Project Hyphae

Information Security News 5-22-2023


Note: In observance of Memorial Day, there will not be any Security News published for the week of May 29th – June 2nd. The next posting of the weekly Security News will be published the week after (June 5th/6th).

Luxottica Confirms 2021 Data Breach After Info of 70M Leaks Online

Article Link: https://www.bleepingcomputer.com/news/security/luxottica-confirms-2021-data-breach-after-info-of-70m-leaks-online/

  • Luxottica, the world’s largest eyewear company, has confirmed one of its partners, who holds customer information, suffered a data breach in 2021 that exposed the personal information of over 70 million customers after a database was posted this month for free on hacking forums.
  • Researcher Andrea Draghetti noted that the exfiltration occurred on March 16, 2021, following two incidents on Luxottica itself in 2020. Luxottica confirmed that customer names, emails, phone numbers, addresses, and dates of birth were exposed.
  • Researchers also highlighted that the stolen data was initially sold privately on a hacker forum in November of 2022; however, the data was released for free on several hacking forums at the end of April and beginning of May of this year.

BianLian Cybercrime Group Changes Up Extortion Methods, Warns CISA

Article Link: https://www.darkreading.com/threat-intelligence/bianlian-cybercrime-group-changes-attack-methods-cisa-advisory-notes

  • CISA, the FBI, and the Australian Cyber Security Centre (ACSC) are warning organizations of evolving tactics and attacks made by the ransomware developer and data extortion group known as BianLian.
  • BianLian started in 2022 as a double-extortion ransomware gang. However, in January the ransomware gang shifted primarily to exfiltration-based extortion.
  • In recent attacks, the group has leveraged stolen RDP credentials, open-source tools, and CLI scripting to access and navigate victim networks. From there, data exfiltration regularly occurs via FTP, Rclone, or Mega. CISA has outlined measures to mitigate BianLian’s ability to launch successful attacks.
  • Link to CISA’s Advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
  • Link to Project Hyphae Article on BianLian’s Free Decryptor: https://projecthyphae.com/threat/bianlian-ransomware-decryptor-made-public/

The New Info-Stealing Malware Operations to Watch Out For

Article Link: https://www.bleepingcomputer.com/news/security/the-new-info-stealing-malware-operations-to-watch-out-for/

  • As the article discusses, the information-stealing malware market is constantly evolving, with multiple malware operations competing for cybercriminal customers by promoting better evasion and increased ability to steal data from victims.
  • The article cites a report from KELA, a cybercrime monitoring and analysis firm, which looked at both incumbent info-stealers and info-stealers that have recently emerged on the cybercrime market.
  • Ultimately, older info-stealers still maintain a large portion of the cybercrime market; however, it was found that newer products offer a wide range of features and competitively low prices in an attempt to gain customers, akin to a legitimate business.
  • Link to KELA’s Report: https://ke-la.com/emerging-infostealers-2023-report/

Wemo Won’t Fix Smart Plug Vulnerability Allowing Remote Operation

Article Link: https://arstechnica.com/gadgets/2023/05/wemo-wont-fix-smart-plug-vulnerability-allowing-remote-operation/

  • IoT security research firm Sternum has discovered and disclosed a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. However, Belkin, who makes the smart plugs, informed Sternum that the vulnerability wouldn’t be patched due to the device being at its end of life.
  • Both this older V2 plug and newer Wemo devices respond to commands sent from a community app called pyWeMo, and from Python in general, which allow users to interact with and hack Wemo IoT devices.
  • Sternum suggests avoiding the exposure of any of these units to the wider Internet and segmenting them into a subnet away from sensitive devices, if possible.
  • Link to Sternum’s Report: https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/

Insider Threats Surge Across US CNI as Attackers Exploit Human Factors

Article Link: https://www.csoonline.com/article/3696318/insider-threats-surge-across-us-cni-as-attackers-exploit-human-factors.html

  • According to Bridewell, who surveyed 525 cybersecurity leaders in US critical infrastructure industries, 77% of organizations have seen a rise in insider-driven cyberthreats over the last three years. Also, some organizations stated that an act of intentional destruction by an employee was committed on average at least every other week within the last year.
  • Research suggests that both economic downturn and the continuation of remote work have led to the growth of insider threats. The article also noted that intentional data theft and accidental loss or disclosure of data were the top perceived risks, especially in the finance sector.
  • The article also highlighted that ransomware and cyberwarfare were other major areas of concern, with surveyed organizations suffering an average of 27 nation-state attacks and an average of 26 ransomware-related incidents in the past year.
  • Link to Bridewell’s Report: https://www.bridewell.com/us/insights/white-papers/detail/cyber-security-in-critical-national-infrastructure-organizations-2023

Insured Companies More Likely to be Ransomware Victims, Sometimes More Than Once

Article Link: https://www.csoonline.com/article/3696350/insured-companies-more-likely-to-be-ransomware-victims-sometimes-more-than-once.html

  • According to Barracuda, companies with cyber insurance are more likely to get hit by ransomware, more likely to be attacked multiple times, and more likely to pay ransoms.
  • Barracuda’s survey of 1,350 IT decision makers suggests that 77% of organizations with cyber insurance were hit at least once, and 39% of those with insurance paid the ransom. Furthermore, insured companies were 70% more likely to be hit again.
  • However, a report from Coveware noted that the percentage of ransomware victims who pay ransoms has been declining, from 85% in 2019 to 45% in Q1 of 2023. Likewise, some cyber insurers have tried to motivate their clients to mitigate risks and avoid complacency, supporting this drop.
  • Link to Barracuda’s Report: https://www.barracuda.com/reports/ransomware-insights-report-2023
  • Link to Coveware’s Report: https://www.coveware.com/blog/2023/4/28/big-game-hunting-is-back-despite-decreasing-ransom-payment-amounts

Organizations Reporting Cyber Resilience are Hardly Resilient

Article Link: https://www.csoonline.com/article/3696932/organizations-reporting-cyber-resilience-are-hardly-resilient-study.html

  • Cyber resilience is a measure of how well an organization can operate during a cyber incident.
  • According to an Immersive Labs and Osterman Research survey of 570 senior security and risk employees at organizations in the US, UK, and Germany with over 1,000 employees, 86% of organizations have a cyber resilience program. However, 52% said that their organization lacks a comprehensive approach to assessing cyber resilience.
  • Researchers from Osterman cited concerns relating to the relative immaturity of true cyber resilience metrics. One analyst noted that many of the organizations rely on assessment frameworks, tests, and metrics unrelated to resilience to determine their resilience capabilities.
  • In addition to a variety of threats, survey respondents highlighted training-related concerns. Specifically, 32% of respondents said that cybersecurity certifications help mitigate cyberthreats, despite 96% of respondents encouraging their employees to obtain certifications. Likewise, despite employees across the surveyed organizations receiving security awareness training and phishing tests for several years, 46% of respondents indicated that their employees would be uncertain how to handle a phishing email.
  • Link to Immersive Labs’/Osterman Research’s Report: https://www.immersivelabs.com/press/new-osterman-research-report-finds-cyber-resilience-programs-are-falling-short-with-more-than-half-of-security-leaders-revealing-their-workforce-is-not-prepared-for-a-cyberattack/

Preparing for Federal Supply Chain Security Standardization

Article Link: https://www.helpnetsecurity.com/2023/05/17/federal-supply-chain-security-standardization/

  • Businesses that ignore the cybersecurity compliance harbingers, such as those working to roll out CMMC, are the ones that will find themselves losing business-critical contracts. Based on the dialogue of various government entities, including CISA, the DoD, and Presidential Executive Orders, it is evident that NIST 800-171 requirements will go beyond just the Defense Industrial Base (DIB) in the future.
  • As a business objective, any organization that wants to maintain a lucrative contract will need to secure controlled unclassified information (CUI). Organizations within the Federal Civilian Executive Branch (FCEB) supply chain need to assume that they will face the same challenges as their peers within the DIB.
  • The article breaks managing CUI into three phases. These include identifying CUI, isolating CUI, and then maintaining control over data, including CUI.

