 retrospective on a year’s worth of ransomware threats and attack groups brings additional insight to help enterprises learn, proactively mitigate risks and strengthen their security posture.  

2023 Year in Review: Ransomware Through the Lens of Threat and Vulnerability Management analyzes the 230,648 Common Vulnerabilities and Exposures (CVEs) listed in the National Vulnerability Database (NVD), prioritizing them on severity, affected systems and vulnerability characteristics. Here’s what we’ve learned.  

Ransomware Is Up

Ransomware attacks are becoming more common and costly for businesses. On average, a data breach caused by a ransomware attack costs approximately $5.11 million and results in significant downtime lasting days or weeks, severely disrupting business operations.   

Unfortunately, even high-level businesses such as banks and famous casinos are now frequent targets of these attacks, attracting more publicity than ever before.  

Compared to the 344 ransomware-associated vulnerabilities counted in 2022, we found 38 new ones by the end of last year. This brings the total number of ransomware-specific CVEs to 382 – a growth of 11.05% by the end of Q4 2023. Although CVSS rates 17% of the 382 CVEs as low or medium severity, they remain viable ransomware targets.

Since 2020, there has been an annual increase of approximately 50 new ransomware-related vulnerabilities. Of the 382 vulnerabilities linked to ransomware, 67.5% map to MITRE’s 2023 Top 25 Most Dangerous Software Weaknesses. This means that 258 of the 382 vulnerabilities belong to the weakness classes considered the most widespread and harmful in software, which developers should avoid.

In addition, the number of kill chain vulnerabilities has increased since Q1 2023: attackers now have 21 more pathways for start-to-finish exploitation than they did last year. Kill chain vulnerabilities are CVEs that let attackers go from network infiltration all the way to data extortion. By exploiting just one such vulnerability, bad actors can compromise an organization’s network and put its entire environment at risk.

Alongside the increase in attacks, both established and new prominent players emerged.

New Threats on the Block

The year’s dominant ransomware groups were Cl0p, BlackCat, and LockBit 3.0, and all three are poised to continue their attacks in 2024. The groups relentlessly exploited and weaponized some of the year’s most critical vulnerabilities, including those in Progress MOVEit Transfer and Fortra GoAnywhere Managed File Transfer, and CitrixBleed.

In addition, our cybersecurity experts noticed the emergence of ten new ransomware families this year. These families consist of one or more ransomware groups characterized by unique tactics and malware.  

On top of these newly established families, three Advanced Persistent Threat (APT) groups – Scattered Spider, FIN8, and RomCom – began using ransomware in 2023. These groups are highly specialized threat actors, often with state backing, that can operate within a system or network for a prolonged period without detection. This brings the total number of APT groups using ransomware to 55. This expanded arsenal is cause for concern, as APT groups now have additional destructive tools to use alongside their already sophisticated attack capabilities.

These ransomware groups have increasingly begun targeting the education, healthcare and financial sectors. These sectors are particularly vulnerable due to the vast amounts of critical data they handle, including sensitive personal information, authentication data, and financial records. Ransomware groups have shifted their focus toward these sectors because they can leverage this highly confidential data to extort costly ransom payments from victims by threatening to publish or destroy the stolen information. The consequences of these attacks can be devastating for both the targeted organization and the individuals whose data is compromised.   

Taking Control of Security

The emergence and sharp increase in threats and attacks pose a significant challenge for security teams. Sensitive data and credentials are constantly at risk from newly discovered vulnerabilities and weaknesses. It’s imperative that security leaders prioritize staying ahead of the latest ransomware threats and implement preventative measures that can effectively defend against such attacks.  

Training and refreshing employees on basic security practices, such as password protection, password complexity, and software updates, can go a long way toward safeguarding a company’s systems. Too often, employees are overlooked in security practices, creating a new layer of vulnerability in organizational systems. By educating and empowering them to take proactive security measures, organizations can implement a more comprehensive cybersecurity approach that considers all angles.

External attack surface management and periodic penetration testing play a key role in providing a holistic view of potential entry points or weaknesses in the attack surface. Scheduling regular backups can ensure that organizations can restore critical data if the system is compromised during a ransomware attack.  

It is crystal clear that cyber resilience is no longer an option – it is a necessity if we want to create a secure future. The nature and severity of attacks are constantly evolving, from AI-driven threats to the rising number of ransomware groups. Finding continuous monitoring solutions and implementing prompt patching is crucial to protecting business operations. Organizations must take a proactive approach and implement mitigation and defensive strategies to strengthen their systems and pave the way for a safer future. 

The post Navigating Ransomware: Securin’s Insights and Analysis from 2023 appeared first on Cybersecurity Insiders.

[By Rahul Kannan, President and Chief Operating Officer, Securin]

Critical infrastructure is facing a wave of cyberattacks, posing a severe threat to essential services across the United States and globally. The scale and frequency of these attacks have elevated defending infrastructure to a national priority, as emphasized by the White House’s National Cybersecurity Strategy. The urgency is underscored by recent incidents, such as the cyberattack on India’s Tata Power, impacting millions, and the data breach at Colorado Springs Utilities, exposing the personal information of 200,000 customers.

The consequences of these attacks reach far beyond compromised data; they extend to societal function. Critical service providers, including power companies and utilities, hold a wealth of sensitive data, from financial information to personal details. Breaches at these entities can lead to life-threatening situations with service disruptions and put individuals at risk of data theft. The interconnectedness of these systems means that a breach in one sector can have cascading effects, affecting public safety, national security, and economic stability.

Breaches: A Tier-One National Priority

Recognizing the gravity of the situation, the White House designated defending critical infrastructure as its foremost national security priority stating: “Defending the systems and assets that constitute our critical infrastructure is vital to our national security, public safety and economic prosperity”. This acknowledgment reflects the essential role these services play in our daily lives, from ensuring clean drinking water to safeguarding schoolchildren’s privacy.

In 2022, 106 U.S. state and local government entities reported ransomware attacks; 25% of the attacks resulted in data theft, putting citizens’ privacy and security at risk. Breaches like these can result from using old legacy systems, third-party applications, or internal exposure of vulnerable information that can inflict costly consequences.

The economic implications are equally significant, with attacks on governments and critical infrastructure causing disruptions that can take up to five months to fully recover from. These disruptions can lead to operational technology shutdowns, outages, leakages, and even explosions, further highlighting the vulnerability of critical systems and the potential risks to citizens.

Increasing Threats Loom

The escalating threats to infrastructure are fueled by a combination of factors, including global economic downturns, geopolitical tensions, nation-state actors, and the pervasive rise of ransomware. Industries across the board are affected: within the past three years, energy facilities have been the most targeted (39%), followed by critical manufacturing (11%) and transportation (10%). On the healthcare side, a recent joint report from Securin, Finite State, and Health-ISAC found an alarming 59% year-over-year increase in firmware vulnerabilities in connected medical products and devices.

Moreover, the tactics employed by cyber attackers are evolving. While phishing remains prevalent, the integration of artificial intelligence is enabling more sophisticated and automated attacks, shrinking the time defenders have to respond. The stakes are high, with utility companies facing 1,101 attacks every week (compared to 504 weekly in 2020), emphasizing the need for a proactive and comprehensive cybersecurity strategy.

CISOs Call for Collaboration

Chief Information Security Officers (CISOs) are at the forefront of this battle, tasked with safeguarding critical systems. With the average data breach costing $4.45 million, it is imperative for CISOs to plan and proactively increase their security posture prior to an attack. To tackle growing security threats, industrial control systems and operational technologies (ICS/OT) must be updated. CISOs, who spearhead essential and rapid security initiatives, should:

  • Keep up to date with government advisories.
  • Ensure all individuals across the organization know established security measures, have proper security training, and are following best practices.
  • Patch high-risk vulnerabilities as soon as possible.
  • Establish a comprehensive cybersecurity strategy.
  • Allocate sufficient resources to develop a continuous threat exposure management (CTEM) program that regularly monitors your security status.
  • Have a contingency plan for when your systems are under attack.
  • Consider consolidating cybersecurity operations to reduce redundancy and their applications’ attack surfaces.

Solving the security problems within infrastructure will take commitment and dedication from CISOs and collaboration between both private and public entities. The White House made clear its financial and political commitment to update and strengthen America’s National Cybersecurity Strategy, so it is important for security leaders to uphold that pledge. By leveraging the expertise of security professionals, government entities can work more strategically to outpace the rapidly evolving tactics of cyber attackers.

In conclusion, defending the nation’s critical infrastructure is not just a priority; it is a must that demands commitment. From implementing proactive security measures to fostering collaboration between sectors, every effort contributes to the resilience of critical systems. Through information sharing, collaboration, and a united front against bad actors, the country can fortify the most sensitive systems and protect the foundation of society. No measure is too small when it comes to securing critical infrastructure and thwarting the evolving threats posed by cyber adversaries.

The post Critical infrastructure in the crosshairs: Examining the threats facing service providers in the U.S. appeared first on Cybersecurity Insiders.

By Aaron Sandeen, CEO and co-founder at Securin

In 2023, you can divide organizations into two categories: those who have been hit by a ransomware attack and those who will be soon.

Ransomware is ubiquitous, inescapable, and—despite widespread efforts to combat it—ever-escalating. It has caused the death of patients in critical condition, disrupted the Colonial Pipeline supply on the East Coast, affected daily operations of entities as diverse as the San Francisco 49ers, the Costa Rican Government and the Los Angeles Unified School District. It doesn’t matter where your organization is or what it does. Ransomware doesn’t discriminate. If you have data to exfiltrate, if you have money that can be extorted, a ransomware attack will be coming for you, and soon—if it hasn’t already.

The current situation in cybersecurity is akin to an ongoing cyber-arms race between ransomware groups and cybersecurity experts. As ransomware groups become more sophisticated, cybersecurity experts work to develop new tools and strategies to combat them. This cat-and-mouse game is a never-ending war of attrition with no clear winners. However, despite the challenge, there is no reason for hopelessness. While some aspects of the situation may be beyond the control of IT teams, there are still countless precautions that can be taken to minimize the risk of a ransomware attack or the harm a successful attack might cause.

IT teams know this—and yet, per research from Securin, there are still many hundreds of vulnerabilities that have been left exposed by organizations. Until these vulnerabilities are addressed, the problem of ransomware will only get worse. Here is a quick run-through of the four most common types of vulnerabilities that organizations should watch out for.

1) Vulnerabilities Allowing Intruders into Networks

According to Securin’s research, services such as external remote services, VPN, and public-facing applications contain 133 vulnerabilities associated with ransomware that could be exploited for initial access.

External remote services refer to services like Windows Server Message Block (SMB) or Microsoft’s Remote Desktop Protocol. These services have become more widespread since the onset of the pandemic and the rise of work from home (WFH). They can be highly vulnerable to attack, as some are rife with misconfigurations or exploits well-known to cyber-criminals. For example, the 2017 WannaCry ransomware attack—one of the biggest in history—exploited an SMB vulnerability. There are many other vulnerabilities out there that have continued to go unaddressed: the Log4Shell vulnerability, for instance, which affects 176 products from 21 vendors and was exploited by six ransomware groups, including Conti and AvosLocker.
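A defender-side check for the exposure described above, added here as an example; it is not code from Securin or the article. It walks a constructed service inventory and flags SMB and RDP listeners whose firewall rule admits sources outside the RFC 1918 ranges. The inventory format, the host names, the port-to-service mapping (default ports assumed) and the firewall rule values are all assumptions made for the illustration.

```python
"""Flag Internet-reachable SMB/RDP listeners in a service inventory.

Added example, not code from Securin or the article. The inventory
below is constructed; the hosts and rules are not real.
"""
import ipaddress

# Remote services the article names as ransomware entry points, keyed by
# their default listening port (assumption: default ports are in use).
REMOTE_SERVICE_PORTS = {445: "SMB", 3389: "RDP"}

# RFC 1918 ranges: a source range that fits inside one of these is
# treated as internal; anything else is treated as Internet-reachable.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample inventory: one entry per listening service together
# with the source range the matching firewall rule allows. Not real hosts.
SAMPLE_INVENTORY = [
    {"host": "fs01.example.internal", "port": 445, "allowed_from": "10.0.0.0/8"},
    {"host": "jump01.example.internal", "port": 3389, "allowed_from": "0.0.0.0/0"},
    {"host": "legacy-erp.example.internal", "port": 445, "allowed_from": "203.0.113.0/24"},
    {"host": "web01.example.internal", "port": 443, "allowed_from": "0.0.0.0/0"},
    {"host": "ts02.example.internal", "port": 3389, "allowed_from": "192.168.10.0/24"},
]


def is_internal_source(cidr: str) -> bool:
    """True if every address in cidr lies inside a single RFC 1918 range.

    A deliberately strict test: "0.0.0.0/0" or a mixed range is not internal
    even though it happens to contain private addresses.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return any(
        internal.version == net.version and net.subnet_of(internal)
        for internal in INTERNAL_RANGES
    )


def find_exposed_remote_services(inventory):
    """Return (host, service, allowed_from) for SMB/RDP reachable from outside."""
    findings = []
    for entry in inventory:
        service = REMOTE_SERVICE_PORTS.get(entry["port"])
        if service is None:
            continue  # not one of the remote services being triaged here
        if is_internal_source(entry["allowed_from"]):
            continue  # only reachable from the corporate ranges
        findings.append((entry["host"], service, entry["allowed_from"]))
    return findings


if __name__ == "__main__":
    for host, service, source in find_exposed_remote_services(SAMPLE_INVENTORY):
        print(f"EXPOSED {service:<4} on {host} reachable from {source}")
```

On the constructed inventory this reports the RDP listener open to 0.0.0.0/0 and the SMB listener reachable from a public /24, and stays silent on the two listeners restricted to private ranges and on the HTTPS service, which is outside the scope of this check. The RFC 1918 test uses `subnet_of` rather than the `is_private` property on purpose: the property answers a different question for wide ranges, whereas "does the whole allowed range sit inside one private block" is exactly what an exposure review needs.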

2) Vulnerabilities Requiring User Action

It’s important to note that ‘vulnerabilities’ don’t simply refer to problems with software or hardware—they also refer to human error. In fact, a large percentage of ransomware attacks can be chalked up to precisely that.

Ransomware threat actors are highly skilled at social engineering: for example, posing as their target’s friend, colleague, or boss. This can lead users to inadvertently execute malicious code by opening harmful email attachments, links, or adversary-placed files. Unfortunately, as everyday users get better at spotting social engineering, the bad guys refine their tools in turn.

As this is a human problem, it requires a human response to combat it: namely, intensive and thoughtful in-person training where IT team members explain to people in other departments how to identify a potential threat (and what to do if they’ve unknowingly allowed someone into the system). It’s imperative that IT departments stay on top of current social engineering trends and regularly update their organizations on what to look out for.

3) Vulnerabilities Providing Elevated Access

The vulnerabilities we’ve discussed so far have addressed techniques used by hackers to try to get into your network. Unfortunately, that is usually only step one. Once hackers have exploited vulnerabilities to enter your system, they can then take advantage of additional vulnerabilities—ones that allow privilege escalation to penetrate deeper into the network and execute malware.

Put otherwise: if your attacker has a sophisticated-enough understanding of the vulnerabilities at play in your system, they can break into an account with limited permissions and use that understanding to turn themselves into an administrator and gain access to even more sensitive information.

According to the aforementioned Securin research, there are 75 vulnerabilities with ransomware associations that could enable ransomware actors to elevate privileges and easily facilitate lateral movement across organizational domains, including the Windows CLFS Privilege Escalation vulnerability and the Microsoft Exchange Server Elevation of Privilege vulnerability.

4) Vulnerabilities Allowing Stealthy Movement

Increasingly, we’re seeing malicious actors use tactics like disabling security software or blocking script execution to invade and move laterally across vulnerable networks without being identified. One well-known example of this is the Mark-of-the-web bypass (T1553.005), which ransomware groups use to abuse specific file formats and override controls.

Or take the example of BlackByte, a significant new ransomware gang that the FBI issued a warning about last year. BlackByte has become known for a technique that, according to ZDNet, “allows attacks to bypass detection by security products by exploiting a vulnerability in more than 1,000 drivers used in antivirus software.” This problem—which researchers describe as “Bring Your Own Driver”—suggests a significant and troubling new front in the war against ransomware attacks.
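One way a detection team can look for the "Bring Your Own Driver" pattern described above, added here as an example and not code from Securin, the FBI, ZDNet or the article: triage driver-load events against a list of known-vulnerable driver hashes and against where the driver was loaded from. Every hash, host name and event in the block is a constructed placeholder; a real deployment would substitute the vendor-published vulnerable driver blocklist for `VULNERABLE_DRIVER_HASHES`, and the event format and expected driver directories are assumptions.

```python
"""Triage Windows driver-load events for 'Bring Your Own Driver' abuse.

Added example, not code from Securin, the FBI or the article. Every
hash, host name and event below is a constructed placeholder.
"""
import hashlib
import json
import ntpath


def _placeholder_hash(label: str) -> str:
    """Deterministic stand-in for a real driver SHA-256 (constructed)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Placeholder blocklist: sha256 -> description. A real deployment would load
# the vendor-published vulnerable driver blocklist here instead.
VULNERABLE_DRIVER_HASHES = {
    _placeholder_hash("vulnerable-driver-A"): "example vulnerable kernel driver A",
    _placeholder_hash("vulnerable-driver-B"): "example vulnerable kernel driver B",
}

# Directories a legitimately installed driver is expected to load from
# (assumption: standard Windows layout; compared case-insensitively).
EXPECTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Constructed driver-load telemetry as JSON lines, not captured events.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "ws-017", "image": r"C:\Windows\System32\drivers\disk.sys",
     "sha256": _placeholder_hash("benign-driver-1"), "signed": True},
    # BYOVD pattern: validly signed, known-vulnerable, dropped in a user-writable path
    {"host": "ws-017", "image": r"C:\Users\Public\update.sys",
     "sha256": _placeholder_hash("vulnerable-driver-A"), "signed": True},
    {"host": "srv-db02", "image": r"C:\Windows\Temp\svc.sys",
     "sha256": _placeholder_hash("benign-driver-2"), "signed": False},
    {"host": "srv-db02", "image": r"C:\Windows\System32\drivers\oldvendor.sys",
     "sha256": _placeholder_hash("vulnerable-driver-B"), "signed": True},
])


def driver_dir_expected(image_path: str) -> bool:
    """True if the driver image sits in (or under) an expected driver directory."""
    directory = ntpath.dirname(ntpath.normcase(image_path))
    return any(directory == d or directory.startswith(d + "\\") for d in EXPECTED_DRIVER_DIRS)


def triage_driver_loads(jsonl_text: str):
    """Return one finding per suspicious load, with the reasons it was flagged.

    Three independent signals are combined: the hash is on the vulnerable
    list, the image loaded from outside the expected directories, or the
    driver is unsigned. A BYOVD driver typically trips the first without the
    third, which is why signature checks alone do not catch it.
    """
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = []
        digest = ev["sha256"].lower()
        if digest in VULNERABLE_DRIVER_HASHES:
            reasons.append("known-vulnerable driver: " + VULNERABLE_DRIVER_HASHES[digest])
        if not driver_dir_expected(ev["image"]):
            reasons.append("loaded from unexpected directory")
        if not ev.get("signed", False):
            reasons.append("unsigned driver")
        if reasons:
            findings.append({"host": ev["host"], "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['image']} -> {'; '.join(f['reasons'])}")
```

On the constructed events the benign `disk.sys` load produces nothing, the signed-but-vulnerable driver in `C:\Users\Public` is flagged on both hash and path, the unsigned driver in `C:\Windows\Temp` is flagged on path and signature, and the vulnerable driver sitting in the normal drivers directory is caught by the hash check alone. That last case is the one worth remembering: the driver is legitimately signed and in the right place, so only the blocklist comparison distinguishes it.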

Ransomware attacks are on the rise, and it’s becoming increasingly apparent that every organization, regardless of industry or size, is at risk. No one can hope to fully protect themselves from ransomware attacks. What organizations can do is avoid easy mistakes—properly training staff, getting a clearer sense of their system’s vulnerabilities, and taking serious steps to fix them. The war against ransomware might not be ending anytime soon, but we can take steps to limit the casualties along the way.

The post The Top 4 Ransomware Vulnerabilities Putting your Company in Danger appeared first on Cybersecurity Insiders.