Information Security News 8-21-2023

‘Play’ Ransomware Group Targeting MSPs Worldwide in New Campaign

Article Link: https://www.darkreading.com/cloud/-play-ransomware-group-targeting-msps-worldwide-in-new-campaign

• The Play ransomware group is targeting MSPs around the globe in a cyberattack campaign to distribute ransomware to their downstream customers. The group leverages MSPs’ remote management tools to further target a variety of industries such as finance and logistics.
• A report from Adlumin highlighted that once bad actors gain initial access to the systems of MSPs, they work to establish additional network persistence. A variety of exploits that Play has used include those for Microsoft Exchange and FortiOS with fixes available that are several years old. Likewise, Play has leveraged legitimate PowerShell scripts and other legitimate tools to camouflage their activities.
• Additionally, Play’s ransomware tool makes use of intermittent encryption when launching its ransomware. Essentially, Play only encrypts specific sections of files in an attempt to disable access to files while also encrypting files at a faster rate than fully encrypting files.
• Link to Adlumin’s Report: https://adlumin.com/post/playcrypt-ransomware/

Don’t Just Patch Your Citrix Gear, Check for Intrusion: 2 Bugs Exploited in Wild

Article Link: https://www.theregister.com/2023/08/17/citrix_mft_exploit/

• This article highlights two 9.8 out of 10 severity Citrix vulnerabilities, the first from May/June of 2023 pertaining to ShareFile and the second from July/August for their NetScaler product.
• While alerts and patches have been released for these issues, both vulnerabilities are still being exploited in the wild. Specifically, Citrix noted that the ShareFile issue impacted 3% of their install base (2,800 customers) and security researchers identified that 31,127 public-facing NetScaler servers were still vulnerable as of August 14.
• Although patching helps with preventing malicious actors from exploiting vulnerabilities, checking for intrusion following a patch is important as well. Of the 31,127 NetScaler servers identified, 1,828 appeared to be compromised and backdoored despite 1,248 having the appropriate patches installed.

Alarming Lack of Cybersecurity Practices on World’s Most Popular Websites

Article Link: https://cybernews.com/security/most-popular-websites-cyber-hygiene/

• This article looks at a list of top 100 websites that lack security best practices via HTTP security headers. HTTP security headers dictate how browsers interact with webpages and can be leveraged to launch client-side attacks on a user’s device.
• The report reviewed several common security headers and, depending on the header, 18% to 88% of the websites reviewed lacked certain headers. Ultimately this increases the possibility of exploitation by bad actors for website visitors.

Ransomware: To Pay or not to Pay

Article Link: https://www.helpnetsecurity.com/2023/08/15/ransom-paying/

• This article aims to provide insight on the question of “Should we pay a ransom?” for organizations.
• To answer this question, the author discusses both the ethical nature of ransom payments as well as the ineffectiveness of paying a ransom that often occurs. Several specific points include paying a ransom funds cybercrime and may be outright illegal, increases the chances of the victim organization being hit again, and may lead to the victim organization losing money and the data that was stolen.
• Although there is little that can be done if an organization is in a situation where they are considering paying a ransom, preparation before an incident, via protection and resilience, goes a long way.
• The article highlights the importance of educating employees on ransomware, maintaining patch management processes, scheduling regular system backups and backup tests, and implementing segmentation as key ransomware mitigation steps. Likewise, having plans and processes on how to respond to incidents like ransomware, both administratively and technically, are vital.

Federally Insured Credit Unions Required to Report Cyber Incidents Within 3 Days

Article Link: https://www.securityweek.com/federally-insured-credit-unions-required-to-report-cyber-incidents-within-3-days/

• The National Credit Union Administration (NCUA) recently updated its cyberattack reporting requirements. Starting on September 1, 2023, all federally insured credit unions must notify the NCUA up to 72 hours after a credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party.
• The article outlines a variety of instances where incidents must be reported. Several examples provided include if the institution was a victim of a DDoS attack, if sensitive data was accidentally exposed, or if member account systems otherwise become inaccessible. However, failed attacks do not need to be reported.
• The NCUA also highlighted that what determines an incident as “substantial” varies based on a credit union’s size, the impact of the loss, and the incident’s duration.
• Link to the NCUA’s Announcement: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/cyber-incident-notification-requirements

AWS Customers’ Most Common Security Mistake

Article Link: https://www.cybersecuritydive.com/news/aws-customers-common-mistake/691047/

• This article looks at how organizations misconfigure their AWS instances simply by not following least-privilege practices when setting up permissions. Users and software alike are regularly given more access than is truly necessary.
• A Google Cloud report referenced by the article directly linked more than 3 in 5 cloud compromises to poor identity and access management. In other words, limiting privileges for employees and tools can reduce risk to the organization and help prevent cloud-based cyberattacks.
• Link to Google’s Report (non-PDF version): https://www.cybersecuritydive.com/news/account-access-cloud-compromises/689886/

Most Businesses to Ban ChatGPT, Generative AI Apps on Work Devices

Article Link: https://www.csoonline.com/article/648942/most-businesses-to-ban-chatgpt-generative-ai-apps-on-work-devices.html

• According to a study from Blackberry, which surveyed 2,000 IT decision makers across the globe, 75% of those surveyed are implementing or considering implementing bans on ChatGPT and other AI tools. Likewise, 61% stated that these bans will likely be permanent.
• Additionally, while around 50% of those surveyed see potential benefits to leveraging AI in the workplace, 83% voiced concerns that unsecured AI apps pose a cybersecurity threat to organizations.
• Overall, the article notes that organizations should take cautious, yet dynamic, approaches to managing AI. Likewise, the development of AI policies should be a top priority for cybersecurity leaders.
• Link to Blackberry’s Report: https://www.blackberry.com/us/en/company/newsroom/press-releases/2023/75-percent-of-organizations-worldwide-set-to-ban-chatgpt-and-generative-ai-apps-on-work-devices

Four Ways Simulation Training Alleviates Team Burnout

Article Link: https://www.helpnetsecurity.com/2023/08/18/simulation-training/

• Within the cybersecurity industry, burnout is common. This article looks at how simulation training (i.e., tabletops) can not only enhance security preparedness, but also address burnout.
• Training simulations can alleviate burnout in a variety of ways. The article noted that simulations can help teams boost their confidence, reduce alert fatigue, limit loneliness, and ensure skill relevance, growth, and recognition.
• As the article notes, addressing team burnout doesn’t just impact personal wellbeing, but also an organization’s security readiness.
• While the article doesn’t note this specifically, it is important to recognize that simulation training isn’t the only way to address burnout in employees. A desire to listen and openly communicate with security personnel to make team adjustments when burnout arises, in addition to many other burnout busters, go a long way to chipping away at an industry-wide issue.

Insurance and Cybersecurity Strategy Go Together

Article Link: https://www.csoonline.com/article/649014/insurance-and-cybersecurity-strategy-go-together.html

• Cyber insurance is all about transferring cyber risk. This article looks at how organizations that transfer this risk to insurers tend to improve their cybersecurity posture.
• According to a report from Sophos, who surveyed 3,000 cybersecurity and IT professionals across the globe, 91% of those surveyed have cyber insurance coverage. Likewise, 95% with policies said that their cyber defenses directly impacted aspects of their insurability.
• While assessing your organization’s cybersecurity posture begins with the application process, it shouldn’t end there. Re-evaluating your organization’s posture should be an ongoing process not only to get a better policy, but also to continue improving your organization’s security posture.
• Link to Sophos’ Report: https://news.sophos.com/en-us/2023/05/03/cyber-insurance-adoption-the-critical-role-of-frontline-cyber-defenses/