Information Security News 4-3-2023

Ransomware Attacks Skyrocket as Threat Actors Double Down on U.S., Global Attacks

Article Link: https://www.techrepublic.com/article/nccgroup-ransomware-attacks-up-february/

• New studies by NCC Group and Barracuda Networks show threat actors are increasing ransomware exploits, with consumer goods and services receiving the brunt of attacks and a large percentage of victims being hit multiple times.
• Additionally, the United States has been disproportionally targeted by ransomware actors, with LockBit being the most prevalent strain of ransomware deployed.
• Barracuda Networks’ research found that 27% of the organizations surveyed feel they are not fully prepared to deal with a ransomware attack. Barracuda Networks noted that the growth of ransomware as a service has made it easier for inexperienced hackers to launch ransomware attacks.
• Link to NCC Group Study: https://newsroom.nccgroup.com/news/ncc-group-monthly-threat-pulse-february-2023-464318
• Link to Barracuda Networks Study: https://www.barracuda.com/reports/ransomware-insights-report-2023

Dish Slapped with Multiple Lawsuits After Ransomware Cyberattack

Article Link: https://www.bleepingcomputer.com/news/security/dish-slapped-with-multiple-lawsuits-after-ransomware-cyber-attack/

• Around February 24th, American TV giant and satellite broadcast provider, Dish had mysteriously gone offline with its websites and apps ceasing to function for days. What the company had previously dubbed a “network outage,” also hit its subsidiaries, including Boost Mobile. By February 28^th, SEC filings confirmed that Dish had been hit by ransomware.
• Following the disclosure, Dish struggled to bring its IT systems and website back up. The company has continued to battle widespread disruption to its cyber systems, including the customer portal MyDISH. Dish has informed its customers that they will receive a paper bill for the month of March.
• As a result of the ransomware attack, Dish’s stock price has suffered. Likewise, at least six law firms are pursuing class action lawsuits against Dish on behalf of Dish shareholders. The lawsuits allege that Dish “overstated” its operational efficiency while having a deficient cybersecurity and IT infrastructure and subsequently committed securities fraud.

Fake Ransomware Gang Targets U.S. Orgs with Empty Data Leak Threats

Article Link: https://www.bleepingcomputer.com/news/security/fake-ransomware-gang-targets-us-orgs-with-empty-data-leak-threats/

• Fake extortionists, called Midnight, are piggybacking on data breaches and ransomware incidents, threatening U.S. companies with publishing or selling allegedly stolen data unless they get paid. Additionally, they often launch DDoS attacks if message recipients don’t comply.
• Incident responders have observed three key aspects of Midnight. First, they attempt to impersonate other ransomware and extortion gangs. Second, they regularly target organizations that have previously been ransomware victims. Third, they use legitimate data that is believed to either be snagged from the leak websites of other threat actors or purchased directly from ransomware gangs.
• The article notes that Midnight has been scamming organizations with fraudulent data breaches since at least 2019. However, a new wave of campaigns on U.S. organizations began in March of 2023.

Using Observability to Power a Smarter Cybersecurity Strategy

Article Link: https://www.darkreading.com/vulnerabilities-threats/using-observability-to-power-a-smarter-cybersecurity-strategy

• Observability, or how well you can understand the inside of a system based on external output, enables organizations to fully see, understand, and manage their systems. It is an essential piece of the puzzle, shining a light on the attack surface that allows teams to identify and prevent breaches.
• Observability not only helps to establish a baseline of “normal behavior,” but helps identity and access management (IAM) systems use data to make decisions. Using a strategy of behavior-driven governance, granular data about how people actually use their identities and access privileges can be leveraged into identifying IAM-based threats.
• When developing baselines for IAM systems, three key data types are vital. These include metrics to quantify performance, traces that allow teams to source alerts, and logs to answer the who, what, when, and how of access activities.

Strategizing Cybersecurity: Why a Risk-Based Approach is Key

Article Link: https://www.weforum.org/agenda/2023/04/strategizing-cybersecurity-why-a-risk-based-approach-is-key/

• Modern and effective cybersecurity management entails more than managing technology risk; it encompasses managing business risk. Organizations must recognize cybersecurity as a strategic imperative integrated into their overall risk management framework, and this can be done at the board level.
• Organizations regularly use solely a maturity-based approach to cybersecurity, which may not adequately address an organization’s unique risk profile. A solution to this is adopting a risk-based approach to cybersecurity, which emphasizes the identification and prioritization of the most critical cybersecurity risks.
• Additionally, cybersecurity leaders should collaborate with leadership to develop key risk indicators to provide a snapshot of the current risk level and key performance indicators that highlight how the organization is moving towards or away from the defined risk appetite level.

Exchange Online Will Soon Start Blocking Emails from Old, Vulnerable On-Prem Servers

Article Link: https://www.helpnetsecurity.com/2023/03/28/exchange-online-blocking-emails-from-vulnerable-servers/

• Microsoft aims to make it impossible for unsupported and/or unpatched on-prem Microsoft Exchange servers to use the company’s Exchange Online hosted cloud service to deliver email. This task will be accomplished by an eight-phase process, involving reporting, throttling, and blocking of messages to Exchange to incentivize the switch from unsupported or unsecure on-premises Exchange servers to Exchange Online.
• Microsoft’s stated goal is to protect its internal infrastructure and to raise the security profile of the Exchange ecosystem, especially because there has been a significant increase in the frequency of attacks against Exchange servers in the last few years.
• The first wave of impacted customers will see the new mail flow report and alerts starting on May 23^rd, with the final blocking phase of the first wave beginning in July. The rollout of this feature is set to be staggered with subsequent waves of customers receiving notifications of unsupported servers when the wave prior begins the full blocking phase.
• Link to Microsoft’s Announcement: https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/ba-p/3762078

The FDA’s Medical Device Cybersecurity Overhaul Has Real Teeth, Experts Say

Article Link: https://www.darkreading.com/cloud/the-fda-medical-device-cybersecurity-overhaul-real-teeth

• The FDA recently put into effect fresh guidance concerning the cybersecurity of medical devices, long a concerning area of risk for healthcare organizations and patients alike. This policy is meant to provide some guardrails around the susceptibility of medical devices, like insulin pumps and heart monitors, to hacking.
• Effective immediately, medical device manufacturers are advised to submit “a plan to monitor, identify, and address, as appropriate, in a reasonable time, post market cybersecurity vulnerabilities, and exploits.” Additionally, they are asked to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.”
• Manufacturers that lack this documentation will be susceptible to “refuse to accept” (RTA) decisions, which prevent any unapproved devices from reaching the market. These guidelines are set to fully take effect in October of 2023.
• Link to the FDA’s Guidance: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity