US Construction Giant Unearths Concrete Evidence of Cyberattack
- Recently, the multi-billion-dollar construction company Simpson Manufacturing was the victim of a cyberattack, forcing the California-based organization to take systems offline as remediation efforts began.
- While not officially confirmed, the article notes that Simpson Manufacturing's SEC filing suggests the company was the victim of a ransomware incident that led to system disruptions.
- The article references a paper from the Association of General Construction of America, which noted that the construction industry seemed immune to security incidents for many years. That has quickly stopped being the case for a variety of reasons, including how lucrative a target the construction industry is and its limited data security and privacy requirements.
ShellBot Cracks Linux SSH Servers, Debuts New Evasion Tactic
- According to AhnLab, attackers are targeting Linux SSH servers with the ShellBot malware. They are also using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.
- Essentially, the hex IPs are formatted in a way that subverts URL-based detection signatures. The example given in the article was the “hxxp://39.99.219[.]78” address.
- If ShellBot is installed, the Linux server can be used for a variety of tasks, including downloading additional malware or launching DDoS attacks.
- The article recommends practicing strong password hygiene to protect against ShellBot attacks.
- Link to AhnLab’s Report: https://asec.ahnlab.com/en/57635/
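The evasion described above works because a URL signature written for a dotted-decimal address does not match the same address spelled as a hex, octal or plain-integer host. The defensive counter is to canonicalize the host before matching. The following is an added example, not code from AhnLab's report: it parses any inet_aton-style IPv4 spelling back to dotted decimal and runs a blocklist check over constructed sample URLs. The hex, octal and decimal spellings of 39.99.219.78 are computed from the article's address; the URL paths and the blocklist are assumptions for the demo.

```python
"""Canonicalize IPv4 hosts written in hex, octal, decimal or mixed form before URL signature matching."""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# One inet_aton-style host component: 0x.. hex, or a run of digits (a leading 0 means octal).
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|[0-9]+)$")


def _part_value(part):
    """Interpret a component the way inet_aton does: hex, octal, or decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host):
    """Return the dotted-decimal form of any inet_aton-style IPv4 spelling, or None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:  # e.g. a '9' inside an octal component
        return None
    *leading, last = values
    if any(v > 255 for v in leading):
        return None
    # inet_aton semantics: the final component fills every byte not covered by the leading ones
    tail_bytes = 4 - len(leading)
    if last >= 256 ** tail_bytes:
        return None
    packed = 0
    for v in leading:
        packed = (packed << 8) | v
    packed = (packed << (8 * tail_bytes)) | last
    return str(ipaddress.IPv4Address(packed))


def normalize_url(url):
    """Refang hxxp/[.] and rewrite an obfuscated IPv4 host to dotted decimal; other URLs pass through unchanged."""
    refanged = url.replace("hxxp", "http").replace("[.]", ".")
    parts = urlsplit(refanged)
    host = parts.hostname
    if host is None:
        return refanged
    canon = canonical_ipv4(host)
    if canon is None:
        return refanged
    userinfo, _, _ = parts.netloc.rpartition("@")
    port = f":{parts.port}" if parts.port else ""
    netloc = (userinfo + "@" if userinfo else "") + canon + port
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def blocked_hits(urls, blocked_ips):
    """Return the URLs whose canonical host is on the blocklist, whatever spelling was used."""
    return [u for u in urls if urlsplit(normalize_url(u)).hostname in blocked_ips]


# Constructed sample URLs; the first is the article's address as printed (defanged),
# the next five are the same address in spellings that a dotted-decimal signature would miss.
SAMPLE_URLS = [
    "hxxp://39.99.219[.]78/update",
    "http://0x2763db4e/update",          # whole address as one hex number
    "http://0x27.0x63.0xdb.0x4e/update",  # per-octet hex
    "http://0047.0143.0333.0116/update",  # per-octet octal
    "http://660855630/update",            # whole address as a decimal integer
    "http://39.0x63db4e/update",          # two-part form, last component fills 3 bytes
    "http://example.com/update",          # hostname, not an IP
    "http://10.0.0.1/update",             # unrelated address
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:40s} -> {normalize_url(u)}")
    print("blocked:", blocked_hits(SAMPLE_URLS, {"39.99.219.78"}))
```

Run the canonicalization on the host before the signature lookup (proxy logs, EDR command lines, mail URL rewriting), and keep the original string alongside the canonical one so the alert still shows what the attacker actually sent.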
CISA Warns of Vulnerabilities and Misconfigurations Exploited in Ransomware Attacks
- CISA recently updated its Known Exploited Vulnerabilities (KEV) catalog to include a column that indicates whether each vulnerability has been used in previous ransomware campaigns.
- Additionally, CISA released a list of misconfigurations and weaknesses known to be exploited in ransomware attacks (e.g., TELNET), which includes common port information and recommended actions to mitigate the associated risks.
- Link to CISA’s KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Link to CISA’s Misconfigurations and Weaknesses List: https://www.cisa.gov/stopransomware/misconfigurations-and-weaknesses-known-be-used-ransomware-campaigns
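The new ransomware column is exposed in the machine-readable KEV feed as the `knownRansomwareCampaignUse` field (values "Known" or "Unknown"), which makes it straightforward to pull the ransomware-linked subset and cross it against an asset inventory. The following is an added example, not CISA tooling: it reads a constructed document in the shape of the KEV JSON feed, keeps entries marked Known, matches them against a vendor/product inventory and flags any past their due date. The CVE ids, vendors, products and inventory are placeholders; only the feed URL and field names are real.

```python
"""Triage CISA KEV entries flagged as used in ransomware campaigns against a local asset inventory."""
import json
from datetime import date
from urllib.request import urlopen

# The published feed; fetch_live_kev() downloads it, the offline demo below uses SAMPLE_KEV_JSON instead.
KEV_JSON_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the feed. CVE ids, vendors and products are placeholders, not real catalog entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleWeb",
         "dateAdded": "2023-10-15", "dueDate": "2023-11-05",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "dateAdded": "2023-10-01", "dueDate": "2023-10-22",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "OtherBackup",
         "dateAdded": "2023-10-10", "dueDate": "2023-10-31",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "ExampleWeb",
         "dateAdded": "2023-10-12", "dueDate": "2023-11-02",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def fetch_live_kev(url=KEV_JSON_URL, timeout=30):
    """Download the live feed text (network access; not used by the offline demo)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_entries(kev_text):
    """The feed wraps its records in a top-level 'vulnerabilities' array."""
    return json.loads(kev_text)["vulnerabilities"]


def ransomware_known(entries):
    """Keep entries whose ransomware column reads 'Known'; the feed otherwise uses 'Unknown'."""
    return [e for e in entries if e.get("knownRansomwareCampaignUse", "").lower() == "known"]


def in_inventory(entries, inventory):
    """inventory: iterable of (vendor, product) pairs, matched case-insensitively against the feed."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return [e for e in entries if (e["vendorProject"].lower(), e["product"].lower()) in wanted]


def triage(kev_text, inventory, today_iso):
    """Return (cveID, product, dueDate, overdue) for ransomware-linked entries on products we run, soonest due first."""
    today = date.fromisoformat(today_iso)
    hits = in_inventory(ransomware_known(load_entries(kev_text)), inventory)
    hits.sort(key=lambda e: e["dueDate"])  # ISO dates sort correctly as strings
    return [(e["cveID"], e["product"], e["dueDate"], date.fromisoformat(e["dueDate"]) < today)
            for e in hits]


# Placeholder inventory of what this organization runs.
INVENTORY = {("ExampleVendor", "ExampleVPN"), ("ExampleVendor", "ExampleWeb")}

if __name__ == "__main__":
    for cve, product, due, overdue in triage(SAMPLE_KEV_JSON, INVENTORY, "2023-10-30"):
        print(f"{cve}  {product:12s}  {'OVERDUE' if overdue else 'due'} {due}")
```

The KEV due dates are binding only for US federal civilian agencies, but the ransomware flag plus an inventory match is a reasonable first cut at patch priority for anyone; swap `SAMPLE_KEV_JSON` for `fetch_live_kev()` and the inventory for an export from your CMDB or vulnerability scanner.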
Stronger Ransomware Protection Finally Pays Off
- According to a Hornet Security survey of more than 150 business decision makers and IT professionals across the globe, 60% of companies are very to extremely concerned about ransomware attacks, and 93.2% rank ransomware protection as a very to extremely important IT priority for their organization.
- Additionally, 39.7% said they were happy to leave the issue of ransomware to IT, and 12.2% of organizations stated that they currently lack any sort of disaster recovery plan should a ransomware attack occur.
- The survey also looked at how organizations are securing their data from potential threats. Specifically, 87.8% use endpoint detection software with anti-ransomware capabilities and 84.4% use email filtering and threat analysis tools. The survey noted that 40.6% of respondents use immutable storage for their backups, with smaller shares tightening user controls or using air-gapped storage to protect their data backups.
- Link to Hornet Security’s Report: https://www.hornetsecurity.com/us/press-releases-us/ransomware-attacks-survey-2023/
Addressing a Breach Starts with Getting Everyone on the Same Page
- This article highlights that cyberattacks continue to rise, citing a Check Point study that notes a 38% increase in global incidents over the past year. As such, it is vital for organizations to be prepared for incidents, starting with an incident response plan.
- During an incident there will likely be competing priorities across departments. The article recommends maintaining not one but several interconnected plans to coordinate response efforts: a business continuity plan, a crisis communications plan, and an incident response plan, each addressing a different part of the organization.
- In addition to developing plans, it is vital to test the plans through tabletops and other simulations. As the article states, the best incident-response plans cover contingencies and are fine-tuned in stress tests to ensure collaboration, remediation, and recovery efforts align.
Microsoft to Kill Off VBScript in Windows to Block Malware Delivery
- Microsoft recently announced that VBScript, in use since 1996, will be deprecated in the near future. It will become an on-demand feature as other tools move away from VBScript.
- This move is part of a broader strategy to mitigate the increasing prevalence of malware campaigns exploiting various Windows and Office features for infections.
- The operators of malware such as Emotet and QakBot have frequently leveraged VBScript in their attacks. As such, this change should limit bad actors' ability to exploit Microsoft Office tools.
- Link to Microsoft’s Announcement: https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features
Improve Your Cyber Threat Understanding with Geopolitical Context
- As this article notes, cybersecurity analysts navigate a plethora of signals and reports daily. However, viewing this data in isolation is not enough. Security teams must also consider the broader geopolitical context from which security alerts emerge, as a means of better understanding the “why” behind current attacks and being prepared for future threats.
- The article discusses how Microsoft has observed a rapid evolution of digital warfare tactics on the battlefields of Ukraine, where cyberattacks and malign influence campaigns converge as parts of a broader warfighting strategy. However, a geopolitical lens can be applied well beyond the war in Ukraine.
- Microsoft specifically notes five key cyber-related tactics threat actors have leveraged in the Russia-Ukraine War. These include the intensifying of computer network operations (especially destructive ones), weaponizing pacifism and mobilizing nationalism, exploiting divisions and demonizing refugees, targeting diaspora communities, and increasing hacktivist operations.
Three Questions to ask SMEs During Cybersecurity Awareness Month
- This article highlights how many organizations, especially small and medium enterprises, do not consider themselves targets for cybercriminals, when in fact they are.
- Three key questions are posed for organizational leaders to consider just how much of a target they are. They include “Do you have customers?”, “Do you have a bank account?”, and “Do you have information on a customer or employee in your care, custody, and control?”.
- A “yes” to any of the three questions indicates that your organization is likely a target. As such, it is vital for your organization to be properly protected at a technical level and to work toward identifying and mitigating risk.